Shorewall users - Oct 2010 - setup standalone interface shorewall on an untrusted lan

Hello
 I''m a newbie  shorewall user , trying to setup shorewall on an
untrusted
lan network where I only connect to proxy server 8080 port and a website at
port 8080
and drop any other ip on the lan

how to do that with shorewall ?
thanks taking time to reply


------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb

El sáb, 09-10-2010 a las 19:24 +0000, mike lan escribió:
> Hello 
>  I'm a newbie  shorewall user , trying to setup shorewall on an
> untrusted lan network where I only connect to proxy server 8080 port
> and a website at port 8080 
> and drop any other ip on the lan 
Place here your files policy and rules and show us what you are trying,
from them we may try to help you.

Regards,
Rodolfo Pilas




------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

sounds pretty simple, your policy file should only have
all    all    drop
and your rules should have something like
ACCEPT    src    dest    tcp    8080

replace src and dest with the appropriate src and dest, or use 0.0.0.0/0 
to let anything from or to anywhere on port 8080 pass.

anything else should be trivial if you follow the howtos.

On 10/9/2010 12:24 PM, mike lan wrote:
> Hello
>  I''m a newbie  shorewall user , trying to setup shorewall on an 
> untrusted lan network where I only connect to proxy server 8080 port 
> and a website at port 8080
> and drop any other ip on the lan
>
> how to do that with shorewall ?
> thanks taking time to reply
>
>
>
>
>
>
>
>
>
>
>
------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2&  L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb

On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com> wrote:
>  sounds pretty simple, your policy file should only have
> all    all    drop
> and your rules should have something like
> ACCEPT    src    dest    tcp    8080
>
> replace src and dest with the appropriate src and dest, or use 0.0.0.0/0to
let anything from or to anywhere on port 8080 pass.
>
> anything else should be trivial if you follow the howtos.
>
>
>
what are the appropiate src and dest ?
I''ve put $FW as src
but what do i need to put as "dest" , I''ve assigned it the ip
adress on the
lan

and I got on "shorewall start"
  ERROR: Missing destination zone : /etc/shorewall/rules (line 19)


------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev

On 10/14/10 2:59 PM, mike lan wrote:
> 
> 
> On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com
> <mailto:aarcane@gmail.com>> wrote:
> 
>     sounds pretty simple, your policy file should only have
>     all    all    drop
>     and your rules should have something like
>     ACCEPT    src    dest    tcp    8080
> 
>     replace src and dest with the appropriate src and dest, or use
>     0.0.0.0/0 <http://0.0.0.0/0> to let anything from or to anywhere
on
>     port 8080 pass.
> 
>     anything else should be trivial if you follow the howtos.
> 
> 
> 
> what are the appropiate src and dest ?
> I''ve put $FW as src
> but what do i need to put as "dest" , I''ve assigned it
the ip adress on
> the lan
> 
> and I got on "shorewall start"
>   ERROR: Missing destination zone : /etc/shorewall/rules (line 19)
Please start by following the standalone Quickstart Guide
(http://www.shorewall.net/standalone.htm). That will give you a working
firewall that allows all outgoing connections. It has two zones:

	1. $FW = fw
	2. net

You are welcome to try to modify the configuration that you will get
from that HOWTO to do what you want.

a) Add a REJECT policy for fw->net
b) Add all necessary fw->net ACCEPT rules for the outgoing traffic that
you want to allow. Don''t forget:

	1. DNS
	2. Distribution Updates

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev

On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com> wrote:
>  sounds pretty simple, your policy file should only have
> all    all    drop
> and your rules should have something like
> ACCEPT    src    dest    tcp    8080
>
> replace src and dest with the appropriate src and dest, or use 0.0.0.0/0to
let anything from or to anywhere on port 8080 pass.
>
> anything else should be trivial if you follow the howtos.
>
>
I"ve setup correcty shorewall as stand alone firewall as described on the
shorewall guide , still I don''t know how to make a "drop all
policy".
and allow ONLY connection to specific  ip adress at specific port on the lan
or to the internet
here is an example :

my policy file has only this line uncommented : ( to implement drop all
policy ?!)

all             all             DROP            info


my rules files : ( let''s say, I allow only accept from my pc to ip
adress
66.249.92.104 (google.com) only

# Drop Ping from the "bad" net zone.. and prevent your log from being
flooded..

Ping(DROP)      net             $FW

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT          $FW             net             icmp
ACCEPT          $FW             net:66.249.92.104   http

sudo shorewall restart

is that the correct way to do it ?

thanks for taking time to reply


------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev

On 11/12/10 1:18 PM, mike lan wrote:
> 
> 
> On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com
> <mailto:aarcane@gmail.com>> wrote:
> 
>     sounds pretty simple, your policy file should only have
>     all    all    drop
>     and your rules should have something like
>     ACCEPT    src    dest    tcp    8080
> 
>     replace src and dest with the appropriate src and dest, or use
>     0.0.0.0/0 <http://0.0.0.0/0> to let anything from or to anywhere
on
>     port 8080 pass.
> 
>     anything else should be trivial if you follow the howtos.
> 
> 
> I"ve setup correcty shorewall as stand alone firewall as described on
> the shorewall guide , still I don''t know how to make a "drop
all policy".
> and allow ONLY connection to specific  ip adress at specific port on the
> lan or to the internet
> here is an example :
> 
> my policy file has only this line uncommented : ( to implement drop all
> policy ?!)
> 
> all             all             DROP            info
> 
> 
> my rules files : ( let''s say, I allow only accept from my pc to ip
> adress 66.249.92.104 (google.com <http://google.com>) only
> 
> # Drop Ping from the "bad" net zone.. and prevent your log from
being
> flooded..
> 
> Ping(DROP)      net             $FW
> 
> # Permit all ICMP traffic FROM the firewall TO the net zone
> 
> ACCEPT          $FW             net             icmp
> ACCEPT          $FW             net:66.249.92.104   http
> 
> sudo shorewall restart
> 
> is that the correct way to do it ?
> 
Well yes and no -- that rule will allow you to connect to
http://66.249.92.104 but it will not allow you to connect generally to
http://google.com. google.com resolves to an ever-changing set of IP
addresses. If you ''dig google.com'', you will notice that the
TTL for the
A records is 5 minutes (300 seconds). If you repeat the ''dig''
10 minutes
later, the list of A records returned will likely be totally different.
For example:

;; ANSWER SECTION:
google.com.		300	IN	A	74.125.127.147
google.com.		300	IN	A	74.125.127.99
google.com.		300	IN	A	74.125.127.103
google.com.		300	IN	A	74.125.127.104
google.com.		300	IN	A	74.125.127.105
google.com.		300	IN	A	74.125.127.106

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev

On 11/12/10 1:34 PM, Tom Eastep wrote:
> On 11/12/10 1:18 PM, mike lan wrote:
>>
>> is that the correct way to do it ?
>>
> 
> Well yes and no
I should have mentioned that Shorewall FAQ #39 discusses this general
topic further.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev