> If shorewall is so easy, then just email to me the config files for a 3 nic
> network, with DMZ based web server, and only internally (LAN) initiated
> connections allowed, in the form of config files, OK?
Sure, there are 5 files you'd need to set up and, as per your request, it is limited to web service on the DMZ box and outbound connections only. Took me all of 5 minutes to sketch this out and yes, it would work as-is.

Hand-coding the iptables rules, while instructional, is really painful when you're trying to work with a production server. When you get down to it, iptables is not super difficult to learn, but the syntax and nuances can be a pain to try to get straight. It is for that reason that I tend to push folks away from direct iptables coding when the messages come up on the list; it is typically much simpler to say 'set up shorewall like this' than it is to get them to understand about defining the connection tracking rules before the general rules, manage the default policies, include the bits and pieces of iptables that can filter out bogus tcp/udp packets, etc. etc. I certainly wasn't trying to rain on your educational parade.

/etc/shorewall/interfaces:

    # Assumes you're getting IP address from dhcp server
    net     eth0    detect  dhcp,routefilter,norfc1918,tcpflags
    # Assumes you're serving dhcp to internal systems
    loc     eth1    detect  dhcp,tcpflags
    # Assumes DMZ has fixed IP addresses
    dmz     eth2    detect  tcpflags

/etc/shorewall/masq:

    # All outgoing traffic should be masqueraded as coming from the primary card
    eth0    eth1
    eth0    eth2

/etc/shorewall/policy:

    # Allow any outbound traffic from local network
    loc     net     ACCEPT
    # Allow any outbound traffic initiated from the DMZ
    dmz     net     ACCEPT
    # Allow traffic between DMZ and local zone
    dmz     loc     ACCEPT
    loc     dmz     ACCEPT
    # Drop any incoming packets
    net     all     DROP
    # throw away the rest
    all     all     REJECT

/etc/shorewall/zones:

    net     Net     Internet
    loc     Local   Local Networks
    dmz     DMZ     Demilitarized Zone

/etc/shorewall/rules:

    # Allow ports 80, 443 to go to the DMZ via dnat
    # Assumes web server is at ip address below
    DNAT    net     dmz:192.168.1.10    tcp     80,443

--
gentoo-user@gentoo.org mailing list
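An added example, not part of the post above and not Shorewall's own tooling: a small POSIX shell audit that reads a policy file in the SOURCE/DEST/POLICY layout shown above and flags every ACCEPT policy that lets a less trusted zone open connections into a more trusted one. Shorewall applies policy lines first-match, so the zone pair matters more than the position. Run against the posted file it reports one finding, the `dmz loc ACCEPT` line, because that lets a host in the DMZ (the one exposed to the Internet via DNAT) initiate connections into the LAN, which the original request ("only internally initiated connections") did not ask for. The zone names are the ones from the post; the firewall zone name `fw`, the trust ranking, and the hardened variant of the file are this example's own assumptions, and both policy files are constructed sample input embedded in the script.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Shorewall policy file
# for ACCEPT policies that cross from a less trusted zone into a more trusted
# one. Usage on a real box: audit_policy < /etc/shorewall/policy

# Trust rank of a zone, higher = more trusted. Zone names net/loc/dmz come
# from the post; "fw" as the firewall zone and the ranking are assumptions.
zone_rank() {
    case "$1" in
        net) echo 0 ;;
        dmz) echo 1 ;;
        loc) echo 2 ;;
        fw)  echo 3 ;;
        *)   echo 0 ;;   # unknown zone: treat as untrusted (conservative)
    esac
}

# audit_policy: reads a policy file on stdin, prints each risky line to
# stderr, and writes the number of risky policies to stdout.
# Blank and comment lines are skipped; only SOURCE DEST POLICY are examined.
audit_policy() {
    risky=0
    while read -r src dst pol _rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$pol" = "ACCEPT" ] || continue
        # "all" as a source is the least trusted thing that can appear;
        # "all" as a destination includes the firewall itself, the most trusted.
        if [ "$src" = "all" ]; then srank=-1; else srank=$(zone_rank "$src"); fi
        if [ "$dst" = "all" ]; then drank=3;  else drank=$(zone_rank "$dst"); fi
        if [ "$srank" -lt "$drank" ]; then
            echo "risky: $src -> $dst $pol (less trusted zone may initiate into more trusted one)" >&2
            risky=$((risky + 1))
        fi
    done
    echo "$risky"
}

# Constructed sample input: the policy file exactly as posted.
POSTED_POLICY='# SOURCE DEST POLICY
loc     net     ACCEPT
dmz     net     ACCEPT
dmz     loc     ACCEPT
loc     dmz     ACCEPT
net     all     DROP
all     all     REJECT'

# Constructed sample input: the same file with DMZ-to-LAN made an explicit
# REJECT, so only the LAN may initiate connections into the DMZ (assumed
# hardening, not from the post).
HARDENED_POLICY='# SOURCE DEST POLICY
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     loc     REJECT
net     all     DROP
all     all     REJECT'

# Convenience wrappers returning the finding count for each sample file.
count_posted()   { printf '%s\n' "$POSTED_POLICY"   | audit_policy; }
count_hardened() { printf '%s\n' "$HARDENED_POLICY" | audit_policy; }

# Stand-alone run: report findings for both sample files.
echo "posted policy: $(count_posted) risky polic(y/ies)"
echo "hardened policy: $(count_hardened) risky polic(y/ies)"
```

The check is deliberately coarse: it only looks at the policy file, not at the rules file, so a `dmz loc REJECT` policy still leaves room for narrow, explicit ACCEPT rules (for example a DMZ web server reaching a LAN database on one port), which is the usual way to express the exceptions without a blanket zone-to-zone ACCEPT.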