Re: Multiple firewall profiles with shorewall
On 10/26/06, Douglas Tutty <firstname.lastname@example.org> wrote:
> On Thu, Oct 26, 2006 at 12:13:53PM -0400, celejar wrote:
> > I use shorewall to create a local (personal) firewall on my sid
> > machine. I have a wireless nic which is sometimes connected to my
> > private wireless network which I control and can secure (with WPA or
> > WPA2), and sometimes to other networks which are insecure (e.g. airport
> > hotspot). I use ifscheme to manage the different network
> > configurations, and I obviously have different security assumptions
> > about the two situations. What is the standard way to have shorewall
> > treat the two situations differently? I'm using the Madwifi driver, so
> > a simple trick is to simply bring up the card as ath0 on the private
> > network and ath1 on the public network and to write shorewall config
> > files accordingly, but this is a bit of a kludge and not portable to
> > other drivers.
> > The most straightforward technique I can think of is to call pre-up
> > scripts in /etc/network/interfaces that will manipulate the shorewall
> > config files (e.g. modify /etc/shorewall/zones, policy, and/or rules)
> > but I'm wondering if there's a more standard way to do this - it seems
> > like a fairly common requirement.
>
> How would you treat the two networks differently? What ports would you
> have open on one and not the other? There may be more than shorewall to

I doubt I'd want to open port 22 and allow brute force ssh attacks,
for example. There are also other services that I run for the benefit of
my local systems that I would either have to stop or take much more
care to harden.

> take into consideration. If a firewall is just the last step of
> securing the box, how do you, for example, tell ssh to allow connections
> from one and not the other if they are both ath0?

That's exactly why I want the firewall to block ssh connections when
I'm on a public network.

> Personally, I like your kludge with ath0/ath1. I don't know to what you
> refer as not portable to other drivers. If it changed to eth0/1 you
> would have to change the shorewall config file anyway.

I believe that many (most?) drivers don't offer you a choice of names
for the interfaces they find.

> Could you use an alias in /etc/network/interfaces to have more than one
> IP address on the one card? Can ifscheme create ath0/1 itself? If
> either of these works, then shorewall can have a fixed config.

I believe that they are both possible, but I don't understand how the
former would solve the problem, and the latter seems to involve what
I'm calling the Madwifi kludge. I may just be misunderstanding your
suggestion; please explain further if that's the case.

> Then again, I've never done wireless networking.
Thanks for the ideas!
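The thread's "pre-up script" idea, worked through as an added example (not code from either poster and not part of shorewall itself). It assumes ifscheme passes the scheme name to a pre-up line in /etc/network/interfaces, that per-profile rules files live under a constructed /etc/shorewall/profiles directory, and that shorewall accepts an extra directory argument on restart that it searches before its normal CONFIG_PATH. The point for a defender is that the selection fails closed: any scheme name that is not explicitly the trusted one gets the public (nothing-inbound) profile, so a typo can never leave port 22 open on a hotspot.

```shell
#!/bin/sh
# Added example, not from the thread: choose a shorewall profile from the
# ifscheme scheme name given on the command line, defaulting to the
# restrictive profile for anything unrecognised.
#
# Assumed layout (constructed for this example):
#   $PROFILE_ROOT/private/rules   trusted WPA network, ssh allowed
#   $PROFILE_ROOT/public/rules    hotspot, nothing accepted inbound
# zones/policy/interfaces stay in /etc/shorewall with a DROP policy for
# net->fw; only the rules file is swapped per profile.

PROFILE_ROOT="${PROFILE_ROOT:-/etc/shorewall/profiles}"

# Map a scheme name to a profile directory. Only the names listed as
# trusted get the private profile; everything else is treated as public.
profile_dir() {
    case "$1" in
        home|private) echo "$PROFILE_ROOT/private" ;;
        *)            echo "$PROFILE_ROOT/public" ;;
    esac
}

# Emit the shorewall rules file for a profile (assumed rules syntax:
# ACTION SOURCE DEST PROTO DEST-PORT). Only the private profile opens
# anything; the public profile relies entirely on the DROP policy.
profile_rules() {
    case "$1" in
        private)
            printf '%s\n' \
                '#ACTION SOURCE DEST PROTO DEST' \
                'ACCEPT  net    $FW  tcp   22' ;;
        public)
            printf '%s\n' \
                '#ACTION SOURCE DEST PROTO DEST' \
                '# nothing accepted inbound; net->fw policy is DROP' ;;
        *) return 1 ;;
    esac
}

# Write both profile directories so the files can be reviewed on disk.
write_profiles() {
    for p in private public; do
        mkdir -p "$PROFILE_ROOT/$p" || return 1
        profile_rules "$p" > "$PROFILE_ROOT/$p/rules" || return 1
    done
}

# Apply the chosen profile. The directory argument to restart is assumed
# from shorewall's documented "shorewall restart [<directory>]" form.
apply_profile() {
    dir=$(profile_dir "$1")
    [ -f "$dir/rules" ] || { echo "missing $dir/rules" >&2; return 1; }
    if command -v shorewall >/dev/null 2>&1; then
        shorewall restart "$dir"
    else
        echo "would run: shorewall restart $dir"
    fi
}

# Usage from /etc/network/interfaces with ifscheme (assumed naming):
#   iface ath0-home inet dhcp
#       pre-up /usr/local/sbin/shorewall-profile home
#   iface ath0-hotspot inet dhcp
#       pre-up /usr/local/sbin/shorewall-profile hotspot
case "${1:-}" in
    "") ;;                                  # no argument: only define functions
    *)  write_profiles && apply_profile "$1" ;;
esac
```

Because the rules are applied in pre-up, the restrictive profile is in place before the interface carries traffic; running it post-up would leave a window in which the previous network's rules still apply.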