Costantino
2005-Sep-12 18:51 UTC
DNAT makes both ports (redirectee + redirected) accessible
I have a standalone machine installed on a LAN that I do not control. To protect it I've installed Shorewall. I access that machine via SSH over the Internet. To prevent brute force attacks, I use a port different from the default one with the rule

    DNAT net fw:192.168.2.21:22 tcp 4412

where 192.168.2.21 is the internal address of the only interface available on the machine.

While with Shorewall 2.2.1 the above rule allows access only to port 4412, with Shorewall 2.4.3 both port 22 and 4412 are accessible. Is that the intended behaviour with that version? If the answer is YES, how can I stop port 22 from being accessible?

I have attached a file with the <shorewall status> output.

Thanks for the help,
Costantino
Tom Eastep
2005-Sep-12 18:58 UTC
Re: DNAT makes both ports (redirectee + redirected) accessible
Costantino wrote:
> While with Shorewall 2.2.1 the above rule allows access only to
> port 4412, with Shorewall 2.4.3 both port 22 and 4412 are accessible.
> Is that the intended behaviour with that version?

No -- what does "shorewall show capabilities" output look like?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Costantino
2005-Sep-12 19:47 UTC
RE: DNAT makes both ports (redirectee + redirected) accessible
# shorewall show capabilities
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Available
   Connmark Match: Available
Tom Eastep
2005-Sep-12 19:58 UTC
Re: DNAT makes both ports (redirectee + redirected) accessible
Costantino wrote:
> Costantino wrote:
>> While with Shorewall 2.2.1 the above rule allows access only to
>> port 4412, with Shorewall 2.4.3 both port 22 and 4412 are accessible.
>> Is that the intended behaviour with that version?
>
> No -- what does "shorewall show capabilities" output look like?

Sorry -- I was thinking about IP mapping, not port mapping.

If your system only has a single interface, there is no way using standard Shorewall configuration features (in any Shorewall version) to block access to 192.168.2.21:22 if you have the rule that you quote in your original post. That technique will only work on a two-interface system as described in the answer to FAQ 1e.

-Tom
Costantino
2005-Sep-12 20:45 UTC
RE: DNAT makes both ports (redirectee + redirected) accessible
I have enabled a second interface [eth1 = local]; nevertheless I'm still able to connect using port 22.

The new <shorewall status> is attached.

Costantino
Tom Eastep
2005-Sep-12 20:54 UTC
Re: DNAT makes both ports (redirectee + redirected) accessible
Costantino wrote:
> I have enabled a second interface [eth1 = local], nevertheless
> I'm still able to connect using port 22.
>
> The new <shorewall status> is attached.

Please send a trace of "shorewall restart"

Thanks,
-Tom
Tom Eastep
2005-Sep-12 20:59 UTC
Re: DNAT makes both ports (redirectee + redirected) accessible
Costantino wrote:
> I have enabled a second interface [eth1 = local], nevertheless
> I'm still able to connect using port 22.
>
> The new <shorewall status> is attached.

Please disregard my last post.

Your rule must be:

    DNAT net fw:192.168.9.21:22 tcp 4412 - 192.168.2.21

and your ssh server must be listening on 192.168.9.21:22 and not on 192.168.2.21.

-Tom
Costantino
2005-Sep-12 21:22 UTC
RE: DNAT makes both ports (redirectee + redirected) accessible
Tom,

It works.

Thanks,
Costantino
Tom Eastep
2005-Sep-12 22:18 UTC
Re: DNAT makes both ports (redirectee + redirected) accessible
Costantino wrote:
> Tom,
>
> It works.

I've been thinking about this a bit more and I suspect that you could do this without a second interface by having sshd listen on 127.0.0.1 and use this rule:

    DNAT net fw:127.0.0.1:22 tcp 4412 - 192.168.2.21

-Tom
Costantino
2005-Sep-14 08:38 UTC
RE: DNAT makes both ports (redirectee + redirected) accessible
It would be nice if it did, but it doesn't. Shorewall does not seem to log any entry, although the connection fails with a TIME OUT message.

Costantino
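Editor's added example, not code from the thread or from Shorewall. The security point of the exchange is that a DNAT rule only rewrites packets addressed to the redirected port (4412); a packet sent straight to 192.168.2.21:22 is never touched by it, so as long as sshd is bound to every address on the box, port 22 stays reachable from 'net'. Tom's working fix therefore hides port 22 by moving the listener, not by filtering: sshd binds only to an address 'net' cannot reach (192.168.9.21), and the DNAT becomes the only path in. The 127.0.0.1 variant in his last message fails on the same principle for a different reason: the kernel treats a packet that arrives on a non-loopback interface with a loopback destination as a martian and drops it silently (newer kernels expose net.ipv4.conf.<if>.route_localnet to permit this), which is consistent with the timeout and the absence of Shorewall log entries. The script below checks the underlying cause, which address sshd is bound to, and prints a hand-written iptables approximation of the DNAT rule. Assumptions not in the original posts: listener state comes from `ss -ltn` (a tool newer than this 2005 thread; netstat's columns differ), the outside interface is eth0, and the two `ss` samples are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): why
# "DNAT net fw:192.168.2.21:22 tcp 4412" leaves port 22 open, plus a check
# for the root cause, the address sshd is bound to.
# Assumption: listener state is read from `ss -ltn`; both samples below are
# constructed so that the script runs offline.

# Constructed `ss -ltn` output for the original setup: sshd on the wildcard
# address, so 192.168.2.21:22 answers directly from 'net', DNAT or not.
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Constructed output for the working fix from the thread: sshd bound only to
# the second interface address 192.168.9.21, reachable from 'net' only via DNAT.
SS_FIXED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.168.9.21:22    0.0.0.0:*'

# listeners "<ss -ltn output>" <port>
# Prints the local address of every LISTEN socket bound to <port>.
listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # last ":"-separated field is the port
            if (a[n] == port) {
                sub(":" port "$", "", $4)  # strip ":<port>", keep the address
                print $4
            }
        }'
}

# directly_reachable "<ss -ltn output>" <port> <public-ip>
# Exit 0 when <port> is bound to a wildcard address or to <public-ip> itself:
# a client can then ignore the redirected port and connect straight to
# <public-ip>:<port>, which is exactly the symptom reported in the thread.
directly_reachable() {
    ip_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    listeners "$1" "$2" | grep -Eq "^(0\.0\.0\.0|\[::\]|\*|$ip_re)\$"
}

# dnat_equivalent <public-ip> <public-port> <target-ip> <target-port>
# Hand-written iptables approximation (for illustration, not Shorewall's
# generated chains) of
#   DNAT net fw:<target-ip>:<target-port> tcp <public-port> - <public-ip>
# Only packets with --dport <public-port> are rewritten; a packet addressed to
# <public-ip>:<target-port> never matches and goes straight to the listener.
dnat_equivalent() {
    printf 'iptables -t nat -A PREROUTING -i eth0 -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3" "$4"
    printf 'iptables -A INPUT -i eth0 -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' "$3" "$4"
}

# Usage on a real host: replace the samples with "$(ss -ltn)".
dnat_equivalent 192.168.2.21 4412 192.168.9.21 22
if directly_reachable "$SS_WILDCARD" 22 192.168.2.21; then
    echo "sshd bound to a wildcard address: port 22 reachable from net; DNAT alone will not hide it"
fi
if ! directly_reachable "$SS_FIXED" 22 192.168.2.21; then
    echo "sshd bound only to 192.168.9.21: from net only the redirected port 4412 reaches it"
fi
```

Run it on the box with the samples replaced by live `ss -ltn` output; a listener on 0.0.0.0, [::] or the public address is the condition to fix (ListenAddress in sshd_config), and no amount of rule-file tuning on a single-interface host changes it, as Tom notes above.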