Hey guys, I am having a lot of trouble getting Shorewall to allow DNS out to access anything. I have RTFM and searched via Google to no avail. I have a meager 56k PPP dialup connection that uses CHAP auth. My IP address is assigned dynamically. I do not want to run any kind of mailserver, webserver etc. My primary and secondary DNS servers are: 203.134.64.66 and 203.134.65.66.

Here are the ports/services I want to enable to allow outgoing; the rest I want to drop.

- DNS to access www
- ssh for shell access
- smtp and pop access to ISP
- MSN and Yahoo access
- LimeWire
- Bittorrent
- outgoing ICMP ping/echo requests for auditing with nmap

I am running Fedora Core 2.6.8 with iptables 1.2.9 and traceroute is installed. Here is my interfaces and rules config.

---------------------------------------------------------------------------------------
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      ppp0         -
-----------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------
#ACTION    SOURCE    DEST    PROTO    DEST                     SOURCE     ORIGINAL    RATE     USER/
#                                     PORT                     PORT(S)    DEST        LIMIT    GROUP
ACCEPT     loc       net     tcp      110                      -          -           -        -
ACCEPT     loc       net     tcp      25                       -          -           -        -
ACCEPT     loc       net     tcp      22                       -          -           -        -
ACCEPT     loc       net     tcp      1863                     -          -           -        -
ACCEPT     loc       net     tcp      5050,23                  -          -           -        -
ACCEPT     loc       net     tcp      53                       -          -           -        -
ACCEPT     loc       net     tcp      80,8080,8008,8000,8888   -          -           -        -
ACCEPT     loc       net     tcp      443                      -          -           -        -
ACCEPT     loc       net     tcp      21                       -          -           -        -
ACCEPT     net       loc     tcp      -                        20         -           -        -
ACCEPT     loc       net     icmp     -                        -          -           -        -
ACCEPT     loc       net     tcp      6881,6889                -          -           -        -
ACCEPT     loc       net     tcp      6969                     -          -           -        -
ACCEPT     loc       net     udp      4000                     -          -           -        -
ACCEPT     loc       net     udp      53                       -          -           -        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-----------------------------------------------------------------------------------------------

Sorry if I am asking stupid questions, I realize the solution is probably simple, but I have been using Guarddog to configure my ruleset and, as you may be aware, it requires very little configuration other than allowing DNS to the internet and port 80.

Help please,
Matt
Okay, thanks Tom, that worked. I think I get it now.... :S

My ppp0 interface sits behind the firewall ($FW) as trusted. Then $FW checks the rules when a connection is initiated and, if it finds an ACCEPT rule, allows traffic as defined in the policy file:

#SOURCE    DEST    POLICY    LOG      LIMIT:BURST
#                            LEVEL
-          net     ACCEPT
#.If there is no rule it is dropped
net        all     DROP      info

BTW, is it okay to set it to drop all rather than reject? I'd rather not reply to requests. Again, sorry for the stupid questions, this networking stuff is all rather new and really confusing.

On Fri, 27 Aug 2004 01:03 pm, Tom Eastep wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matthew Simmiss wrote:
>
> | -----------------------------------------------------------------------------------------------
> |
> | Sorry if i am asking stupid questions, i realize the solution is probably
> | simple
>
> With a one-interface setup, there is no 'loc' zone and Shorewall is
> trying to tell you that every time you start it (Look for warnings
> telling you that the 'loc' zone is empty). The firewall itself comprises
> the $FW zone (the default value of $FW is 'fw').
>
> You should have started with the Standalone Quickstart Guide
> (http://shorewall.net/standalone.htm) -- at least you would have had
> something working quickly and you would have had a clue how Shorewall
> works in a one-interface environment, assuming that you read the entire
> guide.
>
> - -Tom
> - --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBLqSSO/MAbZfjDLIRAqgtAKC250QRYJNpTCBUWdL8ITaIPic8nwCgyFr+
> SeMDWKbZaX1Wwj46bOuDCSw=
> =y9G2
> -----END PGP SIGNATURE-----
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew Simmiss wrote:
| -----------------------------------------------------------------------------------------------
|
| Sorry if i am asking stupid questions, i realize the solution is probably
| simple

With a one-interface setup, there is no 'loc' zone and Shorewall is
trying to tell you that every time you start it (Look for warnings
telling you that the 'loc' zone is empty). The firewall itself comprises
the $FW zone (the default value of $FW is 'fw').

You should have started with the Standalone Quickstart Guide
(http://shorewall.net/standalone.htm) -- at least you would have had
something working quickly and you would have had a clue how Shorewall
works in a one-interface environment, assuming that you read the entire
guide.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBLqSSO/MAbZfjDLIRAqgtAKC250QRYJNpTCBUWdL8ITaIPic8nwCgyFr+
SeMDWKbZaX1Wwj46bOuDCSw=
=y9G2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew Simmiss wrote:
| Okay thanks Tom that worked,
|
| i think i get it now.... :S.
| My ppp0 interface sits behind the firewall($FW) as trusted. Then $FW checks
| the rules when a connection is initiated and if finds an ACCEPT rule allows
| traffic as defined in the policy file
| #SOURCE    DEST    POLICY    LOG      LIMIT:BURST
| #                            LEVEL
| -          net     ACCEPT

The set of hosts that communicate with your firewall through ppp0
comprise the 'net' zone. The firewall itself comprises the $FW zone. You
express policies for communication between zones using the 'policy'
file. Entries in the 'rules' file define exceptions to those policies.

So you have:

| #.If there is no rule it is dropped
| net        all     DROP      info

That says that you don't want to accept any connections from the
internet to any other zone. Since you only have one other zone ($FW)
that means that your firewall won't accept connections from the
internet. If you want to accept certain connections, then you must
define rules that ACCEPT those connections.

|
| BTW is it okay to set too drop all rather than reject,
| I'd rather not reply to requests?

That is the policy that would have been installed for you if you would
have followed the QuickStart Guide.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBLz7kO/MAbZfjDLIRArXBAJ9MVHHGCvbnRF0cdDnwuq7vFpNbLwCgkBXq
rOyZ7bD8Y8bAW3zJ3yr6nVE=
=+7II
-----END PGP SIGNATURE-----
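The following is an added worked example, not part of Tom's reply and not taken from the Shorewall project's sample files: a complete one-interface (standalone) configuration that puts Tom's zone/policy/rules explanation together with the outbound service list from Matt's first post. It assumes the Shorewall 2.x column layouts shown in the thread (the three-column zones file format is an assumption for that version), the default zone name 'fw' for $FW, and the port numbers noted in the comments (LimeWire's Gnutella port 6346 and the BitTorrent range are assumed; the two resolver addresses are the ones Matt gave). Everything not explicitly ACCEPTed is dropped and logged, which is the "drop the rest" behaviour Matt asked for.

```text
# /etc/shorewall/zones  (Shorewall 2.x format, assumed)
#ZONE    DISPLAY    COMMENTS
net      Net        Internet via ppp0
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# /etc/shorewall/interfaces
# Only one interface: everything reached through ppp0 is the 'net' zone.
# The firewall host itself is $FW; there is no 'loc' zone on a standalone box.
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      ppp0         -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# /etc/shorewall/policy
# Default-deny in both directions; the rules file below lists the exceptions.
# Logging at 'info' means each dropped connection shows up in /var/log/messages
# with a "Shorewall:<chain>:DROP:" prefix, e.g. Shorewall:net2all:DROP:
#SOURCE    DEST    POLICY    LOG      LIMIT:BURST
#                            LEVEL
$FW        net     DROP      info
net        all     DROP      info
all        all     REJECT    info
#LAST LINE -- DO NOT REMOVE

# /etc/shorewall/rules
# All exceptions are $FW -> net (outbound). Replies come back through
# connection tracking, so no inbound rules are needed for any of these.
#ACTION    SOURCE    DEST                  PROTO    DEST       SOURCE     ORIGINAL    RATE     USER/
#                                                   PORT       PORT(S)    DEST        LIMIT    GROUP
# DNS: only to the ISP's two resolvers (addresses from Matt's post).
# UDP is the normal transport; TCP is used for answers too large for UDP.
ACCEPT     $FW       net:203.134.64.66     udp      53
ACCEPT     $FW       net:203.134.65.66     udp      53
ACCEPT     $FW       net:203.134.64.66     tcp      53
ACCEPT     $FW       net:203.134.65.66     tcp      53
# Web
ACCEPT     $FW       net                   tcp      80,443
# Shell access
ACCEPT     $FW       net                   tcp      22
# Mail to the ISP: smtp submission on 25, pop3 on 110
ACCEPT     $FW       net                   tcp      25,110
# MSN Messenger (1863) and Yahoo Messenger (5050)
ACCEPT     $FW       net                   tcp      1863,5050
# LimeWire / Gnutella (default port 6346 assumed)
ACCEPT     $FW       net                   tcp      6346
# BitTorrent peers (range, low:high) and a tracker port (assumed values)
ACCEPT     $FW       net                   tcp      6881:6889
ACCEPT     $FW       net                   tcp      6969
# Outgoing ping: ICMP type 8 (echo-request) only, not all of ICMP
ACCEPT     $FW       net                   icmp     8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Two points worth checking against Matt's original rules file. First, every 'loc' entry there silently matches nothing, which is exactly the empty-zone warning Tom refers to; in this layout the same intent is expressed with $FW as the source. Second, the "ACCEPT net loc tcp - 20" line (inbound from source port 20) is not needed for FTP once the ip_conntrack_ftp helper is loaded, and in a default-deny policy an inbound rule keyed only on the remote source port is a hole rather than a feature, since any remote host can choose its source port. After editing, run `shorewall check` to validate the files before `shorewall restart`, and watch /var/log/messages for Shorewall DROP entries to see which service you forgot.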