On 04/03/2016 01:58 AM, Thomas Schneider wrote:
> OK.
>
> In the guide "Configuration Files Tips and Hints" you advise against
> usage of DNS Names.
> I have resolved the DNS names and I understand this article to highlight
> the risk if the provider changes things on their hand.
> However, I don't know how to mitigate this risk with a restrictive
> rule-set in dmz that should only allow access to the update servers.
>
> I have now modified the masq config file accordingly:
> root@pc4-svp:/etc/shorewall# cat masq
> #INTERFACE SOURCE ADDRESS
> UMB_IF 10.0.0.0/24 217.8.50.86
> UMB_IF 10.1.0.0/24 217.8.50.86
>
> However, I believe I should then correct the interfaces config file and set
> proxyarp=0 for zone dmz.
> Would you recommend setting the same options for zone dmz as configured
> for zone loc (adjusting nets=10.1.0.0/24)?
> root@pc4-svp:/etc/shorewall# cat interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net UMB_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
> net UMP_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
> loc INT_IF - dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
> vpn TUN_IF+ - physical=tun+,ignore=1
> dmz DMZ_IF - routeback,proxyarp=1,required,wait=30
>
> After shorewall reset I have started apt update on a different client in
> loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) and collected the attached dump.
> The dump still shows no DNS rules loc->net and dmz->net
>
> By the way:
> When creating the dump file, I get this output indicating an issue with file
> /proc/net/nf_conntrack:
> root@pc4-svp:/home/thomas# shorewall dump > shorewall_dump.txt
> grep: /proc/net/nf_conntrack: Datei oder Verzeichnis nicht gefunden
> This file exists neither on my Debian 8 server nor on my Debian Sid
> notebook.

Install the conntrack package.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
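The risk Thomas describes above (update-server DNS names resolved by hand into a static dmz->net rule set, which silently goes stale or over-permits if the provider changes addresses) is usually handled by re-resolving the names on a schedule and comparing against what the rules hard-code. The following is an added example, not code from this thread or from Shorewall itself; the hostnames and addresses in DRIFT_MAP are constructed placeholders and the live lookup assumes getent is available.

```shell
#!/bin/sh
# Added example: detect drift between IPs hard-coded in Shorewall rules and
# what the corresponding update-server names currently resolve to.

# Pure comparison. $1 = hostname, $2 = space-separated IPs hard-coded in the
# rules, $3 = space-separated IPs the name resolves to now.
# Prints every address present on only one side; returns 1 if any drift.
check_drift() {
    host=$1; configured=$2; resolved=$3; rc=0
    for ip in $resolved; do
        case " $configured " in
            *" $ip "*) ;;
            *) echo "$host: $ip resolves now but is not in the rules"; rc=1 ;;
        esac
    done
    for ip in $configured; do
        case " $resolved " in
            *" $ip "*) ;;
            *) echo "$host: $ip is in the rules but no longer resolves"; rc=1 ;;
        esac
    done
    return $rc
}

# Live lookup (needs network): unique IPv4 addresses for a name, on one line.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Hostname followed by the IPs that were written into the rules when the
# names were last resolved. Constructed placeholder values, not real mirrors.
DRIFT_MAP='
deb.example.net 192.0.2.10 192.0.2.11
security.example.net 198.51.100.5
'

# Walk DRIFT_MAP; exit status 1 means at least one name has drifted, which is
# the cue to re-check the rules before the next shorewall reload.
check_all() {
    rc=0
    while read -r name ips; do
        [ -n "$name" ] || continue
        check_drift "$name" "$ips" "$(resolve_ipv4 "$name")" || rc=1
    done <<EOF
$DRIFT_MAP
EOF
    return $rc
}
```

Run check_all from cron (or before each reload) and treat a non-zero exit as a signal to re-resolve and update the rules rather than editing them blindly.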
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users