Tom:

I am running Shorewall snapshot 1.4.6-20030821, linux 2.4.21, and iptables 1.2.7a with a dialup link to the internet.

When connected to the internet I issue a "shorewall drop 207.44.210.28" then "shorewall save". This saves the dns name and not the IP address in /var/lib/shorewall/savedyn. If I now close the dialup link then stop and start Shorewall, the start fails trying to resolve the dns name. Adding the '-n' option to the iptables statement on line 991 in /sbin/shorewall stops the reverse dns lookup during a "shorewall save".

Issuing a 'shorewall save' does not overwrite /var/lib/shorewall/save, it adds to the end. I have changed '>>' to '>' on line 552 in /sbin/shorewall.

Issuing a "shorewall drop 192.168.0.10", shorewall responds with the message "192.168.0.10 Rejected in Chain eth4_dyn". I have changed line 911 in /sbin/shorewall so that the message says "192.168.0.10 Dropped in Chain eth4_dyn".

I have attached a copy of /sbin/shorewall with the above modifications.

While connected to the internet issuing "shorewall drop 207.44.210.28" produces the message "207.44.210.28 Dropped in Chain ppp_dyn". If I now disconnect from the internet, issuing "shorewall allow 207.44.210.28" produces the message "207.44.210.28 not Dropped or Rejected in Chain dynamic". Issuing "shorewall drop 207.44.210.28" while not connected to the internet produces the message "207.44.210.28 Dropped in Chain dynamic". Connecting to the internet and issuing "shorewall allow 207.44.210.28" produces the message "207.44.210.28 not Dropped or Rejected in Chain ppp_dyn".

This problem also affects ethernet devices. I have an interface eth4 with IP address 192.168.0.254 and a subnet mask 255.255.255.0. Issuing "shorewall dropall 192.168.0.10" produces the message "192.168.0.10 Dropped in Chain dynamic". Issuing "shorewall allow 192.168.0.10" produces the message "192.168.0.10 not Dropped or Rejected in Chain eth4_dyn".

Issuing multiple drops or rejects for the same IP address requires issuing multiple allows to reinstate the IP address.

A potential solution to these problems might be to issue "iptables -D" commands for all defined interfaces, dynamic and ppp (even if ppp is not currently defined). An "iptables -D" command could be issued multiple times for each interface until all occurrences of the IP address are removed.

A further enhancement could allow the dropping/rejecting of IP addresses on interfaces that are not defined by specifying the interface, eg. "shorewall drop ppp:207.44.210.28". Then if a drop or reject command is issued without an interface and Shorewall cannot determine which interface to use, a message could be issued, eg. "shorewall drop 207.44.210.28" "Shorewall could not determine which interface 207.44.210.28 is on. Please specify an interface or issue a dropall command".

If you need any further information on any of these points please let me know.

Regards

Steven.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall
Type: application/x-shellscript
Size: 21881 bytes
Desc: not available
Url: http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030823/9063ed29/shorewall-0001.bin
On Sat, 23 Aug 2003, Steven Jan Springl wrote:

> If you need any further information on any of these points please let me know.

Steven,

Having reviewed your post, I've reconsidered per-interface dynamic chains; the feature clearly doesn't make sense for firewalls with intermittent internet connectivity and it will be removed in the next snapshot.

Thanks for bringing these issues to the forefront,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
At 8/23/2003 23:38 +0100, Steven Jan Springl wrote:

> Issuing multiple drops or rejects for the same IP address requires issuing
> multiple allows to reinstate the IP address.

Would it be a good thing or a bad thing to have Shorewall check for duplicates, such that an IP address is only dropped once?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
At 8/23/2003 16:14 -0700, Tom Eastep wrote:

> Steven,
>
> Having reviewed your post, I've reconsidered per-interface dynamic chains;
> the feature clearly doesn't make sense for firewalls with intermittent
> internet connectivity and it will be removed in the next snapshot.

Really? That surprises me, assuming you mean that the feature will be removed entirely.

To give one example, my home network is on a paltry 128Kbps link to the Internet (ISDN dial-up, so ppp0), but I want it to be as secure as possible. Thus, I dynamically block people who probe me on a wide variety of ports and leave them blocked for a full week. This cuts down over 90% of the other hits to my firewall, at the cost of having around 80 IP addresses blocked at any given time. Those 80 rules do not hinder my throughput on ppp0 in any way, as the CPU is plenty fast enough for that bandwidth. However, those 80 rules do in fact slow down stuff going from eth0 to eth1, two local interfaces at 100 Mbps. So I found per-interface dynamic blocking a godsend.

Is there a middle ground here? Why do you think it is not a good idea? I mean, I'm sure you have good reasoning there, but my knowledge is little enough that I may not have yet seen the light. To me, it seems like something that is wonderful if available even if I did live without it for a long time.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
On Sun, 24 Aug 2003, Rodolfo J. Paiz wrote:

> At 8/23/2003 16:14 -0700, Tom Eastep wrote:
> >Steven,
> >
> >Having reviewed your post, I've reconsidered per-interface dynamic chains;
> >the feature clearly doesn't make sense for firewalls with intermittent
> >internet connectivity and it will be removed in the next snapshot.
>
> Really? That surprises me, assuming you mean that the feature will be
> removed entirely.

No -- I mean that the code will revert to the way it was in 1.4.6.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sat, 2003-08-23 at 23:21, Rodolfo J. Paiz wrote:

> At 8/23/2003 23:38 +0100, Steven Jan Springl wrote:
> >Issuing multiple drops or rejects for the same IP address requires issuing
> >multiple allows to reinstate the IP address.
>
> Would it be a good thing or a bad thing to have Shorewall check for
> duplicates, such that an IP address is only dropped once?

I've just added code in 'drop' and 'reject' that deletes any existing rule for the address before adding the new one.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
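An added example, not code from Shorewall or from anyone in this thread, of the two fixes discussed above: Steven's suggestion of issuing one "iptables -D" per occurrence of an address across the dynamic and per-interface chains, and Tom's "delete any existing rule before adding the new one". It works on a constructed iptables-save listing rather than a live firewall; the chain names dynamic, eth4_dyn and ppp_dyn are those from the thread, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Works on a constructed iptables-save
# listing (below) rather than a live firewall, so it runs without root.
# Chain names are the ones seen in the thread; function names are assumptions.

# Constructed sample: one address dropped in two chains, another address with
# a DROP and a reject entry (three rules), plus an unrelated ACCEPT rule.
SAMPLE_RULES='-A dynamic -s 207.44.210.28/32 -j DROP
-A ppp_dyn -s 207.44.210.28/32 -j DROP
-A eth4_dyn -s 192.168.0.10/32 -j DROP
-A eth4_dyn -s 192.168.0.10/32 -j reject
-A dynamic -s 192.168.0.10/32 -j DROP
-A net2fw -s 192.168.0.10/32 -j ACCEPT'

# dyn_delete_cmds ADDR: print one "iptables -D" per DROP/reject rule for ADDR
# in the "dynamic" chain or any per-interface "<iface>_dyn" chain. One -D per
# occurrence is what lets a single "allow" undo several drops.
# Rules come from $RULES_SOURCE (iptables-save output; default is the sample).
# On a live box feed it `iptables-save` output, or list with `iptables -nL`;
# the -n avoids the reverse DNS lookup that broke "save" on a closed link.
dyn_delete_cmds() {
    addr=$1
    printf '%s\n' "${RULES_SOURCE:-$SAMPLE_RULES}" |
    awk -v a="$addr" '
        $1 == "-A" && ($2 == "dynamic" || $2 ~ /_dyn$/) && $4 == (a "/32") {
            # -D must repeat the rule spec exactly, target included
            print "iptables -D " $2 " -s " a " -j " $6
        }'
}

# dyn_count ADDR: number of dynamic rules still referencing ADDR
dyn_count() {
    dyn_delete_cmds "$1" | wc -l | tr -d ' '
}

# dyn_drop_cmds ADDR CHAIN: delete-then-add sequence, so re-dropping an
# address never leaves a duplicate rule behind
dyn_drop_cmds() {
    dyn_delete_cmds "$1"
    printf 'iptables -A %s -s %s -j DROP\n' "$2" "$1"
}

# Usage on the sample: dyn_drop_cmds 192.168.0.10 dynamic
```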