Maybe this is already "in" but I just don't see it...

I'd really love it if Shorewall came with a file that allowed me to speak in terms of the "services" that I'm trying to open or close, rather than ports.

In other words, I'd like for there to be a definition-file someplace that says that "the (say) FTP service requires ports X-Y to be open for TCP and UDP, and ports X2-Y2 also to be open."

Then I could specify a rule such as:

    (from) LOCAL (to) INTERNET (service) FTP_SERVICE (is) ALLOWED

One of the most difficult .. for me, anyway .. aspects of setting up a firewall correctly is knowing which ports need to be open or closed in order for a particular service to be correctly activated or blocked. Sure, I could look up the information on somebody's web-site somewhere, but it would be so much better if Shorewall came equipped with a service-definition file which contained the needed info, "known to be correct."

Shorewall, being the good computer program that it is, could easily expand these specifications into appropriate iptables rules, detect conflicts between them, and so-on ... much quicker and more reliably than "little ol' me."

-Mike Robinson
--On Monday, February 24, 2003 10:21:58 AM -0700 Mike Robinson <miker@sundialservices.com> wrote:

> Maybe this is already "in" but I just don't see it...
>
> I'd really love it if Shorewall came with a file that allowed me to speak
> in terms of the "services" that I'm trying to open or close, rather than
> ports.
>
> In other words, I'd like for there to be a definition-file someplace that
> says that "the (say) FTP service requires ports X-Y to be open for TCP
> and UDP, and ports X2-Y2 also to be open."
>
> Then I could specify a rule such as:
>
>     (from) LOCAL (to) INTERNET (service) FTP_SERVICE (is) ALLOWED
>
> One of the most difficult .. for me, anyway .. aspects of setting up a
> firewall correctly is knowing which ports need to be open or closed in
> order for a particular service to be correctly activated or blocked.
> Sure, I could look up the information on somebody's web-site somewhere,
> but it would be so much better if Shorewall came equipped with a
> service-definition file which contained the needed info, "known to be
> correct."

Shorewall actually does come with such a list -- it is called ports.htm. You can access it from the home page (either from the web or from the local copy installed with Shorewall) -> Documentation Index -> Port Information (* Which applications use which ports).

I'm very reluctant to do anything more than that -- if I make it a "services" file as you suggest then I can guarantee that every day there will be problem reports:

<whine> Kazzaa isn't in the services file. </whine>
<whine> Why isn't edonkey in the services file. </whine>
...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Mike Robinson wrote:

> Maybe this is already "in" but I just don't see it...
>
> I'd really love it if Shorewall came with a file that allowed me to speak in
> terms of the "services" that I'm trying to open or close, rather than ports.
>
> In other words, I'd like for there to be a definition-file someplace that says
> that "the (say) FTP service requires ports X-Y to be open for TCP and UDP,
> and ports X2-Y2 also to be open."
>
> Then I could specify a rule such as:
>
>     (from) LOCAL (to) INTERNET (service) FTP_SERVICE (is) ALLOWED
>
> One of the most difficult .. for me, anyway .. aspects of setting up a
> firewall correctly is knowing which ports need to be open or closed in order
> for a particular service to be correctly activated or blocked. Sure, I could
> look up the information on somebody's web-site somewhere, but it would be so
> much better if Shorewall came equipped with a service-definition file which
> contained the needed info, "known to be correct."

Mike,

A couple of points that Tom didn't mention:

1. Shorewall knows about the /etc/services file, so you can already specify rules like this:

    ACCEPT  loc  net  tcp  ssh
    ACCEPT  net  dmz  tcp  http

   I tend not to use this because
   a) it introduces yet another dependency into shorewall's startup which IMHO is bad, and
   b) I tend to order my rules files by port number, and
   c) I think it's good to remember the port numbers anyway. :-)

2. In many cases, the "and ports X2-Y2 also to be open" part is covered by connection tracking, which is controlled by /etc/shorewall/modules. For example, since the FTP connection tracking module is on by default (the "loadmodule ip_conntrack_ftp" in that file), all you need to do to enable FTP is a rule like this:

    ACCEPT  net  dmz  tcp  ftp

   The iptables connection tracking takes care of the rest (I believe it even knows about active and passive FTP).

Connection tracking is one of the main reasons I trust shorewall/iptables over some of the older firewall distributions based on the 2.2 kernel, because it only opens the ports that are necessary - on a per-connection basis - and closes them again when they are not needed.

Paul
--On Tuesday, February 25, 2003 05:51:18 AM +1000 Paul Gear <paul@gear.dyndns.org> wrote:

> Mike,
>
> A couple of points that Tom didn't mention:
>
> 1. Shorewall knows about the /etc/services file, so you can already
> specify rules like this:
>
>     ACCEPT  loc  net  tcp  ssh
>     ACCEPT  net  dmz  tcp  http
>
>    I tend not to use this because
>    a) it introduces yet another dependency into shorewall's startup
>       which IMHO is bad, and
>    b) I tend to order my rules files by port number, and
>    c) I think it's good to remember the port numbers anyway. :-)

Yep -- the Netfilter log certainly doesn't collapse PROTO=97 into AX.25 or PROTO=6 DPORT=21 into "FTP".

> 2. In many cases, the "and ports X2-Y2 also to be open" part is covered
> by connection tracking, which is controlled by /etc/shorewall/modules.
> For example, since the FTP connection tracking module is on by default
> (the "loadmodule ip_conntrack_ftp" in that file), all you need to do to
> enable FTP is a rule like this:
>
>     ACCEPT  net  dmz  tcp  ftp
>
>    The iptables connection tracking takes care of the rest (I believe it
>    even knows about active and passive FTP).

Yes, it does.

> Connection tracking is one of the main reasons I trust shorewall/iptables
> over some of the older firewall distributions based on the 2.2 kernel,
> because it only opens the ports that are necessary - on a per-connection
> basis - and closes them again when they are not needed.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
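An added illustration of the two points made in Paul's message and Tom's reply (that rules can name services from /etc/services and rely on ip_conntrack_ftp for the data connection, and that the netfilter log prints protocol and port numbers rather than service names). This is not Shorewall's own code and is a deliberate simplification: the `<source>2<dest>` chain naming, the exact iptables invocations, the /etc/services excerpt, the "Shorewall:net2all:DROP:" log prefix and the log line itself are all constructed for the example.

```python
"""Added illustration (not Shorewall's own code): expand service names in
Shorewall-style rules to port numbers the way a front end that reads
/etc/services must, and translate the numeric PROTO=/DPT= fields of a
netfilter log line back into a service name."""
import re

# Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment]
SERVICES_TEXT = """\
# Network services, Internet style (constructed sample)
ftp-data   20/tcp
ftp        21/tcp
ssh        22/tcp
domain     53/tcp   nameserver
domain     53/udp   nameserver
http       80/tcp   www www-http
"""

# IP protocol numbers, for logs that print PROTO=6 instead of PROTO=TCP
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed netfilter log line; the "Shorewall:net2all:DROP:" prefix is assumed
LOG_LINE = (
    "Feb 24 10:21:58 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF "
    "PROTO=TCP SPT=34567 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def parse_services(text):
    """Build by_name[(name_or_alias, proto)] -> port and
    by_port[(proto, port)] -> canonical name from /etc/services-format text."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port_str, proto = fields[1].split("/")
        port = int(port_str)
        for alias in [fields[0]] + fields[2:]:
            by_name.setdefault((alias, proto), port)
        by_port.setdefault((proto, port), fields[0])
    return by_name, by_port


BY_NAME, BY_PORT = parse_services(SERVICES_TEXT)


def resolve_port(spec, proto):
    """Return a numeric port or port range for a rule's DPORT field.
    Unknown names raise: a rule must fail at load time rather than silently
    open nothing (or be skipped while the rest of the policy loads)."""
    if re.fullmatch(r"\d+(:\d+)?", spec):
        return spec
    try:
        return str(BY_NAME[(spec, proto)])
    except KeyError:
        raise ValueError(f"unknown service {spec!r} for {proto}") from None


def expand_rule(rule):
    """'ACCEPT loc net tcp ssh' -> one iptables command.
    Chain naming <source>2<dest> is an assumption of this example."""
    action, src, dst, proto, dport = rule.split()
    port = resolve_port(dport, proto)
    return f"iptables -A {src}2{dst} -p {proto} --dport {port} -j {action}"


def expand_rules(rules):
    """Expand a rules list, preceded by the stateful rule that lets conntrack
    (with ip_conntrack_ftp loaded) admit FTP data connections as RELATED, so
    the control-port rule alone covers both active and passive FTP."""
    stateful = "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    return [stateful] + [expand_rule(r) for r in rules]


def describe_log(line):
    """'... PROTO=TCP ... DPT=21 ...' -> 'tcp/21 (ftp)'; None if no port field."""
    m_proto = re.search(r"\bPROTO=(\w+)", line)
    m_dpt = re.search(r"\bDPT=(\d+)", line)
    if not (m_proto and m_dpt):
        return None
    raw = m_proto.group(1)
    proto = IP_PROTO_NAMES.get(int(raw), raw) if raw.isdigit() else raw.lower()
    port = int(m_dpt.group(1))
    name = BY_PORT.get((proto, port))
    return f"{proto}/{port} ({name})" if name else f"{proto}/{port}"


if __name__ == "__main__":
    for cmd in expand_rules(["ACCEPT loc net tcp ssh",
                             "ACCEPT net dmz tcp http",
                             "ACCEPT net dmz tcp ftp"]):
        print(cmd)
    print(describe_log(LOG_LINE))
```

The unknown-name case is the one worth noticing: a service file adds a name lookup to every rule load, and a misspelt or missing name has to abort the load loudly, which is the startup dependency Paul's point (a) refers to. The reverse lookup shows why Tom's objection about the log is a separate problem: the kernel logs protocol and port numbers, so any mapping back to "FTP" happens outside netfilter.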