I attached a copy of my rules file and I was wondering if there are some commands that I don't need. I am running a webserver, email server, samba server. Thanks

##############################################################################
#ACTION SOURCE DEST PROTO DEST    SOURCE   ORIGINAL
#                         PORT    PORT(S)  DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
#Accept DNS connections local to firewall
ACCEPT loc fw tcp 53
ACCEPT fw loc tcp 53
#Allows webserver traffic from internet to fw
#ACCEPT net fw tcp 80
#ACCEPT loc fw tcp 80
ACCEPT loc fw tcp 80
ACCEPT fw loc tcp 80
#Allows Samba connections from local to firewall
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139
ACCEPT loc fw udp 1024: 137
#Allows connections to webmin from local to firewall
ACCEPT loc fw tcp 10000
ACCEPT fw loc tcp 10000
#Allows connections from the internet to the fw
ACCEPT fw net tcp 10000
ACCEPT net fw tcp 10000
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allows SSH from the internet
#ACCEPT net fw tcp 22
# Allows port 25 traffic
ACCEPT loc fw tcp 25
ACCEPT fw loc tcp 25
ACCEPT net fw tcp 25
ACCEPT fw net tcp 25
#Allows port 143 traffic
ACCEPT loc fw tcp 143
ACCEPT fw loc tcp 143
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
cheers();

> I attached a copy of my rules file and I was wondering if there are
> some commands that I don't need. I am running a webserver, email
> server, samba server. Thanks

It really depends on what you wanna allow and how you trust the folks in your local net. You can allow all connections from loc to fw in the policies, if you trust your users.

> # Accept DNS connections from the firewall to the network
> #
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> #
> #Accept DNS connections local to firewall
> ACCEPT loc fw tcp 53
> ACCEPT fw loc tcp 53

You didn't mention this above. So, are you running a DNS (caching) server on the fw?

> #Allows connections to webmin from local to firewall
> ACCEPT loc fw tcp 10000
> ACCEPT fw loc tcp 10000
> #Allows connections from the internet to the fw
> ACCEPT fw net tcp 10000
> ACCEPT net fw tcp 10000

Uh, you really need Webmin access from the net? I wouldn't do that. If you really need it once, log in via ssh and allow it. But I wouldn't allow webmin from the net all the time.

And I doubt you have to open all ports in both directions. IMHO it should be enough to only ACCEPT incoming connections on the fw, as long as you don't wanna establish a connection from your firewall to another server on the net (like webmin above). Correct me someone, if I'm wrong.

What are your policies? All DROP/REJECT or ACCEPT policies?

.karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
--On Wednesday, January 01, 2003 10:04 PM -0800 Eric <subzero123_80@yahoo.com> wrote:

> I attached a copy of my rules file and I was wondering if there are
> some commands that I don't need. I am running a webserver, email
> server, samba server. Thanks

It is impossible to evaluate rules without also knowing what your policies are.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Sorry about that. My policy file is listed below. Yes, I am running an internal cache dns server. I agree about the webmin, so I already made that change. I trust all my local users. I will add loc fw in my policy file.

One other question: I play a lot of games online. Is there a way where I can enable all ports above a certain number to be forwarded to one of my internal systems? I maybe will just add in by hand which ports I need for gaming; I was just wondering.

How hard is it to setup IPSEC from my linux firewall to a road warrior setup running a windows XP system? I want to give samba access over a secure network so people can work from home.

Tom Eastep, I have to say this is the best firewall I have ever used on linux, so keep up the good work. Thanks for everyone's help.

Policy File Rules
loc net ACCEPT
net all DROP info
all all REJECT info
loc fw ACCEPT
cheers();

> Sorry about that. My policy file is listed below. Yes, I am running an
> internal cache dns server. I agree about the webmin, so I already made
> that change. I trust all my local users. I will add loc fw in my
> policy file.

So you can simplify it a lot. ;)

Are you trusting your fw? You can allow your firewall any connections to net.

Tom: I am wondering if this is a safe assumption. Or are there any points not to ACCEPT all traffic from fw2net?

> Policy File Rules
> loc net ACCEPT
> net all DROP info
> all all REJECT info
> loc fw ACCEPT

All ACCEPT policies really should be before any DROP or REJECT, as the first match is triggered. After that all2all, any other will be rejected.

When you have changed that, you can get rid of all rules from loc to fw, as they are ACCEPTed in the policy. (Don't have your rules file any more, so I can't tell which rules are obsolete. Post rules and policies in one mail, please, after the mentioned changes.)

...guenther

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
--On Thursday, January 02, 2003 6:12 PM +0100 guenther <guenther@rudersport.de> wrote:

>
> Tom: I am wondering if this is a safe assumption. Or are there any
> points not to ACCEPT all traffic from fw2net?
>

I personally want to know all of the connection types that my firewall is making to the internet (same with my server). If you don't feel that need, then you can allow all fw->net traffic.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Below is what my edited policy and rules look like now. I agree with Tom on not allowing Fw Net.

How hard is it to setup IPSEC from my linux firewall to a road warrior setup running a windows XP system? I want to give samba access over a secure network so people can work from home.

Thanks

Policy File
loc fw ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info

Rules
#Accept (DNS cache) connections local to firewall
ACCEPT fw loc tcp 53
#Allows webserver traffic
#ACCEPT net fw tcp 80
ACCEPT fw loc tcp 80
#Allows Samba connections from local to firewall
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT fw loc udp 1024: 137
#Allows connections to webmin
ACCEPT fw loc tcp 10000
#ACCEPT net fw tcp 10000
# Accept SSH connections
#ACCEPT net fw tcp 22
# Allows port 25 (SMTP) traffic
ACCEPT fw loc tcp 25
ACCEPT net fw tcp 25
#Allows port 143 (IMAP) traffic
ACCEPT fw loc tcp 143
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Another thing that always worries me: in case your fw box does get hacked, if you allow unlimited outgoing traffic it would make things a lot easier for the potential hacker to run undesirable services on your box (that is, if they don't have root access yet. If they got root then all is lost). (I'm always using paranoia mode: block everything from anywhere to anywhere and only allow what I really need).

On Thu, 2 Jan 2003, Tom Eastep wrote:

>
>
> --On Thursday, January 02, 2003 6:12 PM +0100 guenther
> <guenther@rudersport.de> wrote:
>
> >
> > Tom: I am wondering if this is a safe assumption. Or are there any
> > points not to ACCEPT all traffic from fw2net?
> >
>
> I personally want to know all of the connection types that my firewall is
> making to the internet (same with my server). If you don't feel that need,
> then you can allow all fw->net traffic.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.sf.net
> Washington USA    \ teastep@shorewall.net
cheers();

> Policy File
> loc fw ACCEPT
> loc net ACCEPT
> net all DROP info
> all all REJECT info

> #Allows webserver traffic
> #ACCEPT net fw tcp 80
> ACCEPT fw loc tcp 80

As long as there is no webserver in loc you want to connect to from fw, this is useless IMHO.

> #Allows Samba connections from local to firewall
> ACCEPT fw loc udp 137:139
> ACCEPT fw loc tcp 137,139
> ACCEPT fw loc udp 1024: 137

Same as above: You wanna use the fw as Samba client?

> #Allows connections to webmin
> ACCEPT fw loc tcp 10000
> #ACCEPT net fw tcp 10000

And again: You wanna edit the configuration with webmin from fw? I assume you don't use your fw as workstation, do you?

> # Allows port 25 (SMTP) traffic
> ACCEPT fw loc tcp 25

SMTP Server in your local zone?

> #Allows port 143 (IMAP) traffic
> ACCEPT fw loc tcp 143

And an IMAP server in your local zone, which you use from a client on your firewall?

All those ACCEPT fw loc are only necessary when your firewall acts as a client, not server. Requests from loc to fw are ACCEPTed in the first policy. The firewall can handle them without being explicitly allowed.

It looks like you only wanna let DNS (53) and ssh (22) connects pass from your firewall to your local net. Get rid of those you don't need and of those commented out. And your rules will look clean and you see at first sight all explicit rules. :)

.kb (aka guenther, as I again didn't switch account...)

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
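The two points guenther makes in this thread (a policy entry placed after all2all never matches because the first match wins, and explicit loc->fw rules become redundant once a loc fw ACCEPT policy exists) can be checked mechanically. The following Python checker is an added example, not code from the thread or from Shorewall; it assumes a simplified zone match where "all" is a wildcard and any other zone name must match literally, and its sample policy and rules are constructed from the ones posted above.

```python
# Added example (not the thread's own code). Simplification: "all" is a
# wildcard, any other zone name must match literally.

# Constructed sample input, modelled on the policy and rules posted above.
POSTED_POLICY = """\
loc net ACCEPT
net all DROP info
all all REJECT info
loc fw ACCEPT
"""
FIXED_POLICY = """\
loc fw ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
"""
RULES = """\
ACCEPT loc fw tcp 53
ACCEPT fw loc tcp 53
ACCEPT net fw tcp 25
"""

def parse(text):
    """Columns of each non-empty, non-comment line."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [cols for cols in rows if cols]

def covers(entry, src, dst):
    """True if a policy entry's SOURCE/DEST columns match the zone pair."""
    return entry[0] in (src, "all") and entry[1] in (dst, "all")

def shadowed_policies(policy_text):
    """Entries that can never be the first match: every zone pair they
    could match is already matched by an earlier entry."""
    entries = parse(policy_text)
    return [" ".join(e) for i, e in enumerate(entries)
            if any(covers(p, e[0], e[1]) for p in entries[:i])]

def effective_policy(policy_text, src, dst):
    """POLICY column of the first entry matching (src, dst), or None."""
    for entry in parse(policy_text):
        if covers(entry, src, dst):
            return entry[2]
    return None

def redundant_accept_rules(policy_text, rules_text):
    """ACCEPT rules whose zone pair the effective policy already ACCEPTs."""
    return [" ".join(r) for r in parse(rules_text) if r[0] == "ACCEPT"
            and effective_policy(policy_text, r[1], r[2]) == "ACCEPT"]
```

Against POSTED_POLICY the checker reports "loc fw ACCEPT" as shadowed by all all REJECT, and against FIXED_POLICY it reports "ACCEPT loc fw tcp 53" as redundant.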
On 2 Jan 2003 at 22:19, kb wrote:

> > #Allows Samba connections from local to firewall
> > ACCEPT fw loc udp 137:139
> > ACCEPT fw loc tcp 137,139
> > ACCEPT fw loc udp 1024: 137
>
> Same as above: You wanna use the fw as Samba client?
> Get rid of those you don't need and of those commented out.
> And your rules will look clean and you see at first sight all
> explicit

Whoa there KB

Those rules are recommended on the Shorewall web site at http://www.shorewall.net/samba.htm

Without these, your samba server will not have a browse list for your workgroup/domain. This will prevent it from becoming the master for that workgroup.

Further, some folks use the server's tape drive to back up a mounted share of workstations' hard drives. We use a script to mount a workstation share over /mnt, take a backup using BRU, and then demount the workstation share.

Don't let your paranoia about being hacked cut into the functionality of your network. (If that's a major concern, move the fw off of the samba server onto a separate box. Old Pentium 133s or 166s make more than adequate firewalls).

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
cheers();

> > > #Allows Samba connections from local to firewall
> > > ACCEPT fw loc udp 137:139
> > > ACCEPT fw loc tcp 137,139
> > > ACCEPT fw loc udp 1024: 137
> >
> > Same as above: You wanna use the fw as Samba client?
> > Get rid of those you don't need and of those commented out.
> > And your rules will look clean and you see at first sight all
> > explicit
>
> Whoa there KB
>
> Those rules are recommended on the Shorewall web site
> at http://www.shorewall.net/samba.htm
>
> Without these, your samba server will not have a
> browse list for your workgroup/domain. This will prevent it
> from becoming the master for that workgroup.

You're right. Sorry, my fault. Did a quick check and had no problem with 'smb -L host'. So I assumed it isn't necessary. The Windows box really ran into trouble... ;)

> Further, some folks use the server's tape drive to back
> up a mounted share of workstations' hard drives. We use
> a script to mount a workstation share over /mnt,
> take a backup using BRU, and then demount the workstation share.

Yep, but IMHO it was not stated in the first post what he wanna do with his fw. So I assumed that right and the fw will not act as client. Unfortunately I hadn't enough coffee and forgot about SMB broadcasts. Stupid me...

> Don't let your paranoia about being hacked cut into the functionality
> of your network. (If that's a major concern, move the fw off of the
> samba server onto a separate box. Old Pentium 133s or 166s make
> more than adequate firewalls).

I'm more lazy than paranoid myself on this point. I have an ACCEPT policy from fw2loc, as I trust my network...

Eric, sorry for the confusion, John is right here.

...guenther

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!