[newbie question]

Before using Shorewall I used to manually write some very short iptables rules which were probably much poorer than what this Shorewall gem does but I could "follow" them very easily.

Now reading the output of iptables -L gives me a terrible headache.

Is there some tool that graphs the rules in order to "see" them better ?

For instance I was experiencing some delays in response to some protocols and suspect it could be an IDENT protocol being firewalled.

I grepped for 113 and ident in the iptables -L output and decided I needed to add an explicit rule for it.

Is this correct ?

My setup is a standalone laptop connected to various LANs (home, clients, office).

Ciao from an uncommonly grey, dull, wet Rome - Italy
Bob

[/newbie question]
On Thu, 2004-12-16 at 16:25 +0100, Bob Alexander wrote:
> [newbie question]
> Before using Shorewall I used to manually write some very short iptables
> rules which were probably much poorer than what this Shorewall gem does
> but I could "follow" them very easily.
>
> Now reading the output of iptables -L gives me a terrible headache.
>
> Is there some tool that graphs the rules in order to "see" them better ?

Not that I'm aware of.

> For instance I was experiencing some delays in response to some
> protocols and suspect it could be an IDENT protocol being firewalled.
>
> I grepped for 113 and ident in the iptables -L output and decided I
> needed to add an explicit rule for it.
>
> Is this correct ?

No -- If you:

    shorewall show Drop Reject RejectAuth

you will see that in both the Drop and Reject chains, the first rule is an unconditional jump to the RejectAuth chain which silently rejects tcp 113. The Drop chain is traversed before a DROP policy is enforced and the Reject chain is traversed before a REJECT policy is enforced.

So unless you have an explicit rule that is dropping auth requests, you should not experience delays due to IDENT.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2004-12-16 at 16:25 +0100, Bob Alexander wrote:
>
> I grepped for 113 and ident in the iptables -L output and decided I
> needed to add an explicit rule for it.
>

Also, I would recommend using "shorewall status" rather than 'iptables -L'.

>
> Ciao from an uncommonly grey, dull, wet Rome - Italy

Regards from typically grey, dull, wet Seattle :-)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> you will see that in both the Drop and Reject chains, the first rule is
> an unconditional jump to the RejectAuth chain which silently rejects tcp
> 113. The Drop chain is traversed before a DROP policy is enforced and
> the Reject chain is traversed before a REJECT policy is enforced.
>
> So unless you have an explicit rule that is dropping auth requests, you
> should not experience delays due to IDENT.
>

Thank you very much Tom. Second spiderweb removed :)

Wow my brain begins to see light :)

Ok I understand the rules traversal you are describing (at least I think so).

But slightly offtopic (not Shorewall related): the delay I am talking about, IIRC, is that of servers on internet trying to use IDENT towards my client and "hanging" for a little while until they receive a reply from client port 113.

Am I (totally) wrong ?

For instance the webmin-firewall module, if started on a "clean" machine will propose a "drop everything but inbound ssh and ident" prototype and I believe that is the reason.

Take care.
Bob
On Thu, 2004-12-16 at 17:05 +0100, Bob Alexander wrote:
>
> But slightly offtopic (not Shorewall related): the delay I am talking
> about, IIRC, is that of servers on internet trying to use IDENT towards
> my client and "hanging" for a little while until they receive a reply
> from client port 113.
>
> Am I (totally) wrong ?

That is true -- but your Shorewall system should be sending an RST in response to the SYN (port 113) from the remote system -- is it not doing so?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote on 16/12/2004 13:39:24:
> On Thu, 2004-12-16 at 16:25 +0100, Bob Alexander wrote:
> >
> > I grepped for 113 and ident in the iptables -L output and decided I
> > needed to add an explicit rule for it.
> >
>
> Also, I would recommend using "shorewall status" rather than 'iptables
> -L'.
>
> >
> > Ciao from an uncommonly grey, dull, wet Rome - Italy
>
> Regards from typically grey, dull, wet Seattle :-)
>
> -Tom

To understand all the settings of rules in shorewall, I usually go from the INPUT chain and start examining every chain called (net2fw, loc2fw etc). And then I go down on all the chains called etc etc. After that, I make the same thing with OUTPUT and FORWARD.

If it could be done in an interactive way, that would be wonderful. hummmm, Maybe in the next holidays...

- and I couldn't resist: tchau from a typically blue, sunny and hot Rio de Janeiro...

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Thu, 2004-12-16 at 14:25 -0200, Eduardo Ferreira wrote:
> To understand all the settings of rules in shorewall, I usually go from
> the INPUT chain and start examining every chain called (net2fw, loc2fw
> etc). And then I go down on all the chains called etc etc. After that, I
> make the same thing with OUTPUT and FORWARD.

Here's an article that may also help: http://shorewall.net/PacketHandling.html

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
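The chain walk Eduardo describes (start at INPUT, follow every chain it jumps to, then repeat for OUTPUT and FORWARD) can be automated from `iptables-save` output. The script below is an added example for this thread, not Shorewall code: it parses an iptables-save style filter table, prints the jump tree from each built-in chain, and reports the first target of a chain so a reader can confirm Tom's point that Drop and Reject both begin with an unconditional jump to RejectAuth. The sample table is constructed and only loosely imitates Shorewall's chain layout; on a real box you would feed it `iptables-save -t filter` instead.

```python
"""Walk the jump graph of an iptables filter table from its built-in chains.

Added example for this thread (not Shorewall's own code).  Input is the
format produced by `iptables-save -t filter`.  SAMPLE is a constructed,
cut-down table whose chain names imitate Shorewall's; it is not real output.
"""
import re
from collections import OrderedDict

# Constructed sample (not captured from a real Shorewall system).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
:loc2fw - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:RejectAuth - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A INPUT -i eth1 -j loc2fw
-A INPUT -j Reject
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j Drop
-A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A loc2fw -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j DROP
-A Reject -j RejectAuth
-A Reject -j REJECT
-A RejectAuth -p tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(.*)$")


def parse_filter_table(text):
    """Return (policies, rules): policy per built-in chain, and for every
    chain an ordered list of (match_text, target_with_options) tuples."""
    policies, rules = {}, OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                     # chain declaration
            name, policy = line[1:].split()[:2]
            rules.setdefault(name, [])
            if policy != "-":                        # user chains have no policy
                policies[name] = policy
        elif line.startswith("-A "):                 # appended rule
            chain, match, target, extra = RULE_RE.match(line).groups()
            rules.setdefault(chain, []).append((match.strip(), (target + extra).rstrip()))
    return policies, rules


def first_target(rules, chain):
    """Name of the target the first rule of `chain` jumps to (None if empty)."""
    return rules[chain][0][1].split()[0] if rules.get(chain) else None


def reachable(rules, start):
    """Set of user chains reachable from `start` by following -j targets."""
    seen, stack = set(), [start]
    while stack:
        for _match, target in rules.get(stack.pop(), []):
            name = target.split()[0]
            if name in rules and name not in seen and name != start:
                seen.add(name)
                stack.append(name)
    return seen


def jump_tree(rules, policies, chain, depth=0, path=(), via=""):
    """Render the chains reachable from `chain` as indented text lines.
    `path` guards against loops; a chain referenced twice is shown twice."""
    policy = policies.get(chain)
    head = ("=> " if depth else "") + chain + (f" (policy {policy})" if policy else "") + via
    out = ["  " * depth + head]
    for match, target in rules.get(chain, []):
        name = target.split()[0]
        cond = f" if {match}" if match else " (unconditional)"
        if name in rules and name not in path + (chain,):   # jump into a user chain
            out.extend(jump_tree(rules, policies, name, depth + 1, path + (chain,), cond))
        else:                                               # terminal target
            out.append("  " * (depth + 1) + f"-> {target}{cond}")
    return out


if __name__ == "__main__":
    policies, rules = parse_filter_table(SAMPLE)
    for builtin in ("INPUT", "FORWARD", "OUTPUT"):
        print("\n".join(jump_tree(rules, policies, builtin)), end="\n\n")
    for chain in ("Drop", "Reject"):
        print(f"first target of {chain}: {first_target(rules, chain)}")
```

Reading the tree top-down mirrors the manual walk: the policy shown on the built-in chain is what applies once every jump has returned without a terminal verdict, which is why a chain such as Drop (here constructed to end in DROP) is consulted before the DROP policy itself.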
Tom Eastep wrote:
>> But slightly offtopic (not Shorewall related): the delay I am talking
>> about, IIRC, is that of servers on internet trying to use IDENT towards
>> my client and "hanging" for a little while until they receive a reply
>> from client port 113.
>>
>> Am I (totally) wrong ?
>
>
> That is true -- but your Shorewall system should be sending an RST in
> response to the SYN (port 113) from the remote system -- is it not doing
> so?
>

Can't really understand how I would see that since my laptop is connected to my ADSL router and have no other machines to sniff traffic :(

Bob
On Thu, 2004-12-16 at 17:57 +0100, Bob Alexander wrote:
>
> Can't really understand how I would see that since my laptop is
> connected to my ADSL router and have no other machines to sniff traffic :(
>

You can see it from the Shorewall box:

    tcpdump -ni eth0 port 113

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> You can see it from the Shorewall box:
>
>     tcpdump -ni eth0 port 113

Interesting. I thought the firewalled packets were never handled by the libpcap interface.

FWIW neither tcpdump nor ethereal seem to trace ANY TCP/113 activity at all while I am doing HTTP, FTP, IMAP, NNTP ...

Take care. Going to dinner now.
Bob
On Thu, 2004-12-16 at 18:54 +0100, Bob Alexander wrote:
> Tom Eastep wrote:
> > You can see it from the Shorewall box:
> >
> >     tcpdump -ni eth0 port 113
>
> Interesting. I thought the firewalled packets were never handled by the
> libpcap interface.

You were misinformed.

>
> FWIW neither tcpdump nor ethereal seem to trace ANY TCP/113 activity at all
> while I am doing HTTP, FTP, IMAP, NNTP ...

On my firewall:

    gateway:/etc/postfix# tcpdump -ni eth1 port 113
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    10:05:55.991460 IP 147.228.57.10.34496 > 206.124.146.177.113: S 2139597947:2139597947(0) win 5840 <mss 1460,sackOK,timestamp 53936553 0,nop,wscale 0>
    10:05:55.994653 IP 206.124.146.177.113 > 147.228.57.10.34496: R 0:0(0) ack 2139597948 win 0
    10:06:01.679378 IP 196.25.198.3.38670 > 206.124.146.177.113: S 1533841755:1533841755(0) win 5840 <mss 1460,sackOK,timestamp 80805711 0,nop,wscale 0>
    10:06:01.679725 IP 206.124.146.177.113 > 196.25.198.3.38670: R 0:0(0) ack 1533841756 win 0

Note the RST's being sent in response to the SYNs...

    gateway:/etc/postfix# shorewall show RejectAuth
    Shorewall-2.2.0-Beta8 Chain RejectAuth at gateway - Thu Dec 16 10:05:28 PST 2004

    Counters reset Wed Dec 15 18:57:45 PST 2004

    Chain RejectAuth (2 references)
     pkts bytes target     prot opt in     out     source               destination
     1656 96080 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
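What Tom is checking by eye in the capture above (every SYN to port 113 is answered by an RST within milliseconds) can be checked mechanically, which matters because the failure mode Bob describes is the opposite case: a SYN that gets no answer at all, leaving the remote MTA or IRC server to wait out its IDENT timeout. The script below is an added example for this thread, not part of Tom's or Shorewall's tooling. It parses `tcpdump -n` text output, pairs each inbound SYN to the IDENT port with the RST sent back from that port, and reports the reset delay per client, or None where no RST was seen. The sample input reuses the four packet lines from Tom's capture plus one constructed unanswered SYN from the documentation address 203.0.113.7; the regex also accepts the newer `Flags [S]` tcpdump syntax so the same check works on a current system, which goes beyond the 2004-era output shown in the thread.

```python
"""Pair IDENT (tcp/113) SYNs with the RSTs that answer them in tcpdump output.

Added example for this thread, not Tom's or Shorewall's code.  Reads the text
form of `tcpdump -n ... port 113` and reports, per remote client, how long the
firewall took to send an RST, or None when no RST was seen (the case that
makes the remote server hang until its IDENT timeout expires).
"""
import re
from collections import OrderedDict, namedtuple

# Four lines are copied from the capture quoted in the thread; the final SYN
# from 203.0.113.7 is constructed so that an unanswered case is exercised.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:05:55.991460 IP 147.228.57.10.34496 > 206.124.146.177.113: S 2139597947:2139597947(0) win 5840 <mss 1460,sackOK,timestamp 53936553 0,nop,wscale 0>
10:05:55.994653 IP 206.124.146.177.113 > 147.228.57.10.34496: R 0:0(0) ack 2139597948 win 0
10:06:01.679378 IP 196.25.198.3.38670 > 206.124.146.177.113: S 1533841755:1533841755(0) win 5840 <mss 1460,sackOK,timestamp 80805711 0,nop,wscale 0>
10:06:01.679725 IP 206.124.146.177.113 > 196.25.198.3.38670: R 0:0(0) ack 1533841756 win 0
10:06:30.000000 IP 203.0.113.7.40001 > 206.124.146.177.113: S 1:1(0) win 5840 <mss 1460>
"""

Packet = namedtuple("Packet", "ts_us src sport dst dport flags")

# Old tcpdump prints the flag letters bare ("S", "R"); newer releases print
# "Flags [S]," so both alternatives are accepted.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
    r"(?:Flags \[([^\]]+)\]|(\S+))"
)


def parse_line(line):
    """Parse one tcpdump text line into a Packet, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, new_flags, old_flags = m.groups()
    ts_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    flags = new_flags if new_flags is not None else old_flags
    return Packet(ts_us, src, int(sport), dst, int(dport), flags)


def pair_syn_rst(lines, port=113):
    """Map (client_ip, client_port) -> milliseconds until an RST was sent
    back from `port`, or None if the SYN was never answered with an RST."""
    pending = {}            # (client, cport) -> timestamp of the SYN
    result = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.dport == port and "S" in pkt.flags:          # inbound SYN
            key = (pkt.src, pkt.sport)
            pending[key] = pkt.ts_us
            result[key] = None
        elif pkt.sport == port and "R" in pkt.flags:        # RST from the firewall
            key = (pkt.dst, pkt.dport)
            if key in pending:
                result[key] = (pkt.ts_us - pending.pop(key)) / 1000.0
    return result


def unanswered(result):
    """Clients whose SYN to the IDENT port got no RST: the ones that will hang."""
    return [key for key, ms in result.items() if ms is None]


if __name__ == "__main__":
    res = pair_syn_rst(SAMPLE.splitlines())
    for (ip, cport), ms in res.items():
        print(f"{ip}:{cport}  " + ("no RST seen" if ms is None else f"RST after {ms:.3f} ms"))
    print("unanswered:", unanswered(res))
```

On a live box the same logic applies to `tcpdump -ni eth0 port 113 | python3 ident_check.py`-style piping (the file name is hypothetical); an empty result, as Bob later reports, simply means nobody is probing IDENT, while entries in the unanswered list point at a rule that drops rather than rejects tcp/113 somewhere ahead of RejectAuth.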
Tom Eastep wrote:
> On Thu, 2004-12-16 at 18:54 +0100, Bob Alexander wrote:
>
>> Tom Eastep wrote:
>>
>>> You can see it from the Shorewall box:
>>>
>>>     tcpdump -ni eth0 port 113
>>
>> Interesting. I thought the firewalled packets were never handled by the
>> libpcap interface.
>
>
> You were misinformed.
>
>
>> FWIW neither tcpdump nor ethereal seem to trace ANY TCP/113 activity at all
>> while I am doing HTTP, FTP, IMAP, NNTP ...
>
>
> On my firewall:
>
> gateway:/etc/postfix# tcpdump -ni eth1 port 113
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:05:55.991460 IP 147.228.57.10.34496 > 206.124.146.177.113: S
> 2139597947:2139597947(0) win 5840 <mss 1460,sackOK,timestamp 53936553
> 0,nop,wscale 0>
> 10:05:55.994653 IP 206.124.146.177.113 > 147.228.57.10.34496: R 0:0(0)
> ack 2139597948 win 0
> 10:06:01.679378 IP 196.25.198.3.38670 > 206.124.146.177.113: S
> 1533841755:1533841755(0) win 5840 <mss 1460,sackOK,timestamp 80805711
> 0,nop,wscale 0>
> 10:06:01.679725 IP 206.124.146.177.113 > 196.25.198.3.38670: R 0:0(0)
> ack 1533841756 win 0
>
> Note the RST's being sent in response to the SYNs...
>
> gateway:/etc/postfix# shorewall show RejectAuth
> Shorewall-2.2.0-Beta8 Chain RejectAuth at gateway - Thu Dec 16 10:05:28
> PST 2004
>
> Counters reset Wed Dec 15 18:57:45 PST 2004
>
> Chain RejectAuth (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
>  1656 96080 reject     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:113
>
> -Tom

Tom,

well first of all I want to publicly express my admiration for your beautiful software, your deep knowledge and above all your great support. Really impressive !! Thank you.

I do not see any tcp/113 activity at home ... mhhhh ... should I worry ? :)

Take care,
Bob

PS For Eduardo: second rainy day in a row. VIVA BRAZIL ! I will never be able to come there since I know that if I do I will never come back :)
On Fri, 2004-12-17 at 08:43 +0100, Bob Alexander wrote:
> well first of all I want to publicly express my admiration for your
> beautiful software, your deep knowledge and above all your great
> support. Really impressive !! Thank you.

You're welcome.

>
> I do not see any tcp/113 activity at home ... mhhhh ... should I worry ? :)
>

I don't see any either if I forward all email from my MTA through my ISP's MTA. I only see the high level of IDENT activity if I deliver mail directly. Since IDENT is a complete waste of bandwidth on today's Internet, I'm happy when I don't see any.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key