Kevin T. Neely
2006-Aug-03 23:24 UTC
Blocking an internal host from accessing the Internet
Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
trying to block a host on my internal network from reaching the WAN and
therefore the internet. I am using shorewall to configure my iptables
firewall but am having trouble crafting a proper rule.

I am currently trying: (in /etc/shorewall/rules)

REJECT loc:192.168.0.13 inet
DROP loc:192.168.0.13 inet

which works, however, it does not take effect right away. I want the
firewall to either tear down the connections that exist between that
host on my network and the internet or just disconnect it entirely.

thank you,
Kevin
--
In Vino Veritas
It's back: http://astroturfgarden.com

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
John Andersen
2006-Aug-03 23:40 UTC
Re: Blocking an internal host from accessing the Internet
On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
> trying to block a host on my internal network from reaching the
> WAN and therefore the internet. I am using shorewall to configure my
> iptables firewall but am having trouble crafting a proper rule.
>
> I am currently trying: (in /etc/shorewall/rules)
>
> REJECT loc:192.168.0.13 inet
> DROP loc:192.168.0.13 inet
>
> which works, however, it does not take effect right away. I want the
> firewall to either tear down the connections that exist between that
> host on my network and the internet or just disconnect it entirely.

google cutter

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Kevin T. Neely
2006-Aug-03 23:54 UTC
Re: Blocking an internal host from accessing the Internet
John Andersen wrote on 8/3/2006 7:40 PM:
> On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
>> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
>> trying to block a host on my internal network from reaching the
>
> google cutter
>
Wow, that is such a cool little utility! Thank you for the pointer.
Downloaded, and I'll try it out tonight.

thanks,
K
--
In Vino Veritas
http://astroturfgarden.com
Wong Chee Chun
2006-Aug-04 04:29 UTC
Re: Blocking an internal host from accessing the Internet
I think the program is here :- http://www.lowth.com/cutter/
It works great and is able to cut most of the connections immediately. What a
nice little useful tool.

On 8/4/06, Kevin T. Neely <ktneely@astroturfgarden.com> wrote:
> John Andersen wrote on 8/3/2006 7:40 PM:
> > On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
> >> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
> >> trying to block a host on my internal network from reaching the
> >
> > google cutter
> >
>
> Wow, that is such a cool little utility! Thank you for the pointer.
> Downloaded, and I'll try it out tonight.
>
> thanks,
> K
>
> --
> In Vino Veritas
> http://astroturfgarden.com
>
--
Regards,
Wong Chee Chun
Network Engineer
Softmy Co. Ltd (http://www.softmy.com)
Kevin T. Neely
2006-Aug-04 11:03 UTC
Re: Blocking an internal host from accessing the Internet
John Andersen wrote on 8/3/2006 7:40 PM:
> On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
>> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
>> trying to block a host on my internal network from reaching the
>
> google cutter
>
Sadly, this did not work as well as I'd hoped. On the firewall, I get
"No matching connections found" when I run this against the RFC 1918 IP
address on the home network. However, that computer is still connected
to AIM, etc.

If I reboot that computer, however, it will not be able to connect to
the internet until I change the firewall rules back to allowing it to
connect.

thanks,
K
--
In Vino Veritas
http://astroturfgarden.com
Tom Eastep
2006-Aug-04 15:11 UTC
Re: Blocking an internal host from accessing the Internet
Kevin T. Neely wrote:
> John Andersen wrote on 8/3/2006 7:40 PM:
>> On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
>>> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
>>> trying to block a host on my internal network from reaching the
>> google cutter
>>
>
> Sadly, this did not work as well as I'd hoped. On the firewall, I get
> "No matching connections found" when I run this against the RFC 1918 IP
> address on the home network. However, that computer is still connected
> to AIM, etc.
>
> If I reboot that computer, however, it will not be able to connect to
> the internet until I change the firewall rules back to allowing it to
> connect.

Once you get to a 2.6.16/17 kernel, you can use the 'conntrack' tool from the
Netfilter team.

In the meantime:

a) In your original post, you mentioned having both a DROP and a REJECT rule
-- I suggest only the REJECT rule (having two rules is silly -- whichever is
first will be the only one that has any effect).

b) Secondly, if you put the REJECT rule in both the NEW and the ESTABLISHED
sections of the rules file, it will do more or less what you want.

Rather than using /etc/shorewall/rules, another alternative is to set
BLACKLISTNEWONLY=No in shorewall.conf -- then you can:

shorewall reject <IP ADDRESS>

And all traffic from <IP ADDRESS> will be rejected. You can re-enable traffic
from <IP ADDRESS> using

shorewall allow <IP ADDRESS>

Note that this is not a good approach if you have a large static blacklist
(from /etc/shorewall/blacklist) because every packet entering your firewall
will be sequentially checked against both the static and dynamic lists.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
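As an added example (not code from the thread or from the Shorewall project), the rules-file stanza Tom describes in point b), plus the check a practitioner would want afterwards: counting the flows a host still holds in the kernel's conntrack table, which is why a NEW-only rule leaves existing sessions such as the AIM connection untouched. The zone names loc/inet and the host 192.168.0.13 follow the thread; the conntrack dump is constructed sample data in the /proc/net/ip_conntrack format of 2.6 kernels, with 203.0.113.7 standing in for the firewall's WAN address.

```shell
#!/bin/sh
# Added example, not from the thread: Shorewall 3.x rules stanza for blocking
# one internal host in both the ESTABLISHED and NEW sections, and a conntrack
# table check for flows that host still owns. Sample data is constructed.

# Emit the rules-file lines for one host. A rule in SECTION NEW only stops new
# connections; repeating it in SECTION ESTABLISHED also rejects packets of
# flows that were already open when the rule was loaded. Shorewall requires
# the ESTABLISHED section to come before NEW.
block_host_rules() {
    host="$1"
    printf '%s\n' \
        "SECTION ESTABLISHED" \
        "REJECT  loc:${host}  inet" \
        "SECTION NEW" \
        "REJECT  loc:${host}  inet"
}

# Count conntrack entries whose original direction starts at $1. Each line
# carries two src= fields (original and reply direction); only the first one
# identifies who opened the flow. Reads the dump from stdin, e.g.
#   active_flows_from 192.168.0.13 < /proc/net/ip_conntrack
# Note: this counts flows to any zone, so a DNS lookup to the firewall itself
# (loc -> fw) shows up even though a loc -> inet REJECT never matches it.
active_flows_from() {
    awk -v h="src=$1" '
        { for (i = 1; i <= NF; i++) if (index($i, "src=") == 1) { if ($i == h) n++; break } }
        END { print n + 0 }'
}

# Constructed sample in /proc/net/ip_conntrack format: an open TCP session from
# 192.168.0.13 to an outside host, a DNS query from the same host to the
# firewall's LAN address, and an unrelated web session from 192.168.0.20.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.13 dst=198.51.100.5 sport=1033 dport=5190 packets=12 bytes=1024 src=198.51.100.5 dst=203.0.113.7 sport=5190 dport=1033 packets=10 bytes=900 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.0.13 dst=192.168.0.1 sport=1025 dport=53 packets=1 bytes=60 src=192.168.0.1 dst=192.168.0.13 sport=53 dport=1025 packets=1 bytes=120 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=203.0.113.9 sport=2000 dport=80 packets=5 bytes=400 src=203.0.113.9 dst=203.0.113.7 sport=80 dport=2000 packets=4 bytes=300 [ASSURED] mark=0 use=1'

# Stand-alone run: print the stanza, then the number of flows the sample still
# lists for the host (2: the open TCP session and the DNS lookup).
block_host_rules 192.168.0.13
printf '%s\n' "$SAMPLE_CONNTRACK" | active_flows_from 192.168.0.13
```

Run the count again after loading the rules (or after `shorewall reject`) to confirm that the host's external flows have timed out or been torn down rather than merely being blocked from starting new ones.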
Kevin T. Neely
2006-Aug-11 02:42 UTC
Re: Blocking an internal host from accessing the Internet
Tom Eastep wrote on 8/4/2006 11:11 AM:
> Kevin T. Neely wrote:
>> John Andersen wrote on 8/3/2006 7:40 PM:
>>> On Thursday 03 August 2006 15:24, Kevin T. Neely wrote:
>>>> Hello, I am a new shorewall user, running 3.0.4 on XUbuntu 6.06. I am
>>
>> If I reboot that computer, however, it will not be able to connect to
>> the internet until I change the firewall rules back to allowing it to
>> connect.
>
> Once you get to a 2.6.16/17 kernel, you can use the 'conntrack' tool from the
> Netfilter team.
>
> In the meantime:
>
> b) Secondly, if you put the REJECT rule in both the NEW and the ESTABLISHED
> sections of the rules file, it will do more or less what you want.
>
> Rather than using /etc/shorewall/rules, another alternative is to set
> BLACKLISTNEWONLY=No in shorewall.conf -- then you can:
>
> shorewall reject <IP ADDRESS>

This is a really helpful idea. What I had hacked together thus far was
to maintain a "rules.night" and "rules.day". Then, in cron, I ran a
script that would copy the appropriate one to "rules" and restart the
shorewall server. It makes a lot more sense to use the "shorewall
reject" method of doing things.

Is there any reason that 'conntrack' would be a better option? It seems
to me that keeping everything w/in shorewall might just be the best
option. There are probably situations for each, but this seems to be
pretty decent to me for my simple situation.

thank you!
K
--
In Vino Veritas
http://astroturfgarden.com

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep
2006-Aug-11 21:34 UTC
Re: Blocking an internal host from accessing the Internet
Kevin T. Neely wrote:
>
> This is a really helpful idea. What I had hacked together thus far was
> to maintain a "rules.night" and "rules.day". Then, in cron, I ran a
> script that would copy the appropriate one to "rules" and restart the
> shorewall server. It makes a lot more sense to use the "shorewall
> reject" method of doing things.

You could improve on your current method. See:

http://www.shorewall.net/configuration_file_basics.htm#Levels
http://www.shorewall.net/configuration_file_basics.htm#id2507486
http://www.shorewall.net/starting_and_stopping_shorewall.htm#AltConfig
http://www1.shorewall.net/starting_and_stopping_shorewall.htm#Saved

> Is there any reason that 'conntrack' would be a better option? It seems
> to me that keeping everything w/in shorewall might just be the best
> option. There are probably situations for each, but this seems to be
> pretty decent to me for my simple situation.

The Shorewall-only method has a per-packet cost. If that cost doesn't cause
you a performance problem then go for it...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key