On 11/12/10 1:18 PM, mike lan wrote:
>
> On Sat, Oct 9, 2010 at 8:02 PM, Christ Schlacta <[email protected]> wrote:
>
> > sounds pretty simple, your policy file should only have
> >     all all drop
> > and your rules should have something like
> >     ACCEPT src dest tcp 8080
> >
> > replace src and dest with the appropriate src and dest, or use
> > 0.0.0.0/0 to let anything from or to anywhere on port 8080 pass.
> >
> > anything else should be trivial if you follow the howtos.
>
> I've set up Shorewall correctly as a standalone firewall as described in
> the Shorewall guide, still I don't know how to make a "drop all policy"
> and allow ONLY connections to a specific IP address at a specific port on
> the LAN or to the internet. Here is an example:
>
> My policy file has only this line uncommented (to implement a drop-all
> policy?!):
>
>     all all DROP info
>
> My rules file (let's say I only accept from my PC to IP address
> 66.249.92.104 (google.com)):
>
>     # Drop Ping from the "bad" net zone.. and prevent your log from being
>     # flooded..
>     Ping(DROP) net $FW
>
>     # Permit all ICMP traffic FROM the firewall TO the net zone
>     ACCEPT $FW net icmp
>     ACCEPT $FW net:66.249.92.104 http
>
>     sudo shorewall restart
>
> Is that the correct way to do it?
Well yes and no -- that rule will allow you to connect to http://66.249.92.104 but it will not allow you to connect generally to http://google.com. google.com resolves to an ever-changing set of IP addresses. If you 'dig google.com', you will notice that the TTL for the A records is 5 minutes (300 seconds). If you repeat the 'dig' 10 minutes later, the list of A records returned will likely be totally different. For example:

    ;; ANSWER SECTION:
    google.com.             300     IN      A       74.125.127.147
    google.com.             300     IN      A       74.125.127.99
    google.com.             300     IN      A       74.125.127.103
    google.com.             300     IN      A       74.125.127.104
    google.com.             300     IN      A       74.125.127.105
    google.com.             300     IN      A       74.125.127.106

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
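Tom's point above (a rule pinned to one address will not match what google.com resolves to a few minutes later) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from the Shorewall project. It parses the dig ANSWER SECTION quoted above (embedded here as a constructed sample), pulls the DEST column out of a constructed copy of the rules lines the original poster showed, and reports which of the currently resolved addresses each rule actually matches. It assumes the ACTION SOURCE DEST PROTO column order of a Shorewall rules file and that a comma-separated address list after the zone name (net:a,b,c) is valid in DEST, which Shorewall's address-list syntax allows. Anything it generates is only as fresh as the TTL of the records it was built from.

```python
"""Check which currently resolved addresses a Shorewall rule actually covers.

Added example for the thread above; not code from the thread or from
Shorewall itself. Runs offline on constructed copies of the dig output and
rules lines quoted in the discussion.
"""
import ipaddress
import re

# Constructed sample: the ANSWER SECTION Tom quoted for 'dig google.com'.
DIG_ANSWER = """\
;; ANSWER SECTION:
google.com.             300     IN      A       74.125.127.147
google.com.             300     IN      A       74.125.127.99
google.com.             300     IN      A       74.125.127.103
google.com.             300     IN      A       74.125.127.104
google.com.             300     IN      A       74.125.127.105
google.com.             300     IN      A       74.125.127.106
"""

# Constructed copy of the rules lines from the original post
# (column order assumed: ACTION SOURCE DEST PROTO).
RULES = [
    "Ping(DROP) net $FW",
    "ACCEPT $FW net icmp",
    "ACCEPT $FW net:66.249.92.104 http",
]

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+(?:\.\d+){3})$")


def parse_a_records(dig_text):
    """Return (lowest TTL, [IPv4Address, ...]) for the A records in dig output."""
    ttl, ips = None, []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        rec_ttl = int(m.group(2))
        ttl = rec_ttl if ttl is None else min(ttl, rec_ttl)
        ips.append(ipaddress.ip_address(m.group(3)))
    return ttl, ips


def parse_dest(rule_line):
    """Split the DEST column 'zone[:addr,addr,...]' into (zone, [networks]).

    Returns None for lines that do not have a DEST column. A bare host
    address is treated as a /32 so it can be matched like any other network.
    """
    cols = rule_line.split()
    if len(cols) < 3:
        return None
    zone, _, addrs = cols[2].partition(":")
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs.split(",") if a]
    return zone, nets


def covered_ips(rule_line, ips, zone="net"):
    """Addresses from the resolved set that this rule's DEST column matches."""
    parsed = parse_dest(rule_line)
    if parsed is None or parsed[0] != zone:
        return []
    nets = parsed[1]
    if not nets:  # bare zone name: every address in the zone matches
        return list(ips)
    return [ip for ip in ips if any(ip in net for net in nets)]


def accept_rule_for(ips, proto="http", zone="net"):
    """One ACCEPT line listing every address resolved right now.

    Uses Shorewall's comma-separated address list after the zone name. The
    line goes stale once the TTL of the records it was built from expires.
    """
    addr_list = ",".join(str(ip) for ip in sorted(ips))
    return "ACCEPT $FW {}:{} {}".format(zone, addr_list, proto)


def report(dig_text=DIG_ANSWER, rules=RULES):
    """Map each rule line to the resolved addresses it covers, plus a fresh rule."""
    ttl, ips = parse_a_records(dig_text)
    coverage = {rule: [str(ip) for ip in covered_ips(rule, ips)] for rule in rules}
    return {"ttl": ttl, "coverage": coverage, "fresh_rule": accept_rule_for(ips)}


if __name__ == "__main__":
    out = report()
    for rule, hits in out["coverage"].items():
        print("{:40} matches {} of the resolved addresses".format(rule, len(hits)))
    print("rule valid for at most {}s:".format(out["ttl"]))
    print("  " + out["fresh_rule"])
```

Run against the quoted dig output, the poster's `ACCEPT $FW net:66.249.92.104 http` line matches none of the six addresses google.com resolved to, while the bare `ACCEPT $FW net icmp` line matches all of them. Regenerating the ACCEPT line from a fresh lookup only postpones the problem: the list is good for the records' TTL (300 seconds here) and then needs another lookup and a `shorewall restart`. Putting the name itself in the DEST column does not help either, because Shorewall resolves DNS names when the firewall configuration is compiled and started, not per packet.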
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
