Shorewall users - May 2002 - 1 bug + 1 (possible) design flaw in 1.2-92

Bug.

The chain icmpdef is never traversed. Not specifying ''noping''
cause all icmp packets to be accepted, specifying ''noping''
causes all of them to be dropped.


Possible Design Flaw:

I have a need to block specific destination IPs, all protocols
and all ports, as early as possible in the INPUT and FORWARD
chains (or eth0_in and eth0_fwd). The blacklist feature works
on source addresses. The reason I need this is because I have
run into an DSL provider who, for reasons that I don''t understand,
refuses to disable directed broadcasts in the modem/routers
they supply. So I want to block all protocols, all ports on the
all 0''s and all 1''s IP addresses.

On Sat, 25 May 2002, Taso Hatzi wrote:
> Bug.
> 
> The chain icmpdef is never traversed. Not specifying
''noping''
> cause all icmp packets to be accepted, specifying
''noping''
> causes all of them to be dropped.
>
Here''s my eth0_in chain:

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               
destination
 5025  319K rfc1918    all  --  *      *       0.0.0.0/0            
0.0.0.0/0
 5025  319K blacklst   all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    1    64 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 8
 5024  319K net2fw     all  --  *      *       0.0.0.0/0            
0.0.0.0/0

I don''t specify ''noping'' and clearly only icmp type 8
(ping) packets are
being ACCEPTed. Does your chain look different?

Shorewall-1.2.92 Chain icmpdef at gateway.shorewall.net - Sat May 25 
06:45:12 PDT 2002

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               
destination
y    4   256 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 12
[root@gateway root]#

So at least in my case, there have been 4 echo reply packets pass through 
the icmpdef chain.
 
> 
> Possible Design Flaw:
> 
> I have a need to block specific destination IPs, all protocols
> and all ports, as early as possible in the INPUT and FORWARD
> chains (or eth0_in and eth0_fwd). The blacklist feature works
> on source addresses. The reason I need this is because I have
> run into an DSL provider who, for reasons that I don''t understand,
> refuses to disable directed broadcasts in the modem/routers
> they supply. So I want to block all protocols, all ports on the
> all 0''s and all 1''s IP addresses.
> 
I guess that I still don''t see the problem, especially given your
comments
above about the icmpdef chain and the ''noping'' option; how are
these
things related (or are they)?

If you need to insert rules that you find aren''t possible with the 
standard configuration features, you can always create 
/etc/shorewall/start and insert your own rules; see 
http://www.shorewall.net/1.3/Documentation.htm#Scripts

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep wrote:
> 
> I don''t specify ''noping'' and clearly only icmp
type 8 (ping) packets are
> being ACCEPTed. Does your chain look different?

My eth0_in chain is similar, and so produces the same result,
but I was making the point that chain ''icmpdef'' does not
appear
as a target, either in eth0_in, or any other chain, so I can''t
see when it gets traversed.
> 
> I guess that I still don''t see the problem, especially given your
comments
> above about the icmpdef chain and the ''noping'' option;
how are these
> things related (or are they)?
> 
They are only related in that both arose out of me trying to block
the all 0''s and all 1''s (broadcast) IPs from entering or
passing
through the firewall. Rules don''t catch the icmp packets because
they have already been ACCEPT''d. Adding stuff to icmpdef is
(apparently)
futile because the ''icmpdef'' chain doesn''t get
traversed.
> If you need to insert rules that you find aren''t possible with the
> standard configuration features, you can always create 
> /etc/shorewall/start and insert your own rules; see 
> http://www.shorewall.net/1.3/Documentation.htm#Scripts
> 
Thanks, I will have a look at that.

On Sun, 26 May 2002, Taso Hatzi wrote:
> Tom Eastep wrote:
> 
> > 
> > I don''t specify ''noping'' and clearly only
icmp type 8 (ping) packets are
> > being ACCEPTed. Does your chain look different?
> 
> 
> My eth0_in chain is similar, and so produces the same result,
> but I was making the point that chain ''icmpdef'' does not
appear
> as a target, either in eth0_in, or any other chain, so I can''t
> see when it gets traversed.
>
It''s traversed out of the common chain.
 
> > 
> > I guess that I still don''t see the problem, especially given
your comments
> > above about the icmpdef chain and the ''noping''
option; how are these
> > things related (or are they)?
> > 
> 
> They are only related in that both arose out of me trying to block
> the all 0''s and all 1''s (broadcast) IPs from entering or
passing
> through the firewall. Rules don''t catch the icmp packets because
> they have already been ACCEPT''d. Adding stuff to icmpdef is
(apparently)
> futile because the ''icmpdef'' chain doesn''t get
traversed.
> 
Then you had better study the rules some more. Sorry that I don''t have 
time to continue but I''m going out of town for several days.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep wrote:
> 
> Then you had better study the rules some more. Sorry that I don''t
have
> time to continue but I''m going out of town for several days.
> 
Ok, I see one problem. The file ''common'' contains the
following:

#
# Include the standard common.def file
#
. common.def
#

This bombs out if the working dir isn''t /etc/shorewall, and
the rules in the common chain are not added, hence my remark
about not seeing how icmpdef gets traversed. Changing the above
to

. /etc/shorewall/common.def

corrects that problem.


That leaves the issue of where to block packets with
all 0''s and all 1''s destination address. I can see the
script is adding a DROP rule for the all 1''s broadcast
address in the common chain, but I think that''s too
far down the chain. The rule should be at the top
of the eth?_in and eth?_fwd chains. Also, there
should be a rule for the all 0''s address.

Putting appropriate blocks in the rules file,
nearly gives the desired result - except for
the ''ACCEPT icmp type 8'' rule which precedes it.

On Mon, 27 May 2002, Taso Hatzi wrote:
> 
> Ok, I see one problem. The file ''common'' contains the
following:
> 
> #
> # Include the standard common.def file
> #
> . common.def
> #
> 
> This bombs out if the working dir isn''t /etc/shorewall, and
> the rules in the common chain are not added, hence my remark
> about not seeing how icmpdef gets traversed. Changing the above
> to
> 
> . /etc/shorewall/common.def
> 
> corrects that problem.
>
Thanks -- I''ve updated the samples. A month or six weeks ago, I swore
that
I would never again touch the samples or Quick Start -- this is an example 
of the reason I feel that way. 
 
> 
> That leaves the issue of where to block packets with
> all 0''s and all 1''s destination address. I can see the
> script is adding a DROP rule for the all 1''s broadcast
> address in the common chain, but I think that''s too
> far down the chain. The rule should be at the top
> of the eth?_in and eth?_fwd chains. 
If you add the following two rules in the rules file, that should be 
sufficient:

DROP	net	loc:255.255.255.255
DROP	net	loc:0.0.0.0
> Also, there
> should be a rule for the all 0''s address.
> 
Probably -- but remember that the ONLY reason that there are those silent 
drops in the common chain is so that they won''t be logged by the
user''s
policy and so that I don''t get frantic "I''m under
attack" emails. The
common chain is only traversed if the POLICY is DROP or REJECT.
> Putting appropriate blocks in the rules file,
> nearly gives the desired result - except for
> the ''ACCEPT icmp type 8'' rule which precedes it.
> 
Disabling response to broadcast ICMP 8 in /proc closes that door.

	echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net