* [gentoo-user] {OT} Shorewall config check
@ 2007-02-09 17:02 Grant
From: Grant @ 2007-02-09 17:02 UTC
  To: Gentoo mailing list

Hello,

I set up shorewall on my Gentoo firewall/router for the first time
yesterday.  I had been using the iptables commands specified in the
Gentoo Home Router Guide before.  I used this:

http://www.shorewall.net/two-interface.htm

and ran into some trouble as the two-interface example files installed
with the package didn't match the ones described in the above
document.  I ended up with the following and I was hoping someone
could have a quick look and tell me if it's secure enough and not
overly redundant.

Wireless ath0 is on the local subnet.  eth0 is attached to a DSL modem
which (unfortunately) also happens to be a router with IP address
192.168.1.1.  I configured that modem/router to do static NAT and
forward all ports to the Gentoo firewall/router and I disabled
everything on it I could (DNS, DHCP, etc.).  The Gentoo
firewall/router provides DNS via dnsmasq and all the machines on the
network configure IPs manually so there is no DHCP anywhere.

/etc/shorewall/zones:

fw     firewall
net     ipv4
loc     ipv4

/etc/shorewall/interfaces:

# I removed norfc1918 from the net OPTIONS because eth0
# has IP 192.168.1.2 from the modem/router.  Bad idea?
net     eth0     detect     tcpflags,routefilter,nosmurfs,logmartians
loc     ath0     detect     tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:

loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     REJECT     info
$FW     net     REJECT     info
$FW     loc     REJECT     info
$FW     all     REJECT     info
net     $FW     DROP     info
net     loc     DROP     info
net     all     DROP     info
all     all     REJECT     info

/etc/shorewall/rules:

DNS/ACCEPT     $FW     net
Ping/REJECT     net     $FW
ACCEPT     $FW     loc     icmp
ACCEPT     $FW     net     icmp
# Bittorrent
DNAT     net     loc:192.168.0.3     tcp     6881:6999
DNAT     net     loc:192.168.0.3     udp     6881:6999

/etc/shorewall/masq:

eth0     ath0

/etc/shorewall/routestopped:

ath0     -

Should I be using an ipp2p PROTO designation with my Bittorrent rules?

Would you bother to run a firewall on the machines connected to the
Gentoo firewall/router?

- Grant
-- 
gentoo-user@gentoo.org mailing list
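A small way to answer the "secure enough and not overly redundant" question for the policy and rules files quoted above is to model Shorewall's first-match evaluation and run concrete flows through it. The following is an added example, not part of the post and not Shorewall's own parser: it copies the policy and rules text from the message, expands the DNS and Ping macros with simplified assumed definitions (the real macro files are richer), ignores the interfaces and masq files entirely, leaves intra-zone traffic out of the redundancy check (Shorewall handles intra-zone traffic separately), and assumes DROP when nothing matches.

```python
"""Toy model of Shorewall's first-match evaluation (rules, then policy).
Added example; simplified macros, no interface/masq handling, no intra-zone."""
from dataclasses import dataclass
from typing import Optional

ZONES = ["fw", "net", "loc"]   # /etc/shorewall/zones from the post

# Policy and rules text copied from the post (constructed sample input).
POLICY_TEXT = """
loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     REJECT     info
$FW     net     REJECT     info
$FW     loc     REJECT     info
$FW     all     REJECT     info
net     $FW     DROP     info
net     loc     DROP     info
net     all     DROP     info
all     all     REJECT     info
"""
RULES_TEXT = """
DNS/ACCEPT     $FW     net
Ping/REJECT     net     $FW
ACCEPT     $FW     loc     icmp
ACCEPT     $FW     net     icmp
# Bittorrent
DNAT     net     loc:192.168.0.3     tcp     6881:6999
DNAT     net     loc:192.168.0.3     udp     6881:6999
"""
# Assumed, simplified expansions of the two macros the post uses.
MACROS = {"DNS": [("udp", "53"), ("tcp", "53")],
          "Ping": [("icmp", "8")]}   # ICMP type 8 = echo-request


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    dst_host: Optional[str]   # "192.168.0.3" from "loc:192.168.0.3", else None
    proto: Optional[str]      # None = any protocol
    dport: Optional[str]      # "53", "6881:6999" (inclusive), or None = any


def _zone(tok):
    """Normalise Shorewall's $FW alias to the zone name."""
    return "fw" if tok == "$FW" else tok


def _fields(text):
    """Whitespace-split fields of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_rules(text):
    rules = []
    for f in _fields(text):
        action, src, dst = f[0], _zone(f[1]), f[2]
        proto = f[3] if len(f) > 3 else None
        dport = f[4] if len(f) > 4 else None
        zone, _, host = dst.partition(":")
        if "/" in action:                        # "MACRO/ACTION", e.g. DNS/ACCEPT
            macro, action = action.split("/", 1)
            for p, d in MACROS[macro]:
                rules.append(Rule(action, src, _zone(zone), host or None, p, d))
        else:
            rules.append(Rule(action, src, _zone(zone), host or None, proto, dport))
    return rules


def parse_policy(text):
    """(source zone, dest zone, action) triples; the log level column is ignored."""
    return [(_zone(f[0]), _zone(f[1]), f[2]) for f in _fields(text)]


def _port_match(spec, port):
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, policy, src, dst, proto=None, port=None, dst_host=None):
    """First matching rule wins; otherwise the first matching policy line."""
    for r in rules:
        if (r.src, r.dst) != (src, dst) or (r.dst_host and r.dst_host != dst_host):
            continue
        if (r.proto and r.proto != proto) or \
           (r.dport and (port is None or not _port_match(r.dport, port))):
            continue
        return r.action, "rule"
    for p_src, p_dst, action in policy:
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return action, "policy"
    return "DROP", "default"   # assumption: nothing matched


def shadowed_policy_lines(policy, zones=ZONES):
    """Policy lines no distinct-zone pair can ever reach (pure redundancy)."""
    covered, shadowed = set(), []
    for p_src, p_dst, action in policy:
        pairs = {(s, d) for s in zones for d in zones
                 if s != d and p_src in (s, "all") and p_dst in (d, "all")}
        if pairs <= covered:
            shadowed.append((p_src, p_dst, action))
        covered |= pairs
    return shadowed


RULES, POLICY = parse_rules(RULES_TEXT), parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for flow in [("fw", "net", "udp", 53, None), ("net", "fw", "tcp", 22, None),
                 ("net", "loc", "tcp", 6900, "192.168.0.3"),
                 ("net", "loc", "tcp", 6900, "192.168.0.4")]:
        print(flow, "->", evaluate(RULES, POLICY, *flow))
    print("shadowed:", shadowed_policy_lines(POLICY))
```

Run as a script, the model shows the firewall's own DNS lookups leaving via the DNS/ACCEPT rule, unsolicited net-to-firewall TCP falling through to the `net $FW DROP` policy, and the BitTorrent DNAT applying only to the one loc host and port range. With only three zones and intra-zone traffic set aside, the redundancy check reports the four `all` lines (`loc all`, `$FW all`, `net all`, `all all`) as unreachable for inter-zone traffic, because every inter-zone pair they could match is already matched by an earlier line. The model says nothing about the `norfc1918` question, since it does not look at the interfaces file at all.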
