On Fri, 29 Aug 2003 14:42:46 -0700
Cam Ellison <cam@ellisonet.ca> wrote:
> * Steve Lamb (grey@dmiyu.org) wrote:
> I beg to differ. When I installed shorewall, it gave some
> not-very-comprehensible options, and then did not give me what I
> wanted or needed.
Erm, how hard can it be? For a single box, 1 interface:
Edit interfaces. Add it as zone net, interface, detect.
Now edit policy. Accept $FW to net and net to $FW. Drop net to all, and all
to all.
Type shorewall restart.
You've now got your network interface accepting packets to the $FW (aka,
the machine you're sitting on) and allowing packets out from the $FW to the
net.
Need a 2nd interface and NAT?
Edit interfaces. Add 2nd interface as loc, interface, detect.
Edit policy again. Accept loc to $FW, $FW to loc, loc to net and net to loc.
Edit masq. Tell it the interface you want to masq out of and the interface
you want to masq.
Edit shorewall.conf, make sure that masq is turned on and packet forwarding is
turned on.
Type shorewall restart.
Congrats. You now have a machine doing NAT. Need to lock it down a bit?
Either edit policy to change the defaults of accept to reject or leave it. Go
into rules. Common tasks:
Port forward for NATed game machines and the like:
DNAT net loc:192.168.0.1 tcp 9090
Locking down a service to the outside world:
REJECT net $FW tcp 139
Accepting a service when policy is reject:
ACCEPT net $FW tcp 139
There, in about 5 minutes I just gave a primer that covers about 80-90% of
installs using Shorewall. I doubt you could do the same. Shorewall is not
that hard.
--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
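The two-interface setup Steve walks through above, written out as the actual Shorewall table files. This is an added example, not Steve's own configuration and not a sample shipped by the Shorewall project. It assumes Shorewall 4.x file formats (the older three-column interfaces layout with "detect" in the BROADCAST column), eth0 as the Internet-facing interface, eth1 as the LAN on 192.168.0.0/24, 192.168.0.1 as the game machine, and ssh (tcp/22) as the only service the firewall itself offers to the Internet; the interface names, addresses and ports are all assumptions. It uses the locked-down variant Steve mentions at the end (net to $FW is DROP, with explicit ACCEPT rules) rather than the permissive first pass.

```conf
# /etc/shorewall/interfaces   (assumed: eth0 faces the Internet, eth1 the LAN)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/policy   (first matching line wins, so order matters)
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
loc     net     ACCEPT
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq   (masquerade the LAN subnet out of eth0; assumed subnet)
#INTERFACE  SOURCE
eth0        192.168.0.0/24

# /etc/shorewall/rules   (exceptions to the policies above)
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
# Port forward: new connections arriving from the Internet on the firewall's
# public address, tcp/9090, are rewritten to the game box 192.168.0.1:9090.
# Because net->loc policy is DROP, this one port is all that reaches the LAN.
DNAT    net     loc:192.168.0.1     tcp     9090
# Let ssh in to the firewall itself. Without this the net->$FW DROP policy
# above cuts off remote administration after the restart.
ACCEPT  net     $FW                 tcp     22
# SMB from the Internet is already dropped by policy; an explicit REJECT
# answers with an ICMP/RST error instead of letting the client time out.
REJECT  net     $FW                 tcp     139

# /etc/shorewall/shorewall.conf   (only the setting this setup depends on)
IP_FORWARDING=On
```

Before the restart, run `shorewall check` to have the compiler validate all of the files; it catches a typo in a zone name or a missing column before any rule is loaded. If you are editing over ssh, `shorewall try /etc/shorewall 60` loads the new configuration and reverts to the previous one after 60 seconds unless you confirm, which is the safe way to test a policy change that could lock you out.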