TakaTaka
2003-Nov-12 07:10 UTC
[Shorewall-users] Configuring Shorewall on a Dial In server
I have a RedHat 7.3 box sitting in my DMZ along with my e-mail server to provide "dialup" access for a couple of users who travel around a lot and don't always have a local ISP available.

The setup is pretty simple....

email server - Public IP xxx.xxx.xxx.123
Dialin server - Public IP xxx.xxx.xxx.121
Dialin user - Public IP xxx.xxx.xxx.119

I want to be able to use shorewall to give the Dialin server access to the internet, ftp, etc. without giving that same access to the dial-in user, who should only have access to the e-mail server. (I have enough problems with a high 800 number bill without them surfing the web on my tab.) I am currently blocking all that kind of traffic on the main firewall providing the DMZ for my e-mail server, but all the programs running in the background on my dialin users' computers are filling up my main firewall logs with useless junk that I would prefer to stop right on the dialin server.

I am looking for some direction as to how to configure shorewall for this instance. I am using shorewall on the e-mail server, so I am familiar with the software, but am definitely still a newbie. If the simplest way is to use the NAT portion of shorewall and give the dialin user a private IP address, I am open to that as well.

Nathan
Tom Eastep
2003-Nov-12 08:30 UTC
[Shorewall-users] Configuring Shorewall on a Dial In server
> I have a RedHat 7.3 box sitting in my DMZ along with my e-mail server to
> provide "dialup" access for a couple of users who travel around a lot
> and don't always have a local ISP available.
>
> The setup is pretty simple....
>
> email server - Public IP xxx.xxx.xxx.123
> Dialin server - Public IP xxx.xxx.xxx.121
> Dialin user - Public IP xxx.xxx.xxx.119
>
> I want to be able to use shorewall to give the Dialin server access to
> the internet, ftp, etc. without giving that same access to the dial-in
> user, who should only have access to the e-mail server. (I have enough
> problems with a high 800 number bill without them surfing the web on my
> tab.) I am currently blocking all that kind of traffic on the main
> firewall providing the DMZ for my e-mail server, but all the programs
> running in the background on my dialin users' computers are filling up my
> main firewall logs with useless junk that I would prefer to stop right
> on the dialin server.
>
> I am looking for some direction as to how to configure shorewall for this
> instance. I am using shorewall on the e-mail server, so I am familiar
> with the software, but am definitely still a newbie. If the simplest way
> is to use the NAT portion of shorewall and give the dialin user a
> private IP address, I am open to that as well.

a) Define a zone called "dial".

b) Define "dial" via the "interfaces" file:

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Nov-12 08:32 UTC
[Shorewall-users] Configuring Shorewall on a Dial In server
> I have a RedHat 7.3 box sitting in my DMZ along with my e-mail server to
> provide "dialup" access for a couple of users who travel around a lot
> and don't always have a local ISP available.
>
> The setup is pretty simple....
>
> email server - Public IP xxx.xxx.xxx.123
> Dialin server - Public IP xxx.xxx.xxx.121
> Dialin user - Public IP xxx.xxx.xxx.119
>
> I want to be able to use shorewall to give the Dialin server access to
> the internet, ftp, etc. without giving that same access to the dial-in
> user, who should only have access to the e-mail server. (I have enough
> problems with a high 800 number bill without them surfing the web on my
> tab.) I am currently blocking all that kind of traffic on the main
> firewall providing the DMZ for my e-mail server, but all the programs
> running in the background on my dialin users' computers are filling up my
> main firewall logs with useless junk that I would prefer to stop right
> on the dialin server.

Sorry for the premature "send" of my previous post -- Squirrelmail and the tab key fouled me up.

a) Define a zone called "dial".

b) Define "dial" via the "interfaces" file as:

   dial    ppp+    -

c) Now just configure the policy/rules that you want for "dial".

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
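The three steps Tom gives (declare the zone, bind it to the "ppp+" interface wildcard, then write policy and rules for it) fit in four small files. The script below is an added example, not part of the thread and not code from the Shorewall project: it stages those four files for the setup Nathan describes and then checks them the way a careful admin would before loading them. Its concrete values are assumptions: the 1.4-era column layout that matches Tom's "dial ppp+ -" line, 192.0.2.123 standing in for the mail server's xxx.xxx.xxx.123, eth0 as the Internet-facing NIC, and 25/110/143 as the mail ports the travelling users need. Files are written under a staging directory, never straight into /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): stage the
# four Shorewall files for the dial-in server Nathan describes, then run
# sanity checks on them. Assumed (hypothetical) values: 1.4-era column
# layout matching Tom's "dial ppp+ -", mail server at 192.0.2.123 standing
# in for xxx.xxx.xxx.123, Internet-facing NIC eth0, mail ports 25/110/143.
# Everything is written under $STAGE, never straight into /etc/shorewall.

STAGE="${STAGE:-$(mktemp -d)}"

write_config() {
    mkdir -p "$STAGE"
    # zones: the dial-in users get a zone of their own so policy can differ
    cat > "$STAGE/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet and the DMZ the dial-in box sits in
dial    Dial      Dial-in PPP users
EOF
    # interfaces: "ppp+" is Shorewall's wildcard for ppp0, ppp1, ...
    cat > "$STAGE/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
dial    ppp+        -
EOF
    # policy: the server itself may go anywhere; dial-in users are dropped
    # by default with no log level, so their background chatter never
    # reaches the logs. Order matters: the first matching line wins.
    cat > "$STAGE/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
dial      net    DROP
dial      fw     DROP
net       all    DROP     info
all       all    REJECT   info
EOF
    # rules: exceptions to policy; only the mail server, only mail ports
    cat > "$STAGE/rules" <<'EOF'
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    dial     net:192.0.2.123    tcp     25,110,143
EOF
}

# Zone names declared in the zones file (comment and blank lines skipped).
declared_zones() {
    awk '!/^#/ && NF { print $1 }' "$STAGE/zones"
}

# Every zone name used in interfaces, policy and rules, minus the built-in
# "fw" and "all" and any ":address" qualifier such as net:192.0.2.123.
referenced_zones() {
    {
        awk '!/^#/ && NF { print $1 }' "$STAGE/interfaces"
        awk '!/^#/ && NF { print $1; print $2 }' "$STAGE/policy"
        awk '!/^#/ && NF { print $2; print $3 }' "$STAGE/rules"
    } | sed 's/:.*//' | grep -v -e '^fw$' -e '^all$' | sort -u
}

# Return 1 if any referenced zone was never declared: the kind of mismatch
# between zone and interface definitions that is easy to make by hand.
check_zones() {
    bad=0
    for z in $(referenced_zones); do
        if ! declared_zones | grep -qx "$z"; then
            echo "undeclared zone: $z" >&2
            bad=1
        fi
    done
    return $bad
}

# Resolve a live interface name to its zone using Shorewall's trailing "+"
# prefix wildcard; prints nothing if no interfaces line matches.
zone_for_interface() {
    awk -v ifc="$1" '!/^#/ && NF {
        pat = $2
        if (sub(/\+$/, "", pat)) { if (index(ifc, pat) == 1) { print $1; exit } }
        else if (ifc == pat) { print $1; exit }
    }' "$STAGE/interfaces"
}

# First policy line matching a (source, dest) pair, honouring "all".
policy_for() {
    awk -v s="$1" -v d="$2" '!/^#/ && NF {
        if (($1 == s || $1 == "all") && ($2 == d || $2 == "all")) { print $3; exit }
    }' "$STAGE/policy"
}

write_config
check_zones && echo "zone references consistent; review $STAGE before copying to /etc/shorewall"
```

Two things worth knowing before copying the staged files into place. The "dial net DROP" line with an empty LOG LEVEL column is what keeps the firewall logs quiet; put "info" in that column only while debugging a connection, since the whole point of the setup is to stop the dial-in users' background traffic from being logged at all. And if the travelling users reach the mail server by hostname rather than by address, they will also need a rule allowing DNS to whatever resolver they use; the rules file above deliberately permits nothing beyond the mail ports.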
EmailAdmin AIM-US
2003-Nov-12 11:07 UTC
[Shorewall-users] Configuring Shorewall on a Dial In server
I knew it couldn't be that hard. I had messed up how I had defined the dial interface.

Thank you!

Nathan

When replying to this message, please include all relevant information from the original and/or related messages. In most cases simply hitting the reply button works best. If you are concerned about the size of the e-mail you can delete the parts of the message that are unrelated to the problem.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, November 12, 2003 11:33 AM
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Configuring Shorewall on a Dial In server

> I have a RedHat 7.3 box sitting in my DMZ along with my e-mail server to
> provide "dialup" access for a couple of users who travel around a lot
> and don't always have a local ISP available.
>
> The setup is pretty simple....
>
> email server - Public IP xxx.xxx.xxx.123
> Dialin server - Public IP xxx.xxx.xxx.121
> Dialin user - Public IP xxx.xxx.xxx.119
>
> I want to be able to use shorewall to give the Dialin server access to
> the internet, ftp, etc. without giving that same access to the dial-in
> user, who should only have access to the e-mail server. (I have enough
> problems with a high 800 number bill without them surfing the web on my
> tab.) I am currently blocking all that kind of traffic on the main
> firewall providing the DMZ for my e-mail server, but all the programs
> running in the background on my dialin users' computers are filling up my
> main firewall logs with useless junk that I would prefer to stop right
> on the dialin server.

Sorry for the premature "send" of my previous post -- Squirrelmail and the tab key fouled me up.

a) Define a zone called "dial".

b) Define "dial" via the "interfaces" file as:

   dial    ppp+    -

c) Now just configure the policy/rules that you want for "dial".

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm