Dave Nebinger <dnebinger <at> joat.com> writes:

> > > If shorewall is so easy, then just email
> > > to me the config files for a 3 nic network, with DMZ based web server,
> > > and only internally (LAN) initiated connections allowed, in the form
> > > of config files, OK?
>
> Sure, there's 5 files you'd need to set up and, as per your request, it is
> limited to web service on DMZ box and outbound connections only. Took me
> all of 5 minutes to sketch this out and yes, it would work as-is.
>

The cable modem is a single static IP. Internally I route everything
statically from the LAN to the firewall, via a gateway (no dhcp). Likewise
on the DMZ web server.

> Hand-coding the iptables rules, while instructional, is really painful when
> you're trying to work with a production server. When you get down to it,
> iptables is not super difficult to learn, but the syntax and nuances can be
> a pain to try to get straight.

OK, I agree.

> It is for that reason that I tend to push folks away from direct iptables
> coding when the messages come up on the list; it is typically much simpler
> to say 'set up shorewall like this' than it is to get them to understand
> about defining the connection tracking rules before the general rules,
> manage the default policies, include the bits and pieces of iptables that
> can filter out bogus tcp/udp packets, etc. etc. I certainly wasn't trying
> to rain on your educational parade.

It's not a parade, it's what old-timers do, it's how I learn.

> /etc/shorewall/interfaces:
> # Assumes you're getting IP address from dhcp server
> net eth0 detect dhcp,routefilter,norfc1918,tcpflags
> # Assumes you're serving dhcp to internal systems
> loc eth1 detect dhcp,tcpflags

How about for a static:

loc eth1 detect tcpflags <????????>

> # Assumes DMZ has fixed IP addresses
> dmz eth2 detect tcpflags
>
> /etc/shorewall/masq:
> # All outgoing traffic should be masqueraded as coming from the primary card
> eth0 eth1
> eth0 eth2
>
> /etc/shorewall/policy:
> # Allow any outbound traffic from local network
> loc net ACCEPT
> # Allow any outbound traffic initiated from the DMZ
> dmz net ACCEPT
> # Allow traffic between DMZ and local zone
> dmz loc ACCEPT
> loc dmz ACCEPT
> # Drop any incoming packets
> net all DROP
> # throw away the rest
> all all REJECT
>
> /etc/shorewall/zones:
> net Net Internet
> loc Local Local Networks
> dmz DMZ Demilitarized Zone
>
> /etc/shorewall/rules:
> # Allow ports 80, 443 to go to the DMZ via dnat
> # Assumes web server is at ip address below
> DNAT net dmz:192.168.1.10 tcp 80,443

Dave,

Thanks for your help. I think I've got enough here to get it basically
working. Once I make the rulesets more complex, I'll use shorewall
generated rules and configs to see what I have missed.

Thanks for your patience,

James

-- 
gentoo-user@gentoo.org mailing list
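For readers following the hand-coding route James describes, here is the iptables equivalent of the five Shorewall files quoted in the thread, written as an added example (not code from the thread or from Shorewall) for the static layout James has: cable modem on eth0 (net), LAN on eth1 (loc), DMZ on eth2 (dmz). The web server address 192.168.1.10 comes from Dave's rules file; the LAN subnet 192.168.0.0/24 and DMZ subnet 192.168.1.0/24 are assumptions, as is the use of the legacy `-m state` match. By default IPT expands to `echo iptables`, so the script prints the rule set in order for review and changes nothing; run it as root with `IPT=iptables SYSCTL=sysctl` to apply it. The ordering follows the point Dave makes above: connection tracking first, then the one inbound DNAT path, then the zone policies, then the catch-all DROP/REJECT.

```shell
#!/bin/sh
# Added example: hand-coded iptables equivalent of the quoted Shorewall
# files for a 3-NIC firewall (net=eth0, loc=eth1, dmz=eth2).
# Assumptions not taken from the thread: LAN 192.168.0.0/24, DMZ
# 192.168.1.0/24. The web server 192.168.1.10 is from Dave's rules file.
# Dry run by default: IPT="echo iptables" prints each command for review.
# Apply for real (as root) with: IPT=iptables SYSCTL=sysctl sh fw.sh
set -eu

IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

NET_IF=eth0; LOC_IF=eth1; DMZ_IF=eth2
LOC_NET=192.168.0.0/24       # assumption
DMZ_NET=192.168.1.0/24       # assumption
WEB=192.168.1.10             # from the quoted /etc/shorewall/rules

gen_rules() {
    # Forwarding between the three cards, plus the 'routefilter' option:
    # reverse-path filtering on the external interface.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.$NET_IF.rp_filter=1

    # Start clean. Default DROP on INPUT/FORWARD is the firewall-side
    # reading of 'net all DROP'; OUTPUT from the box itself stays open.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # 'tcpflags': drop segments with impossible TCP flag combinations
    # (the "bogus tcp packets" filtering Dave mentions).
    $IPT -N tcpflags
    $IPT -A tcpflags -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A tcpflags -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    $IPT -A INPUT -p tcp -j tcpflags
    $IPT -A FORWARD -p tcp -j tcpflags

    # 'norfc1918' on the net interface: private source addresses cannot
    # legitimately arrive from the cable modem side.
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i $NET_IF -s $n -j DROP
        $IPT -A FORWARD -i $NET_IF -s $n -j DROP
    done

    # Connection tracking BEFORE the general rules: replies to connections
    # accepted on their first packet pass here; only NEW traffic is judged
    # by the zone rules below.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # rules: DNAT net dmz:192.168.1.10 tcp 80,443  (the only inbound path)
    $IPT -t nat -A PREROUTING -i $NET_IF -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination $WEB
    $IPT -A FORWARD -i $NET_IF -o $DMZ_IF -d $WEB -p tcp -m multiport \
        --dports 80,443 -m state --state NEW -j ACCEPT

    # policy: loc net / dmz net / dmz loc / loc dmz ACCEPT
    $IPT -A FORWARD -i $LOC_IF -o $NET_IF -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $NET_IF -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $LOC_IF -j ACCEPT
    $IPT -A FORWARD -i $LOC_IF -o $DMZ_IF -j ACCEPT

    # policy: net all DROP, then all all REJECT
    $IPT -A INPUT -i $NET_IF -j DROP
    $IPT -A FORWARD -i $NET_IF -j DROP
    $IPT -A INPUT -j REJECT
    $IPT -A FORWARD -j REJECT

    # masq: eth0 eth1 / eth0 eth2
    $IPT -t nat -A POSTROUTING -o $NET_IF -s $LOC_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $NET_IF -s $DMZ_NET -j MASQUERADE
}

gen_rules
```

Two things to check before applying a rule set like this, both inherited from the quoted policy file: `all all REJECT` with no `loc fw` rule means the LAN cannot reach the firewall box itself (no ssh to it), so add an explicit rule for that before relying on the box remotely; and `dmz loc ACCEPT` lets the DMZ web server open connections into the LAN, which is wider than "only internally initiated connections" and is the first line to tighten if that host is ever compromised.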