I have Shorewall on a Dell PowerEdge 600sc, two interfaces with the typical
setup for Shorewall.
The box was built for its primary intent, for Shorewall and SquidGuard functions.
    I have recently added a D-Link wireless router with its WAN side using
10.13.173.39 (one of the internal Shorewall IPs);
its internal subnet is on 192.168.0.1/24. This was added for showroom use in a
car dealer to allow customers at the dealer to access the internet!

    I need to block access from any PC on the 192.168.0.0/24 LAN from accessing
a SCO box on the 10.13.173.0/24 through telnet,
in which the SCO box IP is 10.13.173.194 and the D-Link wireless is again
10.13.173.39 for its WAN side IP.
    I am thinking this rule will work or is there a better way?
REJECT:ULOG      loc:00:80:c8:2a:60:15     loc:10.13.173.194     tcp      23
    The MAC address is the D-Link wireless router.
Thanks,
-------Mike
Kernel 2.4.18-3 Red Hat 7.3
Shorewall version 1.3.14
[root@linc root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:e2:1c:f5:be brd ff:ff:ff:ff:ff:ff
    inet 216.210.232.226/29 brd 216.210.232.231 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:9f:22:63:6c brd ff:ff:ff:ff:ff:ff
    inet 10.13.173.20/24 brd 10.13.173.255 scope global eth1
I should add that I can now access printers and the SCO box on the 10.13.173.0/24. They want access on the wireless LAN to one of the printers, and I have not had much experience with the D-Link firewall.
Mike

On Thu, 22 May 2003 11:13:32 -0700, Mike <landers@lanlinecomputers.com> wrote:
> I am thinking this rule will work or is there a better way?
> REJECT:ULOG loc:00:80:c8:2a:60:15 loc:10.13.173.194 tcp 23
>
> The mac address is the D-Link wireless router
>

You need to specify the MAC address of the D-link using Shorewall-format. See http://www.shorewall.net/configuration_file_basics.htm#MAC

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
I have a network question. I read the requirements for MAC addresses and
Shorewall. I looked at Tom's wireless setup and mine seems similar.
I am going in today to add a third NIC card for the wireless access to the
LAN and use Shorewall's maclist to build the rules I need for access to the
internal LAN.
    My question is, if you only have one internal LAN, no DMZ, i.e. a two
interface setup, will a rule like this one work to filter if neither host is a
gateway?
And Shorewall's LAN gateway is 192.168.1.1
DROP     loc:192.168.1.25    loc:192.168.1.30    tcp    telnet,www
Thanks,
Mike
----- Original Message -----
From: "Mike" <landers@lanlinecomputers.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Thursday, May 22, 2003 11:13 AM
Subject: [Shorewall-users] Local Subnet Drop or Reject ?
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 23 May 2003 09:52:58 -0700, Mike <landers@lanlinecomputers.com> wrote:
> I have a network question. I read the requirements for mac address and
> shorewall. I looked at Toms wireless setup and mine seems similar.
> I am going in today to add a third nic card for the wireless access to
> the lan and use shorewalls maclist to build rules I need for access to the
> internal lan.
> My question is if you only have one internal lan no DMZ, IE: two
> interface setup. Will a rule work to filter like this rule if neither is
> a gateway?
> And shorewalls lan gateway is 192.168.1.1
> DROP loc:192.168.1.25 loc:192.168.1.30 tcp telnet,www
>

Assuming that the local network is 192.168.1.0/24, traffic between .25 and .30 doesn't go through the firewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
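The two points Tom makes in this thread (a MAC source must be written in Shorewall format, and a loc-to-loc rule only matters when the packet is actually routed through the firewall) can be checked before a rule goes into the rules file. The script below is an added example, not code from the thread or from the Shorewall project. It takes the interface subnets from the `ip addr show` output posted above, and it assumes that the firewall is the only router the hosts use, that the D-Link hides its wireless clients behind its WAN address 10.13.173.39, and that the planned third NIC would carry 192.168.0.0/24 as `eth2`; those last two are assumptions, not facts from the thread. The `~xx-xx-xx-xx-xx-xx` MAC form is the one documented at the Shorewall URL Tom cites.

```python
"""Pre-flight check for a Shorewall loc->loc rule, as discussed in the thread.

Two things decide whether such a rule can do anything at all:
  1. Shorewall wants a MAC source written as ~xx-xx-xx-xx-xx-xx (tilde prefix,
     hyphens instead of colons).
  2. The firewall only filters packets that are routed through it. Two hosts on
     the same directly connected subnet reach each other via the switch, so a
     loc->loc rule between them never matches anything.
"""
import ipaddress
import re

# Constructed from the `ip addr show` output posted in the thread.
FIREWALL_SUBNETS = {
    "eth0": "216.210.232.224/29",
    "eth1": "10.13.173.0/24",
}

# Assumed layout after the third NIC Mike plans to add for the wireless LAN.
THREE_NIC_SUBNETS = dict(FIREWALL_SUBNETS, eth2="192.168.0.0/24")


def shorewall_mac(mac):
    """Render a MAC in Shorewall's form: '~' prefix, hyphen separators, lower case."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "~" + "-".join(parts)


def interface_for(ip, subnets):
    """Name of the firewall interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def traverses_firewall(src_ip, dst_ip, subnets=FIREWALL_SUBNETS):
    """True if a packet from src_ip to dst_ip has to be routed through the firewall.

    Assumes the firewall is the only router the hosts use. Two addresses on the
    same directly connected subnet talk through the switch and are never seen.
    """
    src_if = interface_for(src_ip, subnets)
    dst_if = interface_for(dst_ip, subnets)
    if src_if is not None and src_if == dst_if:
        return False
    return True


def check_rule(action, src_mac, src_ip, dst_ip, proto, port, subnets=FIREWALL_SUBNETS):
    """Build the rules-file line and report whether the firewall can ever match it.

    src_ip is the address the firewall would see on the wire; for clients behind
    a NAT router that is the router's WAN address (an assumption about the D-Link).
    """
    line = f"{action}\tloc:{shorewall_mac(src_mac)}\tloc:{dst_ip}\t{proto}\t{port}"
    return line, traverses_firewall(src_ip, dst_ip, subnets)


if __name__ == "__main__":
    # The rule from the first message: D-Link WAN side -> SCO box, both on eth1.
    line, effective = check_rule("REJECT:ULOG", "00:80:c8:2a:60:15",
                                 "10.13.173.39", "10.13.173.194", "tcp", 23)
    print(line)
    print("firewall in path:", effective)   # False: same subnet, never seen
    # Same flow with the wireless LAN on its own NIC (constructed client address).
    line, effective = check_rule("REJECT:ULOG", "00:80:c8:2a:60:15",
                                 "192.168.0.7", "10.13.173.194", "tcp", 23,
                                 subnets=THREE_NIC_SUBNETS)
    print("firewall in path with third NIC:", effective)   # True
```

Run it as-is to see the two cases from the thread side by side: the original rule gets its MAC rewritten into Shorewall form, but the check reports that a flow from 10.13.173.39 to 10.13.173.194 never reaches the firewall, which is the same reason Tom gives for the 192.168.1.25/.30 rule. Only once the wireless LAN hangs off its own interface does the path cross the firewall, at which point a rule between the two zones can take effect.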