[Shorewall-newbies] firewall setup error help! please! asap

Ron Shannon rshannon at cruzcom.com
Sun Dec 7 19:53:48 PST 2003


You wrote: 
 
> interfaces ....
> 
> ##############################################################
> ################
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> net     eth0            detect          dhcp,routefilter,norfc1918
> loc     eth1            detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

This above is fine, though it's pretty odd to have a DHCP server serving your external IP in a colocation facility. If your external (net) network interface is statically addressed, you don't need the "dhcp" part.
 
> policy file
> 
> 
> ##############################################################
> #################
> #SOURCE         DEST            POLICY          LOG LEVEL     
>   LIMIT:BURST
> loc             net             ACCEPT
> net             loc             ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw             net             ACCEPT
> #net            all             DROP            ULOG
> all             all             REJECT          ULOG
> #net            fw              DROP    icmp    8
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

This policy file is currently allowing ALL traffic to flow through your firewall. In other words, you don't have a firewall. Comment (insert # at beginning of line) the "net loc ACCEPT" line immediately. Also comment out or delete the "LIMIT:BURST" if it's on a separate line.. not needed.

> 
> and here is the rules file..... does it look right to you.... 
> pleasssssssssssse feel free to comment on how to make it 
> better.... i would 
> like to be able to make it so that people can only ftp to one 
> port or ip 
> address on one server but not sure how that's done cause as 
> you can see it's 
> wide open "per se"

Looks like you forgot to include the rules file, which has the nitty gritty.

Ron
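As an added illustration (not part of Ron's reply or the original poster's message), here is the poster's policy file with the change Ron asks for applied: the "net loc ACCEPT" line is commented out, so connections from the Internet into the local zone now fall through to the final "all all REJECT" policy, and the LIMIT:BURST column header is back on one line. The "#net all DROP ULOG" line is left commented as the poster had it; uncommenting it is the usual way to drop unsolicited Internet traffic silently, but that is an editorial suggestion, not something Ron requested.

```text
##############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
# Disabled per Ron's advice: this line let every Internet host reach the
# local network unchecked. Traffic from net to loc now hits the REJECT below.
#net            loc             ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw              net             ACCEPT
# Optional (editorial suggestion): drop, rather than reject, everything
# unsolicited from the Internet so the firewall does not answer scanners.
#net            all             DROP            ULOG
all             all             REJECT          ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

After editing, "shorewall check" validates the configuration files and "shorewall restart" puts the new policy into effect; anything the local zone still needs from the Internet (the single FTP port the poster mentions) then has to be opened explicitly in the rules file rather than by a blanket policy.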
