Hmm, OK, there are a couple of patches in here I assume you didn't want anymore... based upon your changelog saying you weren't going to set up default stuff anymore in /etc?

Specifically:


Tom Eastep wrote:
--- /home/teastep/Shorewall/Shorewall2/interfaces       2005-04-08 
10:19:05.000000000 -0700
+++ ./interfaces        2005-04-11 13:03:40.000000000 -0700
@@ -204,4 +204,6 @@
 ##############################################################################
 #ZONE   INTERFACE      BROADCAST       OPTIONS
 #
+net     eth0            detect          dhcp,routefilter,norfc1918
+loc     eth1            detect         dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
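Review bot: The two added lines hard-code eth0 as `net` and eth1 as `loc`, so whether this default is safe depends entirely on cabling order; a box whose upstream link is eth1 would treat the Internet as its local zone and inherit the permissive `loc` policies. If the default stays, the comment block above should say so and tell the user to verify the assignment before starting Shorewall. Also, `norfc1918` on an interface that is configured with `dhcp` deserves a caveat in the same comment: it drops RFC 1918 sources arriving on that interface, which breaks setups where the ISP or an upstream modem hands out a private address. Minor: the `detect`/`dhcp` columns on the `loc` line are not aligned with the `net` line.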

and


diff -au /home/teastep/Shorewall/Shorewall2/masq ./masq
--- /home/teastep/Shorewall/Shorewall2/masq     2004-12-31 09:41:44.000000000 
-0800
+++ ./masq      2005-02-02 13:10:52.000000000 -0800
@@ -197,4 +197,5 @@
 #
 ###############################################################################
 #INTERFACE             SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+eth0                   eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
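Review bot: `eth0 eth1` masquerades everything that enters on eth1 and leaves via eth0, so it carries the same eth0-out/eth1-in assumption as the interfaces default and silently NATs the wrong direction if the cards are swapped. If the default ships, document in the header comment that this line must be changed together with /etc/shorewall/interfaces, or key the SUBNET column to the local address range rather than to the interface name.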

and

diff -au /home/teastep/Shorewall/Shorewall2/policy ./policy
--- /home/teastep/Shorewall/Shorewall2/policy 2005-03-30 07:03:32.000000000 -0800
+++ ./policy 2005-04-06 10:11:20.000000000 -0700
@@ -68,24 +68,24 @@
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
-# Example:
+# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
-#
-# #SOURCE DEST POLICY LOG
-# # LEVEL
-# loc net ACCEPT
-# net all DROP info
-# #
-# # THE FOLLOWING POLICY MUST BE LAST
-# #
-# all all REJECT info -#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
+loc net ACCEPT
+net all DROP ULOG
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
+#fw net ACCEPT
+
+#
+# THE FOLLOWING POLICY MUST BE LAST
+#
+all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE
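Review bot: The comment block kept just above the table (items b and d) still says the DROP and REJECT policies are logged at syslog level KERNEL.INFO, but the new policy lines log via ULOG, so the description no longer matches the configuration; change the comment to say ULOG (or make the lines use `info`), and fix the a/b/d lettering while editing it. The new heading `As shipped, the default policies are:` also presupposes that these defaults ship at all, which is the open question in this mail; if the decision is to ship blank files, the heading should revert to `Example:`. Leaving `#fw net ACCEPT` commented is the right default, since it keeps the firewall's own outbound traffic under the explicit rules in /etc/shorewall/rules.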

and

diff -au /home/teastep/Shorewall/Shorewall2/rules ./rules
--- /home/teastep/Shorewall/Shorewall2/rules    2005-03-01 10:29:15.000000000 
-0800
+++ ./rules     2005-04-11 13:05:09.000000000 -0700
@@ -330,4 +330,26 @@
 
####################################################################################################
 #ACTION  SOURCE                DEST            PROTO   DEST    SOURCE     
ORIGINAL     RATE            USER/
 #                                              PORT    PORT(S)    DEST         
LIMIT           GROUP
+#      Accept DNS connections from the firewall to the network
+#
+ACCEPT          fw              net             tcp     53
+ACCEPT          fw              net             udp     53
+#       Accept SSH connections from the local network for administration
+#
+ACCEPT          loc             fw              tcp     22
+#       Allow Ping To Firewall
+#
+ACCEPT          loc             fw              icmp    8
+ACCEPT          net             fw              icmp    8
+#
+#      Allow all ICMP types (including ping) From Firewall
+#
+ACCEPT          fw              loc             icmp
+ACCEPT          fw              net             icmp
+#
+# Bering specific rules:
+# allow loc to fw udp/53 for local/caching DNS servers to work
+# allow loc to fw tcp/80 for weblet to work
+ACCEPT          loc       fw            udp     53
+ACCEPT          loc       fw            tcp     80
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
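Review bot: `ACCEPT loc fw tcp 22` and the Bering line `ACCEPT loc fw tcp 80` open the firewall's SSH and weblet management interfaces to every host in the local zone; as a shipped default that is broader than necessary, so consider restricting SOURCE to an administrative address (the SOURCE column accepts `loc:<address>`, where `<address>` is the admin host or subnet) or at least say in the comment that these two lines should be narrowed. Minor: the two Bering lines use a different column layout from the rest of the block, and the "Allow all ICMP types (including ping) From Firewall" heading would read better with the stray `#` separator lines removed so it sits directly above the two `fw` ICMP rules.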

and

--- /home/teastep/Shorewall/Shorewall2/zones    2005-02-02 07:39:59.000000000 
-0800
+++ ./zones     2005-02-02 13:10:52.000000000 -0800
@@ -11,15 +11,9 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#--------------------------------------------------------------------------------
-# Example zones:
 #
-#    You have a three interface firewall with internet, local and DMZ 
interfaces.
-#
-#      #ZONE   DISPLAY         COMMENTS
-#      net     Internet        The big bad Internet
-#      loc     Local           Local Network
-#      dmz     DMZ             Demilitarized zone.
-#
-#ZONE                  DISPLAY         COMMENTS
+#ZONE  DISPLAY         COMMENTS
+net    Net             Internet
+loc    Local           Local networks
+#dmz   DMZ             Demilitarized zone
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
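Review bot: Dropping the `Example zones` block removes the only explanation of the three-interface (net/loc/dmz) case while `#dmz` is kept as a commented entry; add a one-line comment beside `#dmz` saying that uncommenting it also requires a matching entry in /etc/shorewall/interfaces and policies for the new zone, since a zone with no policy of its own falls through to the final `all all REJECT` policy. The zone names `net` and `loc` do match those used in the interfaces, masq, policy and rules defaults, which is the consistency check that matters here.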

The stuff in shorewall.conf and to start and stop I assumed were ok to keep. Which way do you want me to go? Blank, or KP-style defaults?


_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel