Hi,

I have the following config files with Shorewall 4.08:

[root@localhost shorewall]# cat zones
fw      firewall
net     ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4

[root@localhost shorewall]# cat interfaces
net     eth0    detect  routefilter,tcpflags,logmartians,nosmurfs
corp    eth1    detect  tcpflags,nosmurfs
corp    eth4    detect  tcpflags,nosmurfs
dmz     eth2    detect  tcpflags,nosmurfs,routeback
kvm     eth3    detect  tcpflags,nosmurfs
road    tun+

[root@localhost shorewall]# cat rules
DNAT    net     dmz:172.18.222.130:443  tcp     443     -       45.124.144.12
DNAT    net     dmz:172.18.222.134:443  tcp     443     -       45.124.144.44

I need to only allow a list of IPs and subnets to 172.18.222.130. My OS does not support ipsets without patching, so I was going to create a sub zone of net called netok. Does this look sane?

zones
fw      firewall
net     ipv4
netok   ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4

interfaces
-       eth0    detect  routefilter,tcpflags,logmartians,nosmurfs
corp    eth1    detect  tcpflags,nosmurfs
corp    eth4    detect  tcpflags,nosmurfs
dmz     eth2    detect  tcpflags,nosmurfs,routeback
kvm     eth3    detect  tcpflags,nosmurfs
road    tun+

hosts
net     eth0
netok   eth0:122.55.62.0/24
netok   eth0:125.55.62.0/24
netok   eth0:152.55.62.0/24
netok   eth0:125.55.52.55

rules
DNAT    net     dmz:172.18.222.134:443  tcp     443     -       45.124.144.44
DNAT    netok   dmz:172.18.222.130:443  tcp     443     -       45.124.144.12

policy
net     netok   NONE
netok   net     NONE
...

Does anyone see a problem with this?

Thanks,
Pete

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
Pete wrote:
> I have the following config files with Shorewall 4.08:

There has never been a release called 4.08....

> Does anyone see a problem with this?

I presume that you used the Shorewall Whitelisting HOWTO
(http://www.shorewall.net/whitelisting_under_shorewall.htm) to prepare this configuration? If so, you may have missed the significance of the CONTINUE policies unless you have set IMPLICIT_CONTINUE=Yes.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks Tom!

Here is the version:
# shorewall version
4.0.8

Is it also ok to have just the following in the hosts for the net zone?
hosts
net     eth0

Thanks,
Pete

On Tue, Jan 5, 2010 at 5:54 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Pete wrote:
>
> > I have the following config files with Shorewall 4.08:
>
> There has never been a release called 4.08....
>
> > Does anyone see a problem with this?
>
> I presume that you used the Shorewall Whitelisting HOWTO
> (http://www.shorewall.net/whitelisting_under_shorewall.htm) to prepare
> this configuration? If so, you may have missed the significance of the
> CONTINUE policies unless you have set IMPLICIT_CONTINUE=Yes.
>
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Pete wrote:
> Thanks Tom!
>
> Here is the version:
> # shorewall version
> 4.0.8
>
> Is it also ok to have just the following in the hosts for the net zone?
> hosts
> net eth0

net     eth0:0.0.0.0/0

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
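Putting the thread together, the following is an added, editor-written example of the whitelist as a nested zone; it is not a configuration Pete or Tom posted and is not copied from the Whitelisting HOWTO. It keeps Pete's interface names, address lists and DNAT targets, uses Tom's eth0:0.0.0.0/0 host entry for net, declares netok as an explicit child of net with the zone:parent syntax, and adds the CONTINUE policy Tom points at so that netok traffic not matched by a netok rule falls through to the net rules. The net->all DROP and all->all REJECT lines are assumptions about the rest of the policy file, which the thread does not show.

```text
# /etc/shorewall/zones
# netok is declared as an explicit child of net (zone:parent syntax), so its
# rules are evaluated before net's and IMPLICIT_CONTINUE in shorewall.conf
# applies to it.
#ZONE       TYPE
fw          firewall
net         ipv4
netok:net   ipv4
corp        ipv4
dmz         ipv4
kvm         ipv4
road        ipv4

# /etc/shorewall/interfaces
# eth0 carries two zones, so the zone column is "-" here and both zones are
# bound to the interface in the hosts file instead.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      routefilter,tcpflags,logmartians,nosmurfs
corp    eth1        detect      tcpflags,nosmurfs
corp    eth4        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs,routeback
kvm     eth3        detect      tcpflags,nosmurfs
road    tun+

# /etc/shorewall/hosts
# net is "everything arriving on eth0" (Tom's 0.0.0.0/0 entry); netok is the
# allow-list, which is a subset of those addresses.
#ZONE   HOST(S)
net     eth0:0.0.0.0/0
netok   eth0:122.55.62.0/24
netok   eth0:125.55.62.0/24
netok   eth0:152.55.62.0/24
netok   eth0:125.55.52.55

# /etc/shorewall/policy
# The CONTINUE line is the point Tom raises: a connection from a netok host
# that matches no netok rule is handed on to the net rules and net policy.
# Without it (or IMPLICIT_CONTINUE=Yes in shorewall.conf) such a connection
# would be decided by netok's own policy, i.e. the all->all line below.
# The net->all DROP and all->all REJECT entries are assumed defaults; Pete's
# policy file is not shown in the thread.
#SOURCE  DEST   POLICY     LOG LEVEL
netok    all    CONTINUE
net      all    DROP       info
all      all    REJECT     info

# /etc/shorewall/rules
# Only allow-listed sources are forwarded to .130.  A connection from an
# unlisted source to 45.124.144.12:443 matches no DNAT rule, is not
# translated, and is handled by the ordinary net rules and policy instead.
# The .134 rule is unchanged from Pete's original.
#ACTION  SOURCE  DEST                     PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     netok   dmz:172.18.222.130:443   tcp    443        -            45.124.144.12
DNAT     net     dmz:172.18.222.134:443   tcp    443        -            45.124.144.44
```

Pete's net/netok NONE policy entries are left out here: NONE tells Shorewall to generate no chains at all for that zone pair, which is only appropriate when traffic between the two zones never traverses the firewall, and it has no bearing on whether the netok rule is consulted before the net rules. After installing the files, shorewall check compiles the configuration without loading it, and shorewall show zones prints the address ranges each zone resolved to, which is the quickest way to confirm that the four allow-list entries appear under netok and that net covers 0.0.0.0/0 on eth0.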