I don't know why my server can't be opened from the Internet (net) to
the Firewall and DMZ zones (ftp, ssh, www, etc.). But I can always
browse from the DMZ, Firewall and local zones to the Internet.
I gave the commands:
shorewall clear
ip addr add 202.124.35.36 dev eth0
ip addr add 202.124.35.37 dev eth0
arping -U -I eth0 202.124.35.36
arping -U -I eth0 202.124.35.37
ip addr del 202.124.35.36 dev eth0
ip addr del 202.124.35.37 dev eth0
shorewall start
No response from the Internet.
Please help me.
My config files for the router:
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect maclist
dmz eth2 detect
proxyarp files
202.124.35.36 eth2 eth0 no yes
202.124.35.37 eth1 eth0 no yes
policy file
loc net ACCEPT
fw net ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT -
rules file
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# accept DNS from local connections
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
#ACCEPT net fw tcp ssh
ACCEPT net dmz tcp ssh
ACCEPT loc fw tcp ssh
#ACCEPT loc dmz tcp ssh
ACCEPT loc fw tcp ssh
ACCEPT fw dmz tcp ssh
# SSH from the DMZ to the firewall
ACCEPT dmz fw tcp ssh
ACCEPT loc dmz tcp ssh
#SSH to the DMZ
ACCEPT net fw tcp ssh
#SSH to the
#
# DMZ DNS access to the Internet
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zones
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw dmz icmp
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
# additions
ACCEPT loc net tcp www
ACCEPT dmz net tcp www
ACCEPT net fw tcp www
ACCEPT fw dmz tcp www
ACCEPT net dmz tcp www
# transparent proxy to the dmz
ACCEPT loc dmz tcp www
ACCEPT dmz net tcp www
# www from local to fw
ACCEPT loc fw tcp www
ACCEPT dmz fw tcp www
## webmin and usermin
ACCEPT loc fw tcp 10000
ACCEPT dmz fw tcp 10000
ACCEPT loc fw tcp 20000
ACCEPT dmz fw tcp 20000
# ftp from local to fw and from fw to the proxy
ACCEPT loc fw tcp 21
ACCEPT fw dmz tcp 21
## the line below should be deleted
ACCEPT net dmz tcp 21
# needs to be added for the DMZ zone
ACCEPT net dmz:202.124.35.36 tcp smtp # Mail from Internet
ACCEPT net dmz:202.124.35.36 tcp pop3 # Pop3 from Internet
ACCEPT loc dmz:202.124.35.36 tcp smtp # Mail from local network
ACCEPT loc dmz:202.124.35.36 tcp pop3 # Pop3 from local network
ACCEPT fw dmz:202.124.35.36 tcp smtp # Mail from the firewall
ACCEPT dmz:202.124.35.36 net tcp smtp # Mail to the Internet
ACCEPT net dmz:202.124.35.36 tcp http # WWW from Internet
ACCEPT net dmz:202.124.35.36 tcp https # Secure WWW from Internet
ACCEPT loc dmz:202.124.35.36 tcp https # Secure WWW from local network
# needed for DNS to the DMZ
#ACTION SOURCE DEST PROTO DEST PORT(S) COMMENTS
ACCEPT net dmz:202.124.35.36 udp domain # UDP DNS from Internet
ACCEPT net dmz:202.124.35.36 tcp domain # TCP DNS from Internet
ACCEPT loc dmz:202.124.35.36 udp domain # UDP DNS from local network
ACCEPT loc dmz:202.124.35.36 tcp domain # TCP DNS from local network
ACCEPT fw dmz:202.124.35.36 udp domain # UDP DNS from the firewall
ACCEPT fw dmz:202.124.35.36 tcp domain # TCP DNS from the firewall
ACCEPT dmz:202.124.35.36 net udp domain # UDP DNS to the Internet
ACCEPT dmz:202.124.35.36 net tcp domain # TCP DNS to the Internet
# for ssh
# squid
ACCEPT fw dmz:202.124.35.36 tcp 3401
ACCEPT fw dmz:202.124.35.36 udp 3401
The nat file and masq file are empty.
thanks
wayan
On Sat, 11 Sep 2004 08:08:17 -0700
Tom Eastep <teastep@shorewall.net> wrote:
>
> paidjo wrote:
> | hi,
> |
> | I'm confused about the rules file.
> | What is the difference between http, www and 80?
> | I found this setting in the shorewall documentation.
>
> Please read
> http://shorewall.net/configuration_file_basics.htm#Ports
>
> |
> | And why can't I connect from the Internet to my firewall,
> | but I can connect from local to fw?
> | I opened rules from the Internet:
> |
> | ACCEPT net fw tcp 22
> | ACCEPT loc fw tcp 22
>
> If you can't tell us more than that, I have no idea.
> Please provide the information asked for at
> http://shorewall.net/support.htm and we will try to help.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
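Since the question is which net->fw and net->dmz services the posted rules and policy actually permit, here is an added example (my own code, not from the post and not Shorewall's) that applies Shorewall's lookup order, the first matching line in the rules file and otherwise the first matching line in the policy file, to a constructed subset of the posted files; SERVICES is a hand-made stand-in for /etc/services, and a destination written as zone:host only matches that host.

```python
# Constructed stand-in for /etc/services (Shorewall reads the real file).
SERVICES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}
# Constructed subset of the posted rules file (ACTION SOURCE DEST PROTO DPORT).
RULES = """
ACCEPT net dmz tcp ssh
ACCEPT net fw tcp ssh
ACCEPT net fw tcp www
ACCEPT net dmz tcp 21                   # the line the post says should be deleted
ACCEPT net dmz:202.124.35.36 tcp smtp   # host-qualified destination
"""
# Constructed subset of the posted policy file (SOURCE DEST POLICY LOGLEVEL).
POLICY = """
loc net ACCEPT
fw net ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT -
"""

def _columns(text):
    """Whitespace-split columns of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def _port(spec):  # numeric or named port as int; None means any port
    if spec in (None, "-"):
        return None
    return int(spec) if spec.isdigit() else SERVICES[spec.lower()]

def _zone_host(spec):  # 'dmz:202.124.35.36' -> ('dmz', '202.124.35.36')
    zone, _, host = spec.partition(":")
    return zone, host or None

def parse_rules(text):
    return [(c[0], _zone_host(c[1]), _zone_host(c[2]), c[3].lower(),
             _port(c[4]) if len(c) > 4 else None) for c in _columns(text)]

def parse_policy(text):
    return [tuple(c[:3]) for c in _columns(text)]

def decide(rules, policy, src, dst, proto, port=None, dst_host=None):
    # A new connection is accepted/dropped by the first matching rule, else by policy.
    for action, (rz, _), (dz, dh), rproto, rport in rules:
        if (rz in ("all", src) and dz in ("all", dst) and dh in (None, dst_host)
                and rproto in ("all", proto) and rport in (None, port)):
            return action
    for psrc, pdst, paction in policy:
        if psrc in ("all", src) and pdst in ("all", dst):
            return paction
    return "NONE"  # Shorewall would refuse to start without a catch-all policy
```

Running the posted net->dmz queries through it shows that tcp/21 is reachable from net only because of the rule the post marks for deletion, while smtp from net reaches 202.124.35.36 and nothing else in the dmz.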