I have a zone set up as a WiFi access point and a DMZ. I'd like both of these zones to have unrestricted access to the internet ("net" zone), but not be able to directly access the actual FW zone it has to pass through to get to the net. Is this even possible?

I don't want any traffic from the WiFi AP to be able to see or touch anything on the rest of the internal network, only the internet. I have DNS running on the FW box for the LAN zone users, but I don't want DMZ or wifi users or traffic to be able to reach this.

Thank you
Tom Eastep
2006-Aug-08 20:57 UTC
Re: how to block all dmz traffic from fw but allow to net
Kinnaert wrote:
> I have a zone set up as a WiFi access point and a DMZ. I'd like both of
> these zones to have unrestricted access to the internet ("net" zone), but
> not be able to directly access the actual FW zone it has to pass
> through to get to the net. Is this even possible?

Of course.

> I don't want any traffic from the WiFi AP to be able to see or touch
> anything on the rest of the internal network, only the internet. I
> have DNS running on the FW box for the LAN zone users but I don't want
> DMZ or wifi users or traffic to be able to reach this.

So far you have described almost identically the default behavior of the three-interface sample configuration: http://www.shorewall.net/three-interface.htm. You need to add one rule for loc->fw DNS access and another rule for fw->net DNS access. The referenced document should give you everything you need.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I've already had a 3 interface setup running for months now. I just added a fourth zone/interface and want to lock it down to the point where I can use it as a public AP with no worries of anyone screwing around with the firewall itself. I have services on the fw zone such as squid and DNS running. I don't want the AP users to be able to even reach this.

You can currently reach services running on the fw zone, since you have to enable wifi > fw for wifi > net to work, or are you saying that you can have wifi > net without wifi > fw, or am I missing something here? Traffic won't go out to the net unless the wifi > fw policy is enabled.

Am I mistaken here? It doesn't seem possible to hide the firewall's presence from the dmz or wifi zone unless I had the entire firewall set up in bridge mode, correct?
Tom Eastep
2006-Aug-08 21:30 UTC
Re: how to block all dmz traffic from fw but allow to net
Kinnaert wrote:
> I've already had a 3 interface setup running for months now. I just
> added a fourth zone/interface and want to lock it down to the point
> where I can use it as a public AP with no worries of anyone screwing
> around with the firewall itself. I have services on the fw zone such
> as squid and DNS running. I don't want the AP users to be able to even
> reach this.
>
> You can currently reach services running on the fw zone, since you have
> to enable wifi > fw for wifi > net to work,

That is nonsense. You don't need wifi->fw for wifi->net to work.

> or are you saying that you can have wifi > net without wifi > fw

That's exactly what I'm saying.

> or am I missing something here? Traffic won't go out to the net unless
> the wifi > fw policy is enabled.
>
> Am I mistaken here? It doesn't seem possible to hide the firewall's
> presence from the dmz or wifi zone unless I had the entire firewall
> set up in bridge mode, correct?

I don't know what you mean by 'hide the firewall's presence', but you do not need to enable wifi->fw for wifi->net to work.

-Tom
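The configuration Tom is describing in his two replies above, written out as an added example (it is not code from the thread or from the Shorewall project): a four-zone policy in which wifi and dmz get an ACCEPT policy to net and nothing else, plus the two DNS rules for loc->fw and fw->net. Because forwarded wifi->net traffic never enters the fw zone, no wifi->fw policy is needed for it; wifi->fw simply falls through to the DROP line. The script writes the files into a directory you name and includes a small first-match lookup that mimics how Shorewall picks a policy, so the isolation can be checked without loading anything. Everything the thread does not state is an assumption here: the interface names eth0..eth3, the Shorewall 4.x macro spelling DNS(ACCEPT) (3.x releases wrote DNS/ACCEPT), squid listening on port 3128, and the AP and DMZ routers handing out their own DHCP leases rather than getting them from the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project. Writes a
# four-zone Shorewall config (net, loc, dmz, wifi + fw) where wifi and dmz may
# only reach net, then checks it with a first-match policy lookup.
# Assumed (not in the thread): eth0..eth3, Shorewall 4.x DNS(ACCEPT) syntax
# (3.x used DNS/ACCEPT), squid on 3128, AP/DMZ routers doing their own DHCP.
set -eu

# write_config DIR: emit zones, interfaces, policy and rules into DIR.
write_config() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
wifi    ipv4
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
wifi    eth3        detect      tcpflags,nosmurfs,routefilter
EOF

    # First matching line wins, so the catch-alls go last. There is
    # deliberately no wifi->fw or dmz->fw line: forwarded wifi->net traffic
    # never enters the fw zone. DROP (not REJECT) for the untrusted zones
    # avoids answering them with RST/unreachable.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
dmz     net     ACCEPT
wifi    net     ACCEPT
wifi    all     DROP    info
dmz     all     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    # Rules are consulted before policies. The two DNS lines are the
    # additions Tom refers to; the commented line is the one Kinnaert
    # decided not to add.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DEST_PORT
DNS(ACCEPT)     loc     $FW
DNS(ACCEPT)     $FW     net
ACCEPT          loc     $FW     tcp     3128
ACCEPT          $FW     net     icmp
ACCEPT          $FW     loc     icmp
#DNS(ACCEPT)    wifi    $FW
EOF
}

# policy_allows DIR SRC DST: emulate Shorewall's first-match lookup in
# DIR/policy (the rules file is not consulted). Exit 0 if it is ACCEPT.
policy_allows() {
    awk -v s="$2" -v d="$3" '
        BEGIN { rc = 1 }
        /^[[:space:]]*#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") {
            rc = ($3 == "ACCEPT") ? 0 : 1
            exit
        }
        END { exit rc }
    ' "$1/policy"
}

# check_isolation DIR: exit 0 only if wifi and dmz reach net and nothing else.
check_isolation() {
    for z in wifi dmz; do
        policy_allows "$1" "$z" net || return 1
        for peer in fw loc wifi dmz; do
            [ "$peer" = "$z" ] && continue
            if policy_allows "$1" "$z" "$peer"; then return 1; fi
        done
    done
    return 0
}

# Stand-alone use:  sh wifi-zone.sh /etc/shorewall   (then `shorewall restart`).
# With no argument only the functions are defined.
if [ "${1:-}" != "" ]; then
    write_config "$1"
    check_isolation "$1" || { echo "wifi/dmz are not isolated" >&2; exit 1; }
    if command -v shorewall >/dev/null 2>&1; then shorewall check "$1"; fi
fi
```

Two practical notes. First, the symptom Kinnaert runs into later in the thread follows directly from this policy: a client on the AP that is still pointed at the firewall's resolver will have its DNS queries dropped, so names stop resolving while connections to a numeric address still work; the AP's DHCP must hand out an upstream resolver, or the commented DNS(ACCEPT) wifi $FW line must be enabled. Second, DROP hides open-versus-closed from a scan of the firewall's wifi-side address, but it does not hide the host: the firewall still answers ARP as the default gateway and its interface address still appears as the first hop in a traceroute, which is all "hiding the firewall's presence" can reasonably mean on a routed (non-bridged) setup.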
OK, got it working. It was just a stupid mistake when I was testing it without the wifi > fw: I had the DNS configured wrong in my WiFi router; it was still trying to use the fw's DNS server. When I was testing I tried browsing to a web page or pinging an outside domain. I just tried again, but this time pinged a numeric IP directly and caught my mistake (kicking self). Everything works perfectly now.

I was thinking of making a rule to allow the DMZ and wifi zones access to the fw's DNS server, but I'm just going to be paranoid and use my ISP's DNS server instead.

Is there any way possible for a hacker to do anything to reach the fw box? Say for example a buffer overrun was found in the TCP/IP stack on the fw, or Linux netfilter, etc. It would be possible then to access the fw, right?

Oh, by the way, Tom, thank you for making Shorewall. I consider it the best Linux firewall app: very powerful, easy to configure. I love it.
Tom Eastep
2006-Aug-08 22:49 UTC
Re: how to block all dmz traffic from fw but allow to net
Kinnaert wrote:
> Is there any way possible for a hacker to do anything to reach the fw
> box? Say for example a buffer overrun was found in the TCP/IP stack on
> the fw, or Linux netfilter, etc. It would be possible then to
> access the fw, right?

Sure -- but if there are those kinds of vulnerabilities in the Linux TCP stack and/or in Netfilter then they are equally exploitable from the outside.

> Oh, by the way, Tom, thank you for making Shorewall. I consider it the
> best Linux firewall app: very powerful, easy to configure. I love it.

Thanks -- glad that it is working well for you.

-Tom