I am new to the list but impressed with shorewall & the archives
(though I can't find a way to search the archives other than
downloading the lot & mounting them locally). I've installed 1.2.12
which is the package in the Debian stable release tree, it's on
kernel 2.4.18-586tsc and iptables 1.2.6a. I have an ADSL connection
with a fixed IP and four IPs on top of that gateway one. Currently I
use all four for wife, my and kids' computers and the crucial server
which serves up http,https,smtp,pop3 & ssh and runs ntp to keep time
and whatever it needs for the DNS. At the moment I don't need the
server to do any more but would like to have a new local net behind
the server running samba (as we all have to use M$ sadly) and I'd
like to put more machines in there so I can get linux back in.
I think I'm "firewall-IQ-challenged" so apologies if I'm looking
through answers to these questions somewhere obvious.
1) is the 1.3 tree a development tree and 1.2 the stable? Even if
so, am I right to guess from the development history that I should
still be safe to point my sources.list at:
deb http://security.dsi.unimi.it/~lorenzo/debian ./
and move to the 1.3.8 version?
2) I want to put the firewall in front of some local machines which
will run on a 100Mbs hub and move my www and Email server to a dmz
running off a different interface on the firewall using proxyarp:
I've got the loc zone working with masquerading and everything simple
seems to work fine (no samba yet!).
I have got proxyarp working to some extent except that it seems to
block DNS lookups by the server in the dmz despite the fact that the
same rules allow lookups from the loc zone (with masquerading). That
cripples things but doesn't generate shorewall error messages so I
think I've misunderstood proxyarp. Do I need different subnet masks
on the firewall & server in the dmz? One thing I read seems to say
"yes" another "no".
3) Finally a philosophy issue almost. My reading around firewalling
suggests to me that I'd be safest with:
all all DROP info
as the only policy and then use explicit rules to allow only exactly
what I want, both outgoing and incoming. Most of the shorewall
examples I have read seem to start with more tolerant policies.
Anyone worked on my paranoid mode and willing to share config e.g.s
Enough for now. Hoping someone can help.
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@...