This was the default except for 1000 and 3128. It doesn't work anyway; that
is why I am asking.
10000 is webmin. I hate running to the server to manage it.

What I would like is to have everything bound to eth0 and deny all but ssh
to eth1.

-----Original Message-----
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall


From: "Lawson, Jim" <[EMAIL PROTECTED]>
> Every time I start shore wall, squid and everything is denied. Can
> anyone help me with setting these up?
> I think Jack said to manually do this yesterday; I get the same problem.
>
>
> Add a new firewall rule
> Action Source Destination Protocol Source ports Destination ports Move
> ACCEPT Zone net Zone fw TCP Any 53,22,137,138,139,631,3128,10000
> ACCEPT Zone net Zone fw UDP Any 53,137,138,139,631
> ACCEPT Zone loc Zone fw TCP Any 53,22,137,138,139,631,3128,10000
> ACCEPT Zone loc Zone fw UDP Any 53,137,138,139,631
> Add a new firewall rule
>

If I understand this correctly, you have made a nice attack point for
hackers...

Assuming 'net' is the Internet, 'fw' is the firewall, and 'loc' is your local
LAN..
if so, you have your system open for attacks/misuse on dns, samba, squid,
...


Here is what you need:
---cut---
#ACTION         SOURCE          DEST    PROTO   DEST        SOURCE     ORIGINAL
#                                               PORT(S)     PORT(S)    DEST
#
# access from the internet only to ssh (disable this one too if you don't need it...)
ACCEPT          net             fw      tcp     22

# access from the lan to the services on the firewall (ssh, dns, ipp, squid)
ACCEPT          loc             fw      tcp     22,53,631,3128
ACCEPT          loc             fw      udp     53

# Let the services on the firewall get net access (dns, squid http port)
ACCEPT          fw              net     tcp     53,80
ACCEPT          fw              net     udp     53

# Special Samba rules between the lan and the firewall
# (the "1024:" lines accept NetBIOS name-service replies from source port 137)
ACCEPT          loc             fw      udp     137:139,445
ACCEPT          loc             fw      tcp     137,139,445
ACCEPT          loc             fw      udp     1024:       137
ACCEPT          fw              loc     udp     137:139,445
ACCEPT          fw              loc     tcp     137,139,445
ACCEPT          fw              loc     udp     1024:       137
---cut---

Now you only have to decide what to do about port 10000,
since I don't know what service you are using it for, or if it's
a local service ( lan <-> fw ), so you need to put it in the
right ACCEPT line.

This is all you need, as the conntrack module keeps the returning
info/packets happy, and you should have a secured firewall...

If you need more info... feel free to ask...

Regards

Thomas
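As an added example, not code from this thread: a small Python checker that reads rule lines in the column order of Thomas's rules file (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)) and reports which firewall ports the net zone may reach beyond ssh. The two embedded rule sets are constructed from Jim's original rules and Thomas's replacement.

```python
# Constructed samples in Shorewall rules-file column order:
# ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)]
ORIGINAL_RULES = """\
ACCEPT net fw tcp 53,22,137,138,139,631,3128,10000
ACCEPT net fw udp 53,137,138,139,631
ACCEPT loc fw tcp 53,22,137,138,139,631,3128,10000
ACCEPT loc fw udp 53,137,138,139,631
"""

HARDENED_RULES = """\
# access from the internet only to ssh
ACCEPT net fw tcp 22
# lan to firewall services (ssh, dns, ipp, squid) and samba
ACCEPT loc fw tcp 22,53,631,3128
ACCEPT loc fw udp 53
ACCEPT loc fw udp 137:139,445
ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw udp 1024: 137
# firewall out to the net (dns, squid's http fetches)
ACCEPT fw net tcp 53,80
ACCEPT fw net udp 53
"""

def parse_rules(text):
    """Parse rule lines into (action, src, dst, proto, dports, sport); comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        action, src, dst, proto = cols[:4]
        dports = cols[4].split(",") if len(cols) > 4 else ["-"]
        sport = cols[5] if len(cols) > 5 else "-"
        rules.append((action, src, dst, proto, dports, sport))
    return rules

def exposed_to_zone(text, zone="net", target="fw"):
    """Set of (proto, dport) that ACCEPT rules let `zone` reach on `target`."""
    exposed = set()
    for action, src, dst, proto, dports, _ in parse_rules(text):
        if action == "ACCEPT" and src == zone and dst == target:
            exposed.update((proto, p) for p in dports)
    return exposed

def check_net_exposure(text, allowed=frozenset({("tcp", "22")})):
    """Return firewall ports reachable from 'net' that are not on the allow-list."""
    return exposed_to_zone(text) - allowed
```

Against the original rules `check_net_exposure` lists dns, samba, ipp, squid and port 10000 as reachable from the Internet; against the hardened set it returns an empty set.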
