[Shorewall-users] Quick Start Guide (fwd)

Tom Eastep teastep@shorewall.net
Wed, 10 Apr 2002 06:26:23 -0700 (Pacific Daylight Time)


On Wed, 10 Apr 2002, Richard Kimber wrote:

> On Tue, 9 Apr 2002 17:20:47 -0700 (Pacific Daylight Time)
> Tom Eastep <teastep@shorewall.net> wrote:
>
> > Version 1.0 of the Quick Start Guide and accompanying sample
> > configurations is available at:
> >
> > http://www.shorewall.net/shorewall_quickstart_guide.htm.
> >
> > Comments and suggestions are most welcome.
>
> Impressively quickly done.
>
> I have a few idiot questions that arise:
>
> I wasn't clear about the zones in a standalone system.  The document
> implies that you just have "net", but shouldn't there be a zone for the
> machine too, i.e. for 127.0.0.1?

That's the 'fw' zone that is described in the Guide.

> I thought there ought to be a rule that
> permits everything that doesn't go outside the machine, otherwise you may
> not be able to print, which I can't with the default setup, (using CUPS).
>

Shorewall NEVER restricts traffic through 127.0.0.1. If you have problems
with printing, there is something else involved.

> Also, I assume my CM is outside the fw and is thus part of the net zone,
> but I wasn't clear how to define a rule that allowed me to get my browser
> to connect to its IP (192.168.100.1) to read the status info, given the
> norfc1918 option.

If you have that requirement then you can't use 'norfc1918'.

> I tried
> ACCEPT   net:192.168.100.1  fw tcp 80
> but that didn't work
>

Er -- your browser is in the firewall which is connecting to the CM,
right? So your rule is backward.

> FYI one tiny typo in ZONE line of interfaces: "Much match"  "Must match" ?
>

Thanks.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
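The two fixes Tom describes above, written out as an added example (this is not text from the original message or from the Shorewall sample configurations). It assumes the Shorewall 1.x column layouts for the rules file (ACTION SOURCE DEST PROTO DEST PORT(S)) and the interfaces file (ZONE INTERFACE BROADCAST OPTIONS), and that the external interface is eth0; both file fragments are illustrative, not copied from the Guide.

```text
# /etc/shorewall/rules
#
# The browser runs on the firewall and opens the connection to the cable
# modem, so the firewall ('fw') is the SOURCE and the modem's address in
# the 'net' zone is the DEST.  The rule quoted in the question had these
# two columns swapped, which is why it "didn't work".
#
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
ACCEPT   fw      net:192.168.100.1  tcp    80

# /etc/shorewall/interfaces
#
# 192.168.100.1 is an RFC 1918 address, so 'norfc1918' on the external
# interface would discard the modem's packets before any rule is consulted.
# The OPTIONS column therefore must not contain norfc1918 (eth0 is assumed).
#
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect
```

Dropping norfc1918 removes the blanket check on private source addresses arriving from the net interface, so a practitioner making this change should be aware that the trade-off for reading the modem's status page is weaker anti-spoofing on that interface. Traffic to and from 127.0.0.1 needs no rule at all, as Tom notes: Shorewall does not restrict the loopback interface.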