2012/10/24 Simon Hobson <[email protected]>

> I.S.C. William wrote:
>
> >For it is exactly what I want, block all access to the local network
> >(loc) to internet (net) and similar as net2loc, that only can select
> >that port open.
> >
> >You say that I need one more rule, I could mention that but I need
> >to accomplish this?
>
> You need to take a step back. It's not enough to talk about blocking
> traffic TO a zone; all policies apply to traffic FROM one zone TO
> another zone. These zones are the first and second columns of the
> policy file.
>
> I'd suggest you should make a full list of all the zone-zone
> combinations like this :
>
> fw   loc
> fw   net
> fw   vpn
>
> loc  fw
> loc  loc
> loc  net
> loc  vpn
>
> net  fw
> net  loc
> net  vpn
>
> vpn  fw
> vpn  loc
> vpn  net
>
> all  all
>
> I've included loc-loc, that's only needed if you have more than one
> network in your loc zone and the firewall is passing traffic between
> them. All-all is a 'catch all' for anything not more explicitly
> listed.
>
> Against each combination, decide whether you want to allow traffic
> (ACCEPT), or block it (DROP or REJECT). The difference between DROP
> and REJECT is that DROP will silently discard the packet, while
> REJECT will reply to the packet (an ICMP response I think, but that
> could be wrong).
> It's common to use REJECT for outbound traffic (any->net, so your
> internal clients "fail" quickly rather than doing nothing for a while
> and then failing), and DROP for inbound traffic (net->any, so an
> attacker just gets no response to probes).
>
> Once you've decided on the policy, only then do you think about
> rules. The POLICY applies to all traffic between the two zones which
> isn't mentioned in a RULE, rules apply to specific traffic with more
> detailed criteria.
>
>
> If you have an ACCEPT policy, then all traffic is allowed unless you
> have a rule which blocks it. E.g., if you generally want outbound
> traffic allowed (policy - loc  net  ACCEPT), but wanted to prevent
> SMTP traffic that didn't come from your internal mail server, you might
> add the RULEs :
> SMTP/ACCEPT  loc:<mail server ip>  net
> SMTP/REJECT  loc                   net
>
> These rules explicitly allow mail from your mail server (so it's not
> caught by the next rule), and then reject anything else.
>
>
> If you have a REJECT or DROP policy, then you'll need rules to allow
> all traffic you want to allow. So for the same mail, you'd just need
> one RULE :
> SMTP/ACCEPT  loc:<mail server ip>  net
>
>
Excellent explanation ... thank you very much ...

Greetings!
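The rules-then-policy model Simon describes, worked through as an added example that is not from the thread or from Shorewall's own code: a small Python evaluator that parses a constructed policy file and rules file laid out like the ones quoted above, consults the rules first (first match wins, in file order) and falls back to the first matching policy line only when no rule applies. The SMTP macro is assumed to expand to tcp/25 (as Shorewall's macro.SMTP does); the zone names match the thread, and the IP addresses are constructed documentation addresses.

```python
"""Toy evaluator for Shorewall-style policy and rules files.

Added example: parses a constructed policy file and rules file and
returns the verdict for a packet the way the thread explains it:
rules are checked first (first match wins), and the policy for the
zone pair is the catch-all for anything no rule mentions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample policy file (columns: SOURCE DEST POLICY).
POLICY_FILE = """
# SOURCE  DEST  POLICY
loc       net   ACCEPT
loc       fw    ACCEPT
fw        net   ACCEPT
net       all   DROP       # inbound probes get silence
all       all   REJECT     # catch-all for every other zone pair
"""

# Constructed sample rules file (columns: ACTION SOURCE DEST [PROTO DPORT]).
RULES_FILE = """
# ACTION       SOURCE          DEST  PROTO  DPORT
SMTP/ACCEPT    loc:192.0.2.25  net                  # the mail server
SMTP/REJECT    loc             net                  # everyone else in loc
ACCEPT         net             fw    tcp    22      # admin ssh to the firewall
"""

# Assumed macro expansion (mirrors Shorewall's macro.SMTP: tcp port 25).
MACROS = {"SMTP": ("tcp", "25")}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]   # host/network qualifier after "zone:", or None
    dst_zone: str
    proto: Optional[str]
    dport: Optional[int]


def _parse_lines(text: str):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    return [(src, dst, pol) for src, dst, pol, *_ in _parse_lines(text)]


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for action, src, dst, *rest in _parse_lines(text):
        proto = dport = None
        if "/" in action:                      # MACRO/ACTION form
            macro, action = action.split("/", 1)
            proto, dport = MACROS[macro]
        elif len(rest) >= 2:                   # explicit PROTO DPORT columns
            proto, dport = rest[0], rest[1]
        zone, _, host = src.partition(":")
        rules.append(Rule(action, zone, host or None, dst, proto,
                          int(dport) if dport else None))
    return rules


def _zone_matches(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_zone_matches(rule.src_zone, pkt.src_zone)
            and _zone_matches(rule.dst_zone, pkt.dst_zone)):
        return False
    if rule.src_host and ipaddress.ip_address(pkt.src_ip) not in \
            ipaddress.ip_network(rule.src_host, strict=False):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(pkt: Packet, rules: List[Rule], policy) -> Tuple[str, str]:
    """Return (verdict, reason): first matching rule, else first matching policy."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule.action, f"rule {rule.action} {rule.src_zone}->{rule.dst_zone}"
    for src, dst, pol in policy:
        if _zone_matches(src, pkt.src_zone) and _zone_matches(dst, pkt.dst_zone):
            return pol, f"policy {src} {dst} {pol}"
    raise LookupError("no policy covers this zone pair")


RULES = parse_rules(RULES_FILE)
POLICY = parse_policy(POLICY_FILE)


def demo() -> dict:
    """Verdicts for a handful of constructed packets."""
    samples = {
        "mail":  Packet("loc", "192.0.2.25",   "net", "tcp", 25),   # mail server -> rule 1
        "rogue": Packet("loc", "192.0.2.77",   "net", "tcp", 25),   # other host  -> rule 2
        "web":   Packet("loc", "192.0.2.77",   "net", "tcp", 443),  # no rule     -> loc net policy
        "ssh":   Packet("net", "198.51.100.9", "fw",  "tcp", 22),   # rule 3
        "probe": Packet("net", "198.51.100.9", "loc", "tcp", 445),  # no rule     -> net all DROP
    }
    return {name: decide(p, RULES, POLICY)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:6s} {verdict}")
```

Swapping the order of the two SMTP rules makes the evaluator reject the mail server's traffic too, which is why the explicit ACCEPT for the mail server has to come before the broad REJECT.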
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users