Hi,

I am new to shorewall and I am trying to set up shorewall (v4.5.5.4) on a Redhat host to protect itself. As a test, I would set up a policy to allow corporate hosts to access the Redhat through ssh, not from the rest. From the host, it can initiate all the traffic out.

I modified hosts, zones and rules files in /etc/shorewall:

# cat hosts
#ZONE   HOST(S)             OPTIONS
Corp    eth0:10.0.0.0/8

# cat zones
#ZONE   TYPE        OPTIONS     IN OPTIONS      OUT OPTIONS
#
Fw      firewall
Net     ipv4
Corp    ipv4

# cat rules
SECTION NEW
SSH(ACCEPT)     corp    $FW
SSH(DROP)       net     $FW

After I started shorewall, I noticed that the policy is "DROP" not "ACCEPT" from corp to fw. Why? Thanks.

[root@dmz1 shorewall]# shorewall show policies
Shorewall 4.5.5.4 Policies at dmz1.corp.com - Tue Jul 17 11:47:54 EDT 2012

fw => net ACCEPT using chain fw2net
fw => corp DROP using chain fw2corp
net => fw DROP using chain net2fw
net => corp DROP using chain net2corp
corp => fw DROP using chain corp2fw
corp => net DROP using chain corp2net
[root@njdmzrp1 shorewall]#

Ryan Jiang
On 18/07/12 01:52, Ruiyuan Jiang wrote:
> Hi,
>
> I am new to shorewall and I am trying to setup shorewall (v4.5.5.4) on a Redhat host to protect itself. As a test, I would setup a policy to allow corporate hosts to access the Redhat through ssh, not from the rest. From the host, it can initiate all the traffic out.
>
> I modified hosts, zones and rules files in /etc/shorewall:
> ...
> After I started shorewall, I noticed that the policy is "DROP" not "ACCEPT" from corp to fw. Why? Thanks.
>
> [root@dmz1 shorewall]# shorewall show policies
> Shorewall 4.5.5.4 Policies at dmz1.corp.com - Tue Jul 17 11:47:54 EDT 2012
>
> fw => net ACCEPT using chain fw2net
> fw => corp DROP using chain fw2corp
> net => fw DROP using chain net2fw
> net => corp DROP using chain net2corp
> corp => fw DROP using chain corp2fw
> corp => net DROP using chain corp2net
> [root@njdmzrp1 shorewall]#

Hi Ruiyuan,

Shorewall won't start without a policy covering each interface combination, so you must also have something relevant in the policies file - what is it?

I think you may be misunderstanding the policies and rules distinction. It might be worth reviewing the information about them in http://shorewall.net/Introduction.html#Concepts

Regards,
Paul
Hi, Paul

Sorry I did not include the content of policy file. In the policy file, it has:

#SOURCE     DEST    POLICY      LOG LEVEL   LIMIT:      CONNLIMIT:
$FW         net     ACCEPT
Net         all     DROP        info
All         all     DROP        info

From the doc, is it supposed that rules file first then policy file?

"For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied."

Ruiyuan Jiang

-----Original Message-----
From: Paul Gear [mailto:paul@gear.dyndns.org]
Sent: Tuesday, July 17, 2012 5:06 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Policies for one interface
On 18/07/12 07:14, Ruiyuan Jiang wrote:
> Hi, Paul
>
> Sorry I did not include the content of policy file. In the policy
> file, it has:
>
> #SOURCE DEST POLICY LOG LEVEL LIMIT: CONNLIMIT:
>
> $FW net ACCEPT
> Net all DROP info
> All all DROP info

That matches exactly what you're seeing in your 'shorewall show policies' output, which is expected.

> From the doc, is it supposed that rules file first then policy
> file?

Yes, but 'shorewall show policies' only shows you what you already know you have configured through the policy file. It will have no effect on the ssh ACCEPT rule you have configured from corp2fw. (Use 'shorewall show corp2fw' to see this - you'll see a RELATED,ESTABLISHED rule first, then the ssh rule, then a chain to the policy.)

Paul
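The evaluation order Paul describes, and the doc passage Ruiyuan quoted earlier in the thread (rules file first, then the first matching policy), can be checked offline with a small model. The following is an added example written for this thread, not Shorewall's own code: it parses copies of the hosts, rules and policy entries posted above (zone names lower-cased, as 'shorewall show policies' prints them), maps a source address to its zone, walks the rules first and only then falls through to the policy table. The SSH macro expanding to tcp/22 and the firewall's own address 192.0.2.10 are assumptions made for the example.

```python
"""Toy model of Shorewall's rules-then-policy lookup order.

Added example, not Shorewall code. It re-implements in plain Python the
order quoted from the Shorewall docs in this thread, using copies of the
hosts/rules/policy entries posted there. Only what the example needs is
parsed: the SSH macro, 'all' wildcards and the $FW alias.
"""
import ipaddress

FW_ZONE = "fw"

# Constructed copies of the thread's configuration, zone names lower-cased.
HOSTS = """
corp eth0:10.0.0.0/8
"""

RULES = """
SECTION NEW
SSH(ACCEPT) corp $FW
SSH(DROP)   net  $FW
"""

POLICY = """
$FW net ACCEPT
net  all DROP info
all  all DROP info
"""

# Assumed macro table: only the SSH macro appears in the thread.
MACROS = {"SSH": ("tcp", 22)}


def _zone(name):
    """Resolve the $FW alias and normalise case as 'shorewall show' prints it."""
    return FW_ZONE if name == "$FW" else name.lower()


def _entries(text):
    """Yield the whitespace-split fields of non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hosts(text):
    """hosts file -> list of (zone, network)."""
    nets = []
    for fields in _entries(text):
        _iface, net = fields[1].split(":", 1)
        nets.append((_zone(fields[0]), ipaddress.ip_network(net)))
    return nets


def parse_rules(text):
    """rules file -> list of (action, src_zone, dst_zone, proto, dport)."""
    rules = []
    for fields in _entries(text):
        if fields[0] == "SECTION":
            continue  # only the NEW section is modelled here
        macro, action = fields[0].rstrip(")").split("(")
        proto, port = MACROS[macro]
        rules.append((action, _zone(fields[1]), _zone(fields[2]), proto, port))
    return rules


def parse_policy(text):
    """policy file -> list of (src_zone, dst_zone, policy); log level ignored."""
    return [(_zone(f[0]), _zone(f[1]), f[2]) for f in _entries(text)]


def zone_of(ip, hosts, firewall_ips):
    """Map an address to a zone: the firewall itself, a hosts entry, else 'net'."""
    addr = ipaddress.ip_address(ip)
    if addr in firewall_ips:
        return FW_ZONE
    for zone, net in hosts:
        if addr in net:
            return zone
    return "net"  # the catch-all ipv4 zone in this setup


def decide(src_zone, dst_zone, proto, dport, rules, policy):
    """First matching rule wins; otherwise the first matching policy applies."""
    for action, rs, rd, rp, rport in rules:
        if (rs, rd, rp, rport) == (src_zone, dst_zone, proto, dport):
            return action, "rule"
    for ps, pd, pol in policy:
        if ps in ("all", src_zone) and pd in ("all", dst_zone):
            return pol, "policy"
    raise ValueError("no policy covers %s -> %s" % (src_zone, dst_zone))


def classify(src_ip, dst_ip, proto, dport, firewall_ips=("192.0.2.10",)):
    """End to end: addresses -> zones -> (src, dst, verdict, what decided it)."""
    hosts, rules, policy = parse_hosts(HOSTS), parse_rules(RULES), parse_policy(POLICY)
    fw_ips = {ipaddress.ip_address(a) for a in firewall_ips}
    src, dst = zone_of(src_ip, hosts, fw_ips), zone_of(dst_ip, hosts, fw_ips)
    verdict, reason = decide(src, dst, proto, dport, rules, policy)
    return src, dst, verdict, reason


if __name__ == "__main__":
    # Constructed sample connections; 192.0.2.10 stands in for the firewall host.
    for s, d, p, port in [("10.1.2.3", "192.0.2.10", "tcp", 22),
                          ("198.51.100.7", "192.0.2.10", "tcp", 22),
                          ("10.1.2.3", "192.0.2.10", "tcp", 80),
                          ("192.0.2.10", "198.51.100.7", "tcp", 443)]:
        print(s, "->", d, p, port, classify(s, d, p, port))
```

Running it shows the point of the thread: ssh from a 10.x address to the firewall is ACCEPTed by the rule even though corp => fw carries a DROP policy, while any other corp => fw port falls through to that policy and is dropped; the policy table alone never predicts the ssh result.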