Dear experts,

I asked a question some weeks ago regarding sharing bandwidth among several WAN interfaces. Tom answered that my problem was because of having an "ancient" version of Ubuntu. Now the latest Ubuntu 8.04 LTS has come out, and I have been attempting to upgrade, but have run into an apparent bug that prevents the LAN from receiving internet through the PPPoE lines. While that is apparently an Ubuntu bug, and no concern of this list, I've run into some online advice that brings me to some questions regarding shorewall.

The advice I found said to clear the iptables with such commands as these:

  sudo iptables -F
  sudo iptables -X
  sudo iptables -P INPUT ACCEPT
  sudo iptables -P OUTPUT ACCEPT

The instructions were that this would completely open up the iptables, and would require a firewall to take care of the security in place of the iptables.

But now I ask:
1) Is this safe?
2) Does shorewall replace ALL of the necessary iptables rules with its own secure policies, or does it merely adjust the tables already there?
3) Would there be any better way of opening up the iptables?

If you're interested in the background issue with Ubuntu that I'm dealing with, and the advice I found online, you may look here:

http://ubuntuforums.org/showthread.php?t=781744&highlight=linux+pppoe+ERROR+while+getting+interface+flags%26quot%3B+%26quot%3B70-persistent-net.rules

Thank you!

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
On Thu, May 08, 2008 at 07:37:25PM -0700, Erik Mundall wrote:
>
> sudo iptables -F
> sudo iptables -X
> sudo iptables -P INPUT ACCEPT
> sudo iptables -P OUTPUT ACCEPT
>
> The instructions were that this would completely open up the iptables,
> and would require a firewall to take care of the security in place of
> the iptables.
>
> But now I ask:
> 1) Is this safe?

I'm not sure what you mean by this. Basically, those commands completely flush all rules, delete all user-defined chains and default allow all inbound and outbound traffic. If your system faces the public Internet and you execute those commands and don't follow them up with any protective measures, then that is certainly a recipe for disaster.

> 2) Does shorewall replace ALL of the necessary iptables rules with its
> own secure policies, or does it merely adjust the tables already
> there?

Shorewall replaces all the iptables rules, else there would be no sane way to do it.

> 3) Would there be any better way of opening up the iptables?
>

If you run 'shorewall clear' it has the same effect as the commands you listed above. Of course, then you leave yourself wide open. You can do this for troubleshooting, for example, to see if some misbehavior still occurs after clearing the iptables rules, which will tell you if the problem is with Shorewall or with something else.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> On Thu, May 08, 2008 at 07:37:25PM -0700, Erik Mundall wrote:
>> sudo iptables -F
>> sudo iptables -X
>> sudo iptables -P INPUT ACCEPT
>> sudo iptables -P OUTPUT ACCEPT
>>
>> The instructions were that this would completely open up the iptables,
>> and would require a firewall to take care of the security in place of
>> the iptables.
>>
>> But now I ask:
>> 1) Is this safe?
>
> I'm not sure what you mean by this. Basically, those commands
> completely flush all rules, delete all user-defined chains and default
> allow all inbound and outbound traffic. If your system faces the public
> Internet and you execute those commands and don't follow them up with
> any protective measures, then that is certainly a recipe for disaster.

And those rules do nothing with forwarded traffic, nat, mangle or raw rules. In other words, those rules are very incomplete.

>
>> 2) Does shorewall replace ALL of the necessary iptables rules with its
>> own secure policies, or does it merely adjust the tables already
>> there?
>
> Shorewall replaces all the iptables rules, else there would be no sane
> way to do it.
>
>> 3) Would there be any better way of opening up the iptables?
>>
> If you run 'shorewall clear' it has the same effect as the commands you
> listed above.

And much more.

> Of course, then you leave yourself wide open. You can do
> this for troubleshooting, for example, to see if some misbehavior still
> occurs after clearing the iptables rules, which will tell you if the
> problem is with Shorewall or with something else.

Agreed.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
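To make Tom's point concrete, here is an added example (not code from the thread, from Shorewall, or from any of the posters). It reads an iptables-save dump and reports what the four commands from the first post leave behind: `iptables -F`, `-X` and `-P` without `-t` act on the filter table only, so the FORWARD policy, and every rule in the nat, mangle and raw tables, survive. The dump below is constructed for the example, the function names `audit_dump` and `reset_dump` are my own, and nothing in the script touches a live kernel; the final usage line is the only part that needs root.

```shell
#!/bin/sh
# Added example, not part of the original thread.  SAMPLE_DUMP is a
# constructed iptables-save dump of a router *after* running
#   iptables -F; iptables -X; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT
# Only the filter table was touched: FORWARD still drops, and nat/mangle still
# carry the rules that were there before.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp1 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT'

# audit_dump: read an iptables-save dump on stdin and print one line for every
# built-in chain whose policy is not ACCEPT ("policy TABLE/CHAIN POLICY") and
# one line per table that still holds rules ("rules TABLE COUNT").  Empty
# output means the ruleset is genuinely wide open.
audit_dump() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/  { chain = substr($1, 2)
                if ($2 != "ACCEPT" && $2 != "-")
                    print "policy " table "/" chain " " $2
                next }
        /^-A/ { rules[table]++; next }
        END   { for (t in rules) print "rules " t " " rules[t] }
    ' | sort
}

# reset_dump: turn a dump into an iptables-restore script that empties every
# table the kernel currently has loaded and sets every built-in chain to
# ACCEPT.  User-defined chains (policy "-") are simply not re-declared, so
# iptables-restore removes them along with all rules.
reset_dump() {
    awk '
        /^\*/     { print; next }
        /^:/      { if ($2 != "-") print $1 " ACCEPT [0:0]"; next }
        /^COMMIT/ { print; next }
    '
}

# Stand-alone demonstration on the constructed dump.
echo "== what the four commands leave behind =="
printf '%s\n' "$SAMPLE_DUMP" | audit_dump
echo "== after reset_dump (nothing should print) =="
printf '%s\n' "$SAMPLE_DUMP" | reset_dump | audit_dump

# Real use, as root, to open up every table (this is as exposed as
# 'shorewall clear'; only do it on a box you are actively troubleshooting):
#   iptables-save | reset_dump | iptables-restore
```

Running the script against the sample prints `policy filter/FORWARD DROP`, `rules mangle 1` and `rules nat 2` for the "cleared" router, and nothing at all after `reset_dump`. Because `reset_dump` works from what `iptables-save` actually reports, it covers raw (and any other) tables only when they are loaded, which is exactly the set that can still affect traffic.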
Erik Mundall wrote:
> ...
> If you're interested in the background issue with Ubuntu that I'm
> dealing with, and the advice I found online, you may look here:
>
> http://ubuntuforums.org/showthread.php?t=781744&highlight=linux+pppoe+ERROR+while+getting+interface+flags%26quot%3B+%26quot%3B70-persistent-net.rules

The iptables output you posted in the Ubuntu forum was not created with Shorewall. Is this even the same system as you previously posted about (http://permalink.gmane.org/gmane.comp.security.shorewall/19239)?

Paul
Thank you, Roberto and Tom. That helps me understand shorewall better. In any event, having now tried those iptables commands, they didn't help in my case.

When I do a "shorewall clear", does that actually leave the iptables/firewall wide open? Perhaps I have misunderstood, but I had thought that whenever shorewall "clears", it replaces the previous iptables configuration that had existed before shorewall started. Is this not the case?

To answer your question, Paul, the link I referenced regarding this Ubuntu problem is not presenting my case. Those are his iptables output. Yes, I am still dealing with the same server; however, I have been forced to practice on an "offline" server, which, when upgraded to Ubuntu 8.04, exhibits the exact same behavior. The problem is that the PPPoE lines will not pass internet through to the LAN when they are in the route with 8.04, and a network restart will always show these errors:

  ppp0: ERROR while getting interface flags: No such device
  Plugin rp-pppoe.so loaded.
  ppp1: ERROR while getting interface flags: No such device
  Plugin rp-pppoe.so loaded.

I've posted to the Ubuntu forums, but received no response. As it turns out, I've experienced these same problems now on two different machines, and with both 7.10 and 8.04 of Ubuntu. I have also gone through the current list of Ubuntu distributions, by trial and error, to find the ones that will support the load balancing, and only these last two actually do it properly. So, it seems to be a case of breaking one thing to fix another.

I may have to go back to using hardware routers to interface the PPPoE lines for the server. The problem with doing it that way is that the routers seem to have a hardware limit for the number of connections going through, and when I have tried this previously, there were times when the internet was clogged up. Additionally, I have had some issues with the double NAT.

Of course, almost none of my problems are directly related to shorewall. I had thought the load balancing might be, but I'm learning that is a kernel issue. I have really appreciated having shorewall, and want to thank Tom and any others who have provided this tool.

Thank you all.

Erik.