Hi, I'm a Shorewall novice. I want to set up a server at home, mostly to practise ahead of purchasing a hosted service. I have an old computer that I will use. It will sit behind my D-Link router, and the router will forward packets destined for an arbitrary large port number (as my ISP blocks ports < 1024) to the server computer. I have a spare NIC and thought that I could add that and use one NIC to receive incoming traffic and the other for local connections from my computer. The first NIC could then have a firewall set up to block all incoming traffic other than the special port number, while the other was unfirewalled so that it was easy to connect to. In practice though, both NICs will be connected to the same switch that all the computers are connected to. Is that a risky setup in itself; is it in fact redundant to use a firewall behind the router? Do I, and can I, prevent traffic from passing from one NIC to the other inside the computer?

HB

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Mon, 24 Sep 2007 20:30:34 +0200, hotbelgo@gmail.com said:

> In practise though both NICs will be connected to the same switch that
> all the computers are connected to.

Why? A more usual approach would be to connect the router to one NIC and to connect the other NIC to the switch.

> Is that a risky setup in itself; is it in fact redundant to use a
> firewall behind the router?

If it's a NAT-ing router, which it probably is, then to some extent it is redundant. However, you can have more fine-grained control on the firewall itself. For example, if you don't forward port 22 from the router to the firewall, no one will be able to access ssh (on the standard port). If you do forward it, you can control which IP addresses can access ssh by using Shorewall on the firewall.

> Do I, and can I, prevent traffic from passing from NIC to the other
> inside the computer?

Can you? Yes: Shorewall would typically have the Internet-facing NIC in zone "net" and the switch-facing NIC in zone "loc"; whether traffic flows between them is determined by Shorewall (the 'policy' and 'rules' files mainly). Should you? That's up to you. If you want systems connected to your switch to be able to access the Internet then you'd best allow traffic to flow from one NIC to the other ('loc' to 'net'). If you want to forward some incoming connections to systems other than your firewall then yes again.

Advice: set up the connections as specified above, then read the Shorewall Two Interface QuickStart guide. Tom's put a huge amount of effort into writing some of the best Open Source product documentation available anywhere. If you're going to use his software, the least you could do is read his documentation.

Keith
--
Keith Edmunds
+---------------------------------------------------------------------+
| Tiger Computing Ltd | Helping businesses make the most of Linux     |
| "The Linux Company" | http://www.tiger-computing.co.uk              |
+---------------------------------------------------------------------+
Hot Belgo wrote:

> In practise though both NICs will be connected to the same switch that
> all the computers are connected to.

If you want to get practice using Shorewall in a two-interface configuration, I strongly recommend that you not do that. Connect one interface to the router, the other to the switch, and reconfigure your local systems to use a different IP network (so that the Shorewall box's external and internal IP networks are not the same).

And if you want to get practice using Shorewall in a one-interface configuration (which is common in a hosted environment), then don't bother at all with the second NIC.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hiii!!! All :)

At the moment I have two NICs, lan and wan, but in the lan I have many servers via proxyarp. No special config for this, but DNS resolution fails some of the time. Does a best config for this case exist!?!

And how to convert "REDIRECT lan 53 tcp domain -" to DNS/REDIRECT !?!

Thx.
Rodrigo Cortes wrote:

> Hiii!!! All :)
>
> In this momment I have two nic, lan and wan, but in the lan have via
> proxyarp many server. None special config for this, but resolv dns failed
> some time. Best conf for this case exist!?!

Do you have any evidence whatsoever that this problem is caused by your Shorewall configuration?

> And howto convert REDIRECT lan 53 tcp domain - to
> DNS/REDIRECT !?!

Two things:

a) REDIRECT currently doesn't work with Macros under Shorewall-perl. I'll fix it for 4.0.4.

b) Why do you want to do that in the first place? TCP is rarely used for DNS name resolution, and the rule makes no sense for zone transfers (the other place where DNS uses TCP).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Well, no evidence; it is only a question about the conf. And the tcp is an error; it should be udp ^^
Tom Eastep wrote:

> a) REDIRECT currently doesn't work with Macros under Shorewall-perl. I'll
> fix it for 4.0.4.

The attached patch seems to correct the problem. Simply use this in your rules file:

DNS/REDIRECT lan

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi all!!!

I have one error with this macro when the rules say:

HTTP/REDIRECT lan:!exception !destination_exception

How to put this !?
Rodrigo Cortes wrote:

> Hi all!!!
>
> I have one error with this macros when rules say HTTP/REDIRECT
> lan:!exception !destination_exception
>
> How to put this !?

The destination exception must go in the ORIGINAL DEST column.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
But I don't understand T_T

Original rule:

REDIRECT lan:!exception_ip_lan 3328 tcp www - !exception_external_ip_or_another_net

Thx ^^

HTTP/REDIRECT lan:!exception_ip_lan !!??!!
Rodrigo Cortes wrote:

> But i dont understood T_T
>
> Original rules: REDIRECT lan:!exception_ip_lan 3328 tcp www
> - !exception_external_ip_or_another_net.

The original rule was nonsense then.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Rodrigo Cortes wrote:
>> But i dont understood T_T
>>
>> Original rules: REDIRECT lan:!exception_ip_lan 3328 tcp www
>> - !exception_external_ip_or_another_net.

Sorry -- I misread the folded rule; and I have no more time to mess with this until the weekend.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Tom Eastep wrote:
>> Rodrigo Cortes wrote:
>>> But i dont understood T_T
>>>
>>> Original rules: REDIRECT lan:!exception_ip_lan 3328 tcp www
>>> - !exception_external_ip_or_another_net.
>
> Sorry -- I misread the folded rule; and I have no more time to mess with
> this until the weekend.

But the following rule works for me:

HTTP/REDIRECT loc:!192.168.2.0/24 3128 - - - !206.124.146.177

So if you are having problems, please show the output of:

shorewall trace check

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
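To make the column placement in Tom's answer concrete, here is a small added checker (my own example, not Shorewall's code) that splits a REDIRECT rule into the seven rules-file columns the thread uses and flags an exclusion written in DEST instead of ORIGINAL DEST. It assumes the layout ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, and treats '-' in DEST as acceptable, as in Tom's `DNS/REDIRECT lan`.

```python
"""Column checker for Shorewall REDIRECT rules (added example, not Shorewall code).

Assumed layout (columns beyond ORIGDEST are out of scope here):
  ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
A "!" exclusion on the client side belongs in SOURCE (zone:!hosts) and an
exclusion on the server side belongs in ORIGINAL DEST (column 7); for
REDIRECT, DEST holds only the local port the connection is redirected to.
"""
from dataclasses import dataclass

COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST")


@dataclass
class RedirectRule:
    action: str        # "REDIRECT" or "<MACRO>/REDIRECT"
    source_zone: str
    source_hosts: str  # "-" for the whole zone; may start with "!"
    dest_port: str     # local port, or "-" (macro/original port)
    proto: str
    dport: str
    sport: str
    origdest: str      # may start with "!" to exclude a server address


def columns(line: str) -> dict:
    """Split a rules line into named columns; missing trailing columns are '-'."""
    cols = line.split()
    if len(cols) > len(COLUMNS):
        raise ValueError(f"more than {len(COLUMNS)} columns: {line!r}")
    cols += ["-"] * (len(COLUMNS) - len(cols))
    return dict(zip(COLUMNS, cols))


def parse_rule(line: str) -> RedirectRule:
    c = columns(line)
    if not (c["ACTION"] == "REDIRECT" or c["ACTION"].endswith("/REDIRECT")):
        raise ValueError(f"not a REDIRECT rule: {c['ACTION']}")
    zone, _, hosts = c["SOURCE"].partition(":")
    return RedirectRule(c["ACTION"], zone, hosts or "-", c["DEST"],
                        c["PROTO"], c["DPORT"], c["SPORT"], c["ORIGDEST"])


def check_rule(line: str) -> list:
    """Return a list of problems; an empty list means the columns are placed sensibly."""
    try:
        r = parse_rule(line)
    except ValueError as e:
        return [str(e)]
    problems = []
    if r.dest_port.startswith("!"):
        problems.append("exclusion in DEST: move it to ORIGINAL DEST (column 7)")
    elif r.dest_port != "-" and not r.dest_port.isdigit():
        problems.append(f"DEST must be a port number or '-', got {r.dest_port!r}")
    if r.action != "REDIRECT" and (r.proto, r.dport) != ("-", "-"):
        problems.append("macro supplies PROTO/DPORT; leave columns 4 and 5 as '-'")
    if r.action == "REDIRECT" and r.proto == "-":
        problems.append("plain REDIRECT needs PROTO (and usually DPORT)")
    return problems
```

Running `check_rule` over Tom's working rule returns no problems, while Rodrigo's `HTTP/REDIRECT lan:!exception !destination_exception` is flagged because the exclusion landed in DEST.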
Thx !!! works ^^