Raf Schietekat
2003-Aug-22 12:17 UTC
[Shorewall-users] Mandrake 9.1 Shorewall 1.3.14: Why does ping still get through?
I started to configure a new system (Mandrake 9.1, which has Shorewall 1.3.14), using DrakFirewall to start out with a "personal firewall" with only ssh allowed, to be able to continue configuring it from another host on the network. I checked that OLD_PING_HANDLING=No.

rules:
ACCEPT net fw tcp 22 -

policy:
fw net DROP info (was: fw net ACCEPT)
net all DROP info
all all REJECT info

I did firewall restart, naively expecting everything to be closed except for ssh. I connected the new system to the local network. I ssh'ed into the new system, and tried ping'ing my own host as a simple test... successfully (making the test unsuccessful)! Doing "cat /etc/shorewall | grep icmp" only reveals a rule in common.def jumping to target icmpdef, but "shorewall status" shows that to be empty. Doing "shorewall status" reveals a line "2 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0" in chain OUTPUT, which neither of INPUT or FORWARD have. Why is that?

Raf Schietekat <Raf_Schietekat@ieee.org>
Tom Eastep
2003-Aug-22 12:33 UTC
[Shorewall-users] Mandrake 9.1 Shorewall 1.3.14: Why does ping still get through?
On Fri, 2003-08-22 at 11:03, Raf Schietekat wrote:
> I started to configure a new system (Mandrake 9.1, which has Shorewall
> 1.3.14), using DrakFirewall to start out with a "personal firewall" with
> only ssh allowed, to be able to continue configuring it from another
> host on the network. I checked that OLD_PING_HANDLING=No.
>
> rules:
> ACCEPT net fw tcp 22 -
>
> policy:
> fw net DROP info (was: fw net ACCEPT)
> net all DROP info
> all all REJECT info
>
> I did firewall restart, naively expecting everything to be closed except
> for ssh. I connected the new system to the local network. I ssh'ed into
> the new system, and tried ping'ing my own host as a simple test...
> successfully (making the test unsuccessful)! Doing "cat /etc/shorewall |
> grep icmp" only reveals a rule in common.def jumping to target icmpdef,
> but "shorewall status" shows that to be empty. Doing "shorewall status"
> reveals a line "2 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0" in chain
> OUTPUT, which neither of INPUT or FORWARD have. Why is that?

Raf -- I personally have no idea how DrakeFirewall configures Shorewall as a "personal firewall". If you want your questions asked on this list, you are going to have to give us information about the *Shorewall* configuration (as opposed to the DrakFirewall configuration). If you tar up /etc/shorewall and forward it, I'll try to address your concerns.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Raf Schietekat
2003-Aug-23 01:50 UTC
[Shorewall-users] Mandrake 9.1 Shorewall 1.3.14: Why does ping still get through?
Tom Eastep wrote:
> On Fri, 2003-08-22 at 11:03, Raf Schietekat wrote:
>> I started to configure a new system (Mandrake 9.1, which has Shorewall
>> 1.3.14), using DrakFirewall to start out with a "personal firewall" with
>> only ssh allowed, to be able to continue configuring it from another
>> host on the network. I checked that OLD_PING_HANDLING=No.
>>
>> rules:
>> ACCEPT net fw tcp 22 -
>>
>> policy:
>> fw net DROP info (was: fw net ACCEPT)
>> net all DROP info
>> all all REJECT info
>>
>> I did firewall restart, naively expecting everything to be closed except
>> for ssh. I connected the new system to the local network. I ssh'ed into
>> the new system, and tried ping'ing my own host as a simple test...
>> successfully (making the test unsuccessful)! Doing "cat /etc/shorewall |

Obviously "cat /etc/shorewall * | grep icmp" instead.

>> grep icmp" only reveals a rule in common.def jumping to target icmpdef,
>> but "shorewall status" shows that to be empty. Doing "shorewall status"
>> reveals a line "2 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0" in chain
>> OUTPUT, which neither of INPUT or FORWARD have. Why is that?
>>
>
> Raf -- I personally have no idea how DrakeFirewall configures Shorewall
> as a "personal firewall". If you want your questions asked on this list,
> you are going to have to give us information about the *Shorewall*
> configuration (as opposed to the DrakFirewall configuration). If you tar
> up /etc/shorewall and forward it, I'll try to address your concerns.

(DrakFirewall (sic? I'm not at the console right now) appears to be just a basic GUI for making some very simple configurations (a list of switches for about 5 protocols, a text field allowing some more ports), after installing the shorewall rpm package if required, so I thought I had summarised all relevant information.)

I have inspected shorewall versions 1.3.14 and 1.4.5, both as obtained directly from www.shorewall.net('s indicated download locations) and evidently ./firewall's add_common_rules() in the former version still has these lines:

#
# Enable icmp output
#
run_iptables -A OUTPUT -p icmp -j ACCEPT

which seem to have disappeared in the latter version, thus getting rid of this surprise(/bug?) which seems to contradict http://www.shorewall.net/ping.html. I suppose you should look up where you made the change, and adapt ping.html (this is about the most recent release of Mandrake, so it's probably still relevant enough).

Well, now at least I know this was not a sign of a major problem, so I can proceed with less trivial things... Maybe my next step should be to install a more recent shorewall version, though?

Thanks for shorewall,

Raf Schietekat <Raf_Schietekat@ieee.org>
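The post above traces the surprise to a single unconditional ICMP ACCEPT that Shorewall 1.3.14 appended to OUTPUT ahead of the fw->net policy chain. As an added example, not part of the thread and not code from the Shorewall project, here is a small POSIX shell check that scans an `iptables -nvL OUTPUT` listing for exactly that kind of rule (ACCEPT, proto icmp, any interface, 0.0.0.0/0 to 0.0.0.0/0), so an administrator can confirm whether a "fw net DROP" policy is being bypassed for ping before trusting it. The embedded listing is constructed around the one rule line Raf quoted; the chain names fw2net and common, and the counters, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): look for an
# unconditional ICMP ACCEPT in an `iptables -nvL <chain>` listing.
# Column layout of that listing:
#   pkts bytes target prot opt in out source destination

# Constructed sample of `iptables -nvL OUTPUT` on a Shorewall 1.3.14 box.
# Only the icmp line is taken from the thread; the rest is assumed filler.
SAMPLE_OUTPUT='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   40  3100 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  120  9000 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# find_open_icmp LISTING
# Prints every rule in LISTING that accepts icmp from anywhere to anywhere
# on any in/out interface. Exit status 0 if at least one was found, else 1.
find_open_icmp() {
    printf '%s\n' "$1" | awk '
        # skip the "Chain ..." header and the column-header line
        /^Chain / || $1 == "pkts" { next }
        # 3=target 4=prot 6=in 7=out 8=source 9=destination
        $3 == "ACCEPT" && $4 == "icmp" &&
        $6 == "*"      && $7 == "*"    &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { print; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Stand-alone usage: report on the constructed sample. On a live system one
# would feed it "$(iptables -nvL OUTPUT)" instead.
if find_open_icmp "$SAMPLE_OUTPUT"; then
    echo "WARNING: unconditional ICMP ACCEPT precedes the policy chains;" \
         "a fw->net DROP policy will not stop outbound ping"
else
    echo "OK: no unconditional ICMP ACCEPT in OUTPUT"
fi
```

The check is deliberately narrow: a rule that matches `icmp` but is bound to an interface or a specific address is not flagged, since that is a deliberate rule rather than the catch-all the thread describes. Running it against the listing after upgrading to a 1.4.x release (which no longer emits the rule) should print the OK line.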
Tom Eastep
2003-Aug-23 07:23 UTC
[Shorewall-users] Mandrake 9.1 Shorewall 1.3.14: Why does ping still get through?
Hello Raf,

On Sat, 2003-08-23 at 01:49, Raf Schietekat wrote:
> I have inspected shorewall versions 1.3.14 and 1.4.5, both as obtained
> directly from www.shorewall.net('s indicated download locations) and
> evidently ./firewall's add_common_rules() in the former version still
> has these lines:
>
> #
> # Enable icmp output
> #
> run_iptables -A OUTPUT -p icmp -j ACCEPT
>
> which seem to have disappeared in the latter version, thus getting rid
> of this surprise(/bug?) which seems to contradict
> http://www.shorewall.net/ping.html. I suppose you should look up where
> you made the change, and adapt ping.html (this is about the most recent
> release of Mandrake, so it's probably still relevant enough).

I'll take a look -- thanks for the research.

> Well, now at least I know this was not a sign of a major problem, so I
> can proceed with less trivial things... Maybe my next step should be to
> install a more recent shorewall version, though?
>

I recommend staying fairly current with Shorewall releases. I can give better support for the most recent versions since it doesn't take so much time to go back and research change history.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-23 07:29 UTC
[Shorewall-users] Mandrake 9.1 Shorewall 1.3.14: Why does ping still get through?
On Sat, 2003-08-23 at 07:22, Tom Eastep wrote:
>
> On Sat, 2003-08-23 at 01:49, Raf Schietekat wrote:
>
> > I have inspected shorewall versions 1.3.14 and 1.4.5, both as obtained
> > directly from www.shorewall.net('s indicated download locations) and
> > evidently ./firewall's add_common_rules() in the former version still
> > has these lines:
> >
> > #
> > # Enable icmp output
> > #
> > run_iptables -A OUTPUT -p icmp -j ACCEPT
> >
> > which seem to have disappeared in the latter version, thus getting rid
> > of this surprise(/bug?) which seems to contradict
> > http://www.shorewall.net/ping.html. I suppose you should look up where
> > you made the change, and adapt ping.html (this is about the most recent
> > release of Mandrake, so it's probably still relevant enough).
>
> I'll take a look -- thanks for the research.
>

I have updated http://shorewall.net/ping.html to indicate that in version 1.3.14[a], ping was still unconditionally enabled from the firewall itself. This surprise/bug was removed in 1.4.0.

Thanks again Raf,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net