Hello,

is it possible to configure Shorewall for different network environments? I am using it on a single Linux computer. When I am at home, I am using an internal IP address (192.168.0.X), and when I am using my cable modem, I get an internet IP assigned. I now want to be able to use Samba/Windows Filesharing when at home and to disable it when I am using my computer directly on the net.

Is that possible?

Thanks,
Chris

equinox@bach-online.de wrote:
> Hello,
> is it possible to configure Shorewall for different network
> environments? I am using it on a single Linux computer. When I am at
> home, I am using an internal IP address (192.168.0.X), and when I am
> using my cable modem, I get an internet IP assigned. I now want to be
> able to use Samba/Windows Filesharing when at home and to disable it
> when I am using my computer directly on the net.
>
> Is that possible?
>

See:

http://shorewall.net/configuration_file_basics.htm#Levels
http://shorewall.net/starting_and_stopping_shorewall.htm#id2435282

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> is it possible to configure Shorewall for different network
> environments? I am using it on a single Linux computer. When I am at
> home, I am using an internal IP address (192.168.0.X), and when I am
> using my cable modem, I get an internet IP assigned. I now want to be
> able to use Samba/Windows Filesharing when at home and to disable it
> when I am using my computer directly on the net.
>
> Is that possible?

While thinking about complicated ways (or hacks) how to abuse interfaces and zones, Tom already answered -- with a way more elegant solution. :-)

Anyway, regarding the Samba setup: I would limit accessibility anyways, and a minimal secure setup includes limiting/binding to special address ranges or interfaces. Running the Samba server always and restricting the access to the local network should take care of the "do not offer Samba shares to the net" issue:

    interfaces = 192.168.0.0/24

Assuming, "use Samba [...] when at home" actually means a server. But it would not apply to this list otherwise. ;)

karsten

--
Davision - Studio for Design / Internet / Multimedia
UNIX / Linux Networks and Training
Phone 06151/273859  Fax 06151/273862

Tom Eastep wrote:
> equinox@bach-online.de wrote:
>
>>Hello,
>>is it possible to configure Shorewall for different network
>>environments? I am using it on a single Linux computer. When I am at
>>home, I am using an internal IP address (192.168.0.X), and when I am
>>using my cable modem, I get an internet IP assigned. I now want to be
>>able to use Samba/Windows Filesharing when at home and to disable it
>>when I am using my computer directly on the net.
>>
>>Is that possible?
>>
>
>
> See:
>
> http://shorewall.net/configuration_file_basics.htm#Levels
> http://shorewall.net/starting_and_stopping_shorewall.htm#id2435282
>

Also, I don't know if you run SuSE but if so, you can define /etc/shorewall to the profile manager and have one profile for home and another profile when you are on the net. That's what I do with my Linux laptop.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Karsten Bräckelmann wrote:
>Assuming, "use Samba [...] when at home" actually means a server. But it
>would not apply to this list otherwise. ;)
>
> karsten
>
>

I already did this. I just wanted to block the Samba traffic also on the Shorewall level already.

@tom
I am running Suse Linux. I'll give your suggestion a try.

Thanks so far,
Chris

Tom Eastep wrote:
>
>
> Also, I don't know if you run SuSE but if so, you can define
> /etc/shorewall to the profile manager and have one profile for home and
> another profile when you are on the net. That's what I do with my Linux
> laptop.
>

One word of caution regarding "shorewall save". You want to set a separate value for RESTOREFILE (shorewall.conf) in the two profiles.

-Tom
--
Tom Eastep    \ Off-list replies are cheerfully ignored
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
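
The RESTOREFILE caution in the last message, as an added example that is not part of the original thread: a shell check that two profile directories name different restore files in their `shorewall.conf`, plus a helper that selects the stricter profile for any address outside the home LAN. The function names, the directory layout, the sample files and the fallback name `restore` for an empty RESTOREFILE are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and sample files are constructed.

# Print the RESTOREFILE value set in DIR/shorewall.conf. The file consists of
# shell-style VAR=value lines, so the last assignment wins.
restorefile_of() {
    sed -n 's/^[[:space:]]*RESTOREFILE=//p' "$1/shorewall.conf" |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tail -n 1
}

# Succeed only if the two profile directories name different restore files.
# Assumption: an unset or empty RESTOREFILE falls back to "restore".
profiles_distinct() {
    a=$(restorefile_of "$1")
    b=$(restorefile_of "$2")
    [ "${a:-restore}" != "${b:-restore}" ]
}

# Map an IPv4 address to a profile name. Only the home LAN from the thread
# (192.168.0.X) selects "home"; anything else, including an empty address,
# gets the stricter "net" profile.
profile_for_addr() {
    case "$1" in
        192.168.0.*) echo home ;;
        *)           echo net ;;
    esac
}

# Demo on two constructed profile directories.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/home" "$tmp/net"
    printf '# constructed sample\nRESTOREFILE=restore-home\n' > "$tmp/home/shorewall.conf"
    printf '# constructed sample\nRESTOREFILE=\n' > "$tmp/net/shorewall.conf"
    if profiles_distinct "$tmp/home" "$tmp/net"; then
        echo "OK: profiles use separate restore files"
    else
        echo "WARNING: both profiles share one RESTOREFILE"
    fi
    echo "203.0.113.7 -> $(profile_for_addr 203.0.113.7)"
    rm -rf "$tmp"
}
demo
```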