On Fri, 2011-08-05 at 17:28 +1200, [email protected] wrote:

> Hello,
> 
> I would appreciate any feedback/suggestions on my Shorewall configuration for 
> a standalone laptop Debian Squeeze configuration for ppp0 and wlan0, set out 
> below:
> 
> ------------------
> My current system:
> ------------------
> I have successfully configured Shorewall 4.4.11.6 on my standalone Debian 
> Squeeze laptop for a ppp0 (Mobile broadband) connection using GNOME PPP, 
> works great (refer to bottom of this message for 'ip addr show' and 'ip route 
> show' outputs), using the following:
> 
> /etc/ppp/ip-up.d/mobile:
> #!/bin/sh
> # restart Shorewall once ppp0 is up so the rules pick up the new interface
> /sbin/shorewall restart
> (Refer: http://sourceforge.net/mailarchive/message.php?msg_id=19774645 )
> 
> 
> /etc/shorewall/interfaces:
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     ppp0            -               tcpflags,logmartians,nosmurfs
> 
> 
> /etc/default/shorewall:
> startup=0
> wait_interface="ppp0"
> 
> -----------------------
> What I'm wanting to do:
> -----------------------
> I want to configure Shorewall to work with my ppp0 and wlan0 connections. I 
> will use one or the other connection at a time, but I will only be connecting 
> once the desktop is loaded using Wicd.
> 
> I have followed the instructions at  http://shorewall.net/Laptop.html , and 
> added the following to:
> 
> /etc/shorewall/interfaces:
> net     wlan0           detect          dhcp,tcpflags,logmartians,nosmurfs
> 
> -----------------------------------
> My concerns with the current setup:
> -----------------------------------
> 1. My understanding is that when a connection goes up, shorewall needs to be 
> restarted. I have got that covered for my ppp0 connection in 
> /etc/ppp/ip-up.d/mobile (refer "My current setup" above) but assume I have to 
> do the same with wireless connections by copying:
> 
> /etc/ppp/ip-up.d/mobile
> TO:
> /etc/wicd/scripts/postconnect/mobile
> 
> (Refer: http://wicd.sourceforge.net/moinmoin/Adding%20pre%20and%20post%20%28dis%29connection%20scripts )
> 
> If anyone can confirm or trash my understanding and/or assumption on this I 
> would appreciate it.
> 
> 
> 2. I have read in passing posts about Shorewall that there is a slight delay 
> between connecting to a network and Shorewall restarting. Is this a 
> significant security issue or is there a way around it?
> 


I suggest that you install and configure Shorewall-init. It will close
the firewall before the interfaces come up and will automatically
restart Shorewall when interfaces come up.

a) Make both interfaces optional (set the 'optional' option
in /etc/shorewall/interfaces).
b) Set REQUIRE_INTERFACE=Yes in shorewall.conf.
c) Configure Shorewall-init as described at
http://www.shorewall.net/Shorewall-init.html
d) Remove the 'wait_interface=' setting from /etc/default/shorewall

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
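The four steps above, collected into the resulting configuration as an added example (not taken from the thread or from the Shorewall project). The interface lines and options are the ones the original post already shows, with 'optional' added as Tom describes; the /etc/default/shorewall-init settings are assumed from the Shorewall-init documentation he links, not from this message.

```text
# /etc/shorewall/interfaces -- step a): both interfaces marked optional, so
# Shorewall can start while one (or both) of them is down
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               optional,tcpflags,logmartians,nosmurfs
net     wlan0           detect          optional,dhcp,tcpflags,logmartians,nosmurfs

# /etc/shorewall/shorewall.conf -- step b): with no optional interface up,
# 'shorewall start' fails and the closed ruleset installed by Shorewall-init
# stays in place instead of a ruleset built for absent interfaces
REQUIRE_INTERFACE=Yes

# /etc/default/shorewall-init -- step c) (assumed from Shorewall-init.html):
# manage the 'shorewall' product and hook the ifupdown events, so the
# firewall is closed at boot and Shorewall is restarted as interfaces come up
PRODUCTS="shorewall"
IFUPDOWN=1

# /etc/default/shorewall -- step d): the former wait_interface="ppp0" line is
# deleted; Shorewall-init now reacts to the interface events, so the
# /etc/ppp/ip-up.d/mobile and wicd postconnect copies are no longer needed
startup=0
```

With this in place the 'slight delay' from concern 2 no longer leaves the host unfiltered: the boot-time ruleset is closed until Shorewall is (re)started on the interface event.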

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users