Re: Shorewall


To "Debian CZ/SK project discussion list" <czdebian-l zavinac debian bod cz>
From Dodik zavinac xnetpn bod sk
Date Fri, 10 Mar 2006 14:12:06 +0100 (CET)
Importance Normal
User-agent SquirrelMail/1.4.6 [CVS]

Well, I probably described what I need badly :)
What I had in mind was more something like this: my Internet connection goes
through eth0, and on eth1 I have the networks 192.168.111.x and 192.168.112.x;
on 111.x I would like to block some services, and on 112.x I would like to
allow more...



> It is possible; it differs slightly depending on the Shorewall version --
> however, the differences are not that significant. E.g. for v.3.0 (Debian
> unstable):
>
> The key is the hosts file, where exactly those ranges are set; after that it
> is easy -- each range is named (its own zone) and can be handled like a
> zone.
>
> I assume the purpose is that computers on the local network can access
> various services, while computers from the Internet cannot reach these
> services, where the computer has only one interface and computers from the
> Internet reach it e.g. via port forwarding? Below are excerpts from my
> configuration:
>
> - - - - /etc/shorewall/hosts
>
> #ZONE           HOST(S)                         OPTIONS
>
> net             eth0:!192.168.2.0/24
> loc             eth0:192.168.2.0/24
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> - - - - /etc/shorewall/interfaces
>
> #ZONE    INTERFACE      BROADCAST       OPTIONS
>
> -        eth0           detect          dhcp
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> - - - - /etc/shorewall/policy
>
> #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
> #                                               LEVEL
>
> $FW             net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
> $FW             loc             ACCEPT
> loc             $FW             ACCEPT
>
> #LAST LINE -- DO NOT REMOVE
>
> - - - - /etc/shorewall/zones
>
> #ZONE   TYPE    OPTIONS                 IN                      OUT
> #                                       OPTIONS                 OPTIONS
>
> fw      firewall
> net     ipv4
> loc     ipv4
>
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> - - - - /etc/shorewall/rules
>
> ACCEPT   net            $FW             tcp     ssh
> ACCEPT   net            $FW             tcp     8080
> ACCEPT   net            $FW             tcp     8443
> ACCEPT   net            $FW             tcp     2401
> ACCEPT   net            $FW             tcp     5901
> ACCEPT   net            $FW             tcp     5902
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> I hope that helped.
>
> For more information, you can consult the Shorewall documentation.
>
> m.
>
> On Thu, Mar 09, 2006 at 06:12:44PM +0100, Dodik zavinac xnetpn bod sk wrote:
>> Hello,
>> I would like to know whether it is possible (and if so, how) to configure
>> Shorewall so that different settings (for example port blocking) apply to
>> IPs 192.168.111.x than to IPs 192.168.112.x???
>>
>> And one more question, which I probably should have asked first: is it
>> possible for Shorewall to work with two ranges (111.x and 112.x) on eth1???
>>
>> Thank you very much for your answers...
>>
>> Regards, Dodik
>> ________________________________________________
>> CZdebian-l maillist  -  CZdebian-l zavinac debian bod cz
>> http://www.debian.cz/mailman/listinfo/czdebian-l
>> E-mail (un)subscriptions: czdebian-l-request zavinac debian bod cz
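
An added example, not part of the original thread: the hosts-file approach from the quoted reply applied to the layout described at the top of this message (Internet on eth0, 192.168.111.x and 192.168.112.x both on eth1), in Shorewall 3.0 file syntax. The zone names lan1 and lan2 and the choice of allowed services are assumptions made for illustration.

```conf
# ---- /etc/shorewall/zones
# lan1 = 192.168.111.0/24 (restricted), lan2 = 192.168.112.0/24 (more open);
# both zone names are hypothetical.
#ZONE   TYPE
fw      firewall
net     ipv4
lan1    ipv4
lan2    ipv4

# ---- /etc/shorewall/interfaces
# eth1 gets no zone of its own ("-"); its zones are defined in hosts.
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
-       eth1            detect

# ---- /etc/shorewall/hosts
#ZONE   HOST(S)                         OPTIONS
lan1    eth1:192.168.111.0/24
lan2    eth1:192.168.112.0/24

# ---- /etc/shorewall/policy
# The first matching line wins, so specific pairs come before "all all".
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
lan2    net     ACCEPT
lan1    net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# ---- /etc/shorewall/rules
# Exceptions to the policies above. The services listed are assumptions:
# lan1 may only browse the web and resolve names on external DNS servers,
# lan2 may additionally administer the firewall over ssh.
# NAT for the private ranges (/etc/shorewall/masq) is assumed to be
# configured already and is not shown.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  lan1    net     tcp     80,443
ACCEPT  lan1    net     udp     53
ACCEPT  lan1    net     tcp     53
ACCEPT  lan2    $FW     tcp     ssh
```

Because both ranges share eth1, zone membership rests only on the source address, so a host that readdresses itself into 192.168.112.0/24 receives the lan2 rules; separate interfaces or VLANs are needed where that matters. Running `shorewall check` validates the files before the firewall is restarted.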


