Hi,
I've been successfully using shorewall in our K12 school since the 2.x
days, initially on Mandrake and now on Debian. Because of that my config
has got quite complicated. The firewall has a working MultiISP setup
with four interfaces (I've renamed them with udev to ease their
identification): lan-if, dmz-if, snt-if and dnt-if (one of the providers
(the one on dnt-if) is a DSL provider, and thus there is a ppp0 too)
and five zones: loc, dmz, okt, kag and net (okt and kag are for special
organizations at our site, connected to dmz-if).
Until now I've used blacklisting to control the students' Internet access
(there was a simple application through which the teacher could
add/remove the IPs in the classroom to the blacklist file, and then
reload shorewall). Then there was a proposal to allow teachers to block
students' access to some parts of the Internet (Facebook). I've decided
to modernize the firewall setup by removing blacklisting and adding
dynamic zones instead.
The firewall host is a Debian Wheezy up to date install, with the
xtables-addons installed.
Capabilities:
Shorewall has detected the following iptables/netfilter capabilities:
NAT (NAT_ENABLED): Available
Packet Mangling (MANGLE_ENABLED): Available
Multi-port Match (MULTIPORT): Available
Extended Multi-port Match (XMULIPORT): Available
Connection Tracking Match (CONNTRACK_MATCH): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Packet Type Match (USEPKTTYPE): Available
Policy Match (POLICY_MATCH): Available
Physdev Match (PHYSDEV_MATCH): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Packet length Match (LENGTH_MATCH): Available
IP range Match(IPRANGE_MATCH): Available
Recent Match (RECENT_MATCH): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Ipset Match (IPSET_MATCH): Available
CONNMARK Target (CONNMARK): Available
Extended CONNMARK Target (XCONNMARK): Available
Connmark Match (CONNMARK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Raw Table (RAW_TABLE): Available
Rawpost Table (RAWPOST_TABLE): Available
IPP2P Match (IPP2P_MATCH): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Extended REJECT (ENHANCED_REJECT): Available
Repeat match (KLUDGEFREE): Available
MARK Target (MARK): Available
Extended MARK Target (XMARK): Available
Extended MARK Target 2 (EXMARK): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Comments (COMMENTS): Available
Address Type Match (ADDRTYPE): Available
TCPMSS Match (TCPMSS_MATCH): Available
Hashlimit Match (HASHLIMIT_MATCH): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Realm Match (REALM_MATCH): Available
Helper Match (HELPER_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Time Match (TIME_MATCH): Available
Goto Support (GOTO_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Available
IPMARK Target (IPMARK_TARGET): Available
LOG Target (LOG_TARGET): Available
ULOG Target (ULOG_TARGET): Available
NFLOG Target (NFLOG_TARGET): Available
Persistent SNAT (PERSISTENT_SNAT): Available
TPROXY Target (TPROXY_TARGET): Available
FLOW Classifier (FLOW_FILTER): Available
fwmark route mask (FWMARK_RT_MASK): Available
Mark in any table (MARK_ANYWHERE): Available
Header Match (HEADER_MATCH): Not available
ACCOUNT Target (ACCOUNT_TARGET): Available
AUDIT Target (AUDIT_TARGET): Available
ipset V5 (IPSET_V5): Available
Condition Match (CONDITION_MATCH): Available
Statistic Match (STATISTIC_MATCH): Available
IMQ Target (IMQ_TARGET): Not available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Geo IP match: Not available
iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Available
The zones file has:
fw firewall
net ipv4
loc ipv4
dmz ipv4
okt ipv4
kag ipv4
nonet:loc ipv4
nocom:loc ipv4
(nocom and nonet are the two new dynamic zones I try to introduce)
The corresponding lines from hosts are:
nonet lan-if:dynamic
nocom lan-if:dynamic
And on interfaces the interesting line has:
loc lan-if detect routeback,bridge,tcpflags,dhcp,nosmurfs,blacklist
I know it differs from the documentation by specifying non-default
options, but I would like to keep at least blacklist for now until the
dynamic zones get fully tested. The ipsets are generated as:
Name: nocom_lanif_3
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 24
Members:
Name: nonet_lanif_3
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 12
Members:
I've observed two strange/misunderstood behaviors/errors:
1. shorewall show dynamic nonet
returns nothing and trying to add an IP address to any of the dynamic
pools fails:
shorewall add lan-if:10.255.255.136 nonet
ERROR: Zone nonet, interface lan-if is does not have a dynamic host list
2. In the rules file I couldn't specify the name of the dynamic zone,
only the name of the generated ipset (this could be related to the
previous problem, or be by design).
Thanks for any idea!
Cheers
Geza Gemes
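One quick sanity check worth running before `shorewall add`: that every zone in the zones file really has a host list, and that every `iface:dynamic` entry in hosts refers to a declared zone and a defined interface. This is an added example, not code from the post or from the Shorewall project; the three sample files are constructed subsets modelled on the configuration above (paths, the net interface and the missing nocom entry are assumptions), and the awk/grep logic is a simplified reading of the files, not Shorewall's own parser.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the three Shorewall files
# involved in a dynamic zone. Sample files are constructed, modelled on the post's setup
# (paths and zone/interface names below are assumptions, not the live configuration).
WORK=$(mktemp -d)
cat > "$WORK/zones" <<'EOF'
fw firewall
net ipv4
loc ipv4
nonet:loc ipv4
nocom:loc ipv4
EOF
cat > "$WORK/interfaces" <<'EOF'
net snt-if detect
loc lan-if detect routeback,bridge,tcpflags,dhcp,nosmurfs,blacklist
EOF
cat > "$WORK/hosts" <<'EOF'
nonet lan-if:dynamic
EOF

# check_dynamic_zones ZONES HOSTS INTERFACES
# Prints one diagnostic per problem; returns 0 only when every zone has a host list
# and every "iface:dynamic" entry names a declared zone on a defined interface.
check_dynamic_zones() {
  zones=$1 hosts=$2 ifaces=$3 rc=0
  # ipv4 zones with the ":parent" suffix stripped (comment lines skipped)
  declared=$(awk '!/^#/ && $2=="ipv4"{sub(/:.*/,"",$1); print $1}' "$zones")
  known_if=$(awk '!/^#/ && NF>=2{print $2}' "$ifaces")
  while read -r zone spec rest; do
    case $zone in ''|\#*) continue ;; esac
    case $spec in *:dynamic) ;; *) continue ;; esac
    iface=${spec%%:*}
    echo "$declared" | grep -qxF "$zone" ||
      { echo "hosts: dynamic zone $zone is not declared in zones"; rc=1; }
    echo "$known_if" | grep -qxF "$iface" ||
      { echo "hosts: interface $iface for zone $zone is not in interfaces"; rc=1; }
  done < "$hosts"
  for z in $declared; do
    grep -qE "^$z[[:space:]]" "$hosts" "$ifaces" ||
      { echo "zone $z has no hosts or interfaces entry, so no dynamic host list"; rc=1; }
  done
  return $rc
}

if check_dynamic_zones "$WORK/zones" "$WORK/hosts" "$WORK/interfaces"; then
  echo "dynamic zone configuration is consistent"
else
  echo "fix the problems above before using 'shorewall add'"
fi
```

With the constructed files the check reports that nocom has no hosts entry; adding `nocom lan-if:dynamic` to the sample hosts file makes it pass.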
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users