On 8/28/2013 8:43 PM, Tom Eastep wrote:
> On 8/28/2013 4:43 PM, Tom Eastep wrote:
>> On 8/28/2013 3:44 PM, Thomas Harold wrote:
>>
>> Shorewall 4.5.4 Dump at fw2-sec - Wed Aug 28 18:31:52 EDT 2013
>> -----
>>
>> Support for /etc/shorewall/stoppedrules wasn't added until Shorewall
>> 4.5.8. In 4.5.8, you must use /etc/shorewall/routestopped.
>>
>
> In 4.5.4, you must use /etc/shorewall/routestopped.
> -----
Thanks for the heads-up. I'm not sure the following rules do exactly what I
was looking for, but the nmap testing shows those ports are open when
shorewall has been stopped. Goals met.

Goals (when shorewall is stopped):
- Allow icmp (ping) from everywhere to the interface
- Allow tcp/22 only on the internal (bond0) interface
- Allow udp/123 only on the internal (bond0) interface
- Allow tcp/880 from everywhere

/etc/shorewall/routestopped

bond0   -   -       icmp
bond0   -   -       tcp     22
bond0   -   -       udp     123
bond0   -   -       tcp     880
want1   -   source  icmp
want1   -   source  tcp     880
wancbl  -   source  icmp
wancbl  -   source  tcp     880

Maybe not the cleanest looking iptables -L output, but it works:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:880
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
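A check for the "only on bond0" goals above, added as an example and not part of the thread or of Shorewall itself. The listing in the post comes from plain `iptables -L`, which omits the in-interface column, so it cannot show whether the ssh and ntp ACCEPT rules really carry `-i bond0`; `iptables -S INPUT` or `iptables-save` prints the rules with their interface matches. The script below reads rules in that format and flags any INPUT ACCEPT for tcp/22 or udp/123 that is not restricted to the named internal interface. The interface names bond0, want1 and wancbl are taken from the post; the two rule sets are constructed for the example, not captured from fw2-sec, and the single-port `--dport` form is assumed (multiport rules are not parsed).

```shell
#!/bin/sh
# Added example (not from the Shorewall-users thread or the Shorewall project).
# Verifies, from iptables-save / "iptables -S INPUT" style rules, that services
# meant to be internal-only are only accepted with "-i <internal interface>".
# Rule sets below are constructed for the example, not captured from fw2-sec.

# check_stopped_rules INTERNAL_IF  < rules-in-iptables-save-format
# Prints one VIOLATION line per offending rule; exits 0 if none, 1 otherwise.
check_stopped_rules() {
    internal="$1"
    awk -v iface="$internal" '
        # Only INPUT-chain ACCEPT rules decide what the host itself exposes.
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            restricted = 0
            # Goals from the post: tcp/22 and udp/123 only on the internal interface.
            if ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/)  restricted = 1
            if ($0 ~ /-p udp/ && $0 ~ /--dport 123( |$)/) restricted = 1
            # icmp and tcp/880 are allowed from everywhere, so they are not checked.
            if (restricted && $0 !~ ("-i " iface "( |$)")) {
                print "VIOLATION: internal-only service accepted without -i " iface ": " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed rule set matching the routestopped goals (every ssh/ntp rule is on bond0).
good_rules='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i bond0 -p icmp -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 880 -j ACCEPT
-A INPUT -i want1 -p icmp -j ACCEPT
-A INPUT -i want1 -p tcp -m tcp --dport 880 -j ACCEPT
-A INPUT -i wancbl -p icmp -j ACCEPT
-A INPUT -i wancbl -p tcp -m tcp --dport 880 -j ACCEPT'

# Constructed rule set with two mistakes: ssh open on any interface, ntp open on want1.
bad_rules="$good_rules
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i want1 -p udp -m udp --dport 123 -j ACCEPT"

printf '%s\n' "$good_rules" | check_stopped_rules bond0 && echo "good rule set: OK"
printf '%s\n' "$bad_rules"  | check_stopped_rules bond0 || echo "bad rule set: violations found"
```

On the firewall itself, run it with Shorewall in the stopped state (the routestopped rules are only loaded then, and `shorewall clear` would remove everything): `iptables -S INPUT | check_stopped_rules bond0`. The nmap test in the post proves the ports answer; this check is the complement, proving that they do not answer on the WAN interfaces.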