[Shorewall-users] fw to fw question

Phil DeVries pdevries at ebw-electronics.com
Wed Sep 22 14:05:26 PDT 2004

Hi.  I'm a happy shorewall user.  I found something that looks
like a possible bug.

I'm using shorewall on a single computer at home.  I'm using the
privoxy proxy server and dansguardian content filter.  I
configured shorewall based on the "one interface" example
from the shorewall.net website.  I set the firewall up so that
users cannot directly connect to port 80 or to the proxy server,
but the only path to port 80 is through the dansguardian
content filter.  The relevant section of my "rules" file is:

#WWW (Forced Proxy Server)
#    Dansguardian (content filter) is set up to accept connections
#    on port 8080, and connect to the proxy server on port 8118
#    Privoxy (Advertising blocker) is set up to accept connections
#    on port 8118, and connect to the internet on port 80.
#    Both Dansguardian and Privoxy run under the user 'proxy'
#    The two "ACCEPT" rules explicitly permit user 'proxy' to
#    connect to the Privoxy server and to the internet. 
#    The two "DROP" rules prevent all other connections to
#    internal port 8118 or to external port 80.
#    The "ACCEPT fw fw" rule accepts all other internal traffic.
#    I think this is a bug in SHOREWALL--without this line
#    all other internal traffic is blocked! 
ACCEPT		fw	net	tcp	80	- - - proxy
ACCEPT		fw	fw	tcp	8118	- - - proxy
DROP		fw	fw	tcp	8118
DROP		fw	net	tcp	80
ACCEPT		fw	fw

The "bug" is (as also noted in the comment), once I set up a
single firewall to firewall rule, all other firewall to firewall
connections (all internal local traffic) are blocked.  I need to
explicitly tell the firewall that all other internal traffic is

I don't need an answer to this since I've got everything working
as I want.  I'm not a list subscriber, so please copy me if you
want me to be involved in any follow up on this.  Thanks.

Philip DeVries
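As an added example that is not part of the post above and is not Shorewall's own code, the following Python script models the ordering behaviour the poster describes: rules are checked top to bottom, the first match wins, and traffic that matches no rule falls through to the zone policy. The rules are the five lines from the post; the policy table is an assumption taken from the "one interface" sample (fw net ACCEPT, net all DROP, all all REJECT), since the post does not show the poster's policy file. Running a rule set through a model like this before deploying it is a cheap way to see which flows end up at the catch-all policy.

```python
"""Added example: a first-match simulator for a Shorewall-style rules file.

Not Shorewall's own code. It only models the ordering behaviour described
in the post: first matching rule wins; unmatched traffic hits the policy.
"""
from dataclasses import dataclass

# The five rules from the post (comments stripped). The last line is the
# catch-all "ACCEPT fw fw" the poster added.
RULES_TEXT = """
ACCEPT  fw  net tcp 80   - - - proxy
ACCEPT  fw  fw  tcp 8118 - - - proxy
DROP    fw  fw  tcp 8118
DROP    fw  net tcp 80
ACCEPT  fw  fw
"""

# ASSUMPTION: the policy file from the "one interface" sample, most specific
# zone pair first and 'all all' last. The post does not show this file.
POLICY_TEXT = """
fw   net  ACCEPT
net  all  DROP
all  all  REJECT
"""


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    user: str = "-"


@dataclass
class Packet:
    source: str   # source zone, e.g. "fw"
    dest: str     # destination zone, e.g. "fw" or "net"
    proto: str
    dport: int
    user: str     # local user that opened the socket


def parse_rules(text):
    """Parse rules lines; columns are ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (9 - len(cols))      # pad missing trailing columns
        rules.append(Rule(cols[0], cols[1], cols[2], cols[3], cols[4], cols[8]))
    return rules


def parse_policy(text):
    """Parse policy lines into (source_zone, dest_zone, action) tuples."""
    policies = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, action = line.split()[:3]
            policies.append((src, dst, action))
    return policies


def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def rule_matches(rule, pkt):
    """A '-' column matches anything; every other column must match exactly."""
    if rule.source != pkt.source or rule.dest != pkt.dest:
        return False
    if rule.proto != "-" and rule.proto != pkt.proto:
        return False
    if rule.dport != "-" and int(rule.dport) != pkt.dport:
        return False
    if rule.user != "-" and rule.user != pkt.user:
        return False
    return True


def evaluate(rules, policies, pkt):
    """Return (action, reason): first matching rule wins, else the zone policy."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {i + 1}"
    for src, dst, action in policies:
        if _zone_match(src, pkt.source) and _zone_match(dst, pkt.dest):
            return action, f"policy {src} {dst}"
    return "REJECT", "no policy"   # unreachable while an 'all all' policy exists


def decide(pkt, with_catch_all=True):
    """Evaluate a packet against the post's rules, optionally without the final ACCEPT fw fw."""
    rules = parse_rules(RULES_TEXT)
    if not with_catch_all:
        rules = rules[:-1]
    return evaluate(rules, parse_policy(POLICY_TEXT), pkt)


if __name__ == "__main__":
    # Constructed sample flows; 'alice' stands for any user other than 'proxy'.
    for label, pkt, catch_all in [
        ("proxy -> net:80", Packet("fw", "net", "tcp", 80, "proxy"), True),
        ("alice -> net:80", Packet("fw", "net", "tcp", 80, "alice"), True),
        ("alice -> fw:8118", Packet("fw", "fw", "tcp", 8118, "alice"), True),
        ("alice -> fw:22 (with catch-all)", Packet("fw", "fw", "tcp", 22, "alice"), True),
        ("alice -> fw:22 (no catch-all)", Packet("fw", "fw", "tcp", 22, "alice"), False),
    ]:
        print(f"{label:35s} {decide(pkt, catch_all)}")
```

The last case is the situation the post describes: with the trailing "ACCEPT fw fw" removed, an fw-to-fw connection on any port other than 8118 matches no rule and lands on the assumed "all all REJECT" policy, which is why the poster saw all other local traffic blocked.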