David Mathog
2006-Sep-08 15:46 UTC
how to firewall on one interface only, no routing between interfaces
Consider this topology:

   net <-> server <-> loc

Where the desired configuration is:

   net is the internet (eth0).
   loc is a private subnet (eth1).
   server serves both sides.
   No packets are routed from net->loc or loc->net, the
   two networks are entirely separated.
   Firewall must be active on the net side and handles packets
   net<->server.
   loc side is wide open (all packets server<->loc pass).

How?

So far I've tried.

1. removing all references to "loc" from interfaces, rules, etc.
   Result, no packets would pass from server <-> loc.

2. Using a rule entry

      ACCEPT loc:192.168.1.0/24 fw all

   Result - still firewalled, for instance, PING doesn't work
   from loc->server.

Thanks,

David Mathog
Manager, Sequence Analysis Facility, Biology Division, Caltech

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep
2006-Sep-08 16:07 UTC
Re: how to firewall on one interface only, no routing between interfaces
David Mathog wrote:
> Consider this topology:
>
> net <-> server <-> loc
>
> Where the desired configuration is:
> net is the internet (eth0).
> loc is a private subnet (eth1).
> server serves both sides.
> No packets are routed from net->loc or loc->net, the
> two networks are entirely separated.
> Firewall must be active on the net side and handles packets
> net<->server.
> loc side is wide open (all packets server<->loc pass).
>
> How?
>
> So far I've tried.
>
> 1. removing all references to "loc" from interfaces, rules, etc.
> Result, no packets would pass from server <-> loc.
>
> 2. Using a rule entry
>
> ACCEPT loc:192.168.1.0/24 fw all
>
> Result - still firewalled, for instance, PING doesn't work
> from loc->server.
>
> Thanks,

Start with the basic two-interface configuration.

a) Remove all entries from /etc/shorewall/masq.
b) Remove all loc<->$FW rules
c) Add these two policies:

      loc   $FW   ACCEPT
      $FW   loc   ACCEPT

d) Remove this policy

      loc   net   ACCEPT

e) set IP_FORWARDING=Off in shorewall.conf
d) Configure net<->$FW rules/policies as required.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
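The recipe above rendered as a complete configuration, as an added example that is not part of the thread and not Shorewall project code. It writes the Shorewall 2.x files (zones, interfaces, policy, rules, masq, shorewall.conf) for the "net <-> server <-> loc" topology into a directory and then checks the three invariants the recipe rests on: an empty masq file, no policy joining loc and net in either direction, and IP_FORWARDING=Off. The column layouts and the interface options (tcpflags, nosmurfs, routefilter) are written from memory of the 2.x release line and should be checked against the documentation for the installed version; the SSH rule is only a placeholder for "net<->$FW rules as required", and the target directory argument exists so the script can be run against a scratch directory before touching /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the thread: render Tom's two-interface recipe
# (loc side open, net side firewalled, no forwarding) into Shorewall 2.x
# configuration files and verify the invariants it depends on.
# File layouts and option names are assumptions to be checked against
# the shorewall documentation for the installed version.
# Usage: write_shorewall_config /etc/shorewall && check_shorewall_config /etc/shorewall

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"

    # Two zones; in 2.x the firewall zone itself is named by FW= in shorewall.conf.
    cat >"$dir/zones" <<'EOF'
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Private subnet
EOF

    # eth0 faces the Internet and gets the anti-spoofing options; eth1 gets none.
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,nosmurfs,routefilter
loc     eth1            detect
EOF

    # loc<->$FW wide open, net->$FW dropped unless a rule opens it, and
    # deliberately no loc<->net policy: those packets must never be forwarded.
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     $FW     ACCEPT
$FW     loc     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Only net->$FW needs rules; SSH is a placeholder for whatever the server exposes.
    cat >"$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     $FW     tcp     22
EOF

    # No masquerading: the two networks never exchange packets.
    : >"$dir/masq"

    # IP_FORWARDING=Off makes the kernel refuse to route between eth0 and eth1.
    cat >"$dir/shorewall.conf" <<'EOF'
STARTUP_ENABLED=Yes
FW=fw
IP_FORWARDING=Off
CLAMPMSS=No
EOF
}

# Print "ok" and return 0 when the configuration meets the thread's requirements.
check_shorewall_config() {
    dir=$1
    if grep -v '^#' "$dir/masq" | grep -q .; then
        echo "masq is not empty"; return 1
    fi
    if grep -v '^#' "$dir/policy" |
       awk '($1=="loc"&&$2=="net")||($1=="net"&&$2=="loc"){f=1} END{exit !f}'; then
        echo "policy connects loc and net"; return 1
    fi
    for pair in 'loc $FW' '$FW loc'; do
        set -- $pair
        grep -v '^#' "$dir/policy" |
            awk -v s="$1" -v d="$2" '$1==s&&$2==d&&$3=="ACCEPT"{f=1} END{exit !f}' ||
            { echo "missing $1 -> $2 ACCEPT policy"; return 1; }
    done
    grep -q '^IP_FORWARDING=Off' "$dir/shorewall.conf" ||
        { echo "IP_FORWARDING is not Off"; return 1; }
    echo "ok"
}
```

Run the check again after every edit to the policy file; the loc/net test is the one that catches a stray "loc net ACCEPT" left over from the stock two-interface sample.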
David Mathog
2006-Sep-08 16:37 UTC
Re: how to firewall on one interface only, no routing between interfaces
> This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
>
> David Mathog wrote:
> > Consider this topology:
> >
> > net <-> server <-> loc
> >
> > Where the desired configuration is:
> > net is the internet (eth0).
> > loc is a private subnet (eth1).
> > server serves both sides.
> > No packets are routed from net->loc or loc->net, the
> > two networks are entirely separated.
> > Firewall must be active on the net side and handles packets
> > net<->server.
> > loc side is wide open (all packets server<->loc pass).
> >
> > How?
> >
> > So far I've tried.
> >
> > 1. removing all references to "loc" from interfaces, rules, etc.
> > Result, no packets would pass from server <-> loc.
> >
> > 2. Using a rule entry
> >
> > ACCEPT loc:192.168.1.0/24 fw all
> >
> > Result - still firewalled, for instance, PING doesn't work
> > from loc->server.
> >
> > Thanks,
> >
>
> Start with the basic two-interface configuration.
>
> a) Remove all entries from /etc/shorewall/masq.
> b) Remove all loc<->$FW rules
> c) Add these two policies:
> loc $FW ACCEPT
> $FW loc ACCEPT
> d) Remove this policy
> loc net ACCEPT
> e) set IP_FORWARDING=Off in shorewall.conf
> d) Configure net<->$FW rules/policies as required.

Done and shorewall restarted. There are still rules active
on the loc side. For instance, ping from "loc" to server is
still blocked. That interface is mostly open, nmap for
instance shows known servers on the loc side.

   iptables --list -n | egrep -i "chain|192.168"

still shows these entries, not sure which would affect ping:

   Chain reject (10 references)
   DROP       all  --  192.168.1.255        0.0.0.0/0
   Chain smurfs (0 references)
   LOG        all  --  192.168.1.255        0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
   DROP       all  --  192.168.1.255        0.0.0.0/0

Again, I'm trying to completely disable all firewall activity
on the "loc" side of the server. It should act exactly like
"/etc/rc.d/init.d/iptables off" on that side. I'm thinking
maybe some of the "anywhere" entries are coming into play.

Here is the full output of:

   iptables --list

after your suggested configuration changes were put in and
/etc/rc.d/init.d/shorewall restart

   Chain AllowICMPs (2 references)
   target     prot opt source               destination
   ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
   ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded

   Chain Drop (1 references)
   target     prot opt source               destination
   RejectAuth all  --  anywhere             anywhere
   dropBcast  all  --  anywhere             anywhere
   AllowICMPs icmp --  anywhere             anywhere
   dropInvalid all --  anywhere             anywhere
   DropSMB    all  --  anywhere             anywhere
   DropUPnP   all  --  anywhere             anywhere
   dropNotSyn tcp  --  anywhere             anywhere
   DropDNSrep all  --  anywhere             anywhere

   Chain DropDNSrep (2 references)
   target     prot opt source               destination
   DROP       udp  --  anywhere             anywhere            udp spt:domain

   Chain DropSMB (1 references)
   target     prot opt source               destination
   DROP       udp  --  anywhere             anywhere            udp dpt:135
   DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
   DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
   DROP       tcp  --  anywhere             anywhere            tcp dpt:135
   DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
   DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds

   Chain DropUPnP (2 references)
   target     prot opt source               destination
   DROP       udp  --  anywhere             anywhere            udp dpt:1900

   Chain INPUT (policy DROP)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   eth0_in    all  --  anywhere             anywhere
   eth1_in    all  --  anywhere             anywhere
   Reject     all  --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
   reject     all  --  anywhere             anywhere

   Chain FORWARD (policy DROP)
   target     prot opt source               destination
   eth0_fwd   all  --  anywhere             anywhere
   eth1_fwd   all  --  anywhere             anywhere
   Reject     all  --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
   reject     all  --  anywhere             anywhere

   Chain OUTPUT (policy DROP)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   fw2net     all  --  anywhere             anywhere
   fw2loc     all  --  anywhere             anywhere
   Reject     all  --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
   reject     all  --  anywhere             anywhere

   Chain Reject (4 references)
   target     prot opt source               destination
   RejectAuth all  --  anywhere             anywhere
   dropBcast  all  --  anywhere             anywhere
   AllowICMPs icmp --  anywhere             anywhere
   dropInvalid all --  anywhere             anywhere
   RejectSMB  all  --  anywhere             anywhere
   DropUPnP   all  --  anywhere             anywhere
   dropNotSyn tcp  --  anywhere             anywhere
   DropDNSrep all  --  anywhere             anywhere

   Chain RejectAuth (2 references)
   target     prot opt source               destination
   DROP       tcp  --  anywhere             anywhere            tcp dpt:auth

   Chain RejectSMB (1 references)
   target     prot opt source               destination
   reject     udp  --  anywhere             anywhere            udp dpt:135
   reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
   reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds
   reject     tcp  --  anywhere             anywhere            tcp dpt:135
   reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
   reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds

   Chain all2all (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   Reject     all  --  anywhere             anywhere
   LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
   reject     all  --  anywhere             anywhere

   Chain dropBcast (2 references)
   target     prot opt source               destination
   DROP       all  --  anywhere             anywhere            PKTTYPE broadcast
   DROP       all  --  anywhere             anywhere            PKTTYPE multicast

   Chain dropInvalid (2 references)
   target     prot opt source               destination
   DROP       all  --  anywhere             anywhere            state INVALID

   Chain dropNotSyn (2 references)
   target     prot opt source               destination
   DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

   Chain dynamic (4 references)
   target     prot opt source               destination

   Chain eth0_fwd (1 references)
   target     prot opt source               destination
   dynamic    all  --  anywhere             anywhere            state INVALID,NEW
   net2all    all  --  anywhere             anywhere

   Chain eth0_in (1 references)
   target     prot opt source               destination
   dynamic    all  --  anywhere             anywhere            state INVALID,NEW
   net2fw     all  --  anywhere             anywhere

   Chain eth1_fwd (1 references)
   target     prot opt source               destination
   dynamic    all  --  anywhere             anywhere            state INVALID,NEW
   all2all    all  --  anywhere             anywhere

   Chain eth1_in (1 references)
   target     prot opt source               destination
   dynamic    all  --  anywhere             anywhere            state INVALID,NEW
   loc2fw     all  --  anywhere             anywhere

   Chain fw2loc (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

   Chain fw2net (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

   Chain loc2fw (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

   Chain net2all (2 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   Drop       all  --  anywhere             anywhere
   DROP       all  --  anywhere             anywhere

   Chain net2fw (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   net2all    all  --  anywhere             anywhere

   Chain reject (10 references)
   target     prot opt source               destination
   DROP       all  --  anywhere             anywhere            PKTTYPE broadcast
   DROP       all  --  anywhere             anywhere            PKTTYPE multicast
   DROP       all  --  broadcast-12.caltech.edu  anywhere
   DROP       all  --  192.168.1.255        anywhere
   DROP       all  --  255.255.255.255      anywhere
   DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
   REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
   REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
   REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

   Chain shorewall (0 references)
   target     prot opt source               destination

   Chain smurfs (0 references)
   target     prot opt source               destination
   LOG        all  --  broadcast-12.caltech.edu  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
   DROP       all  --  broadcast-12.caltech.edu  anywhere
   LOG        all  --  192.168.1.255        anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
   DROP       all  --  192.168.1.255        anywhere
   LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
   DROP       all  --  255.255.255.255      anywhere
   LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
   DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

shorewall version reports: 2.4.1 (this is what comes with Mandriva 2006).

Thanks,

David Mathog
Manager, Sequence Analysis Facility, Biology Division, Caltech
Tom Eastep
2006-Sep-08 16:45 UTC
Re: how to firewall on one interface only, no routing between interfaces
David Mathog wrote:
>
>> This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
>>
>> David Mathog wrote:
>>> Consider this topology:
>>>
>>> net <-> server <-> loc
>>>
>>> Where the desired configuration is:
>>> net is the internet (eth0).
>>> loc is a private subnet (eth1).
>>> server serves both sides.
>>> No packets are routed from net->loc or loc->net, the
>>> two networks are entirely separated.
>>> Firewall must be active on the net side and handles packets
>>> net<->server.
>>> loc side is wide open (all packets server<->loc pass).
>>>
>>> How?
>>>
>>> So far I've tried.
>>>
>>> 1. removing all references to "loc" from interfaces, rules, etc.
>>> Result, no packets would pass from server <-> loc.
>>>
>>> 2. Using a rule entry
>>>
>>> ACCEPT loc:192.168.1.0/24 fw all
>>>
>>> Result - still firewalled, for instance, PING doesn't work
>>> from loc->server.
>>>
>>> Thanks,
>>>
>> Start with the basic two-interface configuration.
>>
>> a) Remove all entries from /etc/shorewall/masq.
>> b) Remove all loc<->$FW rules
>> c) Add these two policies:
>> loc $FW ACCEPT
>> $FW loc ACCEPT
>> d) Remove this policy
>> loc net ACCEPT
>> e) set IP_FORWARDING=Off in shorewall.conf
>> d) Configure net<->$FW rules/policies as required.
>
> Done and shorewall restarted. There are still rules active
> on the loc side. For instance, ping from "loc" to server is
> still blocked. That interface is mostly open, nmap for
> instance shows known servers on the loc side.
>
> iptables --list -n | egrep -i "chain|192.168"
>
> still shows these entries, not sure which would affect ping:
>
> Chain reject (10 references)
> DROP all -- 192.168.1.255 0.0.0.0/0
> Chain smurfs (0 references)
> LOG all -- 192.168.1.255 0.0.0.0/0 LOG flags 0
> level 6 prefix `Shorewall:smurfs:DROP:'
> DROP all -- 192.168.1.255 0.0.0.0/0
>
> Again, I'm trying to completely disable all firewall activity
> on the "loc" side of the server. It should act exactly like
> "/etc/rc.d/init.d/iptables off" on that side. I'm thinking
> maybe some of the "anywhere" entries are coming into play.
> Here is the full output of:
>
> iptables --list

The Shorewall support guide specifically asks that you NOT post the output of
that command. The default behavior of --list makes the output nearly useless.

Please "shorewall clear" and test pinging from the local net again. Does it
work?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Sep-08 17:40 UTC
Re: how to firewall on one interface only, no routing between interfaces
Tom Eastep wrote:
> David Mathog wrote:
>>> This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
>>>
>>> David Mathog wrote:
>>>> Consider this topology:
>>>>
>>>> net <-> server <-> loc
>>>>
>>>> Where the desired configuration is:
>>>> net is the internet (eth0).
>>>> loc is a private subnet (eth1).
>>>> server serves both sides.
>>>> No packets are routed from net->loc or loc->net, the
>>>> two networks are entirely separated.
>>>> Firewall must be active on the net side and handles packets
>>>> net<->server.
>>>> loc side is wide open (all packets server<->loc pass).
>>>>
>>>> How?
>>>>
>>>> So far I've tried.
>>>>
>>>> 1. removing all references to "loc" from interfaces, rules, etc.
>>>> Result, no packets would pass from server <-> loc.
>>>>
>>>> 2. Using a rule entry
>>>>
>>>> ACCEPT loc:192.168.1.0/24 fw all
>>>>
>>>> Result - still firewalled, for instance, PING doesn't work
>>>> from loc->server.
>>>>
>>>> Thanks,
>>>>
>>> Start with the basic two-interface configuration.
>>>
>>> a) Remove all entries from /etc/shorewall/masq.
>>> b) Remove all loc<->$FW rules
>>> c) Add these two policies:
>>> loc $FW ACCEPT
>>> $FW loc ACCEPT
>>> d) Remove this policy
>>> loc net ACCEPT
>>> e) set IP_FORWARDING=Off in shorewall.conf
>>> d) Configure net<->$FW rules/policies as required.
>> Done and shorewall restarted. There are still rules active
>> on the loc side. For instance, ping from "loc" to server is
>> still blocked. That interface is mostly open, nmap for
>> instance shows known servers on the loc side.
>>
>> iptables --list -n | egrep -i "chain|192.168"
>>
>> still shows these entries, not sure which would affect ping:
>>
>> Chain reject (10 references)
>> DROP all -- 192.168.1.255 0.0.0.0/0
>> Chain smurfs (0 references)
>> LOG all -- 192.168.1.255 0.0.0.0/0 LOG flags 0
>> level 6 prefix `Shorewall:smurfs:DROP:'
>> DROP all -- 192.168.1.255 0.0.0.0/0
>>
>> Again, I'm trying to completely disable all firewall activity
>> on the "loc" side of the server. It should act exactly like
>> "/etc/rc.d/init.d/iptables off" on that side. I'm thinking
>> maybe some of the "anywhere" entries are coming into play.
>> Here is the full output of:
>>
>> iptables --list
>
> The Shorewall support guide specifically asks that you NOT post the output of
> that command. The default behavior of --list makes the output nearly useless.

That having been said, here are some excerpts:

Although you can't tell from the default --list output, traffic entering on
eth1 is sent down the eth1_in chain.

   Chain INPUT (policy DROP)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   eth0_in    all  --  anywhere             anywhere
   eth1_in    all  --  anywhere             anywhere

The traffic is subjected to dynamic blacklisting then sent down the loc2fw
chain.

   Chain eth1_in (1 references)
   target     prot opt source               destination
   dynamic    all  --  anywhere             anywhere            state INVALID,NEW
   loc2fw     all  --  anywhere             anywhere

There are no dynamic blacklisting rules.

   Chain dynamic (4 references)
   target     prot opt source               destination

And loc2fw accepts everything.

   Chain loc2fw (1 references)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
   ACCEPT     all  --  anywhere             anywhere

Hence my suggestion that you disable Shorewall and be sure that you can ping;
because from the above, there are *no* firewall rules stopping loc->fw
traffic. You may find that /proc/sys/net/ipv4/icmp_echo_ignore_all is set.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
David Mathog
2006-Sep-08 18:02 UTC
Re: how to firewall on one interface only, no routing between interfaces
>> iptables --list
>
> The Shorewall support guide specifically asks that you NOT post the output of
> that command. The default behavior of --list makes the output nearly useless.

Sorry, didn't see that injunction. I suggest that for some
future version of shorewall you implement "shorewall report"
which prepares all the information you do want to see in exactly
the format you will want to see it.

> Please "shorewall clear" and test pinging from the local net again. Does it work?

Oh for crying out loud. No, it doesn't - no ping on either
interface (which otherwise work fine). First time I've seen a NIC
which would work perfectly in all other aspects but not return
pings with the firewall disabled. Rebooted failsafe and turned on
network and one port - still no. Nothing in the BIOS to control
this, possibly a glitch in the forcedeth 0.57 driver, some network
config I missed in Mandriva 2006, or a funny problem with the
motherboard (SuperMicro H8DC8). Rebooted using SLAX (forcedeth 0.54)
and under that OS the machine can be pinged. So it's not a hardware
problem on the motherboard. Either way the lack of a ping is not a
shorewall problem.

Thanks,

David Mathog
Manager, Sequence Analysis Facility, Biology Division, Caltech
David Mathog
2006-Sep-08 19:08 UTC
Re: how to firewall on one interface only, no routing between interfaces
> You may find that /proc/sys/net/ipv4/icmp_echo_ignore_all is set.

Bingo. msec rears its ugly head again. For security level 4 and up
msec turns off icmp_echo. The fix is:

   % cd /etc/security/msec
   % cat >level.local <<EOD
   from mseclib import *
   accept_icmp_echo(yes)
   accept_broadcasted_icmp_echo(yes)
   password_aging(99999)
   set_shell_timeout(0)
   EOD
   % msec

Ok, technically only the first three lines of level.local are
required to fix this problem, but who knows what utility might
require broadcasted icmp_echo as well. The other two effectively
disable password aging (which is fine here since there's no user
access and it's a pain to have root passwords expire) and shell
timeout (ditto, secure and valid sessions on servers shouldn't
expire).

With that the inside network seems to be fully open, and the
outside network pretty locked down, which was the goal.

Thanks!

David Mathog
mathog@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
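Tom's hint (check /proc/sys/net/ipv4/icmp_echo_ignore_all) and David's finding that msec had set it come down to one diagnostic: before blaming a ruleset that accepts everything, ask the kernel whether it would answer an echo request at all. The script below does that, as an added example that is not part of the thread and not Shorewall or msec code. The sysctl paths are the real Linux ones; the optional root-directory argument is an assumption of this example so the functions can be pointed at a constructed tree instead of the live /proc. The sysctl.conf lines it emits restore unicast echo while keeping broadcast echo ignored, which is the usual compromise; whether they stick depends on what else (msec, for instance) rewrites the sysctls at boot.

```shell
#!/bin/sh
# Added example, not from the thread: is "no answer to ping" the kernel's
# doing or the firewall's? Reads the icmp_echo sysctls and says which way
# to look next. The PROC root argument exists only for testing against a
# constructed tree; the default is the live /proc.
# Usage: ping_triage            (reads /proc)
#        ping_triage /tmp/fake  (reads /tmp/fake/sys/net/ipv4/...)

# Print one of: kernel-ignores-all, kernel-ignores-broadcast, kernel-answers.
icmp_echo_status() {
    root=${1:-/proc}
    all=$(cat "$root/sys/net/ipv4/icmp_echo_ignore_all" 2>/dev/null || echo 0)
    bcast=$(cat "$root/sys/net/ipv4/icmp_echo_ignore_broadcasts" 2>/dev/null || echo 0)
    if [ "$all" = 1 ]; then
        echo kernel-ignores-all
    elif [ "$bcast" = 1 ]; then
        echo kernel-ignores-broadcast
    else
        echo kernel-answers
    fi
}

# /etc/sysctl.conf lines that answer unicast echo but still ignore broadcast
# echo (the smurf amplification case). Something else may override them at
# boot; on Mandriva that something is msec, as the thread found.
sysctl_fix_lines() {
    printf 'net.ipv4.icmp_echo_ignore_all = 0\n'
    printf 'net.ipv4.icmp_echo_ignore_broadcasts = 1\n'
}

# Decide where to look next for the thread's symptom (loc cannot ping the
# server although every loc->fw chain ends in ACCEPT).
ping_triage() {
    case $(icmp_echo_status "$1") in
        kernel-ignores-all)
            echo "kernel: icmp_echo_ignore_all=1; fix the sysctl and whatever sets it, not the firewall" ;;
        kernel-ignores-broadcast)
            echo "kernel answers unicast echo only (broadcast ignored, usually intended); check the ruleset" ;;
        *)
            echo "kernel answers echo; run 'shorewall clear' and retest to isolate the ruleset" ;;
    esac
}
```

Run `ping_triage` on the server itself, not from the client: the question is what the server's kernel will do with the request once it has arrived.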
Tom Eastep
2006-Sep-08 21:16 UTC
Re: how to firewall on one interface only, no routing between interfaces
David Mathog wrote:
>>> iptables --list
>> The Shorewall support guide specifically asks that you NOT post the
> output of
>> that command. The default behavior of --list makes the output nearly
> useless.
>
> Sorry, didn't see that injunction. I suggest that for some
> future version of shorewall you implement "shorewall report"
> which prepares all the information you do want to see in exactly
> the format you will want to see it.

For future reference:

In currently-supported versions (which do not include 2.4.1), the "shorewall
dump" command serves that purpose. In 2.4 and earlier versions, "shorewall
status" served a similar purpose. This is documented in the 3.x and 2.x
support guides respectively.

Regards,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi

very often on a server with medium traffic and with about 40 sites,
shorewall goes on "STOP" status.
Why? Is there any way to investigate why it went to "STOP" status?

I wish to receive an email when the firewall goes to STOP so I can
restart it.
Is it possible?

Thank you
Graziano
Graziano wrote:
> Hi
>
> very often on a server with medium traffic and with about 40 sites ,
> shorewall goes on "STOP" status .
> Why ? Is there any way to investigate why it went to "STOP" status ?
>
> I wish to receive an email when the firewall goes to STOP so I can
> restart it .
> Is it possible ?

Shorewall *cannot go into stop status by itself*. Once "shorewall [re]start"
completes, there is *no Shorewall code running in your system whatsoever*.

So you either have

a) A cron job; or
b) a DHCP client; or
c) ???

that is clearing iptables.

This is *not* a Shorewall problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello

A) surely no
B) I have no idea what is a DHCP client
C) I don't know

is it possible that an user on my server without root privileges can
turn off shorewall (executing a shorewall clear)?

By the way now on my /etc/stop file I insert this command

   echo 'ALERT - SHOREWALL STOPPED on:' `date` `who` `hostname` | mail -s "SHOREWALL STOPPED `hostname` " dreamlink@usa.net

at least I am advised when it goes off.

if you have any idea to find point C) ....

Thank you
Graziano

> Graziano wrote:
>> Hi
>>
>> very often on a server with medium traffic and with about 40 sites ,
>> shorewall goes on "STOP" status .
>> Why ? Is there any way to investigate why it went to "STOP" status ?
>>
>> I wish to receive an email when the firewall goes to STOP so I can
>> restart it .
>> Is it possible ?
>
> Shorewall *cannot go into stop status by itself*. Once "shorewall [re]start"
> completes, there is *no Shorewall code running in your system whatsoever*.
>
> So you either have
>
> a) A cron job; or
> b) a DHCP client; or
> c) ???
>
> that is clearing iptables.
>
> This is *not* a Shorewall problem.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Graziano wrote:
> Hello
>
> A) surely no

Well, this problem comes up every month or so and at least have of the people
reporting it eventually find that a cron job doing something with iptables.

> B) I have no idea what is a DHCP client

Does your internet connection have a dynamic IP address? If so, when the IP
address is renewed/changed, the script that gets run may try to modify the
iptables configuration.

> C) I don't know
>
> is it possible that an user on my server without root privileges can
> turn off shorewall (executing a shorewall clear) ?
>
> By the way now on my /etc/stop file I insert this command
>
> echo 'ALERT - SHOREWALL STOPPED on:' `date` `who` `hostname` | mail -s
> "SHOREWALL STOPPED `hostname` " dreamlink@usa.net
>
> at least I am advised when it goes off .

Not necessarily. If a script is executing /etc/init.d/iptables restart or
something similar then /etc/shorewall/stop (which is what I assume you meant)
will not get run.

> if you have any idea to find
> point C) ....

Look at your logs!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
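Tom's point is that the /etc/shorewall/stop hook only fires when Shorewall itself is asked to stop; if some other script runs "iptables -F" or "/etc/init.d/iptables restart", nothing in Shorewall is left running to notice. A watchdog therefore has to inspect the live ruleset rather than wait for a hook, and the hunt for the culprit is a search of the places that run scripts unattended. The following is an added example, not from the thread and not Shorewall code: `ruleset_loaded` reads an `iptables -L -n` listing and reports whether a Shorewall-style ruleset is still present (DROP policies on INPUT and FORWARD plus one of Shorewall's own chains), and `find_iptables_callers` lists files under the usual cron, DHCP-client and init directories that invoke iptables or "shorewall clear/stop". The listing command and the root-directory argument are parameters of this example so it can be tested against constructed input; the chain names are taken from the listing posted earlier in this thread, and the directory list is a starting point, not a complete inventory for any particular distribution.

```shell
#!/bin/sh
# Added example, not from the thread: detect a flushed firewall from cron
# and find who else on the box calls iptables. The listing command and the
# ROOT prefix are parameters so the functions can run against constructed
# data; defaults are the live system (needs root).
# Cron usage, every five minutes (mail address is a placeholder):
#   */5 * * * * root sh /usr/local/sbin/fw-watch.sh ruleset_loaded ||
#       echo "firewall cleared on $(hostname)" | mail -s ALERT admin@example.invalid

# Return 0 when a Shorewall-style ruleset is loaded: DROP policy on INPUT and
# FORWARD and at least one Shorewall chain (shorewall, dynamic or reject).
# After "iptables -F" the policies read ACCEPT and no user chains remain.
ruleset_loaded() {
    cmd=${1:-iptables -L -n}
    $cmd | awk '
        /^Chain INPUT \(policy DROP\)/              { input_drop = 1 }
        /^Chain FORWARD \(policy DROP\)/            { fwd_drop = 1 }
        /^Chain (shorewall|dynamic|reject) \(/      { sw_chain = 1 }
        END { exit !(input_drop && fwd_drop && sw_chain) }'
}

# Print files in the usual unattended-script locations that call iptables or
# "shorewall clear"/"shorewall stop". ROOT (default empty, i.e. /) lets the
# search run against a constructed tree.
find_iptables_callers() {
    root=${1:-}
    for dir in etc/cron.d etc/cron.daily etc/cron.hourly etc/cron.weekly \
               etc/dhcp3 etc/dhclient-exit-hooks.d etc/dhcp/dhclient-exit-hooks.d \
               etc/sysconfig/network-scripts etc/network/if-up.d etc/ppp; do
        [ -d "$root/$dir" ] || continue
        grep -rlE '(^|[^[:alnum:]_])(iptables|shorewall +(clear|stop))' "$root/$dir" 2>/dev/null
    done
    if [ -f "$root/etc/crontab" ]; then
        grep -lE 'iptables|shorewall' "$root/etc/crontab" 2>/dev/null
    fi
    return 0
}

# Allow "sh fw-watch.sh ruleset_loaded" from cron without editing the file.
case ${1:-} in
    ruleset_loaded|find_iptables_callers) "$@" ;;
esac
```

When the watchdog fires, run `find_iptables_callers` and then read the system log around the alert time; a DHCP lease renewal or a cron run lining up with the flush is the usual answer.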
Tom Eastep wrote:
> Graziano wrote:
>> Hello
>>
>> A) surely no
>
> Well, this problem comes up every month or so and at least have of the people

I of course meant "..half of the..."

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key