I am new to the list but impressed with shorewall & the archives
(though I can't find a way to search the archives other than
downloading the lot & mounting them locally). I've installed 1.2.12
which is the package in the Debian stable release tree, it's on
kernel 2.4.18-586tsc and iptables 1.2.6a. I have an ADSL connection
with a fixed IP and four IPs on top of that gateway one. Currently I
use all four for my wife's, my and the kids' computers and the crucial server
which serves up http, https, smtp, pop3 & ssh and runs ntp to keep time
and whatever it needs for the DNS. At the moment I don't need the
server to do any more but would like to have a new local net behind
the server running samba (as we all have to use M$ sadly) and I'd
like to put more machines in there so I can get linux back in.
I think I'm "firewall-IQ-challenged" so apologies if I'm looking
through answers to these questions somewhere obvious.

1) is the 1.3 tree a development tree and 1.2 the stable? Even if
so, am I right to guess from the development history that I should
still be safe to point my sources.list at:
deb http://security.dsi.unimi.it/~lorenzo/debian ./
and move to the 1.3.8 version?

2) I want to put the firewall in front of some local machines which
will run on a 100Mbs hub and move my www and Email server to a dmz
running off a different interface on the firewall using proxyarp:
I've got the loc zone working with masquerading and everything simple
seems to work fine (no samba yet!).
I have got proxyarp working to some extent except that it seems to
block DNS lookups by the server in the dmz despite the fact that the
same rules allow lookups from the loc zone (with masquerading). That
cripples things but doesn't generate shorewall error messages so I
think I've misunderstood proxyarp. Do I need different subnet masks
on the firewall & server in the dmz? One thing I read seems to say
"yes" another "no".

3) Finally a philosophy issue almost. My reading around firewalling
suggests to me that I'd be safest with:
    all all DROP info
as the only policy and then use explicit rules to allow only exactly
what I want, both outgoing and incoming. Most of the shorewall
examples I have read seem to start with more tolerant policies.
Anyone worked on my paranoid mode and willing to share config examples?

Enough for now. Hoping someone can help.

Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@...
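A worked default-deny layout for the three zones described in the post (net, loc and dmz with a proxyarp'd server), added here as an example; it is not from the post and not one of Shorewall's own sample configurations. It uses the policy and rules column layout of the 1.2/1.3 series, writes the two files into a scratch directory (or SHOREWALL_EXAMPLE_DIR if set) rather than /etc/shorewall so they can be reviewed before use, and the zone names, service list and the 1.2.3.4 DMZ address are assumptions drawn from the post rather than anything the author configured.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a default-deny
# Shorewall policy file and a matching explicit-allow rules file.
# Assumptions: zones net, loc and dmz; the DMZ server offers http, https,
# smtp, pop3 and ssh; the loc zone is masqueraded, the DMZ is proxyarp'd.
set -eu

OUT="${SHOREWALL_EXAMPLE_DIR:-$(mktemp -d)}"
mkdir -p "$OUT"

# One policy line: nothing crosses a zone boundary unless a rule allows it,
# and every dropped packet is logged at level info (kernel log via syslog).
write_policy() {
    cat > "$OUT/policy" <<'EOF'
#SOURCE   DEST    POLICY   LOG LEVEL
all       all     DROP     info
EOF
}

# Explicit allows, one service per line so each can be audited on its own.
write_rules() {
    cat > "$OUT/rules" <<'EOF'
#ACTION  SOURCE  DEST   PROTO  DEST PORT(S)
# Services the DMZ server publishes to the Internet
ACCEPT   net     dmz    tcp    80
ACCEPT   net     dmz    tcp    443
ACCEPT   net     dmz    tcp    25
ACCEPT   net     dmz    tcp    110
ACCEPT   net     dmz    tcp    22
# What the DMZ server itself needs outbound: DNS (udp and tcp), mail
# delivery and NTP. The DMZ host is not masqueraded, so these rules are
# what lets its lookups out under an all/all/DROP policy.
ACCEPT   dmz     net    udp    53
ACCEPT   dmz     net    tcp    53
ACCEPT   dmz     net    tcp    25
ACCEPT   dmz     net    udp    123
# The firewall's own resolver is covered by the fw zone, not by loc or dmz
ACCEPT   fw      net    udp    53
ACCEPT   fw      net    tcp    53
# Local machines: web and DNS to the Internet, mail and ssh to the DMZ box
ACCEPT   loc     net    tcp    80
ACCEPT   loc     net    tcp    443
ACCEPT   loc     net    udp    53
ACCEPT   loc     net    tcp    53
ACCEPT   loc     dmz    tcp    25
ACCEPT   loc     dmz    tcp    110
ACCEPT   loc     dmz    tcp    22
EOF
}

# Helpers used to sanity-check the generated files.
count_accepts() {
    grep -c '^ACCEPT' "$OUT/rules"
}

policy_is_default_deny() {
    grep -q '^all[[:space:]]\{1,\}all[[:space:]]\{1,\}DROP' "$OUT/policy"
}

write_policy
write_rules
echo "wrote $OUT/policy and $OUT/rules ($(count_accepts) explicit allows)"
```

With the single `all all DROP info` policy, anything not listed is dropped and logged by the kernel rather than reported as a Shorewall error, which is worth keeping in mind when a service in the DMZ stops resolving names: the loc zone's lookups ride on masquerading and its own loc-to-net rules, while the proxyarp'd DMZ host only gets out through rules naming dmz as the source, and the firewall's own resolver needs fw-to-net lines as well. Reading the kernel log for the logged drops shows exactly which source zone, destination and port still need a rule.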