Good day.

I'm having two problems with Shorewall under Mandrake 9.1. (I understand that this is an older version but am a bit concerned about breaking things if I upgrade).

My main problem is that I access both the loc and net zones through eth0. I've set up the following rule structure to account for this:

/etc/shorewall/zones

#ZONE   DISPLAY   COMMENTS
net     Net       Internet zone
loc     Local     Local zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/hosts

#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.0.0/24     routestopped
net     eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules

##############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST       SOURCE    ORIGINAL
#                                 PORT       PORT(S)   DEST
ACCEPT    fw       loc    udp     137:139    -
ACCEPT    loc      fw     udp     137:139    -
ACCEPT    fw       loc    tcp     137,139    -
ACCEPT    loc      fw     tcp     137,139    -
ACCEPT    fw       loc    udp     1024:      137
ACCEPT    loc      fw     udp     1024:      137
ACCEPT    fw       loc    tcp     631        -
ACCEPT    loc      fw     tcp     631        -
ACCEPT    fw       loc    udp     631        -
ACCEPT    loc      fw     udp     631        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The rules are intended to allow Samba traffic from the local zone through (which it does), and allow CUPS to work (which they don't). What do I need to do to get CUPS working, and have I done the right thing to define the net and loc zones?

Also, I don't really understand mask width - I _think_ that, since our loc network addresses run from 192.168.0.1-8, I can describe this as 192.168.0.0/29. Is this correct?

Also, does this make my PC vulnerable to someone spoofing 192.168.0.x?

Thank you.

-- 
--------------- Revenant [revenant@bigpond.net.au] ------------------
The reasonable man adapts himself to the world; the unreasonable man persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
On Wed, 2003-08-13 at 15:41, Revenant wrote:

> Good day.
>
> I'm having two problems with Shorewall under Mandrake 9.1. (I
> understand that this is an older version but am a bit concerned about
> breaking things if I upgrade).
>
> My main problem is that I access both the loc and net zones through
> eth0.

Security by obscurity at best.

> I've set up the following rule structure to account for this:
>
> /etc/shorewall/zones
>
> #ZONE   DISPLAY   COMMENTS
> net     Net       Internet zone
> loc     Local     Local zone
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>

Since loc is a sub-zone of net, you need to reverse the order of the above definitions.

> /etc/shorewall/hosts
>
> #ZONE   HOST(S)                 OPTIONS
> loc     eth0:192.168.0.0/24     routestopped
> net     eth0:0.0.0.0/0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

> Also, I don't really understand mask width - I _think_ that, since our
> loc network addresses run from 192.168.0.1-8, I can describe this as
> 192.168.0.0/29. Is this correct?

Yes.

> Also, does this make my PC vulnerable to someone spoofing 192.168.0.x?

Except on your firewall, you have NO security and anyone using an unused IP address in 192.168.0.0/29 will have exactly the same access as your local systems (don't even need to spoof -- just configure the IP address and have at it).

Basically, this setup is a security disaster. Your local Windoze systems will be proudly announcing themselves to all of your friends and neighbors so they will be easy to find and hack.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
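The two technical points in the exchange above (why the zones file order matters when loc sits inside net on the same interface, and what a /29 prefix actually covers) can be checked offline with the following script. It is an added example written for this archive page, not code from the thread or from the Shorewall project; it only models Shorewall's behaviour of assigning a source address to the first zone, in zones-file order, whose hosts entry matches it. The zone table, the address range 192.168.0.1-8 and the list of "in use" addresses are taken or constructed from the messages above; the function names are the example's own.

```python
import ipaddress

# Constructed model of the hosts file quoted in the thread: zone -> (interface, prefix).
HOSTS = {
    "loc": ("eth0", "192.168.0.0/24"),
    "net": ("eth0", "0.0.0.0/0"),
}
# The list order stands in for the order of entries in /etc/shorewall/zones,
# which is the order Shorewall tries zones when both share an interface.
ZONES_AS_POSTED = ["net", "loc"]   # order in the poster's zones file
ZONES_REVERSED = ["loc", "net"]    # sub-zone first, as Tom asks for


def classify(ip, zone_order, hosts=HOSTS):
    """Return the first zone in zone_order whose hosts prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for zone in zone_order:
        _iface, prefix = hosts[zone]
        if addr in ipaddress.ip_network(prefix):
            return zone
    return None


def prefix_range(cidr):
    """Return (first address, last address, number of addresses) covered by a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def hosts_outside(cidr, first, last):
    """Addresses in the inclusive range first..last that the prefix does NOT cover."""
    net = ipaddress.ip_network(cidr, strict=False)
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if ipaddress.ip_address(i) not in net]


def unused_in_prefix(cidr, in_use):
    """Host addresses inside the prefix that no known machine uses.

    Any device that configures one of these gets the same zone membership as the
    real local systems, which is the exposure Tom describes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    return [str(a) for a in net.hosts() if a not in used]


if __name__ == "__main__":
    # Same local address, two zones-file orders: with net listed first, 0.0.0.0/0
    # matches everything and the loc entry is never reached.
    print("posted order :", classify("192.168.0.5", ZONES_AS_POSTED))
    print("reversed     :", classify("192.168.0.5", ZONES_REVERSED))
    print("internet host:", classify("203.0.113.9", ZONES_REVERSED))
    # What the /29 from the question covers, and which of .1-.8 fall outside it.
    print("/29 covers   :", prefix_range("192.168.0.0/29"))
    print("outside /29  :", hosts_outside("192.168.0.0/29", "192.168.0.1", "192.168.0.8"))
    # Constructed list of machines actually in use; the rest are free for the taking.
    print("unused in /29:", unused_in_prefix("192.168.0.0/29", ["192.168.0.1", "192.168.0.2"]))
```

Running it shows the local address classified as net under the posted order and as loc once loc precedes net, and lists the exact eight addresses a /29 spans so you can compare the prefix against the machines you really have before relying on it in the hosts file.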