This is a minor release of Shorewall which rolls up a number of bug fixes. New features include:

1. A NEWNOTSYN option has been added to shorewall.conf. This option determines whether Shorewall accepts TCP packets which are not part of an established connection and that are not "SYN" packets (SYN flag on and ACK flag off).

2. The need for the "multi" option to communicate between zones za and zb on the same interface is removed in the case where the chain "za2zb" and/or "zb2za" exists. "za2zb" will exist if:
   a. There is a policy for za to zb.
   b. There is at least one rule for za to zb.

3. The /etc/shorewall/blacklist file now contains three columns. In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and PORTS columns to block only certain applications from the blacklisted addresses.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Andreas Bittner
2002-Sep-16 17:59 UTC
[Shorewall-users] question relating rules for MASQed boxes on LOC
Hello all,

I am not sure if I get the general iptables concept correctly. Can I define rules for MASQed boxes on my internal LAN (loc) that connect to the inet through a linux shorewall box (using pppoe (ppp0) with a dsl connection with one single dynamic ip after each connect/"dialup")?

I have defined some rules that clients can only do ssh to the inet and ftp and some other things, but apparently, my loc boxes can simply do anything to the inet as soon as there is MASQ activated.

I activate masq with /etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
ppp0 192.168.150.0/24

...........

How can I, or can I in general, allow clients only certain ports/services to the inet, and so forth? Give only http/https access, but no ftp, or no ssh and so forth...

Am I misunderstanding the shorewall/iptables concept?

Thanks, Andy
Tom Eastep
2002-Sep-16 18:15 UTC
[Shorewall-users] question relating rules for MASQed boxes on LOC
Andreas Bittner wrote:
> Hello all,
>
> i am not sure if i get the general iptables concept correctly.
> Can i define rules for MASQed boxes on my internal LAN (loc) that
> connect to the inet through a linux shorewall box (using pppoe
> (ppp0) with a dsl connection with one single dynamic ip after
> each connect/"dialup").
>
> i have defined some rules that clients can only do ssh to the
> inet and ftp and some other things, but apparently, my loc
> boxes can simply do anything to the inet as soon as there
> is MASQ activated.
>
> I activate masq with /etc/shorewall/masq
>
> #INTERFACE SUBNET ADDRESS
> ppp0 192.168.150.0/24
>
> ...........
>
> how can, or can i in general allow clients only certain
> ports/services to the inet, and so forth? give only
> http/https access, but no ftp, or no ssh and so forth...
>
> am i misunderstanding the shorewall/iptables concept?

You are failing to grasp the significance of Shorewall Policies -- the default loc->inet policy is ACCEPT -- you must change that to REJECT or DROP (REJECT is preferred) before the ACCEPT rules that you add will make any difference...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
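To make the answer above concrete, here is an added example of the two files involved; it is not from the thread and not Shorewall's own shipped sample configuration. It assumes the zone names `loc` and `net` used by the standard Shorewall samples (the thread says "inet" informally), the `fw` zone for the firewall itself, and the column order of the 1.3-era policy and rules files. The commented-out policy line is the weak setting the questioner had; the lines that follow show the corrected policy and a rules file that then opens only web browsing and name resolution from the LAN.

```conf
# /etc/shorewall/policy
#
# Weak setting (assumed to match the questioner's file): an ACCEPT policy
# for loc->net is consulted after the rules, so every connection passes
# whether or not a rule matches, and the rules file cannot restrict anything.
#SOURCE   DEST    POLICY   LOG LEVEL
#loc      net     ACCEPT

# Corrected: deny loc->net by default and log what is refused. The other
# lines are the usual firewall-to-net and catch-all entries.
#SOURCE   DEST    POLICY   LOG LEVEL
loc       net     REJECT   info
fw        net     ACCEPT
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
#
# With the REJECT policy in place, only what is listed here is allowed from
# the masqueraded LAN to the internet. ssh and ftp are deliberately absent.
# The udp/53 line assumes the clients resolve names against external DNS
# servers; drop it if a resolver on the firewall or LAN is used instead.
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT    loc      net     tcp     80
ACCEPT    loc      net     tcp     443
ACCEPT    loc      net     udp     53
```

After editing both files, `shorewall restart` applies them; a client on 192.168.150.0/24 can then browse but an outbound ssh attempt is rejected and, because of the `info` log level, shows up in the kernel log, which is the quickest way to confirm the policy change actually took effect.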
Andreas Bittner
2002-Sep-16 18:19 UTC
[Shorewall-users] question relating rules for MASQed boxes on LOC
Hello there,

ok yes, you are right, i overlooked the accept in the policy file. I was wondering why everything was allowed already.

Thanks again for the quick answer,
Andy

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Andreas Bittner" <bittner@rz.fh-heilbronn.de>
Cc: <shorewall-users@shorewall.net>
Sent: Monday, September 16, 2002 8:15 PM
Subject: Re: [Shorewall-users] question relating rules for MASQed boxes on LOC

> Andreas Bittner wrote:
> > Hello all,
> > i am not sure if i get the general iptables concept correctly.
> > Can i define rules for MASQed boxes on my internal LAN (loc) that
> > connect to the inet through a linux shorewall box (using pppoe
> > (ppp0) with a dsl connection with one single dynamic ip after
> > each connect/"dialup").
> > i have defined some rules that clients can only do ssh to the
> > inet and ftp and some other things, but apparently, my loc
> > boxes can simply do anything to the inet as soon as there
> > is MASQ activated.
> > I activate masq with /etc/shorewall/masq
> > #INTERFACE SUBNET ADDRESS
> > ppp0 192.168.150.0/24
> > how can, or can i in general allow clients only certain
> > ports/services to the inet, and so forth? give only
> > http/https access, but no ftp, or no ssh and so forth...
> > am i misunderstanding the shorewall/iptables concept?
> You are failing to grasp the significance of Shorewall Policies -- the
> default loc->inet policy is ACCEPT -- you must change that to REJECT or
> DROP (REJECT is preferred) before the ACCEPT rules that you add will make
> any difference...
> -Tom
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net