Robert Lindgren wrote:
>
> I'd like some guidelines for setting up slightly stricter rules than
> in the default zones in the three-interface example, and having used
> other firewalls before I have some questions about what the best way
> of setting things up is.
>
> Example: I want ntp from a group of internal servers to be able to access
> ntp on two servers in a dmz, and nothing else.
>
> I have configured shorewall like this:
>
> Interfaces:
> - eth0 detect
> - eth1 detect
>
> Zones:
> dmz ipv4
> serv1:dmz ipv4
> loc ipv4
> serv2:loc ipv4
>
> Hosts:
> net eth0:192.168.1.0/24
> serv1 eth0:192.168.1.1,192.168.1.2
> loc eth1:192.168.2.0/24
> serv2 eth1:192.168.2.1,192.168.2.2
>
> Rules:
> NTP/ACCEPT serv2 serv1
>
> This works as expected, but is this the way to do it? Doing the config
> this way will create loads of zones. But I can't figure out any other
> way, so can someone enlighten me as to whether I'm on the right track or not
> :)
>
> I use shorewall 3.4.4.
I would qualify the SOURCE and DEST in /etc/shorewall/rules rather than
create 1000s of zones.
/etc/shorewall/interfaces:
net eth0 ...
loc eth1 ...
/etc/shorewall/rules:
NTP/ACCEPT loc:192.168.3.2,192.168.2.2 net:192.168.1.1,192.168.1.2
You can use shell variables in place of the individual addresses to make
writing the rules easier (see
http://www.shorewall.net/configuration_file_basics.html#Variables).
/etc/shorewall/params
SERV1=192.168.1.1,192.168.1.2
SERV2=192.168.2.1,192.168.2.2
/etc/shorewall/rules:
NTP/ACCEPT loc:$SERV2 net:$SERV1
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
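The params/rules variable mechanism Tom describes, as an added example that is not from the thread or from Shorewall itself: a POSIX sh function that expands $NAME references in a rules line from a params file and rejects any line that references a name the params file does not define, so a misspelled variable cannot quietly become an empty address list. The params file and rule lines are constructed inline; the real files live in /etc/shorewall/params and /etc/shorewall/rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Expand $NAME references in a Shorewall-style rules line from a params
# file, refusing lines that use a name the params file does not define.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed params file, same shape as /etc/shorewall/params in the reply.
cat > "$WORK/params" <<'EOF'
SERV1=192.168.1.1,192.168.1.2
SERV2=192.168.2.1,192.168.2.2
EOF

# expand_rule PARAMS_FILE RULE_LINE
# Prints RULE_LINE with each $NAME replaced by its value from PARAMS_FILE.
# Returns 1 and prints nothing if any $NAME is not defined there, so a typo
# such as $SERV3 is caught instead of expanding to an empty string.
expand_rule() {
    params=$1
    line=$2
    # Collect the names referenced in the rule: "$SERV1" -> "SERV1".
    names=$(printf '%s\n' "$line" | tr -c 'A-Za-z0-9_$' '\n' \
            | sed -n 's/^\$\([A-Za-z_][A-Za-z0-9_]*\)$/\1/p')
    for n in $names; do
        grep -q "^$n=" "$params" || return 1
    done
    # Source the params in a subshell with -u (undefined name is fatal there
    # too) and let the shell perform the same expansion Shorewall relies on.
    (
        set -u
        . "$params"
        eval "printf '%s\n' \"$line\""
    )
}

# Stand-alone demonstration: the rule from the reply, expanded.
expand_rule "$WORK/params" 'NTP/ACCEPT loc:$SERV2 net:$SERV1'
```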