[Shorewall-users] LAN server config?

Paul Gear paulgear@bigfoot.com
Wed, 30 Jan 2002 20:57:40 +1000


Jim Hubbard wrote:

> Tom,
> I have a router at home running Shorewall doing great, and I want to
> install
> it on our file/web/mail server at work too.  Problem is, I can't afford
> much downtime futzing around with it.  Can you recommend some Shorewall
> settings?  Here are the particulars:

Hi Jim,

It seems to me that you already know most of what you want.  There are only
a few ambiguities that need to be addressed.

> ...
> 2. The server has a single network card, a static ip (192.168.0.13), and
> is plugged into the security router just like every other box on the
> lan.

Do the requests appear to come from the Internet or the router?  (i.e. Does
the router do unidirectional NAT or bidirectional NAT?)  My guess would be
the former - requests still appear with the true source IP, and your router
does the outgoing translation.  If that is the case, i think you need two
zones, one for internal and one for external - the 'loc' and 'net' zones
provided by default should do the trick.  The 'loc' zone would be
192.168.0.0/24, and 'net' would be everything else.

> 3. The server runs a webserver on port 80 and a mailserver/pop3 MTA
> (both available to the internet and the lan).

Personally, if you are running standard POP3 over the Internet, i think you
are:
    a) crazy,
    b) an ISP, or
    c) both of the above.   :-)
I know users like it, but it really is quite insecure.

> For the LAN, it runs
> SAMBA, SWAT (port 901), and Webmin (port 10000), the last 2 only
> accessible from 192.168.0.10.
> ...

All of your services except SWAT & Webmin can be defined between the 'loc'
zone and the firewall.  You can do the other two with a simple
host-specific override in the rules file.  A separate zone for admin
workstations would require rule duplication (since they would require
access to all the same services as normal workstations).

> ...
> I realize this configuration is somewhat less than ideal.  In the
> future, I plan on replacing the hardware router with a Linux system
> using 3 NIC's to effectively separate Internet, LAN, and a DMZ, but for
> now I need to work with what I've got.

Personally, i don't feel that the 3 NIC model actually offers much more
protection than what you've got, since you would only have to compromise
one system (the firewall) to gain access to the entire network, whereas
your current model requires that two systems (the router and the Linux
server) be compromised, unless the Linux box is compromised through the
port-forwarded services.

> ...
> Right now, the server has NO firewall except what is provided by the
> router, so almost anything would be an improvement.  Would it help to
> configure the server's single NIC to have more than 1 IP?  If so, how?

I don't think it would help.  You can do all you want by defining shorewall
zones.

> Thanks in advance for any suggestions, and thanks again for a great
> piece of software.  Linux newbies like me would be lost without people
> like you making it relatively easy.

Tom has indeed made it very easy!  :-)

Paul
http://paulgear.webhop.net