Hi all, Shorewall claims to support stateful connections. But I read the documentation and I can't find any configuration for it like in iptables, e.g. -m state --state NEW,ESTABLISHED or something like that. Is Shorewall by default stateful for any connection, e.g. web, HTTP?
On Sunday 24 October 2004 21:26, Adrian Mak wrote:
> Shorewall claims to support stateful connections. But I read the
> documentation and I can't find any configuration for it like in iptables, e.g.
> -m state --state NEW,ESTABLISHED or something like that.
>
> Is Shorewall by default stateful for any connection, e.g. web, HTTP?

Yes -- In fact is is not possible to configure Shorewall any other way.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Sunday 24 October 2004 21:26, Adrian Mak wrote:
>> Shorewall claims to support stateful connections. But I read the
>> documentation and I can't find any configuration for it like in iptables, e.g.
>> -m state --state NEW,ESTABLISHED or something like that.
>>
>> Is Shorewall by default stateful for any connection, e.g. web, HTTP?
>
> Yes -- In fact is is not possible to configure Shorewall any other way.

I can't type this morning (when could I ever?) -- that should have been "...it is not..."

-Tom
Tom Eastep wrote on 25/10/2004 10:45:28:
> On Sunday 24 October 2004 21:26, Adrian Mak wrote:
>> Shorewall claims to support stateful connections. But I read the
>> documentation and I can't find any configuration for it like in iptables, e.g.
>> -m state --state NEW,ESTABLISHED or something like that.

I've been confused by this too, and for a long time. When I first started using Shorewall (version 1.2-something), the initial connections were all matched with state NEW and the talk-back connections with RELATED,ESTABLISHED. In some version along the way, only the RELATED,ESTABLISHED talk-back connections were matched. In the INPUT chain (actually, the eth0_in chain), for instance, the states INVALID,NEW are used to consult the chains dynamic, blacklst, nobogons, rfc1918 and tcpflag, but not in the net2fw chain.

>> Is Shorewall by default stateful for any connection, e.g. web, HTTP?
>
> Yes -- In fact is is not possible to configure Shorewall any other way.

So, is the pair RELATED,ESTABLISHED all that is necessary for iptables to use stateful inspection on all packets? This is an old doubt...

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
> Tom Eastep wrote on 25/10/2004 10:45:28:
>> On Sunday 24 October 2004 21:26, Adrian Mak wrote:
>>> Shorewall claims to support stateful connections. But I read the
>>> documentation and I can't find any configuration for it like in iptables, e.g.
>>> -m state --state NEW,ESTABLISHED or something like that.
>
> I've been confused by this too, and for a long time. When I first started
> using Shorewall (version 1.2-something), the initial connections were all
> matched with state NEW and the talk-back connections with RELATED,ESTABLISHED.
> In some version along the way, only the RELATED,ESTABLISHED talk-back
> connections were matched. In the INPUT chain (actually, the eth0_in chain),
> for instance, the states INVALID,NEW are used to consult the chains
> dynamic, blacklst, nobogons, rfc1918 and tcpflag, but not in the net2fw
> chain.
>
>>> Is Shorewall by default stateful for any connection, e.g. web, HTTP?
>>
>> Yes -- In fact is is not possible to configure Shorewall any other way.
>
> So, is the pair RELATED,ESTABLISHED all that is necessary for iptables to use
> stateful inspection on all packets? This is an old doubt...

There are four connection tracking states: NEW, RELATED, ESTABLISHED and INVALID.

At the head of the INPUT and FORWARD chains is a rule like this:

    0     0 DROP     !icmp --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID

So all packets in the INVALID state except ICMP packets are dropped there. INVALID ICMP packets need to be passed through the rules because Netfilter doesn't always get the state right for ICMP.

At the head of the "interface input chains" (such as eth1_fwd), there are one or two rules:

    33888 2187K dynamic  all --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID,NEW
    33888 2187K blacklst all --  *  *  0.0.0.0/0  0.0.0.0/0  policy match dir in pol none state INVALID,NEW

Those are for dynamic and static blacklisting respectively. The 'NEW' is there because I select BLACKLISTNEWONLY=Yes in shorewall.conf (sounds like you do too).

At the head of the "rule" and "policy" chains (those with a "2" in their name), you will find:

    536K 82M ACCEPT   all --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED

So, if a packet makes it through that rule, it is either in the NEW state or it is an ICMP packet in the INVALID state; those are the only two cases that are subject to policies and rules.

Finally, in the Drop and Reject standard actions (at least beginning with 2.0.6), ICMP packets in the INVALID state are silently dropped using the 'dropInvalid' builtin action. This prevents them from being logged.

-Tom
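To make the traversal Tom describes concrete, here is an added Python model of that rule skeleton (example code for this thread, not Shorewall's own code or its generated ruleset) that walks sample packets through chains named as in the post: INPUT, eth0_in, dynamic, blacklst, net2fw and the Drop action. The tcp/22 ACCEPT, the blacklisted address 198.51.100.7, the packet source address and the INPUT policy of DROP are constructed assumptions, and interface matching (-i eth0) is left out; as_iptables renders each rule as the iptables command line it corresponds to.

```python
# Added model of the stateful rule skeleton described above; not Shorewall code.
# Assumed for illustration: INPUT policy DROP, a rules-file ACCEPT for tcp/22,
# a static blacklist entry for 198.51.100.7, and a sample source 203.0.113.5.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = ("ACCEPT", "DROP", "REJECT")


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    state: str                  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    src: str = "203.0.113.5"    # constructed sample source address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP, LOG, or a chain to jump to
    states: Optional[Tuple[str, ...]] = None  # -m state --state A,B ; None matches all
    proto: Optional[str] = None               # -p proto
    not_proto: Optional[str] = None           # ! -p proto
    src: Optional[str] = None                 # -s addr
    dport: Optional[int] = None               # --dport n

    def matches(self, p: Packet) -> bool:
        return ((self.states is None or p.state in self.states)
                and (self.proto is None or p.proto == self.proto)
                and (self.not_proto is None or p.proto != self.not_proto)
                and (self.src is None or p.src == self.src)
                and (self.dport is None or p.dport == self.dport))

    def as_iptables(self, chain: str) -> str:
        """Render the equivalent iptables command line."""
        opts = (([] if not self.proto else ["-p", self.proto])
                + ([] if not self.not_proto else ["!", "-p", self.not_proto])
                + ([] if not self.src else ["-s", self.src])
                + ([] if self.dport is None else ["--dport", str(self.dport)])
                + ([] if not self.states else ["-m", "state", "--state", ",".join(self.states)]))
        return " ".join(["iptables", "-A", chain] + opts + ["-j", self.target])


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policy: Dict[str, str] = {}      # built-in chains only; user chains RETURN

    def add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def run(self, chain: str, p: Packet, trace: List[str]) -> Optional[str]:
        """Walk one chain; return a terminal verdict, or None when the chain returns."""
        for n, r in enumerate(self.chains.get(chain, []), 1):
            if not r.matches(p):
                continue
            trace.append(f"{chain}:{n}:{r.target}")   # record every rule that matched
            if r.target in TERMINAL:
                return r.target
            if r.target == "LOG":                      # non-terminal: keep going
                continue
            verdict = self.run(r.target, p, trace)     # jump into a user chain
            if verdict is not None:
                return verdict
        return self.policy.get(chain)

    def verdict(self, p: Packet) -> Tuple[Optional[str], List[str]]:
        trace: List[str] = []
        return self.run("INPUT", p, trace), trace


def build_ruleset(blacklisted: str) -> Firewall:
    fw = Firewall()
    fw.policy["INPUT"] = "DROP"
    # Head of INPUT: drop every INVALID packet except ICMP, whose state conntrack can get wrong
    fw.add("INPUT", Rule("DROP", states=("INVALID",), not_proto="icmp"))
    fw.add("INPUT", Rule("eth0_in"))
    # Interface chain: blacklists are consulted only for INVALID,NEW (BLACKLISTNEWONLY=Yes)
    fw.add("eth0_in", Rule("dynamic", states=("INVALID", "NEW")))
    fw.add("eth0_in", Rule("blacklst", states=("INVALID", "NEW")))
    fw.add("eth0_in", Rule("net2fw"))
    fw.add("blacklst", Rule("DROP", src=blacklisted))
    # Rule/policy chain: RELATED,ESTABLISHED accepted first, so the rules only ever
    # see NEW packets and INVALID ICMP
    fw.add("net2fw", Rule("ACCEPT", states=("RELATED", "ESTABLISHED")))
    fw.add("net2fw", Rule("ACCEPT", proto="tcp", dport=22))   # sample rules-file entry
    fw.add("net2fw", Rule("Drop"))                             # policy DROP via Drop action
    fw.add("net2fw", Rule("LOG"))
    fw.add("net2fw", Rule("DROP"))
    # Drop action: dropInvalid discards INVALID ICMP before the LOG rule can see it
    fw.add("Drop", Rule("DROP", proto="icmp", states=("INVALID",)))
    return fw


def was_logged(trace: List[str]) -> bool:
    return any(t.endswith(":LOG") for t in trace)


if __name__ == "__main__":
    fw = build_ruleset("198.51.100.7")
    for pkt in (Packet("tcp", "ESTABLISHED", dport=80), Packet("tcp", "INVALID"),
                Packet("icmp", "INVALID"), Packet("tcp", "NEW", dport=22),
                Packet("tcp", "NEW", dport=23), Packet("tcp", "NEW", "198.51.100.7", 22)):
        v, tr = fw.verdict(pkt)
        print(f"{pkt.proto:4} {pkt.state:11} -> {str(v):6} via {' > '.join(tr)}")
```

Running it shows the three paths Tom lays out: an ESTABLISHED packet never touches the blacklist chains and is accepted by the first rule of net2fw, a non-ICMP INVALID packet dies at the first rule of INPUT, and an INVALID ICMP packet walks through dynamic and blacklst, misses every rule in net2fw, and is dropped inside the Drop action without ever reaching the LOG rule; only NEW packets actually exercise the rules-file entries and the logged policy.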