Hello all:

I'm working on redoing my 4 legged firewall using shorewall instead of the long and convoluted startup script that's running now. And a few questions are coming up. I'd appreciate any tips to keep me on track:

1- I have squid running on the same machine as the FW, but under an aliased IP. (The primary IP of the FW machine is DNATed to the webserver in my DMZ for all http traffic.) So I want to use a rule like:

    REDIRECT  loc1  $FW:$SQUID_IP:8080  tcp  http  -  !$ARAVA_IP
    ACCEPT    net   $FW:$SQUID_IP       tcp  -     http

but this doesn't wash.

2- I realize that shorewall uses stateful packet inspection, but where do I indicate in the rules file that a particular connection should be accepted only if it's ESTABLISHED,RELATED, like an iptables rule:

    .... -m state --state ESTABLISHED,RELATED

How does shorewall determine which states to match in general??

TIA
Micha
--On Monday, March 17, 2003 04:35:12 PM +0200 Micha Silver <micha@arava.co.il> wrote:

> Hello all:
> I'm working on redoing my 4 legged firewall using shorewall instead of
> the long and convoluted startup script that's running now. And a few
> questions are coming up. I'd appreciate any tips to keep me on track:
>
> 1- I have squid running on the same machine as the FW, but under an
> aliased IP. (The primary IP of the FW machine is DNATed to the
> webserver in my DMZ for all http traffic.) So I want to use a rule like:
>
>     REDIRECT  loc1  $FW:$SQUID_IP:8080  tcp  http  -  !$ARAVA_IP
>     ACCEPT    net   $FW:$SQUID_IP       tcp  -     http
>
> but this doesn't wash.

Please read http://www.shorewall.net/shorewall_Squid_Usage.html for information on configuring Shorewall with

> 2- I realize that shorewall uses stateful packet inspection, but where do
> I indicate in the rules file that a particular connection should be
> accepted only if it's ESTABLISHED,RELATED, like an iptables rule:
>
>     .... -m state --state ESTABLISHED,RELATED

You don't.

> How does shorewall determine which states to match in general??

Shorewall accepts ESTABLISHED,RELATED except from blacklisted sources. All rules and policies only apply to state NEW. Beginning with 1.4.0, Shorewall unconditionally DROPs all state INVALID.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
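As an added illustration of the state handling Tom describes in the reply above (example code written for this page, not Shorewall's own code, which generates iptables rules rather than evaluating packets itself): the blacklist, the rules table, the policies and the sample packets are all constructed here, and the zone names, addresses and the `evaluate` function are hypothetical. The point it shows is the order of decisions: blacklisted sources are refused first, INVALID is dropped (as of 1.4.0), ESTABLISHED/RELATED is accepted without consulting the rules file, and only NEW traffic ever reaches the rules and the zone-pair policy.

```python
# Added example: a small model of Shorewall's connection-state dispatch as
# described in the reply above. This is NOT Shorewall code; it only simulates
# the effective order of evaluation so the role of each conntrack state is visible.
from dataclasses import dataclass


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    proto: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# Constructed sample configuration (hypothetical; not taken from the thread).
BLACKLIST = {"192.0.2.66"}  # blacklisted source addresses

# Rules file entries: (source zone, dest zone, proto, dest port, action).
# These are consulted for state NEW only, first match wins.
RULES = [
    ("net", "dmz", "tcp", 80, "ACCEPT"),
    ("net", "fw", "tcp", 22, "DROP"),
]

# Policy file entries: (source zone, dest zone) -> default action for NEW
# connections that matched no rule.
POLICIES = {
    ("loc", "net"): "ACCEPT",
    ("net", "dmz"): "DROP",
    ("net", "loc"): "DROP",
    ("net", "fw"): "DROP",
}


def evaluate(pkt: Packet) -> str:
    """Return the verdict for one packet following the state handling described above."""
    # Blacklisted sources are refused even for ESTABLISHED/RELATED traffic.
    if pkt.src_ip in BLACKLIST:
        return "DROP"
    # Beginning with 1.4.0, state INVALID is dropped unconditionally.
    if pkt.state == "INVALID":
        return "DROP"
    # ESTABLISHED and RELATED are accepted without looking at rules or policies,
    # which is why no "ESTABLISHED,RELATED" rule is ever written in the rules file.
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # Only state NEW reaches the rules file.
    for src, dst, proto, dport, action in RULES:
        if (src, dst, proto, dport) == (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dport):
            return action
    # Nothing matched: fall through to the zone-pair policy (DROP if none defined).
    return POLICIES.get((pkt.src_zone, pkt.dst_zone), "DROP")


def demo() -> list:
    """Evaluate a handful of constructed packets and return their verdicts."""
    samples = [
        # New inbound HTTP to the DMZ web server: matches the first rule.
        Packet("net", "dmz", "198.51.100.10", "tcp", 80, "NEW"),
        # New inbound to an unlisted DMZ port: no rule, falls to the net->dmz policy.
        Packet("net", "dmz", "198.51.100.10", "tcp", 8080, "NEW"),
        # Reply traffic for a connection opened from loc: accepted by state alone.
        Packet("net", "loc", "198.51.100.10", "tcp", 443, "ESTABLISHED"),
        # Same reply traffic but from a blacklisted source: refused.
        Packet("net", "loc", "192.0.2.66", "tcp", 443, "ESTABLISHED"),
        # Packet conntrack could not classify: dropped regardless of zones.
        Packet("loc", "net", "10.0.0.5", "tcp", 443, "INVALID"),
        # New outbound connection from loc with no rule: loc->net policy applies.
        Packet("loc", "net", "10.0.0.5", "tcp", 443, "NEW"),
    ]
    return [evaluate(p) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The model deliberately has no way to express "accept only if ESTABLISHED,RELATED" in `RULES`, mirroring Tom's "You don't": reply traffic is handled before the rules are consulted, so a rule only ever needs to describe the first packet of a connection.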
On Mon, 17 Mar 2003, Tom Eastep wrote:

> --On Monday, March 17, 2003 04:35:12 PM +0200 Micha Silver
> <micha@arava.co.il> wrote:
>
> > 1- I have squid running on the same machine as the FW, but under an
> > aliased IP. (The primary IP of the FW machine is DNATed to the
> > webserver in my DMZ for all http traffic.) So I want to use a rule like:
> >
> >     REDIRECT  loc1  $FW:$SQUID_IP:8080  tcp  http  -  !$ARAVA_IP
> >     ACCEPT    net   $FW:$SQUID_IP       tcp  -     http
> >
> > but this doesn't wash.
>
> Please read http://www.shorewall.net/shorewall_Squid_Usage.html for
> information on configuring Shorewall with

That of course should have been "...configuring Shorewall with Squid".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net