Re: Shorewall


To Debian CZ/SK project discussion list <czdebian-l zavinac debian bod cz>
From Martin Slouf <mar zavinac centrum bod cz>
Date Fri, 10 Mar 2006 02:13:03 +0100
Mail-followup-to Debian CZ/SK project discussion list <czdebian-l zavinac debian bod cz>
User-agent Mutt/1.5.11+cvs20060126

It is possible; it differs slightly depending on the Shorewall version, but
the differences are not that fundamental. E.g. for v3.0 (Debian unstable):

The key file is hosts, where you define exactly those ranges; after that it is
easy: each range is given a name (its own zone) and can be treated as a
zone.

I assume the goal is for machines on the local network to be able to reach
various services while machines from the Internet cannot reach those services,
with the machine having only one interface and Internet machines reaching it
e.g. via port forwarding? Below are excerpts from my configuration:

- - - - /etc/shorewall/hosts

#ZONE           HOST(S)                         OPTIONS

net             eth0:!192.168.2.0/24
loc             eth0:192.168.2.0/24

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

- - - - /etc/shorewall/interfaces

#ZONE    INTERFACE      BROADCAST       OPTIONS

-        eth0           detect          dhcp

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

- - - - /etc/shorewall/policy

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL

$FW             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

$FW             loc             ACCEPT
loc             $FW             ACCEPT

#LAST LINE -- DO NOT REMOVE

- - - - /etc/shorewall/zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS

fw      firewall
net     ipv4
loc     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

- - - - /etc/shorewall/rules

ACCEPT   net            $FW             tcp     ssh
ACCEPT   net            $FW             tcp     8080
ACCEPT   net            $FW             tcp     8443
ACCEPT   net            $FW             tcp     2401
ACCEPT   net            $FW             tcp     5901
ACCEPT   net            $FW             tcp     5902

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I hope this helped.

For further information, see the Shorewall documentation.

m.

On Thu, Mar 09, 2006 at 06:12:44PM +0100, Dodik zavinac xnetpn bod sk wrote:
> Hello,
> I would like to know whether it is possible (and if so, how) to set up
> Shorewall so that different settings (for example port blocking) apply to
> the IPs 192.168.111.x than to the IPs 192.168.112.x???
> 
> And one more question, which I probably should have asked earlier, is
> whether Shorewall can work with two ranges (111.x and 112.x) on eth1???
> 
> Thank you very much for your answers...
> 
> Best regards, Dodik
> ________________________________________________
> CZdebian-l maillist  -  CZdebian-l zavinac debian bod cz
> http://www.debian.cz/mailman/listinfo/czdebian-l
> E-mail (un)subscriptions: czdebian-l-request zavinac debian bod cz
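The same hosts-file technique applied to the case asked about above: two zones carved out of a single eth1, each with its own rules, as an added illustration that is not part of either message. It assumes Shorewall 3.0 syntax as shown in the reply, that eth0 faces the Internet, and the zone names lan1/lan2 and the port lists are made up for the example.

```conf
# /etc/shorewall/zones (assumed layout; lan1/lan2 are names chosen for this example)
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4
lan1    ipv4
lan2    ipv4

# /etc/shorewall/interfaces
# eth0 is assumed to be the Internet side; eth1 carries both ranges,
# so its zone is "-" and the zones are assigned in the hosts file instead.
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth0           detect
-        eth1           detect

# /etc/shorewall/hosts
# One zone per address range on the same interface.
#ZONE           HOST(S)                         OPTIONS
lan1            eth1:192.168.111.0/24
lan2            eth1:192.168.112.0/24

# /etc/shorewall/policy
# Both ranges may go out to the Internet; nothing from net is accepted
# unless a rule says so, and anything else is rejected and logged.
#SOURCE         DEST            POLICY          LOG LEVEL
$FW             net             ACCEPT
lan1            net             ACCEPT
lan2            net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

# /etc/shorewall/rules
# Different access per range: lan1 gets ssh and the web ports,
# lan2 only plain HTTP; everything else falls through to the REJECT policy.
#ACTION  SOURCE         DEST            PROTO   DEST PORT(S)
ACCEPT   lan1           $FW             tcp     ssh
ACCEPT   lan1           $FW             tcp     80,443
ACCEPT   lan2           $FW             tcp     80
```

A connection from 192.168.112.5 to port 22 on the firewall thus hits the `all all REJECT info` policy and shows up in the log, which is a quick way to confirm the two ranges really are being treated as separate zones.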

