> I set up a Postfix email server and I am using the Webmin
> upload/download module to upload files and save files directly to a
> server or download directly from the server. I also use this and
> another server for OpenVPN connections. Both servers run the same
> version of Shorewall.
>
> Basically I want to do this: allow unrestricted VPN traffic to flow
> through the servers (which works now, thanks to your articles), but
> not allow access to any service to anyone unless they are on the VPN
> (unable to check email, download files, or do anything to my server). I
> will need to allow the email server to receive emails at any time of
> course. I was thinking something like this in the macro.files
Your description is way too vague to seriously help you write the policies and rules. By VPN traffic "flowing through the server" I assume you mean access to services on the machine the user is connected to by OpenVPN? (Or do you have connecting both your machines by VPN in mind? Or maybe even a virtual LAN for you and your friends?)

> PARAM 10.0.8.0 - TCP 22 #comment

I would not start by thinking about macros. First, get the basic policies and rules done, then you can think about using custom macros to package it up. As I understand you, you do not want a lot of rules anyway.

> for all the ports I need open... 80, 443, 22, etc
>
> I am using Webmin to configure Shorewall, except when I have to
> manually do something. I just don't want the server touched by anyone
> not on VPN (mainly me and friends) except port 80 and 110 and 22 I
> guess.

You forgot port 1194 to actually permit the OpenVPN connections, and port 25 for your SMTP...

Assuming you followed the docs, and also have a zone named vpn associated with the tun+ devices -- this would outline what you want (IF I guessed correctly what you have in mind):

    # policies
    vpn     fw      ACCEPT                  # allow full access to all services for
                                            # all trusted VPN users

    # rules
    ACCEPT  net     fw      udp     1194    # OpenVPN access (using UDP)
    ACCEPT  net     fw      tcp     ssh
    ACCEPT  net     fw      tcp     http
    ACCEPT  net     fw      tcp     25

However, do note that this merely is a pointer to start with, since we do not know any details about your setup. Do not just copy-n-paste them. Also I do assume you actually got the recommended net2all and all2all policies of DROP and REJECT respectively, as per the docs. These always come last after any other custom policy.

> And unfortunately I am a total newbie, but digging the open source
> thing and learning Linux, reading, etc, but security seems important,
> so I wanted to ask the list if anyone has a quick solution so I don't
> get hacked 5min after bringing the servers online or if the above
> looks like it might work.
You want to go back to the docs, especially the Quick-Start Guide. :) Seems to me you did not properly understand the basic Shorewall concept of zones, which is utterly important to set up the policies and rules (which you can think of as exceptions to the policies).

We can't write the entire Shorewall configuration for you -- but if you post your existing setup along with a clear and precise description of what you want to accomplish, we may be able to help you correct it, if need be.

karsten

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
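The zone-based layout the reply points at, written out as the four Shorewall table fragments it touches (an added example, not taken from the message above or from the Shorewall documentation). It assumes the internet-facing interface is eth0 and that the firewall zone keeps its default name, referenced as $FW.

```text
# /etc/shorewall/zones -- the firewall itself, the internet, and the OpenVPN clients
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces -- eth0 is an assumption; tun+ matches every OpenVPN tun device
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
vpn     tun+        -

# /etc/shorewall/policy -- first match wins, so the two catch-all lines stay last
#SOURCE DEST    POLICY  LOG LEVEL
vpn     $FW     ACCEPT              # VPN users reach every service (Webmin, POP3, ...)
$FW     net     ACCEPT              # the server itself may talk outbound (DNS, mail delivery)
$FW     vpn     ACCEPT
net     all     DROP    info        # net2all: drop and log everything not opened in rules
all     all     REJECT  info        # all2all: reject anything still unmatched

# /etc/shorewall/rules -- the only services exposed towards the internet
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     $FW     udp     1194    # OpenVPN itself; without it nobody can enter the vpn zone
ACCEPT  net     $FW     tcp     22      # ssh
ACCEPT  net     $FW     tcp     80      # http
ACCEPT  net     $FW     tcp     25      # inbound mail for Postfix
```

Everything not listed in rules (Webmin, POP3 on 110, file downloads) is reachable only through the vpn zone, because the net-to-$FW traffic falls through to the net2all DROP policy.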