Hello:

I just set up Shorewall 2.1.1-1 on a new RH9 server. In the /etc/shorewall/policy file, I have:

net all DROP info

In the /etc/shorewall/rules file, I have DROP set up for all ports. My goal is to test each line in the "rules" and change DROP to either ACCEPT or REJECT depending upon the port. FYI, each time I change any file in the /etc/shorewall folder, I restart Shorewall. I am hoping that the "shorewall restart" command is incorporating the changes I make to Shorewall.

To test which ports are open, I am using the "ShieldsUP" utility at http://grc.com. After I probe the ports (by running the ALL SERVICE PORTS utility), it shows ports 22 & 718 as being open. I have the following lines in the "rules" file:

DROP net fw tcp ssh

DROP net fw tcp 718
DROP net fw udp 718

What changes (& which files) do I need to make to close these ports?

Thanks.

Kirti
On Thursday 15 July 2004 02:02 pm, Kirti S. Bajwa wrote:
> Hello:
>
> I just set up Shorewall 2.1.1-1 on a new RH9 server. In the
> /etc/shorewall/policy file, I have:
>
> net all DROP info
>
> In the /etc/shorewall/rules file, I have DROP set up for all ports. My
> goal is to test each line in the "rules" and change DROP to either
> ACCEPT or REJECT depending upon the port. FYI, each time I change any
> file in the /etc/shorewall folder, I restart Shorewall. I am hoping
> that the "shorewall restart" command is incorporating the changes I
> make to Shorewall.
>
> To test which ports are open, I am using the "ShieldsUP" utility at
> http://grc.com. After I probe the ports (by running the
> ALL SERVICE PORTS utility), it shows ports 22 & 718 as being open. I
> have the following lines in the "rules" file:
>
> DROP net fw tcp ssh
>
> DROP net fw tcp 718
> DROP net fw udp 718
>
> What changes (& which files) do I need to make to close these ports?

Are you ssh-ed into said machine while testing this?

Do you have absentminded set to yes?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Kirti S. Bajwa wrote:
> Hello:
>
> I just set up Shorewall 2.1.1-1 on a new RH9 server. In the
> /etc/shorewall/policy file, I have:
>
> net all DROP info
>
> In the /etc/shorewall/rules file, I have DROP set up for all ports.

Why?

> My goal is to test each line in the "rules" and change DROP to either ACCEPT or
> REJECT depending upon the port. FYI, each time I change any file in the
> /etc/shorewall folder, I restart Shorewall. I am hoping that the "shorewall
> restart" command is incorporating the changes I make to Shorewall.

Yes BUT... You will still have pending connection tracking entries which can get re-used if grc happens to use the same local port the next time you test.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Are you familiar with nmap? It is a very nice Linux port scanner. I would use nmap and see if those ports are really open. In some situations intermediate hardware, like the ISP's routers for example, will filter traffic from grc to your server and provide you with results like below.

The rules below should be fine, but probably they are unnecessary, as the default policy would be to drop anything not explicitly allowed unless you changed this.

So, use a local scanner on the Linux firewall to see if you have services running (for safety's sake) and then try to access those services from outside the firewall (for example, telnet yourserver.com 22, or telnet yourserver.com 718) and watch the Shorewall log ('tail -f /var/log/messages'). I bet you will see your firewall drop those packets. If this is the case then I would not worry about grc's response.

Maybe someone else can expand on why port scans will sometimes show stuff that is not the case on the target machine??

-Alex

Kirti S. Bajwa wrote:
> Hello:
>
> I just set up Shorewall 2.1.1-1 on a new RH9 server. In the
> /etc/shorewall/policy file, I have:
>
> net all DROP info
>
> In the /etc/shorewall/rules file, I have DROP set up for all ports. My goal
> is to test each line in the "rules" and change DROP to either ACCEPT or
> REJECT depending upon the port. FYI, each time I change any file in the
> /etc/shorewall folder, I restart Shorewall. I am hoping that the "shorewall
> restart" command is incorporating the changes I make to Shorewall.
>
> To test which ports are open, I am using the "ShieldsUP" utility at
> http://grc.com. After I probe the ports (by running the ALL
> SERVICE PORTS utility), it shows ports 22 & 718 as being open. I have the
> following lines in the "rules" file:
>
> DROP net fw tcp ssh
>
> DROP net fw tcp 718
> DROP net fw udp 718
>
> What changes (& which files) do I need to make to close these ports?
>
> Thanks.
>
> Kirti
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
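The two checks suggested above, Tom's warning about connection tracking entries that outlive a "shorewall restart" and Alex's "watch the log while you connect from outside", can be scripted. The script below is an added example written for this thread; it is not Shorewall code and not from anyone on the list. Everything it reads is constructed inline: the addresses (198.51.100.7 as the scanner, 203.0.113.5 as the firewall's outside address), the syslog lines and the /proc/net/ip_conntrack lines are made up in the shape a Shorewall 2.x ruleset on a 2.4 kernel writes them, and that shape is an assumption of the script rather than something the thread shows.

```sh
#!/bin/sh
# Added example for this thread (not Shorewall code). Two helpers:
#   summarize_log       - count Shorewall log entries by disposition/proto/port
#   conntrack_for_dport - find existing conntrack entries to a given port
# All input below is constructed; the Shorewall:<chain>:<disposition>: log
# prefix and the 2.4-kernel ip_conntrack layout are assumptions.

# Constructed /var/log/messages excerpt: three TCP probes and one UDP probe
# from the scanner, plus one unrelated sshd line that must be ignored.
LOG='Jul 15 18:40:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1001 DF PROTO=TCP SPT=1064 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 18:40:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1002 DF PROTO=TCP SPT=1065 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 18:40:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1003 DF PROTO=TCP SPT=1066 DPT=718 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 18:40:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=29 TOS=0x00 PREC=0x00 TTL=112 ID=1004 PROTO=UDP SPT=1067 DPT=718 LEN=9
Jul 15 18:40:05 fw sshd[2231]: Accepted password for kirti from 192.168.1.10 port 2048 ssh2'

# Constructed /proc/net/ip_conntrack excerpt. Column 3 of a tcp entry is the
# remaining lifetime in seconds; the first src=/dport= pair is the original
# direction of the flow.
CONNTRACK='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=1064 dport=22 src=203.0.113.5 dst=198.51.100.7 sport=22 dport=1064 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.5 sport=2048 dport=22 src=203.0.113.5 dst=192.168.1.10 sport=22 dport=2048 [ASSURED] use=1
udp      17 29 src=203.0.113.5 dst=203.0.113.1 sport=1025 dport=53 src=203.0.113.1 dst=203.0.113.5 sport=53 dport=1025 use=1'

# summarize_log: read syslog lines on stdin, keep only those carrying a
# Shorewall: prefix, and count them by "<disposition> <proto> <dport>".
summarize_log() {
    awk '
        {
            disp = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/) { split($i, t, ":"); disp = t[3] }
                else if ($i ~ /^PROTO=/)   proto = substr($i, 7)
                else if ($i ~ /^DPT=/)     dpt = substr($i, 5)
            }
            if (disp != "" && dpt != "") n[disp " " proto " " dpt]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# conntrack_for_dport PORT [SRC]: read ip_conntrack lines on stdin and print
# the entries whose original-direction dport is PORT (and whose original
# src is SRC, when given). Any entry printed here is a flow the kernel will
# keep accepting as ESTABLISHED before the newly loaded rules are consulted.
conntrack_for_dport() {
    awk -v p="$1" -v s="$2" '
        {
            src = ""; dp = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)   src = substr($i, 5)
                if (dp  == "" && $i ~ /^dport=/) dp  = substr($i, 7)
            }
            if (dp == p && (s == "" || src == s)) print
        }'
}

# Stand-alone run on the constructed data. On a live box the same helpers
# would be fed with:
#   grep 'Shorewall:' /var/log/messages | summarize_log
#   conntrack_for_dport 22 < /proc/net/ip_conntrack
echo "Logged packets by disposition/proto/port:"
printf '%s\n' "$LOG" | summarize_log
echo "Conntrack entries to port 22 from the scanner:"
printf '%s\n' "$CONNTRACK" | conntrack_for_dport 22 198.51.100.7
```

If the log summary shows DROP entries for the ports the scanner reports as open, the firewall is doing what the rules say and the scanner's verdict came from somewhere in between. If conntrack_for_dport prints an ESTABLISHED entry from the scanner's address, that is Tom's case: a flow admitted under the previous ruleset stays admitted until the lifetime in column 3 runs out, so retest from a different source port or after the entry has expired.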
-----Original Message-----
From: John Andersen [mailto:jsa@norcomix.dyndns.org]
Sent: Thursday, July 15, 2004 6:46 PM
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Open Ports

> Are you ssh-ed into said machine while testing this?
>
> Do you have absentminded set to yes?

John:

Good point. My answer: I do not know. I am using the port scanner as outlined at http://grc.com. I will look into it further.

Thanks.

Kirti
Tom:

Thanks for your response.

>> In the /etc/shorewall/rules file, I have DROP set up for all ports.
>
> Why?

As to why I have DROP on all ports: because that's the way I was going to test it. I want to take one protocol at a time and test ACCEPT/DROP/REJECT one at a time. I am sure there are better ways to test the firewall, but this is what I thought to be the best.

> Yes BUT... You will still have pending connection tracking entries which can
> get re-used if grc happens to use the same local port the next time you test.

Good point, except I do not know if http://grc.com is using the ssh port to do the port scan. I plan to email the author and find out.

Kirti

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, July 15, 2004 6:54 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Open Ports

Kirti S. Bajwa wrote:
> Hello:
>
> I just set up Shorewall 2.1.1-1 on a new RH9 server. In the
> /etc/shorewall/policy file, I have:
>
> net all DROP info
>
> In the /etc/shorewall/rules file, I have DROP set up for all ports.

Why?

> My goal is to test each line in the "rules" and change DROP to either ACCEPT or
> REJECT depending upon the port. FYI, each time I change any file in the
> /etc/shorewall folder, I restart Shorewall. I am hoping that the "shorewall
> restart" command is incorporating the changes I make to Shorewall.

Yes BUT... You will still have pending connection tracking entries which can get re-used if grc happens to use the same local port the next time you test.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Alex:

I will try nmap and the other suggestions you have mentioned.

Just to make it clear, I am DROPping everything as of now. When I test each port, I will change them.

Thanks.

Kirti
Read about /etc/shorewall/policy. The reason Tom asked "Why?" is because the default policy (net2all) already drops everything, such as inbound ssh access, like the traffic grc.com generates into your box. Thus, it is NOT necessary to have anything explicit in /etc/shorewall/rules, unless you want to ALLOW traffic. (You use rules for other things, like changing log levels, or forwarding ports, etc., but these things are out of your scope I would guess, until you understand the basic setup.)

Always take some time and read Tom's excellent documentation at http://www.shorewall.net. Read the FAQ and the "(one or two) interface setup guides".

Alex Martin
http://www.rettc.com

Kirti S. Bajwa wrote:
> Alex:
>
> I will try nmap and the other suggestions you have mentioned.
>
> Just to make it clear, I am DROPping everything as of now. When I test each
> port, I will change them.
>
> Thanks.
>
> Kirti
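The point Tom and Alex are making, that a rule whose ACTION is the same as the policy for that zone pair does not change what is reachable, can be checked mechanically. The script below is an added example for this thread, not Shorewall code and not from anyone on the list. The policy file is reconstructed from the one line the original post shows ("net all DROP info"); the fw->net ACCEPT and all->all REJECT lines are assumed, as is the corrected rules file, which keeps only the one exception that is actually wanted (ACCEPT for ssh). Nothing is read from /etc/shorewall; the file contents are embedded.

```sh
#!/bin/sh
# Added example for this thread (not Shorewall code): list the entries in a
# Shorewall rules file whose ACTION merely repeats the policy that would
# apply to that zone pair anyway. All file contents below are constructed.

# /etc/shorewall/policy. Columns: SOURCE DEST POLICY LOG-LEVEL.
# Only the "net all DROP info" line comes from the thread; the other two
# are assumed for a typical one-interface setup.
POLICY='#SOURCE  DEST  POLICY  LOG-LEVEL
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info'

# /etc/shorewall/rules as posted. Columns: ACTION SOURCE DEST PROTO DEST-PORT.
RULES_POSTED='#ACTION  SOURCE  DEST  PROTO  DEST-PORT
DROP     net     fw    tcp    ssh
DROP     net     fw    tcp    718
DROP     net     fw    udp    718'

# The same file once ssh from the net is meant to work: only the exception
# to the policy is listed; 718 needs no line at all because the policy
# already drops it.
RULES_FIXED='#ACTION  SOURCE  DEST  PROTO  DEST-PORT
ACCEPT   net     fw    tcp    ssh'

# policy_for SRC DST: print the POLICY Shorewall applies to SRC->DST.
# Shorewall uses the first matching policy line; "all" matches any zone.
policy_for() {
    printf '%s\n' "$POLICY" | awk -v s="$1" -v d="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }'
}

# redundant_rules RULES_TEXT: print every rule whose ACTION equals the
# policy for its zone pair, with whitespace normalised to single spaces.
redundant_rules() {
    rules=$1
    printf '%s\n' "$rules" | while read -r action src dst rest; do
        case "$action" in ''|'#'*) continue ;; esac
        if [ "$action" = "$(policy_for "$src" "$dst")" ]; then
            set -- $rest
            printf '%s %s %s %s\n' "$action" "$src" "$dst" "$*"
        fi
    done
}

echo "Rules that only repeat the policy (file as posted):"
redundant_rules "$RULES_POSTED"
echo "Rules that only repeat the policy (corrected file):"
redundant_rules "$RULES_FIXED"
```

One caveat that makes the posted rules slightly worse than merely redundant: Shorewall evaluates the rules file before the policy, and a rule with no log level does not log. So "DROP net fw tcp ssh" drops the scanner's SYN silently, where the policy alone would have dropped it and logged it at info. If a per-port drop entry is wanted for some reason, write it as "DROP:info" to keep the log line; otherwise leave the policy to do the dropping and put only ACCEPT (or REJECT) exceptions in the rules file.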