We are running Shorewall 2.2.0 on a Mandrake 9.2 firewall which has worked well for a few years. Recently, after a severe power outage followed by backup genset failure, we had some difficulty getting the interfaces to establish link with our ISP's fiber transceiver. After a few ifdowns/ifups and power cycling of the transceiver, things started working. At this point, we were still on auxiliary power, and had only a few servers running.

Shortly afterward, the on-access virus scanner on an NT4 server detected a virus known to spread using a DCOM vulnerability (possibly one which can't be patched in NT4 without disabling DCOM.)

Anyway, to shorten an already too-long story... we now suspect that the firewall somehow managed to let traffic through to these servers, two of which happen to be on public IPs, but do not normally have any ports open to the internet. We came to this suspicion after isolating our core network by shutting down all ports leading out of the core on our Cisco Cat6000. There was no power on campus outside our building, but we wanted to keep things isolated should the power be restored. Because of multiple equipment problems during this incident, we were unable to verify, log, or trace the possibility of packets getting through the firewall that shouldn't have.

I realize that I should be upgrading to Shorewall 3.x asap, and plan to do so very soon. What I hoped to find out is this:

1. Is the suspicion we have about the firewall not filtering correctly after an ifdown/ifup a possibility?

2. What is the correct way to deal with this issue. ie: having to manually take down & bring up an interface? What other measures should be taken?

Thanks, and sorry if I haven't provided appropriate details. Feel free to say RTFM, but I have searched docs and the FAQ and couldn't find the answers...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Shawn Wright wrote:

> I realize that I should be upgrading to Shorewall 3.x asap, and plan to do so very
> soon. What I hoped to find out is this:
>
> 1. Is the suspicion we have about the firewall not filtering correctly after an
> ifdown/ifup a possibility?

Very unlikely. It is my experience that ifdown/ifup produces the opposite effect (firewall won't pass traffic that it should).

> 2. What is the correct way to deal with this issue. ie: having to manually take
> down & bring up an interface? What other measures should be taken?

I typically restart Shorewall after I down/up an interface.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
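The two questions above (whether a bounced interface can leave the firewall open, and what to do after a manual ifdown/ifup) come down to the same operational habit Tom describes: restart Shorewall after the interface comes back, and then confirm the ruleset is actually restrictive rather than assuming it. The script below is an added example written for this thread, not Shorewall's own code or anything posted by either participant. It assumes an iptables-based Shorewall host, that `shorewall restart` regenerates the ruleset, and that the distribution's network scripts call /sbin/ifup-local with the interface name as the first argument (a Red Hat-style hook that Mandrake releases of that era inherited; verify the path on your release). The two sample rule listings are constructed for the self-test and are not taken from any real host.

```shell
#!/bin/sh
# Added example for the Shorewall ifdown/ifup discussion; not project code.
# Purpose: after an interface is brought up, restart Shorewall and verify that
# netfilter is really filtering again, logging loudly if it is not.

# check_policies: read "iptables -S" style output on stdin and succeed only if
# the INPUT and FORWARD built-in chains default to DROP. Shorewall sets these
# policies when it starts; a box left at ACCEPT after a bounce fails here.
check_policies() {
    awk '
        /^-P INPUT DROP$/   { input = 1 }
        /^-P FORWARD DROP$/ { forward = 1 }
        END { exit (input && forward) ? 0 : 1 }
    '
}

# iface_has_rules: succeed if at least one rule on stdin references the
# interface named in $1 (as -i IFACE or -o IFACE). Shorewall's generated rules
# always name the interfaces it manages, so no match means its ruleset is not
# loaded for that interface.
iface_has_rules() {
    grep -Eq -- "(-i|-o) $1( |$)"
}

# verify_firewall: run the two checks against the live ruleset. Returns 0 when
# both pass, 1 when the ruleset is present but permissive or incomplete, and 2
# when iptables itself cannot be queried.
verify_firewall() {
    iface=$1
    rules=$(iptables -S 2>/dev/null) || { echo "iptables -S failed" >&2; return 2; }
    printf '%s\n' "$rules" | check_policies || { echo "default policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | iface_has_rules "$iface" || { echo "no rules reference $iface" >&2; return 1; }
    return 0
}

# ifup_hook: the body to call from /sbin/ifup-local (assumed hook path) as
# "ifup_hook $1". Restart Shorewall, then verify; record the outcome in syslog
# so a failed restart after an outage is visible rather than silent.
ifup_hook() {
    iface=$1
    if ! shorewall restart >/dev/null 2>&1; then
        logger -p daemon.err "shorewall restart failed after ifup of $iface"
    fi
    if verify_firewall "$iface"; then
        logger -p daemon.info "firewall verified after ifup of $iface"
    else
        logger -p daemon.crit "firewall NOT filtering after ifup of $iface; investigate"
    fi
}

# Constructed sample listings (not from a real host) used to exercise the
# checks without touching the live firewall.
SAMPLE_GOOD='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j net2fw
-A FORWARD -i eth0 -o eth1 -j net2loc'

SAMPLE_BAD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Only act as a hook when invoked with an interface name.
if [ -n "${1:-}" ]; then
    ifup_hook "$1"
fi
```

Install the hook body where your network scripts call it, or simply run `shorewall restart` followed by `verify_firewall eth0` by hand after any manual ifdown/ifup. The verification step is the part the thread's incident lacked: it turns "we suspect the firewall let traffic through" into a logged yes or no at the moment the interface came back.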
On 5 Dec 2006 at 17:40, Tom Eastep wrote:

> Shawn Wright wrote:
>
> > I realize that I should be upgrading to Shorewall 3.x asap, and plan to do so very
> > soon. What I hoped to find out is this:
> >
> > 1. Is the suspicion we have about the firewall not filtering correctly after an
> > ifdown/ifup a possibility?
>
> Very unlikely. It is my experience that ifdown/ifup produces the
> opposite effect (firewall won't pass traffic that it should).

Thanks, this is good to know. I believe we have seen cases where no traffic passes, but can't be sure. This machine (Dell PE650 with Intel E1000 dual port) seems to have trouble establishing link reliably after an outage.

> > 2. What is the correct way to deal with this issue. ie: having to manually take
> > down & bring up an interface? What other measures should be taken?
>
> I typically restart Shorewall after I down/up an interface.

This is also good to know. I will try to upgrade to 3.x over the holidays.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca