Hi,

I have a standalone web server with shorewall and want to disable the default 'outgoing accept policy' and implement an 'outgoing deny policy'.

I know I need to change this line in the 'policy' file
fw net ACCEPT
to
fw net DROP
but what do I add to the 'rules' file so as not to kill my server services?

Running on it:

www
sftp
mail
sshd

Legal outgoing traffic I can imagine:

dns
ping
ssh
ntp (time synchronization)

So I think I should add to the 'rules' file:

#dns
ACCEPT fw net udp - 53
#ntp
ACCEPT fw net udp - 123
#ssh
ACCEPT fw net tcp - 22
#ping
ACCEPT fw net icmp

Am I right? Did I forget anything? Any ideas?

Thanks,

Petr

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
Hi Petr.

First, I'm no expert and may be wrong about this. I run shorewall but don't remember the specific setup by hand, but:

I understand it like you want these services accessible from the internet? Then the rules you want are normally "net" to "fw", which you may also have?!?

The problem with limiting outgoing connections from i.e. the web service on the fw is that port 80 for http is only used when connecting from the client to the server. The server sends information back out on different ports. Maybe some of the macros etc. can be used? I don't know.

The rules you have listed make it possible for the fw to connect to these services on external servers (in the 'net' zone). This will also only have effect on traffic from the firewall itself, not local machines you may have.

My two cents (or øre, since I'm from Norway)

Kristian.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Petr
Sent: 9 December 2005 09:36
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] default deny policy for outgoing traffic
Hi Petr

As Kristian writes, you are doing the right thing if you want to limit the connections that the server makes to the internet. (Though personally, I would just allow the server to make any outgoing connection -- unless the server is hacked, it is not likely to make "bad" connections to the outside).

Also, you need to specify the connections the server will accept from the web in the same way.

In policy:
net fw DROP

And in rules:
# http:
ACCEPT net fw tcp 80
# sftp and ssh
ACCEPT net fw tcp 22
# pop3-mail
ACCEPT net fw tcp 110
# smtp-mail
ACCEPT net fw tcp 25

Kristian is quite correct in saying that the response from the server will go back out from a random port. But that is not a problem: Shorewall will allow or drop the entire connection based on the port that is used when the connection is first established.

Rune

On 12/9/05, Petr <pesmail@gmail.com> wrote:
Oh, and one more thing:

You write:
> So I think I should add to the 'rules' file:
>
> #dns
> ACCEPT fw net udp - 53
> #ntp
> ACCEPT fw net udp - 123
> #ssh
> ACCEPT fw net tcp - 22
> #ping
> ACCEPT fw net icmp

You will want to remove the dashes (-). Your rules above allow the server to access any DNS servers on the internet and so on, so the ports are destination ports, not source ports.

By the way, DNS uses both UDP and TCP port 53.

Rune

On 12/9/05, Rune Kock <rune.kock@gmail.com> wrote:
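As an added example (not code from the thread or the Shorewall project), this Python model of how the `rules` columns are matched illustrates the two points Rune makes above: the `-` in Petr's lines puts the port in the SOURCE PORT column, so the server's own DNS queries still fall through to the fw->net DROP policy, and only the connection-opening packet is evaluated, so replies from random ports need no rule. The services table, zone policy and sample connections are constructed for the demo; the port matcher also accepts the name lists and open ranges (`1024:`) used in Tom's rules later in the thread.

```python
"""Model of how Shorewall matches a new connection against the `rules` file.
Added example, not code from the thread or the Shorewall project. Columns follow
the real order ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S), which shows
why `ACCEPT fw net udp - 53` puts 53 in SOURCE PORT and so leaves the server's
own DNS queries (ephemeral source, destination 53) to the fw->net DROP policy."""
from collections import namedtuple

SERVICES = {"domain": 53, "ntp": 123, "ssh": 22, "smtp": 25, "www": 80, "pop3": 110}
# '-' in a port column means "any port", as in Shorewall.
Rule = namedtuple("Rule", "action src dst proto dports sports", defaults=("-", "-"))

def parse_rules(text):
    """Parse rule lines, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rules.append(Rule(*fields[:6]))
    return rules

def port_matches(spec, port):
    """Match a port against '-', a name, a list 'a,b' or a range 'lo:hi' / 'lo:'."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        lo_n = int(SERVICES.get(lo, lo))
        hi_n = lo_n if not sep else (int(SERVICES.get(hi, hi)) if hi else 65535)
        if lo_n <= port <= hi_n:
            return True
    return False

def decide(rules, policy, src, dst, proto, dport, sport):
    """First matching rule wins, else the zone pair's policy. Only the packet that
    opens the connection is checked; conntrack admits the replies, so the server
    answering from a random port needs no rule of its own (Rune's point)."""
    for r in rules:
        if ((r.src, r.dst, r.proto) == (src, dst, proto)
                and port_matches(r.dports, dport) and port_matches(r.sports, sport)):
            return r.action
    return policy.get((src, dst), "DROP")

POLICY = {("fw", "net"): "DROP", ("net", "fw"): "DROP"}  # constructed demo data, as are the rules
PETR_RULES = """ACCEPT fw net udp - 53      # the dash lands 53 in SOURCE PORT
ACCEPT fw net udp - 123
ACCEPT fw net tcp - 22
ACCEPT fw net icmp"""
FIXED_RULES = """ACCEPT fw net udp domain,ntp
ACCEPT fw net tcp domain,ssh    # DNS uses TCP 53 as well
ACCEPT fw net icmp
ACCEPT net fw tcp www,ssh,smtp,pop3"""

def outbound_dns(rules_text, proto="udp"):
    """The resolver's query: ephemeral source port 40123 to destination port 53."""
    return decide(parse_rules(rules_text), POLICY, "fw", "net", proto, 53, 40123)
```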
Good to see that I'm not totally wrong all the time. :-)

Does this mean that one can add a policy like

fw net DROP

and a rule like

ACCEPT net fw tcp 80

and the web server on the fw will operate correctly?

/K

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Rune Kock
Sent: 9 December 2005 10:38
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] default deny policy for outgoing traffic
Yes, that is my understanding.

Rune

On 12/9/05, K <shorewall@duggfrisk.net> wrote:
On Friday 09 December 2005 01:45, Rune Kock wrote:

FWIW, here are my current rules for traffic from my server to the internet.

ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG dmz net tcp 1024: 20

YMMV,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Thanks to all, I've applied the new rules modified with your recommendations and it's working great.

Petr