Use policies, that's what they're for.
I.e.: add a policy that says that traffic from "loc" (or whatever) to
"net" (or whatever) is by default rejected.
Later on, as you add ACCEPT rules, you allow access to specific
ports/protocols as desired.
I'd say by default dropped, but for your LAN users it's better if it's
rejected cuz they don't have to sit and wait for timeouts, but for
everyone else on the internet the policy should be drop rather than
reject.
i.e.:
$shorewall/policy:
# Policy File
loc all REJECT -
dmz all REJECT -
all all DROP info
$shorewall/rules
# Rules file
ACCEPT loc dmz tcp ssh,smtp,smtps,webcache,domain
ACCEPT loc dmz udp domain
ACCEPT dmz net tcp http,https,ftp,ftp-data,domain
ACCEPT dmz net udp domain
...
you get the picture :)
Best
On Mon, 2003-07-28 at 22:35, Dubba Kor wrote:
> Setup: RH 9.0, 2.4.20-8, SW-1.4.6a with three NICs eth0(net), eth1(loc) and
> eth2(dmz)
>
> After setting up the Shorewall, I realized that by default all ports are
> accessible from local to internet (using the default three interfaces
> config files)
>
> I would like to do the reverse of it, meaning: allow only few ports (http,
> https, ssh) from local to Internet and rest should not be available to the
> local users. However, I should be able to add new rules to allow other
> ports on a later date.
>
> Pl. advise and thanks in advance
> DK
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
--
Diego Rivera
"The Disease: Windows, the cure: Linux"
E-mail: lrivera<AT>racsa<DOT>co<DOT>cr (replace <AT>='@', <DOT>='.')
GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD
GPG public key available at: http://pgp.mit.edu
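An added example, not part of the reply above or of Shorewall itself: a small Python checker that reads Shorewall-style policy and rules text, flags zone pairs whose default policy is ACCEPT (the situation the original poster wanted to get away from), and answers "what happens to loc-to-net traffic on this port?" by consulting the rules file first and then the first matching policy entry, which is the order Shorewall evaluates them in. The policy and rules contents, the extra `ACCEPT loc net tcp http,https,ssh` rule and the service-name table are all constructed for this example (the table stands in for /etc/services so the script runs offline).

```python
"""Added example (not from the mailing-list post): a checker for
Shorewall-style policy/rules files. All file contents and the service
table below are constructed for the example."""

# Constructed policy in the shape the reply recommends: first matching
# line wins, so zone-specific REJECTs come before the catch-all DROP.
POLICY_DEFAULT_DENY = """\
# Policy File
loc all REJECT -
dmz all REJECT -
all all DROP info
"""

# Constructed policy resembling the stock three-interface sample the
# original poster started from: loc may reach net by default.
POLICY_DEFAULT_ALLOW = """\
loc net ACCEPT
net all DROP info
all all REJECT info
"""

# Constructed rules: the reply's loc->dmz and dmz->net lines plus the
# loc->net ports (http, https, ssh) the original poster asked for.
RULES = """\
# Rules file
ACCEPT loc dmz tcp ssh,smtp,smtps,webcache,domain
ACCEPT loc dmz udp domain
ACCEPT loc net tcp http,https,ssh
ACCEPT dmz net tcp http,https,ftp,ftp-data,domain
ACCEPT dmz net udp domain
"""

# Constructed service-name table (stands in for /etc/services).
SERVICES = {"ssh": 22, "smtp": 25, "smtps": 465, "webcache": 8080, "domain": 53,
            "http": 80, "https": 443, "ftp": 21, "ftp-data": 20}


def _lines(text):
    """Yield the whitespace-split columns of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    """Return [(source, dest, policy, loglevel)] in file order."""
    out = []
    for cols in _lines(text):
        src, dst, pol = cols[:3]
        log = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        out.append((src, dst, pol.upper(), log))
    return out


def parse_rules(text):
    """Return [(action, source, dest, proto, {ports})] with ports as ints."""
    out = []
    for cols in _lines(text):
        action, src, dst, proto = cols[:4]
        ports = set()
        if len(cols) > 4:
            for p in cols[4].split(","):
                ports.add(SERVICES[p] if p in SERVICES else int(p))
        out.append((action.upper(), src, dst, proto.lower(), ports))
    return out


def default_policy(policies, src, dst):
    """First policy entry matching the zone pair; 'all' is a wildcard."""
    for psrc, pdst, pol, _log in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol
    return None


def effective_action(rules, policies, src, dst, proto, port):
    """Rules are consulted before policy; the first matching rule wins."""
    for action, rsrc, rdst, rproto, ports in rules:
        if rsrc == src and rdst == dst and rproto == proto and (not ports or port in ports):
            return action
    return default_policy(policies, src, dst)


def permissive_pairs(policies, zones):
    """Zone pairs whose default (no rule needed) is ACCEPT."""
    return sorted((s, d) for s in zones for d in zones
                  if s != d and default_policy(policies, s, d) == "ACCEPT")


if __name__ == "__main__":
    rules = parse_rules(RULES)
    zones = ["net", "loc", "dmz"]
    for name, text in (("default-allow", POLICY_DEFAULT_ALLOW),
                       ("default-deny", POLICY_DEFAULT_DENY)):
        pol = parse_policy(text)
        print(name, "permissive pairs:", permissive_pairs(pol, zones))
        for port in (443, 23):
            print("  loc->net tcp/%d: %s" % (port, effective_action(rules, pol, "loc", "net", "tcp", port)))
```

Run as a script it shows the difference the policy change makes: with the default-allow policy, loc-to-net telnet (tcp/23) is ACCEPTed even though no rule mentions it, while under the default-deny policy only the three listed ports get through and everything else from loc is REJECTed.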