On Tue, 2003-06-03 at 17:07, Ian David Laws wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 03 June 2003 18:58, Richard wrote:
I would be interested in, how you set up shorewall and I do believe Tom would like to know as well since it is his firewall.
My setup is not all that complicated. I'm using ver 1.4.2 right now. I begin with the basic two interface setup. I had to switch eth0 and eth1 as eth1 is my connection to the cable modem. The Policy file is set to DROP all inputs to eth1. As I now use the Vonage VoIP system for my phone, I changed the rules to the following:

#ACTION SOURCE DEST              PROTO DEST         SOURCE  ORIGINAL
#                                      PORT         PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw  net tcp 53
ACCEPT fw  net udp 53
ACCEPT loc fw  udp 53
ACCEPT fw  loc udp 53
ACCEPT loc fw  tcp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw  tcp 22
ACCEPT fw  loc tcp 22
ACCEPT loc fw  tcp 20
ACCEPT fw  loc tcp 20
ACCEPT loc fw  tcp 21
#ACCEPT fw loc tcp 21
DNAT   net loc:192.168.1.147 udp 5060
DNAT   net loc:192.168.1.147 udp 5061
DNAT   net loc:192.168.1.147 udp 10100:10500
ACCEPT loc fw  udp 123
ACCEPT fw  loc udp 123
# changed net to loc and loc to net on udp port 123 to test the voip
#ACCEPT loc net udp 5061
ACCEPT loc fw  udp 69
ACCEPT fw  loc udp 69
ACCEPT fw  loc udp 67
ACCEPT fw  loc udp 68
ACCEPT loc fw  udp 67
ACCEPT loc fw  udp 68
#ACCEPT loc net udp 10100:10500
ACCEPT fw  loc tcp 631
ACCEPT loc fw  tcp 631
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw  icmp 8
ACCEPT net fw  icmp 8
ACCEPT fw  loc icmp 8
ACCEPT fw  net icmp 8
#DROP net fw icmp 8
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

So far as I can tell, all my external ports are closed or stealth, depending on how you want to call them, and the phone system works better than Verizon did. My subnet of 5 computers including two Winstuff works fine. Can you see anything I should be concerned about? If you can see anything that might interest Tom I will send it to him but I know he is extremely busy helping others. I have considered going back to one of the 1.3 versions to be sure everything was ok as I had no problems then.

Regards,
Richard
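The question Richard asks ("can you see anything I should be concerned about?") is easiest to answer by listing exactly which rules admit traffic from the net zone. The script below is an added example, not code from the post or from the Shorewall project: it parses the column layout the rules file header describes (ACTION SOURCE DEST PROTO DEST-PORT, optionally SOURCE-PORT and ORIGINAL-DEST), skips comment lines such as the LAST LINE marker, and returns the net-sourced entries. The rules text is an excerpt copied from the message above, trimmed for length; the function names, the Rule dataclass and the "-" placeholder handling are assumptions of this example.

```python
"""Audit a Shorewall 1.4-style rules file for entries reachable from 'net'.

Added example, not code from the mailing-list post. RULES_TEXT is an
excerpt of the rules quoted in the message; the column layout follows
the file's own header: ACTION SOURCE DEST PROTO DEST-PORT [SOURCE-PORT
[ORIGINAL-DEST]]. Zone fields may carry an address after a colon,
e.g. loc:192.168.1.147.
"""
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the post (comment lines included on purpose so the
# parser has to skip them).
RULES_TEXT = """\
#ACTION SOURCE DEST            PROTO DEST  SOURCE ORIGINAL
#                                    PORT  PORT(S) DEST
ACCEPT fw  net tcp 53
ACCEPT loc fw  tcp 22
#ACCEPT fw loc tcp 21
DNAT   net loc:192.168.1.147 udp 5060
DNAT   net loc:192.168.1.147 udp 5061
DNAT   net loc:192.168.1.147 udp 10100:10500
ACCEPT loc fw  udp 123
ACCEPT loc fw  icmp 8
ACCEPT net fw  icmp 8
#DROP  net fw  icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


@dataclass
class Rule:
    """One parsed rules-file entry (assumed structure for this example)."""
    action: str
    source_zone: str
    source_addr: Optional[str]
    dest_zone: str
    dest_addr: Optional[str]
    proto: str
    dest_port: Optional[str]
    source_port: Optional[str] = None
    original_dest: Optional[str] = None


def _split_zone(field: str):
    """'loc:192.168.1.147' -> ('loc', '192.168.1.147'); 'net' -> ('net', None)."""
    zone, _, addr = field.partition(":")
    return zone, (addr or None)


def _optional(field: Optional[str]) -> Optional[str]:
    """Shorewall uses '-' for an empty column; treat it like a missing one."""
    return None if field in (None, "-") else field


def parse_rules(text: str) -> List[Rule]:
    """Parse rules text; '#' starts a comment, blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {raw!r}")
        action, src, dst, proto = fields[:4]
        # Pad the optional columns so unpacking always yields three values.
        dest_port, source_port, original_dest = (fields[4:] + [None] * 3)[:3]
        src_zone, src_addr = _split_zone(src)
        dst_zone, dst_addr = _split_zone(dst)
        rules.append(Rule(action.upper(), src_zone, src_addr, dst_zone, dst_addr,
                          proto.lower(), _optional(dest_port),
                          _optional(source_port), _optional(original_dest)))
    return rules


def net_facing(rules: List[Rule]) -> List[Rule]:
    """Rules whose SOURCE zone is 'net': the internet-reachable surface."""
    return [r for r in rules if r.source_zone == "net"]


def exposure_summary(rules: List[Rule]) -> List[str]:
    """Human-readable 'proto/port -> target (ACTION)' lines for net-facing rules."""
    out = []
    for r in net_facing(rules):
        target = r.dest_zone if r.dest_addr is None else f"{r.dest_zone}:{r.dest_addr}"
        out.append(f"{r.proto}/{r.dest_port} -> {target} ({r.action})")
    return out


if __name__ == "__main__":
    for line in exposure_summary(parse_rules(RULES_TEXT)):
        print(line)
```

Run against the excerpt, the summary lists the three DNAT forwards of UDP 5060, 5061 and 10100:10500 to 192.168.1.147 plus the ICMP echo-request accept to the firewall; everything else in the file is loc-to-fw or fw-outbound and is not reachable from the internet. That is the list a reviewer would check against the policy file's net-to-all DROP before deciding whether anything needs attention.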