[Shorewall-users] Using Nessus from behind Shorewall

franco segna fsegna at web.de
Thu Dec 4 09:50:27 PST 2003

I'm using Nessus (a remote vulnerability scanning tool) from behind 
Shorewall (now 1.4.5) running on various platforms (from Red Hat to 
Bering) with full satisfaction.
To make full use of the Nessus features I must usually restart shorewall 
with very permissive policies (the meaning of firewall is completely 
lost) for the time needed to conduct the remote tests, and then revert 
to the "armored" configuration.

My question is: is the use of the 'routestopped' file a better way than 
using alternate config files?
The requirements of Nessus are:

OUTBOUND ICMP except Time Exceeded, Timestamp Reply, Address 
    Mask Reply, and Destination unreachable (Echo Reply being 
    (ab)used by some backdoor protocols)
OUTBOUND TCP & UDP from any port to any port
INBOUND UDP from any port to any port
INBOUND ICMP Destination Unreachable, Echo Reply, Address Mask
    Reply, Timestamp Reply, Time Exceeded
INBOUND non-SYN TCP from any port to any port

My trials with routestopped were unsuccessful. Thanks in advance for any 

Franco Segna  -  fsegna at web.de
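The requirement list above can be expressed as ordinary Shorewall rules scoped to the scanner host, so the rest of the policy stays restrictive while Nessus runs; this is an added example, not configuration from the original post, and it does not use routestopped, whose purpose is to name hosts that may still reach the firewall while Shorewall is stopped rather than to carry per-host permissive rules. It assumes the Shorewall 1.4 column layout of /etc/shorewall/rules, a local zone named loc, a net zone, and a scanner at the constructed address 192.0.2.10; ICMP types are given numerically in the DEST PORT(S) column. Outbound ICMP is handled by dropping the four excluded types first and then accepting the rest, since rules are matched in order.

```text
# /etc/shorewall/rules (Shorewall 1.4 columns), added example for a Nessus host
# Assumed: zones loc and net, scanner address 192.0.2.10 (constructed)
#ACTION  SOURCE           DEST             PROTO  DEST PORT(S)  SOURCE PORT(S)

# Scanner -> net: all ICMP except Destination Unreachable (3),
# Time Exceeded (11), Timestamp Reply (14), Address Mask Reply (18)
DROP     loc:192.0.2.10   net              icmp   3
DROP     loc:192.0.2.10   net              icmp   11
DROP     loc:192.0.2.10   net              icmp   14
DROP     loc:192.0.2.10   net              icmp   18
ACCEPT   loc:192.0.2.10   net              icmp

# Scanner -> net: TCP and UDP, any port to any port
ACCEPT   loc:192.0.2.10   net              tcp
ACCEPT   loc:192.0.2.10   net              udp

# Net -> scanner: UDP, any port to any port
ACCEPT   net              loc:192.0.2.10   udp

# Net -> scanner: Echo Reply (0), Destination Unreachable (3),
# Time Exceeded (11), Timestamp Reply (14), Address Mask Reply (18)
ACCEPT   net              loc:192.0.2.10   icmp   0
ACCEPT   net              loc:192.0.2.10   icmp   3
ACCEPT   net              loc:192.0.2.10   icmp   11
ACCEPT   net              loc:192.0.2.10   icmp   14
ACCEPT   net              loc:192.0.2.10   icmp   18
```

The inbound non-SYN TCP requirement is the one this file does not express. Replies to connections the scanner itself opened already pass through connection tracking without any rule, and non-SYN segments that match no tracked connection are governed by the NEWNOTSYN setting in shorewall.conf rather than by the rules file; with its default of No they are dropped before the rules are consulted. Restricting every line to the scanner's address keeps the permissive window confined to one host, which is the difference between this and relaxing the zone policies for the duration of a scan.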
