Version 1.0 of the Quick Start Guide and accompanying sample configurations is available at:

http://www.shorewall.net/shorewall_quickstart_guide.htm.

Comments and suggestions are most welcome.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> Version 1.0 of the Quick Start Guide and accompanying sample
> configurations is available at:
>
> http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> Comments and suggestions are most welcome.

Very useful!

... here follow some of my humble suggestions; you decide whether to insert or throw them away.

1) --------------
The example

    ACCEPT loc dmz:192.168.2.4`tcp 80 - 206.124.146.176

has a stray "`" between "4" and "tcp".

2) ----------------
The general format for an ACCEPT rule for port forwarding:

    ACCEPT net <server zone>:<server local ip address> \
        <protocol> <port> - <dest ip addr>

should probably be:

    ACCEPT net <server zone>:<server local ip address>[:<local-port>] \
        <protocol> <dest port> - <dest ip addr>

3) ----------------
I would suggest adding to the section "Port Forwarding" the following example, for systems that have only one or a few IPs and must redirect the same service to several internal hosts:

    ACCEPT loc dmz:192.168.2.11:81 tcp 80 - 206.124.146.176
    ACCEPT loc dmz:192.168.2.12:82 tcp 80 - 206.124.146.176

The internet client must connect using:

    # links http://206.124.146.176:81

to connect from the Internet to the HTTPD running on 192.168.2.11, and

    # links http://206.124.146.176:82

to connect from the Internet to the HTTPD running on 192.168.2.12.

-0-
Thanks
-------
Dario Lesca (d.lesca@osra.it)
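An added example, not from the original thread or from Shorewall itself: a small Python model of the rules-file columns discussed above (ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST). It assumes the column meanings the Quick Start Guide uses for port forwarding: DEST PORT is the port the client connects to on ORIGINAL DEST, and a trailing :port on the DEST server address is the port the connection is redirected to. The iptables commands it emits are a simplified illustration of what such a rule amounts to (a DNAT in nat/PREROUTING plus a FORWARD accept), not Shorewall's actual generated rule set, and the rule lines fed in are constructed from the examples in this thread.

```python
"""Model of Shorewall 1.x port-forwarding rule lines.

Column order (from the Quick Start Guide's rules file):
    ACTION  SOURCE  DEST[:server-ip[:server-port]]  PROTO  DEST_PORT  SOURCE_PORT  ORIGINAL_DEST

Assumed semantics (as in the guide): DEST_PORT is the port the client
connects to on ORIGINAL_DEST; an optional :server-port on DEST is where the
connection is redirected.  The iptables lines produced here are a simplified
illustration, not what Shorewall itself generates.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortForward:
    source_zone: str
    server_zone: str
    server_ip: str
    server_port: Optional[str]   # None -> same port the client used
    proto: str
    client_port: str             # DEST PORT column: port the client connects to
    source_port: Optional[str]   # None when the column is '-'
    original_dest: str           # public address the client connects to

    @property
    def target_port(self) -> str:
        """Port the connection lands on at the internal server."""
        return self.server_port or self.client_port


def parse_rule(line: str) -> Optional[PortForward]:
    """Return a PortForward for an ACCEPT rule that names a server address.

    Plain ACCEPT rules (DEST is just a zone) are not port forwarding; None.
    """
    fields = line.split()
    if len(fields) < 7 or fields[0] != "ACCEPT":
        return None
    _, src, dest, proto, dport, sport, odest = fields[:7]
    parts = dest.split(":")
    if len(parts) < 2 or odest == "-":
        return None
    zone, ip = parts[0], parts[1]
    server_port = parts[2] if len(parts) > 2 else None
    return PortForward(src, zone, ip, server_port, proto, dport,
                       None if sport == "-" else sport, odest)


def iptables_commands(pf: PortForward) -> List[str]:
    """Simplified iptables equivalent: DNAT on the public port, then allow the forward."""
    sport = f" --sport {pf.source_port}" if pf.source_port else ""
    return [
        f"iptables -t nat -A PREROUTING -p {pf.proto} -d {pf.original_dest}"
        f"{sport} --dport {pf.client_port} -j DNAT"
        f" --to-destination {pf.server_ip}:{pf.target_port}",
        f"iptables -A FORWARD -p {pf.proto} -d {pf.server_ip}"
        f" --dport {pf.target_port} -j ACCEPT",
    ]


def summarize(rule_text: str) -> List[Tuple[str, str]]:
    """Map each forwarding rule to (what the client connects to, where it lands)."""
    out = []
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pf = parse_rule(line)
        if pf:
            out.append((f"{pf.original_dest}:{pf.client_port}/{pf.proto}",
                        f"{pf.server_ip}:{pf.target_port}"))
    return out


# Constructed rule lines based on the examples in this thread (not a real rules file).
EXAMPLE_RULES = """
# Quick Start Guide form: public port 80 -> DMZ web server, same port
ACCEPT  net  dmz:192.168.2.4      tcp  80  -  206.124.146.176
# Same service on two internal hosts behind one public address: clients
# use 206.124.146.176:81 and :82, each server keeps listening on its own port 80
ACCEPT  net  dmz:192.168.2.11:80  tcp  81  -  206.124.146.176
ACCEPT  net  dmz:192.168.2.12:80  tcp  82  -  206.124.146.176
# Plain accept with no server address: not port forwarding, skipped
ACCEPT  loc  net                  tcp  80  -  -
"""

if __name__ == "__main__":
    for client, server in summarize(EXAMPLE_RULES):
        print(f"{client:28} -> {server}")
    # Rule as written in the thread: client port 80 redirected to server port 81
    pf = parse_rule("ACCEPT net dmz:192.168.2.11:81 tcp 80 - 206.124.146.176")
    print("\n".join(iptables_commands(pf)))
```

Running the block shows why the two rule forms differ: with `dmz:192.168.2.11:81 tcp 80`, clients still connect to port 80 on the public address and the connection is redirected to port 81 on the server; to have clients connect to `206.124.146.176:81` while the server listens on 80, the client port belongs in the DEST PORT column and the server port after the server address.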
On Tue, 9 Apr 2002 17:20:47 -0700 (Pacific Daylight Time) Tom Eastep <teastep@shorewall.net> wrote:

> Version 1.0 of the Quick Start Guide and accompanying sample
> configurations is available at:
>
> http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> Comments and suggestions are most welcome.

Impressively quickly done. I have a few idiot questions that arise:

I wasn't clear about the zones in a standalone system. The document implies that you just have "net", but shouldn't there be a zone for the machine too, i.e. for 127.0.0.1? I thought there ought to be a rule that permits everything that doesn't go outside the machine, otherwise you may not be able to print, which I can't with the default setup (using CUPS).

Also, I assume my CM is outside the fw and is thus part of the net zone, but I wasn't clear how to define a rule that allowed me to get my browser to connect to its IP (192.168.100.1) to read the status info, given the norfc1918 option. I tried

    ACCEPT net:192.168.100.1 fw tcp 80

but that didn't work.

FYI, one tiny typo in the ZONE line of interfaces: "Much match" -> "Must match"?

- Richard.
--
Richard Kimber
Political Science Resources  http://www.psr.keele.ac.uk/
UK-Euro FAQ                  http://www.psr.keele.ac.uk/docs/efaq.htm