
Re: OT: Re: Firewalling: best approach?



Greetz,

Firstly I'm only top posting to keep with the flow...

secondly, I agree with Mark, I've used shorewall and found it really easy to use especially when you are lazy++ like me...

After installing shorewall "apt-get install shorewall shorewall-docs" you will need to set:
	
Firewall:~# vi /etc/default/shorewall
Now simply change
startup = 0
to
startup = 1
save, and exit.


   Shorewall configuration files are stored in two separate places:
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.

   On the Debian package version of shorewall, /etc/shorewall is rather empty. Luckily, we're provided with default configuration files in /usr/share/doc/shorewall/default-config

   Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:

Firewall:~# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now our /etc/shorewall directory should have default copies of all the config files. Next we modify a few of them to get our firewall in basic working order. I'm only going to cover the basic configurations necessary to get the firewall working. Please read the documentation in each config file you edit so you can fully understand what each step is really doing!

Taken from: http://www.cyberdogtech.com/firewalls/firewall/

Take a look at that website; it has a couple of nice tips... also read the conf files, that should help a lot as well :)

Good luck....

M. Maas wrote:
Hi,

Listen I don't want to be an ass... No really.. I don't!

But would the use of shorewall not make it easier? Or even the IPcop
distribution?

Seriously, I'd like to know the reasoning behind choosing the manual
route instead of an easier automated one.

Thanks,
Mark

Bradley Alexander wrote:
I am trying to configure a firewall, but nailing down the configuration
is eluding me. The box is running Debian stable. I have tried with
iproute2 (I'm including a description below), but not gotten the
intended effect. I have tried the lartc list, to no avail. A friend of
mine suggested setting up a virtual server for one set of interfaces and
running the other set on the native machine. Which is the best approach
to this? Muddling through the iproute2 configuration, or the virtual
server route? If virtual server, which would be the best one? Qemu? Xen?
VMware player or server (Free as in beer, but not as in speech)?
Basically, I have a rackmount server with six network interfaces (2
onboard and a quad card). eth0 is the internal network, eth1 is a kiosk
network, eth2 is a DMZ/wireless network. On the outbound side, eth3 is a
DSL connection and eth4 is a cablemodem connection.

What I am trying to do is route all internal traffic out the DSL
connection (eth0 to eth3), and the two dmzs, kiosk and wireless out the
cable connection (eth1 and eth2 to eth4). Thus far as I have been unable
to get this to work.

For the sake of the discussion, the internal network is 10.1.1.0/24, the
kiosk is 172.16.1.0/24 and the dmz/wireless is 192.168.1.0/24. The dsl
line is 1.2.3.4 and the cable line is 9.8.7.6.

I added the following to rt_tables:

1       internal
2       kiosk
3       dmz

then created a script

ip rule add from 10.1.1.0/24 table internal
ip route add default via 1.2.3.4 dev eth3 table internal

ip rule add from 172.16.1.0/24 table kiosk
ip route add default via 9.8.7.6 dev eth4 table kiosk

ip rule add from 192.168.1.0/24 table dmz
ip route add default via 9.8.7.6 dev eth4 table dmz

When I run this script, it does not do what I expect, especially after
running the firewall rules atop it. I thought I had it nailed, but it
wasn't working as expected, and I really couldn't test very well.

I'm hoping some kind soul on this list might have a few minutes for an
email exchange to help me get this sorted out. If so, please email me
off-list. I'm sure it's probably something that I overlooked, but I'm at
a loss as to what.

Regards,
--b





--

------------------------------------------------------------------------
*Clifford W. Hansen*
Web Developer / Linux Administrator

*NiGhTHawK Productions*

*E*: *cliffordh@wbs.co.za* <mailto:cliffordh@wbs.co.za>
*M*: +27 82 883 8677

This email and all contents are subject to the following disclaimer:

Unauthorised use of characters, images, sounds, odors, severed limbs,
noodles, weird dreams,
strange looking fruit, oxygen, and certain parts of Jupiter are strictly
forbidden.

If I find you violating, or molesting my property in any way, I will
employ a pair of burly convicts to find you,
kidnap you, and perform god-awful sexual experiments on you until you
lose the ability to sound out vowels.

I don't know why you are still reading this, but by doing so you have
proven that you have far too much time on
your hands, and you should go plant a tree, or read a book or something.

------------------------------------------------------------------------

(\ /) (\ /) (\ /) (\ /)
(^.^) (-.-) (b.d) (O.o)
(b d) (> <) (o o) (> <)

These are Little rabbits, and only one of them is being screwed over by
Telkom, can you guess which one?
Every time Telkom tells a lie, one of them dies. So please, -please-
Telkom - think of the innocent little rabbits!

------------------------------------------------------------------------
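The "manual route" Bradley describes (three routing tables, one `ip rule` per source subnet) is the right mechanism; the points his script leaves out are that the `via` address of each default route has to be the ISP's next hop rather than the box's own uplink address, that each table also needs routes back to the directly connected LANs, that the routing cache has to be flushed after the rules change, and that traffic leaving each uplink needs NAT to that uplink's address. The script below is an added example, not code from the original thread or from any Shorewall or Debian package. It takes the subnets, interfaces and uplink addresses from the thread; the gateway addresses `1.2.3.1` and `9.8.7.1` are assumed placeholders (substitute the values your ISPs gave you). With `DRY_RUN=1` (the default) it only prints the commands it would run, so the logic can be inspected offline; run it as root with `DRY_RUN=0` to apply.

```shell
#!/bin/sh
# Added example: source-based policy routing for a box with three LANs
# and two uplinks, as described in the thread. Constructed values; the
# gateway addresses in particular are ASSUMED placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# LAN side (from the thread)
INT_IF=eth0;   INT_NET=10.1.1.0/24
KIOSK_IF=eth1; KIOSK_NET=172.16.1.0/24
DMZ_IF=eth2;   DMZ_NET=192.168.1.0/24

# Uplinks. 1.2.3.4 / 9.8.7.6 are the box's OWN addresses on eth3 / eth4.
# A default route needs the ISP's next hop as "via", not the local
# address, so the gateways are assumptions, overridable via environment.
DSL_IF=eth3;   DSL_ADDR=1.2.3.4;   DSL_GW="${DSL_GW:-1.2.3.1}"
CABLE_IF=eth4; CABLE_ADDR=9.8.7.6; CABLE_GW="${CABLE_GW:-9.8.7.1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Populate one routing table (name must exist in /etc/iproute2/rt_tables)
# so that everything not destined for a local LAN leaves via one uplink.
setup_table() {
    table="$1"; ifname="$2"; gw="$3"
    run ip route flush table "$table"
    # Every table needs the connected LANs, otherwise a packet that
    # matched into "internal" cannot be routed back to the kiosk or DMZ.
    run ip route add "$INT_NET"   dev "$INT_IF"   table "$table"
    run ip route add "$KIOSK_NET" dev "$KIOSK_IF" table "$table"
    run ip route add "$DMZ_NET"   dev "$DMZ_IF"   table "$table"
    run ip route add default via "$gw" dev "$ifname" table "$table"
}

# Explicit priorities keep the rules ordered and make them easy to
# delete later without touching the kernel's local/main/default rules.
add_rule() {
    run ip rule add from "$1" table "$2" priority "$3"
}

apply_policy_routing() {
    setup_table internal "$DSL_IF"   "$DSL_GW"
    setup_table kiosk    "$CABLE_IF" "$CABLE_GW"
    setup_table dmz      "$CABLE_IF" "$CABLE_GW"

    add_rule "$INT_NET"   internal 100
    add_rule "$KIOSK_NET" kiosk    101
    add_rule "$DMZ_NET"   dmz      102

    # Rule/table edits are not honoured until the route cache is flushed;
    # forgetting this is the classic "it does nothing" symptom.
    run ip route flush cache

    # Private source addresses must be rewritten to the address of the
    # uplink they leave on, or the ISP discards the replies. SNAT rather
    # than MASQUERADE because both uplink addresses are static.
    run iptables -t nat -A POSTROUTING -s "$INT_NET"   -o "$DSL_IF"   -j SNAT --to-source "$DSL_ADDR"
    run iptables -t nat -A POSTROUTING -s "$KIOSK_NET" -o "$CABLE_IF" -j SNAT --to-source "$CABLE_ADDR"
    run iptables -t nat -A POSTROUTING -s "$DMZ_NET"   -o "$CABLE_IF" -j SNAT --to-source "$CABLE_ADDR"
}

# Helper for checking a dry run: number of "ip rule add" lines emitted.
count_rules() {
    apply_policy_routing | grep -c '^ip rule add'
}

# Run the dry run when invoked directly as a script.
case "${0##*/}" in
    policy-routing.sh) apply_policy_routing ;;
esac
```

Apply the firewall ruleset after this script, not before: an iptables `FORWARD` policy of DROP with no accept rules for the three LANs looks exactly like broken routing, which is the "especially after running the firewall rules atop it" symptom. Shorewall drives the same `ip rule`/`ip route` machinery from its `/etc/shorewall/providers` file; if you go that way, do not also run this script, or the two will fight over the same tables.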


