Hi all,

I have read and implemented the configuration for Xen dom0 as described in "Xen - Shorewall in Bridged Xen Dom0". I have one question though.

It seems to me that there is no protection for Dom0 in the configuration as described. Shouldn't the lines in /etc/shorewall/policy:

ursa all ACCEPT
net ursa ACCEPT

rather be

ursa all ACCEPT
net ursa REJECT INFO

and then allow ports in via /etc/shorewall/rules? The only port I can see being useful for Dom0 is port 22 for remote maintenance, e.g.

ACCEPT net xen ssh    # where xen is enbr0:vif0.0

At least in my setup for servers I have a minimal Dom0 and just use it to run and control the virtual machines. It needs the most protection, as breaching Dom0 will result in all virtual machines being vulnerable.

Am I missing something?

Regards
Mark

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Mark Clarke wrote:
> Hi all,
>
> I have read and implemented the configuration for Xen dom0 as described
> in "Xen - Shorewall in Bridged Xen Dom0". I have one question though.
>
> It seems to me that there is no protection for Dom0 in the configuration
> as described. Shouldn't the lines in /etc/shorewall/policy:
>
> ursa all ACCEPT
> net ursa ACCEPT
>
> rather be
>
> ursa all ACCEPT
> net ursa REJECT INFO
>
> and then allow ports in via /etc/shorewall/rules? The only port I can
> see being useful for Dom0 is port 22 for remote maintenance, e.g.
>
> ACCEPT net xen ssh    # where xen is enbr0:vif0.0
>
> At least in my setup for servers I have a minimal Dom0 and just use it
> to run and control the virtual machines. It needs the most protection, as
> breaching Dom0 will result in all virtual machines being vulnerable.
>
> Am I missing something?

Yes. And your confusion only serves to underscore how difficult it is to understand and firewall a bridged Dom0.

The ursa zone is an artifact of how Shorewall defines zones and is basically empty. 'ursa' is a superset of the $FW zone, but the complement of the $FW zone in ursa never has any processes running in it and it never has any IPv4 addresses. So protecting the ursa zone gives you nothing that isn't already provided by protecting the $FW zone.

And your statement that Dom0 needs the most protection is also suspect. From a firewall point of view, the DomUs are *outside of Dom0*. So they are perfectly accessible without going through Dom0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>> Am I missing something?
>
> Yes. And your confusion only serves to underscore how difficult it is to
> understand and firewall a bridged Dom0.
>
> The ursa zone is an artifact of how Shorewall defines zones and is basically
> empty. 'ursa' is a superset of the $FW zone but the complement of the
> $FW zone in ursa never has any processes running in it and it never has any
> IPv4 addresses. So protecting the ursa zone gives you nothing that isn't
> already provided by protecting the $FW zone.

Hi Tom,

Thanks for the info. Xen networking is very arcane for me :(. I will need some time to adjust the model I have in my head to account for your information ... hopefully it doesn't take too long.

I am still a bit confused about the protection offered though. If there is no real firewall traffic going through the ursa zone, then shouldn't the lines in policy disallow access from all, and the net zone in particular, to the firewall?

all fw ACCEPT
fw all ACCEPT

Maybe the gap in my understanding is that ursa/firewall is protected by the dmz zone rules/policy? Maybe this line in /etc/interfaces is the part I am missing? i.e. dmz == all doms including dom0.

dmz xenbr0:vif+ routeback

I can understand that everything on peth0 should be allowed in, as it is essentially in promiscuous mode and needs to forward/broadcast all traffic through to the bridge. Then Shorewall just needs to ensure that only legitimate traffic is allowed through the virtual interfaces.

> And your statement that Dom0 needs the most protection is also suspect. From
> a firewall point of view, the DomUs are *outside of Dom0*. So they are
> perfectly accessible without going through Dom0.

My understanding is that they are protected by the dmz zone rules running in Dom0?

Thanks for the help.
Mark Clarke wrote:
> I am still a bit confused about the protection offered though. If there
> is no real firewall traffic going through the ursa zone then shouldn't
> the lines in policy disallow access from all, and the net zone in
> particular, to the firewall?
>
> all fw ACCEPT
> fw all ACCEPT
>
> Maybe the gap in my understanding is that ursa/firewall is protected by
> the dmz zone rules/policy? Maybe this line in /etc/interfaces is the
> part I am missing? i.e. dmz == all doms including dom0.
>
> dmz xenbr0:vif+ routeback
>
> I can understand that everything on peth0 should be allowed in as it is
> essentially in promiscuous mode and needs to forward/broadcast all
> traffic through to the bridge. Then Shorewall just needs to ensure that
> only legitimate traffic is allowed through the virtual interfaces.

Mark,

It sounds like you are confused about the purpose of this particular firewall example. From the article:

    In this example, we will assume that the system is behind a second
    firewall that restricts incoming traffic so that we only have to worry
    about protecting the local LAN from the systems running in the DomU's.

Sounds like you missed that assumption.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
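For the case Mark is actually worried about, a Dom0 that is directly exposed with no second firewall in front of it, the following is an added illustration of where the protection belongs according to Tom's reply: on the $FW zone, not on ursa. It is not from the Shorewall article or from either poster; the zone names net and $FW, the placeholder management network 203.0.113.0/24 and the choice of tcp/22 as the only inbound service are assumptions.

```text
# /etc/shorewall/policy  (constructed example, not the article's configuration)
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       all    ACCEPT
net       $FW    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  -- rules are evaluated before policies, so this is the
# only path from the net zone into Dom0; 203.0.113.0/24 stands in for a real
# management network and keeps ssh off the whole internet
#ACTION   SOURCE                DEST   PROTO   DEST PORT(S)
ACCEPT    net:203.0.113.0/24    $FW    tcp     22
```

Because the net -> $FW policy logs at the info level, anything that tries to reach Dom0 other than ssh from the management network shows up in shorewall show log, which is the check to run after restarting to confirm the policy is really in force. The DomU zones keep their own policies; as Tom says, traffic to a DomU crosses the bridge without passing through Dom0's $FW chains, so this fragment changes nothing for them. If the system really is behind the second firewall the article assumes, the article's ACCEPT policy is the intended configuration and none of this is needed.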
Hi

I have a PC with Asterisk on my LAN; the registration to my SIP provider works through Shorewall, but I have no audio when I call an external SIP account.

I will not do that on Shorewall (not very secure, but functional!):

Forward UDP Port 5060-5082 to local_ip_asterisk
Forward UDP Port 10000 to 20000 to local_ip_asterisk

I will use ip_conntrack_sip and ip_nat_sip; they are activated in /usr/share/shorewall/modules and loaded correctly, and the SIP netfilter helper works between 2 zones on Shorewall.

On Shorewall the rule initiating the SIP netfilter helper, lan ----> wan udp 5060, is present.

tail -f /var/log/messages is quiet on Shorewall for this problem!

Thanks
VUILLET Damien
System Administrator
lpa du morvan wrote:
> I have a PC with Asterisk on my LAN; the registration to my SIP provider
> works through Shorewall, but I have no audio when I call an external SIP
> account.
>
> I will not do that on Shorewall (not very secure, but functional!):
>
> Forward UDP Port 5060-5082 to local_ip_asterisk
> Forward UDP Port 10000 to 20000 to local_ip_asterisk
>
> I will use ip_conntrack_sip and ip_nat_sip; they are activated in
> /usr/share/shorewall/modules and loaded correctly, and the SIP netfilter
> helper works between 2 zones on Shorewall.
>
> On Shorewall the rule initiating the SIP netfilter helper, lan ----> wan udp 5060,
> is present.
>
> tail -f /var/log/messages is quiet on Shorewall for this problem!

First thought - do you use NAT? Have you properly configured Asterisk for this (/etc/asterisk/sip_nat.conf IIRC)?

Also, you can open fewer ports for RTP by editing rtp.conf.

And I think you only need port 5060, not ports 5060 to 5082.

Finally, if you correctly configure Asterisk for the NAT then do NOT load ip_nat_sip which (I think) will mangle your SIP packets for you.
----- Original Message -----
From: "Simon Hobson" <linux@thehobsons.co.uk>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, May 15, 2007 9:19 AM
Subject: Re: [Shorewall-users] shorewall & asterisk

> lpa du morvan wrote:
>
> >I have a PC with Asterisk on my LAN; the registration to my SIP provider
> >works through Shorewall, but I have no audio when I call an external SIP
> >account.
> >
> >I will not do that on Shorewall (not very secure, but functional!):
> >
> >Forward UDP Port 5060-5082 to local_ip_asterisk
> >Forward UDP Port 10000 to 20000 to local_ip_asterisk
> >
> >I will use ip_conntrack_sip and ip_nat_sip; they are activated in
> >/usr/share/shorewall/modules and loaded correctly, and the SIP netfilter
> >helper works between 2 zones on Shorewall.
> >
> >On Shorewall the rule initiating the SIP netfilter helper, lan ----> wan udp 5060,
> >is present.
> >
> >tail -f /var/log/messages is quiet on Shorewall for this problem!
>
> First thought - do you use NAT? Have you properly configured
> Asterisk for this (/etc/asterisk/sip_nat.conf IIRC)?
>
> Also, you can open fewer ports for RTP by editing rtp.conf.
>
> And I think you only need port 5060, not ports 5060 to 5082.
>
> Finally, if you correctly configure Asterisk for the NAT then do NOT
> load ip_nat_sip which (I think) will mangle your SIP packets for you.

Hi, thanks for your answer. But I did not make any configuration on my Asterisk, because when I used MNF2 everything worked with the native installation of Asterisk, and on MNF2 I have the right addition in /etc/shorewall/rules:

ACCEPT lan wan udp 1024:65535

and nothing changed in /etc/shorewall/modules (sip_conntrack and sip_nat did not exist at that time!), only this:

----------------------------------------------------------
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
----------------------------------------------------------

I must thus keep my MNF2 only for my Asterisk!!! and I would like to give up my MNF2 completely.

Thanks
VUILLET Damien
lpa du morvan wrote:
> But I did not make any configuration on my Asterisk, because when I used
> MNF2 everything worked with the native installation of Asterisk, and on
> MNF2 I have the right addition in /etc/shorewall/rules

MNF2?

> I must thus keep my MNF2 only for my Asterisk!!! and I would like to
> give up my MNF2 completely.

MNF2 is another firewall? I'm not entirely sure what you are saying, but what I can tell you is:

1) SIP does NOT work through NAT without some help.

2) Some firewalls have a SIP ALG (Application Level Gateway) which intercepts all SIP traffic and does some mangling to the addresses contained within. The ALG may also do automatic port forwarding - again by using the content of the SIP packets it passes. I'm guessing that your MNF2 system had such an ALG.

3) Asterisk has a setting that will tell it to take account of NAT (IIRC it's sip_nat.conf). For SIP exchanges Asterisk determines (based on what you tell it) are to go out through a NAT gateway, Asterisk will use the correct public IP & port in its messages. This DOES work.

4) Just for completeness, many SIP devices have STUN (Simple Traversal of UDP through NAT) which uses exchanges with an external server to determine the public IP & port, and the type of NAT in use. This isn't relevant to your problem.

IMHO, the best way to make Asterisk work through NAT is:

Configure sip_nat.conf correctly.

Configure the firewall to map between port 5060 on the public IP and port 5060 on the Asterisk box.

Similarly configure port forwarding for the RTP ports specified in rtp.conf - and I would suggest significantly reducing the number of ports used unless you expect to need in excess of 5 thousand simultaneous calls going on!

Do NOT configure a SIP ALG on the gateway as it will conflict with the 'corrections' done by Asterisk.

Since (I assume) you are using a Linux box as your gateway, the following will also not apply - but I include it for completeness.

Some NAT gateways (Zyxel take note) are well and truly f***ed up by design! They do stupid things like mapping outbound packets from port 5060 to a random public port in spite of you having created an inbound rule to map port 5060 to 5060 - this breaks SIP.
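The setup Simon recommends (forward one SIP port and a trimmed RTP range to the Asterisk box, tell Asterisk about the NAT, and keep the SIP helper out of the picture), written out as an added illustration that is not from Simon's message or from the Shorewall or Asterisk projects. The zone names lan and wan follow Damien's rule; the addresses 192.168.1.10 and 203.0.113.5 are placeholders; the Asterisk NAT settings are the nat, externip and localnet options in the [general] section of sip.conf, which is where they live rather than in a separate sip_nat.conf; and the RTP range is an assumption sized for roughly 100 concurrent calls.

```text
# /etc/shorewall/rules  (constructed example; 192.168.1.10 stands in for the Asterisk box)
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
# SIP signalling: a single port, not 5060-5082
DNAT      wan      lan:192.168.1.10     udp     5060
# RTP media: a small range kept in step with rtp.conf below (RTP takes the
# even port and RTCP the odd one, so 200 ports is roughly 100 calls)
DNAT      wan      lan:192.168.1.10     udp     10000:10199

; /etc/asterisk/rtp.conf  -- must match the forwarded range exactly
[general]
rtpstart=10000
rtpend=10199

; /etc/asterisk/sip.conf  -- NAT handling is configured in the [general] section
[general]
nat=yes
externip=203.0.113.5               ; placeholder: public address of the gateway
localnet=192.168.1.0/255.255.255.0 ; peers on this network keep private addresses

# /etc/shorewall/modules  (overrides /usr/share/shorewall/modules) -- leave the
# SIP helper out so netfilter does not rewrite addresses Asterisk already fixed
#loadmodule ip_conntrack_sip
#loadmodule ip_nat_sip
```

Two checks after a shorewall restart: shorewall show nat should list the two DNAT entries and lsmod should show neither ip_conntrack_sip nor ip_nat_sip. If the provider's SIP proxy addresses are known, narrowing the source of the 5060 rule to them (wan:<provider address> in the SOURCE column) keeps unsolicited REGISTER and INVITE traffic from the rest of the internet away from Asterisk; the RTP rule has to stay open to any source because media may arrive from a different host than the signalling.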
> MNF2?

It's Shorewall 2.0 by Mandriva, no SIP ALG at that time!

I thus will configure Asterisk (sip_nat.conf and rtp.conf!)

Thanks for your help
VUILLET Damien