Gentlefolk,

Shorewall is a great piece of software: thank you.

Shorewall behaves exactly as I expect it to, when configured according to
http://www.shorewall.net/standalone.htm.

I would like to add IP-based virtual hosting, but I find the documentation
confusing. Perhaps I am just too foolish to understand it, but most of the
multiple-public-IP documentation does not appear to apply to me, because I
have only one host, which has only one NIC.

Looking at http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html,
I expected that I would need to:

1. Invoke "/sbin/ip addr add <virtual-host-IP> dev eth0 label eth0:0"
2. Add a rule like "ACCEPT net $FW:<virtual-host-IP> tcp 80"

Before performing these steps I cannot access my web server via
<virtual-host-IP> (which I expect). When I then perform step 1 manually,
outside of the startup scripts, I find that I can remotely access the web
server via <virtual-host-IP>, even though I have not yet performed step 2.

It thus appears that my box is not protected from access via
<virtual-host-IP>.

Is this the wrong way to go about IP-based virtual hosting?

Thank you for your patience.
On Sat, 25 Oct 2003, Art Griesser wrote:

> Gentlefolk,
>
> Shorewall is a great piece of software: thank you.
>
> Shorewall behaves exactly as I expect it to, when configured according to
> http://www.shorewall.net/standalone.htm.
>
> I would like to add IP-based virtual hosting, but I find the
> documentation confusing. Perhaps I am just too foolish to understand it,
> but most of the multiple-public-IP documentation does not appear to apply
> to me, because I have only one host, which has only one NIC.
>
> Looking at
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html, I
> expected that I would need to:
> 1. Invoke "/sbin/ip addr add <virtual-host-IP> dev eth0 label eth0:0"
> 2. Add a rule like "ACCEPT net $FW:<virtual-host-IP> tcp 80"
>
> Before performing these steps I cannot access my web server via
> <virtual-host-IP> (which I expect). When I then perform step 1 manually,
> outside of the startup scripts, I find that I can remotely access the web
> server via <virtual-host-IP>, even though I have not yet performed step
> 2.
>
> It thus appears that my box is not protected from access via
> <virtual-host-IP>.
>
> Is this the wrong way to go about IP-based virtual hosting?
>

I haven't a clue, because you haven't told us anything about your
configuration other than that you started with the standalone sample.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sat, 2003-10-25 at 21:01, Tom Eastep wrote:

> > It thus appears that my box is not protected from access via
> > <virtual-host-IP>.
> >
> > Is this the wrong way to go about IP-based virtual hosting?
> >
>
> I haven't a clue, because you haven't told us anything about your
> configuration other than that you started with the standalone sample.

What I'm particularly interested in is what rules you have in place
already. If you have:

ACCEPT net fw tcp 80

then that rule does exactly what it says: it allows incoming connections
on tcp port 80 from the 'net' zone. In particular, it does NOT restrict
the destination IP address, so the rule will match any address that you
have the energy to add to your firewall's external interface.

-Tom
> On Sat, 2003-10-25 at 21:01, Tom Eastep wrote:
>
> > > It thus appears that my box is not protected from access via
> > > <virtual-host-IP>.
> > >
> > > Is this the wrong way to go about IP-based virtual hosting?
> > >
> >
> > I haven't a clue, because you haven't told us anything about your
> > configuration other than that you started with the standalone sample.
>
> What I'm particularly interested in is what rules you have in place
> already. If you have:
>
> ACCEPT net fw tcp 80
>
> then that rule does exactly what it says: it allows incoming connections
> on tcp port 80 from the 'net' zone. In particular, it does NOT restrict
> the destination IP address, so the rule will match any address that you
> have the energy to add to your firewall's external interface.
>

I guess I am a sufficiently talented fool... that's exactly what I did
(config files follow). I wanted the newly added IP to respond only to the
www and https ports, so the modified rules seem to do the trick.
============ interfaces ==============
net eth0 detect routefilter,dropunclean,blacklist,tcpflags

============ zones ==============
net Net Internet

============ policy ============
fw net ACCEPT
net all DROP info
all all REJECT info

============ rules (brain dead) ==============
ACCEPT net fw icmp 8
ACCEPT net fw tcp www
ACCEPT net fw tcp https
ACCEPT net fw udp domain
ACCEPT net fw tcp ssh
REDIRECT net 49999 tcp 23
REDIRECT net 49999 tcp 110
REDIRECT net 49999 tcp 111
REDIRECT net 49999 udp 111
REDIRECT net 49999 tcp 143
REDIRECT net 49999 tcp 515
REDIRECT net 49999 tcp 1080
REDIRECT net 49999 tcp 1433
REDIRECT net 49999 tcp 1434
REDIRECT net 49999 tcp 3128
REDIRECT net 49999 tcp 12345
REDIRECT net 49999 tcp 27374

(The redirects are for the portsentry configuration described in the docs.)

======== modified rules (behave as desired) ================
# Rules applicable to all IPs on eth0
ACCEPT net fw tcp www
ACCEPT net fw tcp https

# Dynamic blacklisting (also applicable to all IPs on eth0)
# portsentry is configured to blacklist hosts that try to open port 49999
REDIRECT net 49999 tcp 23
REDIRECT net 49999 tcp 110
REDIRECT net 49999 tcp 111
REDIRECT net 49999 udp 111
REDIRECT net 49999 tcp 143
REDIRECT net 49999 tcp 515
REDIRECT net 49999 tcp 1080
REDIRECT net 49999 tcp 1433
REDIRECT net 49999 tcp 1434
REDIRECT net 49999 tcp 3128
REDIRECT net 49999 tcp 12345
REDIRECT net 49999 tcp 27374

# Rules applicable only to one IP on eth0
ACCEPT net $FW:<master-IP> icmp 8
ACCEPT net $FW:<master-IP> udp domain
ACCEPT net $FW:<master-IP> tcp ssh

Thank you!
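As an added illustration of the point Tom makes (not code from the thread or from Shorewall): a small checker that reads rules in the classic five-column form and reports, per address on the external interface, what the net zone may reach. The addresses 192.0.2.10 and 192.0.2.11 and the trimmed rule sets are constructed to mirror Art's two versions; an unqualified fw/$FW destination is treated as matching every address on the interface.

```python
# Added example: per-address exposure of a Shorewall rules file.
# Format assumed: ACTION SOURCE DEST PROTO PORT (classic five-column rules).
# An unqualified 'fw' / '$FW' destination matches every address configured
# on the interface, which is what the thread explains.
MASTER = "192.0.2.10"   # constructed: the primary (master) IP
ALIAS = "192.0.2.11"    # constructed: the eth0:0 virtual-host IP

# Constructed rules mirroring the two versions posted above (REDIRECTs trimmed).
BRAIN_DEAD_RULES = """
ACCEPT net fw icmp 8
ACCEPT net fw tcp www
ACCEPT net fw tcp https
ACCEPT net fw udp domain
ACCEPT net fw tcp ssh
REDIRECT net 49999 tcp 23
"""

MODIFIED_RULES = f"""
ACCEPT net fw tcp www
ACCEPT net fw tcp https
ACCEPT net $FW:{MASTER} icmp 8
ACCEPT net $FW:{MASTER} udp domain
ACCEPT net $FW:{MASTER} tcp ssh
"""

SERVICES = {"www": 80, "https": 443, "domain": 53, "ssh": 22}  # small name table

def exposure(rules_text, addresses):
    """Return {address: set of 'proto/port' that ACCEPT rules open from net}."""
    exposed = {a: set() for a in addresses}
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 5:
            continue
        action, src, dest, proto, port = fields[:5]
        if action != "ACCEPT" or src != "net":
            continue                             # REDIRECT etc. open nothing
        zone, _, addr = dest.partition(":")      # 'fw' or '$FW:addr'
        if zone not in ("fw", "$FW"):
            continue
        port = SERVICES.get(port, port)
        targets = [addr] if addr else addresses  # unqualified -> every address
        for a in targets:
            exposed.setdefault(a, set()).add(f"{proto}/{port}")
    return exposed

if __name__ == "__main__":
    for name, rules in (("brain dead", BRAIN_DEAD_RULES), ("modified", MODIFIED_RULES)):
        print(name, exposure(rules, [MASTER, ALIAS]))
```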
On Sun, 26 Oct 2003, Art Griesser wrote:

> I wanted the newly added IP to respond only to the www and https ports,
> so the modified rules seem to do the trick.
>
> Thank you!

You're welcome.

-Tom