2009/10/2 Tom Eastep <[email protected]>
> William Hamilton wrote:
> > Hi there, not sure of the protocol, but I am looking for a config check to
> > see if it is ok.
>
> > Net info
> > ------------
> > /28 address range
> > External, DMZ, Local network and OpenVPN.
> > DHCP on VPN and Local
> >
> > I have attached config I have written up. Can I request a peer review?
> > Happy for the configs to enter public domain once debugged/complete (if
> > of use)
>
> I don't know what your definition of 'ok' is because I don't know what
> you want to allow or disallow. So I can only assume that what you have
> here is exactly what you intend.
>
> One thing that worries me is this comment in your rules file:
>
> # Allow ping checks, and other useful ICMP (eg, redirects)
>
> You then invoke the AllowICMPs action with ACCEPT. Three problems:
>
> a) The AllowICMPs macro only allows those ICMP requests that are
> required for correct operation of a router; namely
> fragmentation-needed and time-exceeded. It allows neither
> echo-request (Ping) nor Redirect.
>
> b) AllowICMPs is not a parameterized macro so the "/ACCEPT" is
> superfluous.
>
> c) The Default Actions for both the DROP and REJECT policies invoke
> AllowICMPs; so there is never any point in invoking that macro in
> /etc/shorewall/rules unless you have a following DROP or REJECT rule
> for ICMP.
>
> You have incorrectly specified the server port in your ACCEPT rules.
> Example:
>
> ACCEPT loc dmz:$IGN_FUSION:3306 tcp 3306 #mySQL
>
> A 'shorewall check' will flag that as an error (assuming that you are
> running Shorewall-perl; if you aren't running Shorewall-perl, you should
> be -- see http://www.shorewall.net/Notices.html#Shell-EOL).
>
> 'shorewall check' will also issue a warning for the following rule,
> rightly claiming that it is a policy and should be specified in the
> policy file:
>
> ACCEPT ovpn loc
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Excellent, thanks for that Tom. I made the suggested changes and have now
started using shorewall-perl too. Installing the firewall now and bits over
the weekend. DMZ works fine, which is good, but internal traffic does not get
out at this stage.
Will debug some more and come back with an update. Once the scripts are working I will
put them up on here as a sample if people would like.
W
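As an added illustration (not code from this thread or from Shorewall itself), a small Python checker that flags the three rules-file problems Tom points out: the superfluous `/ACCEPT` on AllowICMPs, a port appended to the DEST column instead of the DEST PORT(S) column, and a three-column ACCEPT that is really a policy. The sample rules are constructed from the lines quoted above (`$IGN_FUSION` is the poster's own variable), and the checks are a hypothetical approximation of what `shorewall check` reports, not its implementation.

```python
import re
from typing import List

# Constructed sample excerpt modelled on the rules quoted in the thread.
# Line 5 is the corrected form of line 3: the port moves to DEST PORT(S).
SAMPLE_RULES = """\
# Allow ping checks, and other useful ICMP (eg, redirects)
AllowICMPs/ACCEPT net $FW
ACCEPT loc dmz:$IGN_FUSION:3306 tcp 3306 #mySQL
ACCEPT ovpn loc
ACCEPT loc dmz:$IGN_FUSION tcp 3306 #mySQL (corrected)
"""

# DEST written as zone:host:port (exactly two colons, numeric tail).
# Plain zone:host or zone:host/cidr does not match, so IPv4 rules are safe.
PORT_IN_DEST = re.compile(r"^[^:]+:[^:]+:\d+$")

def lint_rules(text: str) -> List[str]:
    """Return one finding per offending rule line (hypothetical checks)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        cols = line.split()
        action = cols[0]
        # (b) AllowICMPs takes no parameter, so "/ACCEPT" is superfluous.
        if action.startswith("AllowICMPs/"):
            param = action.split("/", 1)[1]
            findings.append(f"{lineno}: AllowICMPs is not parameterized; drop '/{param}'")
        # The server port belongs in DEST PORT(S), not appended to the DEST host.
        if len(cols) >= 3 and PORT_IN_DEST.match(cols[2]):
            findings.append(f"{lineno}: port in DEST column '{cols[2]}'; put it in DEST PORT(S)")
        # ACTION SOURCE DEST with nothing else is a policy, not a rule.
        if action in ("ACCEPT", "DROP", "REJECT") and len(cols) == 3:
            findings.append(f"{lineno}: '{line}' is a policy; move it to /etc/shorewall/policy")
    return findings

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```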
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users