From: K <sho...@du...> - 2005-12-09 09:03:29
Hi Peter. First, I'm no expert and may be wrong about this. I run Shorewall but don't remember the specific setup by hand, but: I understand it as you wanting these services accessible from the internet? Then the rules you want are normally "net" to "fw", which you may also have?!?

The problem with limiting outgoing connections from, e.g., the web service on the fw is that port 80 for http is only used for the connection from the client to the server. The server sends information back out on different ports. Maybe some of the macros etc. can be used? I don't know.

The rules you have listed make it possible for the fw to connect to these services on external servers (in the 'net' zone). This will also only have an effect on traffic from the firewall itself, not local machines you may have.

My two cents (or øre, since I'm from Norway),

Kristian.

-----Original Message-----
From: sho...@li... [mailto:sho...@li...] On Behalf Of Petr
Sent: 9 December 2005 09:36
To: sho...@li...
Subject: [Shorewall-users] default deny policy for outgoing traffic

Hi,

I have a standalone web server with Shorewall and want to disable the default 'outgoing accept policy' and implement an 'outgoing deny policy'. I know I need to change this line in the 'policy' file:

    fw      net     ACCEPT

to

    fw      net     DROP

but what do I add to the 'rules' file so as not to kill my server's services? Running on it are:

    www
    sftp
    mail
    sshd

The legal outgoing traffic I can imagine:

    dns
    ping
    ssh
    ntp (time synchronization)

So I think I should add to the 'rules' file:

    #dns
    ACCEPT  fw      net     udp     -       53
    #ntp
    ACCEPT  fw      net     udp     -       123
    #ssh
    ACCEPT  fw      net     tcp     -       22
    #ping
    ACCEPT  fw      net     icmp

Am I right? Did I forget anything? Any ideas?

Thanks,
Petr

_______________________________________________
Shorewall-users mailing list
Sho...@li...
https://lists.sourceforge.net/lists/listinfo/shorewall-users
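The policy and rules fragments below are an added example for this thread; they are neither Petr's nor Kristian's configuration and are not taken from the Shorewall project. They assume the Shorewall 2.x/3.x file layout with only the `fw` and `net` zones from Petr's post, and that the box's mail service also delivers outbound mail. Two things the posted rules miss: in the `rules` file the DEST PORT(S) column comes before SOURCE PORT(S), so `ACCEPT fw net udp - 53` lets the firewall reach any UDP port as long as the packet's source port is 53, rather than permitting DNS lookups; and a mail server under `fw net DROP` can receive mail but never deliver it without an outgoing tcp/25 rule.

```text
# /etc/shorewall/policy (fragment) -- assumed two-zone setup from the post
#SOURCE  DEST  POLICY  LOG LEVEL
# Logging at 'info' makes every outgoing flow you forgot show up in syslog.
fw       net   DROP    info

# /etc/shorewall/rules (fragment)
# Column order: ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)
#
# As posted, '-' lands in DEST PORT(S) and 53 in SOURCE PORT(S):
#ACCEPT  fw    net   udp   -   53
# That allows any destination port as long as the source port is 53.
# Corrected: the port the firewall connects TO goes in DEST PORT(S).
#
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# DNS: UDP for normal lookups, TCP for truncated or large answers
ACCEPT   fw      net   udp    53
ACCEPT   fw      net   tcp    53
# NTP
ACCEPT   fw      net   udp    123
# Outbound ssh/sftp initiated from the server itself
ACCEPT   fw      net   tcp    22
# Ping: echo-request only; the echo-reply is tracked as part of the same flow
ACCEPT   fw      net   icmp   8
# Outgoing SMTP, or the mail service can receive but never deliver
ACCEPT   fw      net   tcp    25
```

Nothing is needed for www, sftp, inbound mail or sshd: those are net-to-fw connections, and Shorewall accepts ESTABLISHED and RELATED packets before consulting the rules and policy files, so the replies a server sends back belong to the client's connection and are never new fw-to-net flows subject to the DROP policy. The fw-to-net rules only cover connections the box itself opens. After editing, run `shorewall check`, restart, and watch the log for dropped fw-to-net attempts; anything else the server initiates (package updates over tcp/80 or 443, for instance) will need its own rule. In Shorewall 3.x the same rules can be written with the bundled macros, e.g. `DNS/ACCEPT fw net` or `Ping/ACCEPT fw net`.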