Hey gang,

So I'm busy setting up new servers here. Our previous web servers were Apple XServes, but our new boxes are Opteron Linux beasts, and so I discovered Shorewall as an interesting alternative to Mac OS X's ipfw. The prospect of directly writing iptables rules was terrifying - I was delighted to find Shorewall.

In my old Mac OS X Server world I used Apple's GUI admin tool to set up a bunch of rules that got interpreted for ipfw's consumption. You could set up lists of addresses to which certain rules applied. Anyway, I digress.

What I'd like to achieve in Shorewall is to have a set of rules for the whole public 'net. I'd also like to have a set of rules for a list of company IP addresses - a subset of the public 'net. So I read the docs and tried to set this up, using a zone for "net" and another for "company" - the idea being that "company" is a zone within "net". Unfortunately I haven't managed to get this to work as I'd like - to get it to work I have to duplicate "net" rules for "company". This seems kind of redundant to me. It seems to me that I shouldn't have to make these duplicates - that I must be doing something wrong.

Anyway, here's my config for Shorewall 3.0.5:

zones:
    fw      firewall
    company ipv4
    net     ipv4

interfaces:
    net     eth1    -       nosmurfs

hosts:
    company eth1:192.168.254.0/24

policy:
    company $FW     REJECT
    all     company CONTINUE
    $FW     net     ACCEPT
    net     all     DROP    info
    # The FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  info

rules:
    SSH/ACCEPT      net     $FW
    Webmin/ACCEPT   company $FW

This rule set is obviously slightly simplified. With this set-up I can access Webmin from a company computer (but not a computer on the general 'net), but I don't get SSH access on the same computer.

Any hints?

Cheers,

Steve

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Thursday 23 March 2006 08:06, Steve Sims wrote:

> Hey gang,
>
> So I'm busy setting up new servers here. Our previous web servers
> were Apple XServes, but our new boxes are Opteron Linux beasts, and
> so I discovered Shorewall as an interesting alternative to Mac OS X's
> ipfw. The prospect of directly writing iptables rules was
> terrifying - I was delighted to find Shorewall.
>
> In my old Mac OS X Server world I used Apple's GUI admin tool to set
> up a bunch of rules that got interpreted for ipfw's consumption. You
> could set up lists of addresses to which certain rules applied.
> Anyway, I digress.
>
> What I'd like to achieve in Shorewall is to have a set of rules for
> the whole public 'net. I'd also like to have a set of rules for a
> list of company IP addresses - a subset of the public 'net. So I
> read the docs and tried to set this up, using a zone for "net" and
> another for "company" - the idea being that "company" is a zone
> within "net". Unfortunately I haven't managed to get this to work as
> I'd like - to get it to work I have to duplicate "net" rules for
> "company". This seems kind of redundant to me.

It is -- but if you add this policy:

    company all CONTINUE

(and be sure to make "company" a subnet of "net" in /etc/shorewall/zones), then after passing through the "company"-specific rules, connection requests from "company" will pass through the "net" rules.

You can do the same thing for traffic *to* company, if you choose:

    all company CONTINUE

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks for the reply.

On 23 Mar 2006, at 18:24, Tom Eastep wrote:

> On Thursday 23 March 2006 08:06, Steve Sims wrote:
>> What I'd like to achieve in Shorewall is to have a set of rules for
>> the whole public 'net. I'd also like to have a set of rules for a
>> list of company IP addresses - a subset of the public 'net. So I
>> read the docs and tried to set this up, using a zone for "net" and
>> another for "company" - the idea being that "company" is a zone
>> within "net". Unfortunately I haven't managed to get this to work as
>> I'd like - to get it to work I have to duplicate "net" rules for
>> "company". This seems kind of redundant to me.
>
> It is -- but if you add this policy:
>
>     company all CONTINUE
>
> (and be sure to make "company" a subnet of "net" in /etc/shorewall/
> zones),
> then after passing through the "company"-specific rules, connection
> requests
> from "company" will pass through the "net" rules.
>
> You can do the same thing traffic *to* company, if you choose:
>
>     all company CONTINUE

Cool stuff. I think it's working now. So what I've ended up with is a "policy" file like this:

    all     company CONTINUE
    company all     CONTINUE
    $FW     net     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

and my "zones" file is like so:

    fw      firewall
    company ipv4
    net     ipv4

This seems to do the trick - although I'll need to test it out a bit more before I'm really convinced. :-)

It's a relief to be able to sort this out - I was talking this over with a friend last night who it turns out is a bit of an expert at hand-coding iptables rules who was advocating that I do the same. Easy for him to say - he's been tweaking iptables rules for years, using them to do all sorts of fangled stuff like load-balancing, and knows them inside out so he thinks it's all really easy. The prospect of hand-coding the lot really wasn't attractive to me.

The big challenge left now is securing NFS. What joy. :-)

Thanks for the help!
Steve
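As an added illustration (not part of the thread, and not Shorewall's own code), here is a small Python model of the zone-pair evaluation Tom describes: a request is checked against the rules for its exact source/destination zone pair, then against that pair's policy, and a CONTINUE policy hands it on to the parent zone. It runs Steve's original policy file and the fixed one side by side. The public address 203.0.113.5 and the explicit nesting of company inside net are constructed assumptions for the example.

```python
# Toy model of Shorewall's per-zone-pair evaluation, added for illustration.
# A request is checked against the rules for its exact (source, dest) zone
# pair, then that pair's policy; CONTINUE hands it to the parent zone's rules.
import ipaddress

FW = "fw"  # stands in for $FW
# company (hosts: eth1:192.168.254.0/24) is assumed nested inside net (eth1).
ZONES = {"company": ("net", ipaddress.ip_network("192.168.254.0/24")),
         "net": (None, ipaddress.ip_network("0.0.0.0/0"))}

RULES = [("ACCEPT", "net", FW, 22),        # SSH/ACCEPT    net     $FW
         ("ACCEPT", "company", FW, 10000)]  # Webmin/ACCEPT company $FW

# Steve's first policy file: "company $FW REJECT" answers before net's rules run.
ORIGINAL_POLICY = [("company", FW, "REJECT"), ("all", "company", "CONTINUE"),
                   (FW, "net", "ACCEPT"), ("net", "all", "DROP"),
                   ("all", "all", "REJECT")]
# Tom's fix: CONTINUE out of company, so unmatched requests fall through to net.
FIXED_POLICY = [("all", "company", "CONTINUE"), ("company", "all", "CONTINUE"),
                (FW, "net", "ACCEPT"), ("net", "all", "DROP"),
                ("all", "all", "REJECT")]

def zone_of(ip):
    """Most specific zone holding ip (company is listed before its parent)."""
    addr = ipaddress.ip_address(ip)
    return next(name for name, (_p, net) in ZONES.items() if addr in net)

def policy_for(policies, src, dst):
    """First policy line whose SOURCE/DEST match the zone pair (or 'all')."""
    for psrc, pdst, action in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return "REJECT"

def evaluate(rules, policies, src_ip, dst, port):
    zone = zone_of(src_ip)
    while zone is not None:
        for action, rsrc, rdst, rport in rules:
            if rsrc == zone and rdst == dst and rport == port:
                return action
        action = policy_for(policies, zone, dst)
        if action != "CONTINUE":
            return action
        zone = ZONES[zone][0]  # CONTINUE: re-run with the parent zone
    return "REJECT"

if __name__ == "__main__":
    # 203.0.113.5 is a constructed host on the general 'net.
    for label, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for ip, port in (("192.168.254.10", 22), ("203.0.113.5", 10000)):
            print(label, ip, port, evaluate(RULES, pol, ip, FW, port))
```

With the original policy a company host reaches Webmin but its SSH request is rejected by "company $FW REJECT" before the net rules are consulted; with the CONTINUE policy the same request falls through to "SSH/ACCEPT net $FW".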