Hello! I have a question regarding the rules. I have the following policies as my rules:

    loc   loc   ACCEPT
    loc   all   REJECT   info
    net   all   DROP     info
    fw    all   ACCEPT
    vpn   all   ACCEPT

My question is: taking these rules, with which I have closed all ports on the computer, is it not necessary to close some other port by placing RULES? I just want to close everything and open only the ports I want. Thanks.

------

My question is that I want to know whether, with those policies, it is no longer necessary to close any further port within the rules (RULES), since what I want is to be able to close ALL the ports, so that I can open only those I really need without closing any more. Regards.

-- William

------------------------------------------------------------------------------
Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics. Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct
I.S.C. William wrote:

> I have a question regarding the rules. I have the following policies as my rules:
>
>     loc   loc   ACCEPT
>     loc   all   REJECT   info
>     net   all   DROP     info
>     fw    all   ACCEPT
>     vpn   all   ACCEPT
>
> My question is: taking these rules, with which I have closed all ports on the computer, is it not necessary to close some other port by placing RULES?
>
> I just want to close everything and open only the ports I want.

Those policies will allow all traffic that originates in the loc and vpn zones or on the firewall itself. Traffic originating from the net zone will be blocked. Assuming "net" is "the internet" and loc and vpn are internal, then you will have free access internally and TO the internet, but there will be no inbound traffic FROM the internet allowed.

If that is what you want, then you need add no other rules.

If you want to restrict outbound traffic, or intra-zone internal traffic, then you'll need to either add rules to block what you don't want to allow - or change the policies accordingly and add rules to allow what you want to allow.

PS - it's really bad etiquette to send requests directly to individuals rather than just to the mailing list.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
2012/10/23 Simon Hobson <linux@thehobsons.co.uk>

Thanks Simon. That is exactly what I want: to block all access from the local network (loc) to the internet (net), and similarly net2loc, so that I can select only the ports to open. You say that I need one more rule; could you mention what I need in order to accomplish this?

Note: I understand it's wrong to route it to an individual; I did so because one of them speaks Spanish and could help me, since my current language is Spanish. Thank you.
I.S.C. William wrote:

> That is exactly what I want: to block all access from the local network (loc) to the internet (net), and similarly net2loc, so that I can select only the ports to open.
>
> You say that I need one more rule; could you mention what I need in order to accomplish this?

You need to take a step back. It's not enough to talk about blocking traffic TO a zone, all policies apply to traffic FROM one zone TO another zone. These zones are the first and second columns of the policy file.

I'd suggest you should make a full list of all the zone-zone combinations like this :

    fw   loc
    fw   net
    fw   vpn

    loc  fw
    loc  loc
    loc  net
    loc  vpn

    net  fw
    net  loc
    net  vpn

    vpn  fw
    vpn  loc
    vpn  net

    all  all

I've included loc-loc, that's only needed if you have more than one network in your loc zone and the firewall is passing traffic between them. All-all is a 'catch all' for anything not more explicitly listed.

Against each combination, decide whether you want to allow traffic (ACCEPT), or block it (DROP or REJECT). The difference between DROP and REJECT is that DROP will silently discard the packet, while REJECT will reply to the packet (an ICMP response I think, but that could be wrong).
It's common to use REJECT for outbound traffic (any->net, so your internal clients "fail" quickly rather than doing nothing for a while and then failing), and DROP for inbound traffic (net->any, so an attacker just gets no response to probes).

Once you've decided on the policy, only then do you think about rules. The POLICY applies to all traffic between the two zones which isn't mentioned in a RULE, rules apply to specific traffic with more detailed criteria.

If you have an ACCEPT policy, then all traffic is allowed unless you have a rule which blocks it. Eg, if you generally want outbound traffic allowed (policy - loc net ACCEPT), but wanted to prevent SMTP traffic that didn't come from your internal firewall, you might add the RULEs :

    SMTP/ACCEPT   loc:<mail server ip>   net
    SMTP/REJECT   loc                    net

These rules explicitly allow mail from your mail server (so it's not caught by the next rule), and then reject anything else.

If you have a REJECT or DROP policy, then you'll need rules to allow all traffic you want to allow. So for the same mail, you'd just need one RULE :

    SMTP/ACCEPT   loc:<mail server ip>   net

-- 
Simon Hobson
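As an added illustration of the evaluation order Simon describes (RULES first, in file order; the POLICY for the zone pair decides whatever no rule mentions), here is a small model of that logic over the "default deny" setup William asked for. This is example code written for this thread, not Shorewall's own code; the zone names, hosts and ports are constructed samples, and the published net->loc web server goes beyond the SMTP case in the thread.

```python
# Added example: a model of Shorewall's rule-then-policy evaluation, as
# explained in the thread. Not Shorewall code; hosts/ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    dport: int


# Policy file in William's "close everything" style: (SOURCE, DEST, POLICY).
# Entries are matched top to bottom; 'all' is a wildcard.
POLICY = [
    ("loc", "loc", "ACCEPT"),
    ("loc", "all", "REJECT"),  # outbound from loc blocked unless a RULE allows it
    ("net", "all", "DROP"),    # inbound from the internet silently discarded
    ("fw",  "all", "ACCEPT"),
    ("vpn", "all", "ACCEPT"),
]

# Rules file: (ACTION, SOURCE, DEST, DPORT). 'loc:10.0.0.25' restricts the
# source to one host, like Simon's 'loc:<mail server ip>'. Constructed values.
RULES = [
    ("ACCEPT", "loc:10.0.0.25", "net", 25),   # only the mail server may send SMTP
    ("ACCEPT", "loc", "net", 443),            # HTTPS out for everyone in loc
    ("ACCEPT", "net", "loc:10.0.0.80", 443),  # one published web server
]


def _zone_matches(spec: str, zone: str, host: str) -> bool:
    """'loc' matches the whole zone; 'loc:10.0.0.25' matches one host in it."""
    spec_zone, _, spec_host = spec.partition(":")
    return spec_zone == zone and (spec_host == "" or spec_host == host)


def decide(pkt: Packet, rules=RULES, policy=POLICY) -> str:
    """Return the action for pkt: the first matching RULE, else the POLICY."""
    for action, src, dst, dport in rules:
        if (dport == pkt.dport
                and _zone_matches(src, pkt.src_zone, pkt.src_host)
                and _zone_matches(dst, pkt.dst_zone, pkt.dst_host)):
            return action
    for src, dst, action in policy:  # nothing in RULES mentioned it: use POLICY
        if src in (pkt.src_zone, "all") and dst in (pkt.dst_zone, "all"):
            return action
    raise LookupError("no policy covers %s -> %s" % (pkt.src_zone, pkt.dst_zone))
```

Under this model the loc->net REJECT policy means every outbound port not named in RULES is closed, which is the "open only what I need" behaviour the thread is after.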
2012/10/24 Simon Hobson <linux@thehobsons.co.uk>

Excellent explanation ... thank you very much ... Greetings!