[Shorewall-newbies] firewall setup error help! please! asap
alex at rettc.com
Sun Dec 7 21:51:42 PST 2003
Read my original long post. Then read it again. Then read the excellent
documentation at www.shorewall.net.
The rules do not need to be in place. They will be bounced and logged;
this way, you can add the rules as needed.
If this is a live system, then you will have to be careful to avoid
downtime. But that is the way the ball bounces.
"dmz" is a notation for a zone. Francesca was asking if you had a dmz.
A zone is like net or loc in your case. Sometimes people have a net, a
loc and a dmz. By treating different zones with separate rules, and by
nature of their being segmented physically from each other (separate NICs
on the firewall), it provides for more security. In your case, I
understand that you are using the loc zone as a dmz (demilitarized
zone). Usually, if you can separate a local LAN from a segment with
public servers, this is a better setup. If you had a bunch of Windows
boxes in your loc zone, and they all had file sharing, and one was a
web server that you had allowed the internet access to, and that server
got hacked, then the hacker would have access to all of your loc network.
By having a dmz, with servers separated from a group of user machines,
if the web server was hacked, the local network of user machines would be
safe. Also, usually on a masqueraded LAN, the policy is to allow all loc
to net traffic. For a dmz (which is named loc in your case), you do not
want an "accept all loc to lan" policy. This is because, say, you have a
Windows web server, it gets hacked, a trojan is installed, and it tries
to get outbound on port 7000. If you had an "accept loc to net" policy,
you would not see this traffic in your logs. In your case (dmz-type
network) you want to have "deny all" policies with explicit allowance
rules for best security. Of course, this is up to you.
If you make a fresh two-interface install, then watch the logs, and add
rules as necessary, you will have less than five minutes of downtime,
because it is quick and easy to enable traffic. Or, as you should know
what traffic will be allowed, you could have the rules set up
beforehand. But as a newbie, I would recommend no rules and watching the logs
so you can learn.
    # Example: Accept www requests to the firewall.
    # ACCEPT net fw tcp http
More simply, to accept port 21 from the internet to server ip 18.104.22.168 in
the loc zone,
    ACCEPT net loc:22.214.171.124 tcp 21
With all of the time and bandwidth that you and I and Francesca have
spent (a few hours of back and forth) you could have spent reading the
excellent documentation at www.shorewall.net, and your problem probably
would have been solved a while ago.
Please take some time to read the documentation. We are here to help,
but not hold hands. I am not trying to be mean or anything, it is just a
little frustrating. Tom has spent countless hours (months, years)
providing some of the best open source project documentation I have seen.
Look at the two-interface guide. Your only difference from that is that
you have public IPs behind the firewall. So, you do not need
masquerading. Also, make sure your policy has "accept loc net" commented
out. Watch the logs. Otherwise, I think no changes need be made except
for your custom rules.
Sterling Martin wrote:
> PS... if I were to comment these out, wouldn't I then have to make
> sure all my rules to allow data in and out were in place first?
> Otherwise things that are "supposed" to be allowed in or out will be
> bounced, right? For example, people trying to view our website would see
> nothing and people trying to upload files simply couldn't log in, etc...
> Just wondering... be nice, remember newbies ask dumb questions :)
>> > Ok. The policy file you have created makes most of your rules
>> > obsolete.
>> > >loc net ACCEPT
>> > >net loc ACCEPT
>> > the above allows all traffic between your loc and net zones!!!! thus,
>> > any net2loc or loc2net rules are useless. This is a good way to get
>> > hacked. If you had windows boxes in the loc zone, I bet they did get
>> > hacked.
>> > > # remove the comment from the following line.
>> > > fw net ACCEPT
>> Let's be fair... Looks like someone without a clue set this up (the
>> original person, not Sterling)... And this is newbies... (I would grab
>> at least the two-interface examples and work from there.)
>> And yes... lose all the shorewall files... reload... slash and burn...
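The point made above (rules are consulted first, and whatever matches no rule falls through to the zone policy, so an "accept all loc to net" policy silently passes the trojan's outbound connection while a deny-all policy drops and logs it) is easy to check with a toy evaluator. The following is an added example of mine, not code from the thread or from the Shorewall project: it models only the ACTION/SOURCE/DEST/PROTO/PORT columns of the rules file and the SOURCE/DEST/POLICY/LOG LEVEL columns of the policy file, and the server address 192.0.2.10, the client addresses and the three rules are constructed for the example.

```python
"""Toy model of how Shorewall evaluates its 'rules' and 'policy' files.

Order of evaluation (the behaviour the reply relies on):
  1. the rules file is searched top to bottom; the first match decides;
  2. if no rule matches, the policy file is searched top to bottom and
     the first matching SOURCE/DEST pair supplies the verdict and whether
     the packet is logged (a LOG LEVEL of '-' or none means no log).
Only a subset of Shorewall's syntax is modelled here; this is not Shorewall.
"""
from dataclasses import dataclass

# Assumption for this example: a small service-name table instead of
# /etc/services, so the block runs offline and needs nothing installed.
SERVICES = {"http": 80, "ftp": 21, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Conn:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


def parse_table(text):
    """Split a Shorewall-style table into rows, dropping comments/blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_match(spec, zone, ip):
    """'all' matches anything, 'loc' a whole zone, 'loc:A.B.C.D' one host."""
    if spec == "all":
        return True
    if ":" in spec:
        z, host = spec.split(":", 1)
        return z == zone and host == ip
    return spec == zone


def port_number(spec):
    return int(spec) if spec.isdigit() else SERVICES[spec]


def evaluate(rules_text, policy_text, conn):
    """Return (verdict, what decided it, logged?) for one connection attempt."""
    for action, src, dst, proto, port in parse_table(rules_text):
        if (zone_match(src, conn.src_zone, conn.src_ip)
                and zone_match(dst, conn.dst_zone, conn.dst_ip)
                and (proto == "-" or proto == conn.proto)
                and (port == "-" or port_number(port) == conn.dport)):
            # Rules in this toy never log; only policies carry a LOG LEVEL.
            return action, f"rule {action} {src} {dst} {proto} {port}", False
    for row in parse_table(policy_text):
        src, dst, policy = row[:3]
        log_level = row[3] if len(row) > 3 else "-"
        if zone_match(src, conn.src_zone, conn.src_ip) and zone_match(dst, conn.dst_zone, conn.dst_ip):
            return policy, f"policy {src} {dst} {policy}", log_level != "-"
    raise ValueError("no policy matched: a catch-all 'all all' entry is required")


# Constructed policy from the thread: everything between loc and net is open.
WIDE_OPEN_POLICY = """
loc  net  ACCEPT
net  loc  ACCEPT
fw   net  ACCEPT
all  all  REJECT  info
"""

# Constructed deny-all policy as the reply recommends for a dmz-style loc zone.
DENY_ALL_POLICY = """
fw   net  ACCEPT
loc  net  DROP    info
net  loc  DROP    info
all  all  REJECT  info
"""

# Constructed explicit allowances for the one public server (address assumed).
RULES = """
ACCEPT net            loc:192.0.2.10  tcp  http
ACCEPT net            loc:192.0.2.10  tcp  21
ACCEPT loc:192.0.2.10 net             udp  53
"""

# Constructed traffic: a visitor fetching the web site, and the hacked
# server's trojan trying to get outbound on port 7000.
WEB = Conn("net", "203.0.113.5", "loc", "192.0.2.10", "tcp", 80)
TROJAN = Conn("loc", "192.0.2.10", "net", "198.51.100.7", "tcp", 7000)


if __name__ == "__main__":
    for name, policy in (("wide-open", WIDE_OPEN_POLICY), ("deny-all", DENY_ALL_POLICY)):
        for label, conn in (("web visit", WEB), ("trojan outbound", TROJAN)):
            verdict, why, logged = evaluate(RULES, policy, conn)
            print(f"{name:9} {label:16} -> {verdict:6} via {why} (logged={logged})")
```

With the wide-open policy both connections are accepted and neither is logged, so the trojan is invisible; with the deny-all policy the web visit still passes on its explicit rule while the port 7000 connection falls through to the "loc net DROP info" entry and shows up in the log, which is exactly the "watch the logs and add rules as needed" workflow the reply describes.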