Hello all,

I'm a relative newbie to Linux and a complete newbie to setting up firewalls.
I'm running RedHat 8.0 ( Linux web 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux ) and my Shorewall version is 1.4.2.

I set my firewall up with the two-interface example, which worked fine but....
According to the policy in the two-interface example all traffic established by the local zone (loc) to the internet zone (net) is allowed. So any rules with loc as source to net are redundant?

Now if I change the policy for loc to net as follows:

loc net REJECT

then all traffic from loc to net is rejected. Ping still works ( since it is allowed in the rules ) but how do I allow www traffic ?
I've tried using: ( in rules )

ACCEPT loc net tcp www,http

And:

ACCEPT loc fw tcp www,http
ACCEPT fw net tcp www,http
ACCEPT fw loc tcp www,http

But neither works.

Perhaps I'm just a stupid fella but can some nice person out there help me here ?
Be nice to the newbie so the newbie can help other newbies ;)

Many many thanks to you all

Regards
Arnar Thorarinsson
On Wed, 7 May 2003 23:02:15 -0000, Arnar Þórarinsson <art@strik.is> wrote:

> I set my firewall up with the two-interface example, which worked fine
> but....
> According to the policy in the two-interface example all traffic
> established by the local zone (loc) to the internet zone (net) is
> allowed. So any rules with loc as source to net are redundant?

Any ACCEPT rules are, yes.

> Now if I change the policy for loc to net as follows:
> loc net REJECT
> then all traffic from loc to net is rejected. Ping still works ( since
> it is allowed in the rules )
> but how do I allow www traffic ?
> I've tried using: ( in rules )
> ACCEPT loc net tcp www,http
> And:
> ACCEPT loc fw tcp www,http
> ACCEPT fw net tcp www,http
> ACCEPT fw loc tcp www,http
> But neither works.

Two things:

a) www and http are the same port (port 80) -- you probably want www,https.

b) You also need DNS access to the net.

ACCEPT loc net udp domain
ACCEPT loc net tcp domain

The Shorewall log ("shorewall show log") will always show you what packets are getting blocked provided that your REJECT policy specifies logging. Learn to interpret the log messages (start with http://www.shorewall.net/troubleshoot.htm) and you will be able to diagnose these problems yourself.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
> I'm a relative newbie to Linux and a complete newbie to setting up
> firewalls.
> I'm running RedHat 8.0 ( Linux web 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT
> 2002 i686 i686 i386 GNU/Linux ) and my Shorewall version is 1.4.2.
>
> I set my firewall up with the two-interface example, which worked fine
> but....
> According to the policy in the two-interface example all traffic
> established by the local zone (loc) to the internet zone (net) is
> allowed. So any rules with loc as source to net are redundant?

Nope. Only ACCEPT rules are redundant. You can block single ports, log traffic and even redirect...
http://shorewall.net/Documentation.htm#Rules

As all rules are evaluated before the policies, you can fine-grain here. The first matching rule/policy applies; all others are skipped.

> Now if I change the policy for loc to net as follows:
> loc net REJECT
> then all traffic from loc to net is rejected. Ping still works ( since
> it is allowed in the rules )
> but how do I allow www traffic ?
> I've tried using: ( in rules )
> ACCEPT loc net tcp www,http
> And:
> ACCEPT loc fw tcp www,http
> ACCEPT fw net tcp www,http
> ACCEPT fw loc tcp www,http
> But neither works.

ACCEPT loc net tcp http

should work. You probably want https and domain, too. You can set port numbers/ranges or the corresponding service names (see /etc/services).

What do you mean by not working? Does ''shorewall restart'' generate errors? Does it work with the ACCEPT policy? Masquerading enabled?

> Perhaps I'm just a stupid fella but can some nice person out there help
> me here ?
> Be nice to the newbie so the newbie can help other newbies ;)

Everyone started as a newbie... ;-)

karsten
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
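Both replies make the same two points: rules are evaluated top to bottom before policies, with the first match deciding, and "www,http" collapses to a single port (80), so the poster's rule was not adding https or DNS. The following Python script is an added example written for this edited thread, not code from the thread or from the Shorewall project. It embeds a constructed policy file and rules file (loc->net set to REJECT with logging, plus the rules Tom and Karsten suggest), a constructed service table (standing in for /etc/services so the script runs offline), and a toy first-match evaluator that models only the ACTION, SOURCE, DEST, PROTO and DEST PORT(S) columns of Shorewall 1.4 rules. It ignores source ports, ORIGINAL DEST, rate limits, host-specific zones, masquerading and the firewall's own chain ordering, so treat it as an illustration of the matching order, not as a reimplementation of Shorewall.

```python
# Added example (not from the Shorewall mailing-list thread or the Shorewall
# project): a toy first-match evaluator for Shorewall 1.4-style policy and
# rules files. Only the ACTION, SOURCE, DEST, PROTO and DEST PORT(S) columns
# are modelled; source ports, ORIGINAL DEST, rate limits, host zones and
# masquerading are ignored.

# Constructed service table so the example runs without /etc/services.
# 'www' and 'http' are both port 80, which is why "www,http" adds nothing.
SERVICES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}

# Constructed policy file: loc->net is REJECTed and logged at 'info', as in
# the poster's change; the other lines follow the shape of the sample.
POLICY = """
# SOURCE  DEST  POLICY  LOG LEVEL
loc       net   REJECT  info
fw        net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
"""

# Constructed rules file: what loc needs once the loc->net policy is REJECT
# (web, DNS over udp and tcp, ping), plus ssh from loc to the firewall.
RULES = """
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    loc     net   tcp    http,https
ACCEPT    loc     net   udp    domain
ACCEPT    loc     net   tcp    domain
ACCEPT    loc     net   icmp   8
ACCEPT    loc     fw    tcp    ssh
"""


def port_set(spec):
    """Expand a DEST PORT(S) column ('80,443', 'www,http', '6000:6010')
    into a set of integers. For ICMP the column holds the ICMP type."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:                     # low:high range
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        elif item.isdigit():
            ports.add(int(item))
        else:
            ports.add(SERVICES[item])       # KeyError = unknown service name
    return ports


def parse(text):
    """Split a config file into whitespace-separated columns,
    dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def first_match(rules, policy, src, dst, proto, dport):
    """Return (action, line) for the first rule that matches; if no rule
    matches, the first matching policy decides. Rules are evaluated before
    policies and evaluation stops at the first match."""
    for r in rules:
        action, rsrc, rdst = r[0], r[1], r[2]
        rproto = r[3] if len(r) > 3 else "all"
        rports = r[4] if len(r) > 4 else "-"
        if not (zone_match(rsrc, src) and zone_match(rdst, dst)):
            continue
        if rproto not in ("all", proto):
            continue
        if rports != "-" and dport not in port_set(rports):
            continue
        return action, " ".join(r)
    for p in policy:
        if zone_match(p[0], src) and zone_match(p[1], dst):
            return p[2], " ".join(p)
    raise LookupError("no policy matches %s->%s" % (src, dst))


RULE_ROWS = parse(RULES)
POLICY_ROWS = parse(POLICY)


def decide(src, dst, proto, dport):
    """Evaluate one packet (zones, protocol, destination port or ICMP type)
    against the constructed config above."""
    return first_match(RULE_ROWS, POLICY_ROWS, src, dst, proto, dport)


if __name__ == "__main__":
    for pkt in [("loc", "net", "tcp", 80), ("loc", "net", "tcp", 443),
                ("loc", "net", "udp", 53), ("loc", "net", "icmp", 8),
                ("loc", "net", "tcp", 25), ("net", "loc", "tcp", 80)]:
        print(pkt, "->", decide(*pkt))
```

Running the script shows loc->net on tcp/80, tcp/443, udp/53 and ICMP type 8 hitting the ACCEPT rules, while loc->net tcp/25 falls through every rule to the `loc net REJECT info` policy line, which is the packet that would appear in "shorewall show log". Whether the real firewall agrees still has to be checked on the box itself, since the toy leaves out everything the real rules compiler does beyond these five columns.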