[email protected] writes:

> Simon Hobson <[email protected]> writes:
>
>> [email protected] wrote:
>>
>>> I plan to make a home network; one can see my plan here:
>>>
>>> https://dl.dropboxusercontent.com/u/56020882/HomeNetwork_01.png
>>>
>>> I shall use shorewall as firewall. This should be a firewall with 4
>>> interfaces.
>>> My question is: should I use for wireless LAN ( wlan0) dmz zone also, as
>>> for web server ( eth2)?
>>
>> I'd be more inclined to make it its own zone OR to make it part of
>> the loc zone. There really isn't any right or wrong answer - as a lot
>> depends on your requirements and attitude to risk.
>> If you put it in its own zone, then you can have fairly fine grained
>> control of how much access to the loc zone any wireless device has.
>> But you also need to consider the restrictions it may impose - many
>> "IOT" things expect the end user to have a "flat" network where all
>> devices have access to each other and can be found by simple broadcast
>> packets. Some of these may be difficult, or even impossible, to use
>> when connected to a different network to the computer you want to use
>> it from (whether that's accessing a WiFi device from wired computer,
>> or a wired device from a WiFi computer/tablet/phone).
>
> Then, I change plan for my home network.
>
> It remains as is, that is:
> My ISP
> |-- Cable modem
> .....|-- Bubba 2, the headless power pc box with WAN ( eth0 -- to my ISP),
> .........LAN ( eth1 -- to my home LAN wired network ) and
> .........USB WiFi dongle as Access Point ( wlan0 -- to my home wireless LAN:
> WLAN)

The image can be seen here too:
https://www.dropbox.com/s/shbcf2ukcj429v1/HomeNetwork_02.png?dl=0

So I would set up shorewall for this network as:

interfaces
[code]
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
wloc    wlan0       detect      tcpflags,nosmurfs,routefilter,logmartians
[/code]

masq
[code]
[/code]

rules
[code]
#ACTION                 SOURCE  DEST    PROTO   DEST
#                                               PORT(S)
#
# LDAP
#
LDAP(ACCEPT)            $FW     net
LDAP(ACCEPT)            net     $FW
LDAPS(ACCEPT)           $FW     net
LDAPS(ACCEPT)           net     $FW
#
# Accept bittorrent
#
BitTorrent32(ACCEPT)    $FW     net     tcp
BitTorrent32(ACCEPT)    net     $FW     tcp
BitTorrent(ACCEPT)      $FW     net     tcp
BitTorrent(ACCEPT)      net     $FW     tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)             $FW     net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)             loc     $FW
SSH(ACCEPT)             wloc    $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT)            loc     $FW
Ping(ACCEPT)            wloc    $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being
# flooded..
#
Ping(DROP)              net     $FW
ACCEPT                  $FW     loc     icmp
ACCEPT                  $FW     wloc    icmp
ACCEPT                  $FW     net     icmp
ACCEPT                  all     all     icmp    time-exceeded   # traceroute
ACCEPT                  all     all     tcp     http,https
[/code]

zones
[code]
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
wloc    ipv4
[/code]

Should I do some 'route' commands to get this home network working?

Any advice will be appreciated!

--
Regards from Pal

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
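The two files the post above leaves out are policy (the default action between each pair of zones, which decides how isolated wloc is from loc) and masq (the NAT that makes route commands unnecessary for a single-homed home router). The following is an added example, not from Pal's message or from the Shorewall project; it assumes Shorewall 4.x file formats, that the internal zones are named loc and wloc as declared above, and that eth0 is the ISP-facing interface:

```text
# policy  (/etc/shorewall/policy, Shorewall 4.x format) -- added example
#SOURCE   DEST    POLICY   LOG LEVEL
# both inside zones may reach the Internet; the connection tracker
# lets replies back in, so no net->loc rule is needed for that
loc       net     ACCEPT
wloc      net     ACCEPT
# wireless and wired are kept apart by default; only what the rules
# file lists (e.g. the http,https rule) crosses between them, and
# every refused attempt is logged so a misbehaving device shows up
wloc      loc     REJECT   info
loc       wloc    REJECT   info
# unsolicited traffic from the Internet is silently dropped
net       all     DROP     info
# THE FOLLOWING POLICY MUST BE LAST: anything not matched above
# (including $FW-originated traffic not listed in rules) is refused
all       all     REJECT   info

# masq  (/etc/shorewall/masq, Shorewall 4.x format) -- added example
# masquerade both inside interfaces behind whatever address eth0
# obtained via DHCP; this replaces any hand-written 'route' commands,
# the kernel only needs the default route the DHCP client installs
#INTERFACE   SOURCE
eth0         eth1
eth0         wlan0
```

Running `shorewall check` before `shorewall restart` reports undeclared zones or column errors in these files without touching the live ruleset.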
