Hi All

I have multiple remote Windows networks using a Tinc VPN connection to my Linux server. They collect POP3 email and browse a Samba share.

At the moment, I have rem1 rem2 rem3 rem4 rem5 in my zones and policy file, but was wondering if there was a more efficient way of doing this?

i.e. Instead of putting all these in my policy file:

  rem1 loc ACCEPT
  rem1 net ACCEPT
  rem1 fw  ACCEPT
  rem2 loc ACCEPT
  rem2 net ACCEPT
  rem2 fw  ACCEPT
  rem3 loc ACCEPT
  rem3 net ACCEPT
  rem3 fw  ACCEPT
  rem4 loc ACCEPT
  rem4 net ACCEPT
  rem4 fw  ACCEPT
  rem5 loc ACCEPT
  rem5 net ACCEPT
  rem5 fw  ACCEPT

Can I just add these lines to my rules file?

  ACCEPT rem1 fw tcp 655
  ACCEPT rem2 fw tcp 655
  ACCEPT rem3 fw tcp 655
  ACCEPT rem4 fw tcp 655
  ACCEPT rem5 fw tcp 655

Is there a better way?
Do I have too many lines in my policy file?!?

Thanks in advance

-- 
PAULLY
http://www.paully.co.uk

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - and be entered to win a 42" plasma tv or your very own Sony(tm) PSP. Click here to play: http://sourceforge.net/geronimo.php
On Tuesday 08 November 2005 03:58, Paul Littlefield wrote:
>
> rem1 loc ACCEPT
> rem1 net ACCEPT

If these are remote zones, why do they need a ->net policy? Do they all access the internet via your Shorewall box?

> rem1 fw ACCEPT

You must be a trusting soul -- I don't have any zones that have an ACCEPT policy to the firewall.

>
> Can I just add these lines to my rules file?
>
> ACCEPT rem1 fw tcp 655
> ACCEPT rem2 fw tcp 655
> ACCEPT rem3 fw tcp 655
> ACCEPT rem4 fw tcp 655
> ACCEPT rem5 fw tcp 655
>
> Is there a better way?
> Do I have too many lines in my policy file?!?
>

My question would be "Do you have too many zones?". Do these remote networks have firewalling requirements that are so different from one another that they need to comprise separate zones? From your policy file, it sure doesn't look like it.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 08 Nov 2005 15:55, Tom Eastep wrote:
> On Tuesday 08 November 2005 03:58, Paul Littlefield wrote:
> > rem1 loc ACCEPT
> > rem1 net ACCEPT
>
> If these are remote zones, why do they need a ->net policy? Do they all
> access the internet via your Shorewall box?

Actually they don't... good point - that's 5 lines removed :-)

> > rem1 fw ACCEPT
>
> You must be a trusting soul -- I don't have any zones that have an ACCEPT
> policy to the firewall.

Surely they need to get through the firewall to their POP3 / Samba services?

> > Can I just add these lines to my rules file?
> >
> > ACCEPT rem1 fw tcp 655
> > ACCEPT rem2 fw tcp 655
> > ACCEPT rem3 fw tcp 655
> > ACCEPT rem4 fw tcp 655
> > ACCEPT rem5 fw tcp 655
> >
> > Is there a better way?
> > Do I have too many lines in my policy file?!?
>
> My question would be "Do you have too many zones?". Do these remote
> networks have firewalling requirements that are so different from one
> another that they need to comprise separate zones? From your policy file,
> it sure doesn't look like it.

Hhmm, OK. The 5 (and growing) remote networks are not _that_ different, but I guess I am showing my ignorance here! Here are the details of the Remotes:

  server1 ~ # grep ^rem /etc/shorewall/hosts
  rem1 vpn+:192.168.1.0/24
  rem2 vpn+:192.168.2.0/24
  rem3 vpn+:192.168.30.0/24
  rem4 vpn+:192.168.40.0/24
  rem5 vpn+:192.168.50.0/24

Basically, the remote machines access POP3 and a Samba share on the same machine as the firewall, so if you can 'trim' the lines down in any of the files that would be great and a lesson learnt!

-- 
PAULLY
PAULLY wrote on 08/11/2005 14:33:00:
> On Tuesday 08 Nov 2005 15:55, Tom Eastep wrote:
> > On Tuesday 08 November 2005 03:58, Paul Littlefield wrote:
> > > rem1 loc ACCEPT
> > > rem1 net ACCEPT
> >
> > If these are remote zones, why do they need a ->net policy? Do they all
> > access the internet via your Shorewall box?
> > My question would be "Do you have too many zones?". Do these remote
> > networks have firewalling requirements that are so different from one
> > another that they need to comprise separate zones? From your policy file,
> > it sure doesn't look like it.
>
> Hhmm, OK. The 5 (and growing) remote networks are not _that_ different, but I
> guess I am showing my ignorance here! Here are the details of the Remotes:
>
> server1 ~ # grep ^rem /etc/shorewall/hosts
> rem1 vpn+:192.168.1.0/24
> rem2 vpn+:192.168.2.0/24
> rem3 vpn+:192.168.30.0/24
> rem4 vpn+:192.168.40.0/24
> rem5 vpn+:192.168.50.0/24
>
> Basically, the remote machines access POP3 and a Samba share on the same
> machine as the firewall, so if you can 'trim' the lines down in any of the
> files that would be great and a lesson learnt!

Paully - what kind of vpn are you using? Is it OpenVPN? If so, you don't need a zone to each road warrior. You just need to assign a zone to the tun/tap device your OpenVPN service creates and make your rules from there. Or am I missing something?

cheers
-- 
Eduardo Ferreira
> > > rem1 fw ACCEPT
> >
> > You must be a trusting soul -- I don't have any zones that
> > have an ACCEPT policy to the firewall.
>
> Surely they need to get through the firewall to their POP3 /
> Samba services?

I believe that the implication was that just because you want to allow POP3 and Samba, you do not also want to allow every other virus/worm/trojan to be poking around at your firewall. An accept policy means that now it is up to you to block ports rather than it being up to you to open ports. Safety begs us to block by default, and only open a hole in the barricade when we have to because it is too easy to forget to block holes, and someone will always be discovering some creative way to get in that you might not have thought of ahead of time.

That's why the rules file is there. Make the policy DROP or REJECT, and use a rule or action to allow POP3 and Samba.

This is also related to the comment about how many zones you have. The more you can consolidate zones, the smaller your rule file can be because you won't have to enable these ports on so many individual zones.

---
Kevin R. Bulgrien
Design & Development Engineer
Mailto:kevin.bulgrien@gdsatcom.com
On Tuesday 08 November 2005 08:33, Paul Littlefield wrote:
> On Tuesday 08 Nov 2005 15:55, Tom Eastep wrote:
> > On Tuesday 08 November 2005 03:58, Paul Littlefield wrote:
> > > rem1 loc ACCEPT
> > > rem1 net ACCEPT
> >
> > If these are remote zones, why do they need a ->net policy? Do they all
> > access the internet via your Shorewall box?
>
> Actually they don't... good point - that's 5 lines removed :-)
>
> > > rem1 fw ACCEPT
> >
> > You must be a trusting soul -- I don't have any zones that have an ACCEPT
> > policy to the firewall.
>
> Surely they need to get through the firewall to their POP3 / Samba
> services?
>

'To' the firewall and 'Through' the firewall are two different things. If the POP3 and Samba servers are running *on the firewall* then you need to allow access. But as others have pointed out, you don't need to open the door entirely to allow those two services.

And if the servers for those services are behind the firewall, then the remote networks don't need access 'to' the firewall at all.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 08 Nov 2005 16:40, Eduardo Ferreira wrote:
> Paully - what kind of vpn are you using? Is it OpenVPN? If so, you don't
> need a zone to each road warrior. You just need to assign a zone to the
> tun/tap device your OpenVPN service creates and make your rules from
> there.

It's Tinc, and works a treat...

http://www.tinc-vpn.org

-- 
PAULLY
http://www.paully.co.uk
On Tuesday 08 Nov 2005 16:48, Bulgrien, Kevin wrote:
> I believe that the implication was that just because you want to
> allow POP3 and Samba, you do not also want to allow every other
> virus/worm/trojan to be poking around at your firewall. An
> accept policy means that now it is up to you to block ports
> rather than it being up to you to open ports. Safety begs us to
> block by default, and only open a hole in the barricade when we
> have to because it is too easy to forget to block holes, and
> someone will always be discovering some creative way to get in
> that you might not have thought of ahead of time.
>
> That's why the rules file is there. Make the policy DROP or
> REJECT, and use a rule or action to allow POP3 and Samba.

Yes, fair enough. I will examine this later today.

> This is also related to the comment about how many zones you
> have. The more you can consolidate zones, the smaller your
> rule file can be because you won't have to enable these ports
> on so many individual zones.

Does the documentation show how to 'consolidate zones'? I don't necessarily need hand-holding, just a point in the right direction!

:-)

-- 
PAULLY
http://www.paully.co.uk
On Tuesday 08 November 2005 09:11, Paul Littlefield wrote:
>
> Does the documentation show how to 'consolidate zones'? I don't necessarily
> need hand-holding, just a point in the right direction!
>

Just define one zone:

/etc/shorewall/interfaces

  rem vpn+ - ...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Paully wrote on 08/11/2005 15:11:27:
>
> Does the documentation show how to 'consolidate zones'? I don't necessarily
> need hand-holding, just a point in the right direction!
>
> :-)

there's something about "Dynamic Zones" using ipsets, but I think you will have to patch your kernel, so I don't know if this is an option.

take a look at: http://www.shorewall.net/ipsets.html

cheers
-- 
Eduardo Ferreira
On Tuesday 08 Nov 2005 17:07, Tom Eastep wrote:
> 'To' the firewall and 'Through' the firewall are two different things. If
> the POP3 and Samba servers are running *on the firewall* then you need to
> allow access. But as others have pointed out, you don't need to open the
> door entirely to allow those two services.
>
> And if the servers for those services are behind the firewall, then the
> remote networks don't need access 'to' the firewall at all.

Got it, thanks!

-- 
PAULLY
http://www.paully.co.uk
On Tuesday 08 Nov 2005 17:15, Tom Eastep wrote:
> Just define one zone:
>
> /etc/shorewall/interfaces
>
> rem vpn+ - ...

Hi All

Thanks to everyone (especially Tom!) who replied with their advice. I have now simplified AND tightened my config files considerably:

zones
-----
  #ZONE  DISPLAY   COMMENTS
  net    Internet  Outside Internet
  loc    Local     Local Networks
  vpn    VPN       Virtual Private Network

interfaces
----------
  #ZONE  INTERFACE  BROADCAST  OPTIONS              GATEWAY
  net    eth0       detect     routefilter,tcpflags
  loc    eth1       detect     dhcp,tcpflags
  vpn    vpn+       -

policy
------
  #SOURCE  DEST  POLICY  LOG   LIMIT:BURST
  loc      net   ACCEPT
  loc      fw    ACCEPT
  fw       net   ACCEPT
  fw       loc   ACCEPT
  net      all   DROP    info
  vpn      all   DROP    info
  # THE FOLLOWING POLICY MUST BE LAST
  all      all   REJECT  info

rules
-----
  <snip>
  # Allow Tinc VPN software initial connection from remote networks
  ACCEPT  net  fw   tcp   655
  ACCEPT  net  fw   udp   655
  #
  # Allow the following services only for remote networks
  ACCEPT  fw   vpn  icmp  8
  ACCEPT  vpn  fw   icmp  8
  ACCEPT  vpn  fw   tcp   25
  ACCEPT  vpn  fw   tcp   110
  ACCEPT  vpn  fw   tcp   137:139
  ACCEPT  vpn  fw   udp   137:139
  ACCEPT  vpn  fw   tcp   445
  ACCEPT  vpn  fw   udp   445
  <snip>

Cheers!

-- 
PAULLY
http://www.paully.co.uk
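The three points made in this thread (an ACCEPT policy toward the firewall makes port-level rules pointless, per-port ACCEPT rules under such a policy are no-ops, and zones with identical treatment are candidates for collapsing into one) can be checked mechanically. The script below is an added example written for this page; it is not part of the thread and not a Shorewall tool. It assumes the whitespace-separated column layout shown in the posts (policy: SOURCE DEST POLICY; rules: ACTION SOURCE DEST PROTO DPORT) and uses constructed sample inputs modelled on the first and last posts, trimmed to three remotes. The merge check keys each zone by everything that names it as source or destination, so `net` and `vpn` in the consolidated layout are not reported as mergeable even though both carry an `all DROP` policy.

```python
"""Lint a Shorewall policy/rules pair for the issues raised in the thread:
ACCEPT policies that expose the firewall itself, ACCEPT rules that such a
policy already makes redundant, and zones whose policy+rule footprint is
identical and could be collapsed into a single zone."""
from collections import defaultdict

# Constructed sample (modelled on the first post, three remotes only).
POLICY_BEFORE = """\
#SOURCE DEST POLICY LOG
rem1 loc ACCEPT
rem1 net ACCEPT
rem1 fw  ACCEPT
rem2 loc ACCEPT
rem2 net ACCEPT
rem2 fw  ACCEPT
rem3 loc ACCEPT
rem3 net ACCEPT
rem3 fw  ACCEPT
loc  net ACCEPT
net  all DROP   info
all  all REJECT info
"""
RULES_BEFORE = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT rem1 fw tcp 655
ACCEPT rem2 fw tcp 655
ACCEPT rem3 fw tcp 655
"""

# Constructed sample (modelled on the consolidated layout in the last post).
POLICY_AFTER = """\
loc net ACCEPT
loc fw  ACCEPT
fw  net ACCEPT
fw  loc ACCEPT
net all DROP   info
vpn all DROP   info
all all REJECT info
"""
RULES_AFTER = """\
ACCEPT net fw  tcp  655
ACCEPT net fw  udp  655
ACCEPT fw  vpn icmp 8
ACCEPT vpn fw  icmp 8
ACCEPT vpn fw  tcp  110
ACCEPT vpn fw  tcp  137:139
ACCEPT vpn fw  udp  137:139
ACCEPT vpn fw  tcp  445
"""


def _fields(text, min_fields):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < min_fields:
            raise ValueError(f"malformed line: {raw!r}")
        yield fields


def parse_policy(text):
    """(source, dest, POLICY) triples; LOG and LIMIT:BURST columns are ignored."""
    return [(f[0], f[1], f[2].upper()) for f in _fields(text, 3)]


def parse_rules(text):
    """(ACTION, source, dest, proto, dport) tuples; dport defaults to '-'."""
    return [(f[0].upper(), f[1], f[2], f[3].lower(), f[4] if len(f) > 4 else "-")
            for f in _fields(text, 4)]


def open_to_firewall(policies, fw="fw"):
    """Zones whose policy alone admits every port to the firewall host:
    'X fw ACCEPT' or 'X all ACCEPT' (the 'trusting soul' objection)."""
    return sorted({s for s, d, p in policies
                   if p == "ACCEPT" and d in (fw, "all") and s not in (fw, "all")})


def redundant_accept_rules(policies, rules):
    """ACCEPT rules already implied by an ACCEPT policy on the same zone pair,
    e.g. 'ACCEPT rem1 fw tcp 655' under 'rem1 fw ACCEPT' changes nothing."""
    accepted = {(s, d) for s, d, p in policies if p == "ACCEPT"}
    return [r for r in rules if r[0] == "ACCEPT"
            and ((r[1], r[2]) in accepted or (r[1], "all") in accepted)]


def mergeable_zones(policies, rules):
    """Groups of zones whose full policy+rule footprint (as source and as
    destination) is identical; each group could be one zone on one interface."""
    footprint = defaultdict(set)
    for s, d, p in policies:
        if s != "all":
            footprint[s].add(("pol-from", d, p))
        if d != "all":
            footprint[d].add(("pol-to", s, p))
    for a, s, d, proto, port in rules:
        footprint[s].add(("rule-from", a, d, proto, port))
        footprint[d].add(("rule-to", a, s, proto, port))
    groups = defaultdict(list)
    for zone, fp in footprint.items():
        groups[frozenset(fp)].append(zone)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def lint(policy_text, rules_text):
    """Run all three checks and return their findings in one dict."""
    pol, rul = parse_policy(policy_text), parse_rules(rules_text)
    return {"open_to_fw": open_to_firewall(pol),
            "redundant_rules": redundant_accept_rules(pol, rul),
            "mergeable": mergeable_zones(pol, rul)}


if __name__ == "__main__":
    for label, p, r in (("before", POLICY_BEFORE, RULES_BEFORE),
                        ("after", POLICY_AFTER, RULES_AFTER)):
        print(label, lint(p, r))
```

On the "before" layout the lint reports rem1..rem3 as open to the firewall, all three port-655 rules as redundant, and rem1..rem3 as one mergeable group; on the "after" layout it reports only `loc` as open to the firewall and finds nothing redundant or mergeable.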