William Hamilton wrote:
> Hi there, not sure of the protocol, but I am looking for a config check to
> see if it is ok.
>
> Net info
> ------------
> /28 address range
> External, DMZ, Local network and OpenVPN.
> DHCP on VPN and Local
>
> I have attached the config I have written up. Can I request a peer review?
> Happy for the configs to enter the public domain once debugged/complete (if
> of use).

I don't know what your definition of 'ok' is because I don't know what you want to allow or disallow. So I can only assume that what you have here is exactly what you intend.

One thing that worries me is this comment in your rules file:

    # Allow ping checks, and other useful ICMP (eg, redirects)

You then invoke the AllowICMPs action with ACCEPT. Three problems:

a) The AllowICMPs macro only allows those ICMP requests that are required for correct operation of a router; namely fragmentation-needed and time-exceeded. It allows neither echo-request (Ping) nor Redirect.

b) AllowICMPs is not a parameterized macro, so the "/ACCEPT" is superfluous.

c) The Default Actions for both the DROP and REJECT policies invoke AllowICMPs; so there is never any point in invoking that macro in /etc/shorewall/rules unless you have a following DROP or REJECT rule for ICMP.

You have incorrectly specified the server port in your ACCEPT rules. Example:

    ACCEPT loc dmz:$IGN_FUSION:3306 tcp 3306 #mySQL

A 'shorewall check' will flag that as an error (assuming that you are running Shorewall-perl; if you aren't running Shorewall-perl, you should be -- see http://www.shorewall.net/Notices.html#Shell-EOL).

'shorewall check' will also issue a warning for the following rule, rightly claiming that it is a policy and should be specified in the policy file:

    ACCEPT ovpn loc

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
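The three corrections Tom lists, written out as an added example for readers of the archive; this is not part of the original thread and is not William's attached config (which the archive does not reproduce). The zone names loc, dmz and ovpn, the variable $IGN_FUSION and the port 3306 are taken from the post; the zones on the ICMP line are an assumption, since the post only shows the comment above that rule. The Ping macro shipped with Shorewall is used where echo-request is actually wanted, and the columns follow the standard rules-file layout (ACTION SOURCE DEST PROTO DEST PORT(S)).

```text
# /etc/shorewall/rules  (excerpt; example file, not the poster's attachment)
#ACTION             SOURCE      DEST                    PROTO   DEST PORT(S)

# Before: AllowICMPs passes only fragmentation-needed and time-exceeded,
# takes no parameter (so "/ACCEPT" means nothing) and is already invoked
# by the DROP and REJECT default actions.  It never allowed ping.
#AllowICMPs/ACCEPT  loc         dmz                     # zones assumed

# After: say what is meant.  The Ping macro accepts ICMP echo-request.
Ping/ACCEPT         loc         dmz                     # zones assumed

# Before: a port appended to the DEST address is an error under
# 'shorewall check' (Shorewall-perl); the server port is its own column.
#ACCEPT             loc         dmz:$IGN_FUSION:3306    tcp     3306    #mySQL

# After: DEST is zone:address, the port goes in DEST PORT(S).
ACCEPT              loc         dmz:$IGN_FUSION         tcp     3306    #mySQL

# Before: a rule with no protocol or port is really a policy;
# 'shorewall check' warns and tells you to move it.
#ACCEPT             ovpn        loc


# /etc/shorewall/policy  (excerpt)
#SOURCE             DEST        POLICY      LOG LEVEL
ovpn                loc         ACCEPT
```

Re-run 'shorewall check' after the edit: with the port moved into its own column the error disappears, and with the ovpn-to-loc line relocated to the policy file the warning disappears. If Redirect really is wanted as the original comment suggested, it needs its own explicit icmp rule, because neither AllowICMPs nor Ping covers it.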
