On Sat, 03 Mar, 2007 at 12:23:10 +0100, Sandy Drobic wrote: <snip>
Can you set up rules for outgoing traffic in Shorewall?
Certainly, and quite easily too. I'll refrain from quoting documentation (too much) and instead you try to give a short high-vantagepoint view: Shorewall uses the concept of 'zones'. Nothing works without them, but you can basically make as many as you want. Interfaces are associated with a zone, and traffic can be allowed/dropped/rejected/nat'ed/proxyarp'ed/etc'ed between zones in more or less any fashion you can think of. Usually a 'single-interface' installation would have just two zones; 'net' and 'fw'. A typical two-interface 'router' setup would have three zones; net, fw and lan. Basically you define a set of policies, and then set up exceptions in the 'rules' file, which has a pretty simple and (to me at least) intuitive layout: <quote> # Example: You want to accept SSH connections to your firewall only # from internet IP addresses 130.252.100.69 and # 130.252.100.70 # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # ACCEPT net:130.252.100.69,130.252.100.70 $FW tcp 22 </quote> So to permanently drop specific 'outgoing' traffic it would be something like; DROP lan net tcp 1863 -in /etc/shorewall/rules, followed by shorewall restart As such Shorewall is 'just' a bunch of shell-scripts which parse the config-files to 'compile' iptables statements. This means that it will run on just about anything, even if it may take a while to complete on 'skinny' hardware. In order to alleviate this, Shorewall now includes a 'just read the config and output the iptables statements to a file' option. This way you can have Shorewall create the actual configuration. The created file can then be reused on subsequent boots, where it will just be executed without any parsing at all. I'm by no means an iptables authority, and I'll probably never become one either. This doesn't mean that I don't sometimes want or need firewall configurations more complex than what SuSEfirewall (f.x.) has to offer. What is *does* mean, however, is that the need to add custom iptables rules to some local firewall file invariably makes me shake my head and wonder: "What's the point of having something like SuSEfirewall, if it *still* means that I have to write 'raw' iptables?" Personally I wish SuSE would just drop SuSEfirewall, and include Shorewall instead. I don't expect it to happen anytime soon though, so I recently went ahead and repackaged the rpm to match the SuSE environment. Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they probably contain packaging errors. Still, if someone wants to check them out, contact me privately. /Jon -- YMMV -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org