Taso Hatzi
2002-May-25 10:16 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
Bug.

The chain icmpdef is never traversed. Not specifying 'noping' causes all icmp packets to be accepted, specifying 'noping' causes all of them to be dropped.

Possible Design Flaw:

I have a need to block specific destination IPs, all protocols and all ports, as early as possible in the INPUT and FORWARD chains (or eth0_in and eth0_fwd). The blacklist feature works on source addresses. The reason I need this is because I have run into a DSL provider who, for reasons that I don't understand, refuses to disable directed broadcasts in the modem/routers they supply. So I want to block all protocols, all ports on the all 0's and all 1's IP addresses.
Tom Eastep
2002-May-25 13:54 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
On Sat, 25 May 2002, Taso Hatzi wrote:

> Bug.
>
> The chain icmpdef is never traversed. Not specifying 'noping'
> causes all icmp packets to be accepted, specifying 'noping'
> causes all of them to be dropped.
>

Here's my eth0_in chain:

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5025  319K rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5025  319K blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    64 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
 5024  319K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I don't specify 'noping' and clearly only icmp type 8 (ping) packets are being ACCEPTed. Does your chain look different?

Shorewall-1.2.92 Chain icmpdef at gateway.shorewall.net - Sat May 25 06:45:12 PDT 2002

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   256 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
[root@gateway root]#

So at least in my case, there have been 4 echo reply packets pass through the icmpdef chain.

>
> Possible Design Flaw:
>
> I have a need to block specific destination IPs, all protocols
> and all ports, as early as possible in the INPUT and FORWARD
> chains (or eth0_in and eth0_fwd). The blacklist feature works
> on source addresses. The reason I need this is because I have
> run into a DSL provider who, for reasons that I don't understand,
> refuses to disable directed broadcasts in the modem/routers
> they supply. So I want to block all protocols, all ports on the
> all 0's and all 1's IP addresses.
>

I guess that I still don't see the problem, especially given your comments above about the icmpdef chain and the 'noping' option; how are these things related (or are they)?

If you need to insert rules that you find aren't possible with the standard configuration features, you can always create /etc/shorewall/start and insert your own rules; see http://www.shorewall.net/1.3/Documentation.htm#Scripts

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Taso Hatzi
2002-May-25 14:56 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
Tom Eastep wrote:
>
> I don't specify 'noping' and clearly only icmp type 8 (ping) packets are
> being ACCEPTed. Does your chain look different?

My eth0_in chain is similar, and so produces the same result, but I was making the point that chain 'icmpdef' does not appear as a target, either in eth0_in, or any other chain, so I can't see when it gets traversed.

>
> I guess that I still don't see the problem, especially given your comments
> above about the icmpdef chain and the 'noping' option; how are these
> things related (or are they)?
>

They are only related in that both arose out of me trying to block the all 0's and all 1's (broadcast) IPs from entering or passing through the firewall. Rules don't catch the icmp packets because they have already been ACCEPT'd. Adding stuff to icmpdef is (apparently) futile because the 'icmpdef' chain doesn't get traversed.

> If you need to insert rules that you find aren't possible with the
> standard configuration features, you can always create
> /etc/shorewall/start and insert your own rules; see
> http://www.shorewall.net/1.3/Documentation.htm#Scripts
>

Thanks, I will have a look at that.
Tom Eastep
2002-May-25 15:57 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
On Sun, 26 May 2002, Taso Hatzi wrote:

> Tom Eastep wrote:
> >
> > I don't specify 'noping' and clearly only icmp type 8 (ping) packets are
> > being ACCEPTed. Does your chain look different?
>
> My eth0_in chain is similar, and so produces the same result,
> but I was making the point that chain 'icmpdef' does not appear
> as a target, either in eth0_in, or any other chain, so I can't
> see when it gets traversed.
>

It's traversed out of the common chain.

> >
> > I guess that I still don't see the problem, especially given your comments
> > above about the icmpdef chain and the 'noping' option; how are these
> > things related (or are they)?
> >
>
> They are only related in that both arose out of me trying to block
> the all 0's and all 1's (broadcast) IPs from entering or passing
> through the firewall. Rules don't catch the icmp packets because
> they have already been ACCEPT'd. Adding stuff to icmpdef is (apparently)
> futile because the 'icmpdef' chain doesn't get traversed.
>

Then you had better study the rules some more. Sorry that I don't have time to continue but I'm going out of town for several days.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Taso Hatzi
2002-May-26 15:11 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
Tom Eastep wrote:
>
> Then you had better study the rules some more. Sorry that I don't have
> time to continue but I'm going out of town for several days.
>

Ok, I see one problem. The file 'common' contains the following:

#
# Include the standard common.def file
#
. common.def
#

This bombs out if the working dir isn't /etc/shorewall, and the rules in the common chain are not added, hence my remark about not seeing how icmpdef gets traversed. Changing the above to

. /etc/shorewall/common.def

corrects that problem.

That leaves the issue of where to block packets with all 0's and all 1's destination address. I can see the script is adding a DROP rule for the all 1's broadcast address in the common chain, but I think that's too far down the chain. The rule should be at the top of the eth?_in and eth?_fwd chains. Also, there should be a rule for the all 0's address.

Putting appropriate blocks in the rules file nearly gives the desired result - except for the 'ACCEPT icmp type 8' rule which precedes it.
Tom Eastep
2002-May-28 22:45 UTC
[Shorewall-users] 1 bug + 1 (possible) design flaw in 1.2-92
On Mon, 27 May 2002, Taso Hatzi wrote:

> Ok, I see one problem. The file 'common' contains the following:
>
> #
> # Include the standard common.def file
> #
> . common.def
> #
>
> This bombs out if the working dir isn't /etc/shorewall, and
> the rules in the common chain are not added, hence my remark
> about not seeing how icmpdef gets traversed. Changing the above
> to
>
> . /etc/shorewall/common.def
>
> corrects that problem.
>

Thanks -- I've updated the samples. A month or six weeks ago, I swore that I would never again touch the samples or Quick Start -- this is an example of the reason I feel that way.

> That leaves the issue of where to block packets with
> all 0's and all 1's destination address. I can see the
> script is adding a DROP rule for the all 1's broadcast
> address in the common chain, but I think that's too
> far down the chain. The rule should be at the top
> of the eth?_in and eth?_fwd chains.

If you add the following two rules in the rules file, that should be sufficient:

DROP    net    loc:255.255.255.255
DROP    net    loc:0.0.0.0

> Also, there
> should be a rule for the all 0's address.
>

Probably -- but remember that the ONLY reason that there are those silent drops in the common chain is so that they won't be logged by the user's policy and so that I don't get frantic "I'm under attack" emails. The common chain is only traversed if the POLICY is DROP or REJECT.

> Putting appropriate blocks in the rules file,
> nearly gives the desired result - except for
> the 'ACCEPT icmp type 8' rule which precedes it.
>

Disabling response to broadcast ICMP 8 in /proc closes that door.

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
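The two things this thread turned on, a chain (icmpdef) that nothing jumps to once ". common.def" fails to load, and broadcast DROP rules that land below the "ACCEPT icmp type 8" rule in eth0_in, can both be read off an `iptables -L -v -n` listing of the kind Tom posted. The script below is an added example, not Shorewall's own code: it parses that listing format, reports user chains that no path of jumps from a built-in chain reaches, and reports terminating rules that an earlier terminating rule in the same chain already catches. The listing it runs on is constructed for the example and only loosely follows the chains shown in the thread. One caveat a practitioner will want on the /proc suggestion at the end of the thread: the kernel ignores broadcast echo requests when icmp_echo_ignore_broadcasts is 1 and answers them when it is 0.

```python
# Added example, not Shorewall code: audit an `iptables -L -v -n` listing for
# (1) user chains no jump from a built-in chain can reach and (2) terminating
# rules that an earlier terminating rule in the same chain already matches.
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target prot src dst extra")  # extra: match text after destination
BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal for the packet
CHAIN_HDR = re.compile(r"^Chain (\S+) \(.*\)$")


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {chain name: [Rule, ...]}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_HDR.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif line[:1].isdigit() and current is not None:  # rule lines start with pkts
            # columns: pkts bytes target prot opt in out source destination [match options]
            c = line.split(None, 9)
            if len(c) < 9:
                raise ValueError("unrecognised rule line: %r" % raw)
            current.append(Rule(c[2], c[3], ipaddress.ip_network(c[7]),
                                ipaddress.ip_network(c[8]), c[9] if len(c) > 9 else ""))
    return chains


def unreachable_chains(chains):
    """Chains that no sequence of jumps from a built-in chain can reach."""
    seen, stack = set(), [c for c in BUILTIN if c in chains]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(r.target for r in chains[name] if r.target in chains)
    return sorted(set(chains) - seen)


def overlap(earlier, later):
    """'full' if `earlier` matches everything `later` would, 'partial' if only
    some of it, None if they can never match the same packet.  Addresses compare
    as networks; match options compare textually, so differing ones count as disjoint."""
    if not (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)):
        return None
    if "all" not in (earlier.prot, later.prot) and earlier.prot != later.prot:
        return None
    if earlier.extra and later.extra and earlier.extra != later.extra:
        return None
    wide = earlier.prot in ("all", later.prot) and earlier.extra in ("", later.extra)
    return "full" if wide else "partial"


def shadowed_rules(rules):
    """(later, earlier, kind) for each terminating rule that an earlier
    terminating rule in the same chain already catches some or all of."""
    hits = []
    for i, later in enumerate(rules):
        if later.target in TERMINATING:
            for j in range(i):
                kind = rules[j].target in TERMINATING and overlap(rules[j], later)
                if kind:
                    hits.append((i, j, kind))
    return hits


def audit(listing):
    chains = parse_listing(listing)
    shadowed = {n: shadowed_rules(r) for n, r in chains.items()}
    return {"unreachable": unreachable_chains(chains),
            "shadowed": {n: h for n, h in shadowed.items() if h}}


# Constructed listing: net2fw jumps to a common chain that never got its rules
# (the ". common.def" failure) and the broadcast DROPs sit below the ping ACCEPT.
BROKEN = """\
Chain INPUT (policy DROP)
 pkts bytes target     prot opt in     out     source               destination
 5025  319K eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    64 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0
 5024  319K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5024  319K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
"""
```

audit(BROKEN) reports icmpdef as unreachable and flags both DROP rules in eth0_in as partially shadowed by the ACCEPT ahead of them (only the echo-request part of the broadcast traffic slips past, which is exactly the gap Taso describes). With common.def loaded so that common jumps to icmpdef, and the two DROPs moved to the top of eth0_in, the same audit returns nothing; that is the ordering Taso asks for at the top of the eth?_in and eth?_fwd chains.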