Andreas Bittner
2002-Aug-20 20:35 UTC
[Shorewall-users] how to limit connections from certain inet subnets the best way?
Hello all,

I am new to Shorewall and I already have a question ;)

I am running a mailserver in my DMZ (or actually this will be the case when everything is working fine with Shorewall) with public IP addresses. I have a subnet of 8 IP addresses (255.255.255.248 mask) and I was planning on the classic 3-NIC (eth0-2) setup. The DMZ should work with proxy ARP.

Now my question is regarding the mailserver in the DMZ. My mailserver is only getting mail from an external mail-scanning/antivirus provider, so its IP is nowhere in any MX records or whatsoever. So I want to limit the SMTP traffic to some subnets out on the inet which belong to the mail-scanning/antivirus provider. How would I do this the best way? Define another zone called netmailscanningserviceprovider, add the subnets of the mailscanner company to that zone and then only allow traffic from that net to the dmz zone? That mailnet zone would also be on eth0 (external NIC), right? Is this the best way, or rather something else?

Thanks already and cheers,
Andy Bittner
Tom Eastep
2002-Aug-20 22:23 UTC
[Shorewall-users] how to limit connections from certain inet subnets the best way?
On Tue, 20 Aug 2002, Andreas Bittner wrote:

> is this the best way or rather something else?

Wouldn't it be easier to just:

ACCEPT net:<subnet of scanner> dmz:<ip of server> tcp smtp

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Andreas Bittner
2002-Aug-21 14:31 UTC
[Shorewall-users] how to limit connections from certain inet subnets the best way?
Hello Tom,

I was already using that method. I was just thinking about this in case I get more subnets from the provider from where SMTP traffic can arrive. Or, in general, what other applications would there be for zones on the net interface, other zones than net itself? Or does it make sense to use host definitions?

Thanks again for your quick reply,
cheers, Andy

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Andreas Bittner" <bittner@rz.fh-heilbronn.de>
Cc: <shorewall-users@shorewall.net>
Sent: Wednesday, August 21, 2002 12:23 AM
Subject: Re: [Shorewall-users] how to limit connections from certain inet subnets the best way?

> On Tue, 20 Aug 2002, Andreas Bittner wrote:
>
> > is this the best way or rather something else?
>
> Wouldn't it be easier to just:
>
> ACCEPT net:<subnet of scanner> dmz:<ip of server> tcp smtp
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Aug-21 15:58 UTC
[Shorewall-users] how to limit connections from certain inet subnets the best way?
On Wednesday 21 August 2002 07:31 am, Andreas Bittner wrote:

> i was already using that method. was just thinking about this in case i get
> more subnets by the provider from where smtp traffic can arrive.. or in
> general what other applications would there be for zones on the net
> interface.. other zones than net itself.. or does it make sense to use host
> definitions?

I think that it makes sense to define sub-zones where the sub-zone has one or more policies that are different from the parent zone. If there are no policy differences then I prefer to simply use rules.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
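The two approaches Tom contrasts above, written out as Shorewall configuration fragments. This is an added example, not from the original thread or from the Shorewall project; the provider subnets (192.0.2.0/24, 198.51.100.128/25) and the DMZ mailserver address (203.0.113.10) are made-up documentation addresses, and the file layout follows the classic whitespace-separated column format (zones, interfaces, hosts, policy, rules). Check the fragments against your own Shorewall version with `shorewall check` before using them.

```text
### Approach 1: plain rules, no extra zone (what Tom recommends when no
### policy differs). One ACCEPT line per provider subnet; everything else
### from net to the mailserver falls through to the net->dmz policy.

# /etc/shorewall/rules
#ACTION   SOURCE                    DEST                PROTO   DEST PORT(S)
ACCEPT    net:192.0.2.0/24          dmz:203.0.113.10    tcp     25
ACCEPT    net:198.51.100.128/25     dmz:203.0.113.10    tcp     25

### Approach 2: a sub-zone of net, only worth it if the sub-zone needs
### its own policy. Here the difference is logging: random scanners on
### the internet are DROPped silently, while anything unexpected coming
### from the provider's subnets is REJECTed and logged, so a change on
### their side shows up in syslog instead of disappearing.

# /etc/shorewall/zones   (a sub-zone must be listed BEFORE its parent zone)
#ZONE      DISPLAY    COMMENTS
mailscan   MailScan   Mail scanning / antivirus provider (subset of net)
net        Net        Internet
dmz        DMZ        Public /29 reached via proxy ARP
loc        Local      Internal LAN

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/hosts   (the provider's hosts also arrive on eth0)
#ZONE      HOST(S)                    OPTIONS
mailscan   eth0:192.0.2.0/24
mailscan   eth0:198.51.100.128/25

# /etc/shorewall/policy
#SOURCE    DEST   POLICY   LOG LEVEL
mailscan   dmz    REJECT   info
net        dmz    DROP
net        all    DROP     info
all        all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE     DEST                PROTO   DEST PORT(S)
ACCEPT    mailscan   dmz:203.0.113.10    tcp     25
```

In approach 2 the order of the zones file matters: because a packet from 192.0.2.5 matches both mailscan and net, the more specific zone has to come first so that its policy and rules are evaluated before the generic net ones. Adding a new provider subnet later is one extra line in the hosts file rather than a copy of every SMTP rule.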
Andreas Bittner
2002-Aug-21 19:54 UTC
[Shorewall-users] whats the best policy for fw->net ?
Hi all,

I was wondering what would be considered the normal policy for the fw to inet access. Should my $FW get full access to the inet? I want to run Squid for the dmz/loc on the fw itself, and it has 3 NICs, one for the DMZ with proxy ARP (net+dmz NIC).

Should I manually add rules that allow the fw (and so the Squid on it) to access the net with http/https/ftp, or should I just add a policy for fw net ACCEPT? What's considered the best way? I am asking because I have read about occasional problems, for example with some ports and related connects for various situations. So is it better just to give full access to the inet for the fw, or add special rules for the fw and close down the rest (regarding the inet zone)?

Thanks again, and great job with Shorewall. I really appreciate it.

cheers, Andy
On Wednesday 21 August 2002 12:54 pm, Andreas Bittner wrote:

> hi all,
>
> i was wondering what would be considered the normal policy for the fw to
> inet access... should my $FW get full access to inet? i want to run squid
> for the dmz/loc on the fw itself, and it has 3 nics, one for dmz with proxy
> arping (net+dmz nic) ...

You can see my recommendation at http://www.shorewall.net/myfiles.htm -- I personally think that you should know EVERYTHING that your firewall sends to the net so my effective fw->net policy is REJECT.

> should i manually add rules that allow the fw (and so the squid on it) to
> access the net with http/https/ftp or should i just add a policy for FW net
> accept ??

That's my philosophy.

> whats considered the best way.. i am asking cos i have read about
> occasional problems for example with some ports and related connects for
> various situations... so is it better just to give full access to the inet
> for the fw or add special rules for the fw and close down the rest
> (regarding inet zone)...?

Only if you are lazy...

> thanks again, and great job with shorewall. i really appreciate it.

You're welcome!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
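What a "fw->net REJECT plus explicit rules" setup looks like for the Squid-on-the-firewall case in the question. This is an added example, not from the thread, from Tom's myfiles page or from the Shorewall project; the port list is an assumption about what a Squid box typically needs (proxy listener, HTTP/HTTPS out, FTP control, DNS, NTP) and should be trimmed to what the host actually uses. Classic column format, to be verified with `shorewall check` on the version you run.

```text
# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    REJECT   info     # the firewall itself gets nothing without a rule; logged so a missing rule is visible
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# clients reaching the proxy on the firewall (Squid's default listener is 3128)
ACCEPT    loc      fw     tcp     3128
ACCEPT    dmz      fw     tcp     3128
# what Squid, running as the firewall, needs outbound
ACCEPT    fw       net    tcp     80,443        # http/https fetches
ACCEPT    fw       net    tcp     21            # ftp control channel; the data channel needs the FTP connection-tracking helper loaded
ACCEPT    fw       net    udp     53            # resolver
ACCEPT    fw       net    tcp     53            # resolver, large answers
ACCEPT    fw       net    udp     123           # ntp, drop this line if the box does not sync time
```

The point of REJECT-with-logging rather than ACCEPT for fw->net is the one Tom makes: every connection the firewall opens on its own behalf is either in this short list or in the log. If the FTP "related connects" problem the question mentions shows up, it appears as logged rejects from the firewall to the remote data port rather than silently working or silently failing, and the fix is loading the FTP helper (via /etc/shorewall/modules on old releases), not widening the policy.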