Hi, I have installed Shorewall with Webmin and they work very well.

I have a question: can I create chains and point actions to these chains?

Let me explain:

I have chains that I created for log/drop and/or log/accept; those I am using in one or more chains, pointed to as actions.

Is there any chance to do something similar in Shorewall?

Thanks,
Paulo Kappke
On Mon, 2003-12-01 at 15:50, Paulo Kappke wrote:
> Hi, I have installed Shorewall with Webmin and they work very well.
>
> I have a question: can I create chains and point actions to these chains?
>
> Let me explain:
>
> I have chains that I created for log/drop and/or log/accept those I am
> using in one or more chains pointed as actions.
>
> Is there any chance to do something similar in Shorewall?

What exactly are you trying to accomplish?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 1 Dec 2003, Tom Eastep wrote:
> On Mon, 2003-12-01 at 15:50, Paulo Kappke wrote:
> > I have a question: can I create chains and point actions to these chains?
> >
> > I have chains that I created for log/drop and/or log/accept those I am
> > using in one or more chains pointed as actions.
> >
> > Is there any chance to do something similar in Shorewall?
>
> What exactly are you trying to accomplish?

Let me back up -- the reason that I'm asking is that while Shorewall doesn't currently support such a facility, yours is the second request that I've received recently for something like that. I'm trying to understand what the perceived requirements are.

Thanks
-Tom
Tom, for instance, I have in my old firewall script:

    # Chain to log the disallowed ports. A chain must exist before any
    # rule jumps to it, so it is created first. $LOGOPT is expected to
    # hold the extra LOG options (e.g. --log-level) defined earlier in
    # the script.
    iptables -N DENYRULES
    iptables -A DENYRULES -j LOG --log-prefix "IPT DENYRULES: " $LOGOPT
    # LOG is non-terminating: after logging, the packet returns to the
    # calling chain.

    # Chain with disallowed ports:
    iptables -N DENYVALID
    iptables -A DENYVALID -p tcp --dport 5050 -j DENYRULES   # YAHOO MESSENGER
    iptables -A DENYVALID -p tcp --dport 1863 -j DENYRULES   # MSN MESSENGER

    # Rule calling the chain that checks the disallowed ports
    # (GOOD-BAD is created elsewhere in the script)
    iptables -A GOOD-BAD -j DENYVALID

Did you understand it? How do I do this in Shorewall?

Thanks,
Paulo K

Tom Eastep wrote:
> What exactly are you trying to accomplish?

--
---------------------------
Paulo Roberto Kappke
IT Manager
Cyclades Corporation
paulo.kappke@cyclades.com
Phone: +1 (510) 771-6241
Fax: +1 (510) 771-6200
http://www.cyclades.com
Everywhere with Linux
---------------------------
Tom, this feature is interesting because you can call a chain/action from any "main chain".

Another thing, is it possible to add a comment in the rules?

Paulo K

Tom Eastep wrote:
> Let me back up -- the reason that I'm asking is that while Shorewall
> doesn't currently support such a facility, yours is the second request
> that I've received recently for something like that. I'm trying to
> understand what the perceived requirements are.
On Mon, 1 Dec 2003, Paulo Kappke wrote:
> Tom, this feature is interesting because you can call a chain/action
> from any "main chain".

I'm interested in what functions from the current rules file that you want to be able to place in these "action" chains.

> Another thing, is it possible to add a comment in the rules ?

Sure -- throw away Webmin and use Shorewall as it was designed to be used.

-Tom
Paulo Kappke wrote:
> Another thing, is it possible to add a comment in the rules ?

To add my 2 cents.... The comment on the same line of a blacklist entry would be nice, i.e. the IP address and what they did. Example:

    123.45.67.89 ; This joker keeps trying the old sendmail exploit 23-Nov-2003

Right now I have to...

    # This next joker keeps trying the old sendmail exploit 23-Nov-2003
    123.45.67.89

I know it's a nit....
Tom, all of those (DROP, REJECT, etc) plus the chain/action created.

The main idea for the chain/action is like a program where you have a function that can be called in any part of the program.

I can send you more samples that I am using in my old firewall script.

Regards,
Paulo K

Tom Eastep wrote:
> I'm interested in what functions from the current rules file that you want
> to be able to place in these "action" chains.
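A shell version of the reusable log/drop chain that Paulo's script sketches and that his "function called from any part of the program" explanation describes, added here as an example; it is not code from the thread or from Shorewall. It assumes GOOD-BAD already exists, invents a second caller chain BAD-GOOD to show reuse, and only prints the iptables commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): the reusable
# log/drop chain Paulo's script sketches, with the target chain
# created before anything jumps to it. IPT=iptables applies the rules;
# the default only prints them (dry run).
IPT="${IPT:-echo iptables}"
LOGOPT="${LOGOPT:---log-level info}"  # assumed default; Paulo's script sets its own

# The shared "function": rate-limited LOG (so a port sweep cannot
# flood syslog), then DROP. LOG is non-terminating, so without the
# DROP the packet would return to the calling chain.
make_log_drop_chain() {   # $1 = chain name, $2 = log prefix
    $IPT -N "$1"
    $IPT -A "$1" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$2" $LOGOPT
    $IPT -A "$1" -j DROP
}

# Deny-list chain: one rule per disallowed TCP port, each jumping to
# the shared chain. Ports are the two from Paulo's script.
make_deny_chain() {   # $1 = chain, $2 = target chain, rest = ports
    chain="$1"; target="$2"; shift 2
    $IPT -N "$chain"
    for port in "$@"; do
        $IPT -A "$chain" -p tcp --dport "$port" -j "$target"
    done
}

# Build in dependency order, then hook the deny list into each caller
# chain. GOOD-BAD is from Paulo's script and assumed to exist;
# BAD-GOOD is an assumed second caller showing the "callable from any
# main chain" idea.
build_ruleset() {
    make_log_drop_chain DENYRULES "IPT DENYRULES: "
    make_deny_chain DENYVALID DENYRULES 5050 1863   # Yahoo, MSN
    for caller in GOOD-BAD BAD-GOOD; do
        $IPT -A "$caller" -j DENYVALID
    done
}

build_ruleset
```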
On Mon, 1 Dec 2003, Paulo Kappke wrote:
> Tom, all of those (DROP, REJECT, etc) plus the chain/action created.
>
> The main idea for the chain/action, is like a program where you have a
> function that can be called in any part of the program.

Thanks -- I understand the concept of sub-programs/procedures/functions; I've been programming for 35 years now...

And before you offer patronizing advice, you might want to look at the Shorewall-generated Netfilter ruleset. I hope that it reflects something of what I've learned in those 35 years.

-Tom
On Mon, 2003-12-01 at 19:18, Tom Eastep wrote:
> Thanks -- I understand the concept of sub-programs/procedures/functions;
> I've been programming for 35 years now...
>
> And before you offer patronizing advice, you might want to look at the
> Shorewall-generated Netfilter ruleset. I hope that it reflects something
> of what I've learned in those 35 years.

I apologize to Paulo and to the list -- that was uncalled for.

-Tom
Thank you Tom... I almost left the list from that outburst.. We are not all nearly as experienced as you... thus we look to you for answers. I understand your frustration when people ask many questions that are already answered in the FAQ and other areas on the mailing list. Maybe together we can think up a better way to help out the "casual" users that get turned onto SW and just need a basic setup.

Just thoughts and ideas =)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, December 02, 2003 9:28 AM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] New Actions

[...]
I apologize to Paulo and to the list -- that was uncalled for.

-Tom

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tom,

Thank-you for all your effort!

If I could suggest a way to make "life better" for all users (you included), it would be to stop using the mailing list, and go to a phpBB type web based forum. I personally enjoy that interface, and find it easy to search for needed answers.

As a newbie to Shorewall, I found the Webmin interface for Shorewall VERY VERY easy to understand. Once all initial firewall settings were setup, I stopped using Webmin and now only use SSH and the config files.

I have to say that Shorewall is by far the best thing since topless burger joints, and again thanks for the excellence!

-Me

-----Original Message-----
From: Troy Arnold [mailto:troy@troyandtina.com]
Sent: Tuesday, December 02, 2003 8:10 AM
To: 'Shorewall Users Mailing List'
Subject: RE: [Shorewall-users] New Actions

[...]
On Tue, 2003-12-02 at 12:30, Kyle Gasho wrote:
> Tom,
>
> Thank-you for all your effort!
>
> If I could suggest a way to make "life better" for all users (you included),
> it would be to stop using the mailing list, and go to a phpBB type web based
> forum. I personally enjoy that interface, and find it easy to search for
> needed answers.

Been there, done that, got the T-shirt, it sucked :-(

Web interfaces are unsuitable for supporting a product like Shorewall. Once you've seen the output of "shorewall status" posted to a phpBB, you'll understand why.

> As a newbie to Shorewall, I found the Webmin interface for Shorewall VERY
> VERY easy to understand. Once all initial firewall settings were setup, I
> stopped using Webmin and now only use SSH and the config files.
>
> I have to say that Shorewall is by far the best thing since topless burger
> joints, and again thanks for the excellence!

-Tom
On 2 Dec 2003 at 12:44, Tom Eastep wrote:
> > If I could suggest a way to make "life better" for all users (you
> > included), it would be to stop using the mailing list, and go to a
> > phpBB type web based forum. I personally enjoy that interface, and
> > find it easy to search for needed answers.
>
> Been there, done that, got the T-shirt, it sucked :-(
>
> Web interfaces are unsuitable for supporting a product like Shorewall.
> Once you've seen the output of "shorewall status" posted to a phpBB,
> you'll understand why.

It must be a generational thing. I've noticed that younger folks (I have no idea how old Kyle Gasho is) seem to like forums better. I don't.

Personally, I'm with Tom. The list arrives in my mailbox and I can scan the subjects for things I need to know. Each message has the links at the bottom to the mailman page from which I can get to the archives to search. (And Google has it all too.)

Email is faster than forums. I just hate clicking on each message one by one and waiting for a server response from some slow forum server somewhere. If I was on dial-up I would never put up with it.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/