Hi

I need to stop IGMP packets "type: V2 Membership Query"
source IP = 192.168.32.2
dest IP = 224.0.0.1
from reaching my shorewall.

I do not mind if I block both addresses completely.

I added these lines to /etc/shorewall/blacklist:

192.168.32.2
224.0.0.1

but the packets are still arriving. Why? I restarted Shorewall of course.

-- 
Milos Prudek

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Hi Milos,

Milos Prudek wrote:
> I added these lines to /etc/shorewall/blacklist:
>
> 192.168.32.2
> 224.0.0.1
>
> but the packets are still arriving. Why? I restarted Shorewall of course.

May I ask: how do you see that the packets are still arriving?

(If I'm not mistaken, tools like tcpdump that use libpcap will always see
the packets arriving on the incoming interface, because they capture at an
earlier stage than iptables.)

-- 
- Pieter
Milos Prudek wrote:
> Hi
>
> I need to stop IGMP packets "type: V2 Membership Query"
> source IP = 192.168.32.2
> dest IP = 224.0.0.1
> from reaching my shorewall.
>
> I do not mind if I block both addresses completely.
>
> I added these lines to /etc/shorewall/blacklist:
>
> 192.168.32.2
> 224.0.0.1
>
> but the packets are still arriving. Why? I restarted Shorewall of course.
>

Did you set the 'blacklist' option on the interface that is receiving these
packets?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> May I ask: how do you see that the packets are still arriving?

wireshark (used to be called ethereal) shows these IGMP packets with that
source and dst address.

wireshark uses libpcap, does it not?

And gkrellm displays a load of 20 kB per second.

Do you think they are stopped at the firewall? /var/log/messages shows no
information about stopping any packets...

-- 
Milos Prudek
Milos Prudek wrote:
>> May I ask: how do you see that the packets are still arriving?
>
> wireshark (used to be called ethereal) shows these IGMP packets with that
> source and dst address.
>
> wireshark uses libpcap, does it not?
>
> And gkrellm displays a load of 20 kB per second.
>
> Do you think they are stopped at the firewall? /var/log/messages shows no
> information about stopping any packets...
>

By default, Shorewall does not clutter up your log with broadcast/multicast
packets that it drops.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> Did you set the 'blacklist' option on the interface that is receiving these
> packets?

I did not know that I should. I have set it now. No change, unfortunately.

-- 
Milos Prudek
Milos Prudek wrote:
>> Did you set the 'blacklist' option on the interface that is receiving these
>> packets?
>
> I did not know that I should. I have set it now. No change, unfortunately.
>

What do you mean, "No Change" -- what exactly is the problem? As others have
pointed out, being able to see the packets via libpcap is normal.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> What do you mean, "No Change" -- what exactly is the problem? As others
> have pointed out, being able to see the packets via libpcap is normal.

OK, but if I add an IP address to the blacklist, I should not be able to ping
it, and should not be able to access a http server on such address.

I just added an IP of my webserver to the blacklist, restarted shorewall, and
I can still access the webserver and ping it.

-- 
Milos Prudek
Relevant chains from my config:

[root@localhost ~]# iptables -L eth0_in -v
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  410  162K dynamic    all  --  any    any     anywhere             anywhere             state INVALID,NEW
  410  162K blacklst   all  --  any    any     anywhere             anywhere             state INVALID,NEW policy match dir in pol none
 2253 1334K net2fw     all  --  any    any     anywhere             anywhere             policy match dir in pol none

[root@localhost ~]# iptables -L blacklst -v
Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9   252 DROP       all  --  any    any     192.168.32.2         anywhere
    0     0 DROP       all  --  any    any     ALL-SYSTEMS.MCAST.NET  anywhere

It looks like Shorewall created a correct config. I do not understand why I
can still ping 192.168.32.2?

-- 
Milos Prudek
Milos Prudek wrote:
>> What do you mean, "No Change" -- what exactly is the problem? As others
>> have pointed out, being able to see the packets via libpcap is normal.
>
> OK, but if I add an IP address to the blacklist, I should not be able to ping
> it, and should not be able to access a http server on such address.
>
> I just added an IP of my webserver to the blacklist, restarted shorewall, and
> I can still access the webserver and ping it.

Hold on, the blacklist is for blocking *incoming* connections; from your
description above you seem to be pinging the other way, no?

If you are thinking that one way or the other at least one of the echoes or
the replies should be dropped by the blacklist, I think this isn't the case,
because the incoming replies are seen as 'related' to the outgoing echoes.

-- 
- Pieter
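The following is an added example, not code from Shorewall or from anyone in this thread. It parses constructed copies of the two `iptables -L <chain> -v` listings Milos posted and walks a packet through eth0_in the way netfilter does, so that the behaviour Pieter describes becomes visible: the jump to blacklst carries a `state INVALID,NEW` match, so an echo reply to a ping the firewall itself sent (conntrack state ESTABLISHED) never enters blacklst at all, while a fresh IGMP query from 192.168.32.2 does and is dropped. Assumptions: the `dynamic` chain (Shorewall's dynamic blacklist) is empty and simply returns; net2fw's rules are not in the listing, so the walk reports that the packet reaches it; 10.0.0.5 is a made-up non-blacklisted host; the name ALL-SYSTEMS.MCAST.NET is mapped back to 224.0.0.1.

```python
"""Added example (not Shorewall code): model the eth0_in -> blacklst chain walk
from the iptables listing in the thread to show which packets the blacklist
can and cannot catch."""
import re
from dataclasses import dataclass, field

# Constructed copies of the `iptables -L <chain> -v` output quoted in the thread.
ETH0_IN_LISTING = """\
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  410  162K dynamic    all  --  any    any     anywhere             anywhere             state INVALID,NEW
  410  162K blacklst   all  --  any    any     anywhere             anywhere             state INVALID,NEW policy match dir in pol none
 2253 1334K net2fw     all  --  any    any     anywhere             anywhere             policy match dir in pol none
"""
BLACKLST_LISTING = """\
Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9   252 DROP       all  --  any    any     192.168.32.2         anywhere
    0     0 DROP       all  --  any    any     ALL-SYSTEMS.MCAST.NET  anywhere
"""

# `iptables -L` without -n resolves addresses; this is the usual name for 224.0.0.1.
RESOLVED_NAMES = {"ALL-SYSTEMS.MCAST.NET": "224.0.0.1"}
TERMINAL = {"DROP", "ACCEPT", "REJECT"}
# Assumption: Shorewall's dynamic blacklist chain is empty here, so packets
# simply return from it.  Any other chain not in the listing (net2fw) is
# reported as the point the packet reaches, because its rules are not shown.
PASS_THROUGH = {"dynamic"}


@dataclass
class Rule:
    pkts: int
    target: str
    source: str                                 # address or "anywhere"
    states: set = field(default_factory=set)    # empty = no conntrack state match


def parse_chain(listing):
    """Parse one `iptables -L CHAIN -v` listing into (chain name, [Rule])."""
    lines = listing.strip().splitlines()
    name = lines[0].split()[1]
    rules = []
    for line in lines[2:]:                      # skip "Chain ..." and header row
        cols = line.split()
        source = RESOLVED_NAMES.get(cols[7], cols[7])
        m = re.search(r"\bstate (\S+)", line)
        states = set(m.group(1).split(",")) if m else set()
        rules.append(Rule(int(cols[0]), cols[2], source, states))
    return name, rules


def walk(chains, chain, src, state):
    """Verdict for a packet with source `src` and conntrack state `state`
    entering `chain`; None means the chain returned without a verdict."""
    for r in chains[chain]:
        if r.source not in ("anywhere", src):
            continue
        if r.states and state not in r.states:
            continue
        if r.target in TERMINAL:
            return r.target
        if r.target in chains:
            verdict = walk(chains, r.target, src, state)
            if verdict is not None:
                return verdict
        elif r.target not in PASS_THROUGH:
            return "reaches " + r.target
    return None


def verdict_for(src, state):
    """Run a packet from `src` with the given conntrack state through eth0_in."""
    chains = dict([parse_chain(ETH0_IN_LISTING), parse_chain(BLACKLST_LISTING)])
    return walk(chains, "eth0_in", src, state)


if __name__ == "__main__":
    # IGMP query from the blacklisted host: a fresh flow, so blacklst drops it.
    print("IGMP query, NEW     :", verdict_for("192.168.32.2", "NEW"))
    # Echo reply to a ping sent from the firewall: ESTABLISHED, bypasses blacklst.
    print("echo reply, ESTABL. :", verdict_for("192.168.32.2", "ESTABLISHED"))
    # Some other host (constructed address) is not in the blacklist at all.
    print("other host, NEW     :", verdict_for("10.0.0.5", "NEW"))
```

The counters in the listing tell the same story: the 9 packets on the 192.168.32.2 entry are the queries being dropped, while the 224.0.0.1 entry sits at 0 because a blacklist entry is matched against the packet's source address and no packet ever carries a multicast group as its source.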
> Hold on, the blacklist is for blocking *incoming* connections; from your
> description above you seem to be pinging the other way, no?
>
> If you are thinking that one way or the other at least one of the echoes
> or the replies should be dropped by the blacklist, I think this isn't

Yes, that was exactly my thinking. I was wrong. Thank you!

OK, I tested it for an IP where I can log in via ssh and you are quite right.
When that external IP is in the blacklist, I can login to that external IP
but my pings back to my machine are dropped.

These dropped packets do not appear in /var/log/messages, though. How can I
make them appear in syslog?

-- 
Milos Prudek
Milos Prudek wrote:
>> If you are thinking that one way or the other at least one of the echoes
>> or the replies should be dropped by the blacklist, I think this isn't
>
> Yes, that was exactly my thinking. I was wrong. Thank you!
>
> OK, I tested it for an IP where I can log in via ssh and you are quite
> right. When that external IP is in the blacklist, I can login to that
> external IP but my pings back to my machine are dropped.
>
> These dropped packets do not appear in /var/log/messages, though. How
> can I make them appear in syslog?

You can, by setting BLACKLIST_LOGLEVEL in shorewall.conf; see the comments in
that file or the documentation. But I agree with Tom's reasoning that you
normally wouldn't want to log too much noise about blacklisted hosts.

-- 
- Pieter
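Once BLACKLIST_LOGLEVEL is set, the drops show up as kernel log lines, and the useful check is whether the counts per source match what you expect before turning the logging off again. The following is an added example, not part of this thread or of Shorewall: it parses constructed syslog lines and tallies blacklist drops per source and protocol. Assumptions: the lines follow Shorewall's default LOGFORMAT, which produces a "Shorewall:<chain>:<disposition>:" prefix, with the chain name blacklst taken from the iptables listing earlier in the thread; 192.0.2.10, 203.0.113.7 and 198.51.100.1 are made-up addresses.

```python
"""Added example (not Shorewall code): count blacklist drops in kernel log
lines of the kind BLACKLIST_LOGLEVEL makes Shorewall emit."""
import re
from collections import Counter

# Shorewall's default LOGFORMAT gives a "Shorewall:<chain>:<disposition>:"
# prefix (assumption); the chain name blacklst matches the iptables listing.
LOG_RE = re.compile(r"kernel: Shorewall:(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)$")
# netfilter logs packet details as KEY=value pairs; OUT= may be empty.
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")

# Constructed sample lines: two blacklisted pings, one unrelated policy drop,
# and one kernel message that is not from Shorewall at all.
SAMPLE_LOG = """\
Feb 12 10:01:02 fw kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Feb 12 10:01:03 fw kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Feb 12 10:01:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 10:01:06 fw kernel: eth0: link is up
"""


def parse_line(line):
    """Return (chain, disposition, fields) for a Shorewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {f.group("key"): f.group("value")
              for f in FIELD_RE.finditer(m.group("rest"))}
    return m.group("chain"), m.group("action"), fields


def blacklist_drops(log_text):
    """Count DROPs made by the blacklst chain, keyed by (source, protocol).
    Drops in other chains (e.g. the net->fw policy) are deliberately ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, action, fields = parsed
        if chain == "blacklst" and action == "DROP":
            counts[(fields.get("SRC"), fields.get("PROTO"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto), n in blacklist_drops(SAMPLE_LOG).items():
        print(f"blacklst dropped {n} {proto} packet(s) from {src}")
```

Running it over the real /var/log/messages is a matter of reading the file instead of SAMPLE_LOG; a source that you expect to be blacklisted but that never appears here while its traffic keeps arriving is the sign that the packets are entering through an interface without the blacklist option, or with a state the blacklst jump does not match.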
> You can, by setting BLACKLIST_LOGLEVEL in shorewall.conf; see the
> comments in that file or the documentation. But I agree with Tom's

Thank you, it works perfectly.

> reasoning that you normally wouldn't want to log too much noise about
> blacklisted hosts.

I agree. This is just temporary logging to make sure it works correctly.

Thank you Bryan, Pieter, and Tom for helping me.

-- 
Milos Prudek