Hi there,

I'm new to this list, so hi all :-)

I would ask for a feature in shorewall that I think will be very nice to many ppl.

I noticed that AFAIK there is no way to instruct SW to turn NEWNOTSYN off on an interface only in a direction... I'll try to expose the real life problem:

I set NEWNOTSYN to YES, as I don't want this kind of packets to reach my FW. In the case that the FW is also my working machine (my laptop in this case) I'd like to perform a pool of operations from my machine on the net, i.e. running nmap -sA -P0 ...

So the request is, is there a way to instruct the actual version of SW to allow such traffic and deny it from outside?

I think it isn't so... why not implement such a feature?... just the possibility of defining NEWNOTSYN on a per target choice (ie: fw2net has to permit newnotsyn, in my case)

Tnx in advance

-- 
<?php echo ' Emiliano `AlberT` Gabrielli '."\n". ' E-Mail: AlberT_AT_SuperAlberT_it '."\n". ' Web: http://SuperAlberT.it '."\n". ' IRC: #php,#AES azzurra.com '."\n".'ICQ: 158591185'; ?>
On Thursday 04 March 2004 10:04 am, Emiliano 'AlberT' Gabrielli wrote:

> So the request is, is there a way to instruct the actual version of SW to allow
> such traffic and deny it from outside?
>
> I think it isn't so... why not implement such a feature?... just the
> possibility of defining NEWNOTSYN on a per target choice (ie: fw2net has
> to permit newnotsyn, in my case)

In Shorewall 2.0, you can drop NEWNOTSYN traffic in the rules file using the dropNonSyn action.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On 19:34, Thursday 4 March 2004, Tom Eastep wrote:

> In Shorewall 2.0, you can drop NEWNOTSYN traffic in the rules file using
> the dropNonSyn action.

wow, great .. I'll try it soon

tnx
-- 
<?php echo ' Emiliano `AlberT` Gabrielli '."\n". ' E-Mail: AlberT_AT_SuperAlberT_it '."\n". ' Web: http://SuperAlberT.it '."\n". ' IRC: #php,#AES azzurra.com '."\n".'ICQ: 158591185'; ?>
On 19:34, Thursday 4 March 2004, Tom Eastep wrote:

> On Thursday 04 March 2004 10:04 am, Emiliano 'AlberT' Gabrielli wrote:
> > So the request is, is there a way to instruct the actual version of SW to
> > allow such traffic and deny it from outside?
> >
> > I think it isn't so... why not implement such a feature?... just the
> > possibility of defining NEWNOTSYN on a per target choice (ie: fw2net has
> > to permit newnotsyn, in my case)
>
> In Shorewall 2.0, you can drop NEWNOTSYN traffic in the rules file using
> the dropNonSyn action.
>
> -Tom

uhmm... I don't know if I have fully understood your solution, but AFAIK you are telling me to set NEWNOTSYN = No by default and *then* add an action to drop them every time I want ... yes it will work but it seems quite boring...

my request is to introduce a new Built-in Action

allowNonSyn

in order to allow reversing the process, setting the default to NEWNOTSYN = Yes and then allowing SYNs only on the few rules I need ...

am I missing something.. ??

thanks in advance

-- 
<?php echo ' Emiliano `AlberT` Gabrielli '."\n". ' E-Mail: AlberT_AT_SuperAlberT_it '."\n". ' Web: http://SuperAlberT.it '."\n". ' IRC: #php,#AES azzurra.com '."\n".'ICQ: 158591185'; ?>
On 10:46, Friday 5 March 2004, Emiliano 'AlberT' Gabrielli wrote:

> On 19:34, Thursday 4 March 2004, Tom Eastep wrote:
> > On Thursday 04 March 2004 10:04 am, Emiliano 'AlberT' Gabrielli wrote:
> > > So the request is, is there a way to instruct the actual version of SW to
> > > allow such traffic and deny it from outside?
> > >
> > > I think it isn't so... why not implement such a feature?... just the
> > > possibility of defining NEWNOTSYN on a per target choice (ie: fw2net
> > > has to permit newnotsyn, in my case)
> >
> > In Shorewall 2.0, you can drop NEWNOTSYN traffic in the rules file using
> > the dropNonSyn action.
> >
> > -Tom
>
> uhmm... I don't know if I have fully understood your solution, but AFAIK
> you are telling me to set NEWNOTSYN = No by default and *then* add an
> action to drop them every time I want ... yes it will work but it seems
> quite boring...
>
> my request is to introduce a new Built-in Action
>
> allowNonSyn
>
> in order to allow reversing the process, setting the default to NEWNOTSYN
> = Yes and then allowing SYNs only on the few rules I need ...
>
> am I missing something.. ??

Ok, problem solved

I have defined a custom action AllowNonSyn

added its name in /etc/shorewall/actions
then created an action file /etc/shorewall/action.AllowNonSyn with those lines:

LOG:debug
ACCEPT

then added a rule in /etc/shorewall/rules:

AllowNonSyn    fw    net    all    -    -    -    -    root

It works fine ... SW v.2 is a very powerful application, good work Tom :-)

The point now is that I can't understand the documentation for the action.templates file ... if I try to specify an action using the same syntax used in rules, as the templates seem to tell me, iptables fails...

Can someone clarify this point? thank you so much

-- 
<?php echo ' Emiliano `AlberT` Gabrielli '."\n". ' E-Mail: AlberT_AT_SuperAlberT_it '."\n". ' Web: http://SuperAlberT.it '."\n". ' IRC: #php,#AES azzurra.com '."\n".'ICQ: 158591185'; ?>
On Friday 05 March 2004 02:31 am, Emiliano 'AlberT' Gabrielli wrote:

> if I try to specify an action using the same syntax used in rules, as the
> templates seem to tell me, iptables fails...
>
> Can someone clarify this point? thank you so much

The template does NOT tell you to use the same syntax as in the rules.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Friday 05 March 2004 01:46 am, Emiliano 'AlberT' Gabrielli wrote:

> uhmm... I don't know if I have fully understood your solution, but AFAIK
> you are telling me to set NEWNOTSYN = No by default and *then* add an
> action to drop them every time I want ... yes it will work but it seems
> quite boring...
>
> my request is to introduce a new Built-in Action
>
> allowNonSyn
>
> in order to allow reversing the process, setting the default to NEWNOTSYN
> = Yes and then allowing SYNs only on the few rules I need ...
>
> am I missing something.. ??

Yes -- you propose a solution to a problem that is already solved but in a different way. What I was suggesting that you do is set NEWNOTSYN=Yes in shorewall.conf then use the dropNonSyn action in those places where you don't want it. e.g., in /etc/shorewall/rules:

dropNonSyn    net    all    all

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Friday 05 March 2004 02:31 am, Emiliano 'AlberT' Gabrielli wrote:

> Ok, problem solved
>
> I have defined a custom action AllowNonSyn
>
> added its name in /etc/shorewall/actions
> then created an action file /etc/shorewall/action.AllowNonSyn with those
> lines:
>
> LOG:debug
> ACCEPT
>
> then added a rule in /etc/shorewall/rules:
>
> AllowNonSyn    fw    net    all    -    -    -    -    root
>
> It works fine ... SW v.2 is a very powerful application, good work Tom
> :-)

Unfortunately, you can't create an AllowNonSyn that would override NEWNOTSYN=No because NEWNOTSYN=No takes effect before the rules are evaluated.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
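To make the ordering point in Tom's last reply concrete, here is an added Python model of the two configurations from the thread (NEWNOTSYN=No plus the custom AllowNonSyn rule, versus NEWNOTSYN=Yes plus dropNonSyn from the net zone). It is not Shorewall code; the Packet fields, the assumption that the rules file only sees conntrack-NEW packets, and the assumption that dropNonSyn/AllowNonSyn match only NEW-not-SYN packets are mine.

```python
"""Model of the NEWNOTSYN / dropNonSyn evaluation order discussed above.

Constructed example, not Shorewall code. Assumed: the rules file is only
consulted for packets conntrack marks NEW; dropNonSyn and the poster's custom
AllowNonSyn match only NEW packets whose flags are not a bare SYN; 'fw' and
'net' are the firewall and Internet zones.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    ct_state: str        # conntrack state: "NEW" or "ESTABLISHED"
    flags: frozenset     # TCP flags set, e.g. {"SYN"} or {"ACK"}

def is_new_not_syn(pkt):
    """The class of packet NEWNOTSYN is about: NEW to conntrack, not a SYN."""
    return pkt.ct_state == "NEW" and pkt.flags != frozenset({"SYN"})

def evaluate(pkt, newnotsyn, rules):
    """Verdict for pkt under shorewall.conf NEWNOTSYN (True == Yes) and an
    ordered rules list of (action, src_zone, dst_zone); 'all' matches any
    zone. Returns the action string, or "POLICY" when no rule matched."""
    # NEWNOTSYN=No is enforced before the rules file is reached, which is why
    # no rule in that file can accept such a packet (Tom's point above).
    if not newnotsyn and is_new_not_syn(pkt):
        return "DROP(NEWNOTSYN=No)"
    if pkt.ct_state != "NEW":
        return "ACCEPT(established)"      # never reaches the rules file
    for action, src, dst in rules:
        if src not in ("all", pkt.src_zone) or dst not in ("all", pkt.dst_zone):
            continue
        if action in ("dropNonSyn", "AllowNonSyn"):
            if not is_new_not_syn(pkt):
                continue                  # plain SYNs fall through to later rules
            return "DROP(dropNonSyn)" if action == "dropNonSyn" else "ACCEPT(AllowNonSyn)"
        return action
    return "POLICY"

# The two configurations from the thread, plus constructed sample packets.
CONFIG_A = dict(newnotsyn=False, rules=[("AllowNonSyn", "fw", "net")])
CONFIG_B = dict(newnotsyn=True, rules=[("dropNonSyn", "net", "all"),
                                       ("ACCEPT", "fw", "net")])
ACK_OUT = Packet("fw", "net", "NEW", frozenset({"ACK"}))   # outbound ACK probe (nmap -sA case)
ACK_IN = Packet("net", "fw", "NEW", frozenset({"ACK"}))    # the same kind of probe arriving from net
SYN_IN = Packet("net", "fw", "NEW", frozenset({"SYN"}))    # an ordinary connection attempt
```

Under configuration A the outbound probe is dropped before AllowNonSyn is ever consulted; under configuration B it is accepted while the inbound one is dropped by dropNonSyn and ordinary SYNs still fall through to the policy.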