Here are my current shorewall policies and rules. I intended to allow
traffic through to the firewall explicitly via IP address and port number, though
I think my rules are flawed. I can still ping an external address, which I
thought required port 80 to be open and an ACCEPT action for the address in
question.
/etc/shorewall/policy
#SOURCE DEST POLICY LOG   LIMIT:BURST
#                   LEVEL
$FW     dmz  ACCEPT
dmz     $FW  ACCEPT info
#dmz    $FW  REJECT info
# The FOLLOWING POLICY MUST BE LAST
all     all  REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE                          DEST                            PROTO DEST    SOURCE  ORIGINAL RATE  USER/ MARK
#                                                                             PORT    PORT(S) DEST     LIMIT GROUP
# ssh
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             tcp   aa      aa
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy tcp   aa      aa
# https
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             tcp   bbbbb   bbbbb
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy tcp   bbbbb   bbbbb
# Samba services: nmdb
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             udp   ccc     ccc
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy udp   ccc     ccc
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             udp   ddd     ddd
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy udp   ddd     ddd
# Samba services: smdb
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             tcp   eee     eee
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy tcp   eee     eee
ACCEPT  dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy $FW                             tcp   fff     fff
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy tcp   ggg     ggg
# Samba services: share browsing
ACCEPT  $FW                             dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy udp   hhh:iii hhh:iii
# Time server port
ACCEPT  dmz                             $FW                             udp   123     123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
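As an added example (not from the original post or from the Shorewall project), a small Python model of the order Shorewall applies, the rules file first and then the zone-to-zone policy, run over a copy of the configuration above with constructed port numbers and addresses in place of the masked ones. It shows that with both the `$FW dmz` and `dmz $FW` policies set to ACCEPT, the rules never restrict anything (ICMP echo included), and what changes once the commented-out `dmz $FW REJECT` policy is enabled.

```python
# Toy evaluator for Shorewall-style policy and rules files (added example).
# Ports and addresses are constructed stand-ins for the post's masked values.

POLICY_TEXT = """
#SOURCE DEST POLICY LOG
$FW     dmz  ACCEPT
dmz     $FW  ACCEPT info
all     all  REJECT info
"""

# Same file with the post's commented-out "dmz $FW REJECT info" line enabled.
TIGHT_POLICY_TEXT = POLICY_TEXT.replace("dmz     $FW  ACCEPT", "dmz     $FW  REJECT")

RULES_TEXT = """
#ACTION SOURCE                      DEST                        PROTO DPORT SPORT
ACCEPT  dmz:192.0.2.10-192.0.2.20   $FW                         tcp   22    22
ACCEPT  $FW                         dmz:192.0.2.10-192.0.2.20   tcp   22    22
ACCEPT  dmz                         $FW                         udp   123   123
"""


def _rows(text):
    """Yield whitespace-split columns, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _zone(field):
    """'dmz:addr-range' -> 'dmz'; the address qualifier is ignored in this toy."""
    return field.split(":", 1)[0]


def decide(src, dst, proto, dport=None, policy_text=POLICY_TEXT):
    """First matching rule wins; otherwise the first matching policy line."""
    for cols in _rows(RULES_TEXT):
        action, rsrc, rdst, rproto = cols[0], _zone(cols[1]), _zone(cols[2]), cols[3]
        rport = cols[4] if len(cols) > 4 else None
        if (rsrc, rdst, rproto) == (src, dst, proto) and rport in (None, dport):
            return f"{action} (rule)"
    for psrc, pdst, paction, *_ in _rows(policy_text):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return f"{paction} (policy)"
    return "REJECT (implicit)"


if __name__ == "__main__":
    print(decide("$FW", "dmz", "icmp"))                        # ACCEPT (policy)
    print(decide("dmz", "$FW", "tcp", "80"))                   # ACCEPT (policy)
    print(decide("dmz", "$FW", "tcp", "80", TIGHT_POLICY_TEXT))  # REJECT (policy)
```

Because an ICMP echo from the firewall carries no TCP port, only the `$FW dmz` policy line decides it, which is why the ping succeeds regardless of the port rules.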