thr3ads.net - Shorewall users - RE: (scan behind firewall) [Oct 2004]

If this information is useful, please help other people find it:
Share via:

Ligiu A. Uiorean

2004-Oct-08 06:18 UTC

RE: (scan behind firewall)

Good point Stijn, I am sorry to post without subject and such
it must be the early morning.

The relevant entries in my rules file:

ACCEPT  net             fw              tcp     25
ACCEPT  net             fw              tcp     80
ACCEPT  net             fw              tcp     22
ACCEPT  net             fw              tcp     21
ACCEPT  net             fw              udp     21

REJECT  loc             net             tcp     25


DNAT    net     loc:10.10.10.254         tcp     21
DNAT    net     loc:10.10.10.254         udp     21
#10.10.10.254 beeing the back firewall



Policy file, complete:


loc             net             ACCEPT
#like playing russian rulette
loc             fw              ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT


#i''m allowing traffic by rules
net             dmz             DROP            info
dmz             net             ACCEPT

#i don''t know if I need this, the dmz zone has two public addres
#proxy-arped hosts
fw              dmz             ACCEPT
dmz             fw              ACCEPT


net             net             DROP            info
net             all             DROP            info

#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info


Hope this helps.
---
Ligiu Uiorean
departament IT - SANEX SA
ligiu.uiorean@ro.lasselsberger.com
tel. +40-740-116.117

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Stijn
Jonker
Sent: Friday, October 08, 2004 9:00 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] (no subject)

Hello Ligiu,

First of all, my knowledge of ISA is very limited, so I don''t know what
it''s refering to with those alerts..

Ligiu A. Uiorean said the following on 08-Oct-04 7:50:
> With shorewall acting as a front firewall and M$ ISA Server 2004
acting> as a back firewall. I turned all ''intrusion alerts''
> 
> On at the ISA server expecting not to get any since shorewall should
> block everything.
> Now to the problem:
> I am getting quite a few alerts on the ISA server, regarding possible
> intrusion alerts mainly port scan attempts and half scan attempts (as
ISA names them) by public IP addresses. > 
> Any idea how this could happen? How can packets get thru shorewall?Probally because you allowed them.... OR because the radiation being 
transmitted by the sun is so intense that shorewall can''t filter
correctly.

But now honestly, you don''t mention anything in regards to your 
configuration, rules etc. How are we suposed to help you?
Please see the url below on how to provide info so ppl can help you.
http://www.shorewall.net/support.htm

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

Maybe Matching Threads

Search for more apparently analagous threads

Shorewall users - Oct 2004 - RE: (scan behind firewall)

RE: (scan behind firewall)

Maybe Matching Threads

Wisdom of the Ancients