Hello all,

What I am doing seems fairly straightforward to me, I just am not sure how to put it into Shorewall's config files. Here is what I have:

I have a single router that takes 5 public IP addresses and routes them to internal IP addresses. In the past, I had control over that router and could port filter at the router, forwarding only the traffic I wanted. However, now I don't control that router, and all traffic is being forwarded. So now I need to filter at the box instead of at the router. In addition, I need to differentiate between traffic coming from the Net and traffic generated internally, and grant/deny access based on that distinction.

I set up my /etc/shorewall/interfaces file as such:

#ZONE   INTERFACE   BROADCAST         OPTIONS
-       eth0        192.168.254.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

One NIC is all the box has. No zone, so that has to be defined elsewhere. I configured my two zones for loc (internal) and net (external) users as such:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

This seems simple enough; now I need to define hosts. Right now, my hosts file looks like such:

#ZONE   HOST(S)                  OPTIONS
loc     eth0:192.168.254.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

I figure I need an additional line in here that states that net is ANY host that is not loc, but how would I define that line? From there the rules are fairly simple, I think, but time will tell. There is no routing involved, just filtering... how hard can that be ;-)

Thanks in advance
Kevin Fries
Kevin Fries wrote:
> Hello all, What I am doing seems fairly straightforward to me, I just
> am not sure how to put it into Shorewall's config files. Here is what I
> have:
> I have a single router that takes 5 public IP addresses and routes them
> to internal IP addresses. In the past, I had control over that router
> and could port filter at the router, forwarding only the traffic I
> wanted. However, now I don't control that router, and all traffic is
> being forwarded. So now I need to filter at the box instead of at the
> router. In addition, I need to differentiate between traffic coming
> from the Net and traffic generated internally, and grant/deny access
> based on that distinction.
> I set up my /etc/shorewall/interfaces file as such:
> #ZONE   INTERFACE   BROADCAST         OPTIONS
> -       eth0        192.168.254.255
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> One NIC is all the box has. No zone, so that has to be defined
> elsewhere. I configured my two zones for loc (internal) and net
> (external) users as such:
> #ZONE   DISPLAY   COMMENTS
> net     Net       Internet
> loc     Local     Local networks
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> This seems simple enough; now I need to define hosts. Right now, my
> hosts file looks like such:
> #ZONE   HOST(S)                  OPTIONS
> loc     eth0:192.168.254.0/24
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
> I figure I need an additional line in here that states that net is ANY
> host that is not loc, but how would I define that line? From there the
> rules are fairly simple, I think, but time will tell. There is no
> routing involved, just filtering... how hard can that be ;-)

Simply change the interface file entry to specify 'net' rather than '-' in the ZONE column AND reverse the order of your entries in the zones file.

This is all covered at http://shorewall.net/Multiple_Zones.html under "One-armed Router"

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
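Tom's two changes, as an added illustration that is not part of this thread or of Shorewall itself: a small Python model of how a source address arriving on eth0 is assigned to a zone once the interface belongs to 'net' and the hosts file carves 'loc' out of it. It assumes Shorewall tries zones in the order the zones file lists them with the first match winning (which is why 'loc' has to come before 'net'), and the config excerpts are constructed for the example.

```python
import ipaddress

# Constructed Shorewall-style excerpts for this example (not the poster's
# exact files). ZONES_FIXED is the order Tom recommends; ZONES_ORIGINAL is
# the order from the first message in the thread.
ZONES_FIXED = "loc  Local  Local networks\nnet  Net  Internet\n"
ZONES_ORIGINAL = "net  Net  Internet\nloc  Local  Local networks\n"
INTERFACES_FIXED = "net  eth0  192.168.254.255\n"    # interface owned by 'net'
INTERFACES_ORIGINAL = "-  eth0  192.168.254.255\n"   # no zone on the interface
HOSTS = "loc  eth0:192.168.254.0/24\n"               # 'loc' carved out via hosts

def parse(table):
    """Yield the whitespace-split fields of each non-comment, non-blank row."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def build_matchers(zones, interfaces, hosts):
    """Return (zone, interface, network) triples ordered as the zones file
    lists the zones.  Assumption: Shorewall tests zones in that order and
    the first match wins, so a hosts-file sub-zone must be listed before
    the zone that owns the whole interface."""
    per_zone = {}
    for zone, iface, *_rest in parse(interfaces):
        if zone != "-":  # '-' means the interface itself carries no zone
            per_zone.setdefault(zone, []).append((iface, ipaddress.ip_network("0.0.0.0/0")))
    for zone, spec, *_rest in parse(hosts):
        iface, net = spec.split(":", 1)
        per_zone.setdefault(zone, []).append((iface, ipaddress.ip_network(net)))
    return [(zone, iface, net)
            for zone, *_rest in parse(zones)
            for iface, net in per_zone.get(zone, [])]

def classify(src_ip, iface, matchers):
    """Zone of a packet arriving on iface from src_ip, or None if no zone claims it."""
    ip = ipaddress.ip_address(src_ip)
    for zone, m_iface, net in matchers:
        if m_iface == iface and ip in net:
            return zone
    return None

if __name__ == "__main__":
    fixed = build_matchers(ZONES_FIXED, INTERFACES_FIXED, HOSTS)
    print(classify("192.168.254.10", "eth0", fixed))     # loc
    print(classify("203.0.113.7", "eth0", fixed))        # net
    shadowed = build_matchers(ZONES_ORIGINAL, INTERFACES_FIXED, HOSTS)
    print(classify("192.168.254.10", "eth0", shadowed))  # net: 'loc' hidden behind 'net'
    unzoned = build_matchers(ZONES_ORIGINAL, INTERFACES_ORIGINAL, HOSTS)
    print(classify("203.0.113.7", "eth0", unzoned))      # None: nothing claims Internet hosts
```

The last two cases are the two halves of the original problem: with the interface still marked '-' no zone ever claims Internet hosts, and with 'net' listed first the whole interface matches 'net' before 'loc' is ever tried.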
Sorry Tom,

I misunderstood that section because I am not trying to route, just filter. It seems to be working OK, except for DNS, but that is always a PITA to get through the firewall.

I have looked through tons of docs on setting up Shorewall, but have not seen anything on firewall recipes (i.e. settings for a FTP server, or DNS client, or ...). This firewall seems much more complex to me than a CISCO router, or maybe I am just more familiar with IOS.

Thanks for the help
Kevin Fries

Tom Eastep writes:
> Kevin Fries wrote:
>> Hello all, What I am doing seems fairly straightforward to me, I just am
>> not sure how to put it into Shorewall's config files. Here is what I
>> have:
>> I have a single router that takes 5 public IP addresses and routes them
>> to internal IP addresses. In the past, I had control over that router
>> and could port filter at the router, forwarding only the traffic I
>> wanted. However, now I don't control that router, and all traffic is
>> being forwarded. So now I need to filter at the box instead of at the
>> router. In addition, I need to differentiate between traffic coming
>> from the Net and traffic generated internally, and grant/deny access
>> based on that distinction.
>> I set up my /etc/shorewall/interfaces file as such:
>> #ZONE   INTERFACE   BROADCAST         OPTIONS
>> -       eth0        192.168.254.255
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>> One NIC is all the box has. No zone, so that has to be defined elsewhere.
>> I configured my two zones for loc (internal) and net (external) users as
>> such:
>> #ZONE   DISPLAY   COMMENTS
>> net     Net       Internet
>> loc     Local     Local networks
>> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>>
>> This seems simple enough; now I need to define hosts. Right now, my
>> hosts file looks like such:
>> #ZONE   HOST(S)                  OPTIONS
>> loc     eth0:192.168.254.0/24
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>> I figure I need an additional line in here that states that net is ANY
>> host that is not loc, but how would I define that line? From there the
>> rules are fairly simple, I think, but time will tell. There is no
>> routing involved, just filtering... how hard can that be ;-)
>
> Simply change the interface file entry to specify 'net' rather than '-' in
> the ZONE column AND reverse the order of your entries in the zones file.
> This is all covered at http://shorewall.net/Multiple_Zones.html under
> "One-armed Router"
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Kevin Fries wrote:
> Sorry Tom,
> I misunderstood that section because I am not trying to route, just
> filter.

You can't filter without routing unless you are configuring Shorewall on a standalone system.

> It seems to be working OK, except for DNS, but that is always a PITA to
> get through the firewall.
> I have looked through tons of docs on setting up Shorewall, but have not
> seen anything on firewall recipes (i.e. settings for a FTP server, or
> DNS client, or ...). This firewall seems much more complex to me than a
> CISCO router, or maybe I am just more familiar with IOS.

Start at http://shorewall.net/ports.htm -- that will direct you to other articles when there's something tricky about configuring a particular service.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Kevin Fries wrote:
>
>> Sorry Tom,
>> I misunderstood that section because I am not trying to route, just
>> filter.
>
>
> You can't filter without routing unless you are configuring Shorewall
> on a standalone system.
>
>> It seems to be working OK, except for DNS, but that is always a PITA to
>> get through the firewall.
>> I have looked through tons of docs on setting up Shorewall, but have
>> not seen anything on firewall recipes (i.e. settings for a FTP
>> server, or DNS client, or ...). This firewall seems much more complex
>> to me than a CISCO router, or maybe I am just more familiar with IOS.
>
>
> Start at http://shorewall.net/ports.htm -- that will direct you to other
> articles when there's something tricky about configuring a particular
> service.

Also, note that Shorewall has a large collection of "Standard Actions" which can be easily invoked from the rules file. Your /usr/share/shorewall/actions.std file (I just corrected ports.htm to list the correct file) lists them.

For example, to allow FTP requests from clients in the 'net' zone to a server in the 'loc' zone:

AllowFTP net loc:<server IP>

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2004-05-28 at 11:40 -0700, Tom Eastep wrote:
>
> Also, note that Shorewall has a large collection of "Standard Actions"
> which can be easily invoked from the rules file. Your
> /usr/share/shorewall/actions.std file (I just corrected ports.htm to
> list the correct file) lists them.
>
> For example, to allow FTP requests from clients in the 'net' zone to a
> server in the 'loc' zone:
>
> AllowFTP net loc:<server IP>

Slightly off-topic but I've been wondering - are you taking submissions for additional 'standard' actions? What is currently there certainly covers a large portion of situations, but some others that I've rolled have been for dropping all MSSQL traffic (almost as many probes on 1433 these days as old CodeRed traffic!). While I can certainly see that it would be undesirable to have way too many pre-defines because it becomes overwhelming and the end-admin winds up just creating their own (if you've played with Checkpoint, this seems to be a very common thing there).

--
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
>
> Slightly off-topic but I've been wondering - are you taking submissions
> for additional 'standard' actions? What is currently there certainly
> covers a large portion of situations, but some others that I've rolled
> have been for dropping all MSSQL traffic (almost as many probes on 1433
> these days as old CodeRed traffic!). While I can certainly see that it
> would be undesirable to have way too many pre-defines because it
> becomes overwhelming and the end-admin winds up just creating their own
> (if you've played with Checkpoint, this seems to be a very common thing
> there).
>

I have given this topic a little thought and wonder if setting up something on the Wiki might not be the best solution. The alternative would be for people to send their contributions to me and I could place them in the mirrored shorewall/contrib directory.

What do other folks think?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hello,

That will increase the load on you, Tom, and I believe if you invest this time in Shorewall dev., it would be much better for all of us.

Thank you
Kind Regards
Samer

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, May 28, 2004 10:55 PM
Subject: Re: [Shorewall-users] Re: One NIC, filtering access

> David T Hollis wrote:
> >
> > Slightly off-topic but I've been wondering - are you taking submissions
> > for additional 'standard' actions? What is currently there certainly
> > covers a large portion of situations, but some others that I've rolled
> > have been for dropping all MSSQL traffic (almost as many probes on 1433
> > these days as old CodeRed traffic!). While I can certainly see that it
> > would be undesirable to have way too many pre-defines because it
> > becomes overwhelming and the end-admin winds up just creating their own
> > (if you've played with Checkpoint, this seems to be a very common thing
> > there).
> >
> I have given this topic a little thought and wonder if setting up
> something on the Wiki might not be the best solution. The alternative
> would be for people to send their contributions to me and I could place
> them in the mirrored shorewall/contrib directory.
>
> What do other folks think?
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
On Sat, 2004-05-29 at 04:25, Samer Y. Azmy wrote:
> That will increase the load on you, Tom, and I believe if you invest
> this time in Shorewall dev., it would be much better for all of us.

Samer,

If the wiki is used it won't take much of Tom's time. The community would generate the content, and Tom could take a look at it periodically for ideas.

--
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs