Hi,

Is there any way I can allow my internal server to bypass the firewall and have direct connection? I usually do it using this rule:

    # Allow this IP to have direct connection
    iptables -A FORWARD -i eth0 -d 192.168.1.100/24 -j ACCEPT
    iptables -A FORWARD -i eth1 -s 192.168.1.100/24 -j ACCEPT

How can I convert it to fit shorewall rules?

TIA

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
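As an added example (not part of the post above or of Shorewall), this POSIX shell snippet shows what the `-d 192.168.1.100/24` match in the rule above actually covers: iptables ANDs the address with the /24 mask, so the host bits are discarded and the rule admits every host in 192.168.1.0/24, not just the one server. The helper names (`cidr_network`, `ip_in_cidr`) and the sample hosts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): what "-d 192.168.1.100/24" matches.
# iptables ANDs the address with the prefix mask, so the host bits are
# ignored and the rule covers every host in 192.168.1.0/24.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length 0..32, as an integer.
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# The network a CIDR match really selects: 192.168.1.100/24 -> 192.168.1.0/24.
cidr_network() {
    _ip=${1%/*}; _len=${1#*/}
    _net=$(( $(ip_to_int "$_ip") & $(prefix_mask "$_len") ))
    echo "$(int_to_ip "$_net")/$_len"
}

# Exit 0 if host $1 would match CIDR $2 under iptables -s/-d semantics.
ip_in_cidr() {
    _ip=${2%/*}; _len=${2#*/}
    _m=$(prefix_mask "$_len")
    [ $(( $(ip_to_int "$1") & $_m )) -eq $(( $(ip_to_int "$_ip") & $_m )) ]
}

# The rule from the post, as iptables reads it (sample hosts are constructed):
echo "192.168.1.100/24 is really $(cidr_network 192.168.1.100/24)"
for h in 192.168.1.37 192.168.2.5; do
    if ip_in_cidr "$h" 192.168.1.100/24; then
        echo "$h: allowed by the /24 rule"
    else
        echo "$h: not matched"
    fi
done
echo "Single host needs a /32: $(cidr_network 192.168.1.100/32)"
```

To limit an ACCEPT to one server, write the host with a /32 (or with no prefix at all) rather than /24.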
Rhon wrote:
> Hi,
>
> Is there any way I can allow my internal server to bypass the firewall
> and have direct connection? I usually do it using this rule:

You are not "bypassing the firewall"; you are configuring your firewall to allow certain traffic.

> # Allow this IP to have direct connection
> iptables -A FORWARD -i eth0 -d 192.168.1.100/24 -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.1.100/24 -j ACCEPT
>
> How can I convert it to fit shorewall rules?

There is no way to directly convert those rules without more information about your setup. When using Shorewall, you must describe your firewall in Shorewall terms (zones, policies and rules) rather than in raw iptables terms (interfaces and networks).

So if you will tell us about your network topology and Shorewall configuration, we can then advise you how to configure Shorewall to obtain similar results.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks for your reply. Here's some of the details of my firewall

/etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect
    net     eth1        detect
    loc     eth2        detect      dhcp

/etc/shorewall/zones

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    loc     ipv4
    net     ipv4

/etc/shorewall/policy

    ###############################################################################
    #SOURCE DEST    POLICY  LOG     LIMIT:BURST
    #                       LEVEL
    $FW     net     ACCEPT
    loc     net     ACCEPT
    loc     fw      ACCEPT
    net     all     DROP    info
    #THIS LINE MUST BE LAST
    all     all     REJECT  info

I want to allow one host to have direct connection to the Internet. How can I possibly do this?

TIA
rhon

On Tue, Apr 1, 2008 at 1:50 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Rhon wrote:
> > Hi,
> >
> > Is there any way I can allow my internal server to bypass the firewall
> > and have direct connection? I usually do it using this rule:
>
> You are not "bypassing the firewall"; you are configuring your firewall to
> allow certain traffic.
>
> > # Allow this IP to have direct connection
> > iptables -A FORWARD -i eth0 -d 192.168.1.100/24 -j ACCEPT
> > iptables -A FORWARD -i eth1 -s 192.168.1.100/24 -j ACCEPT
> >
> > How can I convert it to fit shorewall rules?
>
> There is no way to directly convert those rules without more information
> about your setup. When using Shorewall, you must describe your firewall in
> Shorewall terms (zones, policies and rules) rather than in raw iptables
> terms (interfaces and networks).
>
> So if you will tell us about your network topology and Shorewall
> configuration, we can then advise you how to configure Shorewall to obtain
> similar results.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Rhon wrote:
> Hi Tom,
>
> Thanks for your reply. Here's some of the details of my firewall
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect
> net     eth1        detect
> ...
> /etc/shorewall/policy
> #SOURCE DEST    POLICY  LOG     LIMIT:BURST
> #                       LEVEL
> ...
> net     all     DROP    info
> ...
> I want to allow one host to have direct connection to the Internet. How
> can I possibly do this?

Based on what you've described, your firewall should already be allowing this traffic, since eth0 & eth1 are in the same zone (net). If I remember correctly there's no restriction on intra-zone traffic, no matter what the policies are.

Paul
On Tue, Apr 1, 2008 at 6:54 PM, Paul Gear <paul@gear.dyndns.org> wrote:
>
> Based on what you've described, your firewall should already be allowing
> this traffic, since eth0 & eth1 are in the same zone (net). If I
> remember correctly there's no restriction on intra-zone traffic, no
> matter what the policies are.
>
> Paul

Is it possible to allow only 192.168.1.100 to have direct access to the internet and REDIRECT all traffic bound to Port 80 to my Squid Proxy server? What I wanted to do is make an exemption to a particular host IP.

Thanks a lot.
Rhon wrote:
> On Tue, Apr 1, 2008 at 6:54 PM, Paul Gear <paul@gear.dyndns.org> wrote:
>
>     Based on what you've described, your firewall should already be allowing
>     this traffic, since eth0 & eth1 are in the same zone (net). If I
>     remember correctly there's no restriction on intra-zone traffic, no
>     matter what the policies are.
>
>     Paul
>
> Is it possible to allow only 192.168.1.100 to
> have direct access to the internet and REDIRECT all traffic bound to
> Port 80 to my Squid Proxy server? What I wanted to do is make an
> exemption to a particular host IP.

Assuming that Squid listens on port 3128:

    REDIRECT    loc:!192.168.1.100    3128    tcp    80

-Tom