I'm wondering if it is possible to do something like

    . /etc/shorewall/somefile

from inside the blacklist file in a future release. Is this sort of thing already available and I'm just doing it wrong?

--
Brad Wyman
bradw@sta-care.com
Network Admin
Sta-Care, Inc.

PGP Fingerprint: 8B1E E12F 3982 0D54 E01C DFD3 898B 6CA3 ED6F 3E56

It's not already available and it is unlikely to be added given that there are obvious workarounds. For example, if your blacklist is made up of several files (f1, f2, ... fn), you can simply "cat f1 f2 f3 ... fn > /etc/shorewall/blacklist".

In the next RC of 1.3 (or Final if no more RCs), I'll include the ability to have a /etc/shorewall/refresh file that will be sourced prior to refreshing the blacklist. This will allow the above command to be executed prior to reloading the blacklist chain. For handling "start" and "restart", you can include the command in /etc/shorewall/init.

If you want to modify your firewall script to run /etc/shorewall/restart before that, just add "run_user_exit refresh" to the "refresh_firewall" function. Just be sure to add the command before the existing "refresh_blacklist" call.

-Tom

----- Original Message -----
From: "bradw" <tildar@sta-care.com>
To: <shorewall-users@shorewall.net>
Sent: Friday, May 24, 2002 7:53 AM
Subject: [Shorewall-users] blacklist question

> I'm wondering if it is possible to do something like
>
>     . /etc/shorewall/somefile
>
> from inside the blacklist file in a future release.
> Is this sort of thing already available and I'm just doing it wrong?
>
> --
> Brad Wyman
> bradw@sta-care.com
> Network Admin
> Sta-Care, Inc.

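As an added example (not Shorewall's own code and not Tom's), here is the "cat f1 f2 ... fn > /etc/shorewall/blacklist" workaround as a small sh script that can be called from the /etc/shorewall/refresh and /etc/shorewall/init user exits described above. It assumes the fragments sit in a directory of your choosing (a hypothetical /etc/shorewall/blacklist.d) with one IPv4 address or a.b.c.d/n network per line and '#' comments, and it adds a validation step so a mistyped fragment line cannot replace a working blacklist with a broken one.

```shell
#!/bin/sh
# Build /etc/shorewall/blacklist from a directory of fragment files (the
# "cat f1 f2 ... fn > /etc/shorewall/blacklist" workaround), but strip
# comments and blank lines, deduplicate, and refuse to install the result
# if any fragment line is not an IPv4 address or a.b.c.d/n network.
# Assumptions (example code, not Shorewall's own): one entry per line,
# '#' starts a comment, fragments live in a directory such as the
# hypothetical /etc/shorewall/blacklist.d.

# Return 0 if $1 is an IPv4 address, optionally with a /prefix length.
is_ipv4_net() {
    case "$1" in
        */*) addr=${1%/*}; pfx=${1#*/} ;;
        *)   addr=$1; pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# assemble_blacklist <fragment-dir> <output-file>
# Writes the merged, validated list to <output-file>; on any bad entry the
# existing output file is left untouched and the function returns 1.
assemble_blacklist() {
    dir=$1; out=$2; tmp="$out.tmp"; rc=0
    : > "$tmp"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" |
        while IFS= read -r entry; do
            [ -n "$entry" ] || continue
            if is_ipv4_net "$entry"; then
                echo "$entry"
            else
                echo "assemble_blacklist: bad entry '$entry' in $f" >&2
                exit 1      # leaves the pipeline with a non-zero status
            fi
        done >> "$tmp" || rc=1
    done
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return 1; fi
    sort -u "$tmp" > "$out" && rm -f "$tmp"
}
```

Called as `assemble_blacklist /etc/shorewall/blacklist.d /etc/shorewall/blacklist` from the refresh hook, it exits non-zero before "refresh_blacklist" runs if a fragment is malformed.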
I'm probably missing something, but what is the difference between lower and upper case versions of the iptables' policies?

The reason I ask, is I was troubleshooting some anomalies with scans and port 135 showing as closed, when I thought it should be blocked. What I found was two instances of policies stating 'reject' rather than 'REJECT' in the common.def file -- one for port 135 and one for AUTH blocking.

Changing the case to upper does seem to change how the iptables -L command displays the rule, but I just fail to fathom what the difference means.

Thanks,
JCS

Another question for you firewall aficionados...

I am seeing hundreds of inbound syn packets per hour to tcp port 6633, originating from dozens of hosts around the globe. Anyone have any info on this? I can find no correlation to anything originating from my network to the seemingly randomly-originated and continuous inbound stream. I can find nothing on the net regarding this traffic pattern.

Thanks,
John Stroud

On Sat, 25 May 2002, John Stroud wrote:

> I'm probably missing something, but what is the difference between lower
> and upper case versions of the iptables' policies?
>
> The reason I ask, is I was troubleshooting some anomalies with scans and
> port 135 showing as closed, when I thought it should be blocked. What I
> found was two instances of policies stating 'reject' rather than
> 'REJECT' in the common.def file -- one for port 135 and one for AUTH
> blocking.
>
> Changing the case to upper does seem to change how the iptables -L
> command displays the rule, but I just fail to fathom what the difference
> means.

REJECT is a builtin target provided by Netfilter that by default rejects the connection request with an ICMP port unreachable response. 'reject' is a chain created by Shorewall that responds to TCP connection requests with a TCP RST and that responds to UDP connection requests with an ICMP port unreachable response.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

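To make the distinction concrete, here is an added example (not Shorewall's own code) of the iptables rules that build a user chain with the behaviour Tom describes, alongside use of the plain builtin REJECT target; the chain name, the catch-all last rule, the DRY_RUN switch and the port 135 usage rules are assumptions for illustration.

```shell
#!/bin/sh
# A user-defined 'reject' chain that behaves the way Tom describes: TCP is
# answered with a TCP RST and UDP with ICMP port-unreachable, whereas the
# builtin REJECT target answers everything with ICMP port-unreachable by
# default. Example code, not Shorewall's own; the catch-all last rule and
# the port 135 usage rules are assumptions.
# DRY_RUN=1 prints the iptables commands instead of executing them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_reject_chain() {
    ipt -N reject 2>/dev/null || ipt -F reject   # create, or empty if present
    # TCP: a RST is why a scan reports the port as "closed" (John's symptom)
    ipt -A reject -p tcp -j REJECT --reject-with tcp-reset
    # UDP: same answer as the builtin REJECT default
    ipt -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
    # Other protocols: fall back to the builtin default (assumption)
    ipt -A reject -j REJECT
}

# Send inbound port 135 through the chain (lower-case 'reject', the chain)
# rather than to the builtin target (upper-case REJECT).
reject_port_135() {
    ipt -A INPUT -p tcp --dport 135 -j reject
    ipt -A INPUT -p udp --dport 135 -j reject
}
```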
On Sat, 25 May 2002, John Stroud wrote:

> I'm probably missing something, but what is the difference between lower
> and upper case versions of the iptables' policies?
>
> The reason I ask, is I was troubleshooting some anomalies with scans and
> port 135 showing as closed, when I thought it should be blocked. What I
> found was two instances of policies stating 'reject' rather than
> 'REJECT' in the common.def file -- one for port 135 and one for AUTH
> blocking.

BTW -- the issue of port 135 is a FAQ -- see http://www.shorewall.net/FAQ.htm.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

On Sun, 26 May 2002, John Stroud wrote:

> Another question for you firewall aficionados...
>
> I am seeing hundreds of inbound syn packets per hour to tcp port 6633,
> originating from dozens of hosts around the globe. Anyone have any info
> on this? I can find no correlation to anything originating from my
> network to the seemingly randomly-originated and continuous inbound
> stream.

Sorry, can't help you. The Port du Jour here is 1433 (MS SQL Server).

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep wrote:

> On Sun, 26 May 2002, John Stroud wrote:
>
> > Another question for you firewall aficionados...
> >
> > I am seeing hundreds of inbound syn packets per hour to tcp port 6633,
> > originating from dozens of hosts around the globe. Anyone have any info
> > on this? I can find no correlation to anything originating from my
> > network to the seemingly randomly-originated and continuous inbound
> > stream.
>
> Sorry, can't help you. The Port du Jour here is 1433 (MS SQL Server).

And here! The script kiddies/worms seem to be majoring in MS SQL, minoring in wu-ftpd, and taking a course in ssh, IIS, or rpc every now and then... :-)

Paul
http://paulgear.webhop.net