>> probably your policy allows the traffic from fw -> net

You are right.

>> try putting your blocking rules on blacklist file.

OK, in interfaces I put the blacklist option in the place where it is needed. I put one IP in the blacklist file to test it, and it is working. Now I want to block everything from net to port 901:

fw tcp 901 -> not working, shorewall doesn't start: "host/network `fw' not found"

then I try:

217.96.90.134 tcp 901 -> shorewall started, but from this IP (my IP) I still can connect to port 901

So how to do it in the blacklist file for port 901, how to block it?

>> Isn't there a way in SWAT config to do what you want?

I really want to do it in shorewall :)

-- 
---- An offer like never before! Web server 60 MB for 96 zl a year. Details: www.oferta.alpha.pl ----
> I really want to do it in shorewall :)

What's wrong with REJECT net $FW tcp 901 ? (I assume what you _really_ want is to block swat access (swat running on your firewall) from the internet?)
Swat also has an only_from option in the configuration file which will allow it to only work from a certain IP.

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
Want reliable web hosting at affordable prices? www.modevia.com
Web Dev/Design Community/Zine www.developercube.com

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jan Johansson
Sent: Wednesday, April 23, 2003 8:06 AM
To: 'Maciek Kurkiewicz'; shorewall-users@lists.shorewall.net
Subject: RE: [Shorewall-users] swat port 901 to net blocking

> I really want to do it in shorewall :)

What's wrong with REJECT net $FW tcp 901 ? (I assume what you _really_ want is to block swat access (swat running on your firewall) from the internet?)
>> REJECT net $FW tcp 901

It doesn't work in my shorewall, shorewall doesn't start: "unknown protocol `net' specified"

>> I assume what you _really_ want is to block swat access (swat running
>> on your firewall) from the internet?

yes
> It doesn't work in my shorewall,

Version?

> shorewall doesn't start. "unknown protocol
> `net' specified

And you put that in your rules file?
>> REJECT $FW net tcp 901
>> REJECT $FW net udp 901
>> does work, else something else is wrong with your set up, but that is
>> the correct rule.

It doesn't work, maybe I have something wrong, but I don't know what. After these rules I can connect to my external swat. Can someone suggest to me what can be wrong?
> It doesn't work, maybe I have something wrong, but I don't know what. After
> these rules I can connect to my external swat. Can someone suggest to me what
> can be wrong?

A million things.

1. Are you SURE you are trying to connect from the Net Zone to the swat interface?
2. How much have you changed in your configuration?
> It doesn't work, maybe I have something wrong, but I don't know what. After
> these rules I can connect to my external swat. Can someone suggest to me what
> can be wrong?

And now you say "External swat" again. EXACTLY what are you trying to do?

Where are you executing the call from?
Where is the host you want to prevent SWAT access from?
Where is the host you want to prevent SWAT access to?

When I asked you, you said you wanted to prevent access to SWAT running on the firewall from net. Now you say you want to prevent SWAT access "to an external SWAT". Which is it?
>> And now you say "External swat" again.
>> EXACTLY what are you trying to do?
>> Where are you executing the call from?
>> Where is the host you want to prevent SWAT access from?
>> Where is the host you want to prevent SWAT access to?
>> When I asked you, you said you wanted to prevent access to SWAT running
>> on firewall from net. Now you say you want to prevent SWAT access "to an
>> external SWAT". Which is it?

Sorry, it is my English's fault, it isn't so good. I have swat on my fw. I only want to have access from my local net; I want to block it from net. For example, if I connect to fw like this: http://192.168.1.1:901 it should work, and it is working. After that I can go to my friend, he has a different IP, and if I write http://217.96.90.134:901 (my IP) on his computer, it should be rejected by my firewall. I was trying to check it on my computer by connecting with http://217.96.90.134:901 (so it is my external IP) and from my friend's computer from a different IP. And it is still working after:

REJECT $FW net tcp 901
REJECT $FW net udp 901

I don't have something special in my configuration, I allow everything and after that reject some ports to IPs from net to loc, also have masq to my network. Nothing more. For example, the policy file:

loc net ACCEPT
net loc ACCEPT
loc fw ACCEPT
fw loc ACCEPT
net fw ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

I know that it isn't good to set it like that.
>> have you tried DROP instead of reject.

Yes, and from the internet each computer can go to my fw on port 901 to swat. I want nobody from the internet, only from the local network, to configure by port 901.

>> and have you tried blocking fw -> net access?

In the policy file I have changed:
fw net ACCEPT --to---> fw net REJECT
and restarted shorewall, and after that I can also connect to my swat on port 901 from other external IPs. It is strange.
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> >> have you tried DROP instead of reject.
>
> yes, and from internet each computer can go to my fw on port 901 to swat, I
> want nobody from internet, only from local network to configure by port 901
>
> >> and have you tried blocking fw -> net access?
>
> in policy file I have changed :
> fw net ACCEPT --to---> fw net REJECT and restart shorewall, and after
> that i can also connect to my swat to 901 port from other external IP's. It
> is strange

Are you stopping the browser between attempts to connect? Your browser may be keeping the port open and in that case, you can add rules until you are old and gray and the browser will still be able to access SWAT.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Yes, every time I have restarted my browser. Also I had logged in by ssh to another computer in another city with another external IP and I was checking it; after the rule

fw net reject

in the policy file I still can connect to 901. In my opinion it is strange.
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> yes, every time I have restarted my browser, also I had login by ssh to
> other computer in other city with other external IP and I was checking it,
> after rule
> fw net reject

Of course that policy has ABSOLUTELY NOTHING TO DO with connections from the net to the firewall....

-Tom
On Wed, 23 Apr 2003, Tom Eastep wrote:

> On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:
>
> > yes, every time I have restarted my browser, also I had login by ssh to
> > other computer in other city with other external IP and I was checking it,
> > after rule
> > fw net reject
>
> Of course that policy has ABSOLUTELY NOTHING TO DO with connections from
> the net to the firewall....

If you post your entire configuration along with the output of "shorewall status", we'll try to understand what is happening.... Please place all of the files in a tarball...

-Tom
All my files; the file "status" is 'shorewall status'.

(Attachment: files.tar.gz, 73896 bytes, http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030423/2f9ba4e3/files.tar-0001.obj)
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> all my files, file status is 'shorewall status'

You have:

/etc/shorewall/policy: net fw ACCEPT

and you have no rules that limit net->fw connections. Note that the rules that you do have limit OUTBOUND swat connections:

REJECT $FW net tcp 901
REJECT $FW net udp 901

Finally, SWAT only uses TCP -- the UDP rule would be superfluous in any case.

If you want to reject swat connections from the net to your firewall:

REJECT net $FW tcp 901

-Tom
> If you want to reject swat connections from the net to your firewall:
>
> REJECT net $FW tcp 901

Still I can make a connection from net to my firewall on port 901.
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> > If you want to reject swat connections from the net to your firewall:
> >
> > REJECT net $FW tcp 901
>
> still I can make connection from net to my firewall on 901 port

What does "shorewall show net2fw" show?

-Tom
Chain net2fw (1 references)
 pkts bytes target     prot opt in  out  source           destination
   86 19873 ACCEPT     all  --  *   *    0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
  201 32916 newnotsyn  tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   state NEW tcp flags:!0x16/0x02
    0     0 reject     tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:901
   47  3948 DROP       icmp --  *   *    0.0.0.0/0        0.0.0.0/0   icmp type 8
    0     0 reject     all  --  *   *    64.190.200.80    0.0.0.0/0
    0     0 reject     all  --  *   *    63.111.220.250   0.0.0.0/0
    0     0 reject     all  --  *   *    213.155.190.102  0.0.0.0/0
    0     0 reject     all  --  *   *    217.96.90.136    0.0.0.0/0
    0     0 reject     all  --  *   *    213.77.231.3     0.0.0.0/0
    0     0 reject     all  --  *   *    195.136.7.130    0.0.0.0/0
    0     0 ACCEPT     all  --  *   *    0.0.0.0/0        0.0.0.0/0
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> Chain net2fw (1 references)
>  pkts bytes target     prot opt in  out  source           destination
>    86 19873 ACCEPT     all  --  *   *    0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
>   201 32916 newnotsyn  tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   state NEW tcp flags:!0x16/0x02
>     0     0 reject     tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:901
>    47  3948 DROP       icmp --  *   *    0.0.0.0/0        0.0.0.0/0   icmp type 8
>     0     0 reject     all  --  *   *    64.190.200.80    0.0.0.0/0
>     0     0 reject     all  --  *   *    63.111.220.250   0.0.0.0/0
>     0     0 reject     all  --  *   *    213.155.190.102  0.0.0.0/0
>     0     0 reject     all  --  *   *    217.96.90.136    0.0.0.0/0
>     0     0 reject     all  --  *   *    213.77.231.3     0.0.0.0/0
>     0     0 reject     all  --  *   *    195.136.7.130    0.0.0.0/0
>     0     0 ACCEPT     all  --  *   *    0.0.0.0/0        0.0.0.0/0

No new connection requests have come through that chain. Please

1) shorewall reset
2) connect to port 901
3) Capture and post "shorewall status".

-Tom
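The two checks Tom applies in this thread, that the rule sits in the net-to-firewall chain at all (SOURCE zone before DEST zone, so REJECT net $FW, not REJECT $FW net) and that its packet counter actually moves, can be automated over "shorewall show net2fw" output. The script below is an added example, not code from the thread or from Shorewall; it embeds the chain posted above as a constructed sample, assumes the column order iptables -nv prints, and reports whether a reject/drop rule for the port exists, whether an earlier catch-all ACCEPT would shadow it, and whether any NEW connection has reached it.

```python
import re
# Constructed sample: the "shorewall show net2fw" output posted in the thread,
# re-flowed to one rule per line, counters exactly as posted.
NET2FW = """\
Chain net2fw (1 references)
 pkts bytes target    prot opt in  out source          destination
   86 19873 ACCEPT    all  --  *   *   0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
  201 32916 newnotsyn tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   state NEW tcp flags:!0x16/0x02
    0     0 reject    tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   state NEW tcp dpt:901
   47  3948 DROP      icmp --  *   *   0.0.0.0/0       0.0.0.0/0   icmp type 8
    0     0 reject    all  --  *   *   64.190.200.80   0.0.0.0/0
    0     0 reject    all  --  *   *   63.111.220.250  0.0.0.0/0
    0     0 reject    all  --  *   *   213.155.190.102 0.0.0.0/0
    0     0 reject    all  --  *   *   217.96.90.136   0.0.0.0/0
    0     0 reject    all  --  *   *   213.77.231.3    0.0.0.0/0
    0     0 reject    all  --  *   *   195.136.7.130   0.0.0.0/0
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0       0.0.0.0/0
"""
# Assumed iptables -nv column order: pkts bytes target prot opt in out src dst [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(text):
    """Parse iptables -nv style chain output into rule dicts, in chain order."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        pkts, _, target, proto, src, dst, extra = m.groups()
        rules.append({"pkts": int(pkts), "target": target, "proto": proto,
                      "src": src, "dst": dst, "extra": extra.strip()})
    return rules

def audit_port_block(rules, port):
    """First reject/drop rule for dpt:<port>: its index, counter, and any earlier catch-all ACCEPT."""
    for i, r in enumerate(rules):
        if f"dpt:{port}" not in r["extra"] or r["target"].lower() not in ("reject", "drop"):
            continue
        shadowed = [j for j in range(i) if rules[j]["target"] == "ACCEPT"
                    and rules[j]["proto"] in ("all", r["proto"])
                    and rules[j]["src"] == "0.0.0.0/0" and rules[j]["extra"] == ""]
        return {"found": True, "index": i, "pkts": r["pkts"], "shadowed_by": shadowed}
    return {"found": False, "index": None, "pkts": 0, "shadowed_by": []}

def diagnose(rules, port):
    a = audit_port_block(rules, port)
    if not a["found"]:
        return "missing: no reject/drop rule for dpt:%d (check SOURCE/DEST zone order)" % port
    if a["shadowed_by"]:
        return "shadowed: catch-all ACCEPT at index %d precedes the rule" % a["shadowed_by"][0]
    if a["pkts"] == 0:
        return "unmatched: rule present but no NEW connection to port %d reached it" % port
    return "matching: rule has rejected %d packets" % a["pkts"]
```

On the posted chain the verdict is "unmatched", which is exactly why the next step in the thread is a counter reset followed by a fresh connection attempt.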
>> 1) shorewall reset

done

>> 2) connect to port 901

done

>> 3) Capture and post "shorewall status".

ok :)

(Attachment: stat.tar.gz, 11181 bytes, http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030423/6c3eff0e/stat.tar.obj)
On Wed, 23 Apr 2003, Maciek Kurkiewicz wrote:

> >> 1) shorewall reset
> done
>
> >> 2) connect to port 901
> done
>
> >> 3) Capture and post "shorewall status".
> ok :)

I am in the process of upgrading my Linux desktop system. I'll look at this just as soon as the upgrade has completed.

-Tom