Tommy Balle
2003-Jan-08 00:03 UTC
[Shorewall-users] Access to internet except some subnets
Hello Shorewall users,

I have a firewall based on RedHat 8.0 and Shorewall. I have 2 interfaces, with 2 IP addresses on the loc interface; the connection to the internet runs through my company's network with an ADSL/MPLS line. I need to configure my Shorewall with the possibility to deny some users' access to the 'net' for some subnet.

Ex. my son's machine should also run through the firewall but I don't want him to access the internal networks in my company. I have tried with the following rule:

    ACCEPT loc:10.0.1.10 net:!192.168.0.0/16 tcp http,https,ftp,domain -

My son's machine being 10.0.1.10.

I have read the doc. but can't see what I'm doing wrong? Any suggestions?

Regards
Tommy Balle
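An added example, not from any post in this thread: a rules-file fragment for the setup described above that states the restriction as an explicit, logged DROP placed before the ACCEPT lines, so the outcome does not depend on how the installed Shorewall version handles a `!` exclusion in the DEST column. It assumes the company networks are 192.168.0.0/16 (as in the original rule), that the son's host is 10.0.1.10, and the standard loc/net zone names.

```shorewall
# /etc/shorewall/rules (fragment) - constructed example, not from the thread.
# Shorewall evaluates rules in file order, so the DROP must precede the ACCEPTs.
#
#ACTION      SOURCE           DEST                 PROTO   DEST PORT(S)
#
# 1. The son's host (assumed 10.0.1.10) may not reach the company networks
#    (assumed 192.168.0.0/16). The :info suffix logs each blocked packet to
#    syslog, which is how you confirm the rule is actually being hit.
DROP:info    loc:10.0.1.10    net:192.168.0.0/16
#
# 2. What the host is allowed to reach on the rest of the net.
#    DNS resolution is mostly UDP/53; listing "domain" only under tcp, as in
#    the original rule, leaves UDP lookups to whatever the loc->net policy says.
ACCEPT       loc:10.0.1.10    net                  tcp     http,https,ftp
ACCEPT       loc:10.0.1.10    net                  udp     domain
ACCEPT       loc:10.0.1.10    net                  tcp     domain
```

If the loc-to-net policy is already ACCEPT, an ACCEPT rule cannot restrict anything and the DROP line is the only part that enforces the restriction; if the policy is DROP or REJECT, the ACCEPT lines are what admits the listed services. After a `shorewall restart`, `shorewall show loc2net` lists the generated chain so the ordering can be checked.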
Pascal DeMilly
2003-Jan-08 08:42 UTC
[Shorewall-users] Access to internet except some subnets
You need to provide more information if you want people to help you.

You say you have 2 NICs, so show us your interfaces file.

You say you have 2 IP addresses on your loc NIC. Does it mean you are using IP aliasing? If so, show us your Shorewall hosts and zones files.

You say you want to deny some users access to the net. Tell us what makes a deniable user? IP address, then which one?

You say you want to allow your son to access the net but not your business network? Tell us then what your business network looks like. IP address, zone ...?

You say what you tried failed. Show us your messages file for the relevant error.

Anyway, if you want to prevent a user from browsing, I have found that Squid (www.squid-cache.org) is always the best alternative. It is a little harder to set up but it offers in the end much more.

HTH
Pascal

-- 
Pascal DeMilly <list.shorewall@newgenesys.com>
Kenneth Grande, Driftsjef aspIT AS
2003-Jan-08 09:49 UTC
Re: [Shorewall-users] Access to internet except some subnets
I have never used this the way you point out in your example..

    ACCEPT loc:10.0.1.10 net:!192.168.0.0/16 tcp

This is only a wild shot.. I would need more information to get a clear picture of your network and fw config. But from the information provided I would try this:

    ACCEPT loc:10.0.1.10 net:OUTSIDE_IP_OF_SONS_GW (assuming this is in the 192.168.0.0/16 network)
    ACCEPT loc:10.0.1.10 net:INSIDE_IP_OF_COMPANY_GW (assuming this is in the 192.168.0.0/16 network)

Again.. Just a wild shot..

Best Regards,
Kenneth.
Kenneth Grande, Driftsjef aspIT AS
2003-Jan-08 09:55 UTC
Re: [Shorewall-users] Access to internet except some subnets
Guessing your network looks somewhat like this:

    10.0.1.10 (son's machine) <-> [(10.0.1.x) FW (192.168.0.x)] <-> [(192.168.0.x) Company FW (x.x.x.x)] <-> Internet

Best Regards,
Kenneth.