Carlos Carrero Gutierrez
2008-Oct-18 07:25 UTC
Shorewall not Reject or drop my connections
I have configured the firewall as follows:

    REJECT net $FW TCP 80

or

    Web/REJECT net $FW

However, the connection is still working. How does this happen? I cannot find an answer in the FAQ or documentation.

Thank you.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Sat, Oct 18, 2008 at 09:25:44AM +0200, Carlos Carrero Gutierrez wrote:
> I have configured the firewall as follows:
>
>     REJECT net $FW TCP 80
>
> or
>
>     Web/REJECT net $FW
>
> However, the connection is still working. How does this happen? I cannot find an
> answer in the FAQ or documentation.
>
You do not provide enough information. Where is the web server running?

Also, if you are rejecting in your rules file, then you almost certainly have your policy set incorrectly.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Carlos Carrero Gutierrez wrote:
> I have configured the firewall as follows:
>
>     REJECT net $FW TCP 80
>
> or
>
>     Web/REJECT net $FW
>
> However, the connection is still working. How does this happen? I cannot find
> an answer in the FAQ or documentation.

If by "the connection is still working", you mean that an existing connection still works, that is how stateful firewalls work! They only block NEW connections.

-Tom
--
Tom Eastep              \ The ultimate result of shielding men from the
Shoreline,               \ effects of folly is to fill the world with fools.
Washington, USA          \ -Herbert Spencer
http://shorewall.net     \________________________________________________
Carlos Carrero Gutierrez
2008-Oct-18 20:25 UTC
Re: Shorewall not Reject or drop my connections
Well, the problem that I have now is different. I have configured Shorewall with two interfaces and it works properly. But I want to use Bittorrent and I cannot download or upload even though I open the ports and use the macro.Bittorrent.

How do I fix that? The config is the default.

Thank you very much.

2008/10/18 Tom Eastep <teastep@shorewall.net>
> Carlos Carrero Gutierrez wrote:
> > I have configured the firewall as follows:
> >
> >     REJECT net $FW TCP 80
> >
> > or
> >
> >     Web/REJECT net $FW
> >
> > However, the connection is still working. How does this happen? I cannot find
> > an answer in the FAQ or documentation.
>
> If by "the connection is still working", you mean that an existing
> connection still works, that is how stateful firewalls work! They only
> block NEW connections.
>
> -Tom
> --
> Tom Eastep              \ The ultimate result of shielding men from the
> Shoreline,               \ effects of folly is to fill the world with fools.
> Washington, USA          \ -Herbert Spencer
> http://shorewall.net     \________________________________________________
Carlos Carrero Gutierrez wrote:
> Well, the problem that I have now is different. I have configured
> Shorewall with two interfaces and it works properly. But I want to use
> Bittorrent and I cannot download or upload even though I open the ports
> and use the macro.Bittorrent.
>
> How do I fix that?

Change your configuration.

-Tom

PS -- when you don't give us the information we need to help you, that is the kind of help you get. See http://www.shorewall.net/support.htm#Guidelines

--
Tom Eastep              \ The ultimate result of shielding men from the
Shoreline,               \ effects of folly is to fill the world with fools.
Washington, USA          \ -Herbert Spencer
http://shorewall.net     \________________________________________________
Carlos Carrero Gutierrez
2008-Oct-19 10:21 UTC
Re: Shorewall not Reject or drop my connections
Rules:

    Web/ACCEPT $FW net

    # Accept DNS connections from the firewall to the network
    #
    DNS/ACCEPT $FW net
    #
    # Accept SSH connections from the local network for administration
    #
    SSH/ACCEPT loc $FW
    #
    # Allow Ping from the local network
    #
    Ping/ACCEPT loc $FW

    #
    # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
    #
    Ping/REJECT net $FW

    ACCEPT $FW loc icmp
    ACCEPT $FW net icmp
    #

Policy:

    loc net DROP
    loc $FW REJECT info
    loc all REJECT info

    #
    # Policies for traffic originating from the firewall ($FW)
    #
    # If you want open access to the Internet from your firewall, change the
    # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
    # This may be useful if you run a proxy server on the firewall.
    $FW net REJECT info
    $FW loc REJECT info
    $FW all REJECT info

    #
    # Policies for traffic originating from the Internet zone (net)
    #
    net $FW DROP info
    net loc DROP info
    net all DROP info

    # THE FOLLOWING POLICY MUST BE LAST
    all all REJECT info

Zones:

    fw firewall
    net ipv4
    loc ipv4

This is the configuration; how do I get downloads working with Bittorrent?

Thank you very much.

2008/10/19 Tom Eastep <teastep@shorewall.net>
> Carlos Carrero Gutierrez wrote:
> > Well, the problem that I have now is different. I have configured
> > Shorewall with two interfaces and it works properly. But I want to use
> > Bittorrent and I cannot download or upload even though I open the ports
> > and use the macro.Bittorrent.
> >
> > How do I fix that?
>
> Change your configuration.
>
> -Tom
> PS -- when you don't give us the information we need to help you, that
> is the kind of help you get. See
> http://www.shorewall.net/support.htm#Guidelines
> --
> Tom Eastep              \ The ultimate result of shielding men from the
> Shoreline,               \ effects of folly is to fill the world with fools.
> Washington, USA          \ -Herbert Spencer
> http://shorewall.net     \________________________________________________
Carlos Carrero Gutierrez wrote:
> Rules:
>
>     Web/ACCEPT $FW net
>
>     # Accept DNS connections from the firewall to the network
>     #
>     DNS/ACCEPT $FW net
>     #
>     # Accept SSH connections from the local network for administration
>     #
>     SSH/ACCEPT loc $FW
>     #
>     # Allow Ping from the local network
>     #
>     Ping/ACCEPT loc $FW
>
>     #
>     # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
>     #
>     Ping/REJECT net $FW
>
>     ACCEPT $FW loc icmp
>     ACCEPT $FW net icmp
>     #
>
> Policy:
>
>     loc net DROP

That policy prohibits all access from your local systems to the Internet. And it does so silently (no log messages are produced). It is NOT the default -- the default is

    loc net ACCEPT

Changing that policy will allow bittorrent from your local systems (and all other access like web, DNS, email, etc).

>     loc $FW REJECT info
>     loc all REJECT info
>
>     #
>     # Policies for traffic originating from the firewall ($FW)
>     #
>     # If you want open access to the Internet from your firewall, change the
>     # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
>     # This may be useful if you run a proxy server on the firewall.
>     $FW net REJECT info

That policy prohibits all access from the firewall to the Internet. You have a couple of rules above that allow DNS, Ping, and Web access BUT THAT IS ALL. So if you want bittorrent access from the firewall itself, you need to add something like:

    BitTorrent/ACCEPT $FW net

in /etc/shorewall/rules.

>     $FW loc REJECT info
>     $FW all REJECT info
>
>     #
>     # Policies for traffic originating from the Internet zone (net)
>     #
>     net $FW DROP info
>     net loc DROP info
>     net all DROP info
>
>     # THE FOLLOWING POLICY MUST BE LAST
>     all all REJECT info
>
> Zones:
>
>     fw firewall
>     net ipv4
>     loc ipv4
>
> This is the configuration; how do I get downloads working with Bittorrent?

It depends on whether you want to run a bittorrent client on the firewall or on a local system behind the firewall. See above.

-Tom
--
Tom Eastep              \ The ultimate result of shielding men from the
Shoreline,               \ effects of folly is to fill the world with fools.
Washington, USA          \ -Herbert Spencer
http://shorewall.net     \________________________________________________
Carlos,

It looks like the configuration you have is going to keep causing problems.

On Sun, Oct 19, 2008 at 12:21:33PM +0200, Carlos Carrero Gutierrez wrote:
>
> Policy:
>
>     loc net DROP
>     loc $FW REJECT info
>     loc all REJECT info
>
With these, you are blocking packets that are trying to go out. You should remove those three lines.

>     #
>     # Policies for traffic originating from the firewall ($FW)
>     #
>     # If you want open access to the Internet from your firewall, change the
>     # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
>     # This may be useful if you run a proxy server on the firewall.
>     $FW net REJECT info
>     $FW loc REJECT info
>     $FW all REJECT info
>
Same with these.

>     #
>     # Policies for traffic originating from the Internet zone (net)
>     #
>     net $FW DROP info
>     net loc DROP info
>     net all DROP info
>
>     # THE FOLLOWING POLICY MUST BE LAST
>     all all REJECT info
>
These make sense.

In my configuration, I have the following:

    loc net ACCEPT
    fw all ACCEPT
    net all DROP info
    all all REJECT info

Now, to help you in more detail, we need to know which version of Shorewall you are using (and whether it is Shorewall-shell or Shorewall-perl). Also, which Linux distribution and which version of the distribution.

Also, this document: http://www.shorewall.net/two-interface.htm

The configuration given on that page works for most people who have a system with two interfaces.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
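Both Tom's walk-through of the posted policy and Roberto's suggested policy above rest on the same lookup order: for a NEW connection Shorewall consults /etc/shorewall/rules first (first match wins), and only if no rule matches does /etc/shorewall/policy apply, again first match wins, with "all" acting as a wildcard for either zone. The script below is an added example written for this thread, not code from Shorewall or from anyone in the discussion; it models that lookup in POSIX shell over constructed copies of Carlos's rules and policy files and of a two-interface style policy. It simplifies in one respect that is an assumption of the example: macros such as Web or BitTorrent are matched by name, whereas real Shorewall expands each macro to its protocol and port set, and rules that name a protocol directly (the two icmp lines) are left out.

```shell
#!/bin/sh
# Added example for this thread (not Shorewall's own code): a simplified model of
# how the fate of a NEW connection is decided from the rules and policy files.

# Constructed rules file: the macro rules Carlos posted (icmp lines omitted).
RULES='Web/ACCEPT $FW net
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/REJECT net $FW'

# Constructed policy file: the policy Carlos posted (loc->net DROP, no log level).
POLICY_POSTED='loc net DROP
loc $FW REJECT info
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info'

# Constructed policy file in the style of the two-interface sample (loc->net ACCEPT).
POLICY_DEFAULT='loc net ACCEPT
net all DROP info
all all REJECT info'

# fate MACRO SRC DST RULES POLICY
# Prints the action that applies and whether a rule or a policy decided it.
fate() {
    macro=$1 src=$2 dst=$3 rules=$4 policy=$5
    # Step 1: rules file, first line whose macro, source and destination match.
    # Macros are matched by name here (assumption of this model).
    action=$(printf '%s\n' "$rules" | awk -v m="$macro" -v s="$src" -v d="$dst" '
        { split($1, a, "/"); if (a[1] == m && a[2] != "" && $2 == s && $3 == d) { print a[2]; exit } }')
    if [ -n "$action" ]; then
        printf '%s (rule)\n' "$action"
        return
    fi
    # Step 2: policy file, first line whose zones match; "all" matches any zone.
    printf '%s\n' "$policy" | awk -v s="$src" -v d="$dst" '
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3 " (policy)"; exit }'
}

# silent_policies POLICY
# Lists DROP/REJECT policies with no log level: they discard traffic without a
# trace in the log, which is what made the loc->net DROP hard to diagnose here.
silent_policies() {
    printf '%s\n' "$1" | awk '($3 == "DROP" || $3 == "REJECT") && NF < 4 { print $1, $2, $3 }'
}

# Walk through the cases discussed in the thread.
printf 'Web from firewall, posted config:        %s\n' "$(fate Web '$FW' net "$RULES" "$POLICY_POSTED")"
printf 'BitTorrent from firewall, posted config: %s\n' "$(fate BitTorrent '$FW' net "$RULES" "$POLICY_POSTED")"
printf 'BitTorrent from loc, posted config:      %s\n' "$(fate BitTorrent loc net "$RULES" "$POLICY_POSTED")"
printf 'BitTorrent from loc, two-interface:      %s\n' "$(fate BitTorrent loc net "$RULES" "$POLICY_DEFAULT")"
printf 'Silent policies in posted config:        %s\n' "$(silent_policies "$POLICY_POSTED")"
```

Run as `sh fate.sh`: with the posted policy a BitTorrent connection from the firewall falls through every rule and lands on `$FW net REJECT`, and one from a local system lands on `loc net DROP`, which is also the only policy line that logs nothing; with the two-interface style policy the same local connection is accepted. Adding `BitTorrent/ACCEPT $FW net` to the rules is what makes the first case match in step 1 instead of falling through.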
Carlos Carrero Gutierrez
2008-Oct-20 13:40 UTC
Re: Shorewall not Reject or drop my connections
Well, I have considered changing my configuration and accepting connections, but I don't know the risk that I could suffer. So I was thinking about a method (rules) to change only that connection. Also, I have to allow IMAPS and SMTPS (Thunderbird), but the same thing happens (connection refused).

In that case, I will modify loc net, but I don't know if it is secure or not.

On 19 October 2008 at 18:41, Roberto C. Sánchez <roberto@connexer.com> wrote:
> Carlos,
>
> It looks like the configuration you have is going to keep causing problems.
>
> On Sun, Oct 19, 2008 at 12:21:33PM +0200, Carlos Carrero Gutierrez wrote:
> >
> > Policy:
> >
> >     loc net DROP
> >     loc $FW REJECT info
> >     loc all REJECT info
> >
> With these, you are blocking packets that are trying to go out. You should
> remove those three lines.
>
> >     #
> >     # Policies for traffic originating from the firewall ($FW)
> >     #
> >     # If you want open access to the Internet from your firewall, change the
> >     # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
> >     # This may be useful if you run a proxy server on the firewall.
> >     $FW net REJECT info
> >     $FW loc REJECT info
> >     $FW all REJECT info
> >
> Same with these.
>
> >     #
> >     # Policies for traffic originating from the Internet zone (net)
> >     #
> >     net $FW DROP info
> >     net loc DROP info
> >     net all DROP info
> >
> >     # THE FOLLOWING POLICY MUST BE LAST
> >     all all REJECT info
> >
> These make sense.
>
> In my configuration, I have the following:
>
>     loc net ACCEPT
>     fw all ACCEPT
>     net all DROP info
>     all all REJECT info
>
> Now, to help you in more detail, we need to know which version of Shorewall
> you are using (and whether it is Shorewall-shell or Shorewall-perl). Also,
> which Linux distribution and which version of the distribution.
>
> Also, this document: http://www.shorewall.net/two-interface.htm
>
> The configuration given on that page works for most people who have a
> system with two interfaces.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
On Mon, Oct 20, 2008 at 03:40:01PM +0200, Carlos Carrero Gutierrez wrote:
> Well, I have considered changing my configuration and accepting connections, but
> I don't know the risk that I could suffer. So I was thinking about a
> method (rules) to change only that connection. Also, I have to allow IMAPS
> and SMTPS (Thunderbird), but the same thing happens (connection refused).
>
> In that case, I will modify loc net, but I don't know if it is secure or not.
>
Well, filtering outbound traffic is generally a very complicated thing to get right, as you are seeing. I recommend that you start with the policy (or rather the whole configuration) given in the particular HOWTO that matches your machine's setup (the two-interface HOWTO in your case).

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com