Hi all, I'm running a Bering firewall on my production system (after upgrading from Eigerstein), and I'm very impressed with Bering. Great job. I managed a complete system upgrade from Eigerstein using wget, all done remotely via ssh, with LOTS of planning ahead and *fingers crossed on the first reboot*, and yes, I do have a HDD that Bering boots from ;o).
I have a couple of questions about shorewall and stuff. I'm running version 1.3 from the base install of Bering. I was reading the shorewall help and have a question about this text:

    # ORIGINAL DEST  (Optional -- only allowed if ACTION is DNAT or
    #                REDIRECT) If included and different from the IP
    #                address given in the SERVER column, this is an address
    #                on some interface on the firewall and connections to
    #                that address will be forwarded to the IP and port
    #                specified in the DEST column.

It says I can't use ORIGINAL DEST if it is an ACCEPT rule? My firewall is located in a remote hosting facility and I need to be able to get to it via the "external" interface. My external interface has multiple live IPs on it. I wish to secure it so that SSH is only open/available on one IP address. I would like to be able to do this:

    ACCEPT  net:202.53.xxx.xxx,203.94.xxx.xxx  fw  tcp  22  -  67.106.XXX.XXX

so that when a port scan/security check happens it won't show SSH open (or closed, for that matter) on any of the IPs apart from the single firewall one.

I also ran some scans on my firewall using Nessus (www.nessus.org) and it showed up the following. I scanned my firewall IP, not an IP that I'm DNATing through to the DMZ.

> The remote host does not discard TCP SYN packets which have the FIN flag set.

Is this something I have to worry about? Is there a way to fix this?

I also ran an nmap scan on my firewall IP:

    Port     State   Service
    22/tcp   open    ssh
    113/tcp  closed  auth
    135/tcp  closed  loc-srv

I have no idea why 113 and 135 are showing as open. These are my firewall rules:
    #ACTION  SOURCE                                          DEST             PROTO  DEST   SOURCE   ORIGINAL
    #                                                                                 PORT   PORT(S)  DEST
    ACCEPT   fw                                              loc              tcp    53
    ACCEPT   fw                                              loc              udp    53
    #
    ACCEPT   loc                                             fw               tcp    22
    ACCEPT   net                                             fw               tcp    22
    #
    ACCEPT   loc                                             fw               icmp   8
    ACCEPT   net                                             fw               icmp   8
    #
    ACCEPT   loc                                             fw               tcp    80
    #
    # Mystique
    DNAT     net                                             loc:10.0.100.32  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.33  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.34  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.35  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.40  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.31  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.30  tcp    80     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.10  tcp    80     -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.10  tcp    3389   -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.10  tcp    53     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.10  udp    53     -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx,203.94.xxx.xxx,64.28.xxx.xxx  loc:10.0.100.20  tcp    1352   -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.10  tcp    ftp    -        67.106.xxx.xxx
    #
    # Storm/Rogue
    DNAT     net                                             loc:10.0.100.11  tcp    80     -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.11  tcp    3389   -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.11  tcp    53     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.11  udp    53     -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx,211.34.xxx.xxx               loc:10.0.100.21  tcp    1352   -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.22  tcp    1352   -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.22  tcp    25     -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.21  tcp    25     -        67.106.xxx.xxx
    #
    # Cyclops
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.12  tcp    3389   -        67.106.xxx.xxx
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.23  tcp    1352   -        67.106.xxx.xxx
    DNAT     net                                             loc:10.0.100.36  tcp    80     -        67.106.xxx.xxx
    #
    # Wolverine
    DNAT     net:202.53.xxx.xxx                              loc:10.0.100.13  tcp    3389   -        67.106.xxx.xxx

Any feedback on the above would be much appreciated before I go too far and put in the rest of my system configuration (40 more servers :o(). I'm also trying to figure out how to set up Bering to email me my firewall logs on a daily basis so I can run them through a scanner.
And last but not least, I wish to upgrade shorewall to 1.4, but I'm a little "scared" to do so as I'm not sure of the exact way. As I said earlier, I only have SSH access to my firewall, so touching things like ssh or shorewall worries me. How can I update shorewall and keep my current rules etc.?

Thanks all in advance,
Best Regards
Adam

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
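An added example, not part of Adam's post and not Shorewall's own code: a small audit script for the whitespace-separated rules format pasted above (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT(S) ORIGINAL DEST). It parses the lines and flags two things the post raises: ACCEPT rules that open a port on the firewall to the whole net zone with no source-host or destination-address restriction (the SSH exposure Adam wants to narrow), and rules that carry an ORIGINAL DEST value although the ACTION is not DNAT or REDIRECT, which the quoted help text says is not allowed. The sample rules are constructed from the post with its masked addresses kept as-is; the column layout and the "-" placeholder convention are assumed from the post.

```python
"""Audit Shorewall-1.3-style rules lines (added example, not Shorewall code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, taken from the post with masked addresses kept as-is.
SAMPLE_RULES = """\
#ACTION SOURCE                             DEST             PROTO  DEST  SOURCE   ORIGINAL
#                                                                  PORT  PORT(S)  DEST
ACCEPT  fw                                 loc              tcp    53
ACCEPT  net                                fw               tcp    22
ACCEPT  net                                fw               icmp   8
DNAT    net                                loc:10.0.100.32  tcp    80    -        67.106.xxx.xxx
DNAT    net:202.53.xxx.xxx                 loc:10.0.100.10  tcp    3389  -        67.106.xxx.xxx
# The rule Adam would like to write: ORIGINAL DEST on an ACCEPT rule.
ACCEPT  net:202.53.xxx.xxx,203.94.xxx.xxx  fw               tcp    22    -        67.106.XXX.XXX
"""

NET_WIDE_FW_ACCEPT = "net-wide-fw-accept"      # port on fw open to the whole net zone
ORIGINAL_DEST_MISUSE = "original-dest-misuse"  # ORIGINAL DEST on a non-DNAT/REDIRECT rule


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: Optional[str] = None
    sport: Optional[str] = None
    original_dest: Optional[str] = None

    @staticmethod
    def _split(spec: str) -> Tuple[str, Optional[str]]:
        # "zone" or "zone:host,host,..." -> (zone, hosts-or-None)
        zone, sep, hosts = spec.partition(":")
        return zone, (hosts if sep else None)

    @property
    def source_zone(self) -> str:
        return self._split(self.source)[0]

    @property
    def source_hosts(self) -> Optional[str]:
        return self._split(self.source)[1]

    @property
    def dest_zone(self) -> str:
        return self._split(self.dest)[0]

    @property
    def dest_hosts(self) -> Optional[str]:
        return self._split(self.dest)[1]


def parse_rules(text: str) -> List[Rule]:
    """Parse rules lines; '#' starts a comment, '-' means an empty column."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = [None if c == "-" else c for c in line.split()]
        if len(cols) < 4:
            raise ValueError(f"rule needs at least ACTION SOURCE DEST PROTO: {raw!r}")
        rules.append(Rule(*cols[:7]))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, Rule]]:
    """Return (finding-kind, rule) pairs for the two checks described above."""
    findings: List[Tuple[str, Rule]] = []
    for r in rules:
        if r.original_dest is not None and r.action not in ("DNAT", "REDIRECT"):
            findings.append((ORIGINAL_DEST_MISUSE, r))
        if (r.action == "ACCEPT" and r.source_zone == "net" and r.dest_zone == "fw"
                and r.source_hosts is None and r.dest_hosts is None):
            findings.append((NET_WIDE_FW_ACCEPT, r))
    return findings


if __name__ == "__main__":
    for kind, rule in audit(parse_rules(SAMPLE_RULES)):
        print(f"{kind}: {rule.action} {rule.source} {rule.dest} {rule.proto} {rule.dport or ''}")
```

Run against the sample, the script reports the two unrestricted ACCEPT rules (tcp 22 and icmp 8 from net to fw) and the ACCEPT rule that carries an ORIGINAL DEST; feeding it the full rules file from the post instead of SAMPLE_RULES gives the same kind of list for the whole configuration.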