Hi,

I am a newbie to Shorewall. I have a Debian 3.1 box; recently I installed Shorewall 3.0.4 with ipp2p 0.8.0. I recompiled kernel 2.6.15 and iptables 1.3.4 and everything works fine. I can detect some P2P packets and drop them directly. My problem is that when using Shorewall it cannot detect P2P packets. This is what I added in my /etc/shorewall/rules:

DROP loc net ipp2p

I didn't apply the tcrules as in the manual because I want to totally block P2P packets. With this rule P2P packets can still traverse the firewall. Is there something lacking with my rule, or is the rule I added wrong? Please help.

TIA,

Wesley

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
Hi Wesley,

is your rule in the ESTABLISHED section rather than the NEW section of the rules file? It has to be in the ESTABLISHED section, otherwise it won't work.

And maybe you have to add "ipp2p" in the port column as well. (Port in the case of ipp2p means the P2P protocol rather than a TCP/UDP port; AFAIK ipp2p without this parameter means all implemented P2P protocols, so probably it also works without.)

But better try with the ipp2p "port" entry, because this line simply "works for me (TM)":

REJECT loc net ipp2p ipp2p

To check if it works you can add logging options like:

REJECT:info:P2P loc0 net ipp2p ipp2p

My advice is also to reject packets instead of silently dropping them; this will make P2P clients give up much earlier.

HTH,
Alex

Wesley Jay Deypalan wrote:
> This is what I added in my /etc/shorewall/rules:
>
> DROP loc net ipp2p
>
> I didn't apply the tcrules as in the manual because I want to totally block P2P packets. With this rule P2P packets can still traverse the firewall.
Hi Alex,

I tried your advice:

SECTION ESTABLISHED
REJECT loc net ipp2p ipp2p

but when I do iptables -L I get this:

Chain loc2net (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            state ESTABLISHED ipp2p v0.8.0 --ipp2p
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Only the tcp packets are rejected. I haven't tried the new rule with an actual P2P client running on a workstation, but with iptables -L it looks like it has the same effect as my previous config. Anyway, I will try it with an actual workstation running P2P and see if there are changes.

Wesley
On Thursday 12 January 2006 16:45, Wesley Jay Deypalan wrote:
> Hi Alex,
>
> I tried your advice:
>
> SECTION ESTABLISHED
> REJECT loc net ipp2p ipp2p
>
> but when I do iptables -L I get this:
>
> Chain loc2net (1 references)
> target     prot opt source               destination
> reject     tcp  --  anywhere             anywhere            state ESTABLISHED ipp2p v0.8.0 --ipp2p
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Only the tcp packets are rejected.

In the PROTO column:

a) 'ipp2p' means TCP
b) 'ipp2p:udp' means UDP
c) If you want all P2P, then you must specify 'ipp2p:all'

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
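As an added example (not from the thread or from the Shorewall project), here is a rules fragment that combines Alex's ESTABLISHED-section advice with Tom's 'ipp2p:all' PROTO entry, plus a small check over an "iptables -L loc2net" listing that confirms the generated chain rejects ipp2p matches for both TCP and UDP rather than only TCP, as Wesley's listing showed. The chain listings are constructed samples (the second one omits the LOG rules that REJECT:info would add).

```shell
#!/bin/sh
# Added example, not code from the thread. Rule syntax ('ipp2p', 'ipp2p:udp',
# 'ipp2p:all', SECTION ESTABLISHED) follows the thread; chain listings below
# are constructed samples, not captured from a real firewall.

RULES_FRAGMENT='SECTION ESTABLISHED
REJECT:info:P2P   loc   net   ipp2p:all   ipp2p'

# Shape of Wesley's listing: ipp2p is matched for tcp only.
CHAIN_TCP_ONLY='Chain loc2net (1 references)
target     prot opt source     destination
reject     tcp  --  anywhere   anywhere   state ESTABLISHED ipp2p v0.8.0 --ipp2p
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere   anywhere'

# Constructed listing for the fragment above (LOG rules left out for brevity).
CHAIN_ALL='Chain loc2net (1 references)
target     prot opt source     destination
reject     tcp  --  anywhere   anywhere   state ESTABLISHED ipp2p v0.8.0 --ipp2p
reject     udp  --  anywhere   anywhere   state ESTABLISHED ipp2p v0.8.0 --ipp2p
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere   anywhere'

# ipp2p_rejects_both_protos "<chain listing>"
# Exit 0 when a reject rule carrying an --ipp2p match exists for tcp AND udp;
# otherwise name the missing protocol(s) on stderr and exit 1.
ipp2p_rejects_both_protos() {
    missing=""
    for proto in tcp udp; do
        if ! printf '%s\n' "$1" \
             | grep -Eq "^reject[[:space:]]+${proto}[[:space:]].*--ipp2p"; then
            missing="$missing $proto"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no ipp2p reject rule for:$missing (use ipp2p:all in PROTO)" >&2
        return 1
    fi
    return 0
}

# Stand-alone run. On a live box replace the sample with the output of:
#   iptables -L loc2net -n
echo "Fragment for /etc/shorewall/rules:"
printf '%s\n' "$RULES_FRAGMENT"
ipp2p_rejects_both_protos "$CHAIN_TCP_ONLY" || echo "tcp-only chain: incomplete"
ipp2p_rejects_both_protos "$CHAIN_ALL" && echo "ipp2p:all chain: ok"
```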