Varun, If you're using Shorewall under Webmin, your file called "policy" in "/etc/shorewall" should look something like this:
    #SOURCE DEST POLICY LOG LIMIT:BURST
    # LEVEL
    loc net ACCEPT
    net all DROP info
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    $FW all ACCEPT -
    loc $FW ACCEPT -
    all all REJECT info
    #LAST LINE -- DO NOT REMOVE

I have some extra rules in here that allow me to access my firewall from local clients and also to access the net from the firewall itself. Also, if you're masquerading you need to make sure that's configured as well.

Regarding your original Internet access problem, how are you handling logons for your fat and thin clients? Is everyone performing a local logon or are you doing unified logons through NIS or LDAP? If you're doing local logons for your LTSP/squid server, you can apply firewall rules in shorewall based on users and/or groups. Apparently, user/group based rules only apply to the machine shorewall is running on, so you could limit access to the net from your LTSP clients that way.

I believe the solutions Kai mentioned would work equally as well, perhaps better using only squid. From what I've read so far, I believe his solution also requires installing and enabling IDENT on the server and clients that will be accessing squid.

As Jim has mentioned before, which made me see the light, simple firewall rules aren't going to help due to the fact all of the instances of Mozilla (or any other browser) your LTSP clients are running are actually running on the server. So as far as the firewall's concerned, he'll apply rules to your LTSP clients as if it was your LTSP server (in your case the firewall itself) originating the traffic. This creates a situation in which your server becomes a bit of a paranoid schizophrenic.

- Jason

On Tue, 2004-05-04 at 22:26, Varun wrote:
> Hello Lanman,
> I am just not able to set the rules.
> Right now I have only 2 NICs, one for net and one for lan. I will have three
> on my new server.
> In the meantime I need to learn how to do the settings.
> I don't know where I am making the mistake.
> I have tried all settings in "Default Policies",
> but the moment I add any policies it blocks net access to my lan. I
> hope I am doing the settings in the right section.
> I have pasted my shorewall details as left now. With this my lan has net
> access.
> Tell me where I am going wrong and which are the sections where I need to do
> any settings. I could not see the 'fw' option.
> I feel strongly it should work but I have to get it. I hope to achieve
> that with your help.
> I will also have a look if any tutorial is available on the net on
> Webmin.
>
> ************* shorewall settings ************
>
> Shorewall version 1.4.8
>
> Network Zones (zones)
>
> Zone ID   Displayed name   Description   Move
> net       Net              Internet zone
> lan       SAALan           Local
>
> Network Interfaces (interfaces)
>
> Interface   Zone name   Broadcast address   Options   Move
> eth0        net         Automatic           None
> eth1        lan         Automatic           None
>
> Default Policies (policy)
>
> Source zone   Destination zone   Policy   Syslog level   Traffic limit
> Any           Any                ACCEPT   None           None
>
> Anything just blocks net to lan.
>
> Firewall Rules (rules)
>
> No firewall rules have been defined yet.
>
> Types of Service (tos)
>
> Left as default
>
> Masquerading (masq)
>
> No masquerading rules have been defined yet.
>
> Static NAT (nat)
>
> No static NAT entries have been defined yet.
>
> Proxy ARP (proxyarp)
>
> No proxy ARP addresses have been defined yet.
>
> I am not sure about this option!
>
> When Stopped (routestopped)
>
> No addresses to be accessible when stopped have been defined yet.
>
> VPN Tunnels (tunnels)
>
> No VPN tunnels to allow have been defined yet.
>
> ************* end shorewall **************
>
> Thanks in advance
>
> Varun
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _____________________________________________________________________
> Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
> https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help, try #ltsp channel on irc.freenode.net
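A worked set of the three Shorewall files for the two-interface layout in Varun's settings (net on eth0, lan on eth1), added here as an illustration of the per-user approach Jason describes; it is not from either post. It assumes the installed Shorewall accepts the USER/GROUP column in the rules file, that each LTSP user logs on to the server under a distinct UID, and uses a constructed group name `webusers`.

```text
# /etc/shorewall/policy  (zone names as in Varun's Webmin listing)
# Server processes are where the thin clients' browsers actually run, so
# the $FW -> net policy is DROP and the rules file hands out exceptions.
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
lan       net    ACCEPT
lan       $FW    ACCEPT
$FW       lan    ACCEPT
$FW       net    DROP     info
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE

# /etc/shorewall/masq  (missing in Varun's listing; without it lan hosts
# reach the net with private addresses and get no replies)
#INTERFACE   SUBNET   ADDRESS
eth0         eth1

# /etc/shorewall/rules
# SOURCE is $FW, not lan: a source-address rule cannot tell one LTSP
# session from another, only the USER/GROUP column (last column) can.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP
# name resolution for every process on the server
ACCEPT   $FW     net   udp    53
ACCEPT   $FW     net   tcp    53
# root keeps unrestricted access (package updates, ntp, ...)
ACCEPT   $FW     net   all    -             -               -              -           root:
# only members of the constructed group "webusers" may browse from a session
ACCEPT   $FW     net   tcp    80,443        -               -              -           :webusers
#LAST LINE -- DO NOT REMOVE
```

Run `shorewall check` before `shorewall restart`; a user outside `webusers` then sees the browser's connection attempts logged at the `info` level from the `$FW net DROP` policy rather than from a lan-side rule.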
