Wed, 10 Apr 2002 12:44:55 -0400
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Tom Eastep
> Sent: Wednesday, April 10, 2002 12:15 PM
> To: Jim Hubbard
> Cc: firstname.lastname@example.org
> Subject: Re: [Shorewall-users] Hosts
> On Wed, 10 Apr 2002, Jim Hubbard wrote:
> > I have a server behind a separate hardware firewall. The server handles
> > some requests from the local network (smb, web, and mail) and from the
> > internet (web & mail). I have three zones defined for the server's single
> > interface; adm, loc, and net. In the hosts file, I defined the first 2 like
> > this:
> > adm eth0:192.168.0.10 routestopped
> > loc eth0:192.168.0.0/24 routestopped
> > The adm zone is also filtered by mac in the rules since it gets access to
> > management tools (swat & webmin). But incoming requests from my net zone,
> > which since undefined should default to (0.0.0.0/0) got dropped by my
> > all2all policy until I specified it in the hosts file like this:
> > net eth0:0.0.0.0/0
> > Yes, I know my config is somewhat less than ideal, but I've got to make do
> > with the hardware I have for now. My point is that the zone defaults
> > mentioned in the docs DO need to be specified in the hosts file (at least in
> > this case).
> > From the docs:
> > "If you don't define any hosts for a zone, the hosts in the zone default to
> > i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the
> > zone.
> > Note 1: You probably DON'T want to specify any hosts for your internet zone
> > since the hosts that you specify will be the only ones that you will be able
> > to access without adding additional rules."
> > Or have I overlooked something?
> What do your 'zones' and 'interfaces' files look like?
Actually, instead of the ip's listed above I've defined them as parameters
like this in "params"
So my hosts file is actually:
#ZONE HOST(S) OPTIONS
adm eth0:$ADM_IPS routestopped
loc eth0:$LOC_IPS routestopped
I don't know why I prefer it this way, it's just less clutter I guess.
Anyway here are zones & interfaces:
#ZONE DISPLAY COMMENTS
adm Admin Local Administrator
loc Local Local Network
net Net Internet
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 192.168.0.255 routestopped,multi,blacklist
> > While I'm at it, how can I deny rfc1918 ip's in my net zone and still accept
> > them in the others? The only thing I've come up with is to filter
> > everything in loc by mac address too.
> Why do you need to? Doesn't your outer firewall already filter these?
My outer hardware firewall (Netgear RO318) cannot block certain addresses on
the outside from getting in. A port is either open to everyone (and
forwarded to the server) or it's closed. Curiously, I can restrict ip's on
the inside from accessing outside services. Go figure. Filtering loc by
mac wouldn't be a big deal for me since we only have about 8 local users. I
was just wondering if there was a better way.
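Added illustration, not part of the thread and not Shorewall code: a small Python model of the zone matching the message describes. It takes the three hosts entries from the thread (adm as one host, loc as the LAN, net as 0.0.0.0/0, all on eth0), classifies a source address by the most specific matching network (an assumption of this model, not a statement about how Shorewall resolves overlapping zones), and then applies the two checks discussed: drop RFC 1918 sources that land in net, and accept loc/adm sources only from an allow-listed MAC. The public test address and the MAC addresses are constructed for the example.

```python
import ipaddress

# Constructed zone table mirroring the hosts file quoted in the thread
# (single interface eth0). Illustrative model of the matching logic only,
# not Shorewall's own implementation.
HOSTS_WITH_NET = {
    "adm": ["192.168.0.10/32"],
    "loc": ["192.168.0.0/24"],
    "net": ["0.0.0.0/0"],
}
# The same table before the net line was added, as described in the message.
HOSTS_WITHOUT_NET = {k: v for k, v in HOSTS_WITH_NET.items() if k != "net"}

# Private address space (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed MAC allow-list for the loc/adm hosts (hypothetical addresses).
LOC_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def classify(src_ip, hosts):
    """Return the zone whose network most specifically contains src_ip,
    or None when no hosts entry matches (the case that fell through to
    the all2all policy in the thread). Most-specific-match is an
    assumption of this model."""
    ip = ipaddress.ip_address(src_ip)
    best_zone, best_len = None, -1
    for zone, nets in hosts.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


def is_rfc1918(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in RFC1918)


def decide(src_ip, src_mac, hosts=HOSTS_WITH_NET, loc_macs=LOC_MACS):
    """Return (zone, verdict). Verdicts:
       'accept'        zone matched and the packet passes both checks
       'drop-rfc1918'  private source address classified into net
       'drop-mac'      loc/adm source whose MAC is not on the allow-list
       'drop-policy'   no zone matched, so the all2all policy applies
    """
    zone = classify(src_ip, hosts)
    if zone is None:
        return None, "drop-policy"
    if zone == "net" and is_rfc1918(src_ip):
        return zone, "drop-rfc1918"
    if zone in ("adm", "loc") and src_mac not in loc_macs:
        return zone, "drop-mac"
    return zone, "accept"


if __name__ == "__main__":
    # Constructed sample packets: (source IP, source MAC, hosts table).
    samples = [
        ("203.0.113.5", "aa:bb:cc:dd:ee:ff", HOSTS_WITHOUT_NET),  # net undefined
        ("203.0.113.5", "aa:bb:cc:dd:ee:ff", HOSTS_WITH_NET),     # net defined
        ("10.1.2.3", "aa:bb:cc:dd:ee:ff", HOSTS_WITH_NET),        # private src in net
        ("192.168.0.20", "00:11:22:33:44:55", HOSTS_WITH_NET),    # known LAN host
        ("192.168.0.20", "aa:bb:cc:dd:ee:ff", HOSTS_WITH_NET),    # LAN address, unknown MAC
    ]
    for ip, mac, hosts in samples:
        zone, verdict = decide(ip, mac, hosts)
        print(f"{ip:<14} {mac}  zone={zone!s:<5} {verdict}")
```

The first sample reproduces the symptom in the message: with no net entry, a public source matches nothing and falls to the policy. The last two show why the MAC filter on loc is the only lever on a single interface: a packet carrying a LAN source address is classified as loc whether it came from the switch or was forwarded by the outer firewall, so the address alone cannot tell the two apart.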