Reuben D. Budiardja
2003-Nov-12 12:52 UTC
[Shorewall-users] output thru USB for Zaurus PDA got REJECT
Hello,

I have a Zaurus SL 5500 PDA that I connect to my machine thru the USB, using the usbnet kernel module. The Zaurus has an SSH server, and when shorewall is not running I can SSH to it. However, after starting shorewall, I got the following:

Nov 12 15:52:35 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.1 DST=192.168.129.201 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50238 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:52:35 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.201 DST=192.168.129.1 LEN=40 TOS=0x10 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=22 DPT=50238 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 12 15:52:38 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.1 DST=192.168.129.201 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50238 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
etc.

when trying to SSH to 192.168.129.201, which is the IP of the Zaurus thru USB. I am not sure what to add in the rules or interface file. Could anyone help?

Thanks.
RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy
something, don't you? Really, I'm not out to destroy
Microsoft. That will just be a completely unintentional
side effect."
- Linus Torvalds -
Alex Martin
2003-Nov-12 14:35 UTC
[Shorewall-users] output thru USB for Zaurus PDA got REJECT
Hello,

I am not sure how you have your firewall set up. So note I am guessing here... Based on the standalone setup guide (http://www.shorewall.net/standalone.htm):

I assume you have a zone defined for your usb0 interface in /etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      norfc1918,tcpflags,blacklist
    usb     usb0        detect
    #EOF

And a corresponding zone defined in /etc/shorewall/zones:

    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet
    usb     usb       zone for usb0 interface
    #EOF

Then, assuming that something similar to the above is configured, and that the rest of your configuration follows the standalone guide, http://www.shorewall.net/standalone.htm, you just need to add the proper rule for ssh in /etc/shorewall/rules:

    #RESULT   CLIENT(S)   SERVER(S)   PROTO   PORT(S)   CLIENT PORT(S)   ADDRESS
    ACCEPT    fw          usb         tcp     ssh
    #EOF

I am not familiar with usb network interfaces, but I assume that they behave just like a regular net interface (eth0, say).

If this does not clear things up, please reply with the output requested at http://www.shorewall.net/support.htm and that will provide enough information to understand and solve your problem.

I am pretty sure that you do not have the zone and/or interface defined, as well as a default policy, as usually a policy such as net2all is the source of a log message instead of OUTPUT:REJECT.

In summary, please go through the guide for standalone servers, assuming that is your setup, then post the info from the support link above, and I am sure we can solve your problem.

Doing my best,

Alex Martin
http://www.rettc.com

----- Original Message -----
From: "Reuben D. Budiardja" <techlist@voyager.phys.utk.edu>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, November 12, 2003 1:55 PM
Subject: [Shorewall-users] output thru USB for Zaurus PDA got REJECT

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
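The reply above reads the chain name in the log prefix (OUTPUT:REJECT rather than a zone-pair chain such as net2all) as the clue that usb0 is not in any zone. The following Python script is an added example, not code from the thread or from the Shorewall project: it parses Shorewall kernel log lines into fields, counts rejected flows, and applies that same chain-name reasoning. The sample log is constructed from the three lines in the question plus one made-up net2all line with documentation addresses; the src2dst chain-naming rule it relies on is an assumption about Shorewall 1.x.

```python
import re
from collections import Counter

# Constructed sample: the three OUTPUT:REJECT lines from the question plus one
# made-up net2all hit (documentation addresses) so both chain styles appear.
SAMPLE_LOG = """\
Nov 12 15:52:35 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.1 DST=192.168.129.201 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50238 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:52:35 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.201 DST=192.168.129.1 LEN=40 TOS=0x10 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=22 DPT=50238 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 12 15:52:38 voyager kernel: Shorewall:OUTPUT:REJECT:IN= OUT=usb0 SRC=192.168.129.1 DST=192.168.129.201 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50238 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:53:01 voyager kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=12345 DF PROTO=TCP SPT=4455 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<disposition>:" is the log prefix; the rest is KEY=VALUE
# pairs from the kernel, plus bare flag tokens such as DF, SYN, ACK, RST.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}


def parse_line(line):
    """Return a dict for one Shorewall kernel log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    entry.update(dict(KV_RE.findall(rest)))        # IN= yields an empty string
    entry["flags"] = sorted(t for t in rest.split() if t in TCP_FLAGS)
    return entry


def summarize(text):
    """Count REJECT/DROP flows by (chain, in, out, src, dst, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or e["disposition"] not in {"REJECT", "DROP"}:
            continue
        key = (e["chain"], e.get("IN", ""), e.get("OUT", ""), e.get("SRC", "?"),
               e.get("DST", "?"), e.get("PROTO", "?"), e.get("DPT", "-"))
        counts[key] += 1
    return counts


def explain(entry):
    """Map the chain name to the likely cause, following the reply's reasoning.

    Assumption: Shorewall names zone-pair chains src2dst (net2all, fw2usb, ...);
    a built-in INPUT/OUTPUT/FORWARD name means no zone pair matched at all.
    """
    chain = entry["chain"]
    if chain in BUILTIN_CHAINS:
        iface = entry.get("OUT") or entry.get("IN") or "?"
        return (f"no zone pair matched; check that {iface} is listed in "
                f"/etc/shorewall/interfaces with a zone from /etc/shorewall/zones")
    if "2" in chain:
        src, dst = chain.split("2", 1)
        return (f"{src}->{dst} policy from /etc/shorewall/policy; add a rule in "
                f"/etc/shorewall/rules if this traffic is wanted")
    return f"chain {chain}"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        chain, _in, out, src, dst, proto, dport = key
        print(f"{n}x {chain:8s} in={_in or '-':5s} out={out or '-':5s} "
              f"{src} -> {dst} {proto}/{dport}")
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print("first line:", explain(first))
```

Running it against a real /var/log/messages (feed the file contents to summarize) gives a per-chain table; the two OUTPUT entries for 192.168.129.1 -> 192.168.129.201 tcp/22 are the SYNs from the question, and the explain() text for them points at the interfaces and zones files, which is exactly what the reply asks to check.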
Alex Martin
2003-Nov-12 14:45 UTC
[Shorewall-users] output thru USB for Zaurus PDA got REJECT
Oh, please note that the badly linewrapped OPTIONS for /etc/shorewall/interfaces may not apply to your setup. The options below are for a public machine; please see the documentation for adding the correct options. If you are on a private network, you will definitely want to change those.

----- Original Message -----
From: "Alex Martin" <shorewall@rettc.com>
To: <techlist@voyager.phys.utk.edu>; "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, November 12, 2003 3:39 PM
Subject: Re: [Shorewall-users] output thru USB for Zaurus PDA got REJECT

> I assume you have a zone defined for your usb0 interface in
> /etc/shorewall/interfaces:
>
>     #ZONE   INTERFACE   BROADCAST   OPTIONS
>     net     eth0        detect      norfc1918,tcpflags,blacklist
>     usb     usb0        detect
>     #EOF
Reuben D. Budiardja
2003-Nov-12 14:57 UTC
[Shorewall-users] output thru USB for Zaurus PDA got REJECT
On Wednesday 12 November 2003 05:39 pm, Alex Martin wrote:
> Hello,
>
> I am not sure how you have your firewall set up. So note I am guessing
> here... Based on the standalone setup guide
> (http://www.shorewall.net/standalone.htm):
>
<snip>

OK, your reply answered my question. And yes, sorry I did not include it, but I followed the standalone guide. Basically I just was not sure what to put in zones and interfaces for usb. I did as you suggested, and then in policy I just added:

    fw    usb   ACCEPT
    usb   fw    ACCEPT

since I basically "trust" all traffic in USB and don't really want to bother adding rules for all the ports that I'm gonna use. Please let me know if that's not secure/not the correct way of doing it.

Thanks again.
RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy
something, don't you? Really, I'm not out to destroy
Microsoft. That will just be a completely unintentional
side effect."
- Linus Torvalds -
Alex Martin
2003-Nov-12 15:20 UTC
[Shorewall-users] output thru USB for Zaurus PDA got REJECT
In reply to the security question: if you do trust all traffic between 'fw' and 'usb' then the policy below is fine, but in terms of security that is not optimal. Unless you have a LOT of rules that would need to be added, the default policy is usually used so that unknown traffic is logged (/etc/shorewall/policy: fw usb REJECT info, etc.), so that you can be aware of strange network activities. But this is up to the user's discretion. I would guess you are in a relatively safe environment. But, ignoring security, having a default reject policy with logging to alert you of unexpected network traffic could be useful if you are not incredibly familiar with the systems and software you are playing with.

Note that the default policy in the standalone guide is "fw net ACCEPT", but where I use shorewall for standalone public servers I modify the policy to reject by default and explicitly allow by rules what outbound traffic from the fw (which is a public server) is allowed. This has saved one of my test boxes from a rootkit/trojan installation, as the naive hacker was not aware of the firewalling mechanism of linux or the specific configuration I was using (shorewall); thus the trojan was rendered useless (no outbound access per default attempts). FYI this intrusion was a result of having a non-chroot'ed anonymous ftp server without the latest security patches.

OT, how's the linux PDA treating you?

Regards,

Alex Martin
http://www.rettc.com

----- Original Message -----
From: "Reuben D. Budiardja" <techlist@voyager.phys.utk.edu>
To: "Alex Martin" <shorewall@rettc.com>; "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, November 12, 2003 4:01 PM
Subject: Re: [Shorewall-users] output thru USB for Zaurus PDA got REJECT

> I did as you suggested, and then in policy I just added:
>
>     fw    usb   ACCEPT
>     usb   fw    ACCEPT
>
> since I basically "trust" all traffic in USB and don't really want to bother
> adding rules for all the ports that I'm gonna use.
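The thread ends up contrasting three states of the same host: usb0 in no zone at all (what the question's log shows), a blanket fw<->usb ACCEPT policy, and a reject-and-log policy with one explicit ssh rule. The Python below is an added example, not code from the thread or the Shorewall project: a small in-memory model of the interfaces, zones, policy and rules files that evaluates an outbound packet under each setup. The evaluation order (no zone -> OUTPUT catch-all reject; then first matching rule; then first matching policy with `all` wildcards) is a simplification assumed for illustration, as are the net2all DROP and all2all REJECT policy lines and the Config/evaluate names.

```python
from dataclasses import dataclass, field

SERVICES = {"ssh": 22}  # tiny stand-in for /etc/services name lookups


@dataclass
class Config:
    """Hypothetical in-memory model of the Shorewall files the thread touches."""
    interfaces: dict                            # iface -> zone      (/etc/shorewall/interfaces + zones)
    policy: list                                # (src, dst, action, log level) in file order (policy)
    rules: list = field(default_factory=list)   # (action, src, dst, proto, port) in file order (rules)


def evaluate(cfg, out_iface, proto, dport, src_zone="fw"):
    """Fate of a packet the firewall itself sends out `out_iface`.

    Modelled order (an assumed simplification of Shorewall 1.x):
      1. interface has no zone  -> catch-all REJECT in the OUTPUT chain, logged
      2. first matching rule    -> its action, not logged
      3. first matching policy  -> its action, logged if a level is set
    Returns (disposition, where it was decided, logged).
    """
    dst_zone = cfg.interfaces.get(out_iface)
    if dst_zone is None:
        return ("REJECT", "OUTPUT", True)
    for action, rsrc, rdst, rproto, rport in cfg.rules:
        if ((rsrc, rdst, rproto) == (src_zone, dst_zone, proto)
                and int(SERVICES.get(rport, rport)) == dport):
            return (action, f"{src_zone}2{dst_zone} rule", False)
    for psrc, pdst, action, level in cfg.policy:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return (action, f"{src_zone}2{dst_zone} policy", level is not None)
    return ("REJECT", "OUTPUT", True)


# Policy tail shared by all three setups: the standalone guide's "fw net ACCEPT"
# followed by assumed net2all DROP and all2all REJECT lines.
STANDALONE_TAIL = [("fw", "net", "ACCEPT", None),
                   ("net", "all", "DROP", "info"),
                   ("all", "all", "REJECT", "info")]

# 1. What the question's log implies: usb0 is not assigned to any zone.
NO_ZONE = Config(interfaces={"eth0": "net"}, policy=STANDALONE_TAIL)

# 2. The "trust everything on USB" follow-up: blanket ACCEPT policies, no rules.
TRUST_ALL = Config(interfaces={"eth0": "net", "usb0": "usb"},
                   policy=[("fw", "usb", "ACCEPT", None),
                           ("usb", "fw", "ACCEPT", None)] + STANDALONE_TAIL)

# 3. Reject and log by default, allow ssh explicitly (the reply's suggestion).
EXPLICIT = Config(interfaces={"eth0": "net", "usb0": "usb"},
                  policy=[("fw", "usb", "REJECT", "info"),
                          ("usb", "fw", "REJECT", "info")] + STANDALONE_TAIL,
                  rules=[("ACCEPT", "fw", "usb", "tcp", "ssh")])

SETUPS = {"no_zone": NO_ZONE, "trust_all": TRUST_ALL, "explicit": EXPLICIT}


def compare(dport, proto="tcp"):
    """Evaluate fw -> usb0 traffic to `dport` under each of the three setups."""
    return {name: evaluate(cfg, "usb0", proto, dport) for name, cfg in SETUPS.items()}


if __name__ == "__main__":
    for port in (22, 8080):   # ssh, and an unexpected outbound port
        print(f"fw -> usb0 tcp/{port}")
        for name, (disp, where, logged) in compare(port).items():
            print(f"  {name:10s} {disp:7s} via {where:15s} logged={logged}")
```

The point the output makes is the one in the reply: the trust-all policy lets tcp/8080 out silently, while the reject-and-log policy still lets ssh through via the explicit rule but rejects and logs the unexpected port, so unplanned traffic from the host shows up in the log instead of passing unnoticed.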