Hi All,

The only Internet connection our LAN has is via a proxy server (remotely
located) which in ZONE is defined as prox and in HOSTS defined as prox
eth0:<proxy_ip>
Local Area Network is defined in ZONE as net and HOSTS defined as
eth0:<ip_subnet>

Is it possible for shorewall to be a proxy server of the local area network
(net)?
and shorewall will then get the connection from the proxy server? (prox)

If so, how can I do this?

Thanks and best regards,
Kenneth Oncinian
Kenneth Oncinian <koncinian@pkme.panasonic.com.ph> writes:

> Hi All,
>
> The only Internet connection our LAN has is via a proxy server (remotely
> located) which in ZONE is defined as prox and in HOSTS defined as prox
> eth0:<proxy_ip>
> Local Area Network is defined in ZONE as net and HOSTS defined as
> eth0:<ip_subnet>
>
> Is it possible for shorewall to be a proxy server of the local area network
> (net)?
> and shorewall will then get the connection from the proxy server? (prox)
>
> If so, how can I do this?

You sent your message to shorewall-announce. This list is solely for
announcements (new versions and the like), not for support requests!

Please re-send your message to shorewall-users:

http://lists.shorewall.net/mailman/listinfo/shorewall-users

Tom, I don't recall getting inappropriate messages to shorewall-announce in
the past, yet we've had three in just the past few days.

Any ideas? Was the list previously moderated and is no longer or something?

I've sent my message to the list this time rather than to just the
individual, so that hopefully people get the message...

--
Dan Harkless
shorewall@harkless.org
http://harkless.org/dan/
On Tue, 19 Aug 2003, Kenneth Oncinian wrote:

> Hi All,
>
> The only Internet connection our LAN has is via a proxy server (remotely
> located) which in ZONE is defined as prox and in HOSTS defined as prox
> eth0:<proxy_ip>
> Local Area Network is defined in ZONE as net and HOSTS defined as
> eth0:<ip_subnet>
>
> Is it possible for shorewall to be a proxy server of the local area network
> (net)?
> and shorewall will then get the connection from the proxy server? (prox)
>
> If so, how can I do this?
>

Shorewall is not a proxy server. You can run a proxy server such as Squid on
the Shorewall system however -- see
http://shorewall.net/Shorewall_Squid_Usage.html

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 18 Aug 2003, Dan Harkless wrote:

>
> Tom, I don't recall getting inappropriate messages to shorewall-announce in
> the past, yet we've had three in just the past few days.
>
> Any ideas? Was the list previously moderated and is no longer or something?

I haven't a clue.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 2003-08-18 at 21:46, Tom Eastep wrote:

> On Mon, 18 Aug 2003, Dan Harkless wrote:
>
> >
> > Tom, I don't recall getting inappropriate messages to shorewall-announce in
> > the past, yet we've had three in just the past few days.
> >
> > Any ideas? Was the list previously moderated and is no longer or something?
>
> I haven't a clue.
>

The Shorewall-announce list continues to be set for member-only posting but
I've also set the option to moderate all new members' posts. This should stop
the type of clueless postings we've seen recently.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-19 17:08 UTC
[Shorewall-users] Re: [Shorewall-announce] help with DNAT rule
On Wed, 20 Aug 2003, Kenneth Oncinian wrote:

> On Tuesday 19 August 2003 11:20 pm, you wrote:
>
> Good Morning Mr. Tom,
>
> The proxy server is external, located overseas, The idea is to control
> internet access from LAN, so maybe I was kind of thinking that instead of
> the clients proxy settings points to the external ip address, it can be
> pointed to shorewall or something so it can be controlled.
>

What kind of control do you need?

> I don't have a clue how to control Internet access since proxy server is
> external and is open to our router so anyone from the LAN can access it.
>

Well -- you have a firewall in between so you can control access at a very
gross level.

> Hope I have explained this clearly, I really need to have a control about the
> access to the proxy server.
>
>

I'm copying your post to the Shorewall User's list -- I simply don't have the
time to deal with people's problems individually. If I answer your question
off-list and someone asks the same question tomorrow then I have to answer it
again tomorrow.

-Tom
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Kenneth Oncinian
2003-Aug-19 17:18 UTC
[Shorewall-users] Re: [Shorewall-announce] help with DNAT rule
On Wednesday 20 August 2003 8:08 am, you wrote:

> On Wed, 20 Aug 2003, Kenneth Oncinian wrote:
> > On Tuesday 19 August 2003 11:20 pm, you wrote:
> >
> > Good Morning Mr. Tom,
> >
> > The proxy server is external, located overseas, The idea is to control
> > internet access from LAN, so maybe I was kind of thinking that instead of
> > the clients proxy settings points to the external ip address, it can be
> > pointed to shorewall or something so it can be controlled.
>
> What kind of control do you need?

Control like whitelist, blacklist clients which can access the external proxy
server, like that. So my thinking instead of them directly pointing to the
external ip, shorewall will be the gateway (or proxy?) of LAN and access the
external ip from it.

> > I don't have a clue how to control Internet access since proxy server is
> > external and is open to our router so anyone from the LAN can access it.
>
> I'm copying your post to the Shorewall User's list -- I simply don't
> have the time to deal with people's problems individually. If I answer
> your question off-list and someone asks the same question tomorrow
> then I have to answer it again tomorrow.

Thank you very much, I understand :-).
Tom Eastep
2003-Aug-19 17:24 UTC
[Shorewall-users] Re: [Shorewall-announce] help with DNAT rule
On Wed, 20 Aug 2003, Kenneth Oncinian wrote:

> On Wednesday 20 August 2003 8:08 am, you wrote:
> > On Wed, 20 Aug 2003, Kenneth Oncinian wrote:
> > > On Tuesday 19 August 2003 11:20 pm, you wrote:
> > >
> > > Good Morning Mr. Tom,
> > >
> > > The proxy server is external, located overseas, The idea is to control
> > > internet access from LAN, so maybe I was kind of thinking that instead of
> > > the clients proxy settings points to the external ip address, it can be
> > > pointed to shorewall or something so it can be controlled.
> >
> > What kind of control do you need?
>
> Control like whitelist, blacklist clients which can access the external proxy
> server, like that. So my thinking instead of them directly pointing to the
> external ip, shorewall will be the gateway (or proxy?) of LAN and access the
> external ip from it.
>

Well, you can do that without running a proxy on the Shorewall box (if by
"client", you mean IP address).

Rather than define the external zone narrowly like you posted before, simply
define it to be all addresses accessible through the proxy. Then simply have
rules like:

    ACCEPT <local zone>:<client address> <net zone>:<proxy address> all

-Tom
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
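
The per-client allowlist described in the reply above, written out as a Shorewall policy and rules fragment; this is an added example, not part of the original thread. The zone names (`loc`, `net`), all addresses, and the proxy port 3128 are assumptions made for illustration, and the rules are narrowed from `all` to the assumed proxy port.

```text
# Added example; every name, address and port below is constructed.
#   loc         = the LAN zone
#   net         = all addresses reachable through the upstream link
#   192.0.2.10  = the external proxy, assumed to listen on tcp/3128

# --- /etc/shorewall/policy -------------------------------------------
# The ACCEPT rules only act as an allowlist if the default for
# loc -> net is to refuse; with an ACCEPT policy they restrict nothing.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    REJECT   info
all       all    REJECT   info

# --- /etc/shorewall/rules --------------------------------------------
# Allowlist: only these LAN clients may reach the proxy, and only on
# the proxy port. Everything else from loc falls through to the policy.
#ACTION   SOURCE           DEST              PROTO   DEST PORT(S)
ACCEPT    loc:10.0.0.15    net:192.0.2.10    tcp     3128
ACCEPT    loc:10.0.0.16    net:192.0.2.10    tcp     3128

# Blocklist variant: keep "loc net ACCEPT" in the policy file instead
# and refuse individual clients here.
#REJECT   loc:10.0.0.99    net:192.0.2.10    tcp     3128
```

These rules identify a client only by its source IP address, so they are only as strong as the control over address assignment on the LAN.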
Kenneth Oncinian
2003-Aug-19 17:40 UTC
[Shorewall-users] Re: [Shorewall-announce] help with DNAT rule
Thanks very much, I'll work on this now and report the progress if all ends
well :-).

On Wednesday 20 August 2003 8:24 am, Tom Eastep wrote:

> On Wed, 20 Aug 2003, Kenneth Oncinian wrote:
> > On Wednesday 20 August 2003 8:08 am, you wrote:
> > > On Wed, 20 Aug 2003, Kenneth Oncinian wrote:
> > > > On Tuesday 19 August 2003 11:20 pm, you wrote:
> > > >
> > > > Good Morning Mr. Tom,
> > > >
> > > > The proxy server is external, located overseas, The idea is to
> > > > control internet access from LAN, so maybe I was kind of thinking
> > > > that instead of the clients proxy settings points to the external ip
> > > > address, it can be pointed to shorewall or something so it can be
> > > > controlled.
> > >
> > > What kind of control do you need?
> >
> > Control like whitelist, blacklist clients which can access the external
> > proxy server, like that. So my thinking instead of them directly pointing
> > to the external ip, shorewall will be the gateway (or proxy?) of LAN and
> > access the external ip from it.
>
> Well, you can do that without running a proxy on the Shorewall box (if by
> "client", you mean IP address).
>
> Rather than define the external zone narrowly like you posted before,
> simply define it to be all addresses accessible through the proxy. Then
> simply have rules like:
>
>     ACCEPT <local zone>:<client address> <net zone>:<proxy address> all
>
> -Tom
>
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,      \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net