Hello,
I'm running shorewall 3.0.2 on a debian sarge box.
I have a w2k3 box on eth1 with both a public and a local ip address running
an FTP server.
I have set proxy arp for this host.
Now I try to drop ftp packets from one ip address on the internet, but my
setup does not work.

My setup

proxyarp
#ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
195.113.101.221  eth1       eth0      yes        yes

rules
.
DROP  net:193.171.155.10  loc:195.113.101.221  tcp  21
.

zones
#ZONE   TYPE      OPTIONS   IN         OUT
#                           OPTIONS    OPTIONS
fw      firewall
net     ipv4
loc     ipv4
wifio   ipv4
road    ipv4

interfaces:
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     tcpflags,routefilter,norfc1918,nosmurfs,blacklist
loc     eth1       detect     dhcp,blacklist,routeback,detectnets
wifio   eth2       detect     blacklist
road    tap0

policy:
#SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
loc      net    ACCEPT
loc      wifio  ACCEPT
loc      loc    ACCEPT
loc      fw     ACCEPT
fw       net    ACCEPT
fw       wifio  ACCEPT
fw       loc    ACCEPT
net      all    DROP
all      all    REJECT
wifio    net    ACCEPT
wifio    loc    ACCEPT
wifio    fw     ACCEPT
road     loc    ACCEPT
#LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

routing table:
195.113.101.208/30 dev eth0 proto kernel scope link src 195.113.101.210
195.113.101.216/29 dev eth1 proto kernel scope link src 195.113.101.217
172.16.0.0/27 dev eth1 proto kernel scope link src 172.16.0.1
192.168.2.0/24 dev tap0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.10.0/24 via 195.113.101.209 dev eth0
172.16.0.0/16 via 172.16.0.30 dev eth1
default via 195.113.101.209 dev eth0

What could be wrong? Why does shorewall pass ftp connections to my ftp server?

Thanks for any help.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Hi Jiří,

Jiří Červenka wrote:
> Hello,
> I'm running shorewall 3.0.2 on a debian sarge box.
> I have a w2k3 box on eth1 with both a public and a local ip address running
> an FTP server.
> I have set proxy arp for this host.
> Now I try to drop ftp packets from one ip address on the internet, but my
> setup does not work.
> My setup
> proxyarp
> #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
> 195.113.101.221  eth1       eth0      yes        yes
>
> rules
> .
> DROP  net:193.171.155.10  loc:195.113.101.221  tcp  21

What about changing this to loc:[local address] instead of loc:[public
address]? Does that help?

Otherwise you could also consider the blacklisting feature.

> policy:
> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
> loc      net    ACCEPT
> loc      wifio  ACCEPT
> loc      loc    ACCEPT
> loc      fw     ACCEPT
> fw       net    ACCEPT
> fw       wifio  ACCEPT
> fw       loc    ACCEPT
> net      all    DROP
> all      all    REJECT
> wifio    net    ACCEPT
> wifio    loc    ACCEPT
> wifio    fw     ACCEPT
> road     loc    ACCEPT
> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

From the top of my head I thought that policies are matched in _order_.
If that's the case, this also might not do what you expect, no?

--
- Pieter
Jiří Červenka
2007-Jan-19 11:49 UTC
Re: Dropping ftp connections from net to loc does not work
note: the W2k3 box has a public ip address from the 195.113.101.216/29 subnet,
the same subnet as eth1 on the shorewall box.

Thanks for help.

Jiří Červenka wrote:
> Hello,
> I'm running shorewall 3.0.2 on a debian sarge box.
> I have a w2k3 box on eth1 with both a public and a local ip address running
> an FTP server.
> I have set proxy arp for this host.
> Now I try to drop ftp packets from one ip address on the internet, but my
> setup does not work.
> My setup
> proxyarp
> #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
> 195.113.101.221  eth1       eth0      yes        yes
>
> rules
> .
> DROP  net:193.171.155.10  loc:195.113.101.221  tcp  21
> .
> zones
> #ZONE   TYPE      OPTIONS   IN         OUT
> #                           OPTIONS    OPTIONS
>
> fw      firewall
> net     ipv4
> loc     ipv4
> wifio   ipv4
> road    ipv4
>
> interfaces:
> #ZONE   INTERFACE  BROADCAST  OPTIONS
> net     eth0       detect     tcpflags,routefilter,norfc1918,nosmurfs,blacklist
> loc     eth1       detect     dhcp,blacklist,routeback,detectnets
> wifio   eth2       detect     blacklist
> road    tap0
>
> policy:
> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
> loc      net    ACCEPT
> loc      wifio  ACCEPT
> loc      loc    ACCEPT
> loc      fw     ACCEPT
> fw       net    ACCEPT
> fw       wifio  ACCEPT
> fw       loc    ACCEPT
> net      all    DROP
> all      all    REJECT
> wifio    net    ACCEPT
> wifio    loc    ACCEPT
> wifio    fw     ACCEPT
> road     loc    ACCEPT
> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> routing table:
> 195.113.101.208/30 dev eth0 proto kernel scope link src 195.113.101.210
> 195.113.101.216/29 dev eth1 proto kernel scope link src 195.113.101.217
> 172.16.0.0/27 dev eth1 proto kernel scope link src 172.16.0.1
> 192.168.2.0/24 dev tap0 proto kernel scope link src 192.168.2.1
> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> 192.168.10.0/24 via 195.113.101.209 dev eth0
> 172.16.0.0/16 via 172.16.0.30 dev eth1
> default via 195.113.101.209 dev eth0
>
> What could be wrong? Why does shorewall pass ftp connections to my ftp server?
>
> Thanks for any help.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jiří Červenka
2007-Jan-19 12:03 UTC
Re: Dropping ftp connections from net to loc does not work
Pieter Ennes wrote:
> Hi Jiří,
>
> Jiří Červenka wrote:
>
>> Hello,
>> I'm running shorewall 3.0.2 on a debian sarge box.
>> I have a w2k3 box on eth1 with both a public and a local ip address running
>> an FTP server.
>> I have set proxy arp for this host.
>> Now I try to drop ftp packets from one ip address on the internet, but my
>> setup does not work.
>> My setup
>> proxyarp
>> #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>> 195.113.101.221  eth1       eth0      yes        yes
>>
>> rules
>> .
>> DROP  net:193.171.155.10  loc:195.113.101.221  tcp  21
>
> What about changing this to loc:[local address] instead of loc:[public
> address]? Does that help?
>
> Otherwise you could also consider the blacklisting feature.

No, this does not help. The connections from the net go directly to my FTP
server's public ip address on port 21.

>> policy:
>> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
>> loc      net    ACCEPT
>> loc      wifio  ACCEPT
>> loc      loc    ACCEPT
>> loc      fw     ACCEPT
>> fw       net    ACCEPT
>> fw       wifio  ACCEPT
>> fw       loc    ACCEPT
>> net      all    DROP
>> all      all    REJECT
>> wifio    net    ACCEPT
>> wifio    loc    ACCEPT
>> wifio    fw     ACCEPT
>> road     loc    ACCEPT
>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> From the top of my head I thought that policies are matched in _order_.
> If that's the case, this also might not do what you expect, no?

I'm not sure what you mean, so I tried to move the net all drop policy to
the top of the list, but this doesn't help either.

Jiri
Hi,

Jiří Červenka wrote:
>> What about changing this to loc:[local address] instead of loc:[public
>> address]? Does that help?
>>
>> Otherwise you could also consider the blacklisting feature.
>
> No, this does not help. The connections from the net go directly to my FTP
> server's public ip address on port 21.

What exactly doesn't help, replacing the IP address or using the blacklist?

>>> policy:
>>> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
>>> loc      net    ACCEPT
>>> loc      wifio  ACCEPT
>>> loc      loc    ACCEPT
>>> loc      fw     ACCEPT
>>> fw       net    ACCEPT
>>> fw       wifio  ACCEPT
>>> fw       loc    ACCEPT
>>> net      all    DROP
>>> all      all    REJECT
>>> wifio    net    ACCEPT
>>> wifio    loc    ACCEPT
>>> wifio    fw     ACCEPT
>>> road     loc    ACCEPT
>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>> From the top of my head I thought that policies are matched in _order_.
>> If that's the case, this also might not do what you expect, no?
>
> I'm not sure what you mean, so I tried to move the net all drop policy to
> the top of the list, but this doesn't help either.

Well, in the comment in that file it says:

"For each source/destination pair, the file is processed in order until
a match is found ("all" will match any client or server)."

So I don't think your bottom policies will ever be reached because you
have put them behind an 'all all reject'.

--
- Pieter
Jiří Červenka
2007-Jan-19 12:37 UTC
Re: Dropping ftp connections from net to loc does not work
Pieter Ennes wrote:
> Hi,
>
> Jiří Červenka wrote:
>
>>> What about changing this to loc:[local address] instead of loc:[public
>>> address]? Does that help?
>>>
>>> Otherwise you could also consider the blacklisting feature.
>>
>> No, this does not help. The connections from the net go directly to my FTP
>> server's public ip address on port 21.
>
> What exactly doesn't help, replacing the IP address or using the blacklist?

Using the blacklist helped, replacing did not. But I want to be able to
control this by the rules file.

>>>> policy:
>>>> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
>>>> loc      net    ACCEPT
>>>> loc      wifio  ACCEPT
>>>> loc      loc    ACCEPT
>>>> loc      fw     ACCEPT
>>>> fw       net    ACCEPT
>>>> fw       wifio  ACCEPT
>>>> fw       loc    ACCEPT
>>>> net      all    DROP
>>>> all      all    REJECT
>>>> wifio    net    ACCEPT
>>>> wifio    loc    ACCEPT
>>>> wifio    fw     ACCEPT
>>>> road     loc    ACCEPT
>>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>
>>> From the top of my head I thought that policies are matched in _order_.
>>> If that's the case, this also might not do what you expect, no?
>>
>> I'm not sure what you mean, so I tried to move the net all drop policy to
>> the top of the list, but this doesn't help either.
>
> Well, in the comment in that file it says:
>
> "For each source/destination pair, the file is processed in order until
> a match is found ("all" will match any client or server)."
>
> So I don't think your bottom policies will ever be reached because you
> have put them behind an 'all all reject'.

Now I understand. Thanks. Nevertheless, I'm still not sure why the DROP rule
in the rules file did not work.
Hi,

Jiří Červenka wrote:
> Using the blacklist helped, replacing did not. But I want to be able to
> control this by the rules file.

Ok, and I left my mind somewhere, the local IP didn't make sense anyhow.

>>>>> policy:
>>>>> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
>>>>> loc      net    ACCEPT
>>>>> loc      wifio  ACCEPT
>>>>> loc      loc    ACCEPT
>>>>> loc      fw     ACCEPT
>>>>> fw       net    ACCEPT
>>>>> fw       wifio  ACCEPT
>>>>> fw       loc    ACCEPT
>>>>> net      all    DROP
>>>>> all      all    REJECT
>>>>> wifio    net    ACCEPT
>>>>> wifio    loc    ACCEPT
>>>>> wifio    fw     ACCEPT
>>>>> road     loc    ACCEPT
>>>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

How come you have a net -> all DROP policy and still you seem to accept
connections from exactly that to your ftp server? Based on the policies,
that traffic should be dropped, even without the additional rule you
mentioned earlier.

Is there any rule in your rules file that is accepting net -> loc
traffic? If you want to drop FTP traffic, that rule should be at least
_above_ any rule accepting it.

Otherwise, please send your rules file, or the information that is
normally requested at http://www.shorewall.net/support.htm.

--
- Pieter
Jiří Červenka
2007-Jan-19 19:09 UTC
Re: Dropping ftp connections from net to loc does not work
Pieter Ennes wrote:
> Hi,
>
> Jiří Červenka wrote:
>
>> Using the blacklist helped, replacing did not. But I want to be able to
>> control this by the rules file.
>
> Ok, and I left my mind somewhere, the local IP didn't make sense anyhow.
>
>>>>>> policy:
>>>>>> #SOURCE  DEST   POLICY  LOG LEVEL  LIMIT:BURST
>>>>>> loc      net    ACCEPT
>>>>>> loc      wifio  ACCEPT
>>>>>> loc      loc    ACCEPT
>>>>>> loc      fw     ACCEPT
>>>>>> fw       net    ACCEPT
>>>>>> fw       wifio  ACCEPT
>>>>>> fw       loc    ACCEPT
>>>>>> net      all    DROP
>>>>>> all      all    REJECT
>>>>>> wifio    net    ACCEPT
>>>>>> wifio    loc    ACCEPT
>>>>>> wifio    fw     ACCEPT
>>>>>> road     loc    ACCEPT
>>>>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> How come you have a net -> all DROP policy and still you seem to accept
> connections from exactly that to your ftp server? Based on the policies,
> that traffic should be dropped, even without the additional rule you
> mentioned earlier.
>
> Is there any rule in your rules file that is accepting net -> loc
> traffic? If you want to drop FTP traffic, that rule should be at least
> _above_ any rule accepting it.
>
> Otherwise, please send your rules file, or the information that is
> normally requested at http://www.shorewall.net/support.htm.

My rules file:

#ACCEPT   net:147.32.240.25     loc:172.16.0.21
ACCEPT    all                   all                   icmp  8     -  -  1/sec:5
ACCEPT    all                   all                   icmp  0     -  -  1/sec:5
LOG:info  all                   fw                    tcp   ssh
DROP      net:202.194.9.3       all                   tcp   ssh
DROP      net:163.20.160.25     all                   tcp   ssh
DROP      net:211.157.108.19    all                   tcp   ssh
DROP      net:218.191.218.143   all                   tcp   ssh
DROP      net:80.144.163.152    all
DROP      net:202.156.251.82    all
DROP      net:213.248.65.1      all
DROP      net:217.16.27.121     all
DROP      net:210.148.115.76    all
DROP      net:207.246.138.140   all
DROP      net:207.246.138.137   all
DROP      net:151.204.222.219   all
DROP      net:24.224.234.197    all
DROP      net:64.12.163.139     all
DROP      net:201.17.162.107    all
DROP      net:24.177.122.14     all
DROP      net:86.127.183.96     all
DROP      net:193.171.155.10    loc:195.113.101.221   tcp   21
DROP      net:221.127.10.244    all
DROP      net:218.167.46.142    all
DROP      net                   loc:195.113.101.220   tcp   135
DROP      net                   loc:195.113.101.220   udp   135
DROP      net                   loc:195.113.101.219   tcp   25
DROP      net                   loc:172.16.0.25       all
DROP      net                   all                   udp   161
DROP      net                   all                   udp   162
DROP      fw                    net                   tcp   161
DROP      fw                    net                   tcp   162
DROP      loc:172.16.0.3        loc:195.113.101.218   udp   55    53
DROP      loc                   net                   tcp   25
ACCEPT    loc                   fw                    tcp   1201  -  -  2/sec:5   # SSH
ACCEPT    net                   fw:195.113.101.210    tcp   1201  -  -  2/sec:5   # SSH (temporary)
ACCEPT    net                   fw:195.113.101.210    tcp   25    -  -  2/sec:5   # SMTP
ACCEPT    net                   fw:195.113.101.217    tcp   25    -  -  2/sec:5
ACCEPT    net                   fw:195.113.101.210    tcp   110   # POP3
ACCEPT    net                   fw:195.113.101.210    tcp   80    # POP3
ACCEPT    fw                    all                   tcp   3128
ACCEPT    loc                   fw                    tcp   21
ACCEPT    loc                   loc:195.113.101.221
ACCEPT    net                   fw:195.113.101.217    tcp   21
ACCEPT    net                   fw:172.16.0.1         tcp   21
ACCEPT    net:88.146.126.102    fw                    tcp   3306
ACCEPT    loc:172.16.22.5       fw                    tcp   3306
ACCEPT    net                   loc:172.16.26.2       tcp   25    # durci mail
ACCEPT    net                   fw:195.113.101.217    tcp   1202  # FTP
ACCEPT    net                   fw:195.113.101.217    tcp   80    # HTTP
ACCEPT    net                   fw:195.113.101.217    tcp   443   # HTTPS
ACCEPT    loc                   fw:195.113.101.217    tcp   80    # HTTP
ACCEPT    loc                   fw:172.16.0.1         tcp   80    # HTTP
#ACCEPT   net:192.168.10.2      fw:195.113.101.217    tcp   80
#ACCEPT   fw:195.113.101.217    net:192.168.10.2
ACCEPT    loc                   fw                    tcp   3306
ACCEPT    loc                   net:195.39.14.220     tcp   15001
#ACCEPT   net                   loc:195.113.101.210   tcp   25    # SMTP
ACCEPT    net                   loc:195.113.101.219   tcp   110   # POP3
ACCEPT    loc:172.16.0.2        fw:172.16.0.1         tcp   25
ACCEPT    loc:195.113.101.219   fw                    tcp   25
ACCEPT    fw                    loc:172.16.0.2        tcp   25
ACCEPT    fw                    loc:195.113.101.219   tcp   25
ACCEPT    all                   loc:195.113.101.218   tcp   21    #ftp
ACCEPT    net                   loc:195.113.101.220   tcp   3389
ACCEPT    net                   loc:195.113.101.221   tcp   3389
ACCEPT    loc:195.113.101.220   net                   all
ACCEPT    loc:195.113.101.221   net                   all
ACCEPT    net                   loc:195.113.101.221   tcp   8081
ACCEPT    net                   loc:195.113.101.221   tcp   21
ACCEPT    net                   loc:195.113.101.221   tcp   8888
ACCEPT    fw:195.113.101.210    net:195.113.101.209   tcp   161
ACCEPT    fw:195.113.101.210    net:195.113.101.209   udp   161
ACCEPT    fw                    loc                   tcp   161
ACCEPT    fw                    loc                   udp   161
REDIRECT  loc                   3128                  tcp   80    -  !172.16.0.1
DNAT      net                   loc:172.16.0.25       tcp   12345 -  195.113.101.210
DNAT      net                   loc:172.16.0.19       tcp   3389  -  195.113.101.210
DNAT      net                   loc:172.16.0.18       tcp   12001 -  195.113.101.217
DNAT      net                   loc:172.16.0.18       udp   12001 -  195.113.101.217
#DNAT     net                   loc:172.16.0.14       tcp   12002 -  195.113.101.206
#DNAT     net                   loc:172.16.0.14       udp   12002 -  195.113.101.206
DNAT      net                   loc:172.16.11.10      tcp   80    -  195.113.101.210
#DNAT     net                   loc:172.16.0.4        tcp   2100  -  195.113.101.206
DNAT      net                   loc:172.16.0.18       udp   7001  -  195.113.101.210
DNAT      loc                   loc:172.16.0.18       tcp   7001  -  195.113.101.210
DNAT      net                   loc:172.16.0.18       udp   9221  -  195.113.101.210
DNAT      net                   loc:172.16.0.18       tcp   9221  -  195.113.101.210
DNAT      net                   loc:172.16.0.14       tcp   7000  -  195.113.101.210
DNAT      net                   loc:172.16.0.14       udp   7000  -  195.113.101.210
Jiří Červenka wrote:
> Hello,
> I'm running shorewall 3.0.2 on a debian sarge box.
> I have a w2k3 box on eth1 with both a public and a local ip address running
> an FTP server.
> I have set proxy arp for this host.
> Now I try to drop ftp packets from one ip address on the internet, but my
> setup does not work.

Exactly what does that mean? Does it mean that even with the DROP rule in
place, you can start a new FTP client on 193.171.155.10 and have it connect
to 195.113.101.221?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Jiří Červenka
2007-Jan-19 21:18 UTC
Re: Dropping ftp connections from net to loc does not work
Tom Eastep wrote:
> Jiří Červenka wrote:
>
>> Hello,
>> I'm running shorewall 3.0.2 on a debian sarge box.
>> I have a w2k3 box on eth1 with both a public and a local ip address running
>> an FTP server.
>> I have set proxy arp for this host.
>> Now I try to drop ftp packets from one ip address on the internet, but my
>> setup does not work.
>
> Exactly what does that mean? Does it mean that even with the DROP rule in
> place, you can start a new FTP client on 193.171.155.10 and have it connect
> to 195.113.101.221?
>
> -Tom

Yes exactly. I have to put 193.171.155.10 into the blacklist file to prevent
new FTP connections. The DROP rule in the rules file has no effect.

Jiri
Jiří Červenka wrote:
>
> Tom Eastep wrote:
>> Jiří Červenka wrote:
>>
>>> Hello,
>>> I'm running shorewall 3.0.2 on a debian sarge box.
>>> I have a w2k3 box on eth1 with both a public and a local ip address running
>>> an FTP server.
>>> I have set proxy arp for this host.
>>> Now I try to drop ftp packets from one ip address on the internet, but my
>>> setup does not work.
>>
>> Exactly what does that mean? Does it mean that even with the DROP rule in
>> place, you can start a new FTP client on 193.171.155.10 and have it connect
>> to 195.113.101.221?
>>
>> -Tom
>
> Yes exactly. I have to put 193.171.155.10 into the blacklist file to prevent
> new FTP connections. The DROP rule in the rules file has no effect.

Then I would like to see the output of "shorewall dump" collected as follows:

a) With no FTP session from 193.171.155.10, "shorewall dump > dump1.txt"
b) "shorewall reset"
c) Establish an FTP session from 193.171.155.10
d) "shorewall dump > dump2.txt"

Send me the two dump files.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Jiří Červenka
2007-Jan-20 11:05 UTC
Re: Dropping ftp connections from net to loc does not work
Tom Eastep wrote:
> Jiří Červenka wrote:
>
>> Tom Eastep wrote:
>>
>>> Jiří Červenka wrote:
>>>
>>>> Hello,
>>>> I'm running shorewall 3.0.2 on a debian sarge box.
>>>> I have a w2k3 box on eth1 with both a public and a local ip address running
>>>> an FTP server.
>>>> I have set proxy arp for this host.
>>>> Now I try to drop ftp packets from one ip address on the internet, but my
>>>> setup does not work.
>>>
>>> Exactly what does that mean? Does it mean that even with the DROP rule in
>>> place, you can start a new FTP client on 193.171.155.10 and have it connect
>>> to 195.113.101.221?
>>>
>>> -Tom
>>
>> Yes exactly. I have to put 193.171.155.10 into the blacklist file to prevent
>> new FTP connections. The DROP rule in the rules file has no effect.
>
> Then I would like to see the output of "shorewall dump" collected as follows:
>
> a) With no FTP session from 193.171.155.10, "shorewall dump > dump1.txt"
> b) "shorewall reset"
> c) Establish an FTP session from 193.171.155.10
> d) "shorewall dump > dump2.txt"
>
> Send me the two dump files.
>
> Thanks,
> -Tom

I'm not able to simulate an FTP session from 193.171.155.10, because I have
no access to this machine; in fact some script kiddie was trying to log in
to my FTP server using a brute force attack.
I tried to establish a connection from my personal public IP address and
in this case shorewall worked as usual.
The FTP connection from my public ip address was dropped. It is strange
because the only thing I changed in the configuration was the ip address in
the drop rule for FTP connections.
Dump files are here: http://rapidshare.com/files/12526259/dumps.zip.html

Thanks,
Jiri
Jiří Červenka wrote:
>
> I'm not able to simulate an FTP session from 193.171.155.10, because I have
> no access to this machine; in fact some script kiddie was trying to log in
> to my FTP server using a brute force attack.
> I tried to establish a connection from my personal public IP address and
> in this case shorewall worked as usual.
> The FTP connection from my public ip address was dropped. It is strange
> because the only thing I changed in the configuration was the ip address in
> the drop rule for FTP connections.
> Dump files are here: http://rapidshare.com/files/12526259/dumps.zip.html

I suspect that the attacker was not establishing a new TCP connection then
but rather was reusing an existing one. You have BLACKLISTNEWONLY=No in your
shorewall.conf file so that blacklist entries can stop existing connections.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
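The two points the replies in this thread turn on, Pieter's quote that policy lines are first-match per source/destination pair and Tom's closing remark about BLACKLISTNEWONLY=No, as a toy evaluator in Python. This is an added example, not Shorewall's own code; it assumes the rules file is likewise first-match, that packets of an already ESTABLISHED connection are accepted before the rules file is consulted, and that BLACKLISTNEWONLY=No applies the blacklist to every packet rather than only to new connections, and it models only the columns this thread uses.

```python
# Toy first-match model of the policy/rules evaluation discussed in this
# thread (added example, not Shorewall code).  Assumptions: policy and rules
# files are first-match per source/destination pair, packets of an ESTABLISHED
# connection are accepted before the rules are consulted, and BLACKLISTNEWONLY=No
# applies the blacklist to every packet.  Port names like "ssh" are not resolved.

# Policy file from the thread (LOG LEVEL / LIMIT:BURST columns omitted).
POLICY = """
loc    net    ACCEPT
loc    wifio  ACCEPT
loc    loc    ACCEPT
loc    fw     ACCEPT
fw     net    ACCEPT
fw     wifio  ACCEPT
fw     loc    ACCEPT
net    all    DROP
all    all    REJECT
wifio  net    ACCEPT
wifio  loc    ACCEPT
wifio  fw     ACCEPT
road   loc    ACCEPT
"""

# The two FTP rules from the poster's rules file, in their original order.
RULES = """
DROP    net:193.171.155.10  loc:195.113.101.221  tcp  21
ACCEPT  net                 loc:195.113.101.221  tcp  21
"""
ZONES = ("fw", "net", "loc", "wifio", "road")

def parse(text):
    """Split a Shorewall-style file into field lists, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def first_policy(policy_text, src_zone, dst_zone):
    """(index, action) of the first policy line matching the pair; "all" matches any zone."""
    for i, row in enumerate(parse(policy_text)):
        src, dst, action = row[:3]
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return i, action
    return None

def unreachable_policies(policy_text, zones):
    """Indices of policy lines no zone pair can reach because an earlier line shadows them."""
    hits = (first_policy(policy_text, s, d) for s in zones for d in zones)
    reached = {h[0] for h in hits if h}
    return [i for i in range(len(parse(policy_text))) if i not in reached]

def _endpoint_matches(spec, zone, addr):
    # spec is "zone" or "zone:address"; only exact host addresses are modelled
    spec_zone, _, spec_addr = spec.partition(":")
    return spec_zone in ("all", zone) and (not spec_addr or spec_addr == addr)

def first_rule(rules_text, src_zone, src_addr, dst_zone, dst_addr, proto, port):
    """Action of the first rules line matching the packet, or None if none matches."""
    for row in parse(rules_text):
        action, src, dst = row[:3]
        r_proto = row[3] if len(row) > 3 else "-"
        r_port = row[4] if len(row) > 4 else "-"
        if (_endpoint_matches(src, src_zone, src_addr)
                and _endpoint_matches(dst, dst_zone, dst_addr)
                and r_proto in ("-", proto) and r_port in ("-", str(port))):
            return action
    return None

def decide(src_zone, src_addr, dst_zone, dst_addr, proto, port,
           state="NEW", blacklist=(), blacklist_new_only=True):
    """Verdict for one packet: blacklist, then conntrack state, then rules, then policy."""
    if src_addr in blacklist and (state == "NEW" or not blacklist_new_only):
        return "DROP (blacklist)"
    if state != "NEW":
        return "ACCEPT (established connection, rules not consulted)"
    action = first_rule(RULES, src_zone, src_addr, dst_zone, dst_addr, proto, port)
    if action:
        return action + " (rules)"
    return first_policy(POLICY, src_zone, dst_zone)[1] + " (policy)"
```

Running `unreachable_policies(POLICY, ZONES)` returns the four wifio/road lines that sit behind `all all REJECT`, and `decide(...)` shows why a new FTP connection from 193.171.155.10 is dropped by the rule while an already established one is only stopped by the blacklist with BLACKLISTNEWONLY=No.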