Check out whitelisting:
http://shorewall.net/1.3/whitelisting_under_shorewall.htm
I am not sure if this still works under the latest versions, but I can't imagine why not.
The docs suggest this will work for versions >= 1.3.1, which of course includes you.
First you define a /etc/shorewall/zone entry and a /etc/shorewall/hosts entry
for 'somenewzone' as a sub-zone of 'loc' from the standard three interface setup.
Then you add /etc/shorewall/policy entries to effectively "whitelist"
your new sub-zone to whatever degree you specify.
After defining a policy, you can still allow/drop specific traffic with
/etc/shorewall/rules to be explicit.
In your case 'somenewzone' might define a single host.
I would like to know if this works for you, please post back. If I have a bit of
time I will try it myself.
Behavior defined in /etc/shorewall/routestopped is only functional when the
firewall is stopped.
There are instructions for earlier versions of shorewall if you search for
"whitelist" on www.shorewall.net as well.
Alex Martin
http://www.rettc.com
----- Original Message -----
From: "franco segna" <fsegna@web.de>
To: <shorewall-users@lists.shorewall.net>
Sent: Thursday, December 04, 2003 1:50 AM
Subject: [Shorewall-users] Using Nessus from behind Shorewall
> I'm using Nessus (a remote vulnerability scanning tool) from behind
> Shorewall (now 1.4.5) running on various platforms (from Red Hat to
> Bering) with full satisfaction.
> To make full use of the Nessus features I must usually restart shorewall
> with very permissive policies (the meaning of firewall is completely
> lost) for the time needed to conduct the remote tests, and then revert
> to the "armored" configuration.
>
> My question is: is the use of the 'routestopped' file a better way than
> using alternate config files?
> The requirements of Nessus are:
>
> OUTBOUND ICMP except Time Exceeded, Timestamp Reply, Address
> Mask Reply, and Destination unreachable (Echo Reply being
> (ab)used by some backdoor protocols)
> OUTBOUND TCP & UDP from any port to any port
> INBOUND UDP from any port to any port
> INBOUND ICMP Destination Unreachable, Echo Reply, Address Mask
> Reply, Timestamp Reply, Time Exceeded
> INBOUND non-SYN TCP from any port to any port
>
>
> My trials with routestopped were unsuccessful. Thanks in advance for any
> help
>
> Franco
>
> --
>
> Franco Segna - fsegna@web.de
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
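A worked set of configuration fragments for the sub-zone approach Alex describes above, added here as an example; it is not taken from either message or from the Shorewall project's own documentation. It assumes Shorewall 1.4-style file layouts, the local interface eth1, a Nessus host at 192.168.1.10 and a sub-zone named scan (all three chosen for illustration).

```text
# /etc/shorewall/zones  -- the sub-zone must be listed BEFORE loc,
# because zone order decides which zone's policies are evaluated first.
# (Example values; the interfaces file for net/loc/dmz stays as in the
#  standard three-interface setup.)
#ZONE   DISPLAY     COMMENTS
scan    Scanner     Nessus host, a sub-zone of loc
net     Net         Internet
loc     Local       Local network
dmz     DMZ         Demilitarized zone

# /etc/shorewall/hosts  -- put exactly one host of the loc interface
# into 'scan'; every other host on eth1 stays in plain 'loc'.
#ZONE   HOST(S)                 OPTIONS
scan    eth1:192.168.1.10

# /etc/shorewall/policy  -- the scan entry goes first; the lines below it
# still govern every other local host, so the firewall is not "lost".
#SOURCE DEST    POLICY  LOG LEVEL
scan    net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  -- explicit exceptions, checked before the
# policies above: the inbound UDP and ICMP replies from Franco's list,
# for the scanner host only (ICMP types: 0 echo-reply,
# 3 destination-unreachable, 11 time-exceeded, 14 timestamp-reply,
# 18 address-mask-reply).
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     scan    udp
ACCEPT  net     scan    icmp    0
ACCEPT  net     scan    icmp    3
ACCEPT  net     scan    icmp    11
ACCEPT  net     scan    icmp    14
ACCEPT  net     scan    icmp    18
```

Most replies to the scanner's own probes are already let back in by connection tracking, so the net-to-scan rules only matter for packets conntrack cannot associate with an outbound probe. Run `shorewall check` (or `shorewall try` on a copy of the configuration) before `shorewall restart`, so a typo in the policy file cannot leave the box open.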