I'm a complete novice with shorewall.
I need to allow traffic to/from a specific domain. I don't see any
facility that permits this type of rule.
Specifically I need to allow hamachi traffic through the firewall. I
have a ham0 interface which seems to work, partially. But when I try to
make a hamachi connection to another machine (either incoming or
outgoing) it needs to connect to a hamachi server. That server is
generally bibi.hamachi.cc; but I think that can change so I'd like to
allow all hamachi.cc instead. The ports used at both ends appear to be
arbitrary but the protocol seems to always be udp.
As another example, we use an external service to verify credit cards
before we accept them. This requires connection to that external
service.
So how do you enable this kind of domain specific traffic?
Since I'm new to this, an example would be greatly appreciated.
Thanks,
Frank

rules would be a place to pass/allow that traffic.
> So how do you enable this kind of domain specific traffic?
>
> Since I'm new to this, an example would be greatly appreciated.
http://www.shorewall.net/configuration_file_basics.htm#dnsnames
More documentation found at http://www.shorewall.net/Documentation_Index.html
if you have not installed the shorewall-doc package.

> I need to allow traffic to/from a specific domain. I don't see any
> facility that permits this type of rule.
It can be done, but there is some risk. The firewall code that actually
does the block/pass stuff works on IP addresses, not domain or host
names. That makes your firewall overly dependent on DNS, which can
be the source of a Denial Of Service attack.
> Specifically I need to allow hamachi traffic through the firewall. I
> have a ham0 interface which seems to work, partially. But when I try
> to make a hamachi connection to another machine (either incoming or
> outgoing) it needs to connect to a hamachi server. That server is
> generally bibi.hamachi.cc; but I think that can change so I'd like to
> allow all hamachi.cc instead.
[compton ~]$ host bibi.hamachi.cc
bibi.hamachi.cc is a nickname for hamachi.frontend.logmein.com.akadns.net
hamachi.frontend.logmein.com.akadns.net has address 69.25.21.223
[compton ~]$ host 69.25.21.223
223.21.25.69.IN-ADDR.ARPA domain name pointer ssl-03.hamachi.cc
223.21.25.69.IN-ADDR.ARPA domain name pointer ssl-04.hamachi.cc
223.21.25.69.IN-ADDR.ARPA domain name pointer bravo.hamachi.cc
[compton ~]$ arinwhois 69.25.21.223
[whois.arin.net]
Internap Network Services Corporation PNAP-12-2002 (NET-69-25-0-0-1)
69.25.0.0 - 69.25.255.255
LOGMEIN, INC. INAP-WDC002-LOGMEIN-15117 (NET-69-25-20-0-1)
69.25.20.0 - 69.25.21.255
# ARIN WHOIS database, last updated 2009-05-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[compton ~]$
See a little consistency problem? You have a further problem in
that 'cc' (Cocos (Keeling) Island in the Indian Ocean about 1000 miles
or 1700 km Southwest of Singapore) is a "vanity" domain that allows
use of the domain name from elsewhere because there is no Internet in
that "country". So, where is hamachi.cc? Currently, Woburn, Mass.,
USA, although they have _other_ IP space in Los Angeles and the UK.
Old guy
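The DNS dependence the last reply warns about, shown as an added example that is not code from this thread or from Shorewall: a small Python check that records what the names in a rules file resolved to when the ruleset was compiled and flags when DNS later disagrees, which is when a `shorewall reload` (or a switch to the provider's netblock) is due. The rules excerpt, the resolver tables and the 198.51.100.7 address are constructed; only 69.25.21.223 comes from the thread.

```python
"""Catch Shorewall rules that name a host by DNS but have gone stale: Shorewall resolves
names only when the ruleset is compiled, so a later DNS change silently breaks the rule."""
import ipaddress
from typing import Callable, Dict, Set, Tuple
# Constructed excerpt of an /etc/shorewall/rules file (hypothetical entries).
SAMPLE_RULES = """\
#ACTION  SOURCE               DEST                 PROTO  DEST PORT(S)
ACCEPT   net:bibi.hamachi.cc  fw                   udp
ACCEPT   fw                   net:bibi.hamachi.cc  udp
ACCEPT   loc                  net:203.0.113.10     tcp    443
"""
Resolver = Callable[[str], Set[str]]  # name -> current set of addresses

def dns_names_in_rules(rules_text: str) -> Set[str]:
    """Host names in zone:host columns; literal IPs, ipsets (+), MACs (~) are skipped."""
    names = set()
    for line in rules_text.splitlines():
        for field in line.split("#", 1)[0].split():
            host = field.split(":", 1)[1] if ":" in field else ""
            if not host or host[0] in "+~!":  # plain zone, ipset, MAC or exclusion
                continue
            try:
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                names.add(host)  # not an address, so Shorewall would have to resolve it
    return names

def snapshot(rules_text: str, resolve: Resolver) -> Dict[str, Set[str]]:
    """Record what each name resolved to when the ruleset was loaded."""
    return {name: resolve(name) for name in dns_names_in_rules(rules_text)}

def stale_names(loaded: Dict[str, Set[str]], resolve: Resolver) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Names whose current answers differ from the loaded ones: {name: (loaded, now)}."""
    return {name: (old, now) for name, old in loaded.items() if (now := resolve(name)) != old}

def make_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Stand-in for real DNS lookups so the example runs offline."""
    return lambda name: set(table.get(name, set()))

# Constructed answers: 69.25.21.223 is the address shown in the thread;
# 198.51.100.7 is a made-up later answer (RFC 5737 documentation range).
DNS_AT_START = {"bibi.hamachi.cc": {"69.25.21.223"}}
DNS_LATER = {"bibi.hamachi.cc": {"69.25.21.223", "198.51.100.7"}}

if __name__ == "__main__":
    loaded = snapshot(SAMPLE_RULES, make_resolver(DNS_AT_START))
    for name, (old, now) in stale_names(loaded, make_resolver(DNS_LATER)).items():
        print(f"{name}: rules compiled for {sorted(old)}, DNS now says {sorted(now)};"
              " run 'shorewall reload' or switch the rule to the provider's netblock")
```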