Hello,

I set up shorewall on my Gentoo firewall/router for the first time
yesterday. I had been using the iptables commands specified in the
Gentoo Home Router Guide before. I used this:

http://www.shorewall.net/two-interface.htm

and ran into some trouble as the two-interface example files installed
with the package didn't match the ones described in the above
document. I ended up with the following and I was hoping someone
could have a quick look and tell me if it's secure enough and not
overly redundant.

Wireless ath0 is on the local subnet. eth0 is attached to a DSL modem
which (unfortunately) also happens to be a router with IP address
192.168.1.1. I configured that modem/router to do static NAT and
forward all ports to the Gentoo firewall/router and I disabled
everything on it I could (DNS, DHCP, etc.). The Gentoo
firewall/router provides DNS via dnsmasq and all the machines on the
network configure IPs manually so there is no DHCP anywhere.

/etc/shorewall/zones:

fw firewall
net ipv4
loc ipv4

/etc/shorewall/interfaces:

# I removed norfc1918 from the net OPTIONS because eth0
# has IP 192.168.1.2 from the modem/router. Bad idea?
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc ath0 detect tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:

loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info

/etc/shorewall/rules:

DNS/ACCEPT $FW net
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
# Bittorrent
DNAT net loc:192.168.0.3 tcp 6881:6999
DNAT net loc:192.168.0.3 udp 6881:6999

/etc/shorewall/masq:

eth0 ath0

/etc/shorewall/routestopped:

ath0 -

Should I be using an ipp2p PROTO designation with my Bittorrent rules?

Would you bother to run a firewall on the machines connected to the
Gentoo firewall/router?

- Grant
--
gentoo-user@g.o mailing list
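The "overly redundant" question in the post can be answered mechanically. The script below is an added example, not part of the post and not Shorewall's own code: it reads the zones and policy files quoted above (embedded here as constructed sample strings) and walks the policy top to bottom under the assumption that the first line whose SOURCE and DEST match a (source zone, destination zone) pair decides that pair, that `all` expands to every zone in the zones file (intra-zone pairs such as loc->loc included), and that `$FW` is the zone of type `firewall`. Function names (`analyse_policy`, `undecided_pairs`, `expand`) are mine.

```python
"""Shadowing check for a Shorewall policy file (added example, not Shorewall code).

Model assumed here: policy lines are tried top to bottom and the first line whose
SOURCE and DEST match a (source zone, destination zone) pair decides that pair;
``all`` expands to every zone in /etc/shorewall/zones, intra-zone pairs
(loc->loc, net->net, ...) included; ``$FW`` is the zone whose type is ``firewall``.
"""
from typing import Dict, Iterator, List, Tuple

Pair = Tuple[str, str]

# Constructed sample input: the zones and policy files from the post above.
ZONES_FILE = """\
fw firewall
net ipv4
loc ipv4
"""

POLICY_FILE = """\
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
"""


def _entries(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (line number, fields) for non-blank, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            yield n, body.split()


def parse_zones(text: str) -> Tuple[List[str], str]:
    """Return (zone names in file order, name of the firewall zone)."""
    zones: List[str] = []
    fw_zone = None
    for _, fields in _entries(text):
        zones.append(fields[0])
        if len(fields) > 1 and fields[1] == "firewall":
            fw_zone = fields[0]
    if fw_zone is None:
        raise ValueError("zones file has no zone of type 'firewall'")
    return zones, fw_zone


def expand(name: str, zones: List[str], fw_zone: str) -> List[str]:
    """Expand a SOURCE/DEST column value to the concrete zones it covers."""
    if name == "all":
        return list(zones)
    if name == "$FW":
        return [fw_zone]
    if name not in zones:
        raise ValueError(f"unknown zone {name!r}")
    return [name]


def analyse_policy(zones_text: str, policy_text: str):
    """Walk the policy top to bottom, recording which pairs each line decides.

    Returns (report, effective): report has one dict per policy line with the
    pairs it newly decides and a 'shadowed' flag set when earlier lines already
    decide every pair it could match; effective maps each decided pair to
    (line number, action).
    """
    zones, fw_zone = parse_zones(zones_text)
    effective: Dict[Pair, Tuple[int, str]] = {}
    report = []
    for n, fields in _entries(policy_text):
        if len(fields) < 3:
            raise ValueError(f"policy line {n}: expected SOURCE DEST POLICY")
        src, dst, action = fields[:3]
        new_pairs: List[Pair] = []
        for s in expand(src, zones, fw_zone):
            for d in expand(dst, zones, fw_zone):
                if (s, d) not in effective:
                    effective[(s, d)] = (n, action)
                    new_pairs.append((s, d))
        report.append({"line": n, "text": " ".join(fields),
                       "new_pairs": new_pairs, "shadowed": not new_pairs})
    return report, effective


def undecided_pairs(zones_text: str, policy_text: str) -> List[Pair]:
    """Zone pairs that no policy line decides at all."""
    zones, _ = parse_zones(zones_text)
    _, effective = analyse_policy(zones_text, policy_text)
    return [(s, d) for s in zones for d in zones if (s, d) not in effective]


if __name__ == "__main__":
    report, effective = analyse_policy(ZONES_FILE, POLICY_FILE)
    for r in report:
        status = ("SHADOWED" if r["shadowed"]
                  else ", ".join(f"{s}->{d}" for s, d in r["new_pairs"]))
        print(f"line {r['line']:2}: {r['text']:<22} {status}")
    print("undecided:", undecided_pairs(ZONES_FILE, POLICY_FILE))
```

Under this model the three `X all` lines each decide only the intra-zone pair (loc->loc, fw->fw, net->net) that the two lines above them left open, and the final `all all REJECT info` decides nothing that an earlier line has not already settled, which is exactly the redundancy the post asks about. Whether intra-zone pairs ever traverse the router depends on the topology, so treat those rows as "would be decided by" rather than live traffic. Keeping the catch-all is still the usual habit (the Shorewall two-interface sample ends with it), because it guarantees a zone added later without its own policy line is rejected and logged rather than left undecided; the script's `undecided_pairs` result is the check for that case.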