I have to convert an iptables configuration into Nethserver shorewall rules…
For example:
Two isolated green LANs,
In one LAN, a Windows server that has two shares, an MSSQL server, and a Firebird database.
In the other LAN, a few clients must see the shared folders and access the databases.
It seems there are various ways to do this:
create the “share service” in the “Network Services” module and open it to the private side.
create a firewall “service” object and create specific rules to enable this service.
What is the best way to proceed?
Another question:
I’ve made two CIDR subnets for lan1 and lan2.
When I create a firewall rule lan1 to lan2 with ANY service… What does ANY mean?
any network service present in “Network Services”?
any network service present in “Network Services” and the firewall service objects?
With the iptables configuration files I’ve got…
Everything is closed, and only a few things are open to access the server, to restrict resource access as much as possible… and to protect the virtual private LAN from the public LAN.
Even icmp is restricted…
I will make
CIDR objects for subnets.
host groups for bunches of computers, printers and servers.
services, to specify which service I will open/close (ICMP, Windows shares, database ports…)
But there are iptables rules, anti-sniffer and kernel protection rules, which I don’t have the slightest idea how to implement…
Does Nethserver have this sort of rules by default?
Edit: can a client station be in two host groups at the same time?
Unfortunately, I can’t create the firewall objects because it’s not possible to create an empty object.
Finally, I created all my hosts.
Only after that was I able to create the host groups.
I defined a bunch of services like NetBIOS, MSSQL, PostgreSQL…
How to block ICMP?
Is it worth creating a new zone for the server before making each specific rule? Or is it better to leave it in a green zone?
Not sure, but I think that shorewall has some protection rules built-in.
If you need a closed firewall to a zone, I’d use a green and blue setup, because access from green to blue is open by default (so you only need to close some ports if needed) and blue to green is closed (so you need to open some ports).
For example, a real case scenario I have: mail server on green, second network need to access only mail (no other services, windows servers, printers etc), so I connected it to the blue and opened only mail ports (143 and 587).
Zones are a “complex” concept; we thought about removing them from the interface because they are rarely needed.
A zone is a network usually behind a router with a custom policy.
Most times, a cidr object will be enough to create a rule without using zones.
Perhaps a well-detailed article on the wiki could help a lot.
The possibility to create a zone can be a good feature… In a specific deployment scenario.
I remember highlighting in another thread the fact that we don’t know exactly, in detail, how the actual zones work.
We know green>blue>orange>red but with no more details.
What are the exact rules under the hood?
What are the rules between blue and green (reject or drop?)
The firewall implements two default policies editable from the page Firewall rules → Configure:
Allowed: all traffic from green to red is allowed
Blocked: all traffic from green to red network is blocked. Specific traffic must be allowed with custom rules.
Firewall policies allow inter-zone traffic according to this schema:
GREEN → BLUE → ORANGE → RED
Traffic is allowed from left to right, blocked from right to left.
But how is it blocked from right to left? I mean, is it DROP or REJECT?
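To make the green/blue setup from the earlier reply (mail server on green, a second network on blue allowed only to ports 143 and 587) and the left-to-right zone policy concrete, here is the same thing written by hand in Shorewall's own file syntax. This is an added illustration, not a post from this thread and not the configuration NethServer itself generates; the interface names (eth1, eth2) and the mail server address (192.0.2.10) are assumptions for the example. The DROP-versus-REJECT question asked above is exactly the POLICY column of the blue → green line: the word put there decides whether blocked packets are silently discarded or answered with an ICMP error / TCP RST.

```conf
# /etc/shorewall/zones -- the firewall itself plus the two internal networks
#ZONE   TYPE
fw      firewall
green   ipv4
blue    ipv4

# /etc/shorewall/interfaces -- eth1/eth2 are assumed for this example
#ZONE   INTERFACE   BROADCAST   OPTIONS
green   eth1        detect
blue    eth2        detect

# /etc/shorewall/policy -- consulted only when no rule below matches;
# first matching line wins, so the catch-all goes last.
# green -> blue is open (left to right in GREEN -> BLUE order),
# blue -> green is closed. REJECT answers with ICMP/RST, DROP stays silent;
# swap the word on the blue->green line to get the other behaviour.
#SOURCE   DEST    POLICY   LOG_LEVEL
fw        all     ACCEPT
green     fw      ACCEPT
green     blue    ACCEPT
blue      green   REJECT   info
blue      fw      REJECT   info
all       all     REJECT   info

# /etc/shorewall/rules -- exceptions checked before the policy.
# Only IMAP (143) and submission (587) to the assumed mail server 192.0.2.10
# are opened from blue; everything else from blue to green hits the policy.
#ACTION   SOURCE   DEST                PROTO   DPORT
ACCEPT    blue     green:192.0.2.10    tcp     143,587
```

Run `shorewall check` before `shorewall restart` to validate the files, and `shorewall show policies` to see the effective policy matrix. The practical difference between the two blocking policies is easy to observe from a blue host: with REJECT, `nc -vz -w 3 192.0.2.10 445` fails immediately with "connection refused", while with DROP the same command hangs until the 3 second timeout, because nothing is sent back.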