A few questions about Shorewall


#1

Hello,

I have to convert an iptables configuration into NethServer Shorewall rules…

For example:
Two isolated green LANs.
In one LAN, a Windows server that has two shares, an MSSQL server, and a Firebird database.
In the other LAN, a few clients must see the shared folders and access the databases.

It seems there are various ways to do this:

  1. create the “share service” in the “Network Services” module and open it to the private side.

  2. create a firewall “service” object and create specific rules to enable this service.

What is the best way to proceed?

Other question:
I made two CIDR subnets for lan1 and lan2.
When I create a firewall rule lan1 to lan2 with ANY services… what does ANY mean?

  1. any network service present in “Network Services”?
  2. any network service present in “Network Services” and the firewall service objects?
  3. any as in anything?

(Filippo Carletti) #2

  1. create a firewall object (network services are for services running on NethServer)

Any service, i.e. any port (1-65535).
In iptables lingo:
iptables -A FORWARD -s lan1 -d lan2 -j ACCEPT


#3

Sorry, but no!
with the rules:
lan1 to lan2 accept any
lan2 to lan1 accept any

the client on lan1 didn’t see any share on the server :confused:


(Filippo Carletti) #4

Could you please show the output of shorewall show?


#5

I’ll bring this server home tomorrow to do this.

More details here: VLANs not working:


#6

With the iptables configuration files I’ve got…
Everything is closed, and only a few things are open to access the server, to restrict resource access as much as possible… and to protect the virtual private LAN from the public LAN.
Even ICMP is restricted…

I will make:
CIDR objects for the subnets.
host groups for groups of computers, printers and servers.
services, to specify which services I will open/close (ICMP, Windows shares, database ports…)

But there are iptables rules, anti-sniffer and kernel protection, that I don’t have the slightest idea how to implement…
Does NethServer have this sort of rules by default?

Edit: can a client station be in two host groups at the same time?
Unfortunately, I can’t create the firewall objects because it’s not possible to create an empty object :disappointed_relieved:


#7

Finally, I created all my hosts.
Only after that was I able to create the host groups.
I defined a bunch of services like NetBIOS, MSSQL, PostgreSQL…

How to block ICMP?

Is it worth creating a new zone for the server before making each specific rule? Or is it better to leave it in a green zone?


(Filippo Carletti) #8

Not sure, but I think that Shorewall has some protection rules built in.
If you need a closed firewall to a zone, I’d use a green and blue setup, because access from green to blue is open by default (so you only need to close some ports if needed) and blue to green is closed (so you need to open some ports).
For example, a real-case scenario I have: mail server on green, the second network needs to access only mail (no other services, Windows servers, printers etc.), so I connected it to blue and opened only the mail ports (143 and 587).


#9

I’m stuck here; with the search results that don’t work as expected, I can’t go ahead.

I significantly reduced the number of firewall objects using the “ip range” objects, but I can’t go below 10 objects :disappointed_relieved:


#10

I’m creating rules for each group object in a green zone to access specific services on the server in another green zone.

The server doesn’t need to access the internet except for one service, one application (TeamViewer).
If I create a new zone for this server:

  • I will need to do the same as above.
  • I will need to create one specific rule for TeamViewer access to the internet.
    But how to deal with the proxy filter?

(Filippo Carletti) #11

Zones are a “complex” concept; we thought about removing them from the interface because they are rarely needed.
A zone is a network usually behind a router with a custom policy.
Most times, a CIDR object will be enough to create a rule without using zones.


#12

Perhaps a well-detailed article on the wiki :grin: could help a lot.
The possibility of creating a zone can be a good feature… in a specific deployment scenario.

I remember in another thread highlighting the fact that we don’t know exactly, in detail, how the actual zones work.
We know green>blue>orange>red, but with no more details.
What are the exact rules under the hood?
What are the rules between blue and green (reject or drop?)

Ps: there’s a subliminal message in this post :laughing:


#13

Re-read the doc:

The firewall implements two default policies editable from the page Firewall rules -> Configure:

Allowed: all traffic from green to red is allowed
Blocked: all traffic from green to red network is blocked. Specific traffic must be allowed with custom rules.
Firewall policies allow inter-zone traffic accordingly to this schema:

GREEN -> BLUE -> ORANGE -> RED
Traffic is allowed from left to right, blocked from right to left.

But how is it blocked from right to left? I mean, is it DROP or REJECT?


(Filippo Carletti) #14

Most of the block rules are DROP and are logged. See /etc/shorewall/policy for details.
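As an added example (not code from this thread, from NethServer, or from Shorewall), the following Python script makes the behaviour discussed in #2, #8 and #13/#14 concrete: it parses two Shorewall-style files, `rules` and `policy`, and decides a connection the way Shorewall does, consulting `rules` first (first match wins) and falling back to the first matching `policy` line, where `all` is a wildcard and a logged DROP is the usual "blocked" default. It also models Shorewall's documented intra-zone default (traffic inside one zone is accepted unless a policy names that zone as both SOURCE and DEST; `all all` does not cover it). The zone names (loc = green, blue, orang = orange, net = red), the server address 192.0.2.10 and the contents of both sample files are constructed for this example; NethServer's real `/etc/shorewall/policy` and `rules` are generated by its templates and may differ.

```python
# Added example (not NethServer's or Shorewall's code): evaluate a connection
# against Shorewall-style `rules` and `policy` text.  `rules` is consulted
# first (first match wins); otherwise the first matching `policy` line decides,
# `all` being a wildcard.  Intra-zone traffic is ACCEPTed unless a policy names
# the same zone as both SOURCE and DEST (the `all all` line does not cover it).
from dataclasses import dataclass
from typing import Optional

# CONSTRUCTED sample files.  Zone names (loc=green, blue, orang=orange,
# net=red) are assumptions, not the names NethServer's templates generate.
# GREEN -> BLUE -> ORANGE -> RED: left-to-right ACCEPT, everything else a
# logged DROP.
POLICY_FILE = """\
#SOURCE  DEST    POLICY   LOG LEVEL
loc      blue    ACCEPT
loc      orang   ACCEPT
loc      net     ACCEPT
blue     orang   ACCEPT
blue     net     ACCEPT
orang    net     ACCEPT
all      all     DROP     info
"""

# The green/blue setup of #8: blue may reach only IMAP (143) and submission
# (587) on the green mail server (address constructed).
RULES_FILE = """\
#ACTION  SOURCE  DEST              PROTO  DPORT
ACCEPT   blue    loc:192.0.2.10    tcp    143,587
"""


@dataclass(frozen=True)
class Verdict:
    action: str                 # ACCEPT / DROP / REJECT
    source: str                 # "rules", "policy" or "intra-zone"
    log: Optional[str] = None   # syslog level when the policy line logs


def _fields(text):
    """Whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    """[(source, dest, action, log_level_or_None), ...] in file order."""
    return [(f[0], f[1], f[2], f[3] if len(f) > 3 else None) for f in _fields(text)]


def parse_rules(text):
    """[(action, src_zone, dst_zone, dst_addr_or_None, proto, dport), ...]."""
    out = []
    for f in _fields(text):
        proto = f[3] if len(f) > 3 else "-"
        dport = f[4] if len(f) > 4 else "-"
        zone, _, addr = f[2].partition(":")     # "loc:192.0.2.10" -> zone, host
        out.append((f[0], f[1], zone, addr or None, proto, dport))
    return out


def _port_matches(spec, port):
    """DPORT column: "-" = any; else comma list of ports or lo:hi ranges."""
    if spec == "-":
        return True
    if port is None:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decide(src_zone, dst_zone, dst_ip, proto, dport=None, rules=None, policy=None):
    rules = parse_rules(RULES_FILE) if rules is None else rules
    policy = parse_policy(POLICY_FILE) if policy is None else policy
    for action, src, zone, addr, rproto, rport in rules:          # rules first
        if (src in ("all", src_zone) and zone in ("all", dst_zone)
                and (addr is None or addr == dst_ip)
                and rproto in ("-", proto) and _port_matches(rport, dport)):
            return Verdict(action, "rules")
    same_zone = src_zone == dst_zone
    for src, dst, action, log in policy:                          # then policy
        if same_zone and src == dst == src_zone:     # explicit self-policy only
            return Verdict(action, "policy", log)
        if not same_zone and src in ("all", src_zone) and dst in ("all", dst_zone):
            return Verdict(action, "policy", log)
    if same_zone:
        return Verdict("ACCEPT", "intra-zone")
    raise ValueError(f"no policy covers {src_zone} -> {dst_zone}")


if __name__ == "__main__":
    for conn in [("blue", "loc", "192.0.2.10", "tcp", 143),
                 ("blue", "loc", "192.0.2.10", "tcp", 445),
                 ("loc", "blue", "192.0.2.50", "tcp", 445),
                 ("loc", "loc", "192.0.2.10", "tcp", 445)]:
        print(conn, "->", decide(*conn))
```

Reading the output against the thread: blue to the mail server on 143 is accepted by the explicit rule, blue to the same server on 445 (or to any other green host on 143) falls through to the `all all DROP info` policy, so it is dropped and logged rather than rejected, while green to blue is accepted by policy without any rule. To check what a real box does, compare this with `shorewall show` and the generated `/etc/shorewall/policy`, as Filippo suggests.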


#15

You brightened my day :kissing_heart:
Thank you