I was asking a few days ago about the overnet client and shorewall. I've just
been checking and the situation actually seems worse than I thought.

I added a rule to shorewall to open port 4662 to allow sharing with remote
clients. However, when I don't have the client running, I thought I should
close this port again. So, I removed the rule from Shorewall and restarted it.
But when I checked the port using grc.com's port scanner, it was still
reported as Open.

Further checking shows that the overnet client can open a port even if
shorewall has closed it - and it remains open even after I quit overnet and
restart Shorewall!

After a reboot, the port is reported as Stealth (i.e. dropping connections).
However, merely running overnet is enough to cause the port to become Open,
with no changes to Shorewall! Quitting overnet leaves the port open. Indeed, I
cannot manage to close this port once overnet has run without rebooting the
box. I first tried changing the Shorewall rule for port 4662 to a DROP rule,
with no apparent effect after restarting it. Removing the rule completely had
no effect (my default policy for all net>fw connections is to DROP them).

How and why is overnet breaching the firewall? Or have I missed something?

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
At 09:43 10/31/2003, you wrote:
> How and why is overnet breaching the firewall? Or have I missed something?

I think you've missed the nature of Shorewall and iptables.

iptables is the kernel facility that filters packets (known really as a
"packet filter") to provide firewall functionality. iptables runs all the
time. Shorewall, on the other hand, is NOT a service which runs all the
time... it is a set of scripts that run *ONCE* when you start Shorewall and
then do nothing. Those scripts write iptables rules to do what you told
Shorewall to do, and then iptables is the one that does all the work.

What is happening is that you start Shorewall and the iptables rules get
properly configured. Then, you or Overnet is writing ("by hand" so to
speak) an iptables rule to open 4662. Shorewall does not know this happened
and cannot do anything about it.

I can think of two solutions: modify the Overnet client to delete the rule
that opened port 4662, so that when the client is shut down the port is
closed, or issue a "shorewall restart" command when you close Overnet so that
your correct configuration is restored.

However, note that having port 4662 open will not cause your machine to be
vulnerable IF NO SERVICE IS LISTENING on that port. Simply having an open port
is not a vulnerability. So perhaps just leaving 4662 open in your Shorewall
configuration is not a bad thing either if you're going to be running Overnet
most of the time anyway.

-- 
Rodolfo J. Paiz
rpaiz@simpaticus.com
Hi John:

> I was asking a few days ago about the overnet client and shorewall. I've just
> been checking and the situation actually seems worse than I thought.
>
> I added a rule to shorewall to open port 4662 to allow sharing with remote
> clients. However, when I don't have the client running, I thought I should
> close this port again. So, I removed the rule from Shorewall and restarted it.
> But when I checked the port using grc.com's port scanner, it was still
> reported as Open.
>
> Further checking shows that the overnet client can open a port even if
> shorewall has closed it - and it remains open even after I quit overnet and
> restart Shorewall!
>
> After a reboot, the port is reported as Stealth (i.e. dropping connections).
> However, merely running overnet is enough to cause the port to become Open,
> with no changes to Shorewall! Quitting overnet leaves the port open. Indeed, I
> cannot manage to close this port once overnet has run without rebooting the
> box. I first tried changing the Shorewall rule for port 4662 to a DROP rule,
> with no apparent effect after restarting it. Removing the rule completely had
> no effect (my default policy for all net>fw connections is to DROP them).
>
> How and why is overnet breaching the firewall? Or have I missed something?
>
> John

I recall Tom suggesting using "cutter" to break connections like that...
Have a look at this thread:

http://lists.shorewall.net/pipermail/shorewall-users/2003-August/008156.html

Jerry Vonau
On Fri, 2003-10-31 at 08:36, Rodolfo J. Paiz wrote:
> At 09:43 10/31/2003, you wrote:
> > How and why is overnet breaching the firewall? Or have I missed something?
>
> I think you've missed the nature of Shorewall and iptables.
>
> iptables is the kernel facility that filters packets (known really as a
> "packet filter") to provide firewall functionality. iptables runs all the
> time. Shorewall, on the other hand, is NOT a service which runs all the
> time... it is a set of scripts that run *ONCE* when you start Shorewall and
> then do nothing. Those scripts write iptables rules to do what you told
> Shorewall to do, and then iptables is the one that does all the work.
>
> What is happening is that you start Shorewall and the iptables rules get
> properly configured. Then, you or Overnet is writing ("by hand" so to
> speak) an iptables rule to open 4662. Shorewall does not know this happened
> and cannot do anything about it.
>

On the other hand, if this is what was happening then "shorewall restart"
would delete the rule.

John: Are you running Overnet on the Shorewall box or on a system behind it?
And what is the URL for the grc.com port scanner? It seems to be hidden on
the grc.com site...

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Hit send too fast.... Here is another report of cutter killing off open
connections:

http://lists.shorewall.net/pipermail/shorewall-users/2003-July/007187.html

Jerry

----- Original Message -----
From: "John Pettigrew" <john@xl-cambridge.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Friday, October 31, 2003 09:43
Subject: [Shorewall-users] Overnet again

> I was asking a few days ago about the overnet client and shorewall. I've just
> been checking and the situation actually seems worse than I thought.
>
> I added a rule to shorewall to open port 4662 to allow sharing with remote
> clients. However, when I don't have the client running, I thought I should
> close this port again. So, I removed the rule from Shorewall and restarted it.
> But when I checked the port using grc.com's port scanner, it was still
> reported as Open.
>
> Further checking shows that the overnet client can open a port even if
> shorewall has closed it - and it remains open even after I quit overnet and
> restart Shorewall!
>
> After a reboot, the port is reported as Stealth (i.e. dropping connections).
> However, merely running overnet is enough to cause the port to become Open,
> with no changes to Shorewall! Quitting overnet leaves the port open. Indeed, I
> cannot manage to close this port once overnet has run without rebooting the
> box. I first tried changing the Shorewall rule for port 4662 to a DROP rule,
> with no apparent effect after restarting it. Removing the rule completely had
> no effect (my default policy for all net>fw connections is to DROP them).
>
> How and why is overnet breaching the firewall? Or have I missed something?
>
> John
> --
> John Pettigrew            XL Cambridge - contract and freelance editing
> Biology specialist        Molecular biology, genetics, biotechnology
> john@xl-cambridge.com     http://www.xl-cambridge.com/
> PGP public key available
In a previous message, "Rodolfo J. Paiz" <rpaiz@simpaticus.com> wrote:

> At 09:43 10/31/2003, you wrote:
> > How and why is overnet breaching the firewall? Or have I missed something?
>
> I think you've missed the nature of Shorewall and iptables.

I don't think so...

> Shorewall, on the other hand, is NOT a service which runs all the
> time... it is a set of scripts that run *ONCE* when you start Shorewall and
> then do nothing. Those scripts write iptables rules to do what you told
> Shorewall to do, and then iptables is the one that does all the work.

What's concerning me is that Shorewall seems not to be able to close port 4662
after the overnet app has run, even if it has been quit. I can see that
overnet might be opening the port itself (and I'm asking on the overnet forum
whether this is so, because they don't talk about it AFAICS!). However, that
doesn't explain why Shorewall can't close it again.

> However, note that having port 4662 open will not cause your machine to be
> vulnerable IF NO SERVICE IS LISTENING on that port.

I hadn't thought about it that way. My remaining concern is that overnet
might be remaining resident somehow after being quit, because the port is
kept open by something despite trying to close it with Shorewall. However,
that is admittedly not a Shorewall problem so I'll continue to chase that
elsewhere.

I am still concerned by Shorewall's inability to close this port - is it
possible to write something that would keep an eye on the port and rewrite
the iptables to keep it open whenever it's closed (given that overnet runs as
a normal user)?

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-31 at 08:46, Tom Eastep wrote:
>
> John: Are you running Overnet on the Shorewall box or on a system behind
> it? And what is the URL for the grc.com port scanner? It seems to be
> hidden on the grc.com site...

Never mind -- I found it.

Running Overnet from an XP box behind my firewall, I am totally unable to
reproduce John's results. If I stop Overnet, the status is "Closed". If I
remove the rule and restart Shorewall, the status is "Stealth".

John -- IIRC, you are running Overnet on Linux. When you "Stop Overnet" are
you simply stopping the GUI or are you stopping the "core" application as
well? It is the latter that listens on port 4662 and it remains running after
the GUI is stopped.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Fri, 2003-10-31 at 08:54, John Pettigrew wrote:
>
> I am still concerned by Shorewall's inability to close this port - is it
> possible to write something that would keep an eye on the port and rewrite the
> iptables to keep it open whenever it's closed (given that overnet runs as a
> normal user)?
>

John -- There is no way that a port can be "open" if there is no application
listening on it.

I want to see the output of "shorewall status" (as a text attachment) after
you have "closed the port" and restarted Shorewall.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
In a previous message, Tom Eastep <teastep@shorewall.net> wrote:

> John: Are you running Overnet on the Shorewall box or on a system behind it?

It's on the Shorewall box itself - I just have the one box.

> And what is the URL for the grc.com port scanner? It seems to be hidden on
> the grc.com site...

Yes, it's a bit of a maze these days. The URL for the port scanner is:

https://grc.com/x/portprobe=4662

Just substitute whatever ports you're interested in (range of 40 or less, I
think).

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-31 at 09:04, John Pettigrew wrote:
> In a previous message, Tom Eastep <teastep@shorewall.net> wrote:
>
> > John: Are you running Overnet on the Shorewall box or on a system behind it?
>
> It's on the Shorewall box itself - I just have the one box.
>

Ok -- When you send the "shorewall status" output, please also send the
output of "netstat -tnap". And please do a grc.com scan of port 4662 after
you have "closed the port" and restarted Shorewall and before you produce the
"shorewall status" output.

Thanks,
-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
In a previous message, Jerry Vonau <jvonau@shaw.ca> wrote:

> Hit send too fast.... Here is another report of cutter killing off open
> connections:

Hmm. Reading the stuff on the cutter website, it looks like it's no use to me
- it relies on the firewall being a separate box. I'm running a simple desktop
machine with Shorewall on the same box :-(

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
In a previous message, Tom Eastep <teastep@shorewall.net> wrote:

> Running Overnet from a XP box behind my firewall, I am totally unable to
> reproduce John's results.

There are a couple of differences here - I'm running the linux command-line
client, and it's running *on* the firewall box, not behind a separate
firewall.

> John -- IIRC, you are running Overnet on Linux. When you "Stop Overnet" are
> you simply stopping the GUI or are you stopping the "core" application as
> well.

When you quit the GUI, it kills the core at the same time. Certainly, there
are no "overnet" programs left running as reported by gtop.

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
In a previous message, Tom Eastep <teastep@shorewall.net> wrote:

> Ok -- When you sent the "shorewall status" output, please also send the
> output of "netstat -tnap". And please do a grc.com scan of port 4662 after
> you have "closed the port" and restarted Shorewall and before you produce
> the "shorewall status" output.

Sent privately - no need to clog up the list!

John

-- 
John Pettigrew            XL Cambridge - contract and freelance editing
Biology specialist        Molecular biology, genetics, biotechnology
john@xl-cambridge.com     http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-31 at 12:16, John Pettigrew wrote:
> In a previous message, Tom Eastep <teastep@shorewall.net> wrote:
>
> > Ok -- When you sent the "shorewall status" output, please also send the
> > output of "netstat -tnap". And please do a grc.com scan of port 4662 after
> > you have "closed the port" and restarted Shorewall and before you produce
> > the "shorewall status" output.
>
> Sent privately - no need to clog up the list!

I've looked at the information that John sent me; here are the relevant
parts:

1. There is no rule in place allowing tcp port 4662:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  472 40462 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   43  9463 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   43  9463 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   656 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
   13   749 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
   41  8807 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
   28  8058 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
   13   749 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   13   749 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
   13   749 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

2. Of the 13 messages logged and dropped, 11 of them were of this flavor:

Oct 31 20:13:39 net2all:DROP:IN=eth0 OUT= SRC=62.253.128.10 DST=www.xxx.yyy.zzz LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10188 DF PROTO=TCP SPT=52259 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0

In other words, connection attempts to port 4662 *are* being dropped after
the "shorewall restart".

3. There were *no* messages regarding shieldsup.grc.com attempting to open
tcp port 4662!

I guess the next step is to see what shieldsup is really doing:

a) Close the port and stop Overnet
b) "shorewall restart"
c) tcpdump -ni eth0 host shieldsup.grc.com

Run the ShieldsUp scan for the port and look at the tcpdump trace.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Fri, 2003-10-31 at 14:06, Tom Eastep wrote:
>
> 2. Of the 13 messages logged and dropped, 11 of them were of this
> flavor:
>
> Oct 31 20:13:39 net2all:DROP:IN=eth0 OUT= SRC=62.253.128.10
> DST=www.xxx.yyy.zzz LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10188 DF
> PROTO=TCP SPT=52259 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
>
> In other words, connection attempts to port 4662 *are* being dropped
> after the "shorewall restart"
>
> 3. There were *no* messages regarding shieldsup.grc.com attempting to
> open tcp port 4662!

I should mention however that there was a 'ping' from shieldsup.grc.com:

Oct 31 20:13:36 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=www.xxx.yyy.zzz LEN=28 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Sat, 2003-11-01 at 01:35, John Pettigrew wrote:
> You wrote:
>
> > What exactly does the text from ShieldsUP say under the "Solicited TCP
> > Packets" and "Unsolicited Packets" text.
>
> Sorry - I've paid more attention now. There seem to be 2 ways to do this probe
> on grc.com and I was using the one that doesn't report this information (using
> the .../portprobe=4662 URL).
>
> I've done a wider scan (4660-4670) and attached the results of the shorewall
> status command from this, as well as the grc.com results showing a claimed
> open port at 4662.
>
> I've no idea what's going on - grc.com did once report the port as stealthed,
> but it then reported it as open again without my having run overnet again!
>

Note that this time we *do* see Shorewall messages about connection requests
from shieldsup.grc.com:

Nov 1 09:32:28 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=www.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=TCP SPT=46973 DPT=4661 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 1 09:32:28 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=81.96.73.117 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=TCP SPT=46973 DPT=4663 WINDOW=8192 RES=0x00 SYN URGP=0

Note that the port number in the messages skips from 4661 to 4663. Yet we also
see:

Nov 1 09:32:42 net2all:DROP:IN=eth0 OUT= SRC=62.253.128.10 DST=www.xxx.yyy.zzz LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=36847 DF PROTO=TCP SPT=2270 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0

so it appears that from every other host in the world except Gibson's,
connection requests to tcp 4662 are dropped.

We still need a tcpdump as I described in my post to the list yesterday.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
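The check Tom performs by hand in the last two messages (count the dropped SYNs per destination port, then look for the scanner's source address and see which ports in the scanned range never produced a drop entry) can be done over a log extract. The following is an added example written for this thread, not code from the list or from Shorewall. It assumes log lines in the shape quoted above: a syslog timestamp, the Shorewall prefix (`chain:DISPOSITION:`) and then netfilter's `KEY=VALUE` fields with bare flag tokens such as `DF` and `SYN`, with the syslog host and `kernel:` tokens already stripped as they are in the thread. The sample lines are constructed from the entries quoted in the thread, with the DST address left as the same placeholder the thread uses.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Shorewall/netfilter LOG entries quoted
# in this thread (DST is a redaction placeholder, as in the thread).
SAMPLE_LOG = """\
Nov 1 09:32:28 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=www.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=TCP SPT=46973 DPT=4661 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 1 09:32:28 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=www.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=TCP SPT=46973 DPT=4663 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 1 09:32:36 net2all:DROP:IN=eth0 OUT= SRC=204.1.226.228 DST=www.xxx.yyy.zzz LEN=28 TOS=0x00 PREC=0x00 TTL=113 ID=32768 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
Nov 1 09:32:42 net2all:DROP:IN=eth0 OUT= SRC=62.253.128.10 DST=www.xxx.yyy.zzz LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=36847 DF PROTO=TCP SPT=2270 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Timestamp, optional "Shorewall:" literal, Shorewall's chain:DISPOSITION
# prefix, then everything from IN= onwards (the netfilter fields).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?"
    r"(?:Shorewall:)?(?P<chain>[\w-]+):(?P<disposition>[A-Z]+):(?P<rest>IN=.*)$"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "chain": m["chain"],
           "disposition": m["disposition"], "flags": []}
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP lines carry ID= twice (IP header, then ICMP echo id);
            # keep the first so rec["ID"] is always the IP header field.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)          # bare tokens: DF, SYN, ACK, ...
    return rec


def parse_log(text):
    """Parse a block of log text, skipping lines that are not LOG entries."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def probes_by_port(records, src=None):
    """Count logged TCP SYNs per destination port, optionally from one source."""
    counts = Counter()
    for r in records:
        if r.get("PROTO") != "TCP" or "SYN" not in r["flags"]:
            continue
        if src is not None and r.get("SRC") != src:
            continue
        counts[int(r["DPT"])] += 1
    return counts


def missing_ports(records, src, lo, hi):
    """Ports in [lo, hi] for which no SYN from `src` was logged.

    A port the scanner calls Open that is absent here never reached the
    firewall's logging rule: either the probe was not sent, or something
    else answered it first. Either way the log cannot confirm a drop.
    """
    seen = probes_by_port(records, src)
    return [p for p in range(lo, hi + 1) if p not in seen]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("dropped SYNs per port:", dict(probes_by_port(recs)))
    print("scanner ports with no drop entry:",
          missing_ports(recs, "204.1.226.228", 4661, 4663))
```

Run against the sample, the scanner's address (204.1.226.228) shows drops for 4661 and 4663 but nothing for 4662, while the one SYN to 4662 that was logged came from a different host, which is the gap Tom points out. Against a real `/var/log/messages` extract the same functions work once the syslog host and `kernel:` tokens are removed (or the regex is widened to skip them).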