Hello,

I set up a shorewall dual interface firewall and started with that guideline file to get it running. I've since modified it to support my routing needs and have updated it to be similar to the set up as documented on shorewall.net.

I started to set up another Linux box that will be used to handle our mail services. I decided to put shorewall on that server so that I can lock it down too. After getting Linux installed on it, I had to take care of some other projects. When I came back to it, I noticed some rejected packets in the logwatch report on the new mail server (10.10.1.30/216.17.21.77). At first the packets all appeared to be related to port 135. Then I started to see other ports as well. After a while, it looked like several common ports were used but also >1024 ports, too.

Here are some of the common port log items from the mail server:

Sep 14 22:47:11 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.15.37.168 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=2689 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:22 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.16.57.8 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=3153 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:39 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:45 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58365 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:15 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:21 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58365 WINDOW=0 RES=0x00 ACK RST URGP=0

I set up another RH9 Linux PC and put it outside of the firewall and used nmap and ethereal to help figure out the packets that were getting routed in. It looks like nmap believes all the ports are closed and I think that they are, but I'd like to have these packets die at the firewall and not inside the network.

The following nmap options will generate the rejected packets above on the mail server when I comment out the DROP rule for this server:

nmap -v -sS -O -P0 216.17.21.77

Basically the packets have one of the following flag combos:

1. RST, ACK
2. SYN (incoming)
3. RST
4. ACK

Finally some questions:

When looking at my rules file, I would think that only smtp and pop3 packets would be allowed to get to the mail server. Shouldn't the rules at the end of the policy file drop or reject other packet types?

By adding the DROP rule (see rules for 10.10.1.30 in rules file below) at the end of the list of ACCEPT rules, I can force shorewall/iptables to drop the packets that I don't want routed through. I get the feeling that this is not how it is supposed to work though.

I think that I have included all of shorewall configuration files that will help figure this out. Please let me know if I have a rule/policy that is allowing this traffic through and bypassing the default policies.

I really like shorewall, it is MUCH easier to set up than iptables. I've learned a lot about nessus, nmap, and ethereal, too. These are some really cool tools.

At this point I'm not concerned about the shorewall set up on my mail server. I'm glad that I set shorewall up on that server or I may not have detected these other packets for quite some time. I just want to correct the firewall so that it is 'correctly' restricting these packets before I finish setting that up.
SUPPORT INFO

Linux Distro: Redhat 9.0 - 2.4.20-20.9
shorewall version: 1.4.6c

ip addr show:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:97:c7:10 brd ff:ff:ff:ff:ff:ff
    inet 216.17.21.94/27 brd 216.17.21.95 scope global eth0
    inet 216.17.21.66/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.68/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.69/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.70/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.71/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.72/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.74/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.75/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.77/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.78/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.79/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.81/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.82/27 brd 216.17.21.95 scope global secondary eth0
    inet 216.17.21.90/27 brd 216.17.21.95 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:97:c6:e2 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.1/24 brd 10.10.1.255 scope global eth1

ip route show:

216.17.21.64/27 dev eth0 scope link
10.10.1.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 216.17.21.65 dev eth0

What is the 169.254.0.0/16 for above? This is the first time that I've noticed it.
shorewall.conf:

LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

params:

LOG=info

zones:

net   Net          Internet
loc   Local        Local networks
ose   OffsiteEmps  Off-site employees

interfaces:

net   eth0   detect   norfc1918,routefilter,dropunclean,blacklist,tcpflags,newnotsyn
loc   eth1   detect

hosts:

loc   eth1:10.10.1.0/24
net   eth0:0.0.0.0/0
ose   eth0:24.163.215.41

routestopped:

eth1   -

policy:

loc   net   ACCEPT
fw    net   ACCEPT
fw    loc   ACCEPT
loc   fw    REJECT     $LOG
ose   all   CONTINUE
net   all   DROP       $LOG   10/sec:40
all   all   REJECT     $LOG

masq:

eth0   eth1

nat:

216.17.21.66   eth0   10.10.1.250   no   no
216.17.21.68   eth0   10.10.1.249   no   no
216.17.21.69   eth0   10.10.1.201   no   no
216.17.21.70   eth0   10.10.1.248   no   no
216.17.21.71   eth0   10.10.1.202   no   no
216.17.21.72   eth0   10.10.1.247   no   no
216.17.21.74   eth0   10.10.1.203   no   no
216.17.21.75   eth0   10.10.1.246   no   no
216.17.21.77   eth0   10.10.1.30    no   no
216.17.21.78   eth0   10.10.1.11    no   no
216.17.21.79   eth0   10.10.1.12    no   no
216.17.21.81   eth0   10.10.1.200   no   no
216.17.21.82   eth0   10.10.1.199   no   no
216.17.21.90   eth0   10.10.1.101   no   no

rules:

##############################################################################
#ACTION      SOURCE               DEST              PROTO   DEST     SOURCE    ORIGINAL
#                                                           PORT     PORT(S)   DEST
#
# Reject attempts by trojans to call home
#
REJECT:$LOG  loc                  net               tcp     6667
#
# Reject NETBIOS packets because our policy is accept
#
REJECT       loc                  net               tcp     137,445
REJECT       loc                  net               udp     137:139
#
# drop local to firewall traffic if not 10.10.1.0/24
#
DROP:$LOG    loc:!10.10.1.0/24    fw
#
# Accept DNS connections from the firewall to the network
#
ACCEPT       fw                   net               tcp     53
ACCEPT       fw                   net               udp     53
ACCEPT       loc                  net               tcp     domain
ACCEPT       loc                  net               udp     domain
#
# Accept DHCP connections from the firewall to/from the network
#
ACCEPT       loc                  fw                udp     67
ACCEPT       fw                   loc               udp     68
#
# Accept traceroute connections from loc/fw to the network
#
ACCEPT       loc                  fw                udp     33434:33523
ACCEPT       fw                   net               udp     33434:33523
ACCEPT       fw                   loc               icmp    11
#
# Accept SSH connections from the local network for administration
#
ACCEPT       loc                  fw                tcp     22
#
# Accept VNC connections from the local network for administration
#
ACCEPT       loc                  fw                tcp     5900:5903
ACCEPT       fw                   loc               tcp     5900:5903
#
# Allow Ping To And From Firewall
#
ACCEPT       loc                  fw                icmp    8
ACCEPT       net                  fw                icmp    8
ACCEPT       fw                   loc               icmp    8
ACCEPT       fw                   net               icmp    8
#
# Allow Samba fw connections to/from loc
#
ACCEPT       fw                   loc               udp     137:139
ACCEPT       fw                   loc               tcp     137,139,445
ACCEPT       fw                   loc               udp     1024:    137
ACCEPT       loc                  fw                udp     137:139
ACCEPT       loc                  fw                tcp     137,139,445
ACCEPT       loc                  fw                udp     1024:    137
#
# jcs-ldns01
# services: dns
#
ACCEPT       net                  loc:10.10.1.11    tcp     domain
ACCEPT       net                  loc:10.10.1.11    udp     domain
#
# jcs-ldns02
# services: dns
#
ACCEPT       net                  loc:10.10.1.12    tcp     domain
ACCEPT       net                  loc:10.10.1.12    udp     domain
#
#
# jcs-lmail01
# aka: mail.jibben.com
# services: pop3, smtp, imap, imaps
#
ACCEPT       net                  loc:10.10.1.30    tcp     smtp
ACCEPT       ose                  loc:10.10.1.30    tcp     pop3
ACCEPT       ose                  loc:10.10.1.30    tcp     smtp
#this catches the extra packets coming through, but shouldn't the policy drop them???
DROP:$LOG    net                  loc:10.10.1.30    all
#
# jcs-inetd01
# aka: dev.jibben.com
# services: http, ftp, pcany
#
ACCEPT       net                  loc:10.10.1.250   tcp     http
ACCEPT       net                  loc:10.10.1.250   tcp     ftp
ACCEPT       net                  loc:10.10.1.250   tcp     5631
ACCEPT       net                  loc:10.10.1.250   udp     5632
#ACCEPT      net                  loc:10.10.1.250   tcp     5800
#ACCEPT      net                  loc:10.10.1.250   tcp     5900
#
# jcs-winet01
#
# aka: www.jibben.com
# services: http, pcany, vnc
ACCEPT       net                  loc:10.10.1.249   tcp     http
ACCEPT       net                  loc:10.10.1.249   tcp     5631
ACCEPT       net                  loc:10.10.1.249   udp     5632
#
# aka: www.y2corn.com, www.weirdsciencerocks.com
# services: http, ftp, ftp (on port 77)
#
ACCEPT       net                  loc:10.10.1.201   tcp     http
ACCEPT       net                  loc:10.10.1.201   tcp     ftp
ACCEPT       net                  loc:10.10.1.201   tcp     77
#
# aka: www.jibbensoftware.com
# services: http, https, ftp
#
ACCEPT       net                  loc:10.10.1.248   tcp     http
#ACCEPT      net                  loc:10.10.1.248   tcp     https
ACCEPT       net                  loc:10.10.1.248   tcp     ftp
#
# aka: www.alba-ker.com, www.tomlommel.com
# services: http, ftp
#
ACCEPT       net                  loc:10.10.1.202   tcp     http
ACCEPT       net                  loc:10.10.1.202   tcp     ftp
#
# jcs-winetd02
# aka: dev5.jibben.com
# services: http, pcany, vnc
#
ACCEPT       net                  loc:10.10.1.247   tcp     http
ACCEPT       net                  loc:10.10.1.247   tcp     5631
ACCEPT       net                  loc:10.10.1.247   udp     5632
#ACCEPT      net                  loc:10.10.1.247   tcp     5800
#ACCEPT      net                  loc:10.10.1.247   tcp     5900
#
# ServerX
# aka: www.visionarymail.com
# services: http, https, ftp, pop3, smtp, imap, imaps, pcany (8000-8001), vpn-pptp (1723), gre
#
ACCEPT       net                  loc:10.10.1.203   tcp     http
ACCEPT       net                  loc:10.10.1.203   tcp     https
ACCEPT       net                  loc:10.10.1.203   tcp     ftp
ACCEPT       net                  loc:10.10.1.203   tcp     pop3
ACCEPT       net                  loc:10.10.1.203   tcp     smtp
ACCEPT       net                  loc:10.10.1.203   tcp     imap
ACCEPT       net                  loc:10.10.1.203   tcp     imaps
ACCEPT       net                  loc:10.10.1.203   tcp     8000
ACCEPT       net                  loc:10.10.1.203   udp     8001
ACCEPT       net                  loc:10.10.1.203   tcp     1723
ACCEPT       net                  loc:10.10.1.203   gre
#
# jcs-winetd07
# aka: devmx.jibben.com
# services: http, pcany, vnc
#
ACCEPT       net                  loc:10.10.1.246   tcp     http
ACCEPT       net                  loc:10.10.1.246   tcp     5631
ACCEPT       net                  loc:10.10.1.246   udp     5632
#ACCEPT      net                  loc:10.10.1.246   tcp     5800
#ACCEPT      net                  loc:10.10.1.246   tcp     5900
#
# jcs-wsql2k-01
# services: pcany, ms-sql-s, ms-sql-m, vnc
#
ACCEPT       ose                  loc:10.10.1.200   tcp     ms-sql-s
ACCEPT       ose                  loc:10.10.1.200   udp     ms-sql-s
ACCEPT       ose                  loc:10.10.1.200   tcp     ms-sql-m
ACCEPT       ose                  loc:10.10.1.200   udp     ms-sql-m
ACCEPT       net                  loc:10.10.1.200   tcp     5631
ACCEPT       net                  loc:10.10.1.200   udp     5632
#ACCEPT      net                  loc:10.10.1.200   tcp     5800
#ACCEPT      net                  loc:10.10.1.200   tcp     5900
#
# jcs-wsql7-01
# services: pcany, ms-sql-s, ms-sql-m, vnc
#
ACCEPT       ose                  loc:10.10.1.199   tcp     ms-sql-s
ACCEPT       ose                  loc:10.10.1.199   udp     ms-sql-s
ACCEPT       ose                  loc:10.10.1.199   tcp     ms-sql-m
ACCEPT       ose                  loc:10.10.1.199   udp     ms-sql-m
ACCEPT       net                  loc:10.10.1.199   tcp     5631
ACCEPT       net                  loc:10.10.1.199   udp     5632
#ACCEPT      net                  loc:10.10.1.199   tcp     5800
#ACCEPT      net                  loc:10.10.1.199   tcp     5900
#
# jcs-wdev07
# services: kazaa, vnc
#
ACCEPT       net                  loc:10.10.1.101   tcp     1214
ACCEPT       net                  loc:10.10.1.101   tcp     3017
ACCEPT       net                  loc:10.10.1.101   udp     3017
ACCEPT       net                  loc:10.10.1.101   tcp     http
#ACCEPT      net                  loc:10.10.1.101   tcp     5800
ACCEPT       net                  loc:10.10.1.101   tcp     5900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
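A small parser for the Shorewall log format quoted in the post, added here as an example and not part of the original message: it reads the `Shorewall:CHAIN:DISPOSITION:` prefix, the KEY=VALUE fields and the bare TCP flag tokens (ACK, RST, SYN), then groups rejected packets by chain, disposition, source address and port, flag combination and whether the packet entered and would leave on the same interface, so the four flag combos listed above can be checked against a real /var/log/messages. The sample input reuses three of the post's own FORWARD:REJECT lines plus a constructed SYN entry (192.0.2.10, chain name net2loc) and an unrelated kernel line to show what is skipped.

```python
import re
from collections import Counter

# Constructed sample: lines 1-3 are copied from the post's logwatch output,
# line 4 is a made-up SYN entry (documentation address 192.0.2.10, chain net2loc),
# line 5 is unrelated kernel noise that the parser must ignore.
SAMPLE_LOG = """\
Sep 14 22:47:11 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.15.37.168 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=135 DPT=2689 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:49:39 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=139 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:50:15 localhost kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=216.17.21.77 DST=216.17.55.53 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=445 DPT=58364 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 14 22:51:02 localhost kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.10.1.30 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=TCP SPT=40000 DPT=135 WINDOW=2048 RES=0x00 SYN URGP=0
Sep 14 22:51:03 localhost kernel: eth0: link up
"""

TCP_FLAG_ORDER = ("SYN", "RST", "ACK", "FIN", "PSH", "URG")
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict of KEY=VALUE fields plus a 'flags' set, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:                      # KEY=VALUE field (URGP=0 lands here, not as a flag)
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAG_ORDER:         # bare TCP flag token such as ACK or RST
            rec["flags"].add(tok)
        # other bare tokens (DF, CE) are IP-level markers and are ignored here
    return rec

def flag_label(rec):
    """Canonical flag combination string, e.g. 'RST,ACK' or 'SYN'."""
    return ",".join(f for f in TCP_FLAG_ORDER if f in rec["flags"]) or "none"

def summarize(log_text):
    """Count TCP entries by (chain, disposition, SRC, SPT, flags, hairpin)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        hairpin = rec.get("IN") == rec.get("OUT")   # entered and would leave on the same interface
        counts[(rec["chain"], rec["disposition"], rec["SRC"], rec["SPT"], flag_label(rec), hairpin)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        chain, disp, src, spt, flags, hairpin = key
        print(f"{n:3d}  {chain}:{disp}  src={src}:{spt}  flags={flags}  hairpin={hairpin}")
```

Run it against the real log with `summarize(open("/var/log/messages").read())`; an RST,ACK entry whose SRC is one of your own public addresses and whose IN and OUT are both eth0 is the pattern in the post's six lines.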