I hope this is a quick question for the experts...I'm at a loss as to how to do this:
Drop packets with dest port 4321 with the rst flag set.

Here's what the rule I have in mind would look like (iptables -L)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:4321 flags:RST/RST

How can this be done in the shorewall rules file? or do I need to create a special macro or something?

The box running shorewall is doing NAT for my lan...so in the end I would like this rule to apply to packets heading to clients on the lan.
(something like: DROP net loc tcp 4321 with the tcp flags information added somewhere...)

I know this will leave hanging tcp sockets, but it's needed in my case :(

-- 
matt
mattlist@fastmail.fm

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
mattjackets wrote:
> I hope this is a quick question for the experts...I'm at a loss as to
> how to do this:
> Drop packets with dest port 4321 with the rst flag set.
>
> Here's what the rule I have in mind would look like (iptables -L)
> target prot opt source destination
> DROP tcp -- anywhere anywhere tcp
> dpt:4321 flags:RST/RST
>
> How can this be done in the shorewall rules file? or do I need to
> create a special macro or something?
>

Use an Action defined with an Extension script. The best short example is probably this one:

http://www.shorewall.net/3.0/shorewall_extension_scripts.htm#NFQUEUE

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
mattjackets wrote:
> I hope this is a quick question for the experts...I'm at a loss as to
> how to do this:
> Drop packets with dest port 4321 with the rst flag set.
>
> Here's what the rule I have in mind would look like (iptables -L)
> target prot opt source destination
> DROP tcp -- anywhere anywhere tcp
> dpt:4321 flags:RST/RST
>
> How can this be done in the shorewall rules file? or do I need to
> create a special macro or something?
>
> The box running shorewall is doing NAT for my lan...so in the end I
> would like this rule to apply to packets heading to clients on the lan.
> (something like: DROP net loc tcp 4321 with the tcp flags information
> added somewhere...)
>
> I know this will leave hanging tcp sockets, but it's needed in my case
> :(

Wrong URL in my last post -- s/b:

http://www.shorewall.net/3.0/Actions.html#NFQUEUE

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sun, 26 Aug 2007 07:39:36 -0700, "Tom Eastep" <teastep@shorewall.net> said:
> mattjackets wrote:
> > I hope this is a quick question for the experts...I'm at a loss as to
> > how to do this:
> > Drop packets with dest port 4321 with the rst flag set.
> >
> > Here's what the rule I have in mind would look like (iptables -L)
> > target prot opt source destination
> > DROP tcp -- anywhere anywhere tcp
> > dpt:4321 flags:RST/RST
> >
> > How can this be done in the shorewall rules file? or do I need to
> > create a special macro or something?
> >
> >
> Use an Action defined with an Extension script. The best short example is
> probably this one:
>
> http://www.shorewall.net/3.0/shorewall_extension_scripts.htm#NFQUEUE
>
> -Tom

Tom,

I quickly scanned the document you linked, and have a few questions.

Are you suggesting that I use the equivalent iptables command (using run_iptables) in the extension?
(on start: run_iptables -A whatever.... on stop: run_iptables -D whatever...)

If so, I'm not sure which chain to apply the rule to. Shorewall sets up many chains, and I'm not sure which would be the most appropriate.
Below are the chains defined by shorewall on my firewall:

Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
Chain Drop (3 references)
Chain Reject (9 references)
Chain all2all (0 references)
Chain dropBcast (2 references)
Chain dropInvalid (2 references)
Chain dropNotSyn (2 references)
Chain dynamic (4 references)
Chain eth0_fwd (1 references)
Chain eth0_in (1 references)
Chain eth1_fwd (1 references)
Chain eth1_in (1 references)
Chain fw2all (0 references)
Chain fw2loc (3 references)
Chain fw2net (1 references)
Chain loc2all (0 references)
Chain loc2fw (1 references)
Chain loc2net (1 references)
Chain logdrop (0 references)
Chain logflags (5 references)
Chain logreject (0 references)
Chain net2all (0 references)
Chain net2fw (1 references)
Chain net2loc (1 references)
Chain norfc1918 (2 references)
Chain reject (18 references)
Chain rfc1918 (6 references)
Chain shorewall (0 references)
Chain smurfs (4 references)
Chain tcpflags (4 references)

my guess would be net2loc, or maybe drop, or maybe tcpflags, or maybe it doesn't matter at all....I had no idea so many chains were created by shorewall...

Thanks for your help!

-- 
matt
mattlist@fastmail.fm

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and love email again
mattjackets wrote:
> On Sun, 26 Aug 2007 07:39:36 -0700, "Tom Eastep" <teastep@shorewall.net>
> said:
>> mattjackets wrote:
>>> I hope this is a quick question for the experts...I'm at a loss as to
>>> how to do this:
>>> Drop packets with dest port 4321 with the rst flag set.
>>>
>>> Here's what the rule I have in mind would look like (iptables -L)
>>> target prot opt source destination
>>> DROP tcp -- anywhere anywhere tcp
>>> dpt:4321 flags:RST/RST
>>>
>>> How can this be done in the shorewall rules file? or do I need to
>>> create a special macro or something?
>>>
>>>
>> Use an Action defined with an Extension script. The best short example is
>> probably this one:
>>
>> http://www.shorewall.net/3.0/shorewall_extension_scripts.htm#NFQUEUE
>>
>> -Tom
>
>
> Tom,
>
> I quickly scanned the document you linked, and have a few questions.

I've spent thousands of hours designing, writing and documenting Shorewall. Please do me the courtesy of reading the documentation carefully and completely before asking for me to spend more of my time helping you.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> mattjackets wrote:
>> On Sun, 26 Aug 2007 07:39:36 -0700, "Tom Eastep" <teastep@shorewall.net>
>> said:
>>> mattjackets wrote:
>>>> I hope this is a quick question for the experts...I'm at a loss as to
>>>> how to do this:
>>>> Drop packets with dest port 4321 with the rst flag set.
>>>>
>>>> Here's what the rule I have in mind would look like (iptables -L)
>>>> target prot opt source destination
>>>> DROP tcp -- anywhere anywhere tcp
>>>> dpt:4321 flags:RST/RST
>>>>
>>>> How can this be done in the shorewall rules file? or do I need to
>>>> create a special macro or something?
>>>>
>>>>
>>> Use an Action defined with an Extension script. The best short example is
>>> probably this one:
>>>
>>> http://www.shorewall.net/3.0/shorewall_extension_scripts.htm#NFQUEUE
>>>
>>> -Tom
>>
>> Tom,
>>
>> I quickly scanned the document you linked, and have a few questions.
>
> I've spent thousands of hours designing, writing and documenting
> Shorewall. Please do me the courtesy of reading the documentation
> carefully and completely before asking for me to spend more of my time
> helping you.
>

In a second email, I referred you to another article about Actions -- that is the document that you should be reading first.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
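An added example, not from the thread or from the Shorewall project, of the Action-plus-extension-script layout Tom points to, applied to Matt's case of dropping RST segments to TCP port 4321 on the net to loc path. The action name DropRst and all file contents are hypothetical; it also assumes (as the 3.x Actions documentation describes it, to my recollection) that Shorewall sets $CHAIN to the action's own chain and supplies run_iptables when it sources the extension script, so the rule lands in that action chain rather than in net2loc or tcpflags directly.

```shell
# --- /etc/shorewall/actions (hypothetical entry): declare the action name ---
#   DropRst
#
# --- /etc/shorewall/action.DropRst: the action's own rule file. It can hold
#     only a comment, because the iptables match is added by the extension
#     script below.
#
# --- /etc/shorewall/rules (hypothetical entry): invoke the action for net->loc
#     traffic to TCP port 4321. Shorewall does the port match; only the flag
#     match needs raw iptables.
#   #ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
#   DropRst   net      loc    tcp     4321
#
# --- /etc/shorewall/DropRst: extension script sourced while Shorewall builds
#     the DropRst chain. $CHAIN (assumed, per the 3.x docs) holds that chain's
#     name and run_iptables is Shorewall's wrapper; neither is defined here.

# Build the iptables argument list for the RST-only drop. Kept as a function so
# it can be checked without root or a live netfilter.
rst_drop_args() {
    chain="$1"
    # --tcp-flags RST RST: examine only the RST bit and match when it is set
    # (iptables -L shows this as flags:RST/RST)
    printf '%s\n' "-A $chain -p tcp --tcp-flags RST RST -j DROP"
}

# Install the rule into the action chain via Shorewall's run_iptables.
add_rst_drop() {
    chain="${1:-$CHAIN}"
    [ -n "$chain" ] || { echo "DropRst: no action chain given" >&2; return 1; }
    # word-splitting of the generated argument list is intended
    run_iptables $(rst_drop_args "$chain")
}

# When Shorewall sources this file, $CHAIN is set and run_iptables exists, so
# the rule is installed; run stand-alone, nothing is touched.
if [ -n "$CHAIN" ] && command -v run_iptables >/dev/null 2>&1; then
    add_rst_drop "$CHAIN"
fi
```

Because the action is invoked from the rules file with the port already matched, the extension script stays a single flag match, and Shorewall tears the chain down on stop, so no matching run_iptables -D is needed.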