On 11/07/11 11:49, mikecoan wrote:
> Greetings,
>
> I am a new user of Shorewall. Thanks Tom for all your work and your
> unbelievable responsiveness on this list. You must not sleep :)
>
> I recently switched the firewall for our small network to Shorewall.
> Everything is working great. I am running Shorewall on openSuse 11.4. I
> want to make sure that all security patches for the OS are applied.
> Naturally connections from the firewall to the net are blocked by default.
>
> My first thought is to add a rule allowing access from the firewall to
> the particular mirror that I use for openSuse updates (ftp.utexas.edu).
> openSuse uses wget for updates and ftp.utexas.edu accepts http as
> well as ftp. Dig shows that ftp.utexas.edu has IP address 146.6.54.21
>
> The rule would then be:
>
> ACCEPT $FW net:146.6.54.21 tcp 21
>
> or else
>
> ACCEPT $FW net:146.6.54.21 tcp 80
>
> or even
>
> ACCEPT $FW net:146.6.54.21 tcp 21,80
>
> To my untrained eye this seems pretty safe. If necessary I could comment
> out the rule when not checking for updates and restart shorewall. I just
> wondered if this is okay and what other people do to update the OS that
> is running shorewall.
>
> Mike
You can also use:

ACCEPT $FW net:146.6.54.21 tcp

and allow any port on the tcp protocol to 146.6.54.21.

Anyway, I use a policy rule for $FW in /etc/shorewall/policy:

$FW all ACCEPT

that allows all traffic from the firewall to the local net, internet, etc., so I don't need such a rule in /etc/shorewall/rules.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
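The three options on the table differ a lot in how much they open up: a port-restricted rule, a protocol-only rule, and a blanket `$FW all ACCEPT` policy. The following added example (editorial illustration, not Shorewall's own code or anything from the thread participants) models the subset of `/etc/shorewall/rules` and `/etc/shorewall/policy` syntax used here and evaluates the same three constructed connection attempts under each configuration, so the difference in exposure is visible side by side. The configurations quoted from the thread are real; the `DROP` policy line, the `203.0.113.10` address and the probe set are constructed for the example, and the matching order (rules first, then policy, default DROP) is a simplification of what Shorewall actually does.

```python
"""Simplified evaluator for the three ways, discussed in the thread, of letting
the firewall host ($FW) reach an update mirror.  Added illustration only; it
models a tiny subset of Shorewall syntax (ACTION SOURCE DEST [PROTO [DPORT]]
for rules, SOURCE DEST ACTION for policy), not the real implementation.
"""
import ipaddress

FW = "$FW"  # Shorewall's name for the firewall host itself

# --- constructed configuration fragments (rule text is from the thread) ---

# Mike's third variant: only ftp and http, and only to the mirror address.
RULES_PORT_RESTRICTED = "ACCEPT $FW net:146.6.54.21 tcp 21,80\n"

# The reply's first suggestion: any tcp port, but still only to the mirror.
RULES_ANY_TCP = "ACCEPT $FW net:146.6.54.21 tcp\n"

# Constructed default-deny policy for traffic originating on the firewall.
POLICY_FW_DROP = "$FW net DROP\n"

# The reply's second suggestion: let the firewall talk to everything.
POLICY_FW_ACCEPT = "$FW all ACCEPT\n"


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO [DPORT]]' lines; '-' means any."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action, source, dest = fields[:3]
        proto = fields[3] if len(fields) > 3 else "-"
        dport = fields[4] if len(fields) > 4 else "-"
        zone, _, host = dest.partition(":")          # e.g. net:146.6.54.21
        ports = {int(p) for p in dport.split(",")} if dport != "-" else set()
        rules.append({"action": action, "source": source, "zone": zone,
                      "host": host or None, "proto": proto, "ports": ports})
    return rules


def parse_policy(text):
    """Parse 'SOURCE DEST ACTION' lines from the policy file."""
    policies = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            source, dest, action = line.split()[:3]
            policies.append((source, dest, action))
    return policies


def _host_matches(rule_host, ip):
    """A rule without a host part matches the whole zone."""
    if rule_host is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_host, strict=False)


def decide(rules_text, policy_text, source, zone, ip, proto, port):
    """First matching rule wins; otherwise the first matching policy entry
    ('all' matches any zone); otherwise DROP.  Simplified model."""
    for r in parse_rules(rules_text):
        if r["source"] != source or r["zone"] != zone:
            continue
        if not _host_matches(r["host"], ip):
            continue
        if r["proto"] != "-" and r["proto"] != proto:
            continue
        if r["ports"] and port not in r["ports"]:
            continue
        return r["action"]
    for src, dst, action in parse_policy(policy_text):
        if src == source and dst in (zone, "all"):
            return action
    return "DROP"


def compare():
    """Run the same constructed probes against each configuration."""
    probes = {
        "mirror:80":    ("net", "146.6.54.21", "tcp", 80),    # wanted
        "mirror:8080":  ("net", "146.6.54.21", "tcp", 8080),  # not needed
        "elsewhere:80": ("net", "203.0.113.10", "tcp", 80),   # unrelated host
    }
    configs = {
        "ports 21,80 + DROP policy": (RULES_PORT_RESTRICTED, POLICY_FW_DROP),
        "any tcp + DROP policy":     (RULES_ANY_TCP, POLICY_FW_DROP),
        "$FW all ACCEPT policy":     ("", POLICY_FW_ACCEPT),
    }
    return {name: {p: decide(rt, pt, FW, *probe) for p, probe in probes.items()}
            for name, (rt, pt) in configs.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(f"{name:28s} {results}")
```

Read the output from the defender's side: the `21,80` rule lets the firewall reach exactly the two mirror services it needs and nothing else, the protocol-only rule opens every TCP port on that one host, and the `$FW all ACCEPT` policy removes outbound restriction for the firewall altogether. Whichever you pick, note that pinning a mirror by a single address ties the rule to that host's current DNS record, so re-check it if updates suddenly start failing.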
