[Shorewall-users] Using Nessus from behind Shorewall

Alex Martin shorewall at rettc.com
Thu Dec 4 02:53:35 PST 2003

Check out whitelisting:


I am not sure if this still works under the latest versions, I can't imagine why

The doc's suggest this will work for versions >= 1.3.1 which of course includes

First you define a /etc/shorewall/zone entry and a /etc/shorewall/hosts entry
for 'somenewzone' as a sub-zone of 'loc' from the standard three interface

Then you add /etc/shorewall/policy entries to effectively "whitelist" your new
sub-zone to whatever degree you specify.
After defining a policy, you can still allow/drop specific traffic with
/etc/shorewall/rules to be explicit.

In your case 'somenewzone' might define a single host.

I would like to know if this works for you, please post back. If I have a bit of
time I will try it myself.

Behavior defined in /etc/shorewall/routestopped is only functional when the
firewall is stopped.

There are instructions for earlier versions of shorewall if you search for
"whitelist" on www.shorewall.net as well.

Alex Martin

----- Original Message ----- 
From: "franco segna" <fsegna at web.de>
To: <shorewall-users at lists.shorewall.net>
Sent: Thursday, December 04, 2003 1:50 AM
Subject: [Shorewall-users] Using Nessus from behind Shorewall

> I'm using Nessus (a remote vulnerability scanning tool)  from behind
> Shorewall (now 1.4.5) running on various platforms (from Red Hat to
> Bering) with full satisfaction.
> To make full use of the Nessus features I must usually restart shorewall
> with  very permissive policies (the meaning of firewall is completely
> lost) for the time needed to conduct the remote tests, and then revert
> to the "armored" configuration.
> My question is : is the use of the 'routestopped" file a better way than
> using alternate config files ?
> The requirements of Nessus are:
> OUTBOUND ICMP except Time Exceeded, Timestamp Reply, Address
>     Mask Reply, and Destination unreachable (Echo Reply being
>     (ab)used by some backdoor protocols)
> OUTBOUND TCP & UDP from any port to any port
> INBOUND UDP from any port to any port
> INBOUND ICMP Destination Unreachable, Echo Reply, Address Mask
>     Reply, Timestamp Reply, Time Exceeded
> INBOUND non-SYN TCP from any port to any port
> My trials with routestopped were unsuccessful. Thanks in advance for any
> help
> Franco
> -- 
> Franco Segna  -  fsegna at web.de
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe:
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

More information about the Shorewall-users mailing list