Ricardo,
>> I am a new user of Shorewall. Thanks Tom for all your work and your
>> unbelievable responsiveness on this list. You must not sleep :)
>>
>> I recently switched the firewall for our small network to Shorewall.
>> Everything is working great. I am running Shorewall on openSuse 11.4. I
>> want to make sure that all security patches for the OS are applied.
>> Naturally connections from the firewall to the net are blocked by default.
>>
>> My first thought is to add a rule allowing access from the firewall to
>> the particular mirror that I use for openSuse updates (ftp.utexas.edu).
>> openSuse uses wget for updates and the ftp.utexas.edu accepts http as
>> well as ftp. Dig shows that ftp.utexas.edu has ip address 146.6.54.21
>>
>> The Rule would then be:
>>
>> ACCEPT $FW net:146.6.54.21 tcp 21
>>
>> or else
>>
>> ACCEPT $FW net:146.6.54.21 tcp 80
>>
>> or even
>>
>> ACCEPT $FW net:146.6.54.21 tcp 21,80
>>
>> To my untrained eye this seems pretty safe. If necessary I could comment
>> out the rule when not checking for updates and restart shorewall. I just
>> wondered if this is okay and what other people do to update the OS that
>> is running shorewall.
>>
>> Mike
>>
>
> You can also use:
>
> ACCEPT $FW net:146.6.54.21 tcp
>
> and allow any port on tcp protocol to 146.6.54.21
>
> Anyways, I use a policy rule for $FW in /etc/shorewall/policy:
>
> $FW all ACCEPT
>
> that allows all traffic from Firewall to local net, internet, etc, so I
> don't need such a rule in /etc/shorewall/rules

Thanks for the response. I tend to minimize allowable connections from the firewall. Your policy rule would simplify my Rules file. I have a caching nameserver on the firewall and allow DNS from the firewall to the net. If I changed the policy rule I could eliminate that rule. I am a little reluctant to change the policy to allow all connections from the firewall to the net, but maybe it is not a big problem.

Mike

--
Michael A. Coan
Woodlawn Foundation
524 North Avenue, Suite 203
New Rochelle, NY 10801-3410
Tel: 914-632-3778
Fax: 914-632-5502

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
