Thesniperofdeath (n00b)
Joined: 07 Jan 2011, Posts: 32, Location: Canada
Posted: Sat Feb 12, 2011 2:03 am    Post subject: Can you check my shorewall conf?
It seems a bit slower; I want to make it faster. Feel free to suggest any improvements.
I have a modem and gateway (wireless too) before the LAN and WLAN.
net = Internet, lan0 = LAN connection, wlan0 = wireless connection.
Zones:
Code:
#ZONE   TYPE       OPTIONS   IN          OUT
#                            OPTIONS     OPTIONS
fw      firewall
net     ipv4
lan     ipv4
wlan    ipv4
Interfaces:
Code:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect
lan     eth0        detect      dhcp,routefilter,nosmurfs
wlan    wlan0       detect      dhcp,routefilter,nosmurfs
Policy:
Code:
#SOURCE   DEST    POLICY   LOG     LIMIT:   CONNLIMIT:
#                          LEVEL   BURST    MASK
net       lan     ACCEPT   -
net       wlan    ACCEPT   -
lan       net     ACCEPT   -
wlan      net     ACCEPT   -
net       $FW     DROP     -
$FW       net     DROP     -
#IN
lan       $FW     ACCEPT   -
wlan      $FW     ACCEPT   -
$FW       lan     ACCEPT   -
$FW       wlan    ACCEPT   -
wlan      lan     DROP     -
lan       wlan    DROP     -
Rules:
Code:
#ACTION         SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS
#                                       PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS(ACCEPT)     lan      fw
DNS(ACCEPT)     wlan     fw
DNS(ACCEPT)     fw       lan
DNS(ACCEPT)     fw       wlan
DNS(ACCEPT)     lan      net
DNS(ACCEPT)     wlan     net
DNS(ACCEPT)     net      lan
DNS(ACCEPT)     net      wlan
FTP(ACCEPT)     lan      fw
FTP(ACCEPT)     wlan     fw
FTP(ACCEPT)     fw       lan
FTP(ACCEPT)     fw       wlan
Auth(REJECT)    net      all
SVN(ACCEPT)     lan      fw
SVN(ACCEPT)     wlan     fw
SVN(ACCEPT)     fw       lan
SVN(ACCEPT)     fw       wlan
SVN(ACCEPT)     lan      net
SVN(ACCEPT)     wlan     net
SVN(ACCEPT)     net      lan
SVN(ACCEPT)     net      wlan
Rsync(ACCEPT)   lan      fw
Rsync(ACCEPT)   wlan     fw
Rsync(ACCEPT)   fw       lan
Rsync(ACCEPT)   fw       wlan
Rsync(ACCEPT)   lan      net
Rsync(ACCEPT)   wlan     net
Rsync(ACCEPT)   net      lan
Rsync(ACCEPT)   net      wlan
Ping(ACCEPT)    lan      fw
Ping(ACCEPT)    wlan     fw
Web(ACCEPT)     lan      net
Web(ACCEPT)     wlan     net
Web(ACCEPT)     net      lan
Web(ACCEPT)     net      wlan
NTP(ACCEPT)     lan      fw
NTP(ACCEPT)     wlan     fw
NTP(ACCEPT)     fw       lan
NTP(ACCEPT)     fw       wlan
SSH(REJECT)     lan      fw
SSH(REJECT)     wlan     fw
SSH(REJECT)     net      fw
Web(ACCEPT)     fw       lan
Web(ACCEPT)     fw       wlan
SSH(REJECT)     fw       net
SSH(REJECT)     net      all
ACCEPT          lan      fw     tcp     443
ACCEPT          wlan     fw     tcp     443
ACCEPT          fw       lan    tcp     443
ACCEPT          fw       wlan   tcp     443
DROP            net      fw     tcp     1863
DROP            lan      fw     tcp     1863
DROP            wlan     fw     tcp     1863
DROP            net      fw     tcp     135
DROP            lan      fw     tcp     135
DROP            wlan     fw     tcp     135
gerdesj (l33t)
Joined: 29 Sep 2005, Posts: 622, Location: Yeovil, Somerset, UK
Posted: Fri Feb 18, 2011 11:22 pm    Post subject: Re: Can you check my shorewall conf?
That's an awful lot of stuff to ask people to read through.
To verify things I suggest using nmap to port scan your firewall from various places. That is the best way to check a firewall.
Some of the nmap scans you can do on the box itself, but for best results you want to do it from another device if you can.
OK, it will be hard to test your modem connection, but if you can get another internet-connected machine to scan yours then you will know exactly what is getting through.
Also, watch the logs - there are daemons to do this as well: logwatch and friends.
Cheers
Jon
gami (Apprentice)
Joined: 02 Jun 2006, Posts: 297
Posted: Sat Feb 19, 2011 12:14 am    Post subject:
It's not quite clear from your post what your network topology looks like. But looking at your policy file, I'd like to flag a big warning. It opens up all incoming traffic from the outside (net) into your network. I suggest you compare your settings with the excellent examples given at the shorewall web site (http://www.shorewall.net).
To test your settings from the outside, you could use the free service at http://nmap-online.com/.
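As an added example (not code from the thread), a small Python checker that parses the policy file posted above, flags the blanket policies that ACCEPT everything from net into an internal zone (the warning gami raises), and emits a hardened copy that DROPs and logs that traffic instead. The zone names and policy lines come from the original post; the "info" log level and the set of zones treated as internal are assumptions.

```python
"""Flag blanket net->internal ACCEPT policies in a Shorewall policy file and emit a hardened copy."""
# Constructed from the policy file posted above; the firewall zone is written
# as $FW, as Shorewall's policy file expects.
POLICY_TEXT = """\
#SOURCE DEST    POLICY  LOG
net     lan     ACCEPT  -
net     wlan    ACCEPT  -
lan     net     ACCEPT  -
wlan    net     ACCEPT  -
net     $FW     DROP    -
$FW     net     DROP    -
lan     $FW     ACCEPT  -
wlan    $FW     ACCEPT  -
$FW     lan     ACCEPT  -
$FW     wlan    ACCEPT  -
wlan    lan     DROP    -
lan     wlan    DROP    -
"""
UNTRUSTED = "net"
INTERNAL = {"lan", "wlan", "$FW"}  # assumed: zones that must not be wide open to the Internet

def parse_policy(text):
    """Return (source, dest, policy) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2].upper()))
    return entries

def is_open_inbound(entry):
    """True for a policy that accepts everything from the untrusted zone inward."""
    src, dst, pol = entry
    return src == UNTRUSTED and dst in INTERNAL and pol == "ACCEPT"

def find_open_inbound(entries):
    return [e for e in entries if is_open_inbound(e)]

def harden(entries, log_level="info"):
    """Rewrite open inbound policies to DROP with logging; every other line is kept as-is."""
    lines = []
    for src, dst, pol in entries:
        if is_open_inbound((src, dst, pol)):
            pol, log = "DROP", log_level  # log so probes from outside show up in the firewall log
        else:
            log = "-"
        lines.append(f"{src}\t{dst}\t{pol}\t{log}")
    return lines
```

Running harden() on the posted file turns the two net→lan/wlan ACCEPT lines into logged DROPs and leaves the outbound and internal policies untouched.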