System: Bering-uClibc 2.4.2, uClibc 0.9.20 Rev 1, linux 2.4.32, and shorewall 3.0.7

This is a very basic (almost default) Bering setup. This is the first time I've tried to modify the Rules file since I set up the firewall 3-4 years ago. I wish to inhibit (REJECT or DROP) outgoing connections to www.myspace.com from one computer (a windows PC) on the loc zone.

I've tried several variations of the rules shown below. Neither the DROP nor the REJECT actions appear to work (i.e., I am still able to connect an IE browser to the myspace web site). I determined which IP addresses to use in these rules via ping www.myspace.com. It appears they use an IP hopping scheme amongst a limited set of IPs that change rather frequently. I've tried both www and http in the protocol column. I've also tried adding these rules to the ESTABLISHED section in addition to the NEW section. Nothing seems to work.

Following the recommended guidelines for requesting assistance, I've attached a gzipped Shorewall dump created after successfully connecting to the undesired web site while Shorewall was running with these rules in place.

Offending entries in Rules file (NEW Section):

# Disallow outgoing connection requests to myspace.com
DROP    loc:192.168.1.3    net:63.135.80.45     tcp    www    -    -
DROP    loc:192.168.1.3    net:63.135.80.46     tcp    www    -    -
DROP    loc:192.168.1.3    net:63.135.80.47     tcp    www    -    -
DROP    loc:192.168.1.3    net:216.178.39.11    tcp    www    -    -
DROP    loc:192.168.1.3    net:216.178.39.12    tcp    www    -    -
DROP    loc:192.168.1.3    net:216.178.39.129   tcp    www    -    -
DROP    loc:192.168.1.3    net:64.86.183.91     tcp    www    -    -
DROP    loc:192.168.1.3    net:64.86.183.146    tcp    www    -    -

Any assistance provided will be greatly appreciated. Please let me know if any additional information is required.
mike

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Michael wrote:
> System: Bering-uClibc 2.4.2, uClibc 0.9.20 Rev 1, linux 2.4.32, and
> shorewall 3.0.7
>
> This is a very basic (almost default) Bering setup. This is the first time
> I've tried to modify the Rules file since I set up the firewall 3-4 years
> ago. I wish to inhibit (REJECT or DROP) outgoing connections to
> www.myspace.com from one computer (a windows PC) on the loc zone.

You are trying to use the wrong tool. Shorewall has always been about keeping the bad guys out rather than policing the surfing habits of your users. For that job, Squid ACLs are a better approach.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Michael wrote:
>
> Following the recommended guidelines for requesting assistance, I've
> attached a gzipped Shorewall dump created after successfully connecting to
> the undesired web site while Shorewall was running with these rules in
> place.

There are no connections at all from 192.168.1.3. There are no active connections at all. Are you sure this computer is using your Bering box as a gateway and not the neighbor's unsecured wifi?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
I realized after I sent the dump file that the IP address of the machine had changed from 192.168.1.3 to 192.168.1.2, so I modified the rules and re-executed the connection attempt and produced a new DUMP file (attached). Based upon the initial response to my inquiry I did not think this would get any further attention, so I did not think this new DUMP would be needed or reviewed. Sorry for the confusion. And thank you for the continued interest.

mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Saturday, August 16, 2008 4:07 PM
Subject: Re: [Shorewall-users] Trouble REJECTING undesired connection(s)

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
michael hall wrote:
> I realized after I sent the dump file that the IP address of the machine
> had changed from 192.168.1.3 to 192.168.1.2 so I modified the rules and
> re-executed the connection attempt and produced a new DUMP file
> (attached). Based upon the initial response to my inquiry I did not
> think this would get any further attention, so I did not think this new
> DUMP would be needed or reviewed. Sorry for the confusion. And thank you
> for the continued interest.

I'm not particularly interested -- I was just pointing out that there were no connections through your Bering box at all. You can look at the output of 'shorewall dump' yourself; you don't need to send it to me.

The 'loc2net' chain handles all connection attempts from the 'loc' zone to the 'net' zone. From that chain:

3 144 DROP tcp -- * * 192.168.1.2 63.135.80.47 tcp dpt:80
3 144 DROP tcp -- * * 192.168.1.2 216.178.39.11 tcp dpt:80
3 144 DROP tcp -- * * 192.168.1.2 216.178.39.12 tcp dpt:80

So your firewall did drop 9 packets from 192.168.1.2 headed for banned IP addresses. For managing loc->net, REJECT is a better approach than DROP since it stops the client from retrying.

But if you look at the current connections (they are right after the Mangle Table rules), you see the following (I've deleted UDP connections):

tcp 6 431928 ESTABLISHED src=192.168.1.6 dst=207.46.209.124 sport=3493 dport=80 src=207.46.209.124 dst=71.196.133.42 sport=80 dport=3493 [ASSURED] use=1 mark=0
tcp 6 431978 ESTABLISHED src=192.168.1.6 dst=207.46.209.124 sport=3575 dport=443 src=207.46.209.124 dst=71.196.133.42 sport=443 dport=3575 [ASSURED] use=1 mark=0

So there are two connections from 192.168.1.6 to 207.46.209.124:80. Since neither of those are reflected in your rules, I don't understand what you are reporting. Again, if 192.168.1.2 is connected to any web site, it isn't connected through the Bering box.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
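The diagnostic Tom walks through by eye (read the loc2net chain counters, then the conntrack table, and ask whether the suspect host shows up in either) can be scripted against a saved 'shorewall dump'. The parser below is an added example, not code from this thread or from Shorewall; the two sample excerpts are constructed from the lines quoted above and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed samples: the loc2net chain lines and the two conntrack entries
# quoted in the thread, in the layout 'shorewall dump' prints them.
LOC2NET = """\
3 144 DROP tcp -- * * 192.168.1.2 63.135.80.47 tcp dpt:80
3 144 DROP tcp -- * * 192.168.1.2 216.178.39.11 tcp dpt:80
3 144 DROP tcp -- * * 192.168.1.2 216.178.39.12 tcp dpt:80
"""
CONNTRACK = """\
tcp 6 431928 ESTABLISHED src=192.168.1.6 dst=207.46.209.124 sport=3493 dport=80 src=207.46.209.124 dst=71.196.133.42 sport=80 dport=3493 [ASSURED] use=1 mark=0
tcp 6 431978 ESTABLISHED src=192.168.1.6 dst=207.46.209.124 sport=3575 dport=443 src=207.46.209.124 dst=71.196.133.42 sport=443 dport=3575 [ASSURED] use=1 mark=0
"""

# pkts bytes target proto opt in out source destination [match options]
CHAIN_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+--\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(.*)$")
# proto protonum timeout state src= dst= sport= dport= (original direction only)
CT_RE = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(\w+)\s+src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


def dropped_by_source(chain_text):
    """Map source -> {destination: packet count} for DROP/REJECT rules whose counters are non-zero."""
    hits = defaultdict(dict)
    for line in chain_text.splitlines():
        m = CHAIN_RE.match(line)
        if not m:
            continue
        pkts, _bytes, target, _proto, src, dst, _extra = m.groups()
        if target in ("DROP", "REJECT") and int(pkts) > 0:
            hits[src][dst] = int(pkts)
    return dict(hits)


def established_from(ct_text):
    """Map source -> set of (dst, dport) for ESTABLISHED TCP entries in the conntrack table."""
    conns = defaultdict(set)
    for line in ct_text.splitlines():
        m = CT_RE.match(line)
        if m and m.group(1) == "tcp" and m.group(2) == "ESTABLISHED":
            _, _, src, dst, _sport, dport = m.groups()
            conns[src].add((dst, int(dport)))
    return dict(conns)


def host_seen_via_firewall(host, chain_text, ct_text):
    """True if the host either hit a filter rule or holds a tracked connection through the box."""
    return host in dropped_by_source(chain_text) or host in established_from(ct_text)
```

If a host the user is sure is browsing never appears in either map, the traffic is not passing through this firewall, which is the conclusion Tom reaches above.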