From: Tom E. <te...@sh...> - 2011-08-05 13:09:42

On Fri, 2011-08-05 at 17:28 +1200, tob...@fr... wrote:
> Hello,
>
> I would appreciate any feedback/suggestions on my Shorewall configuration for a standalone laptop Debian Squeeze configuration for ppp0 and wlan0, set out below:
>
> ------------------
> My current system:
> ------------------
> I have successfully configured Shorewall 4.4.11.6 on my standalone Debian Squeeze laptop for a ppp0 (Mobile broadband) connection using GNOME PPP, works great (refer to bottom of this message for 'ip addr show' and 'ip route show' outputs), using the following:
>
> /etc/ppp/ip-up.d/mobile:
> #!/bin/sh
> /sbin/shorewall restart
> (Refer: http://sourceforge.net/mailarchive/message.php?msg_id=19774645 )
>
>
> /etc/shorewall/interfaces:
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 - tcpflags,logmartians,nosmurfs
>
>
> /etc/default/shorewall:
> startup=0
> wait_interface="ppp0"
>
> -----------------------
> What I'm wanting to do:
> -----------------------
> I want to configure Shorewall to work with my ppp0 and wlan0 connections. I will use one or the other connection at a time, but I will only be connecting once the desktop is loaded using Wicd.
>
> I have followed the instructions at http://shorewall.net/Laptop.html , and added the following to:
>
> /etc/shorewall/interfaces:
> net wlan0 detect dhcp,tcpflags,logmartians,nosmurfs
>
> -----------------------------------
> My concerns with the current setup:
> -----------------------------------
> 1. My understanding is that when a connection goes up, shorewall needs to be restarted. I have got that covered for my ppp0 connection in /etc/ppp/ip-up.d/mobile (refer "My current setup" above) but assume I have to do the same with wireless connections by copying:
>
> /etc/ppp/ip-up.d/mobile
> TO:
> /etc/wicd/scripts/postconnect/mobile
>
> (Refer: http://wicd.sourceforge.net/moinmoin/Adding%20pre%20and%20post%20%28dis%29connection%20scripts )
>
> If anyone can confirm or trash my understanding and/or assumption on this I would appreciate it.
>
>
> 2. I have read in passing posts about Shorewall that there is a slight delay between connecting to a network and Shorewall restarting. Is this a significant security issue or is there a way around it?

I suggest that you install and configure Shorewall-init. It will close the firewall before the interfaces come up and will automatically restart Shorewall when interfaces come up.

a) Make both interfaces optional (set the 'optional' option in /etc/shorewall/interfaces).
b) Set REQUIRE_INTERFACE=Yes in shorewall.conf.
c) Configure Shorewall-init as described at http://www.shorewall.net/Shorewall-init.html
d) Remove the 'wait_interface=' setting from /etc/default/shorewall

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
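The four steps in Tom's reply, written out as one script. This is an added illustration, not code from the thread or from the Shorewall project: it rewrites the files the original poster listed (interfaces, shorewall.conf, /etc/default/shorewall) and writes /etc/default/shorewall-init. The ROOT prefix is a hypothetical convenience so the result can be previewed in a scratch directory before touching the live system; the PRODUCTS= and IFUPDOWN= keys are assumed here to be the ones the Debian shorewall-init package's defaults file uses, so check them against the Shorewall-init page Tom links before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): apply steps a)-d) of the reply to a
# configuration tree. Pass a scratch directory as $1 to preview the result;
# with no argument the functions are only defined. Run as root on the live
# system only after previewing.
set -eu

apply_shorewall_init_config() {
    root="${1:-}"
    mkdir -p "$root/etc/shorewall" "$root/etc/default"

    # a) both interfaces 'optional', so Shorewall can start while one (or
    #    both) of them is down and Shorewall-init can re-enable each on ifup
    cat > "$root/etc/shorewall/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           optional,tcpflags,logmartians,nosmurfs
net     wlan0       detect      optional,dhcp,tcpflags,logmartians,nosmurfs
EOF

    # b) REQUIRE_INTERFACE=Yes: Shorewall refuses to start unless at least one
    #    optional interface is up. Replace an existing line or append one.
    conf="$root/etc/shorewall/shorewall.conf"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^REQUIRE_INTERFACE=' "$conf"; then
        sed -i 's/^REQUIRE_INTERFACE=.*/REQUIRE_INTERFACE=Yes/' "$conf"
    else
        echo 'REQUIRE_INTERFACE=Yes' >> "$conf"
    fi

    # c) Shorewall-init: close the firewall early at boot and react to ifup/
    #    ifdown. PRODUCTS= and IFUPDOWN= are assumed to be the keys of the
    #    Debian package's /etc/default/shorewall-init (verify against the
    #    Shorewall-init page linked in the reply).
    cat > "$root/etc/default/shorewall-init" <<'EOF'
PRODUCTS="shorewall"
IFUPDOWN=1
EOF

    # d) drop the wait_interface= workaround; startup= is left exactly as it
    #    was, since the reply does not ask for it to change
    defaults="$root/etc/default/shorewall"
    [ -f "$defaults" ] || : > "$defaults"
    sed -i '/^wait_interface=/d' "$defaults"
}

# Returns 0 only when all four steps are visible in the tree, which is the
# check to run before restarting Shorewall for real.
verify_shorewall_init_config() {
    root="${1:-}"
    grep -q '^net *ppp0 .*optional' "$root/etc/shorewall/interfaces" &&
    grep -q '^net *wlan0 .*optional' "$root/etc/shorewall/interfaces" &&
    grep -q '^REQUIRE_INTERFACE=Yes$' "$root/etc/shorewall/shorewall.conf" &&
    grep -q '^IFUPDOWN=1$' "$root/etc/default/shorewall-init" &&
    ! grep -q '^wait_interface=' "$root/etc/default/shorewall"
}

if [ $# -gt 0 ]; then
    apply_shorewall_init_config "$1"
    verify_shorewall_init_config "$1" && echo "Shorewall-init configuration applied under '$1'"
fi
```

Preview with `sh apply-init.sh /tmp/preview` and inspect the files under /tmp/preview/etc before running it against the real tree. The verify step is there because a missed `optional` on one interface means Shorewall-init will not be able to bring that interface's rules up on ifup, which is exactly the gap the poster's second question is about.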