Hi, I'm new to the list and have a question that I hope someone will be able to answer. I'm running shorewall 1.4.2 on a Gentoo 1.4 system and am trying to block usage of streaming media such as internet radio. The setup I have is based on the 2 interfaces example; the only changes I made were to enable access to the internet from the firewall and add this to rules:

REJECT loc net tcp 81:109 -
REJECT loc net tcp 444:499 -
REJECT loc net tcp 502:524 -
REJECT loc net tcp 526:531 -
REJECT loc net tcp 533:635 -
REJECT loc net tcp 537:999 -
REJECT loc net tcp 1000:1351 -
REJECT loc net tcp 1353:5431 -
REJECT loc net tcp 5433:9000 -

This does not result in the blocking of streaming media, but it does cause a kernel panic every once in a while. The kernel panic may be related to the Gentoo kernel I'm using, so I'll be working on switching to a kernel.org kernel. The blocking not working, however, I have no clue about. Any advice is welcome.

With kind regards,
Patrick
the_activ@activ.dhs.org wrote:
> The setup I have is based on the 2 interfaces axample, the only changes I
> made was enable access the internet from the fire wall and add this to
> rules:
> REJECT loc net tcp 81:109 -
> REJECT loc net tcp 444:499 -
> REJECT loc net tcp 502:524 -
> REJECT loc net tcp 526:531 -
> REJECT loc net tcp 533:635 -
> REJECT loc net tcp 537:999 -
> REJECT loc net tcp 1000:1351 -
> REJECT loc net tcp 1353:5431 -
> REJECT loc net tcp 5433:9000 -
>
> This does not results in the blocking fo streaming media but it does cause
> a kernel panic every once in a while.
>

I suspect your rules are producing some rather large tables. You would be better off implementing a reject policy and using rules to allow specific services. Some homework on which protocols and ports are used by the various services is also in order.
I tried that, but for some reason that blocked all traffic; it appears like my policies are overruling my rules.

> I suspect your rules are producing some rather large tables. You would
> be better off implementing a reject policy and using rules to allow
> specific services. Some homework on which protocols and ports are used by the
> various services is also in order.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Thursday 08 January 2004 03:13 am, the_activ@activ.dhs.org wrote:
> I tried that but for some reason that blocked all traffic, it appears like
> my policys are overrulling my rules.
>

Nonsense. Several comments:

a) Rules only affect NEW connections. So if you have an existing connection for streaming media, you can change your rules until hell freezes over and the connection will still work. So when testing REJECT/DROP rules, be sure that you are trying to create a new connection.

b) A lot of streaming media uses UDP rather than TCP.

c) Changing your REJECT rules to REJECT:info will allow you to see when one of the rules is triggered.

d) If you change your loc->net policy to REJECT, then be sure to specify a LOG LEVEL so that you can see what is getting blocked by the policy. That way, you can use the log messages containing "loc2net" to determine what services you need that you forgot to open (which led you to erroneous conclusions).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
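As an added example that is not part of the thread, the following POSIX shell script turns point d) into a check: it counts what a logged loc->net REJECT policy refused, per protocol and destination port, and prints the matching 1.4-style rules entries for whichever of those services turn out to be legitimate. The sample kernel log lines are constructed, and the "Shorewall:loc2net:REJECT:" log prefix layout is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise policy rejections logged
# by a loc->net REJECT policy with a LOG LEVEL, so forgotten services can be
# opened with explicit ACCEPT rules instead of port-range REJECTs.
# Assumes the log prefix "Shorewall:<chain>:<disposition>:" and a policy
# log chain named loc2net.

# Constructed sample syslog lines; addresses are documentation ranges.
SAMPLE_LOG='Jan  8 03:10:01 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=34567 DPT=5004 LEN=40
Jan  8 03:10:02 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=34568 DPT=5004 LEN=40
Jan  8 03:10:05 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=1755 SYN
Jan  8 03:10:06 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=1755 SYN
Jan  8 03:10:07 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=192.0.2.9 LEN=60 PROTO=UDP SPT=34570 DPT=5004 LEN=40
Jan  8 03:10:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=55555 DPT=23 SYN'

# Print "count PROTO DPT" for each distinct protocol/destination port that
# the given chain (default loc2net) logged, most frequent first.
summarize_blocked() {
    chain="${2:-loc2net}"
    printf '%s\n' "$1" |
        grep "Shorewall:${chain}:" |
        sed -n 's/.*PROTO=\([A-Z0-9]*\).* DPT=\([0-9]*\).*/\1 \2/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Turn each summary line into a Shorewall 1.4 rules entry
# (ACTION SOURCE DEST PROTO DEST PORT) that would permit that service,
# for the operator to review before adding it to /etc/shorewall/rules.
to_accept_rule() {
    awk '{ printf "ACCEPT\tloc\tnet\t%s\t%s\n", tolower($2), $3 }'
}

summarize_blocked "$SAMPLE_LOG"
echo "--- candidate rules entries ---"
summarize_blocked "$SAMPLE_LOG" | to_accept_rule
```

In practice, pipe the real kernel log (for example `grep Shorewall: /var/log/messages`) into the same pipeline instead of `$SAMPLE_LOG`; note that the UDP entries here illustrate point b), since a TCP-only rule set never sees them.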