Hello,
I set up a shorewall dual interface firewall and started with that guideline
file to get it running. I've since modified it to support my routing needs
and have updated it to be similar to the set up as documented on
shorewall.net.
I started to set up another Linux box that will be used to handle our mail
services. I decided to put shorewall on that server so that I can lock it
down too. After getting Linux installed on it, I had to take care of some
other projects. When I came back to it, I noticed some rejected packets in
the logwatch report on the new mail server (10.10.1.30/216.17.21.77).
At first the packets all appeared to be related to port 135. Then I started
to see other ports as well. After a while, it looked like several common
ports were used but also >1024 ports, too. Here are some of the common port
log items from the mail server:
Sep 14 22:47:11 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.15.37.168 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=2689 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:22 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.16.57.8 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=3153 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:39 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:45 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58365 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:15 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:21 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58365 WINDOW=0 RES=0x00 ACK RST URGP=0
I set up another RH9 Linux PC and put it outside of the firewall and used
nmap and ethereal to help figure out the packets that were getting routed
in. It looks like nmap believes all the ports are closed and I think that
they are, but I'd like to have these packets die at the firewall and not
inside the network. The following nmap options will generate the rejected
packets above on the mail server when I comment out the DROP rule for this
server:
nmap -v -sS -O -P0 216.17.21.77
Basically the packets have one of the following flag combos:
1. RST, ACK
2. SYN (incoming)
3. RST
4. ACK
Finally some questions:
When looking at my rules file, I would think that only smtp and pop3 packets
would be allowed to get to the mail server. Shouldn't the rules at the end
of the policy file drop or reject other packet types?
By adding the DROP rule (see rules for 10.10.1.30 in rules file below) at
the end of the list of ACCEPT rules, I can force shorewall/iptables to drop
the packets that I don't want routed through. I get the feeling that this
is not how it is supposed to work though.
I think that I have included all of shorewall configuration files that will
help figure this out.
Please let me know if I have a rule/policy that is allowing this traffic
through and bypassing the default policies.
I really like shorewall, it is MUCH easier to set up than iptables.
I've learned a lot about nessus, nmap, and ethereal, too. These are some really
cool tools.
At this point I'm not concerned about the shorewall set up on my mail
server. I'm glad that I set shorewall up on that server or I may not have
detected these other packets for quite some time. I just want to correct
the firewall so that it is 'correctly' restricting these packets before I
finish setting that up.
SUPPORT INFO
Linux Distro:
Redhat 9.0 - 2.4.20-20.9
shorewall version:
1.4.6c
ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:b3:97:c7:10 brd ff:ff:ff:ff:ff:ff
inet 216.17.21.94/27 brd 216.17.21.95 scope global eth0
inet 216.17.21.66/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.68/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.69/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.70/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.71/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.72/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.74/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.75/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.77/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.78/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.79/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.81/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.82/27 brd 216.17.21.95 scope global secondary eth0
inet 216.17.21.90/27 brd 216.17.21.95 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:b3:97:c6:e2 brd ff:ff:ff:ff:ff:ff
inet 10.10.1.1/24 brd 10.10.1.255 scope global eth1
ip route show:
216.17.21.64/27 dev eth0 scope link
10.10.1.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 216.17.21.65 dev eth0
What is the 169.254.0.0/16 for above? This is the first time that I've
noticed it.
shorewall.conf:
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE
LOGBURST
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
params:
LOG=info
zones:
net Net Internet
loc Local Local networks
ose OffsiteEmps Off-site employees
interfaces:
net eth0 detect norfc1918,routefilter,dropunclean,blacklist,tcpflags,newnotsyn
loc eth1 detect
hosts:
loc eth1:10.10.1.0/24
net eth0:0.0.0.0/0
ose eth0:24.163.215.41
routestopped:
eth1 -
policy:
loc net ACCEPT
fw net ACCEPT
fw loc ACCEPT
loc fw REJECT $LOG
ose all CONTINUE
net all DROP $LOG 10/sec:40
all all REJECT $LOG
masq:
eth0 eth1
nat:
216.17.21.66 eth0 10.10.1.250 no no
216.17.21.68 eth0 10.10.1.249 no no
216.17.21.69 eth0 10.10.1.201 no no
216.17.21.70 eth0 10.10.1.248 no no
216.17.21.71 eth0 10.10.1.202 no no
216.17.21.72 eth0 10.10.1.247 no no
216.17.21.74 eth0 10.10.1.203 no no
216.17.21.75 eth0 10.10.1.246 no no
216.17.21.77 eth0 10.10.1.30 no no
216.17.21.78 eth0 10.10.1.11 no no
216.17.21.79 eth0 10.10.1.12 no no
216.17.21.81 eth0 10.10.1.200 no no
216.17.21.82 eth0 10.10.1.199 no no
216.17.21.90 eth0 10.10.1.101 no no
rules:
############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                                 PORT      PORT(S)   DEST
#
# Reject attempts by trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Reject NETBIOS packets because our policy is accept
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
# drop local to firewall traffic if not 10.10.1.0/24
#
DROP:$LOG loc:!10.10.1.0/24 fw
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc net tcp domain
ACCEPT loc net udp domain
#
# Accept DHCP connections from the firewall to/from the network
#
ACCEPT loc fw udp 67
ACCEPT fw loc udp 68
#
# Accept traceroute connections from loc/fw to the network
#
ACCEPT loc fw udp 33434:33523
ACCEPT fw net udp 33434:33523
ACCEPT fw loc icmp 11
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Accept VNC connections from the local network for administration
#
ACCEPT loc fw tcp 5900:5903
ACCEPT fw loc tcp 5900:5903
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Allow Samba fw connections to/from loc
#
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139,445
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw udp 1024: 137
#
# jcs-ldns01
# services: dns
#
ACCEPT net loc:10.10.1.11 tcp domain
ACCEPT net loc:10.10.1.11 udp domain
#
# jcs-ldns02
# services: dns
#
ACCEPT net loc:10.10.1.12 tcp domain
ACCEPT net loc:10.10.1.12 udp domain
#
#
# jcs-lmail01
# aka: mail.jibben.com
# services: pop3, smtp, imap, imaps
#
ACCEPT net loc:10.10.1.30 tcp smtp
ACCEPT ose loc:10.10.1.30 tcp pop3
ACCEPT ose loc:10.10.1.30 tcp smtp
# this catches the extra packets coming through, but shouldn't the policy drop them???
DROP:$LOG net loc:10.10.1.30 all
#
# jcs-inetd01
# aka: dev.jibben.com
# services: http, ftp, pcany
#
ACCEPT net loc:10.10.1.250 tcp http
ACCEPT net loc:10.10.1.250 tcp ftp
ACCEPT net loc:10.10.1.250 tcp 5631
ACCEPT net loc:10.10.1.250 udp 5632
#ACCEPT net loc:10.10.1.250 tcp 5800
#ACCEPT net loc:10.10.1.250 tcp 5900
#
# jcs-winet01
#
# aka: www.jibben.com
# services: http, pcany, vnc
ACCEPT net loc:10.10.1.249 tcp http
ACCEPT net loc:10.10.1.249 tcp 5631
ACCEPT net loc:10.10.1.249 udp 5632
#
# aka: www.y2corn.com, www.weirdsciencerocks.com
# services: http, ftp, ftp (on port 77)
#
ACCEPT net loc:10.10.1.201 tcp http
ACCEPT net loc:10.10.1.201 tcp ftp
ACCEPT net loc:10.10.1.201 tcp 77
#
# aka: www.jibbensoftware.com
# services: http, https, ftp
#
ACCEPT net loc:10.10.1.248 tcp http
#ACCEPT net loc:10.10.1.248 tcp https
ACCEPT net loc:10.10.1.248 tcp ftp
#
# aka: www.alba-ker.com, www.tomlommel.com
# services: http, ftp
#
ACCEPT net loc:10.10.1.202 tcp http
ACCEPT net loc:10.10.1.202 tcp ftp
#
# jcs-winetd02
# aka: dev5.jibben.com
# services: http, pcany, vnc
#
ACCEPT net loc:10.10.1.247 tcp http
ACCEPT net loc:10.10.1.247 tcp 5631
ACCEPT net loc:10.10.1.247 udp 5632
#ACCEPT net loc:10.10.1.247 tcp 5800
#ACCEPT net loc:10.10.1.247 tcp 5900
#
# ServerX
# aka: www.visionarymail.com
# services: http, https, ftp, pop3, smtp, imap, imaps, pcany (8000-8001), vpn-pptp (1723), gre
#
ACCEPT net loc:10.10.1.203 tcp http
ACCEPT net loc:10.10.1.203 tcp https
ACCEPT net loc:10.10.1.203 tcp ftp
ACCEPT net loc:10.10.1.203 tcp pop3
ACCEPT net loc:10.10.1.203 tcp smtp
ACCEPT net loc:10.10.1.203 tcp imap
ACCEPT net loc:10.10.1.203 tcp imaps
ACCEPT net loc:10.10.1.203 tcp 8000
ACCEPT net loc:10.10.1.203 udp 8001
ACCEPT net loc:10.10.1.203 tcp 1723
ACCEPT net loc:10.10.1.203 gre
#
# jcs-winetd07
# aka: devmx.jibben.com
# services: http, pcany, vnc
#
ACCEPT net loc:10.10.1.246 tcp http
ACCEPT net loc:10.10.1.246 tcp 5631
ACCEPT net loc:10.10.1.246 udp 5632
#ACCEPT net loc:10.10.1.246 tcp 5800
#ACCEPT net loc:10.10.1.246 tcp 5900
#
# jcs-wsql2k-01
# services: pcany, ms-sql-s, ms-sql-m, vnc
#
ACCEPT ose loc:10.10.1.200 tcp ms-sql-s
ACCEPT ose loc:10.10.1.200 udp ms-sql-s
ACCEPT ose loc:10.10.1.200 tcp ms-sql-m
ACCEPT ose loc:10.10.1.200 udp ms-sql-m
ACCEPT net loc:10.10.1.200 tcp 5631
ACCEPT net loc:10.10.1.200 udp 5632
#ACCEPT net loc:10.10.1.200 tcp 5800
#ACCEPT net loc:10.10.1.200 tcp 5900
#
# jcs-wsql7-01
# services: pcany, ms-sql-s, ms-sql-m, vnc
#
ACCEPT ose loc:10.10.1.199 tcp ms-sql-s
ACCEPT ose loc:10.10.1.199 udp ms-sql-s
ACCEPT ose loc:10.10.1.199 tcp ms-sql-m
ACCEPT ose loc:10.10.1.199 udp ms-sql-m
ACCEPT net loc:10.10.1.199 tcp 5631
ACCEPT net loc:10.10.1.199 udp 5632
#ACCEPT net loc:10.10.1.199 tcp 5800
#ACCEPT net loc:10.10.1.199 tcp 5900
#
# jcs-wdev07
# services: kazaa, vnc
#
ACCEPT net loc:10.10.1.101 tcp 1214
ACCEPT net loc:10.10.1.101 tcp 3017
ACCEPT net loc:10.10.1.101 udp 3017
ACCEPT net loc:10.10.1.101 tcp http
#ACCEPT net loc:10.10.1.101 tcp 5800
ACCEPT net loc:10.10.1.101 tcp 5900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Scott Jibben
Certified Macromedia ColdFusion Developer
Jibben Consulting Services, Inc.
[Email] scott@jibben.com
[Web] http://www.jibben.com
[Voice] 763-757-5626
[Fax] 763-862-8371
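An added example, written for this page and not code from the post above or from Shorewall: a small Python parser for netfilter kernel log lines in the LOGFORMAT="Shorewall:%s:%s:" shape shown in the post. It pulls out the chain, disposition, interfaces, addresses, ports and TCP flags, then tallies the entries by flag combination and by what those flags say about connection state, so that the split between a SYN (a genuine new-connection attempt) and the ACK/RST replies seen in the excerpt is visible at a glance. The first three sample lines are copied from the post; the fourth line, with its source address, ID and net2all chain name, is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the first three lines are copied from the Shorewall log
# excerpt in the post (re-joined onto single lines); the fourth is a
# hypothetical SYN line in the same netfilter format, added so that a genuine
# new-connection attempt appears beside the ACK/RST replies.
SAMPLE_LOG = """\
Sep 14 22:47:11 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.15.37.168 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=2689 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:39 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:15 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:51:02 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.23 DST=216.17.21.77 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4711 PROTO=TCP SPT=40123 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Prefix produced by LOGFORMAT="Shorewall:%s:%s:" (chain, then disposition).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# KEY=value tokens emitted by the netfilter LOG target (OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flag tokens as netfilter prints them, in its own order.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line):
    """Return a dict of the netfilter fields in one Shorewall log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(KV_RE.findall(rest))
    # Bare tokens (no '=') are IP/TCP flags such as DF, ACK, RST, SYN.
    bare = {tok for tok in rest.split() if "=" not in tok}
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "ttl": int(fields["TTL"]) if "TTL" in fields else None,
        "flags": tuple(f for f in TCP_FLAGS if f in bare),
    }


def classify(rec):
    """Label what the TCP flags say about connection state (TCP records only)."""
    if rec["proto"] != "TCP":
        return "non-TCP"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        return "SYN only: new connection attempt"
    if "SYN" in f and "ACK" in f:
        return "SYN/ACK: reply to a connection attempt"
    if "RST" in f:
        return "RST: reset, e.g. a reply to a probe of a closed port"
    return "no SYN: mid-stream or stray packet"


def summarize(text):
    """Parse every Shorewall line in text; count by (chain, disposition, flags) and by class."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_combo = Counter(
        (r["chain"], r["disposition"], " ".join(r["flags"]) or "-") for r in records
    )
    by_class = Counter(classify(r) for r in records)
    return records, by_combo, by_class


if __name__ == "__main__":
    records, by_combo, by_class = summarize(SAMPLE_LOG)
    for (chain, disp, flags), n in sorted(by_combo.items()):
        print(f"{n:4d}  {chain}:{disp}  flags={flags}")
    for label, n in by_class.most_common():
        print(f"{n:4d}  {label}")
```

Run it against the real /var/log/messages by passing the file contents to summarize(); the chain column then tells you which Shorewall chain (FORWARD, net2all, net2loc, and so on) produced each entry, which is the quickest way to see whether a packet was caught by a rule, by a zone policy, or by nothing before the chain's built-in policy.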