I recently downloaded shorewall and tried to get it set up. Used the provided example two-interface model. Started with simply trying to stop all incoming traffic. I noticed that not everything I expected to be logged got logged, so I made some minor modifications, mostly around adding ':info' to log more data, which did not seem to work. I went back to the standard two-interface config. No forwarding.

I'm running RH7.2, updated with kernel-2.4.9-21, iptables-1.2.4-2. I use roaring penguin rp-pppoe-3.3-1 to connect to the internet, I use ppp0 as my defined internet interface.

It seems nothing much is getting logged at this point, although I'm sure a lot should be logged (which was the case when I ran rcf...). I noticed that when I connect from the outside on port 8080 it gets logged as a DROP (as expected), but when I try to connect on port 80, although it appears to be dropped, nothing gets logged. I went to grc.com and had it probe, which seemed to indicate the expected response. It did manage to generate a lot of DROP messages, but not from port 80. Looked through the status display and I noticed nothing that would indicate that port 80 is in any way special. I'm somewhat baffled, I'm obviously missing something.

I've also tried port forwarding, which does not seem to work either (I used to have this working with rcf when I was still running a 2.2 kernel).

Any pointers?

Michel
> I recently downloaded shorewall and tried to get it set up. Used the provided example two-interface model. Started with simply trying to stop all incoming traffic. I noticed that not everything I expected to be logged got logged, so I made some minor modifications, mostly around adding ':info' to log more data, which did not seem to work. I went back to the standard two-interface config.

By default, Shorewall rate-limits logging and furthermore it drops some common sources of newbie questions about "What is this attack?" (broadcasts, SMB chatter, etc.). You can turn off rate limiting by setting:

LOGRATE
LOGBURST

in /etc/shorewall/shorewall.conf

> No forwarding.

Did forwarding work before you tried to improve logging?

> I'm running RH7.2, updated with kernel-2.4.9-21, iptables-1.2.4-2. I use roaring penguin rp-pppoe-3.3-1 to connect to the internet, I use ppp0 as my defined internet interface.

Are you using the new CLAMPMSS setting in /etc/shorewall.conf? You should be.

> It seems nothing much is getting logged at this point, although I'm sure a lot should be logged (which was the case when I ran rcf...). I noticed that when I connect from the outside on port 8080 it gets logged as a DROP (as expected), but when I try to connect on port 80, although it appears to be dropped, nothing gets logged. I went to grc.com and had it probe, which seemed to indicate the expected response. It did manage to generate a lot of DROP messages, but not from port 80.

See above.

-Tom

PS -- excuse the whimpy email client but I'm installing XP as a second OS on my main desktop system today.
Tom Eastep wrote:

> > I recently downloaded shorewall and tried to get it set up. Used the provided example two-interface model. Started with simply trying to stop all incoming traffic. I noticed that not everything I expected to be logged got logged, so I made some minor modifications, mostly around adding ':info' to log more data, which did not seem to work. I went back to the standard two-interface config.
>
> By default, Shorewall rate-limits logging and furthermore it drops some common sources of newbie questions about "What is this attack?" (broadcasts, SMB chatter, etc.). You can turn off rate limiting by setting:
>
> LOGRATE
> LOGBURST
>
> in /etc/shorewall/shorewall.conf

Did that, with little success. I'm going to redo my work this morning. I did notice the few specific things that are blocked, which is why I thought I must be doing something obviously wrong.

> > No forwarding
>
> Did forwarding work before you tried to improve logging?

Nope.

> > I'm running RH7.2, updated with kernel-2.4.9-21, iptables-1.2.4-2. I use roaring penguin rp-pppoe-3.3-1 to connect to the internet, I use ppp0 as my defined internet interface.
>
> Are you using the new CLAMPMSS setting in /etc/shorewall.conf? You should be.

rp-pppoe already does that, unless I turned it off by mistake. I'll check. Thanks for your time!

> > It seems nothing much is getting logged at this point, although I'm sure a lot should be logged (which was the case when I ran rcf...). I noticed that when I connect from the outside on port 8080 it gets logged as a DROP (as expected), but when I try to connect on port 80, although it appears to be dropped, nothing gets logged. I went to grc.com and had it probe, which seemed to indicate the expected response. It did manage to generate a lot of DROP messages, but not from port 80.
>
> See above.
>
> -Tom
>
> PS -- excuse the whimpy email client but I'm installing XP as a second OS on my main desktop system today.

I'm using the stock NS 6.2 mail client. You won't hear a peep from me!
On Saturday 26 January 2002 07:13 am, Michel van der List wrote:

> rp-pppoe already does that, unless I turned it off by mistake. I'll check.

But as soon as you start/restart shorewall it gets removed unless you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.

-Tom

--
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

> On Saturday 26 January 2002 07:13 am, Michel van der List wrote:
>
> > rp-pppoe already does that, unless I turned it off by mistake. I'll check.
>
> But as soon as you start/restart shorewall it gets removed unless you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.

Ouch. So, I fixed that, but I'm still seeing the same symptoms (turned the logging bit off, so that things are logged). Connecting on port 8080 gives an immediate entry in my kernel log, 80 does not. Tried a few others as well, same result. I'll try to forward port 8080, see if I can make that work. Revisit the strange port 80 issue again later. Perhaps some strange cache is getting in the way somewhere (I'm using my work account to check...).

Sorry for all this bone-headedness...

Michel
> > But as soon as you start/restart shorewall it gets removed unless you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
>
> Ouch. So, I fixed that, but I'm still seeing the same symptoms (turned the logging bit off, so that things are logged). Connecting on port 8080 gives an immediate entry in my kernel log, 80 does not. Tried a few others as well, same result. I'll try to forward port 8080, see if I can make that work. Revisit the strange port 80 issue again later. Perhaps some strange cache is getting in the way somewhere (I'm using my work account to check...).
>
> Sorry for all this bone-headedness...

Now I'm even more confused. Happily forwarded port 8080, but port 80 will not work. I'll have a buddy of mine test from his system later today, but I expect he'll see the same. Everything else works just fine, including syslog back to another server, ssh to firewall, etc. Looking through the status display, I see the expected forwarding rules.

Michel
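A small troubleshooting helper to go with this thread, added here and not code from the Shorewall project or from either poster: it tallies Shorewall DROP log entries by destination port for one interface, so an observation like "8080 gets logged, 80 never does" can be checked against the kernel log instead of by eye. It assumes the internet interface is ppp0 (as in the thread) and that log lines carry the Shorewall:chain:disposition: prefix followed by the usual netfilter IN=/SRC=/DPT= fields; the log lines below are constructed.

```shell
#!/bin/sh
# Added helper, not part of Shorewall or the original thread.
# Summarise which destination ports produced Shorewall DROP entries on the
# internet interface (assumed here to be ppp0, as in the thread).

# Constructed sample kernel log lines in the assumed Shorewall/netfilter
# format; hosts, addresses and timestamps are made up for the example.
# The last line arrives on eth1, not ppp0, to show the interface filter.
SAMPLE_LOG='Jan 26 09:01:02 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33001 DPT=8080 SYN
Jan 26 09:01:05 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=33002 DPT=8080 SYN
Jan 26 09:01:09 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=4120 DPT=22 SYN
Jan 26 09:01:11 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=1025 DPT=80 SYN'

# Usage: count_dropped_dports <interface> < /var/log/messages
# Prints "DPT count" pairs for DROP entries that arrived on the given
# interface, most frequent first.
count_dropped_dports() {
    iface="$1"
    grep "Shorewall:[^ ]*:DROP:IN=${iface} " \
    | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
    | sort | uniq -c \
    | sort -rn \
    | awk '{ print $2, $1 }'
}

# Usage: port_was_logged <interface> <port> < /var/log/messages
# Exit status 0 if at least one DROP for that port was logged on the
# interface, 1 otherwise; handy for confirming "port 80 is never logged".
port_was_logged() {
    iface="$1"; port="$2"
    count_dropped_dports "$iface" \
    | awk -v p="$port" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Run against the constructed sample: expect 8080 twice, 22 once, no 80.
printf '%s\n' "$SAMPLE_LOG" | count_dropped_dports ppp0
```

On the real box, replace the sample with `count_dropped_dports ppp0 < /var/log/messages`; an empty result while a remote probe is running points back at LOGRATE/LOGBURST or at traffic that never reaches the interface at all.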