Hi, I'm new to shorewall and iptables. I installed shorewall ver. 2.2 two days ago and it's working now, but I have some questions concerning PPPoE. I have my ISP's connection to the internet through PPPoE over an ethernet card. On the ethernet card I have a static IP and I have access to all the other ISP's clients which are in the same subnet (it's a small neighbourhood ISP). Our addresses are of this type: 172.17.211.* The internet goes through PPPoE, where I have a dynamic real IP address. I installed shorewall and used the one-interface sample (the two-interface sample was for local and internet, while I want to treat both as Internet in order to protect both connections). My intention is to divide the two connections in order to have different settings on each of them. I made the following changes:

-interfaces-
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      ppp0         -            norfc1918,routefilter,dhcp,tcpflags
locnet   eth0         detect       norfc1918,routefilter,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-policy-
#SOURCE    DEST      POLICY    LOG LEVEL    LIMIT:BURST
fw         net       ACCEPT
fw         locnet    ACCEPT
net        all       DROP      info
locnet     all       DROP      info
# The FOLLOWING POLICY MUST BE LAST
all        all       REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-rules-
#ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/
#                                     PORT     PORT(S)    DEST        LIMIT    GROUP
ACCEPT     net       fw      icmp     8
ACCEPT     locnet    fw      icmp     8
ACCEPT     fw        net     icmp
ACCEPT     fw        locnet  icmp
DropPing   net       fw
DropPing   locnet    fw
ACCEPT     net       fw      tcp      3880
ACCEPT     locnet    fw      tcp      80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-zones-
#ZONE      DISPLAY      COMMENTS
net        Net          Internet
locnet     Local Net    Local Lan
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Testing with ShieldsUp! on https://grc.com/x/ne.dll?bh0bkyd2 showed that I have port 3880 open on the ppp0 interface and port 80 not open on it. I have no way to test whether the eth0 interface replies on 80, so I want to ask if the configuration is alright.
I didn't find a tip in the documentation on how to divide the connections the way I wanted and give them different options, so I will appreciate any additional advice on this.

P.S. ShieldsUp! says I accept ping replies although I included these lines:
DropPing   net      fw
DropPing   locnet   fw
in the rules file, as it was explained in the tutorial... How do I handle this?

Thanks
Milen Pankov wrote:
> ACCEPT     net       fw      tcp      3880
> ACCEPT     locnet    fw      tcp      80
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> -zones-
> #ZONE      DISPLAY      COMMENTS
> net        Net          Internet
> locnet     Local Net    Local Lan
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> Testing with ShieldsUp! on https://grc.com/x/ne.dll?bh0bkyd2 showed that
> I have port 3880 open on the ppp0 interface and port 80 not open on it. I
> have no way to test whether the eth0 interface replies on 80, so I want to ask
> if the configuration is alright.

Looks right.

> I didn't find a tip in the documentation on how to divide the connections the
> way I wanted and give them different options, so I will appreciate any
> additional advice on this.

I have no idea what you are asking.

> P.S. ShieldsUp! says I accept ping replies although I included these lines:
> DropPing   net      fw
> DropPing   locnet   fw
> in the rules file, as it was explained in the tutorial...
> How do I handle this?

Have you looked at the traffic with ethereal or tcpdump to see if your firewall is really responding to 'ping'? I doubt that it is. False positives with test facilities like ShieldsUp are very common.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
I just tested and confirmed that your firewall IS responding to pings (Quiz for the list -- how did I know Milen's firewall IP address?).

Milen Pankov wrote:
> -rules-
> #ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/
> #                                     PORT     PORT(S)    DEST        LIMIT    GROUP
> ACCEPT     net       fw      icmp     8        <====================================
> ACCEPT     locnet    fw      icmp     8
>
> P.S. ShieldsUp! says I accept ping replies although I included these lines:
> DropPing   net      fw
> DropPing   locnet   fw
> in the rules file, as it was explained in the tutorial...
> How do I handle this?

Delete the above flagged rule that you have BEFORE the DropPing rule!!!!!!!!

-Tom
Hi again,

Tom Eastep wrote:
>> I didn't find a tip in the documentation on how to divide the connections the
>> way I wanted and give them different options, so I will appreciate any
>> additional advice on this.
>
> I have no idea what you are asking.

I meant that there were no examples in the documentation about handling two interfaces connected to the internet.

> I just tested and confirmed that your firewall IS responding to pings
> (Quiz for the list -- how did I know Milen's firewall IP address?).

I guess from the message headers...

> Milen Pankov wrote:
>
>> -rules-
>> #ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/
>> #                                     PORT     PORT(S)    DEST        LIMIT    GROUP
>> ACCEPT     net       fw      icmp     8        <====================================
>> ACCEPT     locnet    fw      icmp     8

I'll try to look for info about what these really are for, but just a quick question: do I have to remove the locnet entry too:
ACCEPT     locnet    fw      icmp     8
in order to deny ping on the ethernet card's IP also?

>> P.S. ShieldsUp! says I accept ping replies although I included these lines:
>> DropPing   net      fw
>> DropPing   locnet   fw
>> in the rules file, as it was explained in the tutorial...
>> How do I handle this?
>
> Delete the above flagged rule that you have BEFORE the DropPing
> rule!!!!!!!!
>
> -Tom

Thanks for the answers.
Milen Pankov wrote:
> I meant that there were no examples in the documentation about handling
> two interfaces connected to the internet.

Please see FAQ 38.

>> I just tested and confirmed that your firewall IS responding to pings
>> (Quiz for the list -- how did I know Milen's firewall IP address?).
>
> I guess from the message headers...
>
> I'll try to look for info about what these really are for, but just a
> quick question: do I have to remove the locnet entry too:
> ACCEPT     locnet    fw      icmp     8
> in order to deny ping on the ethernet card's IP also?

Yes. That rule is equivalent to:

AllowPing   locnet   fw

> Thanks for the answers.

You are welcome,
-Tom
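The point Tom makes in his two replies (the ACCEPT icmp 8 lines come BEFORE the DropPing lines and so win, and ACCEPT ... icmp 8 is just AllowPing spelled out) is a first-match-wins ordering problem. The script below is an added example, not code from this thread or from the Shorewall project: it is a deliberately simplified first-match model of the rules and policy files Milen posted, with the two macros expanded as the thread describes them (DropPing = DROP ICMP type 8, AllowPing = ACCEPT ICMP type 8; that expansion is an assumption, real Shorewall actions do more). It only models the ACTION/SOURCE/DEST/PROTO/DEST PORT columns that the posted configuration uses, and the zone names, rules and policy text are constructed copies of the thread's files.

```python
"""First-match model of the Shorewall rules/policy files from the thread.

Added example, not Shorewall's own code.  Only the columns used in the
posted configuration are modelled; real Shorewall supports far more.
"""
from __future__ import annotations

from dataclasses import dataclass

# Macros as the thread describes them (assumption: nothing beyond proto/type).
MACROS = {
    "DropPing": ("DROP", "icmp", "8"),
    "AllowPing": ("ACCEPT", "icmp", "8"),
}

# Constructed copies of the files from the first post (comment columns trimmed).
POSTED_RULES = """\
#ACTION   SOURCE  DEST    PROTO  DPORT
ACCEPT    net     fw      icmp   8
ACCEPT    locnet  fw      icmp   8
ACCEPT    fw      net     icmp
ACCEPT    fw      locnet  icmp
DropPing  net     fw
DropPing  locnet  fw
ACCEPT    net     fw      tcp    3880
ACCEPT    locnet  fw      tcp    80
"""

POSTED_POLICY = """\
#SOURCE  DEST    POLICY
fw       net     ACCEPT
fw       locnet  ACCEPT
net      all     DROP
locnet   all     DROP
all      all     REJECT
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: str  # "any" when the column was left blank
    dport: str  # "any" when blank; for icmp this column is the ICMP type


def _rows(text: str) -> list[list[str]]:
    """Split a config file into whitespace-separated fields, dropping comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for fields in _rows(text):
        if fields[0] in MACROS:  # expand DropPing/AllowPing into a plain rule
            act, proto, dport = MACROS[fields[0]]
            fields = [act, fields[1], fields[2], proto, dport]
        fields = fields + ["-"] * (5 - len(fields))  # pad blank trailing columns
        action, src, dst, proto, dport = fields[:5]
        rules.append(Rule(action, src, dst,
                          "any" if proto == "-" else proto,
                          "any" if dport == "-" else dport))
    return rules


def parse_policy(text: str) -> list[tuple[str, str, str]]:
    return [(f[0], f[1], f[2]) for f in _rows(text)]


def evaluate(rules, policy, src, dst, proto, dport) -> tuple[str, str]:
    """First matching rule wins; if none matches, the first matching policy."""
    for i, r in enumerate(rules, 1):
        if (r.src in (src, "all") and r.dst in (dst, "all")
                and r.proto in ("any", proto) and r.dport in ("any", dport)):
            return r.action, f"rule {i}: {r}"
    for psrc, pdst, pol in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol, f"policy {psrc} {pdst} {pol}"
    return "REJECT", "implicit"


def verdict(rules_text, src, dst, proto, dport, policy_text=POSTED_POLICY) -> str:
    return evaluate(parse_rules(rules_text), parse_policy(policy_text),
                    src, dst, proto, dport)[0]


def without_accept_ping(rules_text: str) -> str:
    """Tom's fix: delete the 'ACCEPT ... icmp 8' lines that precede DropPing."""
    keep = [l for l in rules_text.splitlines()
            if not (l.startswith("ACCEPT") and l.split()[3:5] == ["icmp", "8"])]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RULES), ("fixed", without_accept_ping(POSTED_RULES))):
        for src in ("net", "locnet"):
            print(label, src, "-> fw ping:", evaluate(parse_rules(text), parse_policy(POSTED_POLICY), src, "fw", "icmp", "8"))
```

Run stand-alone it reports that, with the posted file, echo requests from both zones hit rule 1 or 2 (ACCEPT) before the DropPing lines are ever consulted; with the two ACCEPT icmp 8 lines removed they fall through to the expanded DropPing rules. The same evaluator shows why ShieldsUp saw 3880 open and 80 closed on ppp0: there is no net→fw rule for port 80, so the `net all DROP` policy applies, while locnet→fw port 80 is accepted by its own rule.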