Dave Nebinger wrote:
>> If shorewall is so easy, then just email to me the config files for a
>> 3 nic network, with DMZ based web server, and only internally (LAN)
>> initiated connections allowed, in the form of config files, OK?
>
> Sure, there's 5 files you'd need to set up and, as per your request, it is
> limited to web service on DMZ box and outbound connections only. Took me
> all of 5 minutes to sketch this out and yes, it would work as-is.
>
> Hand-coding the iptables rules, while instructional, is really painful when
> you're trying to work with a production server. When you get down to it,
> iptables is not super difficult to learn, but the syntax and nuances can be
> a pain to try to get straight.
>
> It is for that reason that I tend to push folks away from direct iptables
> coding when the messages come up on the list; it is typically much simpler
> to say 'set up shorewall like this' than it is to get them to understand
> about defining the connection tracking rules before the general rules,
> manage the default policies, include the bits and pieces of iptables that
> can filter out bogus tcp/udp packets, etc. etc. I certainly wasn't trying
> to rain on your educational parade.
>
> /etc/shorewall/interfaces:
> # Assumes you're getting IP address from dhcp server
> net eth0 detect dhcp,routefilter,norfc1918,tcpflags
> # Assumes you're serving dhcp to internal systems
> loc eth1 detect dhcp,tcpflags
> # Assumes DMZ has fixed IP addresses
> dmz eth2 detect tcpflags
>
> /etc/shorewall/masq:
> # All outgoing traffic should be masqueraded as coming from the primary card
> eth0 eth1
> eth0 eth2
>
> /etc/shorewall/policy:
> # Allow any outbound traffic from local network
> loc net ACCEPT
> # Allow any outbound traffic initiated from the DMZ
> dmz net ACCEPT
> # Allow traffic between DMZ and local zone
> dmz loc ACCEPT
> loc dmz ACCEPT
> # Drop any incoming packets
> net all DROP
> # throw away the rest
> all all REJECT
>
> /etc/shorewall/zones:
> net Net Internet
> loc Local Local Networks
> dmz DMZ Demilitarized Zone
>
> /etc/shorewall/rules:
> # Allow ports 80, 443 to go to the DMZ via dnat
> # Assumes web server is at ip address below
> DNAT net dmz:192.168.1.10 tcp 80,443
>

I think it might be important to point out here how Shorewall handles/uses
these files. I don't use Shorewall, so I can't really shed light on it. But
these config files are really only one side of the mirror.

Just my 2¢.

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993

--
gentoo-user@gentoo.org mailing list
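The quoted Shorewall files state the policy; the other side of the mirror is the iptables ruleset that policy becomes. The script below is an added example written for this thread, not Dave's message and not output of Shorewall itself: one hand-coded iptables ruleset for the same three-NIC layout, built in the order Dave's message describes (default policies, connection tracking before the general rules, bogus TCP-flag and spoofed-RFC1918 filters, then the zone rules, the DNAT and the masquerade). The interface names, zones and the web server address 192.168.1.10 come from the quoted config; the DHCP rules, the RFC1918 list and the DRY_RUN switch are assumptions of this example. With DRY_RUN=1 (the default) it only prints the commands so the policy can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example: iptables equivalent of the quoted 3-NIC Shorewall policy.
# Interface names and the DMZ web server address are taken from the thread;
# everything else here is an assumption of this example.

NET_IF=eth0            # Internet-facing NIC ("net" zone)
LOC_IF=eth1            # LAN ("loc" zone)
DMZ_IF=eth2            # DMZ ("dmz" zone)
WEB_SERVER=192.168.1.10
DRY_RUN=${DRY_RUN:-1}  # 1 = print the rules, 0 = apply them (needs root)

# Wrapper so the whole ruleset can be reviewed before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # 1. Default policies: nothing crosses or reaches the firewall unless allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 2. Connection tracking first: replies to flows already allowed pass early,
    #    so every later rule only has to reason about NEW connections.
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # 3. Bogus TCP flag combinations (what the 'tcpflags' option covers).
    for f in "ALL NONE" "ALL ALL" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST"; do
        set -- $f
        ipt -A INPUT   -p tcp --tcp-flags "$1" "$2" -j DROP
        ipt -A FORWARD -p tcp --tcp-flags "$1" "$2" -j DROP
    done

    # 4. Private source addresses arriving from the Internet are spoofed
    #    ('norfc1918'); assumed list, adjust if your ISP hands out private space.
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT   -i "$NET_IF" -s "$n" -j DROP
        ipt -A FORWARD -i "$NET_IF" -s "$n" -j DROP
    done

    # 5. The 'dhcp' interface option: firewall is a DHCP client on net and a
    #    DHCP server on loc (assumed port usage for an example).
    ipt -A INPUT -i "$NET_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A INPUT -i "$LOC_IF" -p udp --dport 67 -j ACCEPT

    # 6. Zone policy: loc->net, dmz->net, dmz<->loc may open new connections.
    ipt -A FORWARD -i "$LOC_IF" -o "$NET_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$NET_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$LOC_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$LOC_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT

    # 7. The single inbound service: DNAT 80/443 from the Internet to the DMZ
    #    web server, plus the FORWARD rule that lets the translated packet through.
    ipt -t nat -A PREROUTING -i "$NET_IF" -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination "$WEB_SERVER"
    ipt -A FORWARD -i "$NET_IF" -o "$DMZ_IF" -d "$WEB_SERVER" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # 8. Masquerade LAN and DMZ behind the Internet NIC's address.
    ipt -t nat -A POSTROUTING -o "$NET_IF" -j MASQUERADE
}

build_ruleset
```

Everything the Shorewall 'policy' file leaves to the catch-all lines (net all DROP, all all REJECT) is carried here by the DROP default policies, which is why the ordering matters: a FORWARD rule placed before the conntrack rule would have to be written to match both directions of every flow.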