Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Thu Apr 14, 2005 9:15 pm

big_D wrote:
> I've followed your tutorial - Shorewall seems to start up fine, with no errors, thanks.
> I'm probably missing something really obvious, but when I visit your link to check the firewall all the ports (bar 21, 23 & 80) are closed rather than stealthed.
> I've set /etc/shorewall/policy as you indicated - where else should I look for info?

Could you post your policy and rules files, I'm sure it's something simple. Don't post the whole thing, just the tail end of the file (the same part I posted in the tutorial).
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

big_D n00b
Joined: 14 Apr 2005 Posts: 40 Location: UK
Posted: Thu Apr 14, 2005 9:34 pm

Here you go:
Code:
    ###############################################################################
    #SOURCE   DEST   POLICY   LOG      LIMIT:BURST
    #                        LEVEL
    net       all    DROP     info
    all       all    DROP     info
    #LAST LINE -- DO NOT REMOVE
Code:
    #ACTION  SOURCE  DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
    #                             PORT   PORT(S)  DEST      LIMIT  GROUP
    ACCEPT   fw      net   tcp    80     #http
    ACCEPT   fw      net   udp    80     #http
    ACCEPT   fw      net   tcp    443    #https
    ACCEPT   fw      net   udp    443    #https
    ACCEPT   fw      net   tcp    21     #ftp
    ACCEPT   fw      net   tcp    53     #DNS
    ACCEPT   fw      net   udp    53     #DNS
    ACCEPT   fw      net   tcp    110    #unsecure Pop3
    ACCEPT   fw      net   tcp    995    #Secure Pop3
    ACCEPT   fw      net   tcp    873    #rsync
    ACCEPT   fw      net   tcp    25     #Unsecure SMTP
    ACCEPT   fw      net   tcp    465    #SMTP over SSL
    ACCEPT   fw      net   tcp    5190   #AIM/ICQ
    DROP     fw      net   tcp    113    #AUTH/IDENT
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The DROP instruction in the last line of the policy was a bit of desperation - it has been set at REJECT previously.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Thu Apr 14, 2005 9:52 pm

Is this computer connected directly to the internet, or are you behind a firewall/router appliance?
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

big_D n00b
Joined: 14 Apr 2005 Posts: 40 Location: UK
Posted: Thu Apr 14, 2005 9:58 pm

It's behind a combined router & modem.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Thu Apr 14, 2005 11:08 pm

big_D wrote:
> It's behind a combined router & modem.

If that's the case, then the portscan is stopping at your router/modem, and you'll need to configure that if you want a stealthed firewall.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

big_D n00b
Joined: 14 Apr 2005 Posts: 40 Location: UK
Posted: Thu Apr 14, 2005 11:30 pm

I told you it was something really obvious!
It's sorted now, thanks for your help.

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Thu Apr 14, 2005 11:36 pm

big_D wrote:
> I told you it was something really obvious!
> It's sorted now, thanks for your help.

Sure thing. The tutorial is really designed for people who are connected directly to a lan or modem. If you are behind a router/firewall appliance, then you can use shorewall as a second line of defense, but configuring your router firewall should be your first.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

arthurdent n00b
Joined: 19 Feb 2005 Posts: 24
Posted: Sat Apr 16, 2005 4:46 pm

Hi Sith,
Thanks for a most fantastic tutorial. I have been using Fedora Core for a couple of years now and I recently decided to try Gentoo to take my level of Linux understanding up a notch. Whilst I am reasonably PC-savvy I know absolutely nothing about networking so the idea of having to create my own firewall scared the bejasus out of me (Fedora does it all for you). Your tutorial rescued me and made the whole thing a breeze. Thank you!
I do have one question however. When I pop in an audio CD, my apps (e.g. gnome-cd-player) can't access the CDDB servers to display CD information (artist, title, tracks etc.). How do I set up Shorewall to allow them access to the servers? (Remember I am a networking dunce).
Thanks for a great resource.
Mark

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Sat Apr 16, 2005 4:59 pm

Check what port is used by CDDB (can be 888, 8880 or anything else really) and then open that port just as you have opened all the rest. You should be able to check the port in the app itself or in the config file for it.
_________________
Gentoo Unanswered Questions- Give it a try!

arthurdent n00b
Joined: 19 Feb 2005 Posts: 24
Posted: Sat Apr 16, 2005 5:06 pm

I'd already tried both 888 and 8880 but neither of them seemed to work.
Do I need to stop and restart Shorewall after making changes to /etc/shorewall/rules? (because I didn't do that - I just edited the rules file and then re-tried the CD Player).
Mark
Edit: I've added both ports 888 and 8880 to /etc/shorewall/rules and stopped and restarted shorewall. Still no joy.

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Sat Apr 16, 2005 9:05 pm

Yes, you need to restart the Shorewall and flush all the rules. One way to do it is to reboot your PC. Second is this:
Code:
    /etc/init.d/shorewall stop
    /etc/init.d/shorewall clear
    /etc/init.d/shorewall start
This will stop the firewall, flush the current rules, start the firewall with the new rules.
Here is a simple test, run this:
Code:
    /etc/init.d/shorewall stop
    /etc/init.d/shorewall clear
Then try to query the CDDB. If it works, look at the rules set - there must be a mistake somewhere. Then start the firewall.
Code:
    /etc/init.d/shorewall start
If after stopping and flushing rules, you still couldn't connect to CDDB - then the problem is not with Shorewall.
_________________
Gentoo Unanswered Questions- Give it a try!

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Sun Apr 17, 2005 3:39 am

arthurdent wrote:
> Edit: I've added both ports 888 and 8880 to /etc/shorewall/rules and stopped and restarted shorewall. Still no joy.

Show me the entries to your rules file, it could be you have the set up backwards (i.e. source net, dest. fw).
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

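A small audit of the kind of policy/rules tail big_D posted earlier in the thread, written to catch the mistake Sith_Happens asks about just above (a rule with SOURCE net and DEST fw, i.e. an inbound ACCEPT that overrides the net-to-all DROP policy). This is an added example, not code from the thread or from the Shorewall project; the two sample files are constructed from big_D's post, the parser only handles the columns those files use, and the zone name fw is assumed to be the firewall zone as in the tutorial.

```python
"""Audit the tail of Shorewall's policy and rules files for inbound exposure.

Added example; not code from the thread or from the Shorewall project.
It reads the column formats exactly as big_D posted them (ACTION SOURCE
DEST PROTO DEST-PORT for rules, SOURCE DEST POLICY for policy) and flags
any ACCEPT whose SOURCE is net and DEST is the firewall zone.
"""
from dataclasses import dataclass

# Constructed sample: the policy tail big_D posted.
POLICY_FILE = """\
#SOURCE   DEST   POLICY   LOG      LIMIT:BURST
#                        LEVEL
net       all    DROP     info
all       all    DROP     info
#LAST LINE -- DO NOT REMOVE
"""

# Constructed sample: the rules tail big_D posted.
RULES_FILE = """\
#ACTION  SOURCE  DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
#                             PORT   PORT(S)  DEST      LIMIT  GROUP
ACCEPT   fw      net   tcp    80     #http
ACCEPT   fw      net   udp    80     #http
ACCEPT   fw      net   tcp    443    #https
ACCEPT   fw      net   udp    443    #https
ACCEPT   fw      net   tcp    21     #ftp
ACCEPT   fw      net   tcp    53     #DNS
ACCEPT   fw      net   udp    53     #DNS
ACCEPT   fw      net   tcp    110    #unsecure Pop3
ACCEPT   fw      net   tcp    995    #Secure Pop3
ACCEPT   fw      net   tcp    873    #rsync
ACCEPT   fw      net   tcp    25     #Unsecure SMTP
ACCEPT   fw      net   tcp    465    #SMTP over SSL
ACCEPT   fw      net   tcp    5190   #AIM/ICQ
DROP     fw      net   tcp    113    #AUTH/IDENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str


def columns(text):
    """Yield the whitespace-separated columns of each non-comment line,
    dropping trailing '#...' comments the way Shorewall does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_rules(text):
    rules = []
    for cols in columns(text):
        cols = cols + ["-"] * (5 - len(cols))  # PROTO / DEST PORT may be absent
        rules.append(Rule(cols[0].upper(), cols[1], cols[2], cols[3].lower(), cols[4]))
    return rules


def parse_policy(text):
    return [(c[0], c[1], c[2].upper()) for c in columns(text)]


def lookup_policy(policies, source, dest):
    """Shorewall uses the first policy line whose SOURCE and DEST match;
    'all' matches any zone."""
    for src, dst, pol in policies:
        if src in (source, "all") and dst in (dest, "all"):
            return pol
    return None


def findings(policy_text, rules_text, fw="fw"):
    """Human-readable list of rules that open the firewall to the net zone."""
    policies = parse_policy(policy_text)
    out = []
    for r in parse_rules(rules_text):
        if r.action == "ACCEPT" and r.source == "net" and r.dest == fw:
            pol = lookup_policy(policies, r.source, r.dest)
            out.append(f"inbound ACCEPT net->{fw} {r.proto}/{r.dport} overrides "
                       f"policy {pol}: intended, or are SOURCE/DEST swapped?")
    return out


if __name__ == "__main__":
    print("as posted:", findings(POLICY_FILE, RULES_FILE) or "no inbound ACCEPT rules")
    # Constructed extra line with the columns the wrong way round.
    swapped = RULES_FILE + "ACCEPT   net     fw    tcp    22     #sshd (constructed)\n"
    for line in findings(POLICY_FILE, swapped):
        print("with a swapped rule:", line)
```

Run against the files as posted it reports nothing, because every ACCEPT is fw-to-net (outbound) and the policy already drops net-to-fw; the same check on a rules file with a net/fw line prints the port that the policy's DROP no longer covers.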
A.S. Pushkin Apprentice
Joined: 09 Nov 2002 Posts: 196 Location: dx/dt, dy/dt, dz/dt, t
Posted: Sun Apr 17, 2005 5:27 am Post subject: Deception Tool Kit

I, too, find shorewall very nice. I originally thought to use iptables, or even knetfilter or firestarter, but found all of these very complex, due, no doubt, to my lack of knowledge in this area.
I may attempt to use DTK in conjunction with shorewall and offer more confusion factor.
_________________
ASPushkin
"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
-- William Pitt {1759-1806 British Statesman}

arthurdent n00b
Joined: 19 Feb 2005 Posts: 24
Posted: Sun Apr 17, 2005 6:02 pm

Sith & Johnyp,
Thanks very much for your help. Although I had tried stopping and re-starting shorewall I didn't realise that you had to run "clear". Having rebooted (or actually gone to bed and booted up the next day...) it worked!
Thanks again.
Great resource (again)!
Mark

kamagurka Veteran
Joined: 25 Jan 2004 Posts: 1026 Location: /germany/munich
Posted: Mon Apr 18, 2005 5:26 pm

Strange problem here: when I try starting shorewall, I get this output:
Code:
    mq# /etc/init.d/shorewall start
     * Starting firewall...
    Warning: Zone loc is empty
    Warning: Zone dmz is empty
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    /sbin/runscript.sh: line 532: 11461 Terminated /sbin/shorewall start >/dev/null
Afterwards, all traffic to and from my box is stopped, and I have to issue "shorewall clear" to get it working again. Huh?
_________________
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Mon Apr 18, 2005 6:15 pm

If you are not doing any NAT (network address translation; for example, if your gentoo box does not serve as a firewall to a network) - comment out loc and dmz in your /etc/shorewall/zones file.
Most likely it will still fail after this, but at least we will get the first part resolved.
You may also want to provide your zones, policy and rules files.
_________________
Gentoo Unanswered Questions- Give it a try!

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Apr 18, 2005 6:35 pm

kamagurka wrote:
> Strange problem here: when I try starting shorewall, I get this output:
> Code:
>     mq# /etc/init.d/shorewall start
>      * Starting firewall...
>     Warning: Zone loc is empty
>     Warning: Zone dmz is empty
>     iptables: No chain/target/match by that name
>     iptables: No chain/target/match by that name
>     iptables: No chain/target/match by that name
>     /sbin/runscript.sh: line 532: 11461 Terminated /sbin/shorewall start >/dev/null
> Afterwards, all traffic to and from my box is stopped, and I have to issue "shorewall clear" to get it working again. Huh?

Try starting shorewall without the initscript, using shorewall start, the output should give us a better idea of what is wrong. The two warnings issued before the iptables errors are harmless, and not related to why shorewall is crashing.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

kamagurka Veteran
Joined: 25 Jan 2004 Posts: 1026 Location: /germany/munich
Posted: Mon Apr 18, 2005 7:04 pm

Code:
    mq# shorewall start
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Starting Shorewall...
    Initializing...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Not available
       Packet Mangling: Not available
       Multi-port Match: Available
       Connection Tracking Match: Not available
    Determining Zones...
    Zones: net loc dmz
    Validating interfaces file...
    Validating hosts file...
    Validating Policy file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    Warning: Zone loc is empty
    Warning: Zone dmz is empty
    Processing /etc/shorewall/init ...
    Deleting user chains...
    iptables: No chain/target/match by that name
    Processing /etc/shorewall/stop ...
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    IP Forwarding Enabled
    Processing /etc/shorewall/stopped ...
    zsh: 13448 terminated shorewall start
@Johnyp: my config files look just like Sith_Happens wrote in his howto; I didn't change anything there yet.
_________________
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word

gifti n00b
Joined: 03 Jan 2004 Posts: 13
Posted: Mon Apr 18, 2005 7:18 pm

Hi,
I'm not sure this question belongs here, but I will take a shot anyhow. I'm running shorewall and sshd with a number of users. I would like to restrict ssh access to one user at a time, unless it is myself. I should always be permitted to login disregarding other users. The user that is allowed to login should not necessarily be limited to one connection. Is this a firewall job or how can this be done?
thx
g

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Mon Apr 18, 2005 7:35 pm

kamagurka
just looked at my output and Iptables/Netfilter features all read - Available.
Are you sure you compiled your kernel with iptables/netfilter?
_________________
Gentoo Unanswered Questions- Give it a try!

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Mon Apr 18, 2005 7:38 pm

gifti
No, this may be an SSH feature, or you may want to look into tcp_wrappers (tcpd). I really don't think you can set something like this with iptables/netfilter (shorewall). And even if it's possible - I think it may be very-very difficult to do it with a firewall (if possible at all).
_________________
Gentoo Unanswered Questions- Give it a try!

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Apr 18, 2005 8:31 pm

Johnyp wrote:
> kamagurka
> just looked at my output and Iptables/Netfilter features all read - Available.
> Are you sure you compiled your kernel with iptables/netfilter?

Agreed, go back through the how-to and make sure you've correctly configured your kernel (Section 2) then re-emerge iptables.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

kamagurka Veteran
Joined: 25 Jan 2004 Posts: 1026 Location: /germany/munich
Posted: Mon Apr 18, 2005 9:25 pm

I have definitely enabled "Network packet filtering" in my kernel. Your howto doesn't provide information on this, but in there I enabled the following:
Code:
    <M> Connection tracking (required for masq/NAT)
    <M> IP tables support (required for filtering/masq/NAT)
    <M> limit match support
    <M> IP range match support
    <M> MAC address match support
    <M> Packet type match support
    <M> netfilter MARK match support
    <M> Multiple port match support
    <M> TOS match support
    <M> recent match support
    <M> ECN match support
    <M> DSCP match support
    <M> AH/ESP match support
    <M> LENGTH match support
    <M> TTL match support
    <M> tcpmss match support
    <M> Owner match support
    <M> Packet filtering
    <M> REJECT target support
    <M> Full NAT
Did I miss anything or something?
_________________
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word

Johnyp Guru
Joined: 23 Mar 2005 Posts: 301
Posted: Mon Apr 18, 2005 9:33 pm

M stands for - to install as a module. I believe you need to change it to *, so it's compiled normally into the kernel and not as a module. But I may be wrong here.
_________________
Gentoo Unanswered Questions- Give it a try!

Sith_Happens Veteran
Joined: 15 Dec 2004 Posts: 1807 Location: The University of Maryland at College Park
Posted: Mon Apr 18, 2005 10:55 pm

kamagurka wrote:
> I have definitely enabled "Network packet filtering" in my kernel. Your howto doesn't provide information on this, but in there I enabled the following

What do you mean my how-to "doesn't provide information" on how to do this?

Sith_Happens wrote:
> Section 2: Kernel Configuration
> Before we begin, let's make sure that you've compiled your kernel with the built in packet filtering capabilities Shorewall is supposed to take advantage of. So, run:
> Code:
>     cd /usr/src/linux
>     make menuconfig
> Then check to make sure you have netfilter compiled into your kernel:
> Code:
>     # For 2.6 kernels look under:
>     Device Drivers --->
>       Networking support --->
>         Networking options --->
>           [*] Network packet filtering (replaces ipchains) --->
>     # For 2.4 kernels look under:
>     Networking options --->
>       [*] Network packet filtering (replaces ipchains)
>         IP: Netfilter Configuration --->
>           <*> IP Tables Support (required for filtering/masq/NAT)
> If you don't have netfilter compiled into your kernel, then press "y" to add the option, and recompile/install your kernel just like you did when you first installed Gentoo. For Genkernel users, you'll want to run genkernel --menuconfig kernel, verify that the netfilter option is included, then allow genkernel to recompile/install your kernel.

Read the tutorial, follow it as it is written. I wouldn't be so PO'ed, except I told you where to look for kernel configuration in the tutorial in the post right above yours! Kernel modules need to be loaded separately from the kernel manually using modprobe or automatically at boot by adding them to /etc/modules.autoload.d/kernel-<2.6 or 2.4>.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall

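A small diagnostic that ties the two halves of kamagurka's problem together: the capability report that shorewall start printed earlier (NAT, Packet Mangling and Connection Tracking Match all "Not available") and Sith_Happens' point that options built as <M> are modules that must be loaded with modprobe or listed in /etc/modules.autoload.d/kernel-2.6. This is an added example, not code from the thread or from Shorewall itself. The sample output is constructed from kamagurka's post; the module names (iptable_nat, iptable_mangle, ipt_multiport, ipt_conntrack) and the "Packet mangling" option name are assumptions about the iptables of that era, while the other option names come from kamagurka's menuconfig listing.

```python
"""Parse the capability block of `shorewall start` and say what is missing.

Added example; not from the thread or from the Shorewall project. The
module names below are an assumption about 2.4/2.6-era iptables modules.
"""

# Constructed sample: the first lines of kamagurka's `shorewall start` output.
SAMPLE_OUTPUT = """\
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Not available
   Multi-port Match: Available
   Connection Tracking Match: Not available
Determining Zones...
Zones: net loc dmz
"""

HEADER = "Shorewall has detected the following iptables/netfilter capabilities:"

# capability -> (menuconfig option, kernel module). Module names and the
# "Packet mangling" option name are assumptions, not from the thread.
CAPABILITY_MAP = {
    "NAT": ("Full NAT", "iptable_nat"),
    "Packet Mangling": ("Packet mangling", "iptable_mangle"),
    "Multi-port Match": ("Multiple port match support", "ipt_multiport"),
    "Connection Tracking Match": ("Connection tracking", "ipt_conntrack"),
}


def capabilities(output):
    """Return {capability: bool} from the 'name: Available' lines that
    follow HEADER; the block ends at the first line without 'name: value'."""
    found, in_block = {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if line == HEADER:
            in_block = True
            continue
        if not in_block:
            continue
        if ": " not in line:
            break
        name, status = line.split(": ", 1)
        found[name.strip()] = status.strip().lower() == "available"
    return found


def missing(output):
    """Capabilities reported as 'Not available', in the order printed."""
    return [name for name, ok in capabilities(output).items() if not ok]


def remediation(output, kernel="2.6"):
    """One line per missing capability: which option to check and, if it
    is built as a module, how to load it now and at boot (the path is the
    one Sith_Happens gives in the thread)."""
    steps = []
    for name in missing(output):
        option, module = CAPABILITY_MAP.get(name, (None, None))
        if module is None:
            steps.append(f"{name}: no mapping known here, check your kernel config")
            continue
        steps.append(f"{name}: enable '{option}' (<*> or <M>); if <M>, run "
                     f"'modprobe {module}' and add {module} to "
                     f"/etc/modules.autoload.d/kernel-{kernel}")
    return steps


if __name__ == "__main__":
    for cap, ok in capabilities(SAMPLE_OUTPUT).items():
        print(f"{cap:28s} {'ok' if ok else 'MISSING'}")
    for step in remediation(SAMPLE_OUTPUT):
        print(step)
```

On the pasted output this lists NAT, Packet Mangling and Connection Tracking Match as missing and leaves Multi-port Match alone, which matches what kamagurka saw: the one match that was available is also the one module that happened to be loaded, and the rest were built as <M> but never loaded.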