Shorewall locks me out (even when stopped) NEWBIE ALERT

In your interfaces file, eth0 should be part of the "net" zone, not "loc".

Also, in your rules file, those should be "ACCEPT net fw …." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc).

See if that helps. You can even comment loc out of the zones file, it's what I do.

Dave

You can also use easier syntax in your rules file. For example, instead of the two lines you have for tcp ports 80 and 443, you can simply specify one rule:

AllowWeb net fw

There are numerous predefined Allow* rules available such as AllowSSH, AllowSMTP, AllowFTP, and so on.

You can also limit access to specific ip addresses. Like this to allow your firewall to access tcp 80 and 443 only on the specified ip address (there's usually no need to allow your firewall to access every possible website as a client):

AllowWeb fw net:123.123.123.123

Even easier: no firewall at all.

Now, before you reply that I'm an idiot, consider the circumstance of the typical linode: it's NOT a gateway protecting other machines, and it's NOT a personal use workstation. It's a standalone server. The ONLY ports that should have a process listening to them are ports for which you specifically configured a server, such as a web server, or a mail server. Any other services should simply be disabled. Any port on which you are running a service, you'll pass through the firewall, right? And any port you'd block, there shouldn't be anything listening anyway, right?

Now, of course there are circumstances and uses for a linode where a firewall can make sense. But for many common uses, a firewall is just an unnecessary complication.

Interesting point. But there are a number of issues with that path.

Given that modern firewalls like shorewall can be configured in just a few minutes and the minimal cpu-usage cost, I think the ROI is easily justified in having a firewall on every server.

1. As shown in my previous post, a firewall can block outgoing traffic as well.

IMHO, it isn't a good idea for servers to be allowed to make outgoing connections to any ip address on any port.

For example, a Debian-based server might be allowed to connect to port 80 of a specific Debian mirror site so it can get updates, but not be allowed any other outgoing connection to other websites.

A server that is allowed to make outgoing connections without any restrictions is open to numerous automated attacks that can easily be prevented simply by restricting outbound connections.

2. A firewall can do things such as blocking requests from invalid ip addresses (for example, 127.0.0.1 or other local ip addresses coming in from the internet is obviously spoofed). It can block invalid tcp packets, bogons, etc. It can provide traffic-shaping so one busy service (http) doesn't prevent other services (ssh) from functioning well.

Given this, it is hard to imagine anyone not running a firewall on a server–especially when it is exposed to the public.

@dmuench:

In your interfaces file, eth0 should be part of the "net" zone, not "loc".

Also, in your rules file, those should be "ACCEPT net fw …." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc).

See if that helps. You can even comment loc out of the zones file, it's what I do.

Dave

Bingo! That fixed it!

Thanks!!!!