Hi,

I'm a newbie when it comes to firewalls and Linux. I've been having a difficult time trying to configure Shorewall on Mandrake 9.0. Here's my problem:

- I have a broadband connection through cable and the cable modem is connected to a Linksys cable/dsl router (befsr41). I have a couple of Windows machines and a Mandrake 9.0 box connected to the router. They each get a static IP address (the 192.168.1.xxx kind).

- Mandrake 9 comes with Shorewall preinstalled. But I couldn't get it to allow my Windows machines to talk to servers running on the Linux box (samba, apache, ssh, etc.).

- Basically what I want is to have the firewall *not* blocking any connections from my local machines. How do I set it up?

I looked through the documentation on the web site, and I still don't have a clue and couldn't get it to work. Any help is appreciated.

Thanks.

wy
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GE/FA/IT/O d-(---) s+:+(-:-) a-- C+++(++)>$ U>$ P+>$ L(+) E---(----) W++>$ N+ o(+) K- w(+) O? M- V-- PS++(+)@ PE+(-)@ Y+ PGP t 5? X++(+) R? tv(+) b+(++) Dl D- G e++ h! !r !z
------END GEEK CODE BLOCK------
Wai Yung wrote:
> Hi,
>
> I'm a newbie when it comes to firewalls and Linux. I've been having
> a difficult time trying to configure Shorewall on Mandrake 9.0.
> Here's my problem:
>
> - I have a broadband connection through cable and the cable modem is
> connected to a Linksys cable/dsl router (befsr41). I have a couple
> of Windows machines and a Mandrake 9.0 box connected to the router.
> They each get a static IP address (the 192.168.1.xxx kind).
>
> - Mandrake 9 comes with Shorewall preinstalled. But I couldn't get
> it to allow my Windows machines to talk to servers running on the
> Linux box (samba, apache, ssh, etc.).
>
> - Basically what I want is to have the firewall *not* blocking any
> connections from my local machines. How do I set it up?
>
> I looked through the documentation on the web site, and I still don't
> have a clue and couldn't get it to work. Any help is appreciated.
> Thanks.

Mandrake chose to ship Shorewall with a configuration different from any that I provide or recommend. Mandrake haven't sent me the copy of 9.0 that I ordered from them two weeks ago and I can't support their installation of Shorewall unless I can at least see it. I therefore suggest that you refer questions about Shorewall on Mandrake to Mandrakesoft. At such time as I receive my CDs, I will install 9.0 and will then be in a position to support Shorewall on Mandrake 9.0.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

I run shorewall on mdk 9.0 (Cooker) too, but AFAIR the packages don't use the latest shorewall version. I set it up using 1.3.9a, without too many problems.

You seem to have 2 zones, fw & loc, so:
  - either open each needed port in /etc/shorewall/rules from loc->fw (refer to /etc/services to find which ports you need to open)
  - or open all ports from loc->fw in /etc/shorewall/policy.

Caution: this is newbie advice, I strongly recommend a free dive in Tom's excellent documentation!

Jérémie

On Sunday 13 October 2002 15:18, Wai Yung wrote:
> Hi,
>
> I'm a newbie when it comes to firewalls and Linux. I've been having
> a difficult time trying to configure Shorewall on Mandrake 9.0.
> Here's my problem:
>
> - I have a broadband connection through cable and the cable modem is
> connected to a Linksys cable/dsl router (befsr41). I have a couple
> of Windows machines and a Mandrake 9.0 box connected to the router.
> They each get a static IP address (the 192.168.1.xxx kind).
>
> - Mandrake 9 comes with Shorewall preinstalled. But I couldn't get
> it to allow my Windows machines to talk to servers running on the
> Linux box (samba, apache, ssh, etc.).
>
> - Basically what I want is to have the firewall *not* blocking any
> connections from my local machines. How do I set it up?
>
> I looked through the documentation on the web site, and I still don't
> have a clue and couldn't get it to work. Any help is appreciated.
> Thanks.
>
> wy
--
Future Is Free, Fight Against Bill & Friends
Linux User # 274160
Linux Boxes #157052, 157053, 157054
MandrakeClub Member
Tarax wrote:
> Hi,
>
> I run shorewall on mdk 9.0 (Cooker) too, but AFAIR the packages don't use the latest
> shorewall version.
> I set it up using 1.3.9a, without too many problems.

Wy -- if you choose to do this, I suggest that you

  cd /etc
  mv shorewall shorewall.mdk
  mkdir shorewall

Then upgrade to shorewall-1.3.9a.

  rpm -Uvh /<whereyoudownloaded>/shorewall-1.3.9a-1.noarch.rpm

Then follow the instructions at http://www.shorewall.net/two-interface.htm.

The above sequence of commands will ensure that the Shorewall configuration from shorewall-1.3.9a and my two-interface sample will be installed on your system and that none of the Mandrake configuration will remain. It is then a pretty simple process if you follow the two-interface guide.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

I tried to modify the /etc/shorewall/policy file, putting a line

  loc fw ACCEPT

there, and also added a "loc" zone in /etc/shorewall/zones. But it didn't work.

One of the things I don't understand is whether I need to specify another interface in /etc/shorewall/interfaces. It already has one like this:

  net eth0 detect

I tried to add another line specifying the loc zone with eth0, but that didn't work either.

wy

On Sun, 13 Oct 2002, Tarax wrote:
> Hi,
>
> I run shorewall on mdk 9.0 (Cooker) too, but AFAIR the packages don't use the latest
> shorewall version.
> I set it up using 1.3.9a, without too many problems.
> You seem to have 2 zones, fw & loc, so:
>   - either open each needed port in /etc/shorewall/rules from loc->fw (refer
> to /etc/services to find which ports you need to open)
>   - or open all ports from loc->fw in /etc/shorewall/policy.
>
> Caution: this is newbie advice, I strongly recommend a free dive in Tom's
> excellent documentation!
>
> Jérémie
>
> On Sunday 13 October 2002 15:18, Wai Yung wrote:
>> Hi,
>>
>> I'm a newbie when it comes to firewalls and Linux. I've been having
>> a difficult time trying to configure Shorewall on Mandrake 9.0.
>> Here's my problem:
>>
>> - I have a broadband connection through cable and the cable modem is
>> connected to a Linksys cable/dsl router (befsr41). I have a couple
>> of Windows machines and a Mandrake 9.0 box connected to the router.
>> They each get a static IP address (the 192.168.1.xxx kind).
>>
>> - Mandrake 9 comes with Shorewall preinstalled. But I couldn't get
>> it to allow my Windows machines to talk to servers running on the
>> Linux box (samba, apache, ssh, etc.).
>>
>> - Basically what I want is to have the firewall *not* blocking any
>> connections from my local machines. How do I set it up?
>>
>> I looked through the documentation on the web site, and I still don't
>> have a clue and couldn't get it to work. Any help is appreciated.
>> Thanks.
>>
>> wy
>
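A small model of the two choices Tarax lists (per-port rules in /etc/shorewall/rules versus an open loc->fw policy) applied to Wai's single-NIC box, as an added example that is not code from this thread or from Shorewall itself. It reads the same whitespace-separated layouts and applies the rules-before-policy order Shorewall uses; the loc zone placed on eth0 through /etc/shorewall/hosts, the port lists and the sample addresses are constructed assumptions, not anything posted here.

```python
import ipaddress

# Constructed sample files for the thread's setup (one NIC, eth0, LAN 192.168.1.0/24).
# One interface cannot be listed under two zones in /etc/shorewall/interfaces; the
# assumption here is Shorewall's hosts-file syntax, where "-" in the ZONE column of
# interfaces hands eth0 to zones defined by "zone iface:network" entries in hosts.
HOSTS = """
#ZONE   HOST(S)
loc     eth0:192.168.1.0/24
"""
# Tarax's first option: open only the needed ports from loc to the firewall (fw).
RULES = """
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22,80,139,445
ACCEPT  loc     fw      udp     137,138
"""
# The policy is consulted only when no rule matched; the first matching row wins.
POLICY = """
#SOURCE DEST    POLICY
loc     fw      REJECT
net     all     DROP
all     all     REJECT
"""
# Tarax's second option: no per-port rules, everything from loc to fw accepted.
OPEN_POLICY = "loc fw ACCEPT\nnet all DROP\nall all REJECT\n"

def parse(table):
    """Rows of a Shorewall-style table as field lists, comments and blanks dropped."""
    rows = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_of(src_ip, hosts=HOSTS, default="net"):
    """Zone of a source address from hosts entries; anything else is the net zone."""
    for zone, spec in parse(hosts):
        network = spec.split(":", 1)[1]
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(network):
            return zone
    return default

def verdict(src_ip, proto, port, rules=RULES, policy=POLICY):
    """Decide a connection to the firewall box: rules first, then the policy table."""
    zone = zone_of(src_ip)
    for action, src, dst, rproto, ports in parse(rules):
        # Only comma-separated port lists are modelled, not Shorewall port ranges.
        if src == zone and dst == "fw" and rproto == proto and str(port) in ports.split(","):
            return action
    for src, dst, action in parse(policy):
        if src in (zone, "all") and dst in ("fw", "all"):
            return action
    return "DROP"  # no policy row matched; a complete policy file ends with "all all"
```

With the per-port rules, a LAN request for a port that is not listed falls through to the `loc fw REJECT` row, which is the symptom Wai describes; with the open policy every LAN connection to the box is accepted while the net zone is still dropped.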
I'll give it a try. It turns out MDK9 ships with shorewall v1.3.7c.

Thanks
wy

On Sun, 13 Oct 2002, Tom Eastep wrote:
> Wy -- if you choose to do this, I suggest that you
>
> cd /etc
> mv shorewall shorewall.mdk
> mkdir shorewall
>
> Then upgrade to shorewall-1.3.9a.
>
> rpm -Uvh /<whereyoudownloaded>/shorewall-1.3.9a-1.noarch.rpm
>
> Then follow the instructions at http://www.shorewall.net/two-interface.htm.
>
> The above sequence of commands will ensure that the Shorewall
> configuration from shorewall-1.3.9a and my two-interface sample will be
> installed on your system and that none of the Mandrake configuration will
> remain. It is then a pretty simple process if you follow the two-interface
> guide.
>
> -Tom
>
Wai Yung wrote:
> I'll give it a try. It turns out MDK9 ships with
> shorewall v1.3.7c. Thanks
>

9b is the current version -- so substitute 9b in the instructions from my previous post.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Sunday 13 October 2002 16:04, Tom Eastep wrote:
> Tarax wrote:
> > Hi,
> >
> > I run shorewall on mdk 9.0 (Cooker) too, but AFAIR the packages don't use
> > the latest shorewall version.
> > I set it up using 1.3.9a, without too many problems.
>
> Wy -- if you choose to do this, I suggest that you
>
> cd /etc
> mv shorewall shorewall.mdk
> mkdir shorewall
>
> Then upgrade to shorewall-1.3.9a.
>
> rpm -Uvh /<whereyoudownloaded>/shorewall-1.3.9a-1.noarch.rpm
>
> Then follow the instructions at http://www.shorewall.net/two-interface.htm.
>
> The above sequence of commands will ensure that the Shorewall
> configuration from shorewall-1.3.9a and my two-interface sample will be
> installed on your system and that none of the Mandrake configuration will
> remain. It is then a pretty simple process if you follow the two-interface
> guide.
>
> -Tom

Hi Tom,

What I actually meant was that I preferred installing your packages rather than Mdk's.
As you grouped all the conf in a few files, Mdk's web admin tool seemed useless and less didactic to me, as well as an additional source of problems.

Best regards
Jérémie
--
Future Is Free, Fight Against Bill & Friends
Linux User # 274160
Linux Boxes #157052, 157053, 157054
MandrakeClub Member
Tarax wrote:
>
>
> Hi Tom,
>
> What I actually meant was that I preferred installing your packages rather
> than Mdk's.
> As you grouped all the conf in a few files, Mdk's web admin tool seemed useless and
> less didactic to me, as well as an additional source of problems.
>

In this case however, Wai already had the mdk package installed and I didn't know if there were any dependencies on it. Seemed like the safest thing to do in that case was to upgrade.

Since Wai had modified some of the MDK files, the corresponding files from my RPM would have been installed as .rpmnew had the old ones been left in /etc/shorewall. That is why I advised that /etc/shorewall be renamed and a clean one created prior to the upgrade.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:
>
>
> Wai Yung wrote:
>
>> Hi,
>>
>> It seems that the mdk package doesn't have any dependencies. But I do
>> think it's a good idea to back up and upgrade. Since MDK's control center
>> program (drakconf) also plays with the config files. The problem I have with
>> drakconf is it's not flexible. You either select the few services it lists to
>> disable/enable or specify the protocol and port yourself. (and it won't even
>> show you which ports you specified afterward.)
>>
>> On the other hand, Tarax suggested that I should have another network
>> card to serve the local network. (so I can specify eth0 to zone 'net' and
>> eth1 to zone 'local') I wonder is it almost a requirement to get things to
>> work?
>
>
> No -- you can have a one-armed firewall but see below.
>
>> Because that would mean I should have two nics installed on each machine
>> and get another hub along with my cable/dsl router. If possible I don't
>> want to do that because it's just a small home network of 3 machines, and
>> I thought that router would be good enough. The router itself also claims
>> to be a firewall, but I thought I should still run shorewall just in
>> case...
>>
>
> If you just want to protect the linux machine itself, you can still use
> Shorewall.
> -Tom

Using a one-armed firewall to protect multiple systems is largely security by obscurity and wouldn't add anything over what is provided by your cable/dsl router.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net