Hi friends

OK no matter how much i read about shorewall i cant understand it. Here is the senario:

I got two mandrake boxes in a LAN. One is connected to internet via ADSL (i got two network cards in that box).

On the box connected to internet i got shorewall watching the doors.

A couple of months ago i used Webmin to configure shorewall so i could communicate via NFS and it have worked well since then. Until yesterday when i used the "Mandrake wizard" to open another port and it totaly destoyed my nice configuration.

Ofcourse i cant remember the settings i have made (and its not the first time i made the misstake to use the wizard...)

I am the only one using both computers do i really need to have a firewall "between" both computers? It should really save me some google time to have the gates totaly open between the computers. I mean all traffic to the "dangerous" internet passes through the firewall anyway

How do i open the firewall so both computers could freely communicate? Is that done with a policy?

Regards
Klas

Provided you are the only user on both machines, it is debatable whether you need to firewall between them. On one hand, one of the machines is on the Internet, and therefore subject to possible cracking. If someone rooted your Internet enabled machine, without a firewall on the other machine they would own both machines fairly easily. However, as long as you do your level best to secure the Internet enabled machine your odds are pretty low of being rooted, so it s a security vs. convenience issue.

It is not a policy that you need to create full access between machines, but a couple of well written rules. Assuming your ip's are 192.168.0.1 and 192.168.0.2 the following would do it.

These go into the firewall on the machine with 0.1 as its internal IP
iptables -A INPUT -s 192.168.0.2 -p ALL -j ACCEPT
iptables -A OUTPUT -d 192.168.0.2 -p ALL -j ACCEPT

Or you could do it by interface name

iptables -A INPUT -i eth1 -p ALL -j ACCEPT
iptables -A OUTPUT -o eth1 -p ALL -j ACCEPT

On the internal machine you can simply turn off the firewall entirely.

It's early here so if anyone spots a mistake or has a better method, pipe up..;-)

Thanks for reply

Your ideas seems very smart (i checked the man page and i think i understand the meaning), but i have a feeling of that mandrakes "preconfiguredspecialstrangepolicy" settings is messing with me. It would be nice to kick out the wizards and take control. I belive knowledge is the best security.

Mayby you could recomend some nice gui wich is a bit more intuitive then webmins shorewall.

Bye the way i tried your settings and ofcourse it didnt work in my messy firewall

Thanks again
Klas

Klas:
You say you have Mandrake with two ethercards.
One for internet, and one for internal.
I am trying to get a similar setup working. Mandrake 10.0
Both my ethernet cards are the same make and model (SMC 1244TX).
I am having a lot of trouble getting both recognized by the kernel at load time. It looks like default tulip.ko cannot handle two cards.
Since you have this setup working any suggestions?
(Mandrake H/W wizard sees both cards on the PCI bus).
Thanks, Greg

I used the Drakgw wizard (mandrake contolcentral) to configure my shared internet. I have two diffrent network cards so i didnt have your problem.

I suggest you ask the proffesionals in the Hardware LQ forum, i am sure they can help you.

Good luck

Klas

I tried many different GUI's for iptables until realizing there is no good GUI for iptables. The best way to do Linux firewalling IMO is to read the how-to's, and write a firewall script by hand. It sounds harder than it is. Remember the golden rule of iptables: write a rule, test a rule, write another rule, test again. Repeat.

You can try Guarddog or any of the other iptables GUI's if you want, but don't expect miracles. The only way to get the job done right is to do it yourself.

Thanks for your suggestions

Ill try guarddog and dig a bit deeper in the iptables howtos at the same time, you guys will probably hear more from me in the future

Regards Klas