I'm working on setting up a new router/server/etc. box. I'm using Proxmox as the base system (Debian Lenny basically). I'm trying to figure out the right way to configure Shorewall on it. I've looked at some of the bridging info but they seem to all be talking about single-interface setups. Could someone look over my setup and give me some input into the proper way to set this up so that I can do all the normal Shorewall things properly like blocking like normal, port forwards, etc.?
I think my current setup mostly works, but I'm seeing messages like:

Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0
(some of these are from external machines to a virtual machine and mention eth1 as the physical - this one is both virtual machines)
I'm assuming something isn't setup quite right. :)
My setup is:
eth0 - external (internet)
eth1 - internal (not configured - the physical interface to the lan)
vmbr0 - the ProxMox bridge interface on eth1
/etc/network/interfaces:
# network interface settings
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.10.42.1
netmask 255.255.255.0
broadcast 10.10.42.255
bridge_ports eth1
bridge_stp off
bridge_fd 0
##################################
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc vmbr0 detect tcpflags,dhcp,nosmurfs
#####################################################
/etc/shorewall/policy (wide open for now, but obviously should be locked later):
################
#Testing Section
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW ACCEPT
loc all ACCEPT
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW all ACCEPT
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW ACCEPT
net loc ACCEPT
net all ACCEPT
##################################################
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#########################################################

Thanks!
Mark II
--
Mark D. Montgomery II
http://www.techiem2.net
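The log line quoted above is the key diagnostic: IN and OUT are the same bridge (vmbr0), PHYSIN/PHYSOUT are two bridge ports, and the chain is FORWARD rather than a zone-pair chain such as loc2loc. Because bridged frames are handed to iptables when bridge-nf-call-iptables is on, VM-to-VM and LAN-to-VM traffic on the same bridge reaches Shorewall's FORWARD chain, and without the routeback option on the bridge interface Shorewall never builds a loc-to-loc path for it, so it falls through to the chain's REJECT. The script below is an added example written for this page (it is not from the post, from Proxmox, or from Shorewall's own tooling): it parses Shorewall log lines, flags the same-interface ("hairpin") rejects, names the bridge they came from, and shows the corrected /etc/shorewall/interfaces line with routeback appended. The first sample line is the one from the post; the other two are constructed in the same format, and the assumption that port names starting with vmtab are VM ports comes from the naming in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample log: line 1 is the one quoted in the post, lines 2 and 3
# are made up in the same format to show a LAN-to-VM hairpin and a normal drop.
SAMPLE_LOG = """\
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=eth1 PHYSOUT=vmtab101i0 SRC=10.10.42.50 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=12 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes the standard netfilter LOG output with chain:disposition:
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: List[str] = field(default_factory=list)        # bare tokens: DF, SYN, ...


def parse_line(line: str) -> LogEntry:
    """Parse one Shorewall log line into chain, disposition, key=value fields and flags."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    entry = LogEntry(m.group("chain"), m.group("disp"))
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry.fields[key] = value  # value may be empty, e.g. OUT= on INPUT traffic
        else:
            entry.flags.append(token)
    return entry


def classify(entry: LogEntry) -> Tuple[str, str]:
    """Return ("hairpin", why) for same-interface FORWARD traffic, else ("other", why)."""
    in_if, out_if = entry.fields.get("IN", ""), entry.fields.get("OUT", "")
    if entry.chain == "FORWARD" and in_if and in_if == out_if:
        physin = entry.fields.get("PHYSIN", "?")
        physout = entry.fields.get("PHYSOUT", "?")
        # Assumption from the post's naming: vmtab* ports belong to VMs.
        kind = "VM to VM" if physin.startswith("vmtab") and physout.startswith("vmtab") else "LAN to VM"
        return "hairpin", (f"{kind}: {entry.fields.get('SRC')} -> {entry.fields.get('DST')} "
                           f"({physin} -> {physout}) fell through to the FORWARD policy on {in_if}")
    return "other", f"{entry.chain} {entry.disposition} from {entry.fields.get('SRC')} on {in_if or 'local'}"


def summarize(log_text: str) -> Dict[str, int]:
    """Count entries per category over a whole log extract."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_line(line))[0]] += 1
    return dict(counts)


def hairpin_bridges(log_text: str) -> List[str]:
    """Bridge interfaces that produced hairpin rejects, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if classify(entry)[0] == "hairpin" and entry.fields["IN"] not in seen:
            seen.append(entry.fields["IN"])
    return seen


def interfaces_line_with_routeback(line: str) -> str:
    """Add routeback to an /etc/shorewall/interfaces entry (ZONE INTERFACE BROADCAST OPTIONS)."""
    parts = line.split("#", 1)[0].split()  # drop a trailing comment, then split columns
    if len(parts) < 3:
        raise ValueError("expected at least ZONE INTERFACE BROADCAST")
    options = parts[3].split(",") if len(parts) > 3 else []
    if "routeback" not in options:
        options.append("routeback")
    return " ".join(parts[:3] + [",".join(options)])


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        category, why = classify(parse_line(raw))
        print(f"[{category}] {why}")
    for bridge in hairpin_bridges(SAMPLE_LOG):
        print(f"\n{bridge}: same-interface traffic reaches FORWARD; add routeback so the "
              f"loc-to-loc policy and rules decide instead, e.g.")
        print("  " + interfaces_line_with_routeback(f"loc {bridge} detect tcpflags,dhcp,nosmurfs"))
```

With routeback on vmbr0, traffic between two ports of the bridge is handled by the loc-to-loc policy (here `loc all ACCEPT`) and any rules you write for it, so VM-to-VM and LAN-to-VM flows can still be filtered and logged by the host. Turning off bridge-nf-call-iptables would also silence these messages, but it does so by taking bridged frames out of iptables entirely, which gives up the host's ability to filter between the VMs.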
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
