Mark Hoover
2003-Feb-20 05:48 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 3, Issue 52
Would you mind if I inquired as to the reasoning of having to explicitly open up pings? While I realize there are different schools of thought on allowing or disallowing pings to/from the firewall, I much rather liked it when Shorewall started allowing them by default....

------------------------------------------------------------------
Mark Hoover
District Network Engineer
Norfolk Public Schools
628-3810 x3045

>>> shorewall-users-request@lists.shorewall.net 02/19/03 06:37PM >>>
> 5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want to 'ping' from the firewall, you will need the appropriate rule or policy.
Tom Eastep
2003-Feb-20 06:10 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 3, Issue 52
Mark Hoover wrote:
> Would you mind if I inquired as to the reasoning of having to explicitly open up
> pings? While I realize there are different schools of thought on allowing or
> disallowing pings to/from the firewall, I much rather liked it when Shorewall
> started allowing them by default....

You can make a one-line change (which is well-documented in the 1.4 docs) to your /etc/shorewall/common file which will make ping allowed by default again.

The reason for this change is that I got tired of answering the question "I have a DROP policy from x to y yet I can ping from x to y; why?".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Feb-20 06:17 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 3, Issue 52
Tom Eastep wrote:
> The reason for this change is that I got tired of answering the question
> "I have a DROP policy from x to y yet I can ping from x to y; why?".

And this makes one ask oneself: "Why should 'ping' be any different than any other connection request?". I couldn't come up with a convincing answer that it should be different. The old ping handling was way too complicated anyway -- even I had to read the code/documentation to remember how it worked :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Gilson Soares
2003-Feb-20 06:37 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 3, Issue 52
At 2/20/2003 10:47, Mark Hoover wrote:
> Would you mind if I inquired as to the reasoning of having to explicitly
> open up pings? While I realize there are different schools of thought on allowing or
> disallowing pings to/from the firewall, I much rather liked it when Shorewall
> started allowing them by default....

Being a firewall, security is a must. There are several issues. One of them is that several hackers (or 'script kiddies') use tools that start scanning net ranges when doing mass attacks. And only those that respond to ping requests are really scanned. You have more chances to be left behind.

Talking about network management, I prefer to allow the ping replies to a few hosts that do the management. I only permit ping for my internal machines (zone LOC) to troubleshoot the connectivity with the gateway (Linux w/Shorewall).

-Gilson
Eduardo Ferreira
2003-Feb-20 09:12 UTC
[Shorewall-users] BUG? shorewall check is ok, but shorewall restart dies...
I'm doing maintenance on one of my shorewall firewall servers (shorewall 1.3.13 running on a 2.4.18-3U8_4cl kernel with iptables 1.2.5) and ran into something very strange. After doing some modifications in the rules file, I've issued a shorewall check and here is the output:

[... snip ..]
Rule "ACCEPT zonA zonB:192.16.25 tcp radius" validated.
Rule "ACCEPT zonA zonB:192.16.28,192.168.16.52 5666" validated.
[...snip...]

but when I issue a shorewall restart, it dies:

[...snip...]
Rule "ACCEPT zonA zonB:192.168.16.25 tcp radius" added.
iptables v1.2.5: unknown protocol `5666' specified
Try `iptables -h' or 'iptables --help' for more information.
[...snip...]

Ok, I know what the problem is (I forgot to put the protocol in the rule). But, isn't this a bug? Or is the check option not supposed to check this?

thanks,
Eduardo Ferreira
Tom Eastep
2003-Feb-20 09:26 UTC
[Shorewall-users] BUG? shorewall check is ok, but shorewall restart dies...
Eduardo Ferreira wrote:
> I'm doing maintenance on one of my shorewall firewall servers (shorewall
> 1.3.13 running on a 2.4.18-3U8_4cl kernel with iptables 1.2.5) and ran
> into something very strange. After doing some modifications in the rules
> file, I've issued a shorewall check and here is the output:
>
> [... snip ..]
> Rule "ACCEPT zonA zonB:192.16.25 tcp radius" validated.
> Rule "ACCEPT zonA zonB:192.16.28,192.168.16.52 5666" validated.
> [...snip...]
>
> but when I issue a shorewall restart, it dies:
> [...snip...]
> Rule "ACCEPT zonA zonB:192.168.16.25 tcp radius" added.
> iptables v1.2.5: unknown protocol `5666' specified
> Try `iptables -h' or 'iptables --help' for more information.
> [...snip...]
>
> Ok, I know what the problem is (I forgot to put the protocol in the rule).
> But, isn't this a bug? Or is the check option not supposed to check this?

I don't consider ANY case where check fails to catch errors that prevent Shorewall from starting to be a bug. The 'check' command was never intended to catch all such errors and the documentation of the command clearly states that (note the text in BOLD RED LETTERS in that documentation).

In this particular case, check doesn't realize that 5666 isn't a valid protocol number.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
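Because `shorewall check` passes a PROTO column that iptables will later reject, a small pre-flight lint of the rules file catches this class of error before a restart takes the firewall down. The script below is an added example, not part of this thread or of Shorewall; the sample rules are constructed after the ones quoted above (zone names, addresses and the ping rule with assumed zones `loc`/`fw` are illustrative), and it assumes the Shorewall 1.3 PROTO column takes `tcp`, `udp`, `icmp`, `all` or an IP protocol number 0-255.

```python
"""Pre-flight lint for a Shorewall 1.x rules file: flag PROTO column
values iptables will reject (the error 'shorewall check' let through)."""
import re

# Protocol names accepted in the PROTO column (assumption: numeric IP
# protocol numbers 0-255 are passed straight through to iptables).
PROTO_NAMES = {"tcp", "udp", "icmp", "all"}


def check_proto(field):
    """Return None if `field` is a usable PROTO value, else a reason."""
    if field.lower() in PROTO_NAMES:
        return None
    if field.isdigit():
        if 0 <= int(field) <= 255:
            return None
        return f"'{field}' is not a protocol number (0-255); missing PROTO column?"
    return f"'{field}' is not a protocol name"


def lint_rules(text):
    """Return [(line_no, reason)] for every rule whose PROTO column is bad."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = re.split(r"\s+", line)        # ACTION SOURCE DEST PROTO ...
        if len(cols) < 4:
            problems.append((no, "fewer than 4 columns (ACTION SOURCE DEST PROTO)"))
            continue
        reason = check_proto(cols[3])
        if reason:
            problems.append((no, reason))
    return problems


# Constructed sample modelled on the rules quoted in the thread; line 3
# is the rule with the port typed where the protocol belongs.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST                                PROTO  DEST PORT(S)
ACCEPT    zonA    zonB:192.168.16.25                  tcp    radius
ACCEPT    zonA    zonB:192.168.16.28,192.168.16.52    5666
ACCEPT    loc     fw                                  icmp   8
ACCEPT    zonA    zonB                                tcp    5666
"""

if __name__ == "__main__":
    for no, reason in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {reason}")
```

A port number at or below 255 (for example 80) would still pass this check as a legitimate protocol number, so the lint narrows the window rather than replacing a test restart on a staging host.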
Eduardo Ferreira
2003-Feb-20 09:47 UTC
[Shorewall-users] BUG? shorewall check is ok, but shorewall restart dies...
Tom,

thanks and sorry. I (humble) didn't read that...

shorewall-users-bounces@lists.shorewall.net wrote on 20/02/2003 14:26:57:
> I don't consider ANY case where check fails to catch errors that prevent
> Shorewall from starting to be a bug. The 'check' command was never
> intended to catch all such errors and the documentation of the command
> clearly states that (note the text in BOLD RED LETTERS in that
> documentation).
>
> In this particular case, check doesn't realize that 5666 isn't a valid
> protocol number.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
>
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2003-Feb-20 09:54 UTC
[Shorewall-users] BUG? shorewall check is ok, but shorewall restart dies...
Eduardo Ferreira wrote:
> Tom,
>
> thanks and sorry. I (humble) didn't read that...

No problem, Eduardo -- you're not the first :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net