[Shorewall-users] LAN server config?

Tom Eastep teastep@shorewall.net
Wed, 30 Jan 2002 06:18:50 -0800

On Wednesday 30 January 2002 02:57 am, Paul Gear wrote:
> Do the requests appear to come from the Internet or the router?  (i.e. does
> the router do unidirectional NAT or bidirectional NAT?)  My guess would be
> the former - requests still appear with the true source IP, and your router
> does the outgoing translation.  If that is the case, I think you need two
> zones, one for internal and one for external - the 'loc' and 'net' zones
> provided by default should do the trick.  The 'loc' zone would be
>, and 'net' would be everything else.

I agree.

> > 3. The server runs a webserver on port 80 and a mailserver/pop3 MTA
> > (both available to the internet and the lan).
> Personally, if you are running standard POP3 over the Internet, I think you
> are:
>     a) crazy,
>     b) an ISP, or
>     c) both of the above.   :-)
> I know users like it, but it really is quite insecure.

Yes -- a VPN solution would definitely be better.

> I don't think it would help.  You can do all you want by defining Shorewall
> zones.

I agree.

The only thing that I can add is that for NFS, I would open UDP port 111 and
ALL unpriv UDP ports from the NFS client (your server) to the NFS server.

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
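The setup discussed in this thread (a single-NIC server behind a NAT router, 'loc' for the LAN and 'net' for everything else, web/SMTP/POP3 open to both, and the server acting as NFS client to a LAN NFS server) written out as a Shorewall configuration. This is an added example, not configuration from the original posts or from the Shorewall project; it uses current Shorewall 4.x/5.x file syntax (the 2002 releases used the literal zone name "fw" where $FW appears here). The interface name eth0, the LAN subnet 192.168.1.0/24 and the NFS server address 192.168.1.10 are assumptions.

```text
# /etc/shorewall/zones
# Zone order matters here: 'loc' is listed before 'net' so that the LAN
# subnet (defined in the hosts file) is matched before the 0.0.0.0/0 catch-all.
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4

# /etc/shorewall/interfaces
# One NIC carries both zones, so the ZONE column is '-' and the hosts file
# assigns addresses to zones.  (eth0 is an assumed interface name.)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      tcpflags,nosmurfs

# /etc/shorewall/hosts
# 'loc' is the LAN subnet (assumed), 'net' is everything else.
#ZONE   HOSTS
loc     eth0:192.168.1.0/24
net     eth0:0.0.0.0/0

# /etc/shorewall/policy
# Default deny from the Internet; the firewall may reach the Internet freely,
# but traffic from the firewall into the LAN must be opened by explicit rules
# (this is what makes the NFS rules below necessary).
#SOURCE   DEST   POLICY   LOGLEVEL
loc       $FW    ACCEPT
$FW       net    ACCEPT
$FW       loc    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                PROTO   DPORT
# Web, SMTP and POP3 on the server itself, from the LAN and the Internet.
# ('all' covers every zone; POP3 from 'net' is what the thread warns against.)
ACCEPT    all      $FW                 tcp     80
ACCEPT    all      $FW                 tcp     25,110
# NFS: the firewall host is the NFS *client*; the NFS server is on the LAN
# (192.168.1.10 is an assumed address).  UDP 111 is the portmapper; mountd,
# statd and lockd are assigned ports dynamically by it, which is why the whole
# unprivileged UDP range has to be opened towards the NFS server.
ACCEPT    $FW      loc:192.168.1.10    udp     111
ACCEPT    $FW      loc:192.168.1.10    udp     1024:65535
```

Run `shorewall check` before `shorewall restart` so a column error is caught before the old ruleset is torn down. The wide 1024:65535 rule is the price of NFSv3's dynamic RPC ports; `rpcinfo -p 192.168.1.10` lists the ports the server's mountd/statd/lockd actually took, and if those daemons are pinned to fixed ports on the server the range can be narrowed to them. An NFS mount over TCP needs the same ports with `tcp` in the PROTO column, and NFSv4 needs only tcp/2049, with no portmapper traffic at all.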