Hi All,

Lately I've been testing with shorewall and squid to replace my MS ISA server. Now I've built up a lab with Linux and vmware and some MS servers. I read the shorewall documentation a couple of times.

Ok here's the problem I don't understand. I want to be able to decide which protocols are allowed from the local network to the internet and vice versa. I thought if you block everything in the policy then you'd be able to allow specific protocols in the rules, which doesn't work.

Also I can't figure out when you install the two-interface sample why http traffic is allowed??????? It's not enabled by the rules.

And I don't understand the function of the actions.std file.

DNAT etc. works fine. But I want to be in control of what goes out of my network.

This is my policy file: (DNS to the net from loc is dropped all the time??)

norfc1918 is removed from the interface because I am using reserved addresses in the lab. And there is a router in front of the internet, behind it now is isa which must be replaced by a linux box with shorewall and squid.

#
# Accept DNS connections from the firewall to the network
#
ACCEPT  fw   net           tcp   53
ACCEPT  fw   net           udp   53
ACCEPT  loc  net           tcp   53
ACCEPT  loc  net           udp   53
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc  fw            tcp   22
#
# Allow Ping To And From Firewall
#
ACCEPT  loc  fw            icmp  8
ACCEPT  net  fw            icmp  8
ACCEPT  fw   loc           icmp
ACCEPT  fw   net           icmp
#
ACCEPT  net  fw            tcp   10000
#
DNAT    net  loc:10.0.0.2  tcp   10000
DNAT    net  loc:10.0.0.1  tcp   80

This is my policy file:

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw       net   ACCEPT  info
net      all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all      all   REJECT  info

So a little help in the right direction will be appreciated!

Regards,

Rob Mokkink
Hi Rob,

> I want to be able to decide which protocols are allowed from the local
> network to the internet and vice versa.
>
> I thought if you block everything in the policy then you'd be able to allow
> specific protocols in the rules, which doesn't work.
>
> Also I can't figure out when you install the two-interface sample http
> traffic is allowed???????
>
> It's not enabled by the rules.

...but by the policy

> This is my policy file: (DNS to the net from loc is dropped all the time??)

No. This is your rules file.

> norfc1918 is removed from the interface because I am using reserved
> addresses in the lab. And there is a router in front of the internet,
> behind it now is isa which must be replaced by a linux box with
> shorewall and squid.
>
> # Accept DNS connections from the firewall to the network
> #
...
> This is my policy file:
>
>
> #SOURCE DEST POLICY LOG LEVEL
> LIMIT:BURST
----
> loc net ACCEPT
----
This policy will allow all traffic from your local net to the internet. Take it out...

> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
----
> fw net ACCEPT info
----
And I think as you are defining rules for the firewall you want to take this out, too.

Remember policies get checked first. If a packet is accepted in the policy the rule for that one will never get checked.

Regards
Sascha
-------------------------------------------------------
Sascha Knific                   K Systems & Design
Tel. +49-8151-773260            Wittelsbacherstr. 6a
Fax. +49-8151-773262            82319 Starnberg, Germany
knific@k-sysdes.net             http://www.k-sysdes.net
Sascha wrote on 17/06/2004 10:13:38:

> Hi Rob,
>
> > I want to be able to decide which protocols are allowed from the local
> > network to the internet and vice versa.
> >
> > I thought if you block everything in the policy then you'd be able to
> > allow specific protocols in the rules, which doesn't work.
> >
> > Also I can't figure out when you install the two-interface sample http
> > traffic is allowed???????
> >
> > It's not enabled by the rules.
>
> ...but by the policy
>
> > This is my policy file: (DNS to the net from loc is dropped all the
> > time??)
>
> No. This is your rules file.
>
> > norfc1918 is removed from the interface because I am using reserved
> > addresses in the lab. And there is a router in front of the internet,
> > behind it now is isa which must be replaced by a linux box with
> > shorewall and squid.
> >
> > # Accept DNS connections from the firewall to the network
> > #
> ...
> >
> > This is my policy file:
> >
> >
> > #SOURCE DEST POLICY LOG LEVEL
> > LIMIT:BURST
> ----
> > loc net ACCEPT
> ----
> This policy will allow all traffic from your local net to the internet.
> Take it out...
>
> > # If you want open access to the Internet from your Firewall
> > # remove the comment from the following line.
> ----
> > fw net ACCEPT info
> ----
> And I think as you are defining rules for the firewall you want to take
> this out, too.
>
> Remember policies get checked first. If a packet is accepted in the
> policy the rule for that one will never get checked.

no, policies are checked last - they are the default behaviour for traffic between zones if no other rule matches.

regards,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Thu, 2004-06-17 at 05:21, Rob Mokkink wrote:
> Hi All,
>
> Lately I've been testing with shorewall and squid to replace my MS ISA
> server.
>
> Now I've built up a lab with Linux and vmware and some MS servers.
>
> I read the shorewall documentation a couple of times.
>
> Ok here's the problem I don't understand.
>
> I want to be able to decide which protocols are allowed from the local
> network to the internet and vice versa.
>
> I thought if you block everything in the policy then you'd be able to allow
> specific protocols in the rules, which doesn't work.
>
Where does your policy show that you have blocked everything?

> Also I can't figure out when you install the two-interface sample http
> traffic is allowed???????
>
The default example does allow all traffic out.

> It's not enabled by the rules.

Yes it is.

>
> And I don't understand the function of the actions.std file.
>
IIRC a set of rules that are applied to all interfaces before all other rules.

> DNAT etc. works fine. But I want to be in control of what goes out of my
> network.
>
You *can* control it.

> This is my policy file: (DNS to the net from loc is dropped all the time??)
> norfc1918 is removed from the interface because I am using reserved
> addresses in the lab. And there is a router in front of the internet,
> behind it now is isa which must be replaced by a linux box with
> shorewall and squid.
>
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc net tcp 53
> ACCEPT loc net udp 53
> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT loc fw tcp 22
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT loc fw icmp 8
> ACCEPT net fw icmp 8
> ACCEPT fw loc icmp
> ACCEPT fw net icmp
> #
> ACCEPT net fw tcp 10000
> #
> DNAT net loc:10.0.0.2 tcp 10000
> DNAT net loc:10.0.0.1 tcp 80
>
>
> This is my policy file:
>
>
> #SOURCE DEST POLICY LOG LEVEL
> LIMIT:BURST
> loc net ACCEPT <<<<<<<<<<<<<<<<<<<<<<<<<<

Above is a good place to start. In English ACCEPT means "To receive with a consenting mind"; in other words the policy you have is to consent to all traffic. Try not accepting and see what happens.

In other words, oops, I may say I want to reject all outgoing traffic, but I am going to do the opposite of that.

> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT info
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
>
> So a little help in the right direction will be appreciated!
>
> Regards,
>
> Rob Mokkink
>
Respectfully
/psh
Sascha Knific wrote:
> Remember policies get checked first. If a packet is accepted in the policy
> the rule for that one will never get checked.

NO!!! Rules are checked first and if there is no match *then* the policy is applied.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
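Tom's correction is the crux of the whole thread: a packet is matched against the rules file first, in file order, and the policy file only decides when no rule matched. What follows is an added example, not code from the thread, from the posters or from the Shorewall project: a small Python model of that evaluation order, fed with Rob's rules and policy files (reproduced with their comments stripped), so that the effect of removing the "loc net ACCEPT" policy line can be seen directly. It assumes a deliberately simplified Shorewall: first match wins among rules, the first policy line whose SOURCE/DEST pair fits (with "all" as a wildcard) is the fallback, host qualifiers such as loc:10.0.0.2 are reduced to their zone, and connection tracking, actions.std and macros are not modelled at all.

```python
from dataclasses import dataclass
from typing import Optional

# The rules file posted in the thread, comments removed
# (ACTION SOURCE DEST PROTO DPORT; for icmp the last column is the type).
ORIGINAL_RULES = """
ACCEPT  fw   net           tcp   53
ACCEPT  fw   net           udp   53
ACCEPT  loc  net           tcp   53
ACCEPT  loc  net           udp   53
ACCEPT  loc  fw            tcp   22
ACCEPT  loc  fw            icmp  8
ACCEPT  net  fw            icmp  8
ACCEPT  fw   loc           icmp
ACCEPT  fw   net           icmp
ACCEPT  net  fw            tcp   10000
DNAT    net  loc:10.0.0.2  tcp   10000
DNAT    net  loc:10.0.0.1  tcp   80
"""

# The policy file posted in the thread (SOURCE DEST POLICY LOG).
ORIGINAL_POLICY = """
loc  net  ACCEPT
fw   net  ACCEPT  info
net  all  DROP    info
all  all  REJECT  info
"""

# The same policy with both ACCEPT lines removed, as the replies advise:
# loc->net and fw->net now fall through to the final REJECT unless a rule
# explicitly allows the traffic.
CORRECTED_POLICY = """
net  all  DROP    info
all  all  REJECT  info
"""


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None   # TCP/UDP destination port, or ICMP type


def parse_table(text: str) -> list[list[str]]:
    """Split a Shorewall-style table into rows, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def _zone(field: str) -> str:
    # "loc:10.0.0.2" -> "loc"; host qualifiers are ignored in this model (assumption)
    return field.split(":", 1)[0]


def _rule_matches(row: list[str], p: Packet) -> bool:
    proto = row[3] if len(row) > 3 else None
    dport = int(row[4]) if len(row) > 4 else None
    return (_zone(row[1]) == p.src_zone
            and _zone(row[2]) == p.dst_zone
            and (proto is None or proto == p.proto)
            and (dport is None or dport == p.dport))


def evaluate(p: Packet, rules: str, policy: str) -> tuple[str, str]:
    """Return (verdict, origin). Rules are tried first in file order; only when
    none matches does the first applicable policy line decide."""
    for row in parse_table(rules):
        if _rule_matches(row, p):
            return row[0], "rule"
    for row in parse_table(policy):
        src, dst, verdict = row[0], row[1], row[2]
        if src in ("all", p.src_zone) and dst in ("all", p.dst_zone):
            return verdict, "policy"
    raise ValueError(f"no policy covers {p.src_zone}->{p.dst_zone}")


if __name__ == "__main__":
    probes = [
        Packet("loc", "net", "tcp", 53),     # DNS: an explicit rule allows it
        Packet("loc", "net", "tcp", 80),     # HTTP: no rule, so the policy decides
        Packet("net", "fw", "tcp", 10000),   # allowed by an explicit rule
        Packet("net", "fw", "tcp", 22),      # no rule: the net->all DROP policy applies
    ]
    for name, pol in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        for p in probes:
            verdict, origin = evaluate(p, ORIGINAL_RULES, pol)
            print(f"{name:9} {p.src_zone:>3}->{p.dst_zone:<3} "
                  f"{p.proto}/{p.dport}: {verdict} (via {origin})")
```

Running it shows the two files side by side: DNS from loc is accepted by a rule under either policy, HTTP from loc is accepted only because of the "loc net ACCEPT" policy line and becomes REJECT once that line is gone, and tcp/10000 to the firewall keeps working because its rule is consulted before the "net all DROP" policy.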
Good Morning Tom

> > Remember policies get checked first. If a packet is accepted in the
> > policy the rule for that one will never get checked.
>
> NO!!! Rules are checked first and if there is no match *then* the policy
> is applied.

Sorry! I mixed it up... Maybe because policies are more global (and I always set them up first).

Where is this brown paper bag again....

Regards
Sascha
-------------------------------------------------------
Sascha Knific                   K Systems & Design
Tel. +49-8151-773260            Wittelsbacherstr. 6a
Fax. +49-8151-773262            82319 Starnberg, Germany
knific@k-sysdes.net             http://www.k-sysdes.net
Sascha Knific wrote:
>
> Where is this brown paper bag again....
>
I would loan you mine but I seem to need it fairly regularly myself :-)

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net