version - 2.0.13
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:09:5b:09:d9:8e brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:09:5b:91:59:61 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
inet6 fe80::209:5bff:fe91:5961/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:11:2f:4c:0d:77 brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.100
default via 192.168.0.1 dev eth1
I would like to use Shorewall as a simple, desktop firewall for my Linux
system. Here is my topology:
1. A wireless router (192.168.0.1) that's connected to a cable modem.
2. My desktop computer, which is the Linux system in question (192.168.0.100).
3. My laptop (192.168.0.102).
I have the following goals for my firewall:
1. Provide an ssh server that can be accessed by the laptop on our private network.
2. Protect myself from anyone on the net who's trying to access my computer.
I tried using the default one-interface setup, setting the "net"
interface in /etc/shorewall/interfaces to eth1. Shorewall was able to
start successfully after I did this, but I wasn't able to ping my
desktop from my laptop.
In my /etc/shorewall/policy file, I have the following lines:
fw net ACCEPT
net all DROP info
all all REJECT info
This should stop all pinging from the outside world, but I also have the
following line in my /etc/shorewall/rules file:
ACCEPT net fw icmp 8
I looked in /var/log/messages, and my desktop is logging the following
message when I try and ping it from the laptop:
Jul 11 13:06:58 localhost kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:24:1f:18:a2:08:00 SRC=192.168.0.102 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=21364 PROTO=UDP SPT=49316 DPT=137 LEN=58
Since netfilter is dropping the packets, it seems as though my computer
thinks that my laptop is in the net zone. However, if that's true, then
why isn't it following my ACCEPT line in /etc/shorewall/rules?
Any help that I can get with this would be greatly appreciated. I read
the pinging FAQs and the setup guide, and have also searched the
mailing list. There's tons of great information if you want to use
Shorewall as a firewall in front of multiple machines, but I can't find
much for configuring a simple, client-based firewall.
Thanks in advance!
Tom Purl
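As an added example (not part of Tom's post or of Shorewall's own code), here is a small Python parser for the netfilter log line quoted above. The prefix Shorewall:rfc1918:DROP names the chain and disposition: rfc1918 is the RFC 1918 source filtering enabled by the norfc1918 interface option, which is evaluated before the zone rules, and the fields show a UDP/137 NetBIOS name broadcast rather than the ICMP echo request that the ACCEPT rule covers. The second sample line (a SYN to port 22 from a non-RFC1918 source, hitting the net2all policy chain) is constructed.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly rather than via ip_address.is_private,
# which also covers documentation and other special-use blocks.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shorewall 2.x log prefix: Shorewall:<chain>:<disposition>:<netfilter fields>
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")

# Constructed sample log. Line 1 mirrors the line quoted in the post; line 2 is a
# hypothetical non-RFC1918 source dropped by the net2all policy chain.
SAMPLE_LOG = """\
Jul 11 13:06:58 localhost kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:24:1f:18:a2:08:00 SRC=192.168.0.102 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=21364 PROTO=UDP SPT=49316 DPT=137 LEN=58
Jul 11 13:07:02 localhost kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:09:5b:91:59:61:00:00:5e:00:53:01:08:00 SRC=198.51.100.23 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_shorewall_log(line):
    """Return chain, disposition and the key=value fields of one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            entry.setdefault(key, value)  # LEN appears twice; keep the IP total length
        else:
            entry[key] = True             # bare flags such as DF or SYN
    return entry


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def explain(entry):
    """One-line diagnosis of which Shorewall stage produced the log entry."""
    if entry["chain"] == "rfc1918":
        return ("rfc1918 chain: SRC %s is RFC 1918 space and the interface has norfc1918; "
                "the zone rules were never consulted" % entry["SRC"])
    if entry.get("PROTO") == "ICMP" and entry.get("TYPE") == "8":
        return "ICMP echo request: the only traffic 'ACCEPT net fw icmp 8' matches"
    return "%s/%s from %s reached the %s policy chain" % (
        entry.get("PROTO"), entry.get("DPT"), entry["SRC"], entry["chain"])


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(explain(parse_shorewall_log(line)))
```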