Hello everyone.

I'm currently setting up Shorewall on another machine (the fifth in our company, this time a web server). A nice and simple "firewall for one machine" setup, only one interface, eth0.

However, it seems as if Shorewall has thrown me out of my box, despite ADMINISABSENTMINDED=yes. Fortunately I have a 'shorewall clear' timebomb ticking away at the moment (800 seconds feels like a long, long time...), which I'm hoping is going to solve the problem.

Only issue is this isn't the first time I've been locked out of a machine because of Shorewall (again, with adminisabsentminded=yes set), and last time it took a tech plugging a serial console into it to get it moving again.

Can anyone shed some light on why shorewall is being nitpicky about who admins it? :)

configuration instructions/infodump included.

Thanks.

Jan

root@chi01-050-04 [/etc/shorewall]# shorewall start
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling IPSEC...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
Enabling Loopback and DNS Lookups
Setting up Accounting...
Creating Interface Chains...
Setting up Proxy ARP...
Setting up one-to-one NAT...
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up RFC1918 Filtering...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Tunnels...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...

[Putty message here: Network error: Software caused connection abort]

Configuration instructions:

### Shorewall guide, modified to suit standalone Master configuration.

4. Shorewall.

cd /root/installs
wget http://shorewall.infohiiway.com/pub/shorewall/CURRENT_STABLE_VERSION_IS_3.2/shorewall-3.2.5/shorewall-3.2.5.tgz
tar -xvzf shorewall-3.2.5.tgz
cd shorewall-3.2.5
./install.sh

## edit configuration files.
cd /etc/shorewall

nano zones
## paste the following in below 'fw firewall':
net

nano interfaces
net     eth0    detect  routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist,routeback

nano policy
## paste the following in before '#LAST LINE -- DO NOT REMOVE':
# default deny for internet to server connections
net     fw      DROP
fw      net     DROP    info
# boring last rule
all     all     DROP    info

nano rules
### Net zone ###
ACCEPT        net     fw      icmp    8       # accept pings
ACCEPT:info   net     fw      tcp     443     # accept VPN connections
ACCEPT:info   net     fw      tcp     ssh     # for remote administration
ACCEPT        net     fw      tcp     http    # for testfile.bin and speedometer scripts
# ACCEPT      net     fw      udp     53      # allow DNS queries from internet
# commented out for now, due to controversiality
# Cpanel connections to common, cpanel-regulated services, including http/https,smtp,pop3,imap,cpanel,whm,webmail,etc
ACCEPT        net     fw      tcp     20,21,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096
ACCEPT        net     fw      tcp     21,465
### Outgoing Net zone ###
ACCEPT        fw      net     udp     1812,1813         # allow radius packets out
ACCEPT        fw      net     tcp     http,https,ftp    # allow HTTP and HTTPS out (eg, for patching)
ACCEPT        fw      net     udp     53                # allow server to resolve DNS names
# Cpanel outbound connections from common, cpanel-regulated services
ACCEPT        fw      net     tcp     20,21,25,26,37,43,53,80,113,465,873,2089
ACCEPT        fw      net     udp     21,465,53,873

nano accounting
######## Total traffic totalling #########
total_traffic   -               eth0    -       all     -
total_traffic   -               -       eth0    all     -
COUNT           total_traffic   eth0    -
COUNT           total_traffic   -       eth0

nano routestopped
eth0    -

nano shorewall.conf
## find STARTUP_ENABLED=No and change to

## check for errors, typos etc
shorewall check

## run a 'timebomb' in the background in case something goes wrong, and the box goes localhost. write down the pid it gives you!
sleep 800 && shorewall clear &

## meanwhile, apply the rules:
shorewall start

## if it's successful, defuse the timebomb:
kill PID_GOES_HERE

# done!
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net''s Techsay panel and you''ll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Jan Mulders wrote:
> Hello everyone.
>
> I'm currently setting up Shorewall on another machine (the fifth in
> our company, this time a web server). A nice and simple "firewall for
> one machine" setup, only one interface, eth0.

> Setting up Route Filtering...
> WARNING: Cannot set route filtering on eth0
> Setting up Martian Logging...
> WARNING: Cannot set Martian logging on eth0

Those WARNING messages usually indicate that eth0 is down!!! Is something in
your configuration causing eth0 to lose its IPv4 configuration during restart?
(hint -- what does your config look like).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Eth0 doesn't appear to be down... Odd.

root@chi01-050-04 [/etc]# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:30:48:57:B1:4B
          inet addr:208.X.Y.Z  Bcast:208.X.Y.Z  Mask:255.255.255.240
          inet6 addr: fe80::230:48ff:fe57:b14b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:525410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459358 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:113655358 (108.3 MiB)  TX bytes:225164484 (214.7 MiB)
          Interrupt:185

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38888290 (37.0 MiB)  TX bytes:38888290 (37.0 MiB)

My configuration (/etc/shorewall folder) is here: www.beoch.net/shorewall.tar.gz

root@chi01-050-04 [/etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@chi01-050-04 [/etc]#

Let me know if there's any other information I should provide.

Thanks,

Jan

On 14/11/06, Tom Eastep <teastep@shorewall.net> wrote:
> Jan Mulders wrote:
> > Hello everyone.
> >
> > I'm currently setting up Shorewall on another machine (the fifth in
> > our company, this time a web server). A nice and simple "firewall for
> > one machine" setup, only one interface, eth0.
>
> > Setting up Route Filtering...
> > WARNING: Cannot set route filtering on eth0
> > Setting up Martian Logging...
> > WARNING: Cannot set Martian logging on eth0
>
> Those WARNING messages usually indicate that eth0 is down!!! Is something in
> your configuration causing eth0 to lose its IPv4 configuration during restart?
> (hint -- what does your config look like).
>
> -Tom
Jan Mulders wrote:
> Eth0 doesn't appear to be down... Odd.

There is no eth0 -- that's eth1

-Tom

> root@chi01-050-04 [/etc]# ifconfig
> eth1      Link encap:Ethernet  HWaddr 00:30:48:57:B1:4B
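The two things this thread turns on are worth automating: the "Cannot set route filtering on eth0" warning means the interface named in /etc/shorewall/interfaces is down or does not exist on the box (here the only NIC was eth1), and the `sleep 800 && shorewall clear &` timebomb is the only thing standing between a typo and a trip to the serial console. The script below is an added example written for this page; it is not code from the thread or from the Shorewall project. It checks that every interface in an interfaces file is actually present before `shorewall start`, and arms a timebomb that survives the SSH session dying. It assumes a Linux host (interfaces are read from /sys/class/net), the old four-column interfaces file layout shown in Jan's post, and the function names and the constructed sample file are its own. Note that `shorewall clear` removes all rules and leaves the chains at policy ACCEPT, as Jan's `iptables -L` output shows, so the box is wide open until you restart Shorewall; later Shorewall releases ship `shorewall safe-start`, which does the arm-and-disarm for you, so check the man page of the installed version first.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a pre-flight
# check and a safer "timebomb" for applying Shorewall rules over SSH.
#
# "WARNING: Cannot set route filtering on <if>" means the interface named in
# /etc/shorewall/interfaces is down or missing, so the rules go live without
# the ACCEPT for the interface you are logged in on. Check before `start`.

# Interfaces named in an interfaces file (ZONE INTERFACE BROADCAST OPTIONS;
# column 2). Comments, blank lines and ?FORMAT/FORMAT lines are skipped.
list_configured_interfaces() {
    sed -e 's/#.*//' "$1" |
        awk 'NF >= 2 && substr($1,1,1) != "?" && $1 != "FORMAT" { print $2 }' |
        sort -u
}

# Interfaces present on this host. Pass a space-separated list as $1 to check
# a config against some other host's interface list (or for testing, below).
list_present_interfaces() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | tr ' ' '\n' | sort -u
    else
        ls /sys/class/net | sort -u          # Linux only (assumption)
    fi
}

# Print every configured interface that is not present; exit status 1 if any.
# Wildcard entries such as "ppp+" cannot be checked this way and are skipped.
# Usage: missing_interfaces INTERFACES_FILE [PRESENT_LIST]
missing_interfaces() {
    present=$(list_present_interfaces "$2")
    rc=0
    for ifc in $(list_configured_interfaces "$1"); do
        case "$ifc" in *+) continue ;; esac
        if ! printf '%s\n' "$present" | grep -qx "$ifc"; then
            echo "$ifc"
            rc=1
        fi
    done
    return $rc
}

# Timebomb: run COMMAND after DELAY seconds unless disarmed first. SIGHUP is
# ignored inside the subshell so that a dropped SSH session (the very thing
# we are guarding against) cannot take the timebomb down with it. Output goes
# to $TIMEBOMB_LOG (default /dev/null); the PID is kept in TIMEBOMB_PID.
# Usage: arm_timebomb DELAY COMMAND [ARGS...]
arm_timebomb() {
    delay=$1; shift
    ( trap '' HUP; sleep "$delay" && "$@" ) >"${TIMEBOMB_LOG:-/dev/null}" 2>&1 &
    TIMEBOMB_PID=$!
}

disarm_timebomb() {
    kill "$TIMEBOMB_PID" 2>/dev/null
}

# --- Demonstration on a constructed interfaces file (same single line as in
# the thread), checked against a host that has eth1 and lo but no eth0. ------
SAMPLE_INTERFACES=$(mktemp "${TMPDIR:-/tmp}/shorewall-ifaces.XXXXXX")
trap 'rm -f "$SAMPLE_INTERFACES"' EXIT
cat >"$SAMPLE_INTERFACES" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist,routeback
EOF

if missing=$(missing_interfaces "$SAMPLE_INTERFACES" "eth1 lo"); then
    echo "all configured interfaces are present"
else
    echo "configured but not present: $missing  (fix the interfaces file before starting)"
fi

# Real use on the box itself (hypothetical session, not run here):
#   missing_interfaces /etc/shorewall/interfaces || exit 1
#   arm_timebomb 300 shorewall clear   # `shorewall clear` leaves all policies ACCEPT
#   shorewall start
#   disarm_timebomb                    # only after confirming you can still log in
```

Run it as-is and it reports `eth0` as configured but absent, which is exactly what Jan's `ifconfig` output would have told him; on the real box drop the sample file and point `missing_interfaces` at /etc/shorewall/interfaces. Keep the timebomb delay short enough that you are not locked out for long, but long enough to log back in and check `shorewall status` after a successful start.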
Nothing is foolproof to a sufficiently talented fool.

Never have truer words been spoken.

*headdesk*

Next time I'll make sure to read my own diagnostics before posting!

Thanks for your help.

Jan

On 14/11/06, Tom Eastep <teastep@shorewall.net> wrote:
> Jan Mulders wrote:
> > Eth0 doesn't appear to be down... Odd.
>
> There is no eth0 -- that's eth1
>
> -Tom
>
> > root@chi01-050-04 [/etc]# ifconfig
> > eth1      Link encap:Ethernet  HWaddr 00:30:48:57:B1:4B
Jan Mulders wrote:
> Nothing is foolproof to a sufficiently talented fool.
>
> Never have truer words been spoken.
>
> *headdesk*
>
> Next time I'll make sure to read my own diagnostics before posting!
>
> Thanks for your help.

You're welcome :-)

-Tom