Hello,
I've installed Shorewall 1.4.1a on top of Red Hat 9, using the Quick
Install for standalone Shorewall configurations. I don't have the
hardware to test on yet, so my laptop is serving as the test rabbit.
I'm confronted with ports 389 (LDAP) and 1720 (H323HostCall) that always
stay open, no matter how I change the rules. I've included the policy
and rules files. Besides that, I still have 8 UDP ports that appear to be
open, but that seems to be an illusion, according to what I read in the
manuals and guides.
Can someone tell me why I keep having open ports even though I (think I)
tell Shorewall to shut all ports and gates?
Kind regards,
Gerd
[root@localhost gerdp]# /sbin/shorewall version
1.4.1a
[root@localhost gerdp]# uname -a
Linux localhost.localdomain 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003
i686 i686 i386 GNU/Linux
[root@localhost gerdp]# /sbin/ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:0b:cd:5f:85:d7 brd ff:ff:ff:ff:ff:ff
inet 192.168.221.12/24 brd 192.168.221.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
link/ether 00:02:2d:60:8d:da brd ff:ff:ff:ff:ff:ff
[root@localhost gerdp]# /sbin/ip route show
192.168.221.0/24 dev eth0 proto kernel scope link src 192.168.221.12
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.221.2 dev eth0
[root@localhost gerdp]# /sbin/lsmod
Module Size Used by Not tainted
trident 33620 0 (autoclean)
ac97_codec 13640 0 (autoclean) [trident]
pcigame 2952 0 (autoclean) [trident]
gameport 3364 0 (autoclean) [pcigame]
soundcore 6404 2 (autoclean) [trident]
parport_pc 19076 1 (autoclean)
lp 8996 0 (autoclean)
parport 37056 1 (autoclean) [parport_pc lp]
autofs 13268 0 (autoclean) (unused)
ipt_TOS 1656 4 (autoclean)
ipt_LOG 4152 7 (autoclean)
ipt_REJECT 3928 6 (autoclean)
ipt_state 1048 17 (autoclean)
iptable_mangle 2776 1 (autoclean)
ip_nat_irc 3280 0 (unused)
ip_nat_ftp 4112 0 (unused)
iptable_nat 21720 2 [ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 4112 1
ip_conntrack_ftp 5296 1
ip_conntrack 26976 4 [ipt_state ip_nat_irc ip_nat_ftp
iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 2412 1 (autoclean)
ip_tables 15096 9 [ipt_TOS ipt_LOG ipt_REJECT ipt_state
iptable_mangle iptable_nat iptable_filter]
orinoco_cs 5864 0 (unused)
orinoco 36024 0 [orinoco_cs]
hermes 8196 0 [orinoco_cs orinoco]
ds 8680 1 [orinoco_cs]
yenta_socket 13472 1
pcmcia_core 57216 0 [orinoco_cs ds yenta_socket]
8139too 18088 1
mii 3976 0 [8139too]
sg 36524 0 (autoclean)
sr_mod 18136 0 (autoclean)
ide-scsi 12208 0
scsi_mod 107160 3 [sg sr_mod ide-scsi]
ide-cd 35708 0
cdrom 33728 0 [sr_mod ide-cd]
ohci1394 20168 0 (unused)
ieee1394 48780 0 [ohci1394]
keybdev 2944 0 (unused)
mousedev 5492 1
hid 22148 0 (unused)
input 5856 0 [keybdev mousedev hid]
ehci-hcd 19976 0 (unused)
usb-ohci 21480 0 (unused)
usbcore 78784 1 [hid ehci-hcd usb-ohci]
ext3 70784 2
jbd 51892 2 [ext3]
-------------- next part --------------
Shorewall-1.4.1a Status at localhost.localdomain - Mon Apr 14 22:38:08 CEST 2003
Counters reset Tue Apr 15 00:05:14 CEST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
14695 1003K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
87 12185 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
14695 1003K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
109 8492 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
192.168.221.255
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
87 12185 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
7 2088 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
29 3029 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
80 10097 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
49 4839 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
60 3653 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain logdrop (29 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
51 7068 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
29 3029 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (8 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
29 3029 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
29 3029 RETURN all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 201.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53263 DF PROTO=TCP SPT=4048 DPT=25006
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53264 DF PROTO=TCP SPT=4049 DPT=25007
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53265 DF PROTO=TCP SPT=4050 DPT=25008
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53266 DF PROTO=TCP SPT=4051 DPT=25009
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53267 DF PROTO=TCP SPT=4052 DPT=25793
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53268 DF PROTO=TCP SPT=4053 DPT=25867
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53269 DF PROTO=TCP SPT=4054 DPT=26000
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53270 DF PROTO=TCP SPT=4055 DPT=26208
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53271 DF PROTO=TCP SPT=4056 DPT=30303
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53272 DF PROTO=TCP SPT=4057 DPT=47557
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53273 DF PROTO=TCP SPT=4058 DPT=47806
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53274 DF PROTO=TCP SPT=4059 DPT=47808
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53275 DF PROTO=TCP SPT=4060 DPT=54320
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 00:33:53 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=53276 DF PROTO=TCP SPT=4061 DPT=65000
WINDOW=16384 RES=0x00 SYN URGP=0
Apr 14 21:00:58 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=32 TOS=0x00 PREC=0x00 TTL=128 ID=4801 PROTO=ICMP TYPE=17 CODE=0
Apr 14 21:00:58 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=4802 PROTO=ICMP TYPE=13 CODE=0
Apr 14 21:00:58 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=4803 PROTO=ICMP TYPE=15 CODE=0
Apr 14 21:23:27 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=32 TOS=0x00 PREC=0x00 TTL=128 ID=5296 PROTO=ICMP TYPE=17 CODE=0
Apr 14 21:23:27 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=5297 PROTO=ICMP TYPE=13 CODE=0
Apr 14 21:23:27 net2all:DROP:IN=eth0 OUT= SRC=192.168.221.2 DST=192.168.221.12
LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=5298 PROTO=ICMP TYPE=15 CODE=0
NAT Table
