Dansguardian port forwarding 80 to 8081

[gadget]

LMCE has a requirement for it to be the "gateway" , which in my opinion is not the primary function of the home entertainment/automation server. The fact that it is requires 2 NIC's it complicates getting new people starting out with LMCE. If it is going to be the firewall then it needs to be more  configurable than it currently is. 

We don't need to be discussing what the reasoning for implementing a good firewall is, I just want something that is configurable. LMCE needs to improve it's firewall , or take a step back and remove the requirement for it to be the gateway.

gadget

[tschak909]

Well,

Since you HAPPEN to know what that is, perhaps you could help us implement it?

-Thom

[gadget]

Hi Thom,

I will give it a go , but won't have much time to allocate to doing it untill late september as i have some projects going on at work at the moment.
I am also assuming that by implementing  it you would like LMCE to be the gateway and not to remove the 2 NIC requirement.

gadget

[tschak909]

correct, unless you happen to know how to retain all the functionality we provide entirely on one NIC.

-Thom

[schaferj]

I'd also like for our OP to share his information and then invite comments about other ideas in this thread.

A singe nic server is possible, but it would add a lot of complexity.  LinuxMCE is currently designed to be a gateway and this is probably the simplest design for the LinuxMCE functionality.  Perhaps someone else can sketch out how to remove the gateway requirement, but it just seems like it would be a kludge.

So, since our core IS, in fact, a gateway, it seems reasonable that requirements (or at least desires) for typical gateway functionality is at least not absurd.  Several *nix distros have millions of fans and their main purpose is to be a good gateway.

merker2k's recent addition of a simple way to review dhcp leases from the web admin is a great step in the right direction, i think.  Another quick step may be a simple interface to our firewall to make it more flexible.   Further along the path towards robust gateway functionality may be IPS (snort), proxy, content filtering, AV, etc.  (I have share a solution before that adds another firewall behind the core.)

And we're all aware both that LinuxMCE is enormously complex and that developer resources and interests are limited.  As our developers continue to de-appliance-ize from our Pluto heritage, perhaps the use (and incorporation) of standard (sysadmin) packages with LinuxMCE will be more straightforward and offer less interference.

Also, I understand that non-standard changes to the core adds complexity,  breaks things, and generates confusing forum traffic.  And so it's helpful if these are documented well.  But it also seems that one change at the server is simpler than changes at every client.

My observation is simply that our Core is a gateway and to invite discussion of those inherent requirements.

thoughts?
joseph

[tschak909]

I want to make something _VERY_ clear...

We are continuing in the direction of making this system an Appliance. This is the right direction, givn the feature scope of the project.

Sorry, no arguments, or negotiations there. If you want another direction, then roll up your sleeves and make it happen.

-Thom

[dlewis]

Also, I understand that non-standard changes to the core adds complexity,  breaks things, and generates confusing forum traffic.  And so it's helpful if these are documented well.

niz23 has been working with doxygen to get the code base documented for new developers. We're discussing creating a site such as 'doxygen.linuxmce.org' in order to provide a place to have the code documented... We will provide an update once further discussion occurs.

[schaferj]

dlewis, much thanks.  it is very impressive how much progress we are making on so many fronts!

Thom, we may be agreeing.  ;-)   LinuxMCE system is appliance-like, self-configuring, etc.   And the distinction I was trying to make is that it will be less intertwined with a custom distribution-appliance ala pluto-home.    pluto was deeply entangled with the underlying operating system which made it harder to maintain and expand (it had a different audience). 

http://wiki.linuxmce.org/index.php/History

My understanding, and please correct any misunderstanding, is that our target that linuxmce is a standard desktop option distributed as part of kubuntu (and other distros).   So, lmce can install on a standard distro (it does now - pluto didn't) and play nice with other standard packages and systems - including some that allow us to leverage existing sysadmin tools without breaking lmce.

I'm not trying to argue but I do want to understand.  Do I?

thanks,
joseph

[dlewis]

schaferj, we're all familiar with the pluto-home history... Some of the devs were around when pluto was still around.

[tschak909]

It's very difficult to decouple things from the underlying distribution... Right now, we are focusing on our kubuntu under-pinnings.

-Thom

[schaferj]

Team,

My hat is off to all the devs - including those that brought deep and invaluable knowledge from pluto and without whom we wouldn't have the progress we enjoy today.  And to all who contribute their talents and time.  I remember pluto and acknowledge our history simply to clarify my understanding of our direction.

It's extremely hard to decouple and understand that it's not always a top priority.  And progress will allow us to focus on lmce functionality and let the distro give us a great os and complementary tools that we can leverage.

And in a nod to the original topic, I'd like to leverage dansguardian (& other complementary gw functionality).   ;-)

thanks again,
joseph

[anupindi007]

sorry guys for delay in replying..  Please find shorewall.conf file details.

-->
##############################################################################
#  /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
#  match your setup
#
#  This program is under GPL
#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002,2003,2004,2005,
#      2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Additional information is available at
#  http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
#             S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                    V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################

SHOREWALL_COMPILER=

###############################################################################
#                L O G G I N G
###############################################################################

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################
#   L O C A T I O N     O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=""

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
#      D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
#         F I R E W A L L     O P T I O N S
###############################################################################

##anupindi007 changed = On ##IP_FORWARDING=Keep
IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=Yes

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=0

EXPORTPARAMS=Yes

EXPAND_POLICIES=Yes

KEEP_RT_TABLES=No

DELETE_THEN_ADD=Yes

MULTICAST=No

DONT_LOAD=

###############################################################################
#         P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
<--

/etc/shorewall/interfaces file looks like:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net eth0 detect dhcp,tcpflags
loc eth1 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/rules file looks like:
#SECTION RELATED
SECTION NEW
ACCEPT net fw tcp 88
ACCEPT loc net tcp 80
REDIRECT loc 8081 tcp www
ACCEPT net fw tcp 22
ACCEPT loc fw tcp 22
ACCEPT net fw icmp
ACCEPT loc loc icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE


/etc/shorewall/masq files looks like:
#INTERFACE      SOURCE      ADDRESS      PROTO   PORT(S)   IPSEC   MARK
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE


/etc/shorewall/policy file looks like:
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                  LEVEL
loc all ACCEPT
net all DROP
fw all ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zone file looks like:
#ZONE   TYPE      OPTIONS      IN         OUT
#               OPTIONS         OPTIONS
fw   firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Please let me know if you required dansgaurdian.conf and tinyproxy.conf files too.
Thanks,
anupindi007

[wierdbeard65]

Thanks for posting this!

I have Dan's guardian set up (I've actually partnered it with Squid and a virus sweeper called HavP) but seeing your config files wouldn't hurt if anyone is having trouble getting all this to play nicely.

Has the shorewall installation affected the MCE install at all? (I.e. as far as you know, has anything been broken?)

Assuming I can duplicate your success, I'll put it on the Wiki (unless someone else gets there first! )

[anupindi007]

Hi,
I haven't tested with Squid but I have configured shorewall and shorewall is working well with MCE with out any problems.   But Yesterday I had issues with RAID(broken) I don't think shorewall is anything to do with RAID(mdadm - I have already posted details too).  I will post the rest dansguardian.conf and tinyproxy.conf files too and I appreciate if you test from your end before posting in wiki.


Please go through the draft dansgaurdian installation steps at wiki:
http://en.wikipedia.org/wiki/User:Anupindi007

Thanks,
Srinivas

[colinjones]

anupindi - please, for small snippets use a [ code ] block, for large ones use pastebin.com