[Shorewall-users] Hosts

Tom Eastep teastep@shorewall.net
Wed, 10 Apr 2002 09:14:44 -0700 (Pacific Daylight Time)


On Wed, 10 Apr 2002, Jim Hubbard wrote:

> I have a server behind a seperate hardware firewall.  The server handles
> some requests from the local network (smb, web, and mail) and from the
> internet (web & mail).  I have three zones defined for the server's single
> interface; adm, loc, and net.  In the hosts file, I defined the first 2 like
> this:
>
> adm		eth0:192.168.0.10		routestopped
> loc		eth0:192.168.0.0/24	routestopped
>
> The adm zone is also filtered by mac in the rules since it gets access to
> management tools (swat & webmin).  But incoming requests from my net zone,
> which since undefined should default to (0.0.0.0/0) got dropped by my
> all2all policy until I specified it in the hosts file like this:
>
> net		eth0:0.0.0.0/0
>
> Yes, I know my config is somewhat less than ideal, but I've got to make do
> with the hardware I have for now.  My point is that the zone defaults
> mentioned in the docs DO need to be specified in the hosts file (at least in
> this case).
>
> From the docs:
> "If you don't define any hosts for a zone, the hosts in the zone default to
> i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> zone.
>
> Note 1: You probably DON'T want to specify any hosts for your internet zone
> since the hosts that you specify will be the only ones that you will be able
> to access without adding additional rules."
>
> Or have I overlooked something?
>

What do your 'zones' and 'interfaces' files look like?

> While I'm at it, how can I deny rfc1918 ip's in my net zone and still accept
> them in the others?  The only thing I've come up with is to filter
> everything in loc by mac address too.
>
>

Why do you need to? Doesn't your outer firewall already filter these?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net