[Shorewall-newbies] firewall setup error help! please! asap

Alex Martin alex at rettc.com
Sun Dec 7 21:51:42 PST 2003

Read my original long post. Then read it again. Then read the excellent 
documentation at www.shorewall.net.

The rules do not need to be in place. They will be bounced and logged; 
this way, you can add the rules as needed.

If this is a live system, then you will have to be careful to avoid 
downtime. But that is the way the ball bounces.

dmz is a notation for a zone. Francesca was asking if you had a dmz. 
A zone is like net or loc in your case. Sometimes people have a net a 
loc and a dmz. By treating different zones with separate rules, and by 
nature of their being segmented physically from each other (separate nics 
on the firewall), it provides for more security. In your case, I 
understand that you are using the loc zone as a dmz (demilitarized 
zone). Usually, if you can separate a local lan from a segment with 
public servers, this is a better setup. If you had a bunch of windows 
boxes in your loc zone, and they all had file sharing, and one was a 
webserver that you had allowed the internet access to, and that server 
got hacked then the hacker would have access to all of your loc network. 
By having a dmz, with servers separated from a group of users machines, 
if the webserver was hacked, the local network of user machines would be 
safe. Also, usually on a masqueraded lan, the policy is to allow all loc 
to net traffic. For a dmz (which is named loc in your case), you do not 
want an accept all loc to lan policy. This is because, say, you have a 
windows web server, it gets hacked, a trojan is installed, and it tries 
to get outbound on port 7000. If you had an accept loc to net policy, 
you would not see this traffic in your logs. In your case (dmz type 
network) you want to have "deny all" policies with explicit allowance 
rules for best security. Of course, this is up to you.

If you make a fresh two interface install, then watch the logs, and add 
rules as necessary, you will have less than five minutes of downtime, 
because it is quick and easy to enable traffic. Or, as you should know 
what traffic will be allowed, you could have the rules set up 
beforehand. But as a newbie, I would recommend no rules and watching the logs 
so you can learn.

from /etc/shorewall/rules:
#       Example:        Accept www requests to the firewall.
#       ACCEPT          net             fw      tcp     http

More simply, to accept port 21 from the internet to a server ip in 
the loc zone,
ACCEPT	net	loc:	tcp	21


With all of the time and bandwidth that you and I and Francesca have 
spent (a few hours of back and forth) you could have spent reading the 
excellent documentation at www.shorewall.net, and your problem probably 
would have been solved a while ago.

Please take some time to read the documentation. We are here to help, 
but not hold hands. I am not trying to be mean or anything, it is just a 
little frustrating. Tom has spent countless hours (months, years) 
providing some of the best open source project documentation I have seen.

Look at the two interface guide. Your only difference from that is that 
you have public IPs behind the firewall. So, you do not need 
masquerading. Also, make sure your policy has "accept loc net" commented 
out. Watch the logs. Otherwise, I think no changes need be made except 
for your custom rules.

Alex Martin
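The policy-versus-rules point above (an ACCEPT policy between net and loc makes every explicit rule for that pair redundant, and a deny-all policy should log so that missing rules show up in the logs), as an added example that is not part of this thread or of Shorewall itself: a small Python lint over Shorewall-style policy and rules text. The zone names come from the thread; the 192.0.2.x addresses and the rules are constructed.

```python
# Added example (not the thread's or Shorewall's own code); zone names from the thread, addresses constructed.

def parse_table(text):
    """Rows of whitespace-separated fields; comments and blank lines dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint(policy_text, rules_text):
    """Return findings (strings); an empty list means nothing was flagged."""
    findings = []
    rules = parse_table(rules_text)
    for pol in parse_table(policy_text):
        src, dst, action = pol[0], pol[1], pol[2].upper()
        level = pol[3] if len(pol) > 3 else "-"
        if action == "ACCEPT" and {src, dst} == {"net", "loc"}:
            # the policy already accepts everything, so rules for the pair never matter
            shadowed = [" ".join(r) for r in rules
                        if r[1].split(":")[0] == src and r[2].split(":")[0] == dst]
            findings.append(f"policy '{src} {dst} ACCEPT' allows all traffic; "
                            f"{len(shadowed)} rule(s) redundant: {shadowed}")
        elif action in ("DROP", "REJECT") and level == "-":
            findings.append(f"policy '{src} {dst} {action}' has no log level; "
                            "blocked traffic will not appear in the logs")
    return findings

# Policy as posted in the thread: everything between loc and net is accepted.
POSTED_POLICY = """\
loc   net   ACCEPT
net   loc   ACCEPT
net   all   DROP   info
"""

# Deny-all layout for a loc zone used as a DMZ: drop and log by default,
# open only the public services explicitly in the rules file.
DMZ_POLICY = """\
loc   net   DROP   info
net   loc   DROP   info
net   all   DROP   info
"""

# Constructed rules: a web server and an FTP server with public addresses in loc.
RULES = """\
ACCEPT   net   loc:192.0.2.10   tcp   80
ACCEPT   net   loc:192.0.2.11   tcp   21
ACCEPT   loc   net              udp   53
"""
```

Running lint(POSTED_POLICY, RULES) reports both ACCEPT policies and the rules they shadow; lint(DMZ_POLICY, RULES) reports nothing.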

Sterling Martin wrote:

> ps... if I were to comment these out ...wouldn't I then have to make 
> sure all my rules to allow data in and out were in place first?  
> otherwise things that are "supposed" to be allowed in or out will be 
> bounced, right? for example people trying to view our website would see 
> nothing and people trying to upload files simply couldn't log in etc... 
> right....
> just wondering .... be nice, remember newbies ask dumb questions  :)
>> Hello,
>> > Ok. The policy file you have created makes most of your rules
>> > obsolete.
>> >
>> >  >loc             net             ACCEPT
>> >  >net             loc             ACCEPT
>> >
>> > the above allows all traffic between your loc and net zones!!!! thus,
>> > any net2loc or loc2net rules are useless. This is a good way to get
>> > hacked. If you had windows boxes in the loc zone, I bet they did get
>> > hacked.
>> >
>> >  > # remove the comment from the following line.
>> >  > fw             net             ACCEPT
>> >
>> >
>> Let's be fair .. Looks like someone without a clue set this up ( The
>> Original Person not Sterling  ) .. And this is newbies .. (I would grab
>> at least the two interface examples and work from there)
>> And yes .. lose all the shorewall files .. reload .. slash and burn ..
>> Francesca