Hello,
I would like to set up shorewall for some ports only (i.e. allow to surf the net, http and https, and access ftp only and nothing else).

I've used the one-interface firewall example with a policy file:

    #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
    $FW      net   ACCEPT  info
    net      all   DROP    info
    # The FOLLOWING POLICY MUST BE LAST
    all      all   REJECT  info

and on the rules file:

    ACCEPT  $FW  net  icmp
    ACCEPT  $FW  net  tcp  http,https,ftp

restarted shorewall.
But I've noticed that I can still send packets on other ports than those specified in the rules, e.g. running transmission for instance.

Thanks for taking the time to reply.
On 12/28/2011 02:16 AM, mike lan wrote:
> Hello
> I would like to set up shorewall for some ports only (i.e. allow to surf
> the net, http and https, and access ftp only and nothing else)
>
> I've used the one-interface firewall example with a policy file:
> #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
> $FW      net   ACCEPT  info
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> net      all   DROP    info
> # The FOLLOWING POLICY MUST BE LAST
> all      all   REJECT  info
>
> and on the rules file:
> ACCEPT  $FW  net  icmp
> ACCEPT  $FW  net  tcp  http,https,ftp
>
> restarted shorewall
> But I've noticed that I can still send packets on other ports than those
> specified in the rules, e.g. running transmission for instance
>
> thanks for taking the time to reply

The highlighted line there sets the default policy for outgoing traffic to ACCEPT. When your ACCEPT rules aren't matched, outgoing traffic uses that default. Change that ACCEPT to a REJECT, or maybe a DROP if you prefer, and it should work as expected.

--
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://www.prml.org/
<Alexander.Eck@Heidelberg.de>
2011-Dec-28 09:41 UTC
Re: setup shorewall for specific ports only
Hi mike,

just edit your policy file:

    #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
    $FW      net   REJECT  info
    net      all   DROP    info
    # The FOLLOWING POLICY MUST BE LAST
    all      all   REJECT  info

and leave your rules file like it is right now.

Shorewall will always take a look inside the rules file first, and only after not finding a matching rule there will shorewall take a look inside the policy file. That's why you should still be able to ping and make http, https and ftp connections to the net: shorewall finds matching rules in your rules file.

Hope this helps!

Regards
Alex
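To make the rules-before-policy lookup order that both replies describe concrete, here is a small added model of it (example code written for this thread, not part of Shorewall). It parses the thread's rules file and both versions of the policy file and reports which action a given connection gets; the `decide` and `zone_match` names, the `SERVICES` port table and the arbitrary high port 51413 standing in for a BitTorrent client are assumptions of the example.

```python
"""Toy model of Shorewall's lookup order: rules file first, then policy.

Only the subset used in the thread is modelled: zones $FW and net (plus
"all"), protocols tcp/icmp, and a DEST PORT column of service names or
numbers. Constructed for illustration, not Shorewall's own code.
"""

SERVICES = {"http": 80, "https": 443, "ftp": 21}  # /etc/services subset

# The rules file from the original post (constructed copy).
RULES = """
ACCEPT $FW net icmp
ACCEPT $FW net tcp http,https,ftp
"""

# The policy file as posted, and the version both replies recommend.
POLICY_ORIGINAL = """
$FW net ACCEPT info
net all DROP info
all all REJECT info
"""
POLICY_FIXED = POLICY_ORIGINAL.replace("$FW net ACCEPT", "$FW net REJECT")


def parse(text):
    """Split a config file into token lists, skipping blanks and comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def zone_match(pattern, zone):
    return pattern in ("all", zone)


def decide(src, dst, proto, port, rules, policy):
    """Return the action taken for one new connection attempt."""
    # 1. Rules are consulted first; the first match wins.
    for action, rsrc, rdst, rproto, *rest in parse(rules):
        if not (zone_match(rsrc, src) and zone_match(rdst, dst)):
            continue
        if rproto != proto:
            continue
        if rest:  # DEST PORT column present: restrict to listed ports
            ports = {int(SERVICES.get(p, p)) for p in rest[0].split(",")}
            if port not in ports:
                continue
        return action
    # 2. No rule matched: fall through to the first matching policy.
    for psrc, pdst, action, *_ in parse(policy):
        if zone_match(psrc, src) and zone_match(pdst, dst):
            return action
    raise ValueError("no policy matched")
```

With the posted policy, `decide("$FW", "net", "tcp", 51413, RULES, POLICY_ORIGINAL)` returns ACCEPT because nothing in the rules file matched and the `$FW net ACCEPT` policy caught it; with the fixed policy the same call returns REJECT while http, https, ftp and ping still hit their rules.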