I'm attempting to set up Shorewall on an Intranet server, which has a
single interface.  I thought I understood this all correctly, but
since I'm getting an error on shorewall restart, I'm evidently
mucking something up.  Also, I apologize in advance for what must
seem an elementary question.  But I'm trying to learn this while way
away from home and have extremely limited internet access at the
moment.
My server is running Mandriva Linux, with shorewall 2.0.17...
What I'm looking to do is allow all access from my local network, but
disallow all access from outside my local network.  External networks
have access to my LAN, however the entire enterprise is behind a
perimeter firewall.  So the Internet at large does not have access.
As I understand things, I should have to set my zones file to have a
net and a loc zone.  Then in interfaces I should have to set loc and
net to eth0, since they both use the single interface on the machine.
I get an error regarding duplicate interfaces though.  The system has
to be able to access the Internet, just not allow higher level
network access to it.
/etc/shorewall/interfaces
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net     eth0    detect
loc     eth0    detect
/etc/shorewall/policy
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
#
# THE FOLLOWING POLICY MUST BE LAST
#
loc     net     ACCEPT
loc     fw      ACCEPT
fw      loc     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/rules
######################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE          ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)         DEST         LIMIT           GROUP
ACCEPT  loc     fw      tcp     80,443,22,25,10000      -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I've read The Standalone Firewall documentation, Shorewall Setup
Guide, as well as the Shorewall 2.x reference.  But evidently I'm still
missing something.  To me, the way I have things configured right now
makes sense.  Can someone help me out here though and point me in the
right direction?
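For comparison, here is the same single-interface layout written the way Shorewall expects it: eth0 appears only once in /etc/shorewall/interfaces (as net) and the loc zone is carved out of that interface in /etc/shorewall/hosts. This is an added example, not the poster's config or the Shorewall project's own text; 192.168.1.0/24 is a placeholder for the real LAN subnet, and the zone ordering comment is an assumption to be checked against the 2.x nested-zones documentation.

```conf
# /etc/shorewall/zones
# Assumption: with overlapping zones in 2.x, the narrower zone (loc) is
# listed before the zone that contains it (net) so it is matched first.
#ZONE   DISPLAY         COMMENTS
loc     Local           Local network (subset of eth0)
net     Net             Everything else reachable through eth0

# /etc/shorewall/interfaces
# Each interface may be listed only once; assigning eth0 to both net and
# loc here is what produces the "duplicate interface" error.
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect

# /etc/shorewall/hosts
# The LAN is defined as a zone on the same interface, restricted by subnet.
# 192.168.1.0/24 is a placeholder; use the real LAN range.
#ZONE   HOST(S)                         OPTIONS
loc     eth0:192.168.1.0/24

# /etc/shorewall/policy  (same intent as the posted policy: LAN and the
# firewall itself talk freely, the firewall may reach out, everything
# arriving from outside the LAN is dropped and logged)
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
loc             fw              ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

With loc -> fw already ACCEPT in policy, the explicit port rule in /etc/shorewall/rules is redundant; it only becomes meaningful if that policy is tightened to DROP or REJECT later.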