Hi there, not sure of the protocol, but I am looking for a config check to see if ok.

Net info
------------
/28 address range
External, DMZ, Local network and OpenVPN.
DHCP on VPN and Local

I have attached config I have written up. Can I request a peer review?
Happy for the configs to enter public domain once debugged/complete (if of use)

tia
W

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
William Hamilton wrote:
> Hi there, not sure of the protocol, but I am looking for a config check to
> see if ok.
>
> Net info
> ------------
> /28 address range
> External, DMZ, Local network and OpenVPN.
> DHCP on VPN and Local
>
> I have attached config I have written up. Can I request a peer review?
> Happy for the configs to enter public domain once debugged/complete (if
> of use)

I don't know what your definition of 'ok' is because I don't know what you want to allow or disallow. So I can only assume that what you have here is exactly what you intend.

One thing that worries me is this comment in your rules file:

    # Allow ping checks, and other useful ICMP (eg, redirects)

You then invoke the AllowICMPs action with ACCEPT. Three problems:

a) The AllowICMPs macro only allows those ICMP requests that are required for correct operation of a router; namely fragmentation-needed and time-exceeded. It allows neither echo-request (Ping) nor Redirect.

b) AllowICMPs is not a parameterized macro so the "/ACCEPT" is superfluous.

c) The Default Actions for both the DROP and REJECT policies invoke AllowICMPs; so there is never any point in invoking that macro in /etc/shorewall/rules unless you have a following DROP or REJECT rule for ICMP.

You have incorrectly specified the server port in your ACCEPT rules. Example:

    ACCEPT  loc  dmz:$IGN_FUSION:3306  tcp  3306  #mySQL

A 'shorewall check' will flag that as an error (assuming that you are running Shorewall-perl; if you aren't running Shorewall-perl, you should be -- see http://www.shorewall.net/Notices.html#Shell-EOL).

'shorewall check' will also issue a warning for the following rule, rightly claiming that it is a policy and should be specified in the policy file:

    ACCEPT  ovpn  loc

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
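The three rules-file problems Tom lists above are mechanical enough to check for. The script below is an added example (not Shorewall's own 'shorewall check', and not the poster's configuration): it encodes just those three points against the column layout of /etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT(S) ...) and runs them over constructed sample lines modelled on the ones quoted in the thread. The corrected sample at the end, including the Ping/ACCEPT line that stands in for the intended ping rule (Shorewall ships a Ping macro; that line is my suggestion, not from the thread), and the address placeholders are my assumptions.

```python
import re

# Added example: a small checker for the three rules-file mistakes discussed in
# the thread. It is NOT Shorewall's own 'shorewall check'; it only encodes the
# points Tom made, using the column layout of /etc/shorewall/rules:
#   ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S) ...

# Only these actions may carry ":port" in the DEST column (it is the port to
# translate to); for ACCEPT the server port belongs in DEST PORT(S).
PORT_IN_DEST_ALLOWED = {"DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}

# zone:address:port (IPv4 form; IPv6 addresses would need [] and are not handled)
ZONE_ADDR_PORT = re.compile(r"^[^:\s]+:[^:\s]+:\d+$")


def check_rule(line):
    """Return a list of problems found in a single rules-file line."""
    text = line.split("#", 1)[0].strip()      # drop comments and blank lines
    if not text:
        return []
    cols = text.split()
    action, param = (cols[0].split("/", 1) + [None])[:2]
    problems = []

    # (b) AllowICMPs is not parameterized, so "/ACCEPT" is meaningless
    if action == "AllowICMPs" and param is not None:
        problems.append("AllowICMPs takes no parameter; '/%s' is superfluous" % param)

    # the MySQL example: port in the DEST column of an ACCEPT rule
    if len(cols) >= 3 and action not in PORT_IN_DEST_ALLOWED \
            and ZONE_ADDR_PORT.match(cols[2]):
        problems.append("server port given in DEST column; move it to DEST PORT(S)")

    # "ACCEPT ovpn loc": bare zone to bare zone with no PROTO is a policy
    if action in {"ACCEPT", "DROP", "REJECT"} and len(cols) == 3 \
            and ":" not in cols[1] and ":" not in cols[2]:
        problems.append("zone-to-zone rule with no PROTO is really a policy; "
                        "put it in /etc/shorewall/policy")
    return problems


def check_rules(rules_text):
    """Map each offending line (stripped) to its problems; clean lines are omitted."""
    report = {}
    for line in rules_text.splitlines():
        found = check_rule(line)
        if found:
            report[line.strip()] = found
    return report


# Constructed sample mirroring the rules Tom quoted ($IGN_FUSION is a placeholder).
BEFORE = """
# Allow ping checks, and other useful ICMP (eg, redirects)
AllowICMPs/ACCEPT  net  $FW
ACCEPT  loc   dmz:$IGN_FUSION:3306  tcp  3306   #mySQL
ACCEPT  ovpn  loc
"""

# The same intent written so that none of the three checks fire: ping is allowed
# explicitly (AllowICMPs never covers echo-request), the port moves to DEST
# PORT(S), and the ovpn->loc ACCEPT becomes an entry in /etc/shorewall/policy.
AFTER = """
Ping/ACCEPT  net  $FW
ACCEPT  loc   dmz:$IGN_FUSION  tcp  3306   #mySQL
"""
AFTER_POLICY = """
#SOURCE  DEST  POLICY
ovpn     loc   ACCEPT
"""

if __name__ == "__main__":
    for line, problems in check_rules(BEFORE).items():
        print(line, "->", "; ".join(problems))
    print("corrected rules:", check_rules(AFTER) or "no problems")
```

Run it as-is to see each of the three sample lines reported with the matching complaint and the corrected fragment pass clean; on a real installation the authoritative check is still 'shorewall check', which the script only imitates for these three cases.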
2009/10/2 Tom Eastep <teastep@shorewall.net>
> William Hamilton wrote:
> > Hi there, not sure of the protocol, but I am looking for a config check to
> > see if ok.
> >
> > Net info
> > ------------
> > /28 address range
> > External, DMZ, Local network and OpenVPN.
> > DHCP on VPN and Local
> >
> > I have attached config I have written up. Can I request a peer review?
> > Happy for the configs to enter public domain once debugged/complete (if
> > of use)
>
> I don't know what your definition of 'ok' is because I don't know what
> you want to allow or disallow. So I can only assume that what you have
> here is exactly what you intend.
>
> One thing that worries me is this comment in your rules file:
>
> # Allow ping checks, and other useful ICMP (eg, redirects)
>
> You then invoke the AllowICMPs action with ACCEPT. Three problems:
>
> a) The AllowICMPs macro only allows those ICMP requests that are
> required for correct operation of a router; namely
> fragmentation-needed and time-exceeded. It allows neither
> echo-request (Ping) nor Redirect.
>
> b) AllowICMPs is not a parameterized macro so the "/ACCEPT" is
> superfluous.
>
> c) The Default Actions for both the DROP and REJECT policies invoke
> AllowICMPs; so there is never any point in invoking that macro in
> /etc/shorewall/rules unless you have a following DROP or REJECT rule
> for ICMP.
>
> You have incorrectly specified the server port in your ACCEPT rules.
> Example:
>
> ACCEPT  loc  dmz:$IGN_FUSION:3306  tcp  3306  #mySQL
>
> A 'shorewall check' will flag that as an error (assuming that you are
> running Shorewall-perl; if you aren't running Shorewall-perl, you should
> be -- see http://www.shorewall.net/Notices.html#Shell-EOL).
>
> 'shorewall check' will also issue a warning for the following rule,
> rightly claiming that it is a policy and should be specified in the
> policy file:
>
> ACCEPT  ovpn  loc
>
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________

Excellent, thanks for that Tom. I made the suggested changes and have now started using shorewall-perl too. Installing the firewall now and bits over the weekend. DMZ works fine, which is good, but internal traffic does not get out at this stage. Will debug some more and come back with update. Once scripts working I will put up on here and sample if people would like.

W
William Hamilton wrote:
> Will debug some more and come back with update. Once scripts working I
> will put up on here and sample if people would like.

One more thing; you are inconsistent in your use of variables to specify interfaces; you use them in /etc/shorewall/interfaces but not in /etc/shorewall/proxyarp.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________