Hello list, Hello Tom,

I'm trying to set up shorewall for the following situation:
A server linked to the outside world via a static IP (currently 192.168.* but later it will have a "real" one, but fixed/static).
Some virtual machines, all done with kvm; they'll all have their fixed/static IP addresses.
The connections look great, I can easily fine tune who may connect how (rules file).
What I can't get running: blacklisting, all the connections get through, nothing gets blacklisted.
(ping from 192.168.2.100 (physically outside machine) to the kvm guest gets through, but should be blocked by blacklist).
So my question is, what am I doing wrong?
I read that blacklist only makes sense with interfaces, but as soon as I apply that to br0:eth0, I get the message ("Bridge Ports may not have options").
Plus I've got a more general question: Is my configuration correct for the above setup? I hope I didn't get the whole thing totally wrong.
TIA!
Greetings
Michael

PS: My configuration:
=========================================
dpkg -l|grep shorewall
ii  shorewall         4.0.15-1   Shoreline Firewall, netfilter configurator -
ii  shorewall-common  4.0.15-1   Shoreline Firewall, netfilter configurator -
ii  shorewall-doc     4.0.15-1   documentation for Shoreline Firewall (Shorew
ii  shorewall-perl    4.0.15-1   Shoreline Firewall, Netfilter configurator (
ii  shorewall-shell   4.0.15-1   Shoreline Firewall, Netfilter configurator (
=========================================
/etc/shorewall/zones:
fw          firewall
world       ipv4
loc:world   bport
net:world   bport
=========================================
/etc/shorewall/interfaces:
world   br0         detect   blacklist,bridge,routeback
net     br0:eth0    detect
loc     br0:vnet0   detect
=========================================
$ grep BLACK /etc/shorewall/shorewall.conf
BLACKLIST_LOGLEVEL=info
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
BLACKLIST_DISPOSITION=DROP
=========================================
/etc/shorewall/policy:
loc     net     ACCEPT
$FW     world   ACCEPT
net     all     DROP     info
net     loc     DROP     info
all     all     REJECT   info
=========================================
/etc/shorewall/blacklist:
192.168.2.100/32   -   -   ### test
=========================================
$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:30:48:d4:02:70
          inet addr:192.168.2.107  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:fed4:260/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75866968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41857 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:102290937721 (95.2 GiB)  TX bytes:11120904 (10.6 MiB)

eth0      Link encap:Ethernet  HWaddr 00:30:48:d4:02:70
          inet6 addr: fe80::230:48ff:fed4:260/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75867470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42945 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:103353564746 (96.2 GiB)  TX bytes:11242012 (10.7 MiB)
          Memory:da020000-da040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4470 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4563943 (4.3 MiB)  TX bytes:4563943 (4.3 MiB)

virbr0    Link encap:Ethernet  HWaddr 3a:ac:28:5b:62:66
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::38ac:28ff:fe5b:6264/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

vnet0     Link encap:Ethernet  HWaddr 00:ff:e2:8a:51:81
          inet6 addr: fe80::2ff:e2ff:fe8a:5180/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14152930 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:203054 (198.2 KiB)  TX bytes:19251256789 (17.9 GiB)
=========================================
$ brctl show
bridge name   bridge id           STP enabled   interfaces
br0           8000.003048d40260   no            eth0
                                                vnet0
virbr0        8000.000000000000   yes

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Michael Kress wrote:
> So my question is, what am I doing wrong?

Nothing -- There is no way currently to apply blacklisting to a bridge port.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Michael Kress wrote:
>
>> So my question is, what am I doing wrong?
>
> Nothing -- There is no way currently to apply blacklisting to a bridge port.

But then, there is absolutely no reason that you must use a bridge with KVM. I use a routed configuration (http://www.shorewall.net/KVM.html) and, with proxy arp, it can do everything that your bridge is doing; plus, all of the interface options are available.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Nothing -- There is no way currently to apply blacklisting to a bridge port.

So how could I block individuals with my setup as posted before?

Thx
Greetings
Michael
Hi for all ..

Just now I am implementing a similar setup, but with a different approach.

My host system is bridged, but with no valid IP, just a class C to be managed within the internal network.

Then all my guests have their own public IP AND a class C IP, and all run their own shorewall, with specific configuration.

I believe this is more secure, what do you think Mr. Eastep?

Fábio Rabelo

2009/3/6 Tom Eastep <teastep@shorewall.net>
> Tom Eastep wrote:
> > Michael Kress wrote:
> >
> >> So my question is, what am I doing wrong?
> >
> > Nothing -- There is no way currently to apply blacklisting to a bridge
> > port.
>
> But then, there is absolutely no reason that you must use a bridge with
> KVM. I use a routed configuration (http://www.shorewall.net/KVM.html)
> and, with proxy arp, it can do everything that your bridge is doing;
> plus, all of the interface options are available.
>
> -Tom
Michael Kress wrote:
> Tom Eastep wrote:
>> Nothing -- There is no way currently to apply blacklisting to a bridge port.
>
> So how could I block individuals with my setup as posted before?

In Shorewall 4.2.7, you will be able to specify the 'blacklist' option (among others) on a bridge port. Would you like to try an early release?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Fábio Rabelo wrote:
> Hi for all ..
>
> Just now I am implementing a similar setup, but with a different approach.
>
> My host system is bridged, but with no valid IP, just a class C to be
> managed within the internal network.
>
> Then all my guests have their own public IP AND a class C IP, and all
> run their own shorewall, with specific configuration.
>
> I believe this is more secure, what do you think Mr. Eastep?

Either way can be made secure. A single Shorewall configuration is less work to set up.

Again, I like a routed configuration -- the only time that a routed configuration doesn't work is if the guests have dynamic IP addresses and the ISP tracks MAC addresses. In that case, I don't believe it is possible to successfully run a dhcp relay on the firewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Michael Kress wrote:
> Tom Eastep wrote:
>> Nothing -- There is no way currently to apply blacklisting to a bridge port.
>
> So how could I block individuals with my setup as posted before?

There actually *is* a way.

Change your interfaces file to look like this:

world   br0         detect   bridge,routeback
-       br0:eth0    detect
loc     br0:vnet0   detect

And add a hosts file as follows:

net     eth0:0.0.0.0/0   blacklist

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
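As an added illustration (an editor's example, not Shorewall code and not something posted by anyone in this thread), the following Python script parses the three files the thread turns on, interfaces, hosts and blacklist, in their Shorewall 4.0 column layout and answers, offline, whether a given packet would be matched by a blacklist entry. It encodes what the thread establishes: options on a bridge-port line are rejected ("Bridge Ports may not have options"); the blacklist is enforced only on interfaces that carry the blacklist option, either directly or through a hosts entry as in the workaround above; and with BLACKLISTNEWONLY=Yes only NEW connections are checked. The sample file contents are the ones posted in the thread, except the 203.0.113.0/24 entry, which is constructed; the helper names and the simplification that a packet is attributed to the physical port it entered on (eth0) rather than to br0 are the editor's assumptions, not a statement about how Shorewall builds its chains.

```python
# Offline model of Shorewall 4.0 static blacklisting as discussed in this
# thread. Editor's example, not Shorewall code; helper names are invented.
import ipaddress
from typing import Dict, Set

class ConfigError(ValueError):
    """The misconfiguration the thread ran into."""

def _fields(text):
    """Whitespace-split fields of every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_interfaces(text) -> Dict[str, Set[str]]:
    """ZONE INTERFACE BROADCAST OPTIONS -> {interface: options}; a bridge:port
    line carrying options is the 'Bridge Ports may not have options' error."""
    result = {}
    for f in _fields(text):
        opts = set(f[3].split(",")) if len(f) > 3 and f[3] != "-" else set()
        if ":" in f[1] and opts:
            raise ConfigError(f"Bridge Ports may not have options: {f[1]}")
        result[f[1]] = opts
    return result

def parse_hosts(text) -> Dict[str, Set[str]]:
    """ZONE HOST(S) OPTIONS, HOST(S) being IFACE:NETWORK -> {iface: options}."""
    result = {}
    for f in _fields(text):
        opts = set(f[2].split(",")) if len(f) > 2 and f[2] != "-" else set()
        result.setdefault(f[1].split(":", 1)[0], set()).update(opts)
    return result

def parse_blacklist(text):
    """ADDRESS/SUBNET PROTOCOL PORTS -> [(network, proto or None, ports)]; '-' = any."""
    entries = []
    for f in _fields(text):
        proto = f[1].lower() if len(f) > 1 and f[1] != "-" else None
        ports = {int(p) for p in f[2].split(",")} if len(f) > 2 and f[2] != "-" else set()
        entries.append((ipaddress.ip_network(f[0], strict=False), proto, ports))
    return entries

def blacklisted_interfaces(interfaces, hosts) -> Set[str]:
    """Interfaces the blacklist is enforced on: 'blacklist' set in the
    interfaces file, or via a hosts entry (the workaround from the thread)."""
    return ({i for i, o in interfaces.items() if "blacklist" in o}
            | {i for i, o in hosts.items() if "blacklist" in o})

def is_dropped(entries, enforced, in_iface, src, proto="icmp", dport=None,
               state="NEW", newonly=True) -> bool:
    """Does a packet entering on in_iface match a blacklist entry? Assumption:
    the packet counts as arriving on the physical port (eth0), not on br0."""
    if in_iface not in enforced or (newonly and state != "NEW"):  # BLACKLISTNEWONLY=Yes
        return False
    a = ipaddress.ip_address(src)
    return any(a in net and (p is None or p == proto) and (not ports or dport in ports)
               for net, p, ports in entries)

# Sample files: taken from the thread except the line marked constructed.
ORIGINAL_INTERFACES = """
world   br0         detect   blacklist,bridge,routeback
net     br0:eth0    detect
loc     br0:vnet0   detect
"""
BAD_INTERFACES = """
world   br0         detect   bridge,routeback
net     br0:eth0    detect   blacklist
loc     br0:vnet0   detect
"""
FIXED_INTERFACES = """
world   br0         detect   bridge,routeback
-       br0:eth0    detect
loc     br0:vnet0   detect
"""
FIXED_HOSTS = "net   eth0:0.0.0.0/0   blacklist\n"
BLACKLIST = """
192.168.2.100/32   -     -    ### test
210.107.0.0/17     -     -    # "boranet"
203.0.113.0/24     tcp   22   # constructed: block only SSH from this range
"""

def check_thread_scenarios() -> Dict[str, bool]:
    """Replay the thread: original config, the rejected variant, and the fix."""
    entries, r = parse_blacklist(BLACKLIST), {}
    enforced = blacklisted_interfaces(parse_interfaces(ORIGINAL_INTERFACES), {})
    r["original_ping_passes"] = not is_dropped(entries, enforced, "eth0", "192.168.2.100")
    try:
        parse_interfaces(BAD_INTERFACES)
        r["bad_interfaces_rejected"] = False
    except ConfigError:
        r["bad_interfaces_rejected"] = True
    enforced = blacklisted_interfaces(parse_interfaces(FIXED_INTERFACES), parse_hosts(FIXED_HOSTS))
    r["fixed_ping_dropped"] = is_dropped(entries, enforced, "eth0", "192.168.2.100")
    r["fixed_established_passes"] = not is_dropped(entries, enforced, "eth0",
                                                   "192.168.2.100", state="ESTABLISHED")
    r["fixed_ssh_dropped"] = is_dropped(entries, enforced, "eth0", "203.0.113.5", "tcp", 22)
    r["fixed_http_passes"] = not is_dropped(entries, enforced, "eth0", "203.0.113.5", "tcp", 80)
    return r
```

Calling check_thread_scenarios() returns True for every key when the model agrees with the thread: the original layout leaves eth0 unenforced, the bridge-port line with options is rejected at parse time, and the hosts-file workaround drops the test host's ping while leaving established flows and non-matching ports alone. On a real host the authoritative checks remain `shorewall check` before starting and an inspection of the generated blacklist chain with `shorewall show` afterwards; the model only helps reason about which file a given option has to live in.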
Tom Eastep wrote:
> There actually *is* a way.
>
> Change your interfaces file to look like this:
>
> world   br0         detect   bridge,routeback
> -       br0:eth0    detect
> loc     br0:vnet0   detect
>
> And add a hosts file as follows:
>
> net     eth0:0.0.0.0/0   blacklist

Oh, delighted to know that there is one! :-)
I will try it and give you feedback, but first I'd like to give you feedback on your other mail ...
(I accidentally posted this with another account, so it didn't get through to the list, you may discard it if it isn't being done automatically).

Tom Eastep wrote:
> Michael Kress wrote:
>
>> So how could I block individuals with my setup as posted before?
>
> In Shorewall 4.2.7, you will be able to specify the 'blacklist' option
> (among others) on a bridge port. Would you like to try an early release?

Hi Tom,
I'm sorry, but I won't have the time to test this as this server is going into production soon.
I succeeded now with the setup below. (I hope this is secure enough.)
The trick was to use a two interface setup with proxyarp. I have explicitly omitted eth0 from the bridge.
Blacklisting works like a charm now, which was my original question.
Thanks for pointing me to the solution for my prob.
Regards
Michael

$ brctl show
bridge name   bridge id           STP enabled   interfaces
dmz0          8000.00ff01953a0e   yes           vnet0
virbr0        8000.000000000000   yes
================================
interfaces:
net   eth0   detect   tcpflags,routefilter,nosmurfs,logmartians,blacklist
kvm   dmz0   detect   blacklist,routeback,nosmurfs
================================
policy:
kvm   net   ACCEPT
net   all   DROP     info
$FW   net   ACCEPT
all   all   REJECT   info
================================
proxyarp:
192.168.2.149   dmz0   eth0   no   yes
================================
rules:
SSH/ACCEPT     net   $FW
SSH/ACCEPT     net   kvm
HTTP/ACCEPT    net   kvm
HTTPS/ACCEPT   net   kvm
... and so on
================================
zones:
fw    firewall
net   ipv4
kvm   ipv4

--
Michael Kress, kress@hal.saar.de
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
Tom Eastep wrote:
> There actually *is* a way.
>
> Change your interfaces file to look like this:
>
> world   br0         detect   bridge,routeback
> -       br0:eth0    detect
> loc     br0:vnet0   detect
>
> And add a hosts file as follows:
>
> net     eth0:0.0.0.0/0   blacklist

Cool, thanks for your tip. I can confirm it to be working.
So which of the two ways is the preferred way, the two interface way with proxyarp or the bridge way? I guess as regards to security there's no difference. What about future versions of shorewall, which way will be "more compatible"?
If you'd like to include my bridge example in the docs, see below.
Regards
Michael

PS: Here's my setup:
===================================
blacklist
210.107.0.0/17   #"boranet"
....... (long blacklist)
===================================
hosts
net     eth0:0.0.0.0/0   blacklist
===================================
interfaces
world   br0         detect   bridge,routeback
-       br0:eth0    detect
kvm     br0:vnet0   detect
===================================
policy
kvm   net   ACCEPT
net   all   DROP     info
all   kvm   DROP     info
all   $FW   DROP     info
$FW   all   ACCEPT
all   all   REJECT   info
===================================
routestopped
eth0   -
===================================
rules
SSH/ACCEPT    net   $FW
Ping/ACCEPT   net   $FW
SSH/ACCEPT    net   kvm
... lots of other rules
===================================
shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=1
SHOREWALL_COMPILER=perl
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=keep
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
EXPAND_POLICIES=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
===================================
zones
fw          firewall
world       ipv4
net:world   bport
kvm:world   bport
Michael Kress wrote:
> Cool, thanks for your tip. I can confirm it to be working.
> So which of the two ways is the preferred way, the two interface way
> with proxyarp or the bridge way?

As I've said a couple of times in this thread, I prefer the routed configuration.

> I guess as regards to security there's no difference.

Actually, the routed configuration gives you more control. You can define fw->net and fw->dmz policies and rules whereas with the bridge, you cannot.

> What about future versions of shorewall, which way will be "more
> compatible"?

Shorewall will always work on a router.

> If you'd like to include my bridge example in the docs, see below.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________