mathieu.chappuis@ged-software.com
2003-Jul-23 09:13 UTC
[Shorewall-users] First impression & first question
Hello Tom,

[Frenchy type English ON]

Finally I've found, with ShoreWall, the long awaited tool for administrating my box and soon more productive servers. ShoreWall arrives at the right moment; I must say I started to be a bit tired after trying almost all the scripts and rules generators found on freshmeat. Most of them require a very good knowledge of NetFilter; for those users I've very much appreciated/used FERM. Others let you sit, claiming security and ease of use and just lacking to flush existing users' rules before running. So 10^4 congratulations for your work. ;-)

I've a question: best techniques to manage complex rule sets?

In the case where internal users (about 10) and servers each have specific access to external, DMZ and "DMZ-Private", the ruleset becomes a bit giant. `iptables -L | wc` gives me 1959. Okay, it's FERM's work:

    proto (UDP TCP) {
        DPORT ( 4 5 6 7 8 9 )
        ACCEPT;
    }

generates 2x7 rules.

So, after reading Shorewall's doc I'm a bit confused on how to handle groups of IPs and groups of services?

/etc/shorewall/hosts is, if I read you right, not the best place for that.
/etc/shorewall/zones is made for interfaces or whole domains, no?

So, in your opinion, what is the best way to express in rules or elsewhere webservers_group with n IPs and ssh_users and so on?

Ciao,
Mathieu
On Wed, 2003-07-23 at 09:13, mathieu.chappuis@ged-software.com wrote:

> Okay, it's FERM's work:
>
>     proto (UDP TCP) {
>         DPORT ( 4 5 6 7 8 9 )
>         ACCEPT;
>     }
>
> generates 2x7 rules.

It should only generate *TWO* rules:

    ACCEPT a b udp 4,5,6,7,8,9
    ACCEPT a b tcp 4,5,6,7,8,9

Provided that your kernel has MULTIPORT match support (and you set MULTIPORT=Yes when running Shorewall 1.4.5 and earlier), that is exactly two iptables rules.

> So, after reading Shorewall's doc I'm a bit confused on how to handle groups of IPs and groups of services?
>
> /etc/shorewall/hosts is, if I read you right, not the best place for that.

If your setup is complex, that's *exactly* the right place.

> /etc/shorewall/zones is made for interfaces or whole domains, no?

No -- you declare a zone in /etc/shorewall/zones then define its contents either in /etc/shorewall/interfaces *OR* in /etc/shorewall/hosts. If you define it in /etc/shorewall/hosts, then it can have any collection of IP addresses in it.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
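A worked layout of what Tom describes (zone declared in zones, contents given in hosts, services expressed as port lists in rules), added here as an illustration; it is not taken from the thread or from the Shorewall project. The zone names, interface names and the 192.0.2.x / 192.168.1.x addresses are assumed, and the column headers follow the Shorewall 1.4 file formats. The group of web servers and the group of ssh users from the first message become zones, and each protocol gets one rule line carrying its whole port list:

```text
# /etc/shorewall/shorewall.conf (only needed on Shorewall 1.4.5 and earlier)
MULTIPORT=Yes

# /etc/shorewall/zones   (ZONE  DISPLAY  COMMENTS)
# the more specific of two overlapping zones must be declared first
net     Net     Internet
sshadm  SSHAdm  workstations allowed to ssh to the servers (assumed hosts)
loc     Local   internal users
web     Web     web servers in the DMZ (assumed hosts)

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# '-' as the zone: hosts on eth1/eth2 get their zone from the hosts file
net     eth0    detect
-       eth1    detect
-       eth2    detect

# /etc/shorewall/hosts   (ZONE  HOST(S)  OPTIONS)
# a zone defined here may hold any collection of addresses
web     eth2:192.0.2.10,192.0.2.11,192.0.2.12
sshadm  eth1:192.168.1.5,192.168.1.9
loc     eth1:192.168.1.0/24

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# one line per protocol; with multiport match each line is one iptables rule
ACCEPT  net     web     tcp     80,443
ACCEPT  sshadm  web     tcp     22
ACCEPT  loc     net     udp     4,5,6,7,8,9
ACCEPT  loc     net     tcp     4,5,6,7,8,9
```

Adding a server or an administrator workstation then means editing one address list in hosts rather than touching every rule that mentions the group, which is the point of keeping group membership and service lists in separate files.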
On Wed, 2003-07-23 at 09:38, Tom Eastep wrote:

> On Wed, 2003-07-23 at 09:13, mathieu.chappuis@ged-software.com wrote:
>
> > Okay, it's FERM's work:
> >
> >     proto (UDP TCP) {
> >         DPORT ( 4 5 6 7 8 9 )
> >         ACCEPT;
> >     }
> >
> > generates 2x7 rules.
>
> It should only generate *TWO* rules:
>
>     ACCEPT a b udp 4,5,6,7,8,9
>     ACCEPT a b tcp 4,5,6,7,8,9
>
> Provided that your kernel has MULTIPORT match support (and you set MULTIPORT=Yes when running Shorewall 1.4.5 and earlier), that is exactly two iptables rules.

That is to say, *in Shorewall* you would use two rules to express what the FERM specification above expresses, and the Shorewall rules would result in two iptables rules.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
John S. Andersen
2003-Jul-23 11:27 UTC
[Shorewall-users] First impression & first question
On 23 Jul 2003 at 9:38, Tom Eastep wrote:

> On Wed, 2003-07-23 at 09:13, mathieu.chappuis@ged-software.com wrote:
>
> > Okay, it's FERM's work:
> >
> >     proto (UDP TCP) {
> >         DPORT ( 4 5 6 7 8 9 )
> >         ACCEPT;
> >     }
> >
> > generates 2x7 rules.
>
> It should only generate *TWO* rules:
>
>     ACCEPT a b udp 4,5,6,7,8,9
>     ACCEPT a b tcp 4,5,6,7,8,9
>
> Provided that your kernel has MULTIPORT match support (and you set MULTIPORT=Yes when running Shorewall 1.4.5 and earlier), that is exactly two iptables rules.

Tom:

A further question on this...

I note that my shorewall.conf file says MULTIPORT=No and that vmlinuz.config indicates that CONFIG_IP_NF_MATCH_MULTIPORT is a module.

So if I'm reading this correctly, I could set MULTIPORT=Yes.

None of my rules have more than 3 ports per line (even the ranges).

Am I likely to see any benefit in turning this on???

In the spirit of IINBDFI (If It's Not Broke...) I have to point out I have no performance complaints, nor any extensive rules other than samba and a few common services.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
On Wed, 2003-07-23 at 11:26, John S. Andersen wrote:

> A further question on this...
>
> I note that my shorewall.conf file says MULTIPORT=No and that vmlinuz.config indicates that CONFIG_IP_NF_MATCH_MULTIPORT is a module.
>
> So if I'm reading this correctly, I could set MULTIPORT=Yes.

If you want the benefits of multiport match support, yes. The reason that the default is MULTIPORT=No is that when I implemented support for multiport match, it was only available in the latest kernel available.

> None of my rules have more than 3 ports per line (even the ranges).
>
> Am I likely to see any benefit in turning this on???

Probably not -- you will see fewer iptables rules generated but since the affected rules are only evaluated for connection requests, the effect won't likely be noticeable.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
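The rule-count difference Tom describes, modelled as an added example (this is not Shorewall's generator; the chain name "loc2net" and the use of plain `--dport`/`--dports` forms are assumptions). It expands one rule line into the iptables commands it would need with and without multiport match, and it also covers a case the thread does not reach: multiport match takes at most 15 ports per rule, so a longer port list still splits into several rules.

```python
"""Model of how one Shorewall-style ACCEPT rule line expands into iptables
rules, with and without the multiport match.  Added illustration only: not
Shorewall's own code; the chain name and command forms are assumed."""

from typing import List

# iptables' multiport match accepts at most 15 ports in one --dports list
MULTIPORT_MAX = 15


def expand_rule(chain: str, protos: List[str], ports: List[int],
                multiport: bool) -> List[str]:
    """Return the iptables commands one rule line produces for `chain`.

    Without multiport: one rule per (protocol, port) pair.
    With multiport:    one rule per protocol per group of up to 15 ports.
    These rules sit in a chain that Shorewall only consults for new
    connection requests, which is why fewer rules rarely shows up as
    measurable throughput.
    """
    cmds: List[str] = []
    for proto in protos:
        if not multiport:
            for port in ports:
                cmds.append(
                    f"iptables -A {chain} -p {proto} --dport {port} -j ACCEPT")
        else:
            for start in range(0, len(ports), MULTIPORT_MAX):
                group = ",".join(str(p) for p in ports[start:start + MULTIPORT_MAX])
                cmds.append(
                    f"iptables -A {chain} -p {proto} -m multiport "
                    f"--dports {group} -j ACCEPT")
    return cmds


def rule_count(protos: List[str], ports: List[int], multiport: bool) -> int:
    """Number of iptables rules the line needs (chain name is irrelevant)."""
    return len(expand_rule("loc2net", protos, ports, multiport))


if __name__ == "__main__":
    # the FERM example from the thread: two protocols, ports 4..9
    thread_ports = [4, 5, 6, 7, 8, 9]
    for mp in (False, True):
        rules = expand_rule("loc2net", ["udp", "tcp"], thread_ports, mp)
        print(f"multiport={mp}: {len(rules)} rules")
        for r in rules:
            print("  " + r)
    # a 20-port list: still two multiport rules per protocol, not one
    print("20 ports, multiport:", rule_count(["tcp"], list(range(1, 21)), True))
```

The FERM snippet from the first message (UDP and TCP, six ports) comes out as 12 rules without multiport and 2 with it; a single-protocol list of 20 ports needs 2 multiport rules because of the 15-port cap.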