[NTLUG:Discuss] Firewalls
Greg Edwards
greg at nas-inet.com
Wed Mar 19 10:40:00 CST 2003
A couple weeks ago we had a thread going about firewall and ipchains
setup. Since then I've come across a tool that some may find useful.
It's called shorewall (http://www.shorewall.net) and comes with Mandrake
9.0. Overall it's got an interesting approach to its setup method and
once you get the concept it's pretty slick, IMO. It's open source under
the GNU GPL license.
The overall concept is that you divide your network into zones and set
your policies based on the source and/or destination zone. For example
you can set all input from the "net" zone (external network) to DROP and
then set which ports, sources, destinations, etc. are viewed as
exceptions to the policy. The config files make it so that you never
have to write an ipchain command yourself, well almost never.
It took me a couple days to get it all figured out and set up the way I
wanted it. If you don't read ALL the docs, like I usually do, you can
have a basic setup in half an hour or so. Its documentation is pretty
good both inline in the config files and HTML.
However, finding out how to keep your router from dropping internal
traffic is somewhat obscure. I had to dig real deep to find a passing
mention of how to set up a manual ipchain rule in the common config file.
To get the kernel routing to run normally you need to override the
default FORWARD which is to drop packets. The docs go into great length
about how routing works but don't bother to mention that the firewall
kills local routing by default or how to turn it back on.
--
Greg Edwards
New Age Software, Inc. - http://www.nas-inet.com
======================================================
Galactic Outlaw - http://goutlaw.nas-inet.com
The ultimate cyberspace adventure!
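A minimal zone-based configuration along the lines the post describes, as an added and constructed example (not from the original post and not Shorewall's own sample files). It follows the column layout of the Shorewall 1.x-era /etc/shorewall files; the interface names are assumed, and the `loc loc ACCEPT` policy line is an assumed way of keeping traffic between two internal interfaces routable, shown here in place of the manual rule the author added to the common file.

```text
# /etc/shorewall/zones -- name the zones (constructed example)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Internal LAN

# /etc/shorewall/interfaces -- map each interface to a zone
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
loc     eth2        detect

# /etc/shorewall/policy -- default verdict per source/destination zone pair
# First matching line wins, so the specific entries go before the catch-alls.
#SOURCE DEST        POLICY      LOG LEVEL
loc     loc         ACCEPT                  # assumption: lets the kernel route between eth1 and eth2
loc     net         ACCEPT                  # LAN may reach the Internet
net     all         DROP        info        # everything from the Internet is dropped and logged
all     all         REJECT      info        # anything not covered above

# /etc/shorewall/rules -- exceptions to the policies above
#ACTION SOURCE      DEST        PROTO       DEST PORT(S)
ACCEPT  loc         fw          tcp         22          # SSH to the firewall only from the LAN
ACCEPT  loc         fw          udp         53          # LAN hosts use the resolver on the firewall
```

The `fw` zone is Shorewall's name for the firewall host itself; with `net all DROP` as the policy, any service the Internet may reach has to be listed explicitly in the rules file, which is the "policy plus exceptions" model the post describes.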