Shoot! Sorry Tom. I thought I replaced your e-mail address with the shorewall list address.

I got it working!!! I finally figured out what I was doing wrong. Pays to write down what I want to accomplish versus flying by the seat of my pants.

The ACCEPT+ is G R E A T! Took care of some of my issues along with removing the redirect rule (yeah, yeah...I should have thought it over more carefully, hence, the writing it down I mentioned above. I didn't need to redirect that after all. Just limit what IP to accept traffic on that port. That way, the users can't bypass the proxy with content filtering.)

I would like to suggest an archive of working scripts for varying situations contributed by fellow Shorewall users. Would you like mine to start with?

Thank you so much for your help. And not flaming me as a nOOb (which I am at Linux firewalling).

Best regards,
Greg Shepherd

-----Original Message-----
From: Greg Shepherd [mailto:Greg.Shepherd@netmanaged.com]
Sent: Sunday, December 19, 2004 5:36 PM
To: 'Tom Eastep'
Subject: RE: [Shorewall-users] Shorewall and selective access

Hmmm....it looks like systems in the ADM zone are still being redirected to port 3128. I am getting a squid error when I use a system with an IP address in the ADM zone and do not configure my browser for a proxy. I am on shorewall version 2.0.13.

I saw this:

ACCEPT+ Added in Shorewall 2.0.2 Beta 2. Works like ACCEPT but also exempts the connection from matching DNAT and REDIRECT rules later in the file.

But, I am still being redirected. I added the ACCEPT+ rule before the redirect as you suggested. Here is my latest shorewall status report.

Thanks
Greg

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, December 19, 2004 3:02 PM
To: Greg.Shepherd@netmanaged.com; Shorewall Users
Subject: RE: [Shorewall-users] Shorewall and selective access

On Sun, 2004-12-19 at 14:54 -0500, Greg Shepherd wrote:
> I modified the address to include the !. I missed that detail.
>
> Here is the shorewall status file you requested.
>
> The public interface is currently 192.168.1.80. Later, this will change to a
> public address when it is deployed.

You have no adm->fw policy and you have no adm->loc rules so I don't know how you expect to allow any adm->fw traffic given that the applicable policy for adm->fw is all2all which appears to be REJECT.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
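The two points Tom and Greg work through above (an ACCEPT+ rule placed before the REDIRECT so that the ADM zone is exempted from the transparent-proxy redirect, and the missing adm->fw policy that otherwise falls through to the all2all REJECT) can be written out as Shorewall 2.0-style policy and rules fragments. This is an added illustration, not configuration taken from the posts or from the Shorewall project. The zone names adm, loc and fw, the squid port 3128 and the firewall address 192.168.1.80 come from the thread; the net zone name, the loc->net and fw->net policies and the info log level are assumptions filled in to make the fragments complete.

```text
# /etc/shorewall/policy  (Shorewall 2.0 column layout; added example, not from the thread)
# Without an explicit adm->fw entry, adm->fw traffic is decided by the
# all/all catch-all below, which is the "all2all ... REJECT" seen in the status report.
#SOURCE   DEST   POLICY   LOG LEVEL
adm       fw     ACCEPT
loc       net    ACCEPT
fw        net    ACCEPT
all       all    REJECT   info

# /etc/shorewall/rules  (Shorewall 2.0 column layout; added example, not from the thread)
#ACTION    SOURCE   DEST    PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
#
# ACCEPT+ (Shorewall >= 2.0.2 Beta 2) must come BEFORE the REDIRECT: it accepts
# the adm->net web connections and also exempts them from any DNAT/REDIRECT rule
# that appears later in this file, so ADM hosts are not sent to squid.
ACCEPT+    adm      net     tcp     80
#
# Transparent proxy for the loc zone: web traffic goes to squid on port 3128 of
# the firewall, except traffic already addressed to the firewall itself
# (the "!" exclusion Greg added to the ORIGINAL DEST column).
REDIRECT   loc      3128    tcp     80             -                !192.168.1.80
```

A quick way to confirm the ordering took effect is to compare `shorewall status` (or the nat PREROUTING chain in `iptables -t nat -L -n`) before and after: the adm source rule should appear above the port 3128 redirect, and a browser on an ADM host with no proxy configured should no longer receive the squid error page.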
On Sun, 2004-12-19 at 18:27 -0500, Greg Shepherd wrote:
>
> I would like to suggest an archive of working scripts for varying situations
> contributed by fellow Shorewall users.
>
> Would you like mine to start with?

Greg,

I'm worried that unless such "working scripts" were carefully screened and documented, that they might do more harm than good. Do others have opinions?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
>> I would like to suggest an archive of working scripts for varying situations
>> contributed by fellow Shorewall users.
>>
>> Would you like mine to start with?
>>
>>
>
> Greg,
>
> I'm worried that unless such "working scripts" were carefully screened
> and documented, that they might do more harm than good. Do others have
> opinions?
>
> -Tom
>

If you mean by "scripts" configuration files, I think this is a bad idea. Your (Tom's) documentation is fine. Having a set of configs to "plug and pray" is a recipe for disaster. Maybe I misunderstand your question here though...

"I tried script #571 and now my game works kind of, but now my ftp died, and my ssh sessions are weird, umm, anyone help me?" (YIKES!)

I think that while some example configs might be helpful, they would allow for people to avoid a little RTFM. RTFM can only do good. In this case the F means Fine as your manuals are quite fine.

For complex situations it might be more helpful, but like Tom says, they would need to be screened, documented, and the actual documentation would be fine in the first place, etc... To summarize, while example configs might be helpful, they would probably cause more trouble than not. Maybe something more like a howto type format, like, "I set up this type of network in shorewall, and this is how I did it, this is how it could be done, this is how not to do it, here is my example." I guess this is like the screened/documented version of an example config.

Just my .02$

Alex Martin
http://www.rettc.com
> Greg,
>
> I'm worried that unless such "working scripts" were carefully screened
> and documented, that they might do more harm than good. Do others have
> opinions?
>
> -Tom

Tom,

I agree. There definitely is a need for guidelines for contributors to follow and a review/screening process of submitted scripts/configurations.

I certainly like shorewall better than the (very) few others I have tried. As well as the help! ; )

Popularity can be good or bad. I reckon it depends on where you want shorewall to go.

Thank you very much for your help and guidance (read hand-holding).

Best regards,
Greg Shepherd
On Sun, 2004-12-19 at 17:16 -0700, Alex Martin wrote:
>
>
> If you mean by "scripts" configuration files, I think this is a bad
> idea. Your (Tom's) documentation is fine. Having a set of configs to
> "plug and pray" is a recipe for disaster. Maybe I misunderstand your
> question here though...
>
> "I tried script #571 and now my game works kind of, but now my ftp died,
> and my ssh sessions are weird, umm, anyone help me?" (YIKES!)

Your nightmare visions are similar to my own.

>
> I think that while some example configs might be helpful, they would
> allow for people to avoid a little RTFM. RTFM can only do good. In this
> case the F means Fine as your manuals are quite fine.
>
> For complex situations it might be more helpful, but like Tom says, they
> would need to be screened, documented, and the actual documentation
> would be fine in the first place, etc... To summarize, while example
> configs might be helpful, they would probably cause more trouble than
> not. Maybe something more like a howto type format, like, "I set up this
> type of network in shorewall, and this is how I did it, this is how it
> could be done, this is how not to do it, here is my example." I guess
> this is like the screened/documented version of an example config.

I'm always happy to accept articles such as that -- the current OpenVPN documentation, for example, was contributed by Simon Mater.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Caveat: Sorry, I missed the OP, so I might have got it wrong...

> > I would like to suggest an archive of working scripts for varying situations
> > contributed by fellow Shorewall users.
> >
> > Would you like mine to start with?

Well, this is an honorable thought, but it reminds me...

> I'm worried that unless such "working scripts" were carefully screened
> and documented, that they might do more harm than good. Do others have
> opinions?

Isn't this just the same as the Wiki that died recently -- due to no content? "The same" as in the same idea, but probably without the ease to use and extend it by any user...

I still think sharing your experience and scripts is a good thing. Really. But it doesn't make sense starting another project, unless we at least could imagine why it might work while the Wiki died...

If the scripts are good, I believe Tom would be glad to add them to the "contributed" section.

karsten
--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux networks and training
Telephone 06151/273859  Fax 06151/273862
Karsten Bräckelmann wrote:
> Isn't this just the same as the Wiki that died recently -- due to no
> content? "The same" as in the same idea, but probably without the ease
> to use and extend it by any user...
>
> I still think sharing your experience and scripts is a good thing.
> Really. But it doesn't make sense starting another project, unless we at
> least could imagine why it might work while the Wiki died...
>
> If the scripts are good, I believe Tom would be glad to add them to the
> "contributed" section.
>
> karsten

I agree with Karsten, anyone who would like to submit custom scripts should be able to do so, with Tom's approval, by archiving them in the contributed section. It could become quite a resource for those running similar systems but who are stumped into fixing a customized solution for their particular needs.

--
Patrick Benson
Stockholm, Sweden