Hello,

I'm a newbie shorewall user, trying to set up shorewall on an untrusted LAN network where I only connect to a proxy server on port 8080 and a website at port 8080, and drop any other IP on the LAN. How do I do that with shorewall?

Thanks for taking time to reply.
Rodolfo Pilas
2010-Oct-09 19:35 UTC
Re: setup standalone interface shorewall on an untrusted lan
On Sat, 09-10-2010 at 19:24 +0000, mike lan wrote:
> Hello
> I'm a newbie shorewall user, trying to setup shorewall on an
> untrusted lan network where I only connect to proxy server 8080 port
> and a website at port 8080
> and drop any other ip on the lan

Post your policy and rules files here and show us what you are trying; from them we may be able to help you.

Regards,
Rodolfo Pilas
Christ Schlacta
2010-Oct-09 20:02 UTC
Re: setup standalone interface shorewall on an untrusted lan
Sounds pretty simple. Your policy file should only have

    all all drop

and your rules should have something like

    ACCEPT src dest tcp 8080

Replace src and dest with the appropriate src and dest, or use 0.0.0.0/0 to let anything from or to anywhere on port 8080 pass. Anything else should be trivial if you follow the HOWTOs.

On 10/9/2010 12:24 PM, mike lan wrote:
> Hello
> I'm a newbie shorewall user, trying to setup shorewall on an
> untrusted lan network where I only connect to proxy server 8080 port
> and a website at port 8080
> and drop any other ip on the lan
>
> how to do that with shorewall ?
> thanks taking time to reply
mike lan
2010-Oct-14 21:59 UTC
Re: setup standalone interface shorewall on an untrusted lan
On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com> wrote:
> sounds pretty simple, your policy file should only have
> all all drop
> and your rules should have something like
> ACCEPT src dest tcp 8080
>
> replace src and dest with the appropriate src and dest, or use 0.0.0.0/0 to let anything from or to anywhere on port 8080 pass.
>
> anything else should be trivial if you follow the howtos.

What are the appropriate src and dest? I've put $FW as src, but what do I need to put as "dest"? I've assigned it the IP address on the LAN, and on "shorewall start" I got:

    ERROR: Missing destination zone : /etc/shorewall/rules (line 19)
Tom Eastep
2010-Oct-15 02:43 UTC
Re: setup standalone interface shorewall on an untrusted lan
On 10/14/10 2:59 PM, mike lan wrote:
> On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com
> <mailto:aarcane@gmail.com>> wrote:
>
>> sounds pretty simple, your policy file should only have
>> all all drop
>> and your rules should have something like
>> ACCEPT src dest tcp 8080
>>
>> replace src and dest with the appropriate src and dest, or use
>> 0.0.0.0/0 <http://0.0.0.0/0> to let anything from or to anywhere on
>> port 8080 pass.
>>
>> anything else should be trivial if you follow the howtos.
>
> what are the appropriate src and dest ?
> I've put $FW as src
> but what do I need to put as "dest" , I've assigned it the ip address on
> the lan
>
> and I got on "shorewall start"
> ERROR: Missing destination zone : /etc/shorewall/rules (line 19)

Please start by following the standalone Quickstart Guide (http://www.shorewall.net/standalone.htm). That will give you a working firewall that allows all outgoing connections. It has two zones:

1. $FW = fw
2. net

You are welcome to try to modify the configuration that you will get from that HOWTO to do what you want:

a) Add a REJECT policy for fw->net
b) Add all necessary fw->net ACCEPT rules for the outgoing traffic that you want to allow. Don't forget:
   1. DNS
   2. Distribution Updates

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
mike lan
2010-Nov-12 21:18 UTC
Re: setup standalone interface shorewall on an untrusted lan
On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com> wrote:
> sounds pretty simple, your policy file should only have
> all all drop
> and your rules should have something like
> ACCEPT src dest tcp 8080
>
> replace src and dest with the appropriate src and dest, or use 0.0.0.0/0 to let anything from or to anywhere on port 8080 pass.
>
> anything else should be trivial if you follow the howtos.

I've set up shorewall correctly as a standalone firewall as described in the shorewall guide, but I still don't know how to make a "drop all policy" and allow ONLY connections to a specific IP address at a specific port on the LAN or on the internet. Here is an example:

My policy file has only this line uncommented (to implement a drop all policy?!):

    all all DROP info

My rules file (let's say I only allow connections from my PC to IP address 66.249.92.104 (google.com)):

    # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
    Ping(DROP) net $FW

    # Permit all ICMP traffic FROM the firewall TO the net zone
    ACCEPT $FW net icmp
    ACCEPT $FW net:66.249.92.104 http

Then:

    sudo shorewall restart

Is that the correct way to do it?

Thanks for taking time to reply.
Tom Eastep
2010-Nov-12 21:34 UTC
Re: setup standalone interface shorewall on an untrusted lan
On 11/12/10 1:18 PM, mike lan wrote:
> On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <aarcane@gmail.com
> <mailto:aarcane@gmail.com>> wrote:
>
>> sounds pretty simple, your policy file should only have
>> all all drop
>> and your rules should have something like
>> ACCEPT src dest tcp 8080
>>
>> replace src and dest with the appropriate src and dest, or use
>> 0.0.0.0/0 <http://0.0.0.0/0> to let anything from or to anywhere on
>> port 8080 pass.
>>
>> anything else should be trivial if you follow the howtos.
>
> I've set up shorewall correctly as a standalone firewall as described in
> the shorewall guide, but I still don't know how to make a "drop all policy"
> and allow ONLY connections to a specific ip address at a specific port on the
> lan or on the internet
> here is an example :
>
> my policy file has only this line uncommented : ( to implement drop all
> policy ?!)
>
> all all DROP info
>
> my rules file : ( let's say, I only allow connections from my pc to ip
> address 66.249.92.104 (google.com <http://google.com>) )
>
> # Drop Ping from the "bad" net zone.. and prevent your log from being
> flooded..
>
> Ping(DROP) net $FW
>
> # Permit all ICMP traffic FROM the firewall TO the net zone
>
> ACCEPT $FW net icmp
> ACCEPT $FW net:66.249.92.104 http
>
> sudo shorewall restart
>
> is that the correct way to do it ?

Well yes and no -- that rule will allow you to connect to http://66.249.92.104 but it will not allow you to connect generally to http://google.com. google.com resolves to an ever-changing set of IP addresses. If you 'dig google.com', you will notice that the TTL for the A records is 5 minutes (300 seconds). If you repeat the 'dig' 10 minutes later, the list of A records returned will likely be totally different. For example:

    ;; ANSWER SECTION:
    google.com.    300    IN    A    74.125.127.147
    google.com.    300    IN    A    74.125.127.99
    google.com.    300    IN    A    74.125.127.103
    google.com.    300    IN    A    74.125.127.104
    google.com.    300    IN    A    74.125.127.105
    google.com.    300    IN    A    74.125.127.106

-Tom
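The following is an added example, not taken from this thread or from the Shorewall project. It puts together the two-zone standalone configuration from Tom's steps (a) and (b) in his 2010-Oct-15 reply and applies it to the original question: the firewall host may only reach a proxy server and a website on port 8080, plus DNS. The interface name eth0 and the addresses 192.0.2.10 (proxy) and 192.0.2.20 (website) are placeholders. It also reflects Tom's point above: a rule keyed to one address only covers that one address, which is fine for fixed LAN hosts but not for a name such as google.com whose A records rotate.

```conf
# /etc/shorewall/zones  (unchanged from the standalone guide)
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces  (eth0 is a placeholder for the LAN interface)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Step (a): replace the guide's "$FW net ACCEPT" with REJECT so that
# nothing leaves the host unless a rule in /etc/shorewall/rules allows it.
# "info" logs every rejected/dropped connection attempt, which is how you
# find out what else you forgot to allow.
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Step (b): explicit fw->net ACCEPT rules for the traffic that is wanted.
# DEST is always "zone" or "zone:address"; a bare address here is what
# produces "ERROR: Missing destination zone".
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)

# Reminder 1: DNS. Without this nothing resolves, and every hostname
# lookup shows up in the log as a rejected udp/53 packet.
ACCEPT    $FW      net               udp     53
ACCEPT    $FW      net               tcp     53

# The proxy server and the website on the LAN, port 8080 only
# (placeholder addresses). Everything else on the LAN falls under the
# REJECT policy above and is logged.
ACCEPT    $FW      net:192.0.2.10    tcp     8080
ACCEPT    $FW      net:192.0.2.20    tcp     8080

# Reminder 2: distribution updates. With a REJECT policy they will not
# work by themselves; either point the package manager at the proxy on
# 192.0.2.10:8080 (covered by the rule above) or add ACCEPT rules for the
# mirror addresses you use.

# Keep the host from answering ping from the untrusted LAN, as in the
# guide, but let the host itself send ICMP so that path MTU discovery
# and "destination unreachable" still work.
Ping(DROP)  net    $FW
ACCEPT      $FW    net               icmp
```

Run `shorewall check` after editing; it compiles the configuration and reports errors such as the missing destination zone without touching the running firewall. Only then `shorewall restart`. Once it is up, `shorewall show log` (or the kernel log) lists what the REJECT policy is blocking, which is the quickest way to find any remaining service that needs its own ACCEPT rule.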
Tom Eastep
2010-Nov-12 21:40 UTC
Re: setup standalone interface shorewall on an untrusted lan
On 11/12/10 1:34 PM, Tom Eastep wrote:
> On 11/12/10 1:18 PM, mike lan wrote:
>>
>> is that the correct way to do it ?
>>
>
> Well yes and no

I should have mentioned that Shorewall FAQ #39 discusses this general topic further.

-Tom