From: "Dave Nebinger"
Subject: RE: [gentoo-user] Re: iptables example on Gentoo
Date: Wed, 07 Sep 2005 09:08:06 -0400
In-reply-to: <431E2E2A.3070806@gmail.com>
Message-id: <002c01c5b3ad$314fe1c0$4501010a@jnetlab.lcl>
Reply-to: gentoo-user@lists.gentoo.org
> I think it might be important to point out here how Shorewall
> handles/uses these files. I don't use Shorewall, so I can't really
> shed light on it. But these config files are really only one side of
> the mirror.

Actually these files are typically the only ones you'll need to edit...

/etc/shorewall/interfaces defines the interfaces that will be available to shorewall and provides some logical names for rules mapping.

/etc/shorewall/masq defines the masquerades to use and provides a quick and easy way to say things like "eth1 traffic going out on eth0 should be masqueraded".

/etc/shorewall/policy defines the default policies on the interfaces.

/etc/shorewall/zones defines human-readable names for the interfaces; although I haven't really seen them used for much, they are critical to the functionality (you'll get weird startup failure messages if they're missing).

/etc/shorewall/rules is the critical file, and it defines the rules for what traffic will be allowed. My rules file, for example, indicates that incoming mail and other services are either allowed for the router box to handle or forwarded into the DMZ. It also defines what traffic to block (i.e. outbound windblows networking ports), what hosts to block (ip addresses that hit the ssh daemon), etc.

Other files that you might edit are /etc/shorewall/blacklist, an optional blacklist file to block all traffic from these hosts, and /etc/shorewall/shorewall.conf, the general shorewall configuration file.

Many other files exist in the directory but I'm willing to bet that 95% of the time you won't need to modify them.

--
gentoo-user@gentoo.org mailing list
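A minimal set of the five files the reply walks through, written as an added illustration and not the poster's own configuration. It assumes the Shorewall 4.x column layout, eth0 facing the net, eth1 the LAN, eth2 the DMZ, and constructed addresses (192.168.2.25 for the DMZ mail host, 203.0.113.45 for a host to block).

```text
# --- /etc/shorewall/zones --- (human-readable zone names; fw = the router itself)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# --- /etc/shorewall/interfaces --- (which NIC belongs to which zone)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs

# --- /etc/shorewall/policy --- (defaults used when no rule matches; first match wins)
#SOURCE DEST    POLICY  LOG_LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# --- /etc/shorewall/masq --- ("eth1 traffic going out on eth0 should be masqueraded")
#INTERFACE  SOURCE
eth0        eth1

# --- /etc/shorewall/rules --- (exceptions to the policies above)
#ACTION     SOURCE              DEST                PROTO   DEST_PORT(S)
# Admin ssh to the router from the LAN only; net->fw ssh falls through to the DROP policy
ACCEPT      loc                 $FW                 tcp     22
# Incoming mail is forwarded into the DMZ (192.168.2.25 is a constructed address)
DNAT        net                 dmz:192.168.2.25    tcp     25
# Block outbound Windows networking so NetBIOS/SMB never leaks to the net
REJECT      loc                 net                 tcp     135,137,138,139,445
REJECT      loc                 net                 udp     135,137,138,139,445
# Drop everything from one host that keeps hitting the ssh daemon (constructed address)
DROP        net:203.0.113.45    all
```

`shorewall check` validates these files without applying them, and on Shorewall releases before 5.0 shorewall.conf also needs STARTUP_ENABLED=Yes before `shorewall start` will do anything.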