I have a 2 NIC standard setup, one public, one private interface. I allow IP forwarding by the kernel but my policies are reject everything except fw<->fw (localhost). Everything needs to be allowed explicitly. I have specified filterping for every interface in the interface list.

Everything seems to be blocking fine except for ping.

For some strange reason a ping to everywhere is still possible even though I only have the following rules:

#-----------------------------------------------------------
### PING ICMP
#-----------------------------------------------------------
ACCEPT    fw           net    icmp    echo-request
ACCEPT    fw           loc    icmp    echo-request
ACCEPT    loc          fw     icmp    echo-request
ACCEPT    loc:$RBWORK  net    icmp    echo-request
#ACCEPT   net          fw     icmp    echo-request
ACCEPT    net:$RBHOME  fw     icmp    echo-request

The 2 params $RBHOME and $RBWORK are IPs only, not subnets.

Could it be that this traffic still gets through because I allow loc->fw and fw->net and ip_forward is enabled although I do not allow loc->net, and how could I verify this?

Remco

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--On Saturday, November 23, 2002 04:19:28 PM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> I have a 2 nic standard setup, one public, one private interface. I allow
> ip forwarding by the kernel but my policies are reject everything accept
> fw<->fw(localhost).

Adding ANYTHING for fw->fw is a total waste of your time -- Shorewall unconditionally allows all fw->fw traffic no matter what you do.

> Everything needs to be allowed explicitly.
> I have specified filterping for every interface in the interface list.

And what is your setting for FORWARDPING in /etc/shorewall/shorewall.conf?

> Everything seems to be blocking fine accept for ping.
>
> For some strange reason a ping to everywhere is still possible even
> though I only have the following rules :

See above -- a ping from the firewall to anywhere is ALWAYS going to be possible and if you have FORWARDPING=Yes then ping from anywhere to anywhere is possible.

> #-----------------------------------------------------------
> ### PING ICMP
> #-----------------------------------------------------------
> ACCEPT fw net icmp echo-request
> ACCEPT fw loc icmp echo-request

Shorewall allows ALL ICMP outbound from the firewall no matter what you do so the above two rules are superfluous.

> ACCEPT loc fw icmp echo-request
> ACCEPT loc:$RBWORK net icmp echo-request
> #ACCEPT net fw icmp echo-request
> ACCEPT net:$RBHOME fw icmp echo-request
>
> The 2 params $RBHOME and $RBWORK are ip's only, not subnets.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
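To make the three points in the reply above concrete (firewall-originated ICMP is always accepted, FORWARDPING=Yes accepts forwarded echo-requests regardless of the rules file, and otherwise an explicit ACCEPT rule or the zone policy decides), here is a small model that parses the rules posted in the thread and reports the verdict for a few pings with FORWARDPING set each way. This is an added illustration written for this page, not Shorewall's own code, and it deliberately ignores everything else Shorewall does; the values of $RBWORK and $RBHOME and the test addresses are assumptions.

```python
"""Simplified model of the ping decisions discussed in this thread.

Added illustration, not Shorewall's code. It models only the three facts
stated in the reply above: firewall-originated ICMP is always accepted,
FORWARDPING=Yes accepts forwarded echo-requests regardless of the rules
file, and otherwise an explicit ACCEPT rule is needed or the zone policy
(REJECT here) applies. Variable values and test addresses are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the rules posted in the thread (Shorewall 1.3 syntax).
RULES_TEXT = """
#-----------------------------------------------------------
### PING ICMP
#-----------------------------------------------------------
ACCEPT fw net icmp echo-request
ACCEPT fw loc icmp echo-request
ACCEPT loc fw icmp echo-request
ACCEPT loc:$RBWORK net icmp echo-request
#ACCEPT net fw icmp echo-request
ACCEPT net:$RBHOME fw icmp echo-request
"""

# Assumed values for the two single-host variables from the post.
VARS = {"RBWORK": "192.168.1.10", "RBHOME": "203.0.113.5"}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]   # None means "any host in the zone"
    dst_zone: str
    dst_host: Optional[str]
    proto: str
    port: str                 # ICMP type name when proto is icmp


def expand(field: str, variables: dict) -> str:
    """Substitute $NAME shell-style variables, as the rules file allows."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], field)


def parse_rules(text: str, variables: dict) -> List[Rule]:
    """Parse ACTION SOURCE DEST PROTO DEST-PORT lines; comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()[:5]
        src_zone, _, src_host = expand(src, variables).partition(":")
        dst_zone, _, dst_host = expand(dst, variables).partition(":")
        rules.append(Rule(action, src_zone, src_host or None,
                          dst_zone, dst_host or None, proto, port))
    return rules


def ping_verdict(src_zone: str, src_ip: str, dst_zone: str,
                 rules: List[Rule], forwardping: bool,
                 policy: str = "REJECT") -> Tuple[str, str]:
    """Return (verdict, reason) for an echo-request from src to dst."""
    if src_zone == "fw":
        return "ACCEPT", "firewall-originated ICMP is always allowed"
    if dst_zone != "fw" and forwardping:
        # Forwarded traffic between two non-fw zones: FORWARDPING wins.
        return "ACCEPT", "FORWARDPING=Yes accepts forwarded echo-requests"
    for r in rules:
        if (r.action == "ACCEPT" and r.proto == "icmp"
                and r.port == "echo-request"
                and r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.src_host is None or r.src_host == src_ip)):
            return "ACCEPT", "explicit rule"
    return policy, "zone policy"


def demo() -> None:
    rules = parse_rules(RULES_TEXT, VARS)
    cases = [("loc", "192.168.1.20", "net"),   # unlisted LAN host -> internet
             ("loc", VARS["RBWORK"], "net"),   # the one permitted LAN host
             ("net", "198.51.100.7", "fw"),    # unlisted internet host -> fw
             ("fw", "10.0.0.1", "net")]        # the firewall itself
    for fp in (True, False):
        print(f"FORWARDPING={'Yes' if fp else 'No'}")
        for src_zone, src_ip, dst_zone in cases:
            verdict, why = ping_verdict(src_zone, src_ip, dst_zone, rules, fp)
            print(f"  {src_zone}:{src_ip} -> {dst_zone}: {verdict} ({why})")


if __name__ == "__main__":
    demo()
```

Running it shows the behaviour Remco saw: with FORWARDPING=Yes the unlisted LAN host 192.168.1.20 can ping the internet even though no loc->net rule covers it; with FORWARDPING=No only $RBWORK gets through. On a real box the equivalent check is to read FORWARDPING in /etc/shorewall/shorewall.conf and then look for an ICMP echo-request ACCEPT in the FORWARD chain with `iptables -L FORWARD -n -v`, since that chain, not the loc->fw or fw->net rules, is what carries a loc->net ping.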
--On Saturday, November 23, 2002 08:08:39 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Saturday, November 23, 2002 04:19:28 PM +0100 Remco Barendse
> <shorewall@barendse.to> wrote:
>
>> I have a 2 nic standard setup, one public, one private interface. I allow
>> ip forwarding by the kernel but my policies are reject everything accept
>> fw<->fw(localhost).
>
> Adding ANYTHING for fw->fw is a total waste of your time -- Shorewall
> unconditionally allows all fw->fw traffic no matter what you do.

And I should add that in 1.3.11, fw->fw policies will generate an error at startup and fw->fw rules will generate a warning and will be ignored -- that code has been in the development CVS project for a couple of weeks now.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
As always, you are right :)

I had never thought of a setting FORWARDPING and it is set to yes.

I suddenly got scared because I was trying some stuff on a box that shouldn't be able to get anywhere and it was able to ping the internet!

Just a suggestion, couldn't you have 1.3.11 also ignore a fw->fw policy instead of having it stopped with an error? I sort of like to have it there, if it was only to make sure any other admin that would look at my box and fw rules wouldn't think that I'd forgotten to allow localhost traffic and he'd therefore found the problem :) (That is only admins who aren't familiar with Shorewall of course, and all admins should be :))

Thanks for the reply!

On Sat, 23 Nov 2002, Tom Eastep wrote:

> --On Saturday, November 23, 2002 08:08:39 AM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>> --On Saturday, November 23, 2002 04:19:28 PM +0100 Remco Barendse
>> <shorewall@barendse.to> wrote:
>>
>>> I have a 2 nic standard setup, one public, one private interface. I allow
>>> ip forwarding by the kernel but my policies are reject everything accept
>>> fw<->fw(localhost).
>>
>> Adding ANYTHING for fw->fw is a total waste of your time -- Shorewall
>> unconditionally allows all fw->fw traffic no matter what you do.
>
> And I should add that in 1.3.11, fw->fw policies will generate an error at
> startup and fw->fw rules will generate a warning and will be ignored --
> that code has been in the development CVS project for a couple of weeks now.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
--On Saturday, November 23, 2002 05:31:52 PM +0100 Remco Barendse <shorewall@barendse.to> wrote:

> As always, you are right :)
>
> I had never thought of a setting FORWARDPING and it is set to yes.
>
> I suddenly got scared because I was trying some stuff on a box that
> shouldn't be able to get anywhere and it was able to ping the internet!
>
> Just a suggestion, couldn't you have 1.3.11 also ignore a fw->fw policy
> instead of having it stopped with an error? I sort of like to have it
> there, if it was only to make sure any other admin that would look at my
> box and fw rules wouldn't think that I'd forgotten to allow localhost
> traffic and he'd therefore found the problem :) (That is only ppl that
> admins who arent familiar with Shorewall ofcourse, and all admins should
> :))

I'll add a large warning to the 1.3.11 policy file template stating that a fw->fw policy will not be allowed. You should do the same with your copy.

The problem is that the policy file is read many times during "shorewall [re]start" and I don't want to have to add special code in all of those places to ignore fw->fw. People already complain that [re]start is too slow so I don't want to intentionally do anything to make it even slower :-)

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net