Marco Salimu
2009-Nov-25 06:15 UTC
Re: Ref: Block local net to access internet but access DMZ webserver
Hi Tom and others,

Hope this mail finds you ok.
Thanks for all the help you have provided to me; it has been working well.

On this issue, I have not yet succeeded in blocking the local net from
accessing the internet while it continues to access the DMZ.

I think the main reason is that the local net is getting internet through
the proxy server on the firewall server, so if I block the local net,
Shorewall does not see the local net accessing the internet but rather the
firewall itself.

Please help.

> Good point Tom, Thanks
>
> On 10/18/09, Tom Eastep <teastep@shorewall.net> wrote:
>> Red Baron wrote:
>>> Without your configs, this won't be exact, but assuming your zones are
>>> named as you said, add this to your rules
>>>
>>> DROP local:<host ip> net
>>
>> It is a bit friendlier to your users to use REJECT rather than DROP for
>> outgoing rules.
>>
>> -Tom
>> --
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,        \ died peacefully in his sleep. Not screaming like
>> Washington, USA   \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> --
> Sent from my mobile device

--
with rgds
Marco Salimu
IT Manager
[ P.o. Box 1546]
Mob: +255 784 370294 | +255 715 370294
Tel: +255 27 8218 | Fax: +255 27 8273
Email:
marco@seda.or.tz | smarcos2001@yahoo.com
smarcos2001@hotmail.com | marco_salim@wvi.org
Marco.magnus@gmail.com
Tom Eastep
2009-Nov-25 15:53 UTC
Re: Ref: Block local net to access internet but access DMZ webserver
Marco Salimu wrote:
> Hi Tom and others
> Hope this mail finds you ok
> Thanks for all the help you have provided to me; it has been working well.
>
> On this issue, I have not yet succeeded in blocking the local net from
> accessing the internet while it continues to access the DMZ.
>
> I think the main reason is that the local net is getting internet through
> the proxy server on the firewall server, so if I block the local net,
> Shorewall does not see the local net accessing the internet but rather the
> firewall itself.

Change the loc->net policy to REJECT and add a log level to the LOG LEVEL
column in /etc/shorewall/policy. Example:

	REJECT	loc	net	info

Note that you may have to add a rule or two to get that to work. For
example, you might have to add:

	DNS(ACCEPT)	loc	net

so that your local hosts can resolve DNS names.

And if that doesn't do what you want, please follow the instructions at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,        \ died peacefully in his sleep. Not screaming like
Washington, USA   \ all of the passengers in his car
http://shorewall.net \________________________________________________
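
The setup discussed in this thread, written out as the two Shorewall files in their column layout (policy columns are SOURCE, DEST, POLICY, LOG LEVEL). This is an added example, not part of either message: the `dmz` zone name, the catch-all policy lines, the `Web(ACCEPT)` rule and a proxy listening on tcp 3128 on the firewall are assumptions.

```conf
# /etc/shorewall/policy
# The first matching line is used, so loc->net must stay above the
# catch-all lines (the two catch-alls below are assumed, not from the thread).
#SOURCE   DEST   POLICY   LOG LEVEL
# before (assumed): loc  net  ACCEPT   -> local hosts may open any
#                   connection to the internet
loc       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION        SOURCE   DEST   PROTO   DEST PORT(S)
# Exception named in the reply: local hosts can still resolve DNS names.
DNS(ACCEPT)    loc      net
# Assumed zone name "dmz": local hosts keep HTTP/HTTPS access to the
# DMZ web server even though loc->dmz falls through to "all all REJECT".
Web(ACCEPT)    loc      dmz
# Assumption: an explicit proxy runs on the firewall on tcp 3128.
# Connections the proxy makes are $FW->net traffic, which the loc->net
# policy never matches, so access to the proxy itself is refused here.
REJECT         loc      $FW    tcp     3128
```

Validate with `shorewall check` before applying with `shorewall restart`; rejected loc->net connections then appear in the log at the `info` level.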