In looking at the resulting iptables rules (-L -nv) generated by shorewall 3.2.3 I am noticing that the eth0_mac (for an eth0 interface with the maclist option) chain is traversed before the Drop chain, resulting in logging what would normally be dropped (unlogged) traffic from non-maclisted clients, i.e. broadcast noise, like SMB.

It seems to me that the Drop (i.e. SMB noise) should happen before the maclist test as the permission of that mac is quite irrelevant to the fact that we want noise suppressed from the logs.

I do want normal traffic from non-maclisted clients logged however, as I can then determine when people are dropping new hosts on the network.

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Brian J. Murrell wrote:
> In looking at the resulting iptables rules (-L -nv) generated by
> shorewall 3.2.3 I am noticing that the eth0_mac (for an eth0 interface
> with the maclist option) chain is traversed before the Drop chain,
> resulting in logging what would normally be dropped (unlogged) traffic
> from non-maclisted clients. i.e. broadcast noise, like SMB.
>
> It seems to me that the Drop (i.e. SMB noise) should happen before the
> maclist test as the permission of that mac is quite irrelevant to the
> fact that we want noise suppressed from the logs.
>
> I do want normal traffic from non-maclisted clients logged however as I
> can then determine when people are dropping new hosts on the network.

The 'Drop' chain is generated by the Drop action which gets called because it is the default action for DROP policies (http://www.shorewall.net/Actions.html#id2500209). In other words, it gets called just before a DROP policy is enforced. So waiting until then to do MAC filtration wouldn't work because traffic from banned MAC addresses might have already been allowed by ACCEPT, DNAT, or REDIRECT rules.

Also, when MACLIST_TABLE=mangle in shorewall.conf, MAC filtration takes place out of the Netfilter mangle table and rules in that table currently cannot invoke Drop (or any other action).

I'll consider this an enhancement request to allow log filtration of messages generated by maclist and try to get something into 3.3.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote:
>
> The 'Drop' chain is generated by the Drop action which gets called because it is
> the default action for DROP policies
> (http://www.shorewall.net/Actions.html#id2500209).

Indeed.

> In other words, it gets
> called just before a DROP policy is enforced.

Right.

> So waiting until then to do MAC
> filtration wouldn't work because traffic from banned MAC addresses might have
> already been allowed by ACCEPT, DNAT, or REDIRECT rules.

Agreed.

INPUT->eth0_in->eth0_mac

> I'll consider this an enhancement request to allow log filtration of messages
> generated by maclist and try to get something into 3.3.

How about jumping to the Drop table right before the

    LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'

rule in the eth0_mac table (of course eth0 is just one interface. The same would be done for all interfaces with maclist on them)?

Hrm. But that would not cause a RETURN back from Drop to eth0_mac for anything that did not match the Drop table so that it could be logged by eth0_mac, yes? Or would it? It seems there are lots of "LOG" rules right after a Drop target.

Actually I just did:

    # iptables -I eth0_mac 7 -j Drop

and it seems to have the desired effect. Too bad the 7 is dependent on how many macs are in maclist for that interface and you can't reference line numbers relative from the end (afaik) or I would just add the above to the start file (until 3.3 provides a solution). I guess I could grep maclist and count to derive the line number in eth0_mac.

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote:
>> The 'Drop' chain is generated by the Drop action which gets called because it is
>> the default action for DROP policies
>> (http://www.shorewall.net/Actions.html#id2500209).
>
> Indeed.
>
>> In other words, it gets
>> called just before a DROP policy is enforced.
>
> Right.
>
>> So waiting until then to do MAC
>> filtration wouldn't work because traffic from banned MAC addresses might have
>> already been allowed by ACCEPT, DNAT, or REDIRECT rules.
>
> Agreed.
>
> INPUT->eth0_in->eth0_mac
>
>> I'll consider this an enhancement request to allow log filtration of messages
>> generated by maclist and try to get something into 3.3.
>
> How about jumping to the Drop table right before the
>
> LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'

A) There is no guarantee that there will even be a Drop chain.
B) There is NEVER a Drop chain in the mangle table.

So until I release a solution, you will have to use the start file.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
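An added example, not code from the thread or from Shorewall: a small POSIX shell helper that automates Brian's `iptables -I eth0_mac N -j Drop` workaround by reading the rule number of the maclist LOG rule from `iptables -L eth0_mac -n --line-numbers` output instead of counting maclist entries, and that refuses to emit the command when no Drop chain exists (Tom's points A and B above). The two listings are constructed sample output shaped like the rules quoted in the thread; the chain names and log prefix are the thread's own.

```shell
#!/bin/sh
# Added example (not Shorewall code). Derives the insertion point for a
# "-j Drop" rule from a chain listing rather than from the maclist entry
# count, and checks that a Drop chain actually exists before doing so.

# Constructed sample of `iptables -L eth0_mac -n --line-numbers` output
# for an interface with three maclist entries (not real firewall output).
SAMPLE_MAC_CHAIN=$(cat <<'EOF'
Chain eth0_mac (1 references)
num   target     prot opt source               destination
1     RETURN     all  --  0.0.0.0/0            0.0.0.0/0           MAC 00:11:22:33:44:55
2     RETURN     all  --  0.0.0.0/0            0.0.0.0/0           MAC 00:11:22:33:44:66
3     RETURN     all  --  0.0.0.0/0            0.0.0.0/0           MAC 00:11:22:33:44:77
4     LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'
5     reject     all  --  0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed sample chain headers from `iptables -L -n`, with and without
# a Drop chain (absent when no DROP policy generated it, and never present
# in the mangle table, which is where MACLIST_TABLE=mangle puts maclist).
SAMPLE_CHAINS_WITH_DROP='Chain INPUT (policy DROP)
Chain Drop (1 references)
Chain eth0_in (1 references)
Chain eth0_mac (1 references)'
SAMPLE_CHAINS_NO_DROP='Chain INPUT (policy DROP)
Chain eth0_in (1 references)
Chain eth0_mac (1 references)'

# Print the rule number of the first LOG rule in a chain listing; prints
# nothing when the chain has no LOG rule.
log_rule_num() {
    printf '%s\n' "$1" | awk '$2 == "LOG" { print $1; exit }'
}

# Succeed if the listing in $2 contains a chain named $1.
has_chain() {
    printf '%s\n' "$2" | grep -q "^Chain $1 "
}

# Print the iptables command that jumps to Drop just before the LOG rule of
# chain $1, given that chain's listing ($2) and the table's chain list ($3).
# Fails with no output when there is no Drop chain or no LOG rule, so the
# caller never inserts a jump to a chain that does not exist.
drop_before_log_cmd() {
    chain=$1
    has_chain Drop "$3" || {
        echo "$chain: no Drop chain in this table; nothing to jump to" >&2
        return 1
    }
    n=$(log_rule_num "$2")
    [ -n "$n" ] || {
        echo "$chain: no LOG rule found" >&2
        return 1
    }
    printf 'iptables -I %s %s -j Drop\n' "$chain" "$n"
}

# Stand-alone run on the constructed samples: prints the command to apply
# (or why it cannot be applied) without touching the live firewall.
drop_before_log_cmd eth0_mac "$SAMPLE_MAC_CHAIN" "$SAMPLE_CHAINS_WITH_DROP"
drop_before_log_cmd eth0_mac "$SAMPLE_MAC_CHAIN" "$SAMPLE_CHAINS_NO_DROP" || echo "(skipped)"
```

On a live box the listings would come from `iptables -L eth0_mac -n --line-numbers` and `iptables -L -n`, and the printed command would be placed in the start file as Brian describes.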
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote:
>>> The 'Drop' chain is generated by the Drop action which gets called because it is
>>> the default action for DROP policies
>>> (http://www.shorewall.net/Actions.html#id2500209).
>> Indeed.
>>
>>> In other words, it gets
>>> called just before a DROP policy is enforced.
>> Right.
>>
>>> So waiting until then to do MAC
>>> filtration wouldn't work because traffic from banned MAC addresses might have
>>> already been allowed by ACCEPT, DNAT, or REDIRECT rules.
>> Agreed.
>>
>> INPUT->eth0_in->eth0_mac
>>
>>> I'll consider this an enhancement request to allow log filtration of messages
>>> generated by maclist and try to get something into 3.3.
>> How about jumping to the Drop table right before the
>>
>> LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'
>
> A) There is no guarantee that there will even be a Drop chain.
> B) There is NEVER a Drop chain in the mangle table.
>
> So until I release a solution, you will have to use the start file.

I assume that you are seeing a log of messages in your log -- hence your request. Is the traffic mostly broadcasts? Or is there unicast traffic as well? I'm wondering if I just suppressed logging of broadcast/multicast if that would be enough.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote:
>>>> The 'Drop' chain is generated by the Drop action which gets called because it is
>>>> the default action for DROP policies
>>>> (http://www.shorewall.net/Actions.html#id2500209).
>>> Indeed.
>>>
>>>> In other words, it gets
>>>> called just before a DROP policy is enforced.
>>> Right.
>>>
>>>> So waiting until then to do MAC
>>>> filtration wouldn't work because traffic from banned MAC addresses might have
>>>> already been allowed by ACCEPT, DNAT, or REDIRECT rules.
>>> Agreed.
>>>
>>> INPUT->eth0_in->eth0_mac
>>>
>>>> I'll consider this an enhancement request to allow log filtration of messages
>>>> generated by maclist and try to get something into 3.3.
>>> How about jumping to the Drop table right before the
>>>
>>> LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'
>> A) There is no guarantee that there will even be a Drop chain.
>> B) There is NEVER a Drop chain in the mangle table.
>>
>> So until I release a solution, you will have to use the start file.
>
> I assume that you are seeing a log of messages in your log --

Should have been "... a *lot* of messages ..."

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2006-12-10 at 13:38 -0700, Tom Eastep wrote:
> I assume that you are seeing a log of messages in your log -- hence your
> request.

Indeed. Windows boxes doing the SMB discovery thing.

> Is the traffic mostly broadcasts?

Yeah.

> Or is there unicast traffic as well?

Hrm. There would be for the misguided user, but I probably want to log that.

> I'm wondering if I just suppressed logging of broadcast/multicast if that would
> be enough.

I wonder if that's "the right thing" to do though. I'd think letting people define what traffic they don't want to log using the existing macros even if they want, would not be better.

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2006-12-10 at 13:38 -0700, Tom Eastep wrote:
>> I assume that you are seeing a log of messages in your log -- hence your
>> request.
>
> Indeed. Windows boxes doing the SMB discovery thing.
>
>> Is the traffic mostly broadcasts?
>
> Yeah.
>
>> Or is there unicast traffic as well?
>
> Hrm. There would be for the misguided user, but I probably want to log
> that.
>
>> I'm wondering if I just suppressed logging of broadcast/multicast if that would
>> be enough.
>
> I wonder if that's "the right thing" to do though. I'd think letting
> people define what traffic they don't want to log using the existing
> macros even if they want, would not be better.

I'll await your patch then that allows using macros and actions in the Netfilter mangle table. You keep ignoring the fact that MAC filtration can occur in that table too.

And remember that REJECT isn't even allowed in the mangle table so the existing Drop action (which rejects Auth) can't be directly used there even if Shorewall supported mangle actions.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2006-12-10 at 13:59 -0700, Tom Eastep wrote:
>
> > I wonder if that's "the right thing" to do though. I'd think letting
> > people define what traffic they don't want to log using the existing
> > macros even if they want, would not be better.
>
> I'll await your patch then that allows using macros and actions in the Netfilter
> mangle table. You keep ignoring the fact that MAC filtration can occur in that
> table too.

Probably because that's not my particular itch. :-) I'm not trying to be difficult though, just trying to offer POV. Perhaps more functionality can be offered to those willing to do the MAC authentication in the filter table? I think there are other such tradeoffs in shorewall, aren't there?

> And remember that REJECT isn't even allowed in the mangle table so the existing
> Drop action (which rejects Auth) can't be directly used there even if Shorewall
> supported mangle actions.

I've not really done much with the mangle table directly with iptables, so I can only plead ignorance and defer to you on that.

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2006-12-10 at 13:59 -0700, Tom Eastep wrote:
>>
>>> I wonder if that's "the right thing" to do though. I'd think letting
>>> people define what traffic they don't want to log using the existing
>>> macros even if they want, would not be better.
>> I'll await your patch then that allows using macros and actions in the Netfilter
>> mangle table. You keep ignoring the fact that MAC filtration can occur in that
>> table too.
>
> Probably because that's not my particular itch. :-) I'm not trying to
> be difficult though, just trying to offer POV. Perhaps more
> functionality can be offered to those willing to do the MAC
> authentication in the filter table?

It's not a question of willingness -- where the output interface is a bridge, maclist filtering in the filter table just *doesn't work*.

> I think there are other such tradeoffs in shorewall isn't there?

I really try not to punish people for decisions where they have no choice (as in this case).

I've added a MACLIST_LOG_BROADCASTS option to shorewall.conf in the 3.3 thread. If I come up with something more elegant, I'll let you know.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> I've added a MACLIST_LOG_BROADCASTS option to shorewall.conf in the 3.3 thread.
> If I come up with something more elegant, I'll let you know.

Here's possibly a better idea. How about if I add a 'maclist' extension script? It would be invoked just before logging. That way, you can place your 'run_iptables -A' command in that script and they will be inserted at the proper place in the chain.

That gives you all the flexibility you need -- you can even make your file a one-liner:

    run_iptables -A $CHAIN -j Drop

And I'd be happy to slip that into the next 3.2 release :-)

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2006-12-10 at 15:52 -0700, Tom Eastep wrote:
> How about if I add a 'maclist' extension script? It would be invoked just before
> logging. That way, you can place your 'run_iptables -A' command in that script
> and they will be inserted at the proper place in the chain.

Sounds decent.

> That gives you all
> the flexibility you need -- you can even make your file a one-liner:
>
> run_iptables -A $CHAIN -j Drop

So $CHAIN is defined to be the name of the relevant chain when the script is invoked?

> And I'd be happy to slip that into the next 3.2 release :-)

Nice. :-)

The whole thing seems pretty good to me.

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2006-12-10 at 15:52 -0700, Tom Eastep wrote:
>> How about if I add a 'maclist' extension script? It would be invoked just before
>> logging. That way, you can place your 'run_iptables -A' command in that script
>> and they will be inserted at the proper place in the chain.
>
> Sounds decent.
>
>> That gives you all
>> the flexibility you need -- you can even make your file a one-liner:
>>
>> run_iptables -A $CHAIN -j Drop
>
> So $CHAIN is defined to be the name of the relevant chain when the
> script is invoked?
>
>> And I'd be happy to slip that into the next 3.2 release :-)
>
> Nice. :-)
>
> The whole thing seems pretty good to me.
>

Good. One change -- the user exit will be called maclog rather than maclist (since that file name is already taken).

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote:
> One change -- the user exit will be called maclog rather than maclist (since
> that file name is already taken).

Great. Can you point me at the commit when you make it? Or just point me at your browse_cvs and I can watch for it.

Thanx!

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Fri, 2006-13-10 at 08:57 -0700, Tom Eastep wrote:
>> One change -- the user exit will be called maclog rather than maclist (since
>> that file name is already taken).
>
> Great. Can you point me at the commit when you make it? Or just point
> me at your browse_cvs and I can watch for it.

You can subscribe to the shorewall-coding mailing list and see all commits. Or you can browse SVN (linked from the Shorewall download page).

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key