--On Tuesday, November 12, 2002 01:58:47 AM -0800 storm monitor
<solarstormmonitor@yahoo.com> wrote:
> Hi,
>
> I've just installed Shorewall on my Mandrake 8.2 box
> and this is just what I've been looking for. I really
> like the freedom and ease of creating my own rules it
> gives me, but want to make sure I'm going about it in
> the right way before attempting to go online.
>
> I have a simple ruleset concept I want to implement.
> Block all ICMP,
You can't -- Shorewall will allow the ICMP traffic necessary to ensure
that your firewall works properly.
> all UDP except to and from my DNS
> servers,
So no traceroute?
> and all TCP except from net port 80 to my
> temp range ports 1024-5000 and back using a dialup
> interface. Is this the correct way to do it?
>
># Interface
> fw ppp0 *-* filterping,norfc1918,dropunclean
I recommend against using 'dropunclean' -- there are simply too many
broken IP stacks out there.
>
>
># Changes to shorewall.config file
> NAT_ENABLED=no
> IP_FORWARDING=off
> ADD_IP_ALIASES=no
> ADD_SNAT_ALIASES=no
> CLAMPMSS=yes
> ROUTE_FILTER=yes
> NAT_BEFORE_RULES=no
> MERGE_HOSTS=no
> FORWARD_PING=no
>
>
> ACTION SRC DEST PROTO DEST PORT SRC PORT
>
># accept HTTP traffic from host
> ACCEPT net fw tcp 1024:5000 80
Is this rule intended to allow the internet access to your HTTPD server?
Because if that is the goal then you can't guarantee that the source
port will be in the 1024:5000 range. And even if you have the rule
backwards, the temporary port range on Linux 2.4 tends to be higher than
that:
[root@gateway root]# cat /proc/sys/net/ipv4/ip_local_port_range
32768 61000
[root@gateway root]#
>
># accept return HTTP traffic to host
> ACCEPT fw net tcp 80 1024:5000
NO NO NO NO NO!!!! Shorewall is stateful and you NEVER define rules for
replies.
>
># drop all other TCP traffic from net
> DROP net fw tcp 0:65535 0:65535
Why don't you simply stick with the DROP net->all policy?
>
># drop all other outgoing TCP traffic to net
> DROP fw net tcp 0:65535 0:65535
Dropping outgoing traffic means that if you try to send such traffic then
you get timeouts.
>
># primary DNS server traffic
> ACCEPT IP.primary.DNS.server fw udp 1024:5000 53
>
># primary DNS server answer
> ACCEPT fw IP.primary.DNS.server udp 1024:5000 53
>
># secondary DNS server traffic
> ACCEPT IP.secondary.DNS.server fw udp 1024:5000 53
>
>
># secondary DNS server answer
> ACCEPT fw IP.secondary.DNS.server 53 1024:5000
All of your DNS rules are backward.
>
># drop all other UDP traffic from net
> DROP net fw udp 0:65535 0:65535
>
># drop all other outgoing UDP traffic to net
> DROP fw net udp 0:65535 0:65535
>
Again, why don't you simply rely on the POLICY? If you don't like the
rules that I supply in common.def, just create an empty
/etc/shorewall/common file.
># drop all incoming ICMP
> DROP net fw icmp all
>
># drop all outgoing ICMP
> DROP fw net icmp all
>
>
Again, why not simply rely on POLICY?
Unless you really know what you are doing, starting from the one-interface
sample configuration will cause you less grief than struggling with your
own ruleset.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
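As an added illustration, not part of Tom's reply and not Shorewall's own sample files, this is how the ruleset asked for in the question looks when written the way the reply recommends: let the policy file do the blocking, write one ACCEPT per new connection the firewall box is allowed to originate, and write nothing at all for replies, because the iptables chains Shorewall generates already accept ESTABLISHED/RELATED traffic before any of your rules are consulted. The zone names net and fw and the IP.primary.DNS.server / IP.secondary.DNS.server placeholders come from the question; the column layout assumes the Shorewall 1.3-era policy and rules files. The fw->net policy is REJECT rather than DROP so that a blocked outgoing attempt fails immediately instead of timing out. No port ranges appear anywhere: the kernel picks the ephemeral source port (32768-61000 on the box shown above), and the state match takes care of the return packets. ICMP is deliberately left out of both files, since the 'filterping' interface option and FORWARD_PING=no already control ping and the rest is what Shorewall needs to work.

```text
# /etc/shorewall/policy  (assumed reconstruction, not a file from the original post)
#
# Everything not explicitly ACCEPTed in /etc/shorewall/rules falls through
# to these entries, so there is no need for "DROP net fw tcp 0:65535 0:65535"
# style rules of your own.
#
#SOURCE   DEST    POLICY    LOG LEVEL
fw        net     REJECT    info      # outbound: refuse, do not silently drop
net       all     DROP      info      # inbound from the internet: drop everything
all       all     REJECT    info      # catch-all

# /etc/shorewall/rules  (assumed reconstruction, not a file from the original post)
#
# Only NEW connections are listed.  Reply traffic for each of these is
# matched by the state rule Shorewall puts at the top of every chain, so
# "ACCEPT net fw tcp 1024:5000 80" and its DNS equivalents are not needed
# (and would be wrong, because the source port is chosen by the kernel).
#
#ACTION   SOURCE   DEST                           PROTO   DEST PORT(S)   SOURCE PORT(S)
ACCEPT    fw       net                            tcp     80
ACCEPT    fw       net:IP.primary.DNS.server      udp     53
ACCEPT    fw       net:IP.secondary.DNS.server    udp     53
```

After `shorewall restart`, `iptables -L fw2net -nv` should show the generated chain beginning with an ACCEPT on `state RELATED,ESTABLISHED`, followed by the three rules above and then the policy's REJECT; `iptables -L net2fw -nv` should contain nothing of yours at all, only the state match and the DROP policy. If even that looks like more than you want to maintain, the one-interface sample configuration Tom points to gives the same net->fw DROP behaviour with an ACCEPT fw->net policy, and you can tighten fw->net later once the box is working.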