Hi! I am a new user of shorewall and am very impressed with its flexible configuration. I am not very experienced with firewall configuration and know little about how various servers communicate, to/from which port, protocol etc. With my previous firewall package (rcf) I always used paranoid mode which would block anything that is not explicitly allowed. I am trying to recreate such a config with shorewall but this is obviously more difficult than a fairly open policy and rules must be created for everything.

Would it be an idea to give example configuration rules on the website for various setups and programs/protocols? For example which rules are needed to allow systems on the local net to use irc (which I haven't figured out yet) but also for other protocols like PPTP, IPSEC etc. etc. Also some example rulesets to allow various multiplayer games or stuff like icq, msn etc.

The 2 and 3 NIC example configuration files are a very good start but some things (especially IPSEC and PPTP) are very hard to set up correctly or to debug.

Remco

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--On Sunday, November 10, 2002 12:44:40 PM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> Would it be an idea to give example configuration rules on the website
> for various setups and programs/protocols?

Sure -- if someone wants to volunteer to create and test such sample rules, I'll be happy to publish them. I simply don't have the time or interest to mess around with MSN/H.323, edonkey, or any other application that I will never use. You are always free to look at my own configuration (http://shorewall.sf.net/myfiles.htm) which contains the rules for applications that I do use.

> For example which rules are needed to allow systems on the local net to
> use irc (which I haven't figured out yet)

You shouldn't need any if the ip_nat_irc and ip_conntrack_irc kernel modules are loaded and if you don't have a rule or policy blocking outbound ports 194 and 6667.

> The 2 and 3 NIC example configuration files are a very good start but
> some things (especially IPSEC and PPTP) are very hard to set up
> correctly or to debug.

Please have a look at http://shorewall.sf.net/PPTP.htm, http://shorewall.sf.net/IPSEC.htm and http://shorewall.sf.net/VPN.htm. How much more documentation do you need?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
> > Would it be an idea to give example configuration rules on the website
> > for various setups and programs/protocols?
>
> Sure -- if someone wants to volunteer to create and test such sample rules,
> I'll be happy to publish them. I simply don't have the time or interest to
> mess around with MSN/H.323, edonkey, or any other application that I will
> never use. You are always free to look at my own configuration
> (http://shorewall.sf.net/myfiles.htm) which contains the rules for
> applications that I do use.

Hereby I volunteer to make a very extensive example ruleset. I will send it to you so you can put it on the site. The setup I use is paranoid: the policy is reject everything (except fw <-> fw, of course) and accept the rest.

> > For example which rules are needed to allow systems on the local net to
> > use irc (which I haven't figured out yet)
>
> You shouldn't need any if the ip_nat_irc and ip_conntrack_irc kernel
> modules are loaded and if you don't have a rule or policy blocking outbound
> ports 194 and 6667.

Need I only allow these 2 ports outbound, and are they tcp or udp? No rules for inbound traffic needed?

I don't fully understand how to set up a rule that allows traceroutes from the fw to the net?

> > The 2 and 3 NIC example configuration files are a very good start but
> > some things (especially IPSEC and PPTP) are very hard to set up
> > correctly or to debug.
>
> Please have a look at http://shorewall.sf.net/PPTP.htm,
> http://shorewall.sf.net/IPSEC.htm and http://shorewall.sf.net/VPN.htm. How
> much more documentation do you need?

This indeed seems like all the documentation I would need. Could somebody recommend a good ipsec client to make a net2net connection from a linux box to a Cisco VPN router on the other end? I have the Cisco ipsec client but it keeps blocking local lan access after connecting :(

Any help / input greatly appreciated!
Remco Barendse
--On Monday, November 11, 2002 11:24:25 AM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> Hereby I volunteer to make a very extensive example ruleset. I will send it
> to you so you can put it on the site. The setup I use is paranoid, the
> policy is reject everything (except fw <-> fw) of course) and accept the
> rest.

Pardon my saying so but such a policy is difficult for someone who admits that he "doesn't know anything about protocols and port numbers and so on".

>> > For example which rules are needed to allow systems on the local net to
>> > use irc (which I haven't figured out yet)
>>
>> You shouldn't need any if the ip_nat_irc and ip_conntrack_irc kernel
>> modules are loaded and if you don't have a rule or policy blocking
>> outbound ports 194 and 6667.
>
> Need I only allow these 2 ports outbound and are they tcp or udp? No
> rules for inbound traffic needed?

Remco, if you are going to go with a paranoid policy then you had better learn how to decode Shorewall log messages (as root, type "shorewall show log") and create the appropriate rule to eliminate them. Because at this rate, you are going to be posting on the list asking for us to send you the rule for every application that you want to run. http://shorewall.sf.net/troubleshoot.htm shows you how to decode the log messages.

> I don't fully understand how to set up a rule that allows traceroutes
> from the fw to the net?

    ACCEPT fw net udp 33434:33454 #Traceroute with max 20 hops

>> > The 2 and 3 NIC example configuration files are a very good start but
>> > some things (especially IPSEC and PPTP) are very hard to set up
>> > correctly or to debug.
>>
>> Please have a look at http://shorewall.sf.net/PPTP.htm,
>> http://shorewall.sf.net/IPSEC.htm and http://shorewall.sf.net/VPN.htm.
>> How much more documentation do you need?
>
> This indeed seems like all the documentation I would need. Could somebody
> recommend a good ipsec client to make a net2net connection from a linux
> box to a Cisco VPN router on the other end? I have the Cisco ipsec client
> but it keeps blocking local lan access after connecting :(

Most folks use FreeS/Wan on Linux.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
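The workflow Tom describes for a paranoid (reject-by-default) policy is: read the log, decode which zone pair and port was refused, write the narrow ACCEPT rule that admits it. The script below is an added example for this thread, not Shorewall's own code and not posted by either participant. It assumes the classic Shorewall log prefix "Shorewall:<chain>:<disposition>:" where the chain is named <source-zone>2<destination-zone> (e.g. net2fw), followed by the usual netfilter KEY=VALUE fields, and it emits lines in the /etc/shorewall/rules column layout ACTION SOURCE DEST PROTO DEST_PORT(S). The sample log lines are constructed; they are not from a real firewall.

```python
"""Turn "shorewall show log" output into candidate ACCEPT rules.

Added example for the list thread, not Shorewall's own code.  Assumptions:
 - log prefix is "Shorewall:<srczone>2<dstzone>:<DISPOSITION>:" (classic format)
 - rules are written as: ACTION SOURCE DEST PROTO DEST_PORT(S)
The SAMPLE_LOG lines are constructed for this example.
"""
import re
from collections import Counter

# Chain name encodes the zone pair; a chain without "<zone>2<zone>" (or a
# line that is not a Shorewall message at all) is skipped by the parser.
_PREFIX = re.compile(r"Shorewall:(?P<src>\w+?)2(?P<dst>\w+):(?P<disp>[A-Z]+):")
# netfilter's own KEY=VALUE pairs (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, TYPE=...)
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample, five refused packets plus one unrelated syslog line.
SAMPLE_LOG = [
    "Nov 11 10:01:22 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 11 10:01:30 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4112 DF PROTO=TCP SPT=1035 DPT=6667 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 11 10:01:31 fw kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=3 ID=9 DF PROTO=UDP SPT=47321 DPT=33436 LEN=40",
    "Nov 11 10:01:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Nov 11 10:01:41 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.9 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4113 DF PROTO=TCP SPT=1036 DPT=6667 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 11 10:02:00 fw sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 1040 ssh2",
]


def parse_log_line(line):
    """Decode one log line; return None when it is not a Shorewall message."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    fields = dict(_FIELD.findall(line[m.end():]))
    entry = {
        "src_zone": m["src"], "dst_zone": m["dst"], "disposition": m["disp"],
        "proto": fields.get("PROTO", "").lower(),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),  # IN empty => fw-originated
    }
    if entry["proto"] in ("tcp", "udp"):
        entry["sport"] = int(fields["SPT"])
        entry["dport"] = int(fields["DPT"])
    elif entry["proto"] == "icmp":
        entry["icmp_type"] = int(fields["TYPE"])  # ICMP type goes in the DEST PORT column
    return entry


def suggest_rule(entry):
    """The narrowest /etc/shorewall/rules line that would ACCEPT this packet.

    It is deliberately one port wide: once the application is identified the
    admin widens it (e.g. Tom's udp 33434:33454 for traceroute) or restricts
    the source, rather than accepting whatever the log happened to show.
    """
    src, dst, proto = entry["src_zone"], entry["dst_zone"], entry["proto"]
    if proto in ("tcp", "udp"):
        return "ACCEPT %s %s %s %d" % (src, dst, proto, entry["dport"])
    if proto == "icmp":
        return "ACCEPT %s %s icmp %d" % (src, dst, entry["icmp_type"])
    # other IP protocols (netfilter logs them numerically, e.g. PROTO=47 for GRE)
    return "ACCEPT %s %s %s" % (src, dst, proto or "all")


def tally_rules(lines):
    """Count how many logged packets each candidate rule would cover, so
    recurring flows stand out from one-off background noise."""
    counts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            counts[suggest_rule(entry)] += 1
    return counts


if __name__ == "__main__":
    # Real use: tally_rules(os.popen("shorewall show log").read().splitlines())
    for rule, n in tally_rules(SAMPLE_LOG).most_common():
        print("%-30s # seen %d time(s)" % (rule, n))
```

Two caveats a practitioner should keep in mind. First, a rule derived from the log admits exactly what was refused; the loc2net tcp 6667 hit above becomes "ACCEPT loc net tcp 6667", but IRC's DCC transfers still depend on the ip_conntrack_irc/ip_nat_irc helpers Tom mentions, which no rules-file line can substitute for. Second, the fw2net udp 33436 hit is one probe of a traceroute; the sensible rule is the port range Tom gave, not a single port per hop.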