Chain PREROUTING (policy ACCEPT 31 packets, 3633 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 409 packets, 24617 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 409 packets, 24617 bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 14782 packets, 1015K bytes)
pkts bytes target prot opt in out source destination
36 5117 man1918 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
state NEW
14782 1015K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 14782 packets, 1015K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14804 packets, 1012K bytes)
pkts bytes target prot opt in out source destination
14804 1012K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 14804 packets, 1012K bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (29 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
7 2088 RETURN all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0
169.254.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0
172.16.0.0/12
0 0 logdrop all -- * * 0.0.0.0/0 192.0.2.0/24
29 3029 RETURN all -- * * 0.0.0.0/0
192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 49.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 50.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 83.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop all -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0
198.18.0.0/15
0 0 logdrop all -- * * 0.0.0.0/0 201.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
tcp 6 60 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33162 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33162 [ASSURED] use=1
tcp 6 75 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33165 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33165 [ASSURED] use=1
tcp 6 90 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33168 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33168 [ASSURED] use=1
tcp 6 105 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33171 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33171 [ASSURED] use=1
tcp 6 0 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33150 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33150 [ASSURED] use=1
tcp 6 15 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33153 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33153 [ASSURED] use=1
tcp 6 30 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33156 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33156 [ASSURED] use=1
tcp 6 45 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33159 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33159 [ASSURED] use=1
tcp 6 55 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33161 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33161 [ASSURED] use=1
tcp 6 70 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33164 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33164 [ASSURED] use=1
tcp 6 85 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33167 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33167 [ASSURED] use=1
tcp 6 100 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33170 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33170 [ASSURED] use=1
tcp 6 115 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33173 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33173 [ASSURED] use=1
tcp 6 10 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33152 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33152 [ASSURED] use=1
tcp 6 25 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33155 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33155 [ASSURED] use=1
tcp 6 40 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33158 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33158 [ASSURED] use=1
tcp 6 50 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33160 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33160 [ASSURED] use=1
tcp 6 65 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33163 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33163 [ASSURED] use=1
tcp 6 80 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33166 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33166 [ASSURED] use=1
tcp 6 95 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33169 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33169 [ASSURED] use=1
tcp 6 110 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33172 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33172 [ASSURED] use=1
tcp 6 20 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33154 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33154 [ASSURED] use=1
tcp 6 35 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=33157 dport=631
src=127.0.0.1 dst=127.0.0.1 sport=631 dport=33157 [ASSURED] use=1
-------------- next part --------------
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!" and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp",
# a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
# net -> firewall: allow ICMP type 8 (echo request), i.e. the box answers
# ping from the net zone. For PROTO icmp the DEST PORT column is the
# icmp type, not a port.
ACCEPT net fw icmp 8
# net -> firewall: every other new UDP or TCP connection is REJECTed
# ("-" in DEST PORT / SOURCE PORT = no port restriction). REJECT, unlike
# DROP, answers the sender -- an ICMP port-unreachable for UDP and a TCP
# RST for TCP -- so a scan sees "closed" rather than "filtered" and learns
# that the host is up; use DROP if silence is preferred. No ":level"
# suffix is given, so these rejects are NOT logged; write e.g.
# REJECT:info to have them logged.
REJECT net fw udp - -
REJECT net fw tcp - -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT",
# "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and send the messages to a
# separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
# Policies apply only to new connections that matched nothing in
# /etc/shorewall/rules; entries are tried in order, first match wins.
# The firewall itself may open any connection to the net; no LOG LEVEL,
# so these are not logged.
fw net ACCEPT
# Anything new arriving from the net that no rule accepted is silently
# dropped (no reply to the sender) and logged at syslog level "info"
# (log prefix Shorewall:net2all:DROP:).
net all DROP info
# Every remaining source/destination zone pair is rejected (TCP RST, or
# ICMP port-unreachable for other protocols) and logged at "info".
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE