Hello shorewall'ers,

I just installed shorewall (it was very easy).

I have a three-interface setup and I followed the docs and didn't have any problems. Thanks and great work.

My question is, the default setting in the policy file is set so that the loc zone can see any on the net. I only want my local users to be able to have port 80, 443, 53.

So I made changes to the rules file and added these three ports to the local users. Next I need to drop everything after these three ports. Is the policy file the correct place to drop all?

The rule file is processed before the policy file, correct?

Thanks for your help.

Dan Woodham

Best Regards
Dan **Woody** Woodham Jr.
----------------------------------------
NTT Communications Corporation
----------------------------------------
Dan Lamar Woodham Jr. (Woody)
Security Consultant
Security Platform Group
Platform Technology Development Department
Solution Business Division
Headquarters Office
Tokyo, Japan
Phone +81 3 6701 7321 (direct)
Fax +81 3 5220 7570
Mobile 090 1462 6306
PHS 070 5372 5045
E-mail dan.woodham@ntt.com
Mobile dan.woodham@docomo.ne.jp
----------------------------------------
Dan Lamar Woodham wrote:
> Hello shorewall'ers,
>
> I just installed shorewall (it was very easy).
>
> I have a three-interface setup and I followed the docs and didn't have any problems. Thanks and great work.
>
> My question is, the default setting in the policy file is set so that the loc zone can see any on the net. I only want my local users to be able to have port 80, 443, 53.
>
> So I made changes to the rules file and added these three ports to the local users. Next I need to drop everything after these three ports. Is the policy file the correct place to drop all?

Yes.

> The rule file is processed before the policy file, correct?

Given that rules are exceptions to policies, connection requests are checked against the rules before the appropriate policy is applied, yes.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
From: "Dan Lamar Woodham"
> My question is, the default setting in the policy file is set so that the loc zone can see any on the net. I only want my local users to be able to have port 80, 443, 53.

That's fine..

> So I made changes to the rules file and added these three ports to the local users. Next I need to drop everything after these three ports. Is the policy file the correct place to drop all?

Actually, all that you need to do is edit the existing policy of "loc net ACCEPT" and make this "loc net REJECT". That's what I do..

> The rule file is processed before the policy file, correct?

Correct :D The rules file is parsed first, and if there is no specific DROP/REJECT or ACCEPT rule specified in "/etc/shorewall/rules", then the "/etc/shorewall/policy" file is parsed.... If the packet made it to the policy file because of no matching rule in the rules file, then this is where I have the "loc net REJECT"..

If this is what you want to do, then you need to look up and understand the diff between "DROP" and "REJECT" and how this affects or looks ultimately to the end user experiencing the denied experience.. Heh.. Heh...

HTH's,
JBanks
From: "Joshua Banks"
> From: "Dan Lamar Woodham"
> > My question is, the default setting in the policy file is set so that the loc zone can see any on the net. I only want my local users to be able to have port 80, 443, 53.
>
> That's fine..

That's fine... meaning I hope these are the only ports they use.. You'll soon find out I guess.. if you make the "/etc/shorewall/policy" file (loc net REJECT or DROP) heh.. heh..

JBanks
Joshua Banks wrote:
> That's fine... meaning I hope these are the only ports they use.. You'll soon find out I guess.. if you make the "/etc/shorewall/policy" file (loc net REJECT or DROP) heh.. heh..

Be sure to make your policy a logging policy so that your log will show you what you've forgotten to open :-)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
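As an added illustration (not from the thread and not the Shorewall sample files themselves): the policy row JBanks describes replacing, with the logging level Tom recommends, beside the rules entries that open the three ports Dan listed. The column layout follows the Shorewall 2.x policy and rules files; the zone names and ports are taken from the thread, and the split of port 53 into UDP and TCP is an assumption about what the local users' DNS needs (UDP carries normal lookups, TCP carries large responses and zone transfers).

```text
# /etc/shorewall/policy  (illustrative rows, not the distributed sample)
#SOURCE   DEST   POLICY   LOG LEVEL
# Before: the default allow-all row that lets loc reach anything on net.
#loc      net    ACCEPT
# After: reject what the rules file did not explicitly allow, and log it
# at the "info" level so forgotten services show up in the syslog.
loc       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (illustrative rows)
# Rules are exceptions to the policy above and are checked first.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      net    tcp     80,443
ACCEPT    loc      net    udp     53
ACCEPT    loc      net    tcp     53
```

Anything a local host tries beyond these three services is now answered with a reject and a "Shorewall:loc2net:REJECT:" log entry, which is the list of what still needs opening.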
Tom,

It's just what I'm looking for to do.

Is there a way to distinguish, in a separate "FIREWALL LOG", all the packets that are DROPPED and all the packets that are ACCEPTED?

For example, having something like "cat /var/shorewall/firewall.log" would show:

SHOREWALL : ACCEPT : loc2net.......
SHOREWALL : DROP : net2loc....
.....
...
..
.

Thanks.

Florent from FRANCE

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, 23 April 2004 04:45
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] policy file local drop all

Joshua Banks wrote:
> That's fine... meaning I hope these are the only ports they use.. You'll soon find out I guess.. if you make the "/etc/shorewall/policy" file (loc net REJECT or DROP) heh.. heh..

Be sure to make your policy a logging policy so that your log will show you what you've forgotten to open :-)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Florent Gilain wrote:
> Tom,
>
> It's just what I'm looking for to do.
>
> Is there a way to distinguish, in a separate "FIREWALL LOG", all the packets that are DROPPED and all the packets that are ACCEPTED?
>
> For example, having something like "cat /var/shorewall/firewall.log" would show:
>
> SHOREWALL : ACCEPT : loc2net.......
> SHOREWALL : DROP : net2loc....
> .....

I don't understand your question -- if you are looking for information about how to log to a separate log file, see http://shorewall.net/shorewall_logging.html.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
From: "Florent Gilain"
> Is there a way to distinguish, in a separate "FIREWALL LOG", all the packets that are DROPPED and all the packets that are ACCEPTED?
>
> For example, having something like "cat /var/shorewall/firewall.log" would show:
>
> SHOREWALL : ACCEPT : loc2net.......
> SHOREWALL : DROP : net2loc....

Hmmmm... not sure what you mean exactly.. In "/etc/shorewall/policy", to log at, for example, the "info" level, your "loc to net" line would look like (in my example):

"loc net REJECT info"

I guess you would then just "grep" out the needed info from "/var/log/messages" or from running "shorewall logwatch" and the like.. like so..

"cat /var/log/messages | grep loc2net:REJECT"

Just an example.. but this seems too obvious..

HTH's,
JBanks
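JBanks's grep idea, carried a step further as an added example (not code from the thread): a small POSIX shell filter that splits Shorewall log entries by chain and disposition, so the loc2net REJECT lines show which destination ports the new policy is catching. The log lines are constructed samples in Shorewall's default LOGFORMAT "Shorewall:%s:%s:" (chain, then disposition); the host name, addresses and ports in them are made up.

```shell
#!/bin/sh
# Constructed sample syslog lines (not a real capture) in Shorewall's
# default "Shorewall:<chain>:<disposition>:" log prefix.
SAMPLE_LOG='Apr 23 09:12:01 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80
Apr 23 09:12:03 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=25
Apr 23 09:12:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=23
Apr 23 09:12:07 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.9 PROTO=UDP SPT=123 DPT=123
Apr 23 09:12:09 fw kernel: some unrelated message'

# Reduce each Shorewall log line on stdin to "CHAIN DISPOSITION DPT";
# lines without the Shorewall prefix are silently skipped.
shorewall_log_summary() {
  sed -n 's/.*Shorewall:\([^:]*\):\([^:]*\):.* DPT=\([0-9]*\).*/\1 \2 \3/p'
}

# Count the entries with a given disposition (ACCEPT, REJECT or DROP).
count_disposition() {
  shorewall_log_summary | awk -v d="$1" '$2 == d { n++ } END { print n + 0 }'
}

# Destination ports that the loc->net REJECT policy hit: the services
# the rules file has not opened yet, as a space-separated sorted list.
rejected_ports() {
  shorewall_log_summary \
    | awk '$1 == "loc2net" && $2 == "REJECT" { print $3 }' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demonstration; on a live box replace the printf with
# e.g. "cat /var/log/messages".
printf '%s\n' "$SAMPLE_LOG" | shorewall_log_summary
printf 'loc->net ports still rejected: %s\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | rejected_ports)"
```

Feeding the real syslog through the same functions, split by disposition, gives the separate ACCEPT and DROP/REJECT views Florent asked about without changing where Shorewall itself logs.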