Hi Pete,

Just a few more comments on your configuration:

On 08/07/2013 09:34 AM, Pete Geenhuizen wrote:
>
> On 08/06/2013 04:54 PM, Tom Eastep wrote:
>> On 8/6/2013 10:11 AM, Pete Geenhuizen wrote:
>> Why don't you simply have an ACCEPT policy from $FW to net? In
>> /etc/shorewall/policy:
>>
>> $FW net ACCEPT
>>
> Thanks Tom for the suggestion, and please forgive my ignorance, but
> wouldn't this open the firewall to anything?

The above policy is for traffic FROM the firewall TO net. (The source
zone is listed first.)

> ...
> Perhaps I have something else in the rules file creating a problem, so
> here are the rules that I have
> SECTION NEW
>
> ACCEPT net $FW
> DNAT net loc:XXX.XXX.XXX.13 tcp 22 2222
> DNAT net loc:XXX.XXX.XXX.2 tcp http,https,imap,imaps,smtp
>
> Invalid(DROP) net all

Be careful with this one - I would recommend putting it at the end of
your rules if you bother keeping it. New connections are also invalid,
which means that any other net to anything rules after it will be
dropped.

> ...
> Ping(DROP) net $FW

I personally find blocking ping causes more problems than it solves. It
has been a long time since Linux has seen a ping-based vulnerability,
and it's an important troubleshooting tool.

Regards,
Paul

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
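As an added example that is not part of this thread and not Shorewall's own code, the following shell script turns Paul's ordering advice into a check you can run over a rules file (`shorewall check` compiles the configuration but does not warn about this). It scans the NEW section for an `Invalid(...)` rule with SOURCE `net` and DEST `all` and prints every later rule whose SOURCE is `net`, which is the set of rules Paul says would be shadowed. The two rules files it writes are constructed here: the first reproduces the ordering Pete posted, with an `ACCEPT net $FW udp 1194` line added as a constructed stand-in for whatever sat behind his "..."; the second applies Paul's two suggestions (Invalid(DROP) moved to the end, Ping(DROP) removed). The column layout assumed is the one Pete used (ACTION SOURCE DEST PROTO DPORT SPORT).

```sh
#!/bin/sh
# Added example, not from the original mail or from Shorewall.
# Flags the ordering Paul warns about: an "Invalid(DROP) net all" rule in the
# NEW section that is followed by further rules whose SOURCE is net.

# check_invalid_order FILE
# Exit 0 and print the affected rules when the NEW section has an Invalid(...)
# rule with SOURCE net and DEST all followed by at least one more rule with
# SOURCE net (or net:<address>); exit 1 otherwise.
check_invalid_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
        $1 == "SECTION" || $1 == "?SECTION" {          # track the current section
            in_new = ($2 == "NEW"); next
        }
        !in_new { next }
        # Columns: ACTION SOURCE DEST [PROTO DPORT SPORT ...]
        $1 ~ /^Invalid\(/ && $2 == "net" && $3 == "all" { seen = NR; next }
        seen && $2 ~ /^net(:|$)/ {
            printf "line %d follows Invalid(DROP) at line %d: %s\n", NR, seen, $0
            bad = 1
        }
        END { exit bad ? 0 : 1 }
    ' "$1"
}

# Constructed rules file with the ordering Pete posted. The udp 1194 line is a
# constructed stand-in for a rule behind his "..."; it is not from the thread.
write_posted_rules() {
    cat > "$1" <<'EOF'
SECTION NEW
ACCEPT          net     $FW
DNAT            net     loc:XXX.XXX.XXX.13   tcp   22     2222
DNAT            net     loc:XXX.XXX.XXX.2    tcp   http,https,imap,imaps,smtp
Invalid(DROP)   net     all
ACCEPT          net     $FW                  udp   1194
Ping(DROP)      net     $FW
EOF
}

# Same rules with Paul's suggestions applied: Invalid(DROP) is now the last
# net rule in the section, and ping from net is no longer dropped.
write_reordered_rules() {
    cat > "$1" <<'EOF'
SECTION NEW
ACCEPT          net     $FW
DNAT            net     loc:XXX.XXX.XXX.13   tcp   22     2222
DNAT            net     loc:XXX.XXX.XXX.2    tcp   http,https,imap,imaps,smtp
ACCEPT          net     $FW                  udp   1194
Invalid(DROP)   net     all
EOF
}

# Run the check against both constructed files and say what to do.
demo() {
    tmp=$(mktemp) || return 1
    for writer in write_posted_rules write_reordered_rules; do
        "$writer" "$tmp"
        echo "== $writer"
        if check_invalid_order "$tmp"; then
            echo "-> move 'Invalid(DROP) net all' to the end of the section"
        else
            echo "-> ok: no net rule follows 'Invalid(DROP) net all'"
        fi
    done
    rm -f "$tmp"
}

demo
```

The check only reports rules whose SOURCE is `net`, since that is the source the Invalid(DROP) line matches; a `net:1.2.3.4` source counts too, because the DEST `all` still covers it. Run it against `/etc/shorewall/rules` after any edit, then `shorewall check` as usual.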
