Gentoo Archives: gentoo-user

From: Grant <emailgrant@×××××.com>
To: Gentoo mailing list <gentoo-user@l.g.o>
Subject: [gentoo-user] {OT} Shorewall config check
Date: Fri, 09 Feb 2007 17:08:05
Message-Id: 49bf44f10702090902s2f5572dcq87f9c4e11d0026d7@mail.gmail.com
Hello,

I set up shorewall on my Gentoo firewall/router for the first time
yesterday. I had been using the iptables commands specified in the
Gentoo Home Router Guide before. I used this:

http://www.shorewall.net/two-interface.htm

and ran into some trouble as the two-interface example files installed
with the package didn't match the ones described in the above
document. I ended up with the following and I was hoping someone
could have a quick look and tell me if it's secure enough and not
overly redundant.

Wireless ath0 is on the local subnet. eth0 is attached to a DSL modem
which (unfortunately) also happens to be a router with IP address
192.168.1.1. I configured that modem/router to do static NAT and
forward all ports to the Gentoo firewall/router and I disabled
everything on it I could (DNS, DHCP, etc.). The Gentoo
firewall/router provides DNS via dnsmasq and all the machines on the
network configure IPs manually so there is no DHCP anywhere.

/etc/shorewall/zones:

fw firewall
net ipv4
loc ipv4

/etc/shorewall/interfaces:

# I removed norfc1918 from the net OPTIONS because eth0
# has IP 192.168.1.2 from the modem/router. Bad idea?
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc ath0 detect tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:

loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info

/etc/shorewall/rules:

DNS/ACCEPT $FW net
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
# Bittorrent
DNAT net loc:192.168.0.3 tcp 6881:6999
DNAT net loc:192.168.0.3 udp 6881:6999

/etc/shorewall/masq:

eth0 ath0

/etc/shorewall/routestopped:

ath0 -

Should I be using an ipp2p PROTO designation with my Bittorrent rules?

Would you bother to run a firewall on the machines connected to the
Gentoo firewall/router?

- Grant
--
gentoo-user@g.o mailing list
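As an added illustration of the "not overly redundant" question in the post above (this is example code, not part of the original message and not Shorewall's own tooling), the following Python script reads the zone list and policy table exactly as posted and reports which policy rows can never be reached. It assumes Shorewall's first-match lookup on (source zone, destination zone) pairs, with `all` as a wildcard and `$FW` as an alias for the `fw` zone; intra-zone pairs such as `loc` to `loc` are enumerated like any other pair, which is a simplification of how Shorewall actually handles them. The policy text embedded in the script is copied from the post; the zone names come from the posted /etc/shorewall/zones.

```python
"""Policy-shadowing check for a Shorewall-style /etc/shorewall/policy table.

Constructed example (not Shorewall's own tooling). It models Shorewall's
first-match lookup over (source zone, destination zone) pairs, where `all`
is a wildcard and `$FW` names the firewall zone, and reports policy rows
that are never reached because earlier rows already cover every pair they
could match. Intra-zone pairs are treated like any other pair (assumption).
"""

# Zone names declared in the posted /etc/shorewall/zones.
ZONES = ["fw", "net", "loc"]

# Policy table copied from the post.
POLICY_TEXT = """\
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
"""


def parse_policy(text, fw_zone="fw"):
    """Return (source, dest, action, log_level) tuples; '#' comments and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        src, dst, action = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        src = fw_zone if src == "$FW" else src
        dst = fw_zone if dst == "$FW" else dst
        rows.append((src, dst, action.upper(), level))
    return rows


def expand(row, zones):
    """Concrete (src, dst) pairs a row can match; `all` expands to every zone."""
    src, dst = row[0], row[1]
    srcs = zones if src == "all" else [src]
    dsts = zones if dst == "all" else [dst]
    return {(s, d) for s in srcs for d in dsts}


def shadowed_rows(rows, zones):
    """0-based indices of rows whose every pair an earlier row already matched."""
    covered = set()
    shadowed = []
    for i, row in enumerate(rows):
        pairs = expand(row, zones)
        if pairs <= covered:
            shadowed.append(i)
        covered |= pairs
    return shadowed


def unknown_zones(rows, zones):
    """Zone names used in the policy that are not declared in the zones file."""
    known = set(zones) | {"all"}
    return sorted({z for row in rows for z in row[:2] if z not in known})


def effective_policy(rows, zones):
    """Map every (src, dst) pair to the action of the first matching row, or None."""
    table = {}
    for s in zones:
        for d in zones:
            table[(s, d)] = next((r[2] for r in rows if (s, d) in expand(r, zones)), None)
    return table


if __name__ == "__main__":
    rows = parse_policy(POLICY_TEXT)
    for name in unknown_zones(rows, ZONES):
        print(f"undeclared zone: {name}")
    for i in shadowed_rows(rows, ZONES):
        src, dst, action, _ = rows[i]
        print(f"policy row {i + 1} ({src} {dst} {action}) is never reached")
    for (s, d), action in sorted(effective_policy(rows, ZONES).items()):
        print(f"{s:>4} -> {d:<4} {action}")
```

Run as-is, the script reports that the final `all all REJECT info` row is never reached with these three zones, because each source zone already has its own `all` row that catches the remainder; the per-zone `all` rows themselves are not shadowed, since they are the only rows that cover the intra-zone pairs in this model. The effective-policy table it prints is a quick way to confirm that every zone pair ends on the action you intended before relying on the rules file for exceptions.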