[Shorewall-users] Parameterized Samples Withdrawn

Cowles, Steve Steve@SteveCowles.com
Tue, 9 Apr 2002 10:22:47 -0500


> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, April 09, 2002 8:21 AM
> To: Paul Gear
> Cc: Shorewall Users
> Subject: Re: [Shorewall-users] Parameterized Samples Withdrawn
> 
> 
> On Tue, 9 Apr 2002, Paul Gear wrote:
> 
> > My AU$0.02: way to go, Tom - you tell 'em!  :-)
> >
> 
> I knew you'd be pleased :-)
> 
> >
> > I agree that there is a need for sample configurations, but 
> > not for the *parameterized* samples previously provided.
> > As Tom has stated, they give the wrong impression about using
> > Shorewall.  The parameter is simply a convenient place to put
> > frequently used hosts and things.  It should not be used to
> > define all your trusted ports - that's what the rules file
> > is for.
> >
> 
> I agree entirely.
> 
> > Tom, what about publishing the unparameterized samples I
> > previously sent you?  I think it would be good if all the
> > interfaces and rules were commented out by default, with
> > explanations of what each one does if uncommented.  I'd
> > be happy to maintain and (partially) support them if people 
> > find them useful.
> >
> 
> I'll dig them out and have a look.

Whew!!! Talk about stirring up a hornet's nest.

Personally, I would like to see unparameterized samples that have a common
30,000-foot documented format, i.e. in the rules file, have sections
defining each zone->zone combination. This would allow all of us to start on
the same page (so to speak). I know when someone makes a post to this list
where they are referencing the current parameterized example files, I just
ignore them because I do not feel like trying to cross-reference the
parameters to which shorewall file they are being used in. Call me lazy, but
I would rather respond to someone's question with... under the
internet->local section of the rules file, add the following rule.

FWIW: I use the following format in my rules file.

############################################################################
########################### Internet -> Local ##############################
############################################################################
#RESULT CLIENT(S) SERVER(S)     PROTO   PORT(S) CLIENT PORT(S) ADDRESS
#
# Define the services that will be made available from the Internet to
# Local LAN systems.

# Accept/Forward inbound tcp port 81 to IIS Server port 80 (OWA) - 192.168.9.2
# Accept/Forward inbound tcp port 1723 (PPTP) to PPTP Server - 192.168.9.3
# Accept/Forward inbound gre protocol requests to PPTP server - 192.168.9.3
 
ACCEPT  net       loc:192.168.9.2:80  tcp   81             -     all
ACCEPT  net       loc:192.168.9.3     tcp   1723           -     all
ACCEPT  net       loc:192.168.9.3     47    -              -     all


############################################################################
########################### Local -> Internet ##############################
############################################################################
#RESULT CLIENT(S) SERVER(S)     PROTO   PORT(S) CLIENT PORT(S) ADDRESS
 
# Allow "all" traffic from private LAN to Internet. This is
# accomplished by adding the following policy and masq file entries.
 
# policy file: loc             net             ACCEPT
# masq file:   eth0            192.168.9.0/24
 
# Only list exceptions to the above here.
 
REJECT:info loc   net             tcp   6667


Furthermore (so that we are all starting from the same page), I would like
to see an "initial" install script for shorewall that prompts for basic
network design parameters, similar to how the "firewall in a box"
manufacturers like Netgear, Linksys, etc. do. Then the install script
creates a standard set of shorewall parameter files. Something like the
following:

1) Which interface is external? (eth0/eth1)
2) Is the external interface's ip address assigned through DHCP?
3) Does the external interface require PPPoE? <groan!>
4) DNS servers that the firewall will use for name resolution?
5) Which interface is internal? (eth0/eth1)
6) What is the LAN address of the internal interface? (192.168.1.0/24)

With any of the above prompts, context-sensitive help would be available
that outlines (at a 30,000-foot view) what should be entered for each
prompt. By default, the initial install script would create all the
necessary shorewall config files (based on the above prompts) with a
default policy of DENY all inbound traffic.

Now that we are all starting on the same page, create detailed documentation
that describes (chapter 1) the theory of operation for shorewall/netfilter and
also chapters on how to modify the default to fit your current requirements,
i.e. port forwarding. BTW: Tom, you already have a good start on this.

For those super newbies, I found the following netgear site rather
interesting. Maybe we could adapt its format to fit shorewall.

http://www.netgear-support.com/ts/doc/ispguide.htm

Just my two bits
Steve Cowles
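The "initial install" generator proposed above, written out as an added example that is neither Shorewall's own installer nor code from the thread: it takes the answers to prompts 1, 2, 5 and 6 as arguments (DNS and PPPoE do not map onto Shorewall files and are left out), validates them, and writes zones, interfaces, policy, masq and a rules file pre-sectioned in the post's banner style. The column layouts of the classic Shorewall 1.x files and the use of DROP for the post's "DENY all inbound" default are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's own installer: a non-interactive form of the
# "initial install" generator proposed in the post. The answers to prompts 1, 2,
# 5 and 6 are passed as arguments and turned into Shorewall config files.
# Assumed: classic Shorewall 1.x column layouts for zones, interfaces, policy,
# masq and rules, with DROP standing in for the post's "DENY all inbound".
# Usage: gen_shorewall_configs OUTDIR EXT_IF EXT_DHCP(yes|no) INT_IF LAN_CIDR
gen_shorewall_configs() {
    outdir=$1 ext_if=$2 ext_dhcp=$3 int_if=$4 lan_net=$5
    # Validate the answers before writing anything: both zones on one NIC, an
    # odd DHCP answer or a malformed LAN prefix would produce a broken firewall.
    if [ -z "$ext_if" ] || [ -z "$int_if" ] || [ "$ext_if" = "$int_if" ]; then
        echo "external and internal interface must differ" >&2; return 1
    fi
    case $ext_dhcp in yes|no) ;; *) echo "DHCP answer must be yes or no" >&2; return 1 ;; esac
    case $lan_net in
        *.*.*.*/[0-9]|*.*.*.*/[12][0-9]|*.*.*.*/3[0-2]) ;;
        *) echo "LAN must be given as a.b.c.d/prefix" >&2; return 1 ;;
    esac
    mkdir -p "$outdir" || return 1
    ext_opts=detect                                  # BROADCAST column: auto-detect
    [ "$ext_dhcp" = yes ] && ext_opts="detect dhcp"  # OPTIONS: permit DHCP on the external NIC
    printf '#ZONE\tDISPLAY\tCOMMENTS\nnet\tNet\tInternet\nloc\tLocal\tLocal LAN\n' >"$outdir/zones"
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\nnet\t%s\t%s\nloc\t%s\tdetect\n' \
        "$ext_if" "$ext_opts" "$int_if" >"$outdir/interfaces"
    # Default policy from the post: the LAN may go out, everything inbound is
    # dropped and logged, and any other zone pair is rejected and logged.
    printf '#SOURCE\tDEST\tPOLICY\tLOG LEVEL\nloc\tnet\tACCEPT\nnet\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n' \
        >"$outdir/policy"
    printf '#INTERFACE\tSUBNET\n%s\t%s\n' "$ext_if" "$lan_net" >"$outdir/masq"
    # Rules file pre-sectioned per zone pair in the post's banner style, so
    # answers on the list can say "under Internet -> Local, add this rule".
    banner=$(printf '%76s' '' | tr ' ' '#')
    for pair in "Internet -> Local" "Local -> Internet"; do
        printf '%s\n%s %s %s\n%s\n#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS\n\n' \
            "$banner" '###########################' "$pair" '##############################' "$banner"
    done >"$outdir/rules"
}

# Stand-alone use: gen_shorewall_configs ./shorewall-demo eth0 yes eth1 192.168.1.0/24
if [ $# -eq 5 ]; then
    gen_shorewall_configs "$@" && echo "wrote Shorewall files to $1"
fi
```

Exceptions such as the port-forwarding rules from the post are then added under the matching section of the generated rules file rather than through parameters.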