PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall-lite
CONFIG_PATH=/usr/share/shorewall-lite:/usr/share/shorewall/configfiles:/usr/share/shorewall

etc/shorewall/zones:
#ZONE TYPE OPTIONS IN OUT
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

etc/shorewall/policy:
#SOURCE DEST POLICY LOG LIMIT:BURST

Note that the firewall->local network interface is wide open so from a security point of view, the firewall system is

etc/shorewall/init:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE - ADD YOUR ENTRIES BEFORE THIS ONE - DO NOT REMOVE
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS LINE - DO NOT REMOVE

etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to access the DSL "Modem" using its default IP address
Rule before the SNAT rules generated by entries in
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC

etc/shorewall/proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT

etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY
Openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
Openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server

etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT

Mirrors # Accept traffic from Shorewall Mirrors

etc/shorewall/action.Mirrors:
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
# Internet to ALL - drop NewNotSyn packets
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
ACCEPT net loc:192.168.1.3 tcp 113,4000:4100
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
ACCEPT net dmz tcp smtps
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)