Evening all,

First: Obligatory thanks to Tom. Shorewall is GREAT! I've got it on 3 machines now and love it. (Just because they are obligatory does not mean they are not heart-felt.)

On my main web server, I am constantly scanning my log files for worm-signs. Requests for default.ida, any .exe, there are several others, you probably have your favorite. I got tired of doing it by hand so I created a couple of shell scripts to help me.

PLEASE READ AND UNDERSTAND ANY SCRIPTS BEFORE PUTTING THEM ON A PRODUCTION MACHINE! (These two are not rocket science!)

The first one, isipblocked.sh, simply greps shorewall's "shorewall show dynamic" output for a given IP address. If it finds it, it returns it; otherwise it returns nothing. (I probably should return SOMETHING, but it's meant to be used by other programs, not by people.) This needs to be somewhere in your path or you'll have to modify the second one.

The second one, wormHunter.sh, scans a given log file for a given document request. If it finds it, it peels the IP address out of the line and adds it to shorewall's dynamic block list.

I make 1 assumption here. All my log files are in 'common' apache format. If yours are not, you may have to tweak the second script around the awk command.

Finally, if you have a better way of doing this I'd like to hear it. This is a constant problem for me.

If you find either of these useful then thank Tom because they would be useless without shorewall.

That is all. Continue as you were,
=C*

* Cal Evans
* http://www.calevans.com
* The measure of a programmer is not the number of lines of code he writes but the number of lines he does not have to write.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: isipblocked.sh
Type: application/octet-stream
Size: 2796 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030806/2bc25ae1/isipblocked.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wormHunter.sh
Type: application/octet-stream
Size: 4273 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030806/2bc25ae1/wormHunter.obj
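The attachments above were scrubbed by the list software, so here is an added illustration of the same idea (my own sketch, not Cal's isipblocked.sh/wormHunter.sh): pull source IPs out of Apache common-format log lines that request worm signatures such as default.ida or any .exe, skip addresses "shorewall show dynamic" already lists, and hand the rest to "shorewall drop". The signature list and the four log lines are constructed for the example, and DRY_RUN=1 lets you see what would be blocked without touching the firewall.

```shell
#!/bin/sh
# Added example, not the scripts from the thread. Extended regex alternation
# plays the role of Steve's grep "default.ida\|cmd.exe"; extend as you like.
SIGNATURES='default\.ida|cmd\.exe|\.exe'

# Print the unique client IPs (field 1 of Apache common log format) whose
# request line ("METHOD /path HTTP/x.y") contains any signature.
extract_worm_ips() {
    # $1 = log file in common format
    grep -E "\"[A-Z]+ [^\"]*($SIGNATURES)" "$1" | awk '{print $1}' | sort -u
}

# Same job as isipblocked.sh: exit 0 if the IP already appears in the
# dynamic blacklist, 1 otherwise (fixed-string, whole-word match).
is_ip_blocked() {
    shorewall show dynamic 2>/dev/null | grep -qwF "$1"
}

# Block every offending IP not yet blocked. With DRY_RUN=1 only report.
block_worm_ips() {
    for ip in $(extract_worm_ips "$1"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: shorewall drop $ip"
        elif ! is_ip_blocked "$ip"; then
            shorewall drop "$ip"
        fi
    done
}

# Constructed sample log (documentation-range addresses) for a stand-alone run.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [06/Aug/2003:18:24:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 295
198.51.100.7 - - [06/Aug/2003:18:25:11 -0500] "GET /index.html HTTP/1.1" 200 1024
203.0.113.10 - - [06/Aug/2003:18:26:44 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
192.0.2.55 - - [06/Aug/2003:18:27:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
EOF

# Dry run against the sample: lists 192.0.2.55 and 203.0.113.10, not 198.51.100.7.
DRY_RUN=1
block_worm_ips "$SAMPLE_LOG"
```

Point the functions at your real access log (and unset DRY_RUN) to use it for real; the log format assumption is the same as Cal's, so a combined-format log still works because the client IP is still the first field.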
Cal Evans wrote:
> Finally, if you have a better way of doing this I'd like to hear it.
> This is a constant problem for me.

I created a similar script last year that basically does the same thing as yours, except...

1) It scp's the apache logfile from my web server to my firewall.
2) It updates/sorts the shorewall blacklist file.
3) I use the "or" in my grep statement. i.e. grep "default.ida\|cmd.exe" logfile

> If you find either of these useful then thank Tom because they would
> be useless without shorewall.

I agree! Thanks Tom.

Steve Cowles
Hi all,

I am running a shorewall with 2 NICs: eth0 external, eth1 local. I have masq set up and it's all working. The eth1 IP is 192.168.7.1 and it's the default gateway for all the hosts on the 192.168.7.0/24 network.

There are 2 other networks connected to the 192.168.7.0/24, a 192.168.8.0/24 and a 192.168.8.0/24. The router for these is 192.168.7.2.

My route table (relevant parts) on Shorewall has the following entries:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     *               255.255.255.0   U     0      0        0 eth1
192.168.11.0    192.168.7.3     255.255.255.0   UG    0      0        0 eth1
192.168.9.0     192.168.7.2     255.255.255.0   UG    0      0        0 eth1
192.168.8.0     192.168.7.2     255.255.255.0   UG    0      0        0 eth1

Is there anything else I need to specifically do to get shorewall to route these clients to the other networks? It's not working at the moment.

I would be very grateful for any help.

thanks
Jon
Sorry, the answer was staring me in the face. I edited the hosts file and all is working well. Hope I didn't waste anyone's time.

Jon

On Thu, 7 Aug 2003, Jon Booth wrote:
> Hi all,
> I am running a shorewall with 2 NICs: eth0 external, eth1 local.
> I have masq set up and it's all working.
> The eth1 IP is 192.168.7.1 and it's the default gateway for all the hosts on the
> 192.168.7.0/24 network
>
> There are 2 other networks connected to the 192.168.7.0/24, a
> 192.168.8.0/24 and a 192.168.8.0/24. The router for these is 192.168.7.2
>
> My route table (relevant parts) on Shorewall has the following entries
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.7.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.11.0    192.168.7.3     255.255.255.0   UG    0      0        0 eth1
> 192.168.9.0     192.168.7.2     255.255.255.0   UG    0      0        0 eth1
> 192.168.8.0     192.168.7.2     255.255.255.0   UG    0      0        0 eth1
>
> Is there anything else I need to specifically do to get shorewall to route
> these clients to the other networks? It's not working at the moment.
>
> I would be very grateful for any help
>
> thanks
> Jon
On Thu, 2003-08-07 at 01:47, Jon Booth wrote:
> Sorry, the answer was staring me in the face. I edited the hosts file
> and all is working well. Hope I didn't waste anyone's time.

If the problem you were trying to solve was that your Shorewall box wasn't routing between the other networks, a simpler approach would have been to simply set the 'routeback' option for eth1 in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Wed, 2003-08-06 at 18:24, Cal Evans wrote:
> First: Obligatory thanks to Tom. Shorewall is GREAT! I've got it on 3
> machines now and love it. (Just because they are obligatory does not mean
> they are not heart-felt.)

Thanks, Cal

> On my main web server, I am constantly scanning my log files for
> worm-signs. Requests for default.ida, any .exe, there are several others,
> you probably have your favorite. I got tired of doing it by hand so I
> created a couple of shell scripts to help me.

I've published your work at:

http://shorewall.net/pub/shorewall/contrib/WormHunter
ftp://shorewall.net/pub/shorewall/contrib/WormHunter

where it will be propagated to the other mirrors.

Thanks for your contribution.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Wed, 2003-08-06 at 19:26, Cowles, Steve wrote:
> I created a similar script last year that basically does the same thing as
> yours, except...

Steve,

I thought I had published your script on the Shorewall site but I don't see it. If you send it to me (with a README), I'll be happy to publish it.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Is this possible?

I would like to enable routing from eth2 to eth1 for a certain subnet.

I have a VPN concentrator in loc (eth2) that has connections that, when authenticated, should be able to connect directly to the DMZ. But other connections in the loc zone should not.

Thanks
Jon
On Mon, 18 Aug 2003, Jon Booth wrote:
> Is this possible?
>
> I would like to enable routing from eth2 to eth1 for a certain subnet.

Not easy -- but you can enable access from eth2 to eth1 for a certain subnet.

> I have a VPN concentrator in loc (eth2) that has connections that when
> authenticated should be able to connect directly to the DMZ. But other
> connections in the loc zone should not.

In any rule, the SOURCE may be qualified by an address (network or host) so what you want to do is trivially possible.

-Tom

Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Sun, 17 Aug 2003 17:23:54 -0700 (Pacific Daylight Time), Tom Eastep <teastep@shorewall.net> wrote:
> On Mon, 18 Aug 2003, Jon Booth wrote:
>
>> Is this possible?
>>
>> I would like to enable routing from eth2 to eth1 for a certain subnet.
>
> Not easy -- but you can enable access from eth2 to eth1 for a certain
> subnet.

What I'm saying here is that conditional routing isn't easy (and is only vaguely related to Shorewall. To do conditional routing, you must set up multiple routing tables, then create rules that cause packets from some hosts to use an alternate table. Shorewall can be used to mark the packets for later assignment to a routing table). But Shorewall has facilities for permitting connections conditionally between interfaces, which is what I think you want.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Sun, 17 Aug 2003 17:23:54 -0700 (Pacific Daylight Time), Tom Eastep <teastep@shorewall.net> wrote:
> In any rule, the SOURCE may be qualified by an address (network or host)
> so what you want to do is trivially possible.

At http://shorewall.net/Shorewall_and_Aliased_Interfaces.html you can also see how to set up separate zones for individual subnets in your local network. While that page is directed toward the case where you have multiple addresses defined on your local interface, the setup is basically the same where a subnet is concentrated through a separate router.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
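To make the "qualify the SOURCE by address" approach from this thread concrete, here is an added configuration sketch (mine, not from the thread or the Shorewall project) for Jon's layout: loc on eth2, dmz on eth1, loc-to-dmz closed by policy, and only the VPN concentrator's authenticated client subnet let through by a rule. The subnet 192.168.20.0/24, the zone names and the ports are placeholder assumptions for the example.

```text
# /etc/shorewall/interfaces  (assumed zone/interface layout)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
dmz     eth1        detect
loc     eth2        detect

# /etc/shorewall/policy  (the rest of the loc zone stays shut out of the DMZ
# and the drops are logged; other policies not shown)
#SOURCE DEST    POLICY  LOG LEVEL
loc     dmz     DROP    info

# /etc/shorewall/rules  (rules are matched before the policy applies, so only
# the VPN client subnet, a placeholder value here, reaches the DMZ; limit
# PROTO/ports to what the DMZ hosts actually serve rather than "all")
#ACTION SOURCE                 DEST    PROTO   DEST PORT(S)
ACCEPT  loc:192.168.20.0/24    dmz     tcp     80,443
```

After editing, "shorewall check" validates the files and "shorewall restart" applies them; the logged drops from the rest of loc are the quickest way to confirm that only the intended subnet is being accepted.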