Shorewall users - Aug 2002 - how to limit connections from certains inet subnet the best way?

Hello all,

i am new to shorewall and i already have a question ;)

i am running a mailserver in my dmz (or actually this will be when evertything
will be working fine with shorewall) with public ip addresses.. i have a subnet
of 8 ip addresses (255.255.255.248 mask) and i was planning of the classic 3 nic
(eth0-2) setup... the dmz should work with proxy-arping...=20

now my quesion is regarding the mailserver in the dmz.. my mailserver is only
getting mails from an external  mailscanning/antivirus provider. so its ip is
nowhere in any MX records or whatsoever. so i want to limit the smtp traffic to
some subnets which belong to the mailscanning/antivir provider out on the inet..

how would i do this the best way.. define another zone called
netmailscanningserviceprovider add the subnets of the mailscanner company to
that zone and then only allow traffic from that net to the dmz zone?  that
mailnet zone would be also on eth0 (external nic) right?

is this the best way or rather something else?

thanks already and cheers,
Andy Bittner

On Tue, 20 Aug 2002, Andreas Bittner wrote:
> 
> is this the best way or rather something else?
> 
Wouldn''t it be easier to just:

ACCEPT	net:<subnet of scanner>	dmz:<ip of server>	tcp	smtp

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

hello tom,

i was already using that mehtod. was just thinking about this in case i get more
subnets by the provider  from where smtp traffic can arrive.. or in general what
other applications would there be for zones on the net interface.. other zones
than net itself.. or does it make sense to use host definitions?

thanks again for your quick reply,
cheers,
andy


----- Original Message -----=20
From: "Tom Eastep" <teastep@shorewall.net>
To: "Andreas Bittner" <bittner@rz.fh-heilbronn.de>
Cc: <shorewall-users@shorewall.net>
Sent: Wednesday, August 21, 2002 12:23 AM
Subject: Re: [Shorewall-users] how to limit connections from certains inet
subnet the best way?

> On Tue, 20 Aug 2002, Andreas Bittner wrote:
>=20
> >=20
> > is this the best way or rather something else?
> >=20
>=20
> Wouldn''t it be easier to just:
>=20
> ACCEPT net:<subnet of scanner> dmz:<ip of server> tcp smtp
>=20
> -Tom
> --=20
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>=20
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>=20

On Wednesday 21 August 2002 07:31 am, Andreas Bittner wrote:
> i was already using that mehtod. was just thinking about this in case i get
> more subnets by the provider  from where smtp traffic can arrive.. or in
> general what other applications would there be for zones on the net
> interface.. other zones than net itself.. or does it make sense to use host
> definitions?
I think that it makes sense to define sub-zones where the sub-zone has one or=20
more policies that are different from the parent zone. If there are no policy=20
differences then I prefer to simply use rules.

-Tom
--=20
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

hi all,

i was wondering what would be considered the normal policy for the fw to inet
acess... should my $FW get full access to inet? i want to run squid for the
dmz/loc on the fw itself, and it has 3 nics, one for dmz with proxy arping
(net+dmz nic) ...=20

should i manually add rules that allow the fw (and so the squid on it) to acces
the net with http/https/ftp or should i just add a policy for FW net accept  ??

whats considered the best way.. i am asking cos i have read about occasional
problems for example with some ports and related connects for various
situations... so is it better just to give full access to the inet for thhe fw
or add special rules for the fw and close down the rest (rgarding inet zone)...?

thnks again, and great job with shorewall. i really apreciate it.

cheers,
andy

On Wednesday 21 August 2002 12:54 pm, Andreas Bittner
wrote:
> hi all,
>
> i was wondering what would be considered the normal policy for the fw to
> inet acess... should my $FW get full access to inet? i want to run squid
> for the dmz/loc on the fw itself, and it has 3 nics, one for dmz with proxy
> arping (net+dmz nic) ...
>
You can see my recommendation at http://www.shorewall.net/myfiles.htm -- I=20
personally think that you should know EVERYTHING that your firewall sends to=20
the net so my effective fw->net policy is REJECT).
> should i manually add rules that allow the fw (and so the squid on it) to
> acces the net with http/https/ftp or should i just add a policy for FW net
> accept  ??
That''s my philosophy.
>
> whats considered the best way.. i am asking cos i have read about
> occasional problems for example with some ports and related connects for
> various situations... so is it better just to give full access to the inet
> for thhe fw or add special rules for the fw and close down the rest
> (rgarding inet zone)...?
Only if you are lazy...
>
> thnks again, and great job with shorewall. i really apreciate it.
>
You''re welcome!

-Tom
--=20
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net