Hello,

I am looking for a way to have snort dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first.

Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason is that when I make a change to my firewall settings I want all connections to have to re-establish (without doing a reboot).

Thanks
Samson Solutions Inc
www.samson-solutions.ca

----------------------------------------------------------------------
This mail sent through Horde-Toaster (http://qmailtoaster.clikka.com/)
For the second part of your question:

/etc/shorewall/shorewall.conf:

ADMINISABSENTMINDED

(Added at version 1.4.7) - The value of this variable affects Shorewall's stopped state <http://www.shorewall.net/starting_and_stopping_shorewall.htm>. When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in /etc/shorewall/routestopped is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in /etc/shorewall/routestopped, connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed.

For the first part:

Look at dynamic blacklisting, and search the mailing list archives for snort. I remember a thread about this not too long ago.

http://www.shorewall.net/blacklisting_support.htm

Using snort, you can easily write a script to blacklist people based on their "snortiness." I think a suitable script is in the archives.

Alex Martin
http://www.rettc.com

shorewall@samson-solutions.ca wrote:
> Hello
>
> I am looking for a way to have snort dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first.
>
> Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason is that when I make a change to my firewall settings I want all connections to have to re-establish (without doing a reboot).
>
> Thanks
> Samson Solutions Inc
> www.samson-solutions.ca
>
> ----------------------------------------------------------------------
> This mail sent through Horde-Toaster (http://qmailtoaster.clikka.com/)
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Alex Martin wrote:
> For the second part of your question:
>
> /etc/shorewall/shorewall.conf:
>
> ADMINISABSENTMINDED
>
> (Added at version 1.4.7) - The value of this variable affects Shorewall's stopped state <http://www.shorewall.net/starting_and_stopping_shorewall.htm>. When ADMINISABSENTMINDED=No, only traffic to/from those addresses listed in /etc/shorewall/routestopped is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in /etc/shorewall/routestopped, connections that were active when Shorewall stopped continue to work and all new connections from the firewall system itself are allowed. If this variable is not set or is given the empty value then ADMINISABSENTMINDED=No is assumed.

ADMINISABSENTMINDED does not address the OP's original concern.

>> Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason is that when I make a change to my firewall settings I want all connections to have to re-establish (without doing a reboot).

The only way to clear the conntrack table is to unload the ipt_conntrack module (which requires that all modules that are dependent on that module are first unloaded). Obviously, this requires that Netfilter is compiled as modules. Unfortunately, some modules cannot be unloaded while there are connections using them, which leads to a "Catch 22" condition... This state of affairs has been whined about for years on the Netfilter list but no changes have been forthcoming.

You may wish to investigate the 'cutter' utility -- it allows the breaking of individual connections.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
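As an added example (not Tom's or Shorewall's code), the dry-run script below works out the unload order he describes from constructed lsmod output, starting from the connection tracking module (ip_conntrack on the 2.4/2.6 kernels of the time), and flags modules whose use count is held by something other than a listed module, such as loaded rules or live connections, which is the "Catch 22" he refers to. Module names, sizes and counts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): plan the rmmod sequence needed to drop
# the conntrack table by unloading ip_conntrack, dependents first.
# The lsmod output below is constructed; on a real box use LSMOD_SAMPLE=$(lsmod).
LSMOD_SAMPLE='Module                  Size  Used by
ipt_state                1536  2
ip_nat_ftp               2048  0
iptable_nat             17716  1 ip_nat_ftp
ip_conntrack_ftp         6912  1 ip_nat_ftp
ip_conntrack            32096  5 ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp
iptable_filter           2176  1
ip_tables               16704  3 ipt_state,iptable_nat,iptable_filter'

# users MOD: the modules lsmod lists as using MOD, space separated.
users() {
    printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$1" '$1 == m { gsub(",", " ", $4); print $4 }'
}

# pinned MOD: how many of MOD's users are not modules (loaded rules, live
# connections, helpers); rmmod fails while this is non-zero.
pinned() {
    printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$1" '
        $1 == m { n = ($4 == "") ? 0 : split($4, a, ","); print $3 - n }'
}

# walk MOD: post-order walk, every dependent of MOD before MOD itself.
walk() {
    for u in $(users "$1"); do
        walk "$u"
    done
    echo "$1"
}

# unload_plan MOD: the walk with repeats removed. Keeping the first occurrence
# is safe: a module's dependents were already printed before it first appeared.
unload_plan() {
    walk "$1" | awk '!seen[$0]++'
}

# unload_commands MOD: print, do not run, the rmmod sequence with warnings.
unload_commands() {
    for m in $(unload_plan "$1"); do
        held=$(pinned "$m")
        if [ "$held" -gt 0 ]; then
            echo "# $m still held by $held non-module user(s); rmmod will fail until they are gone"
        fi
        echo "rmmod $m"
    done
}

unload_commands ip_conntrack
```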
> ADMINISABSENTMINDED does not address the OP's original concern.

Quoting the OP:

"The reason is that when I make a change to my firewall settings I want all connections to have to re-establish"

In my experience, ADMINISABSENTMINDED=no and a shorewall stop will drop all connections not in routestopped, and thus connections must be reestablished. Ignoring "clearing netfilter tables", it seems this would work for his need? What am I missing here?

Alex Martin
http://www.rettc.com
Alex Martin wrote:
> Quoting the OP:
>
> "The reason is that when I make a change to my firewall settings I want all connections to have to re-establish"
>
> In my experience, ADMINISABSENTMINDED=no and a shorewall stop will drop all connections not in routestopped, and thus connections must be reestablished.

It does not remove the conntrack entries -- it simply deletes the rule(s) that allow packets in the ESTABLISHED and RELATED states. Once Shorewall is started again, these rules are re-added and the old connections come to life again.

-Tom
Hi,

I tried blocking P2P networking on my inet gateway using IPP2P with no result, now I'm giving a try to l7 ( http://l7-filter.sourceforge.net/ ). It actually works like a charm! Wow, what a powerful tool.

Now, what about Shorewall and L7? I want to match everything in its own chain (loc2net, wifi2net etc...), and I'd like to have a universal action ruleset.

I did define an action:

run_iptables -A $CHAIN -m layer7 --l7proto bittorrent -j DROP

but this matches only SYN packets, the rest is accepted by RELATED,ESTABLISHED.

Is there a way to put my custom DropP2P chain before the --state rule?

thx
Jan

P.S. it looks fast, I'll probably want to use it instead of per-port classification whatsoever :)
Jan Schermer wrote:
> I did define an action:
>
> run_iptables -A $CHAIN -m layer7 --l7proto bittorrent -j DROP
>
> but this matches only SYN packets, the rest is accepted by RELATED,ESTABLISHED.
>
> Is there a way to put my custom DropP2P chain before the --state rule?

No.

-Tom
Tom Eastep wrote:
> Jan Schermer wrote:
>> I did define an action:
>>
>> run_iptables -A $CHAIN -m layer7 --l7proto bittorrent -j DROP
>>
>> but this matches only SYN packets, the rest is accepted by RELATED,ESTABLISHED.
>>
>> Is there a way to put my custom DropP2P chain before the --state rule?
>
> No.

And you should really read the Layer7 documentation to understand why what you are trying to do is a bad idea anyway. Layer7, like ipp2p, should be used to limit the effect of P2P rather than to try to eradicate it.

-Tom
I know, but I need to match all traffic anyway...

Jan

Tom Eastep wrote:
> Tom Eastep wrote:
>> Jan Schermer wrote:
>>> I did define an action:
>>>
>>> run_iptables -A $CHAIN -m layer7 --l7proto bittorrent -j DROP
>>>
>>> but this matches only SYN packets, the rest is accepted by RELATED,ESTABLISHED.
>>>
>>> Is there a way to put my custom DropP2P chain before the --state rule?
>>
>> No.
>
> And you should really read the Layer7 documentation to understand why what you are trying to do is a bad idea anyway. Layer7, like ipp2p, should be used to limit the effect of P2P rather than to try to eradicate it.
>
> -Tom
Jan Schermer wrote:
> I know, but I need to match all traffic anyway...

Then do as the L7 docs suggest and mark packets in the mangle table -- you can even classify packets directly for QOS if your iptables/kernel support the CLASSIFY target and you are running Shorewall 2.2.

-Tom
Ok, I'll take a look at it, I just want to filter it out for now :) but thanks

Jan

Tom Eastep wrote:
> Jan Schermer wrote:
>> I know, but I need to match all traffic anyway...
>
> Then do as the L7 docs suggest and mark packets in the mangle table -- you can even classify packets directly for QOS if your iptables/kernel support the CLASSIFY target and you are running Shorewall 2.2.
>
> -Tom
Hi there,

> I am looking for a way to have snort dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first.
>
> Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason is that when I make a change to my firewall settings I want all connections to have to re-establish (without doing a reboot).

There are some apps that parse snort logs and execute iptables commands to protect your network. I guess some customization will be needed to work with shorewall.

Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
IT Consultant - ENEO Tecnologia SL
Tel. 95 455 40 62 - 619 04 55 18
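Alex's dynamic-blacklisting suggestion and Jaime's "parse snort logs, run firewall commands" approach, as an added example that is not from the thread or from Shorewall: a dry-run filter that turns constructed Snort fast-format alerts into "shorewall drop" commands for review, with a priority threshold and a never-block prefix list so that a spoofed or internal source cannot get the local network blacklisted. The alert lines, addresses (documentation ranges) and sids (local-rules range) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn Snort fast-format alerts into
# Shorewall dynamic-blacklist commands ("shorewall drop ADDR"), printed for
# review rather than executed. Alerts, addresses and sids are constructed.
ALERTS='03/01-22:19:01.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 1] {TCP} 192.0.2.10:4444 -> 10.0.0.5:22
03/01-22:19:02.000002  [**] [1:1000002:1] constructed low-priority alert [**] [Priority: 3] {UDP} 203.0.113.9:5353 -> 10.0.0.5:53
03/01-22:19:03.000003  [**] [1:1000001:1] constructed test alert [**] [Priority: 1] {TCP} 10.0.0.20:3333 -> 10.0.0.5:22
03/01-22:19:04.000004  [**] [1:1000003:1] constructed test alert [**] [Priority: 2] {TCP} 198.51.100.7:1025 -> 10.0.0.5:25
03/01-22:19:05.000005  [**] [1:1000001:1] constructed test alert [**] [Priority: 1] {TCP} 192.0.2.10:4445 -> 10.0.0.5:22'

# Sources that must never be auto-blocked, as address prefixes (constructed:
# the 10/8 local net and loopback). Spoofed alerts would otherwise let an
# outsider get your own hosts blacklisted.
NEVER_BLOCK_PREFIXES='10. 127.'

# block_candidates MAXPRIO: read alerts on stdin and print each distinct source
# address whose alert priority is MAXPRIO or more severe (Snort: 1 is highest),
# skipping the never-block prefixes. Nothing is executed here.
block_candidates() {
    awk -v maxprio="$1" -v skip="$NEVER_BLOCK_PREFIXES" '
        BEGIN { n = split(skip, pre, " ") }
        match($0, /\[Priority: [0-9]+\]/) {
            prio = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (prio > maxprio + 0) next
            src = ""
            for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)            # drop the source port
            if (src == "") next
            for (j = 1; j <= n; j++) if (index(src, pre[j]) == 1) next
            if (!seen[src]++) print src
        }'
}

# emit_drops MAXPRIO: the commands an operator would review before running;
# "shorewall drop" adds the address to the dynamic blacklist.
emit_drops() {
    block_candidates "$1" | while read -r ip; do
        echo "shorewall drop $ip"
    done
}

printf '%s\n' "$ALERTS" | emit_drops 2
```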
I have a mail server sitting behind a content filtering mail gateway also running shorewall. Shorewall is currently just doing IP Masquerading for the mail server, but I'm getting to the point where I want it to have to send its outbound mail to the shorewall box for content filtering (spam/antivirus). Since masq isn't used for access control (thanks Tom) I assume I'm wanting to use a REDIRECT rule here. Something perhaps like:

REDIRECT loc 25 tcp 25 - !10.0.0.0/8
ACCEPT fw net tcp 25

Is this the correct way to accomplish this?
Karsten Bräckelmann
2005-Mar-01 22:19 UTC
Re: REDIRECT for a mail server behind a firewall?
Please do not Reply to an unrelated thread simply removing all quoted text, when you mean to open a new thread. The In-Reply-To and References headers are set and properly used by good mail clients...

> I have a mail server sitting behind a content filtering mail gateway also running shorewall. Shorewall is currently just doing IP Masquerading for the mail server, but I'm getting to the point where I want it to have to send its outbound mail to the shorewall box for content filtering (spam/antivirus). Since masq isn't used for access control (thanks Tom) I assume I'm wanting to use a REDIRECT rule here. Something perhaps like:
>
> REDIRECT loc 25 tcp 25 - !10.0.0.0/8
> ACCEPT fw net tcp 25
>
> Is this the correct way to accomplish this?

If I got that right, that's not the correct way. REDIRECT causes the connection request to be redirected to a port on the local (firewall) system. [1] Which in this case means, connection requests to the fw system on port 25 will be redirected to port 25 on the very same machine... Didn't try this, but it would be interesting if this will be detected as a config error on starting shorewall, or if it actually would bring down the server easily with one single connection request. ;)

I believe the easiest solution would be to use the content filtering gateway as a Mail Relay in the mail server's config, no?

If you want to take precautions at the firewall level, DNAT should be what you need:

DNAT loc fw tcp 25 - !10.0.0.0/8

This should "capture" all outbound connections to port 25 to a destination other than 10.0.0.0/8 passing the firewall, redirecting the connection to the firewall itself.

HTH
karsten

[1] http://shorewall.net/Documentation.htm#Rules
--
Davision - Atelier fuer Gestaltung / Internet / Multimedia
UNIX / Linux networks and training
Phone 06151/273859  Fax 06151/273862