Shorewall for web server?
Jeffrey Tadlock
linux at elfshadow.net
Mon Dec 26 13:11:29 UTC 2005
Timothy Murphy wrote:
> I have shorewall working perfectly on my little home LAN,
> using the two-interfaces configuration
> (from <http://www.shorewall.net/two-interface.htm>).
>
> Now I'd like to allow access to a web-server (httpd)
> on my shorewall machine - a desktop computer
> connected to the internet through an ADSL modem.
>
> I'm finding this surprisingly difficult;
> I've added the two lines
>
> DNAT net loc:192.168.1.1 tcp 80 - 86.43.71.228
> DNAT net loc:192.168.1.1 tcp www
>
> to the shorewall rules (and re-started shorewall and httpd)
You may not want to run a webserver on your firewall from a security
standpoint, but that aside...
The firewall interfaces are part of the fw zone, not the local zone.
From the Shorewall "Some Things to Keep in Mind" section:
"All IP addresses configured on firewall interfaces are in the $FW (fw)
zone. If 192.168.1.254 is the IP address of your internal interface then
you can write “$FW:192.168.1.254” in a rule but you may not write
“loc:192.168.1.254”. Similarly, it is nonsensical to add 192.168.1.254
to the loc zone using an entry in /etc/shorewall/hosts."
Setting the rule to reflect your firewall zone will probably work.
-J
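As an added example, not code from the thread: a small POSIX shell check that scans a Shorewall rules file for exactly the mistake discussed above, a `loc:` zone qualifier that names an address configured on the firewall itself (which belongs to the `$FW` zone). The rules text and the firewall address list are constructed sample input; on a real box the addresses would come from `ip -4 addr` and the rules from /etc/shorewall/rules.

```shell
#!/bin/sh
# Constructed sample /etc/shorewall/rules content (not from the thread's machine).
# Columns: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
SAMPLE_RULES='#ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
DNAT net loc:192.168.1.1 tcp 80 - 86.43.71.228
DNAT net loc:192.168.1.1 tcp www
DNAT net loc:192.168.1.20 tcp 22
ACCEPT net $FW tcp 80'

# Constructed list of addresses configured on the firewall interfaces (internal + ADSL).
FW_ADDRS="192.168.1.1 86.43.71.228"

# find_loc_fw_rules RULES_TEXT "ADDR ADDR ...":
# prints "<line>: <rule> -> use $FW:<addr>" for every rule whose SOURCE or
# DEST column writes loc:<addr> with <addr> being a firewall-owned address.
find_loc_fw_rules() {
    printf '%s\n' "$1" | awk -v addrs="$2" '
        BEGIN { n = split(addrs, a, " "); for (i = 1; i <= n; i++) fw[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            for (f = 2; f <= 3; f++) {          # SOURCE ($2) and DEST ($3) columns
                if (split($f, z, ":") == 2 && z[1] == "loc" && (z[2] in fw))
                    printf "%d: %s -> use $FW:%s\n", NR, $0, z[2]
            }
        }'
}

# count_loc_fw_rules RULES_TEXT "ADDR ...": number of offending rules.
count_loc_fw_rules() {
    find_loc_fw_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: report the two DNAT lines that target the firewall via "loc:".
find_loc_fw_rules "$SAMPLE_RULES" "$FW_ADDRS"
```

The report points at the zone error only; after changing the zone, `shorewall check` still needs to pass before restarting.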
More information about the fedora-list mailing list