This was the default except for 1000 and 3128. It doesn't work anyway, that is why I am asking. 10000 is webmin. I hate running to the server to manage it.

What I would like is to have everything bound to eth0 and deny all but ssh to eth1.

-----Original Message-----
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall

From: "Lawson, Jim" <[EMAIL PROTECTED]>

> Every time I start Shorewall, squid and everything is denied. Can
> anyone help me setting these up?
> I think Jack said to manually do this yesterday. I get the same problem.
>
> Add a new firewall rule
> Action  Source    Destination  Protocol  Source ports  Destination ports                  Move
> ACCEPT  Zone net  Zone fw      TCP       Any           53,22,137,138,139,631,3128,10000
> ACCEPT  Zone net  Zone fw      UDP       Any           53,137,138,139,631
> ACCEPT  Zone loc  Zone fw      TCP       Any           53,22,137,138,139,631,3128,10000
> ACCEPT  Zone loc  Zone fw      UDP       Any           53,137,138,139,631
> Add a new firewall rule

If I understand this correctly, you have made a nice attack point for hackers...

Assuming 'net' is Internet, 'fw' is the firewall, and 'loc' is your local lan.. if so, you have your system open for attacks/misuse on dns, samba, squid, ...

Here is what you need:

---cut---
#ACTION  SOURCE  DEST  PROTO  DEST          SOURCE   ORIGINAL
#                             PORT          PORT(S)  DEST
#
# access from the internet only to ssh (disable this one too if you don't need it...)
ACCEPT   net     fw    tcp    22
# access from the lan to the services on the firewall (ssh, dns, ipp, squid)
ACCEPT   loc     fw    tcp    22,53,631,3128
ACCEPT   loc     fw    udp    53
# Let the services on the firewall get net access (dns, squid http port)
ACCEPT   fw      net   tcp    53,80
ACCEPT   fw      net   udp    53
# Special Samba rules between the lan and the firewall
ACCEPT   loc     fw    udp    137:139,445
ACCEPT   loc     fw    tcp    137,139,445
ACCEPT   loc     fw    udp    1024:         137
ACCEPT   fw      loc   udp    137:139,445
ACCEPT   fw      loc   tcp    137,139,445
ACCEPT   fw      loc   udp    1024:         137
---cut---

Now you only have to decide what to do about port 10000, since I don't know what service you are using it for, or if it's a local service (lan <-> fw), so you need to put it in the right ACCEPT line.

This is all you need, as the conntrack modules keep the returning info/packets happy, and you should have a secured firewall...

If you need more info... feel free to ask...

Regards
Thomas