I've got shorewall from the shorewall website, instead of from Mandrake as suggested in the shorewall guide. It seems to be much easier to use and I've set it up on my server/gateway box.
Later I'll have some hardware available to separate the gateway from the file server but this is what I am stuck with right now.
So anyway I've got these for policies. Note that there is no masq interface. Now what I *think* this says is:
###############################################################################
#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc        net     ACCEPT
loc        fw      ACCEPT
fw         net     ACCEPT

1. Accept all packets from the local net to the internet.
2. Accept all packets from the local net to the firewall box.
3. Accept all packets from the firewall box to the internet.
So basically the local network and the firewall box can talk to anyone but, as defined below, not anyone can talk back.
#
# If you want open access to the internet from your firewall, uncomment the
# following line
#fw        net     ACCEPT
net        all     DROP      info
net        fw      DROP      info
net        loc     DROP      info
all        all     REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

4. Drop all packets broadcasted from the internet.
5. Drop all packets from the internet to the firewall box.
6. Drop all packets from the internet to the local net.
7. Reject all universally broadcasted packets.
The only rules I have defined so far are:
ACCEPT    net    fw    tcp     22    #(ssh)
ACCEPT    net    fw    icmp    8     #(ping)
So anyway here is the big question: Given that I have physical security on the local net and firewall boxes, is this a safe basic setup?
Note that netstat gives:
[EMAIL PROTECTED] root]# netstat -ntupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      905/rpc.statd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      11987/slapd
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      3520/xinetd
tcp        0      0 127.0.0.1:32775         0.0.0.0:*               LISTEN      3520/xinetd
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN      31439/httpd-perl
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      7846/smbd
tcp        0      0 0.0.0.0:1007            0.0.0.0:*               LISTEN      22451/rpc.rquotad
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      783/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31455/httpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      4409/X
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      4097/perl
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN      4207/perl
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3520/xinetd
tcp        0      0 192.168.1.253:53        0.0.0.0:*               LISTEN      3469/named
tcp        0      0 208.152.4.207:53        0.0.0.0:*               LISTEN      3469/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3469/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3495/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      3551/cupsd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      3520/xinetd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      4089/(squid)
tcp        0      0 0.0.0.0:953             0.0.0.0:*               LISTEN      3469/named
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      31455/httpd
tcp        0      0 0.0.0.0:34844           0.0.0.0:*               LISTEN      22482/rpc.mountd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      11987/slapd
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      4154/lisa
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           905/rpc.statd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           3469/named
udp        0      0 192.168.1.253:137       0.0.0.0:*                           7856/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           7856/nmbd
udp        0      0 192.168.1.253:138       0.0.0.0:*                           7856/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           7856/nmbd
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           4097/perl
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           4207/perl
udp        0      0 192.168.1.253:53        0.0.0.0:*                           3469/named
udp        0      0 208.152.4.207:53        0.0.0.0:*                           3469/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3469/named
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           4089/(squid)
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           4154/lisa
udp        0      0 0.0.0.0:67              0.0.0.0:*                           3664/dhcpd
udp    65280      0 0.0.0.0:68              0.0.0.0:*                           798/dhcpcd
udp        0      0 0.0.0.0:3401            0.0.0.0:*                           4089/(squid)
udp        0      0 0.0.0.0:32855           0.0.0.0:*                           -
udp        0      0 0.0.0.0:32856           0.0.0.0:*                           22482/rpc.mountd
udp        0      0 0.0.0.0:4827            0.0.0.0:*                           4089/(squid)
udp        0      0 0.0.0.0:1004            0.0.0.0:*                           22451/rpc.rquotad
udp        0      0 0.0.0.0:111             0.0.0.0:*                           783/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                           3551/cupsd
[EMAIL PROTECTED] root]#
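As an added example (not from the post and not shorewall's own code), here is a small Python model of shorewall's rule-then-policy evaluation, run over the policy file, the two rules and a few of the netstat lines above, to list which of the box's listeners a new connection from the net zone can actually reach. It assumes shorewall's usual ordering (rules are checked first, then the first matching policy line, with `all` as a wildcard) and that 208.152.4.207 is the external interface address.

```python
FW_IP = "208.152.4.207"  # external address taken from the post's netstat output

# Constructed inputs: the posted policy and rules files, plus an excerpt of
# the posted `netstat -ntupl` listing in the same column layout.
POLICY = """loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT
net all DROP info
net fw DROP info
net loc DROP info
all all REJECT info"""
RULES = """ACCEPT net fw tcp 22
ACCEPT net fw icmp 8"""
NETSTAT = """tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 11987/slapd
tcp 0 0 127.0.0.1:32775 0.0.0.0:* LISTEN 3520/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3495/sshd
udp 0 0 0.0.0.0:111 0.0.0.0:* 783/portmap"""

def parse_policy(text):
    """Return (source, dest, action) tuples in file order."""
    return [tuple(f[:3]) for f in map(str.split, text.splitlines()) if len(f) >= 3]

def policy_for(policies, src, dst):
    """First matching policy line wins; 'all' is a wildcard."""
    for s, d, action in policies:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return "REJECT"  # shorewall's implicit last resort

def parse_rules(text):
    """Return (action, source, dest, proto, port) tuples."""
    return [tuple(f[:5]) for f in map(str.split, text.splitlines()) if len(f) >= 5]

def parse_netstat(text):
    """Return (proto, bind_ip, port, program) for each listener line."""
    out = []
    for f in map(str.split, text.splitlines()):
        if len(f) >= 6:
            ip, port = f[3].rsplit(":", 1)
            out.append((f[0], ip, int(port), f[-1].split("/")[-1]))
    return out

def exposure(policies, rules, listeners):
    """Verdict for each listener on a new connection arriving from the net zone."""
    verdicts = {}
    for proto, ip, port, prog in listeners:
        key = f"{prog} {proto}/{ip}:{port}"
        if ip not in ("0.0.0.0", FW_IP):  # loopback/loc-only bind: not reachable from net
            verdicts[key] = "unreachable (bind address)"
        else:
            hit = next((r[0] for r in rules if r[1:] == ("net", "fw", proto, str(port))), None)
            verdicts[key] = f"{hit} (rule)" if hit else f"{policy_for(policies, 'net', 'fw')} (policy)"
    return verdicts
```

Running `exposure(parse_policy(POLICY), parse_rules(RULES), parse_netstat(NETSTAT))` shows only sshd accepted by rule; every other wildcard-bound listener falls through to the `net fw DROP` policy, which is the check worth repeating whenever a rule or a daemon is added.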
