Re: [Shorewall-users] Close ALL PORT

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

2012/10/24 Simon Hobson <li...@th...>

> I.S.C. William wrote:
>
> >For it is exactly what I want, block all access to the local network
> >(loc) to internet (net) and similar as net2loc, that only can select
> >that port open.
> >
> >You say that I need one more rule, I could mention that but I need
> >to accomplish this?
>
> You need to take a step back. It's not enough to talk about blocking
> traffic TO a zone, all policies apply to traffic FROM one zone TO
> another zone. These zones are the first and second columns of the
> policy file.
>
> I'd suggest you should make a full list of all the zone-zone
> combinations like this :
>
> fw   loc
> fw   net
> fw   vpn
>
> loc  fw
> loc  loc
> loc  net
> loc  vpn
>
> net  fw
> net  loc
> net  vpn
>
> vpn  fw
> vpn  loc
> vpn  net
>
> all  all
>
> I've included loc-loc, that's only needed if you have more than one
> network in your loc zone and the firewall is passing traffic between
> them. All-all is a 'catch all' for anything not more explicitly
> listed.
>
> Against each combination, decide whether you want to allow traffic
> (ACCEPT), or block it (DROP or REJECT). The difference between DROP
> and REJECT is that DROP will silently discard the packet, while
> REJECT will reply to the packet (an ICMP response I think, but that
> could be wrong).
> It's common to use REJECT for outbound traffic (any->net, so your
> internal clients "fail" quickly rather than doing nothing for a while
> and then failing), and DROP for inbound traffic (net->any, so an
> attacker just gets no response to probes).
>
> Once you've decided on the policy, only then do you think about
> rules. The POLICY applies to all traffic between the two zones which
> isn't mentioned in a RULE, rules apply to specific traffic with more
> detailed criteria.
>
>
> If you have an ACCEPT policy, then all traffic is allowed unless you
> have a rule which blocks it. Eg, if you generally want outbound
> traffic allowed (policy - loc  net  ACCEPT), but wanted to prevent
> SMTP traffic that didn't come from your internal firewall, you might
> add the RULEs :
> SMTP/ACCEPT  loc:<mail server ip>  net
> SMTP/REJECT  loc                   net
>
> These rules explicitly allow mail from your mail server (so it's not
> caught by the next rule), and then reject anything else.
>
>
> If you have a REJECT or DROP policy, then you'll need rules to allow
> all traffic you want to allow. So for the same mail, you'd just need
> one RULE :
> SMTP/ACCEPT  loc:<mail server ip>  net
>
>
Excellent explanation ... thank you very much ...

Greetings!