On Sat, 14 Feb 2004, Alex Volkov wrote:

> Hi everyone,
>
> I'd like to block all outgoing traffic on certain ports from my system.
> I have one interface (ppp0). From what I understand I have to edit the rules
> file. This is something I'm considering putting in it.
>
> ACTION SOURCE DEST PROTO DESTPORT SourcePorts OriginalDest
>
> DROP fw net all ?? 32222-32333,32444-32555,etc ???
>

What problem are you trying to solve? The above is nonsense:

a) Port numbers only pertain to tcp and udp so PROTO=all won't work.
b) Why is it that you want to restrict the *source* ports?

> Is this right? Also, what are the differences between DROP and REJECT?
> It seems like the same thing at least to me. Thanks.
>

If you are running a broken 2.4 kernel (most notably, RedHat kernels from
2.4.20-0 up until 2.4.27.x), they *are* the same for TCP. Otherwise,
REJECT returns a rejection packet (TCP RST or ICMP) while DROP simply
ignores the request.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 14 Feb 2004, Alex Volkov wrote:

> > What problem are you trying to solve? The above is nonsense:
> >
> > a) Port numbers only pertain to tcp and udp so PROTO=all won't work.
> > b) Why is it that you want to restrict the *source* ports?
>
> While running p0f (Passive OS Fingerprinting), it showed that my IP
> constantly connects to external servers from different ports, like so:
>
> 195.242.XX.XX:32768 --> 193.1.XXX.XX:80
> 195.242.xx.xx:32769 --> 201.112.XX.XXX:80
> 195.242.XX.XX:32770 --> 64.5.XX.XX:80
>

EGads! -- Someone on your computer is Web Surfing!!!!!!!!

> I suspect my ISP is logging my activity, which I think isn't a very good idea.

I think your ISP probably *assumes* that you are web surfing and is
probably completely uninterested. Also, you can't stop your ISP from
capturing this information.

> I'm not sure if I want to restrict *source* ports, I just
> want my computer not to contact anything I'm not asking it to.
>

If you want to restrict output connections to those *types* of connections
that you feel are appropriate, then:

a) Remove the "fw->net ACCEPT" policy.
b) Add rules for the types of traffic that you feel appropriate.

WARNING: I don't think you know enough about IP to pull this off.
Nevertheless, start with this set of rules:

ACCEPT fw net tcp 80   #HTTP
ACCEPT fw net udp 53   #DNS
ACCEPT fw net tcp 53   # "
ACCEPT fw net tcp 21   #FTP
ACCEPT fw net tcp 110  #POP3
ACCEPT fw net tcp 443  #HTTPS
ACCEPT fw net tcp 25   #SMTP

This will allow outbound: HTTP, DNS, FTP, POP3, HTTPS and SMTP. Note that
this set of rules allows your computer to receive viruses and to spread
them all over the internet -- you simply can't stop that sort of thing
with a packet filter.

If you try this, please don't post complaining "Now ICQ doesn't work" or
"Now PCAnywhere doesn't work". http://www.shorewall.net/ports.htm gives
you some help as will Shorewall FAQ 17.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi everyone,

I'd like to block all outgoing traffic on certain ports from my system.
I have one interface (ppp0). From what I understand I have to edit the rules
file. This is something I'm considering putting in it.

ACTION SOURCE DEST PROTO DESTPORT SourcePorts OriginalDest

DROP fw net all ?? 32222-32333,32444-32555,etc ???

Is this right? Also, what are the differences between DROP and REJECT? It
seems like the same thing at least to me. Thanks.

Alex.
On Fri, 13 Feb 2004 17:21:28 -0800 (Pacific Standard Time)
Tom Eastep <teastep@shorewall.net> wrote:

> On Sat, 14 Feb 2004, Alex Volkov wrote:
>
> > Hi everyone,
> >
> > I'd like to block all outgoing traffic on certain ports from my system.
> > I have one interface (ppp0). From what I understand I have to edit the rules
> > file. This is something I'm considering putting in it.
> >
> > ACTION SOURCE DEST PROTO DESTPORT SourcePorts OriginalDest
> >
> > DROP fw net all ?? 32222-32333,32444-32555,etc ???
> >
>
> What problem are you trying to solve? The above is nonsense:
>
> a) Port numbers only pertain to tcp and udp so PROTO=all won't work.
> b) Why is it that you want to restrict the *source* ports?

While running p0f (Passive OS Fingerprinting), it showed that my IP
constantly connects to external servers from different ports, like so:

195.242.XX.XX:32768 --> 193.1.XXX.XX:80
195.242.xx.xx:32769 --> 201.112.XX.XXX:80
195.242.XX.XX:32770 --> 64.5.XX.XX:80

I suspect my ISP is logging my activity, which I think isn't a very good
idea. I'm not sure if I want to restrict *source* ports, I just want my
computer not to contact anything I'm not asking it to.

Thanks.
Alex.

> > Is this right? Also, what are the differences between DROP and REJECT?
> > It seems like the same thing at least to me. Thanks.
> >
>
> If you are running a broken 2.4 kernel (most notably, RedHat kernels from
> 2.4.20-0 up until 2.4.27.x), they *are* the same for TCP. Otherwise,
> REJECT returns a rejection packet (TCP RST or ICMP) while DROP simply
> ignores the request.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Thanks for your suggestion. I'll try this out.

Alex.

On Fri, 13 Feb 2004 18:38:37 -0800 (Pacific Standard Time)
Tom Eastep <teastep@shorewall.net> wrote:

> On Sat, 14 Feb 2004, Alex Volkov wrote:
>
> > > What problem are you trying to solve? The above is nonsense:
> > >
> > > a) Port numbers only pertain to tcp and udp so PROTO=all won't work.
> > > b) Why is it that you want to restrict the *source* ports?
> >
> > While running p0f (Passive OS Fingerprinting), it showed that my IP
> > constantly connects to external servers from different ports, like so:
> >
> > 195.242.XX.XX:32768 --> 193.1.XXX.XX:80
> > 195.242.xx.xx:32769 --> 201.112.XX.XXX:80
> > 195.242.XX.XX:32770 --> 64.5.XX.XX:80
> >
>
> EGads! -- Someone on your computer is Web Surfing!!!!!!!!
>
> > I suspect my ISP is logging my activity, which I think isn't a very good idea.
>
> I think your ISP probably *assumes* that you are web surfing and is
> probably completely uninterested. Also, you can't stop your ISP from
> capturing this information.
>
> > I'm not sure if I want to restrict *source* ports, I just
> > want my computer not to contact anything I'm not asking it to.
> >
>
> If you want to restrict output connections to those *types* of connections
> that you feel are appropriate, then:
>
> a) Remove the "fw->net ACCEPT" policy.
> b) Add rules for the types of traffic that you feel appropriate.
>
> WARNING: I don't think you know enough about IP to pull this off.
> Nevertheless, start with this set of rules:
>
> ACCEPT fw net tcp 80   #HTTP
> ACCEPT fw net udp 53   #DNS
> ACCEPT fw net tcp 53   # "
> ACCEPT fw net tcp 21   #FTP
> ACCEPT fw net tcp 110  #POP3
> ACCEPT fw net tcp 443  #HTTPS
> ACCEPT fw net tcp 25   #SMTP
>
> This will allow outbound: HTTP, DNS, FTP, POP3, HTTPS and SMTP. Note that
> this set of rules allows your computer to receive viruses and to spread
> them all over the internet -- you simply can't stop that sort of thing
> with a packet filter.
>
> If you try this, please don't post complaining "Now ICQ doesn't work" or
> "Now PCAnywhere doesn't work". http://www.shorewall.net/ports.htm gives
> you some help as will Shorewall FAQ 17.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Sun, 15 Feb 2004, Alex Volkov wrote:

> Hi again, Tom.
>
> I'm not sure, but I think you forgot to mention that I need not only to
> remove the fw --> net ACCEPT policy, but also to add fw --> net DROP (or at
> least REJECT) to the policy file. I'm connecting to IMAP4 now with no
> problem, however, from what I understand I wouldn't be able to do so
> if all my outbound traffic was blocked. Reading the documentation,
> I understand that the rules file sets the exclusions to the POLICY file.
> If no fw --> net DROP policy file exists, I doubt that all my outbound
> traffic (except for HTTP, DNS, FTP, POP3, etc.) is blocked. Am I missing
> something?
>

You have an all->all REJECT policy, right? If so then that will be the
applicable policy. Remember -- RULES ONLY GOVERN THE ESTABLISHMENT OF NEW
CONNECTIONS. Your existing IMAP connections will continue to work
indefinitely.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Saturday 14 February 2004 07:35 pm, Alex Volkov wrote:

> On Sat, 14 Feb 2004 16:04:36 -0800 (Pacific Standard Time)
> Tom Eastep <teastep@shorewall.net> wrote:
> > On Sun, 15 Feb 2004, Alex Volkov wrote:
> > > Hi again, Tom.
> > >
> > > I'm not sure, but I think you forgot to mention that I need not only
> > > to remove the fw --> net ACCEPT policy, but also to add fw --> net DROP (
> > > or at least REJECT) to the policy file. I'm connecting to IMAP4 now with
> > > no problem, however, from what I understand I wouldn't be able to do so
> > > if all my outbound traffic was blocked. Reading the documentation, I
> > > understand that the rules file sets the exclusions to the POLICY file. If
> > > no fw --> net DROP policy file exists, I doubt that all my outbound
> > > traffic (except for HTTP, DNS, FTP, POP3, etc.) is blocked. Am I missing
> > > something?
> >
> > You have an all->all REJECT policy, right?
>
> Right, but anyway this sounds a bit confusing. Coming back to my original
> question, how do I make sure that my outbound ports 32234-32999 are
> blocked. When I installed shorewall, it asked me for a /var/log/messages
> file which I thought would log all drop, reject and allow connections,
> however when I check it, it looks empty. Are there any tools which allow me
> to see all packets allowed and rejected? Thanks.
>

I give up.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Saturday 14 February 2004 07:35 pm, Alex Volkov wrote:

> Right, but anyway this sounds a bit confusing.

Alex -- it is explained in the comments at the head of the
/etc/shorewall/policy file; it is explained in the Introduction to Shorewall
which is linked from the Documentation page; it is explained in every one of
the QuickStart Guides; it is explained in the detailed documentation about
the /etc/shorewall/policy file:

The first policy in /etc/shorewall/policy that matches a pair of zones is
the policy that will govern traffic from the first zone of the pair to the
second. The last policy in the file is

all all REJECT

This policy matches ANY pair of zones so that if you don't have an explicit
policy from 'loc' to 'net', 'loc' to 'all' or 'all' to 'net' then the
all->all REJECT policy will apply.

I'm sorry if that is confusing to you but it is one of the base principles
of Shorewall and it's not going to change.

> Coming back to my original
> question, how do I make sure that my outbound ports 32234-32999 are
> blocked. When I installed shorewall, it asked me for a /var/log/messages
> file which I thought would log all drop, reject and allow connections,
> however when I check it, it looks empty.

No code that I provide prompts you for anything before, during or after
installation so I don't know what you are talking about. In most setups, it
is your syslogd configuration that determines where Shorewall messages are
logged rather than anything in Shorewall. The LOGFILE setting in
/etc/shorewall/shorewall.conf is there to tell the /sbin/shorewall program
where to look for log messages; it has nothing to do with where messages get
logged. I suggest however that you consult the FAQ; there is an entire
section on logging.

> Are there any tools which allow me
> to see all packets allowed and rejected? Thanks.
>

If you read the first FAQ entry in the Logging section, it will take you to
a page that explains Shorewall logging in detail.

Once you have logging properly configured, both the "shorewall show log" and
"shorewall logwatch" commands can be useful as can the "shorewall hits"
command.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
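The way Tom's advice fits together (drop the fw->net ACCEPT policy, list the permitted services as ACCEPT rules, let the all->all REJECT policy catch the rest, and remember that rules only decide NEW connections) can be seen by modelling the decision in a few lines. The following is an added illustration written for this thread, not Shorewall's own code: the Conn class, decide() and outbound_outcomes() are hypothetical names, the "net all DROP" policy line is an assumed default, and the rule and policy tuples are simplified transcriptions of the /etc/shorewall/rules and /etc/shorewall/policy columns.

```python
"""Toy model of how Shorewall decides the fate of a NEW connection:
the rules file is checked first (it lists exceptions), then the first
policy whose zone pair matches wins.  Illustration only, not Shorewall code.
'all' matches any zone, as in /etc/shorewall/policy."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    src_zone: str
    dst_zone: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    sport: Optional[int] = None
    new: bool = True             # False: packet of an already established connection


def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def _port_match(spec: Optional[str], port: Optional[int]) -> bool:
    """spec as written in the rules file: None or '-' (any), '80', '80,443', '1024:65535'."""
    if spec in (None, "-", ""):
        return True
    if port is None:
        return False
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def decide(conn: Conn, rules, policies) -> str:
    """rules: (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)) tuples;
    policies: ordered (SOURCE, DEST, POLICY) tuples.  Returns ACCEPT/REJECT/DROP."""
    if not conn.new:
        # Tom's point: rules only govern NEW connections; packets belonging to an
        # established connection are accepted by connection tracking first.
        return "ACCEPT"
    for action, src, dst, proto, dport, sport in rules:
        if (_zone_match(src, conn.src_zone) and _zone_match(dst, conn.dst_zone)
                and (proto == "all" or proto == conn.proto)
                and _port_match(dport, conn.dport)
                and _port_match(sport, conn.sport)):
            return action.split(":", 1)[0]      # strip a ":info" log-level suffix
    for src, dst, policy in policies:           # first matching policy wins
        if _zone_match(src, conn.src_zone) and _zone_match(dst, conn.dst_zone):
            return policy
    raise ValueError("no policy matched; a catch-all 'all all' policy is expected")


# Tom's rule set from the thread (comments give the service).
TOMS_RULES = [
    ("ACCEPT", "fw", "net", "tcp", "80",  None),   # HTTP
    ("ACCEPT", "fw", "net", "udp", "53",  None),   # DNS
    ("ACCEPT", "fw", "net", "tcp", "53",  None),   # DNS over TCP
    ("ACCEPT", "fw", "net", "tcp", "21",  None),   # FTP
    ("ACCEPT", "fw", "net", "tcp", "110", None),   # POP3
    ("ACCEPT", "fw", "net", "tcp", "443", None),   # HTTPS
    ("ACCEPT", "fw", "net", "tcp", "25",  None),   # SMTP
]

# Assumed one-interface policy file before Tom's advice: fw->net ACCEPT comes
# first, so it shadows the catch-all and every outbound connection is allowed
# no matter what the rules file says.  ("net all DROP" is an assumed default.)
WEAK_POLICIES = [("fw", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

# After removing fw->net ACCEPT: outbound connections not listed in the rules
# fall through to all->all REJECT.
RESTRICTED_POLICIES = [("net", "all", "DROP"), ("all", "all", "REJECT")]


def outbound_outcomes(policies, rules=TOMS_RULES):
    """Fate of a few representative outbound connections under a policy file."""
    probes = {
        "http":          Conn("fw", "net", "tcp", dport=80),
        "dns-udp":       Conn("fw", "net", "udp", dport=53),
        "irc":           Conn("fw", "net", "tcp", dport=6667),
        "imap-new":      Conn("fw", "net", "tcp", dport=143),
        "imap-existing": Conn("fw", "net", "tcp", dport=143, new=False),
    }
    return {name: decide(c, rules, policies) for name, c in probes.items()}


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICIES), ("restricted", RESTRICTED_POLICIES)):
        print(label, outbound_outcomes(pol))
```

Running it shows the two things Alex was unsure about: with fw->net ACCEPT in place the rules file changes nothing (every probe is ACCEPT), and once that line is gone a new IMAP connection is REJECTed by the catch-all policy while the existing IMAP session keeps working, exactly as Tom says.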
|> You have an all->all REJECT policy, right?
|
|Right, but anyway this sounds a bit confusing. Coming back to my
|original question, how do I make sure that my outbound ports
|32234-32999 are blocked.

REJECT:info lan net tcp 80 1024:65535

this rule will log and reject every packet coming from ports between
1024 and 65535, going to port 80, i.e. web surfing.
(from zone lan to zone net, put your zones here.)

|When I installed shorewall, it asked me for
|a /var/log/messages file which I thought would log all drop, reject
|and allow connections, however when I check it, it looks empty. Are
|there any tools which allow me to see all packets allowed and
|rejected? Thanks.
|

make sure you log everywhere:

your policies should look like this:
(info is the log level, and is asking for logging.)

all all REJECT info

your rules should look like this:
(info is the log level, and is asking for logging.)

ACCEPT:info lan fw tcp 6666

all your logs should be in some file in /var/log/

ls -lart /var/log/

will give you the last file modified.

did you have a look at
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html ?
http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO.html ?

bye
--
xavier
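Once policies and rules carry the "info" log level that xavier describes, every new connection shows up as a kernel LOG line, which is what Tom's "shorewall show log" and "shorewall logwatch" read. The parser below is an added example written for this thread, not Shorewall code; it assumes the default "Shorewall:<chain>:<disposition>:" log prefix and the netfilter key=value fields, and the sample lines are constructed (RFC 5737 documentation addresses, a made-up host name) rather than taken from any real log.

```python
"""Parse Shorewall (netfilter LOG) lines and summarise what the firewall
accepted, rejected and dropped.  Added illustration, not Shorewall code.
Assumes the default log prefix  Shorewall:<chain>:<disposition>:  followed
by the kernel's KEY=VALUE fields."""
import re
from collections import Counter

# Constructed sample log (RFC 5737 addresses, fake host "gw"); the last line
# is deliberately not a firewall message so the parser has to skip it.
SAMPLE_LOG = """\
Feb 15 10:12:01 gw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=32768 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:12:02 gw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Feb 15 10:12:05 gw kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=32770 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:12:06 gw kernel: Shorewall:fw2net:REJECT:IN= OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=32771 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:13:00 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5 DF PROTO=TCP SPT=4567 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 15 10:13:30 gw kernel: unrelated kernel message, not a firewall log
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    kv = {}
    for token in m.group("fields").split():
        if "=" in token:                  # flags such as DF / SYN carry no '='
            key, value = token.split("=", 1)
            kv[key] = value
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO", "").lower(),
        "sport": int(kv["SPT"]) if "SPT" in kv else None,   # absent for ICMP
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Count log entries per (chain, disposition, proto, dport): a compact
    answer to 'what did the firewall allow and reject'."""
    return Counter((e["chain"], e["disposition"], e["proto"], e["dport"]) for e in entries)


def outbound_in_source_range(entries, lo, hi):
    """Outbound (fw2net) connections whose source port falls in lo..hi, the
    view Alex was looking for when he asked about ports 32234-32999."""
    return [(e["disposition"], e["dst"], e["sport"], e["dport"])
            for e in entries
            if e["chain"] == "fw2net" and e["sport"] is not None and lo <= e["sport"] <= hi]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, count in sorted(summarize(entries).items(), key=str):
        print(count, key)
    print(outbound_in_source_range(entries, 32768, 32770))
```

The summary shows two REJECTed outbound attempts to tcp/6667 next to the accepted HTTP and DNS traffic, and the source-port view makes the point from the thread concrete: the ephemeral source ports (32768, 32769, ...) simply increment per connection, so filtering by them tells you nothing about which service was contacted; the DPT column does.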
Alex Volkov wrote:

> While running p0f (Passive OS Fingerprinting), it showed
> that my IP constantly connects to external servers from
> different ports, like so:
>
> 195.242.XX.XX:32768 --> 193.1.XXX.XX:80
> 195.242.xx.xx:32769 --> 201.112.XX.XXX:80
> 195.242.XX.XX:32770 --> 64.5.XX.XX:80
>
> I suspect my ISP is logging my activity, which I think isn't
> a very good idea. I'm not sure if I want to restrict *source*
> ports, I just want my computer not to contact anything I'm
> not asking it to.

I'm still trying to figure out why you're thinking about blocking randomly
assigned source ports.

FWIW: A while back, I was running ethereal on my firewall and noticed some
network activity that caught me off guard. At least initially. My first
thought was one of my systems was infected with a virus, but after some
investigating I found...

1) Both W2K systems on my network were polling the windows update sites.
2) My redhat servers were checking in with up2date to see if there were any
   new rpm's
3) My wife's system was running weatherbug and was polling the weatherbug
   servers.
4) One of my redhat systems was running the weatherbug equivalent and was
   polling its servers.

There were probably a few others, but I eventually determined that it was
not a virus.

Steve Cowles
On Fri, 13 Feb 2004 18:38:37 -0800 (Pacific Standard Time)
Tom Eastep <teastep@shorewall.net> wrote:

> On Sat, 14 Feb 2004, Alex Volkov wrote:
>
> > > What problem are you trying to solve? The above is nonsense:
> > >
> > > a) Port numbers only pertain to tcp and udp so PROTO=all won't work.
> > > b) Why is it that you want to restrict the *source* ports?
> >
> > While running p0f (Passive OS Fingerprinting), it showed that my IP
> > constantly connects to external servers from different ports, like so:
> >
> > 195.242.XX.XX:32768 --> 193.1.XXX.XX:80
> > 195.242.xx.xx:32769 --> 201.112.XX.XXX:80
> > 195.242.XX.XX:32770 --> 64.5.XX.XX:80
> >
>
> EGads! -- Someone on your computer is Web Surfing!!!!!!!!
>
> > I suspect my ISP is logging my activity, which I think isn't a very good idea.
>
> I think your ISP probably *assumes* that you are web surfing and is
> probably completely uninterested. Also, you can't stop your ISP from
> capturing this information.
>
> > I'm not sure if I want to restrict *source* ports, I just
> > want my computer not to contact anything I'm not asking it to.
> >
>
> If you want to restrict output connections to those *types* of connections
> that you feel are appropriate, then:
>
> a) Remove the "fw->net ACCEPT" policy.
> b) Add rules for the types of traffic that you feel appropriate.
>
> WARNING: I don't think you know enough about IP to pull this off.
> Nevertheless, start with this set of rules:
>
> ACCEPT fw net tcp 80   #HTTP
> ACCEPT fw net udp 53   #DNS
> ACCEPT fw net tcp 53   # "
> ACCEPT fw net tcp 21   #FTP
> ACCEPT fw net tcp 110  #POP3
> ACCEPT fw net tcp 443  #HTTPS
> ACCEPT fw net tcp 25   #SMTP
>
> This will allow outbound: HTTP, DNS, FTP, POP3, HTTPS and SMTP.

Hi again, Tom.

I'm not sure, but I think you forgot to mention that I need not only to
remove the fw --> net ACCEPT policy, but also to add fw --> net DROP (or at
least REJECT) to the policy file. I'm connecting to IMAP4 now with no
problem, however, from what I understand I wouldn't be able to do so if all
my outbound traffic was blocked. Reading the documentation, I understand
that the rules file sets the exclusions to the POLICY file. If no fw --> net
DROP policy file exists, I doubt that all my outbound traffic (except for
HTTP, DNS, FTP, POP3, etc.) is blocked. Am I missing something?

Alex.

> Note that
> this set of rules allows your computer to receive viruses and to spread
> them all over the internet -- you simply can't stop that sort of thing
> with a packet filter.
>
> If you try this, please don't post complaining "Now ICQ doesn't work" or
> "Now PCAnywhere doesn't work". http://www.shorewall.net/ports.htm gives
> you some help as will Shorewall FAQ 17.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Sat, 14 Feb 2004 16:04:36 -0800 (Pacific Standard Time)
Tom Eastep <teastep@shorewall.net> wrote:

> On Sun, 15 Feb 2004, Alex Volkov wrote:
>
> > Hi again, Tom.
> >
> > I'm not sure, but I think you forgot to mention that I need not only to
> > remove the fw --> net ACCEPT policy, but also to add fw --> net DROP (or
> > at least REJECT) to the policy file. I'm connecting to IMAP4 now with no
> > problem, however, from what I understand I wouldn't be able to do so
> > if all my outbound traffic was blocked. Reading the documentation,
> > I understand that the rules file sets the exclusions to the POLICY file.
> > If no fw --> net DROP policy file exists, I doubt that all my outbound
> > traffic (except for HTTP, DNS, FTP, POP3, etc.) is blocked. Am I missing
> > something?
> >
>
> You have an all->all REJECT policy, right?

Right, but anyway this sounds a bit confusing. Coming back to my original
question, how do I make sure that my outbound ports 32234-32999 are blocked.
When I installed shorewall, it asked me for a /var/log/messages file which I
thought would log all drop, reject and allow connections, however when I
check it, it looks empty. Are there any tools which allow me to see all
packets allowed and rejected? Thanks.

Alex.

> If so then that will be the
> applicable policy. Remember -- RULES ONLY GOVERN THE ESTABLISHMENT OF NEW
> CONNECTIONS. Your existing IMAP connections will continue to work
> indefinitely.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Saturday 14 February 2004 06:42 pm, Cowles, Steve wrote:

> FWIW: A while back, I was running ethereal on my firewall and noticed some
> network activity that caught me off guard. At least initially. My first
> thought was one of my systems was infected with a virus, but after some
> investigating I found...
>
> 1) Both W2K systems on my network were polling the windows update sites.
> 2) My redhat servers were checking in with up2date to see if there were any
>    new rpm's
> 3) My wife's system was running weatherbug and was polling the weatherbug
>    servers.
> 4) One of my redhat systems was running the weatherbug equivalent and was
>    polling its servers.
>
> There were probably a few others,

I have three IM accounts that produce continuous chatter. Also Anti-Virus
updates are checked every hour.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net