support23@ev-theol.uni-bonn.de
2003-Apr-02 08:52 UTC
[Shorewall-users] Allow ALL internal traffic
Hi all,

it's a real nightmare for me. Although I have read and searched the web for two weeks I can't get shorewall to work.

Problem is that we have only one server that acts as fileserver (samba, nis, nfs) and router/firewall for the lan. The server has two interfaces: eth0 = lan and eth1 = internet.

The only thing we need is full access from the lan to the firewall and restricted access from the internet. Isn't it possible to configure shorewall only for the wan interface and leave the lan interface untouched by shorewall/iptables? Is there a simple rule/policy to allow all access from and to the internal network?

shorewall is configured like the following:

- policy

loc net ACCEPT
loc all ACCEPT
fw loc ACCEPT
loc fw ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

- rules

ACCEPT net fw udp 22,143,25,20,21,10000,20000 -
ACCEPT net fw tcp 22,143,25,20,21,10000,20000 -
# SAMBA
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139
ACCEPT loc fw udp 1024: 137

tia and best regards
judy
Hi there,

please replace FW with $FW. You might also think about defaulting to DROP in policy and then explicitly excepting packets in rules (that's what your rules file already does).

Axel Westerhold

-----Original Message-----
From: support23@ev-theol.uni-bonn.de [mailto:support23@ev-theol.uni-bonn.de]
Sent: Wednesday, 2 April 2003 18:51
To: shorewall-users@lists.shorewall.net
> [original message quoted in full; see above]

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-04-02 at 18:50, support23@ev-theol.uni-bonn.de wrote:
> Hi all,
> it's a real nightmare for me. Although I have read and searched the
> web for two weeks I can't get shorewall to work.
> Problem is that we have only one server that acts as fileserver (samba, nis,
> nfs) and router/firewall for the lan. The server has two interfaces eth0 = lan
> and eth1 = internet.
>
> The only thing we need is full access from the lan to the firewall and
> restricted access from the internet.

Check shorewall.net, QuickStart guides, two-interface, and follow the instructions there!

For starters try the following (full access local):

# interfaces
net eth1 - norfc1918,routefilter
loc eth0 detect routestopped

# zones
net Net Internet
loc Local Local network

# policy
loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
net all DROP info
all all REJECT info

# rules
ACCEPT net fw tcp ssh

# masq
eth1 eth0

If you use DSL, you have to use something like ppp0 instead of eth1 in interfaces and masq. And set CLAMPMSS=yes in shorewall.conf. Open more ports in the rules file, as you need.

karsten
-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
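Added example (not part of the thread and not Shorewall's own code): a small Python model of the order in which Shorewall consults the rules file and the policy file, run over the policy and rules judy posted and over a constructed default-DROP policy of the kind Axel suggests, with karsten's `ACCEPT net fw tcp ssh` rule as a further input. The firewall zone name "fw", the "$FW" expansion, the "ssh" port lookup and the probe packets are assumptions of this model; Shorewall itself compiles these files into iptables chains, and its documentation, not this script, defines the real semantics. What it shows is why the Samba rules are redundant under "loc all ACCEPT" and which of judy's services (NFS on tcp/2049 is the example here) would need their own rules once the policy defaults to DROP.

```python
"""Toy model of Shorewall's rules-then-policy order for the files in this thread.
Added example, not Shorewall's own code: it mimics the documented first-match
order (rules file first, then the first policy whose zone pair matches)."""

FW_ZONE = "fw"          # assumed firewall zone name; "$FW" expands to it
SERVICES = {"ssh": 22}  # constructed lookup for the symbolic port in karsten's rule

# Policy file as posted (written with $FW, as Axel suggests): SOURCE DEST POLICY [LOG]
POLICY_POSTED = """
loc net ACCEPT
loc all ACCEPT
$FW loc ACCEPT
loc $FW ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info
"""

# Constructed default-DROP variant of the kind Axel suggests: everything not
# listed here has to be opened explicitly in the rules file.
POLICY_DEFAULT_DROP = """
loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all DROP info
"""

# Rules file as posted: ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)]
RULES = """
ACCEPT net $FW udp 22,143,25,20,21,10000,20000 -
ACCEPT net $FW tcp 22,143,25,20,21,10000,20000 -
# SAMBA
ACCEPT $FW loc udp 137:139
ACCEPT $FW loc tcp 137,139
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 137:139
ACCEPT loc $FW tcp 137,139
ACCEPT loc $FW udp 1024: 137
"""


def _expand(zone):
    return FW_ZONE if zone == "$FW" else zone


def _port_matches(spec, port):
    """spec is '-' (any) or a comma list of N, N:M, N: (open-ended) or a service name."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, sep, hi = str(SERVICES.get(item, item)).partition(":")
        lo = int(lo)
        hi = int(hi) if hi else (65535 if sep else lo)
        if lo <= port <= hi:
            return True
    return False


def _fields(text):
    """Whitespace-split fields of each non-blank, non-comment line, in file order."""
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            yield f


def parse_policy(text):
    """-> [(src_zone, dst_zone, action)]; 'all' is a wildcard zone."""
    return [(_expand(f[0]), _expand(f[1]), f[2]) for f in _fields(text)]


def parse_rules(text):
    """-> [(action, src, dst, proto, dports, sports)]; source ports default to any."""
    return [(f[0], _expand(f[1]), _expand(f[2]), f[3], f[4], f[5] if len(f) > 5 else "-")
            for f in _fields(text)]


def evaluate(rules, policies, src, dst, proto, dport, sport=40000):
    """First matching rule wins; otherwise the first policy covering the zone pair."""
    zone_ok = lambda spec, zone: spec in ("all", zone)
    for action, rsrc, rdst, rproto, rdport, rsport in rules:
        if (zone_ok(rsrc, src) and zone_ok(rdst, dst) and rproto in ("-", proto)
                and _port_matches(rdport, dport) and _port_matches(rsport, sport)):
            return action
    for psrc, pdst, action in policies:
        if zone_ok(psrc, src) and zone_ok(pdst, dst):
            return action
    return None  # no policy covers this zone pair


def verdicts(policy_text, rules_text=RULES):
    """Constructed probe packets for the services judy mentions (samba, nfs, ssh, http)."""
    rules, policies = parse_rules(rules_text), parse_policy(policy_text)
    probes = {
        "loc->fw tcp/139 smb":        ("loc", FW_ZONE, "tcp", 139, 40000),
        "loc->fw tcp/2049 nfs":       ("loc", FW_ZONE, "tcp", 2049, 40000),
        "loc->fw udp/1025 sport 137": ("loc", FW_ZONE, "udp", 1025, 137),
        "loc->fw udp/1025 sport 500": ("loc", FW_ZONE, "udp", 1025, 500),
        "net->fw tcp/22 ssh":         ("net", FW_ZONE, "tcp", 22, 40000),
        "net->fw tcp/80 http":        ("net", FW_ZONE, "tcp", 80, 40000),
    }
    return {name: evaluate(rules, policies, *pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, policy in (("posted", POLICY_POSTED), ("default DROP", POLICY_DEFAULT_DROP)):
        print(name, verdicts(policy))
```

Under the posted policy every loc->fw probe is accepted by "loc all ACCEPT" before any Samba rule matters; under the default-DROP policy the Samba rules (including the "1024: 137" reply rule, which only matches when the source port is 137) are what keeps SMB working, while NFS on tcp/2049 is dropped until a rule for it is added. Internet-side behaviour is the same in both cases: ssh is opened by the rules file, http falls through to "net all DROP".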