On Wed, 2003-06-04 at 04:41, Ian David Laws wrote:
> On Wednesday 04 June 2003 01:16, Richard wrote:
> > On Tue, 2003-06-03 at 17:07, Ian David Laws wrote:
> > > On Tuesday 03 June 2003 18:58, Richard wrote:
> > > > user-0ceicg1.ca
> > >
> > > I would be interested in how you set up shorewall, and I do believe Tom would like to know as well, since it is his firewall.
> >
> > My setup is not all that complicated. I'm using ver 1.4.2 right now. I begin with the basic two-interface setup. I had to switch eth0 and eth1, as eth1 is my connection to the cable modem. The policy file is set to DROP all inputs to eth1. As I now use the Vonage VoIP system for my phone, I changed the rules to the following:
> >
> > #ACTION  SOURCE  DEST               PROTO  DEST         SOURCE  ORIGINAL
> > #ACCEPT  fw      net                tcp    53
> > ACCEPT   fw      net                udp    53
> > ACCEPT   loc     fw                 udp    53
> > ACCEPT   fw      loc                udp    53
> > ACCEPT   loc     fw                 tcp    53
>
> If you have your own DNS server and are sending your DNS info to the net, then okay. But if not, you do not need the TCP port (transfer data) open; it is enough when UDP (query) is open.

I have a DNS server, but only to the subnet. Closed the tcp 53.

> > #
> > # Accept SSH connections from the local network for administration
> > #
> > ACCEPT   loc     fw                 tcp    22
> > ACCEPT   fw      loc                tcp    22
> > ACCEPT   loc     fw                 tcp    20
> > ACCEPT   fw      loc                tcp    20
> > ACCEPT   loc     fw                 tcp    21
> > #ACCEPT  fw      loc                tcp    21
>
> Why use ftp when sftp or scp is just as good? (PuTTY for M$ machines)

Primarily 'cause I'm a bit dumb! I just learned how to do sftp and scp after I set up my vsftp server. Will probably disable that eventually. Since I'm only using it for my local net, there's not much chance of someone screwing with my machines.

> > DNAT     net     loc:192.168.1.147  udp    5060
> > DNAT     net     loc:192.168.1.147  udp    5061
> > DNAT     net     loc:192.168.1.147  udp    10100:10500
> > ACCEPT   loc     fw                 udp    123
> > ACCEPT   fw      loc                udp    123
> > # changed net to loc and loc to net on udp port 123 to test the voip
> > #ACCEPT  loc     net                udp    5061
> > ACCEPT   loc     fw                 udp    69
> > ACCEPT   fw      loc                udp    69
> > ACCEPT   fw      loc                udp    67
> > ACCEPT   fw      loc                udp    68
> > ACCEPT   loc     fw                 udp    67
> > ACCEPT   loc     fw                 udp    68
>
> ? Not sure why this; never used a dummy terminal or TFTP.

These are ports the Vonage techie said I needed to use their VoIP for my phone system. I'm still experimenting with what is needed to do that system. Will gradually kill each one and ensure the phone still works.

> > #ACCEPT  loc     net                udp    10100:10500
> > ACCEPT   fw      loc                tcp    631
> > ACCEPT   loc     fw                 tcp    631
> > #
> > # Allow Ping To And From Firewall
> > #
> > ACCEPT   loc     fw                 icmp   8
> > # ACCEPT net     fw                 icmp   8
> > ACCEPT   fw      loc                icmp   8
> > ACCEPT   fw      net                icmp   8
> > #DROP    net     fw                 icmp   8
>
> Why allow ping onto your firewall from the Internet??

Again 'cause I'm a bit dumb, but learning thanks to folks like you.

> > #
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> <snip> looking good.
>
> Ian

Thanks Ian for your suggestions. Now I'm off to figure out the hows and whys of tcpwrappers and ssh.

Regards,
Richard
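The review Ian gives above (anything ACCEPTed from the net zone, the DNAT of the VoIP ports to one LAN host, and cleartext ftp where sftp/scp would do) can be turned into a mechanical check before "shorewall restart". What follows is an added example, not code from this thread and not part of Shorewall: a small Python linter over a Shorewall 1.4-style rules file. It assumes the two-interface zone names net, loc and fw and the 1.4 column order (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST). The sample rules embedded in it are constructed from the ones quoted above, with one extra active "ACCEPT net fw icmp 8" line to show what the ping-from-the-Internet rule would trigger if it were uncommented.

```python
"""Lint a Shorewall 1.4-style rules file for entries that expose the firewall
or the LAN to the Internet ("net") zone, or that admit cleartext FTP.

Added example for this thread; it is not Shorewall code and not Richard's
or Ian's. Assumes zone names net/loc/fw and the 1.4 rules columns:
ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)] [ORIGINAL-DEST].
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    proto: str
    dport: str


# Constructed sample, derived from the rules quoted in the thread. Line 10 is
# the commented-out ping rule from the original file; line 11 is the same rule
# made active, to show what the linter reports for it.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST               PROTO  DEST   SOURCE  ORIGINAL
ACCEPT   fw      net                udp    53
ACCEPT   loc     fw                 tcp    53
ACCEPT   loc     fw                 tcp    22
ACCEPT   loc     fw                 tcp    21
DNAT     net     loc:192.168.1.147  udp    5060
DNAT     net     loc:192.168.1.147  udp    5061
DNAT     net     loc:192.168.1.147  udp    10100:10500
ACCEPT   loc     fw                 icmp   8
# ACCEPT net     fw                 icmp   8
ACCEPT   net     fw                 icmp   8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def zone(spec: str) -> str:
    """Zone part of a SOURCE/DEST column: 'loc:192.168.1.147' -> 'loc'."""
    return spec.split(":", 1)[0].lower()


def parse_rules(text: str) -> List[Rule]:
    """Parse active rule lines. Anything after '#' is a comment, so a
    commented-out rule is skipped exactly as Shorewall skips it."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # a bare ACTION, or a line this linter does not understand
        action = fields[0].split(":", 1)[0].upper()  # 'ACCEPT:info' -> 'ACCEPT'
        dport = fields[4] if len(fields) > 4 else "-"
        rules.append(Rule(lineno, action, fields[1], fields[2], fields[3].lower(), dport))
    return rules


Finding = Tuple[int, str, str]  # (line number, category, detail)


def lint(text: str) -> List[Finding]:
    """Return one finding per rule that widens exposure to the Internet or
    admits cleartext FTP. Findings are in file order."""
    findings: List[Finding] = []
    for r in parse_rules(text):
        src, dst = zone(r.source), zone(r.dest)
        if r.action == "ACCEPT" and src == "net":
            findings.append((r.lineno, "accept-from-net",
                             f"{r.proto}/{r.dport} accepted from the Internet to {dst}"))
        elif r.action == "DNAT" and src == "net":
            # DNAT also accepts the forwarded traffic, so the target host is exposed.
            findings.append((r.lineno, "dnat-from-net",
                             f"{r.proto}/{r.dport} forwarded from the Internet to {r.dest}"))
        if r.action == "ACCEPT" and r.proto == "tcp" and r.dport == "21":
            findings.append((r.lineno, "cleartext-ftp",
                             "FTP sends credentials in the clear; prefer sftp/scp over tcp/22"))
    return findings


if __name__ == "__main__":
    for lineno, category, detail in lint(SAMPLE_RULES):
        print(f"line {lineno:3d}  {category:16s} {detail}")
```

Run against a real file with lint(open("/etc/shorewall/rules").read()). The three DNAT findings are expected for a SIP adapter behind NAT; the point of listing them is that 192.168.1.147 is reachable from anywhere on those ports, so that host should be the only thing answering on them.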