Beta 9 Firewall Entry


This topic contains 2 replies, has 0 voices, and was last updated by sludgman 11 years ago.

    #41169

    sludgman
    Member

    Howdy,

    I was using BETA 10 with the ALIX Drivers on a CF until you suggested moving back to 9 to get the HTTP Proxy working.

    A few recent power outages messed up the configuration so I reinstalled Beta 9 and am trying to get my firewall back together but no matter what I try, my final drop ANY ANY entry is dropping everything even if there is a previous match before it.

    I should probably note ETH01 is a NAT interface connected to a Comcast Cable Modem and is dynamically assigned an IP address. ETH00 is connected to a Linksys switch, static at 192.168.0.1. The two workstations are 192.168.0.2 and 192.168.0.3.

    For Example HTTP:

    0 0 ACCEPT tcp -- ETH01 ETH00 0.0.0.0 192.168.0.0/24 tcp spt:80
    0 0 ACCEPT tcp -- ETH01 ETH00 0.0.0.0 192.168.0.0/24 state ESTABLISHED tcp spt:80

    And the final entry in the table:

    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 15 LOG flags 0 level 4 prefix `FORWARD/041'
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    From what I remember these entries are identical to the old ones I had in BETA 10 but perhaps someone can point out a fundamental error or just a mistake.

    That is just a small example of what I am looking to accomplish. I have a ton of other entries that match the HTTP one but with other ports, but if we can get this one working I can get the others working.

    Thanks in advance,

    Matt

    #46878

    imported_fulvio
    Participant

    Try these:

    0 0 ACCEPT tcp -- ETH00 ETH01 192.168.0.0/24 0.0.0.0 tcp dpt:80
    0 0 ACCEPT tcp -- ETH01 ETH00 0.0.0.0 192.168.0.0/24 state ESTABLISHED tcp spt:80

    Note dpt:80 instead of spt:80 in the first rule.

    In any case it makes no sense to put two rules for each protocol you would like to enable. You could substitute the second rule with the more generic one:

    0 0 ACCEPT tcp -- ETH01 ETH00 0.0.0.0 192.168.0.0/24 state ESTABLISHED,RELATED

    Regards
    Fulvio

    #46879

    sludgman
    Member

    Well, I had originally tried the rule with TCP 80 and ESTABLISHED in the same entry, but a colleague at work told me it looked like they were ANDing instead of ORing, and that with two separate rules they were ORing. Perhaps you could clarify that for me a bit more; I thought it didn't make sense having 2 lines for 1 protocol either.

    #46880

    sludgman
    Member

    And it would appear I have solved my problem.

    Instead of leaving the Source IP blank and letting it fill in 0.0.0.0/0, I was putting in 0.0.0.0 without a /0. Not sure if it is a syntax error or not, but that seemed to make it work... Perhaps you could explain; if not, no problems.
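As an added example (not part of the thread, and not ZeroShell or iptables code), a small Python model of first-match rule evaluation over the rules discussed above: it shows that a bare 0.0.0.0 is a /32 host match that never fires, so the LOG/DROP catch-all wins, and that the fields within one rule are ANDed while separate rules are tried in turn. Interface names and the 192.168.0.0/24 network come from the posts; the web-server address, ports and traffic are constructed.

```python
# Added example, not ZeroShell or iptables code: a first-match model of this thread's FORWARD rules.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    target: str              # ACCEPT, DROP or LOG (LOG never ends evaluation)
    proto: str = "all"
    in_if: str = "*"         # "*" = any interface, as printed by iptables -L -v
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dpt: int = 0             # 0 = any destination port
    spt: int = 0             # 0 = any source port
    states: frozenset = frozenset()   # empty = no conntrack state match

Packet = namedtuple("Packet", "proto in_if out_if src dst sport dport state")  # + conntrack state

def net(spec):
    # A bare address is a host match with an implicit /32: "0.0.0.0" is only
    # the address 0.0.0.0, while "0.0.0.0/0" covers every IPv4 address.
    return ip_network(spec, strict=False)

def matches(r, p):
    # All fields of one rule are ANDed; separate rules are tried in turn (ORed).
    return ((r.proto == "all" or r.proto == p.proto)
            and r.in_if in ("*", p.in_if) and r.out_if in ("*", p.out_if)
            and ip_address(p.src) in net(r.src) and ip_address(p.dst) in net(r.dst)
            and (not r.dpt or r.dpt == p.dport) and (not r.spt or r.spt == p.sport)
            and (not r.states or p.state in r.states))

def verdict(rules, p):
    """First terminating match wins; LOG only records and falls through."""
    return next((r.target for r in rules if r.target != "LOG" and matches(r, p)), "POLICY")

def http_rules(anywhere):
    """Fulvio's two HTTP rules with the Internet side written as `anywhere`
    ("0.0.0.0" or "0.0.0.0/0"), followed by the poster's LOG + DROP catch-all."""
    return [Rule("ACCEPT", "tcp", "ETH00", "ETH01", "192.168.0.0/24", anywhere, dpt=80),
            Rule("ACCEPT", "tcp", "ETH01", "ETH00", anywhere, "192.168.0.0/24",
                 states=frozenset({"ESTABLISHED", "RELATED"})),
            Rule("LOG"), Rule("DROP")]

# Constructed traffic: workstation 192.168.0.2 fetches a page from a web server
# (203.0.113.10, a documentation address) and the server's reply comes back.
REQUEST = Packet("tcp", "ETH00", "ETH01", "192.168.0.2", "203.0.113.10", 51234, 80, "NEW")
REPLY = Packet("tcp", "ETH01", "ETH00", "203.0.113.10", "192.168.0.2", 80, 51234, "ESTABLISHED")
```

With `anywhere` written as 0.0.0.0 both the request and the reply fall through to DROP; with 0.0.0.0/0 the request hits the dpt:80 rule and the reply hits the ESTABLISHED,RELATED rule.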

