Hello,

I set up a snort sensor on my external interface. I got lots of loopback alerts like the following:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] BAD TRAFFIC loopback traffic [**]
10/05-00:20:28.933495 127.0.0.1:80 -> xxx.xxx.xxx.xxx:1009
TCP TTL:126 TOS:0x0 ID:18604 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x434D0001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The source port is always 80, the destination port changes with each packet.

I think I've enabled the rfc1918 filtering and logging but I can't see any of these packets in my log. My settings are:

shorewall.conf
RFC1918_LOG_LEVEL=ULOG
ROUTE_FILTER=No

file interfaces:
net ppp0 - routefilter,norfc1918,tcpflags,blacklist

Thank you very much for shorewall, which makes the use of netfilter much easier and more efficient.

-- 
guy
On Sun, 2003-10-05 at 01:18, Guy Marcenac wrote:
> Hello,
>
> I set up a snort sensor on my external interface.
> I got lots of loopback alerts like the following
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> [**] BAD TRAFFIC loopback traffic [**]
> 10/05-00:20:28.933495 127.0.0.1:80 -> xxx.xxx.xxx.xxx:1009
> TCP TTL:126 TOS:0x0 ID:18604 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x434D0001 Win: 0x0 TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The source port is always 80, the destination port changes with each packet.
>
> I think I've enabled the rfc1918 filtering and logging but I can't see any of
> these packets in my log
> my settings are:
>
> shorewall.conf
> RFC1918_LOG_LEVEL=ULOG
> ROUTE_FILTER=No
>
> file interfaces:
> net ppp0 -
> routefilter,norfc1918,tcpflags,blacklist
>

Traffic on the loopback device is passed unconditionally and is not subject to any of the interface options.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Sunday, October 05, 2003 5:06 PM
Subject: Re: [Shorewall-users] Bad loopback traffic not logged

> Traffic on the loopback device is passed unconditionally and is not
> subject to any of the interface options.
>

I am sorry but I probably misunderstood what the norfc1918 is.

My understanding is that these packets are spoofed and arriving from the outside (I sniff them on ppp0). If this was the case, would my settings drop and log them (I think they should be processed by the rfc1918 chain, which would pass them to the logdrop chain)? Will these settings drop any non-routable source IP?

Thanks
guy
On Sun, 2003-10-05 at 09:20, Guy Marcenac wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> Sent: Sunday, October 05, 2003 5:06 PM
> Subject: Re: [Shorewall-users] Bad loopback traffic not logged
>
>
> > Traffic on the loopback device is passed unconditionally and is not
> > subject to any of the interface options.
> >
>
> I am sorry but I probably misunderstood what the norfc1918 is.
>
> My understanding is that these packets are spoofed and arriving from the
> outside (I sniff them on ppp0).

Then they should be subject to RFC1918 filtering. How is SNORT sniffing them? If it is using libpcap then it can see these packets even if they are subsequently filtered by Shorewall.

> If this was the case, would my settings drop and log them (I think they
> should be processed by the rfc1918 chain, which would pass them to the
> logdrop chain)?
> Will these settings drop any non-routable source IP?

They will treat these packets based on what you have in your rfc1918 file.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Sunday, October 05, 2003 6:32 PM
Subject: Re: [Shorewall-users] Bad loopback traffic not logged

> Then they should be subject to RFC1918 filtering. How is SNORT sniffing
> them? If it is using libpcap then it can see these packets even if they
> are subsequently filtered by Shorewall.

yes, snort sees them before the fw

> They will treat these packets based on what you have in your rfc1918
> file.

I think I've found the prob, but don't know how to fix it.
This is true for any rfc1918 address except 127.0.0.1 because the ruleset appears like this:

Chain INPUT (policy DROP 5 packets, 240 bytes)
 pkts bytes target     prot  opt in     out     source               destination
    2   168 ACCEPT     all   --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  242 14724 ppp0_in    all   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 2816  196K eth0_in    all   --  eth0   *       0.0.0.0/0            0.0.0.0/0
19027 2083K eth1_in    all   --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 26 packets, 2077 bytes)
 pkts bytes target     prot  opt in     out     source               destination
    2   168 ACCEPT     all   --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  185 14044 fw2net     all   --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 2520 1021K fw2loc     all   --  *      eth0    0.0.0.0/0            0.0.0.0/0
18700 2487K fw2dmz     all   --  *      eth1    0.0.0.0/0            0.0.0.0/0

So I think that the lo accept rule applies _before_ ppp0_in. Am I right?

-- 
guy
On Sun, 5 Oct 2003, Guy Marcenac wrote:
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> Sent: Sunday, October 05, 2003 6:32 PM
> Subject: Re: [Shorewall-users] Bad loopback traffic not logged
>
> > Then they should be subject to RFC1918 filtering. How is SNORT sniffing
> > them? If it is using libpcap then it can see these packets even if they
> > are subsequently filtered by Shorewall.
>
> yes, snort sees them before the fw
>
> > They will treat these packets based on what you have in your rfc1918
> > file.
>
> I think I've found the prob, but don't know how to fix it.
> This is true for any rfc1918 address except 127.0.0.1 because the ruleset
> appears like this
>
> Chain INPUT (policy DROP 5 packets, 240 bytes)
>  pkts bytes target     prot  opt in     out     source               destination
>     2   168 ACCEPT     all   --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>   242 14724 ppp0_in    all   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>  2816  196K eth0_in    all   --  eth0   *       0.0.0.0/0            0.0.0.0/0
> 19027 2083K eth1_in    all   --  eth1   *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy DROP 26 packets, 2077 bytes)
>  pkts bytes target     prot  opt in     out     source               destination
>     2   168 ACCEPT     all   --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>   185 14044 fw2net     all   --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>  2520 1021K fw2loc     all   --  *      eth0    0.0.0.0/0            0.0.0.0/0
> 18700 2487K fw2dmz     all   --  *      eth1    0.0.0.0/0            0.0.0.0/0
>
> So I think that the lo accept rule applies _before_ ppp0_in
> Am I right?
>

So what is your point? The 'lo' rule only applies to traffic arriving on the 'lo' device.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 5 Oct 2003, Tom Eastep wrote:
>
> > So I think that the lo accept rule applies _before_ ppp0_in
> > Am I right?
> >
>
> So what is your point? The 'lo' rule only applies to traffic arriving on
> the 'lo' device.
>

The reason that Shorewall isn't seeing the packets is that the kernel is dropping them under the 'routefilter' option.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
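The ordering Tom describes is the whole story of this thread: a libpcap sniffer sees the frame on ppp0, but the kernel's IP input path discards a packet with a loopback source (and, with rp_filter on, any source whose reverse path is another interface) before netfilter's INPUT chain runs, so Shorewall's rfc1918 chain never gets a chance to log it. The model below is an added example and is not code from this thread or from the Shorewall project. It parses the snort alert format quoted above, classifies the source against the RFC 1918 and loopback ranges, and decides from an assumed routing table and assumed rp_filter / log_martians values whether the packet ever reaches netfilter. The interface names, the routing table and the alert text are all constructed; Linux does treat a 127/8 source on a non-loopback device as a martian independently of rp_filter, which the model reflects.

```python
"""Added example; not code from the Shorewall list thread or the Shorewall project.

Models who sees a spoofed packet on a Linux firewall: the libpcap sniffer, the
kernel's IP input path (rp_filter / martian checks), or netfilter's INPUT chain
where Shorewall's rfc1918 chain lives. Interface names, routing table, sysctl
values and the alert text are constructed assumptions.
"""
import ipaddress
import re

# Ranges a Shorewall rfc1918-style file treats as non-routable
# (the RFC 1918 private blocks plus loopback).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed alert in the snort text format quoted in the thread.
SAMPLE_ALERT = """\
[**] BAD TRAFFIC loopback traffic [**]
10/05-00:20:28.933495 127.0.0.1:80 -> 203.0.113.7:1009
TCP TTL:126 TOS:0x0 ID:18604 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x434D0001 Win: 0x0 TcpLen: 20
"""

# Assumed routing table: (destination network, egress interface).
# Default route via ppp0, a LAN on eth0, a DMZ on eth1, loopback on lo.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("192.168.2.0/24"), "eth1"),
    (ipaddress.ip_network("127.0.0.0/8"), "lo"),
]

ADDR_LINE = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$", re.M)
FLAGS_LINE = re.compile(r"^(?P<flags>[*A-Z0-9]{8}) Seq:", re.M)


def parse_alert(text):
    """Extract addresses, ports and TCP flags from one snort alert block."""
    m = ADDR_LINE.search(text)
    if m is None:
        raise ValueError("no address line in alert")
    f = FLAGS_LINE.search(text)
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": f["flags"] if f else ""}


def non_routable_range(src):
    """Return the range that makes src non-routable, or None for a public address."""
    addr = ipaddress.ip_address(src)
    return next((str(n) for n in NON_ROUTABLE if addr in n), None)


def reverse_path_iface(src, routes=ROUTES):
    """Longest-prefix lookup: the interface the kernel would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def kernel_verdict(src, in_iface, rp_filter, log_martians, routes=ROUTES):
    """Simplified model of the Linux IP input path, which runs before netfilter.

    A loopback source on a non-loopback interface is always a martian.
    With rp_filter=1 (Shorewall's 'routefilter'), any source whose reverse path
    is not the arrival interface is a martian too. Martians are discarded and
    logged only when log_martians=1; they never reach the INPUT chain.
    """
    loopback_src = ipaddress.ip_address(src).is_loopback and in_iface != "lo"
    rp_fail = bool(rp_filter) and reverse_path_iface(src, routes) != in_iface
    if loopback_src or rp_fail:
        return {"reaches_netfilter": False, "kernel_logs": bool(log_martians)}
    return {"reaches_netfilter": True, "kernel_logs": False}


def explain(alert_text, in_iface, rp_filter=1, log_martians=0, routes=ROUTES):
    """Report who sees the packet: the sniffer, the kernel, or Shorewall's chain."""
    pkt = parse_alert(alert_text)
    verdict = kernel_verdict(pkt["src"], in_iface, rp_filter, log_martians, routes)
    return {"src": pkt["src"],
            "non_routable_range": non_routable_range(pkt["src"]),
            "seen_by_sniffer": True,  # libpcap taps the device before IP input
            "reaches_rfc1918_chain": verdict["reaches_netfilter"],
            "kernel_logs_drop": verdict["kernel_logs"]}


if __name__ == "__main__":
    # The thread's case: 127.0.0.1 arriving on ppp0, routefilter on, log_martians off.
    print(explain(SAMPLE_ALERT, "ppp0"))
    # A spoofed 10.0.0.0/8 source passes rp_filter (its reverse path is the
    # default route via ppp0), so it does reach the rfc1918 chain.
    print(explain(SAMPLE_ALERT.replace("127.0.0.1", "10.1.2.3"), "ppp0"))
```

The second call shows why the norfc1918 option exists at all: a source that rp_filter cannot tell apart from legitimate Internet traffic (10/8 with only a default route) is only caught by the rfc1918 chain, while a 127/8 source is gone before any chain runs. If the kernel's silent drop is what hides these events from the firewall log, setting log_martians on the external interface is the switch that makes the kernel record them instead.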
> The reason that Shorewall isn't seeing the packets is that the kernel is
> dropping them under the 'routefilter' option.
>

understood
thanks tom

-- 
guy
On Mon, 2003-10-06 at 13:40, Guy Marcenac wrote:
> > The reason that Shorewall isn't seeing the packets is that the kernel is
> > dropping them under the 'routefilter' option.
> >
>
> understood
> thanks tom

You're welcome Guy. Sorry I didn't pick up on the solution sooner in our email exchange :-\

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net