[Shorewall-users] Using Nessus from behind Shorewall
shorewall at rettc.com
Thu Dec 4 02:53:35 PST 2003
Check out whitelisting:
I am not sure if this still works under the latest versions, I can't imagine why
The docs suggest this will work for versions >= 1.3.1 which of course includes
First you define a /etc/shorewall/zone entry and a /etc/shorewall/hosts entry
for 'somenewzone' as a sub-zone of 'loc' from the standard three interface
Then you add /etc/shorewall/policy entries to effectively "whitelist" your new
sub-zone to whatever degree you specify.
After defining a policy, you can still allow/drop specific traffic with
/etc/shorewall/rules to be explicit.
In your case 'somenewzone' might define a single host.
I would like to know if this works for you, please post back. If I have a bit of
time I will try it myself.
Behavior defined in /etc/shorewall/routestopped is only functional when the
firewall is stopped.
There are instructions for earlier versions of shorewall if you search for
"whitelist" on www.shorewall.net as well.
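Added example (not from either message or from the Shorewall project docs): the four config fragments the reply describes, written in Shorewall 1.4 file syntax, with the sub-zone named 'scan' and the scanner at 192.168.1.10 on eth1 (both constructed values). The rules translate the inbound ICMP and UDP requirements quoted in the original question; inbound TCP replies to connections the scanner opens are already matched by connection tracking, so no explicit net->scan TCP rule is given, and only the single scanner host is exposed rather than the whole loc zone.

```text
# /etc/shorewall/zones
# The sub-zone must be listed before its parent zone 'loc' so that
# traffic from 192.168.1.10 is matched as 'scan' first.
#ZONE   DISPLAY     COMMENTS
scan    Scanner     Nessus host, sub-zone of loc (constructed example)
net     Net         Internet
loc     Local       Local network
dmz     DMZ         Demilitarized zone

# /etc/shorewall/interfaces  (unchanged from the three-interface sample)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/hosts
# 192.168.1.10 is a constructed address; it is a member of loc's
# interface but is placed in the 'scan' zone.
#ZONE   HOST(S)                 OPTIONS
scan    eth1:192.168.1.10

# /etc/shorewall/policy
# Add these ABOVE the stock loc/net/dmz policies: the first matching
# policy wins. Outbound from the scanner is wide open as Nessus needs;
# inbound to the scanner stays DROP and is logged, with the few
# exceptions below handled in /etc/shorewall/rules.
#SOURCE DEST    POLICY  LOG LEVEL
scan    net     ACCEPT
net     scan    DROP    info

# /etc/shorewall/rules
# ICMP types go in the DEST PORT(S) column. These are the reply types
# listed in the original question; Echo Request (8) is deliberately
# not accepted inbound.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# inbound UDP from any port to any port
ACCEPT  net     scan    udp
# echo reply
ACCEPT  net     scan    icmp    0
# destination unreachable
ACCEPT  net     scan    icmp    3
# time exceeded
ACCEPT  net     scan    icmp    11
# timestamp reply
ACCEPT  net     scan    icmp    14
# address mask reply
ACCEPT  net     scan    icmp    18
```

Run `shorewall check` before `shorewall restart` to catch column mistakes. Because the sub-zone is built into the running configuration, the scanner keeps its access across restarts without touching /etc/shorewall/routestopped, which only matters while the firewall is stopped. If a particular Nessus test really does need unsolicited inbound TCP, changing `net scan DROP info` to `ACCEPT` exposes exactly one host, not the whole local network, and the log line on the DROP policy shows which probes were blocked.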
----- Original Message -----
From: "franco segna" <fsegna at web.de>
To: <shorewall-users at lists.shorewall.net>
Sent: Thursday, December 04, 2003 1:50 AM
Subject: [Shorewall-users] Using Nessus from behind Shorewall
> I'm using Nessus (a remote vulnerability scanning tool) from behind
> Shorewall (now 1.4.5) running on various platforms (from Red Hat to
> Bering) with full satisfaction.
> To make full use of the Nessus features I must usually restart shorewall
> with very permissive policies (the meaning of firewall is completely
> lost) for the time needed to conduct the remote tests, and then revert
> to the "armored" configuration.
> My question is: is the use of the 'routestopped' file a better way than
> using alternate config files?
> The requirements of Nessus are:
> OUTBOUND ICMP except Time Exceeded, Timestamp Reply, Address
> Mask Reply, and Destination unreachable (Echo Reply being
> (ab)used by some backdoor protocols)
> OUTBOUND TCP & UDP from any port to any port
> INBOUND UDP from any port to any port
> INBOUND ICMP Destination Unreachable, Echo Reply, Address Mask
> Reply, Timestamp Reply, Time Exceeded
> INBOUND non-SYN TCP from any port to any port
> My trials with routestopped were unsuccessful. Thanks in advance for any
> Franco Segna - fsegna at web.de
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm