Tom Eastep wrote:
> I am forwarding this post to the Shorewall Users mailing list. The email
> address 'support@shorewall.net' is reserved for sending large or
> confidential attachments to the Shorewall support team.
> 
> See http://www.shorewall.net/support.htm
> 
> -Tom
> 
> -------- Original Message --------
> Subject: Question
> Date: Mon, 20 Oct 2008 11:30:04 +0000
> From: Raul <rfunez@polar.es>
> To: support@shorewall.net
> 
> Good morning,
> I'm trying to configure shorewall firewall in my laptop to reject all
> connections to the site http://www.marca.com. My laptop is in the local
>
> #ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
> #REJECT    fw        net:194.224.66.0/24         tcp          80
> #ACTION   SOURCE    DESTINATION     PROTO
> REJECT    net:eth0:194.224.66.0-194.224.66.255  fw
> 
> With this configuration I think it should work fine but it doesn't. Where
> is the problem?
As you are discovering, a packet filter like Shorewall is a very poor
tool for restricting web access.
See here:
ursa:/home/teastep/shorewallBuild/4.2 # dig www.marca.com
; <<>> DiG 9.4.2-P1 <<>> www.marca.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 0
;; QUESTION SECTION:
;www.marca.com.			IN	A
;; ANSWER SECTION:
www.marca.com.		86400	IN	CNAME	www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net. 21600 IN	CNAME	a751.g.akamai.net.
a751.g.akamai.net.	20	IN	A	72.246.51.56
a751.g.akamai.net.	20	IN	A	72.246.51.104
Neither of those addresses are in the range you are blocking. Also, look
at the TTL on those entries -- 20 Seconds! So in 20 seconds, you get a
totally different answer:
ursa:/home/teastep/shorewallBuild/4.2 # dig www.marca.com
; <<>> DiG 9.4.2-P1 <<>> www.marca.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3332
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 0
;; QUESTION SECTION:
;www.marca.com.			IN	A
;; ANSWER SECTION:
www.marca.com.		86012	IN	CNAME	www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net. 21212 IN	CNAME	a751.g.akamai.net.
a751.g.akamai.net.	20	IN	A	204.203.18.163
a751.g.akamai.net.	20	IN	A	204.203.18.138
Those addresses aren't in the range you are blocking either!
I would configure squid as a proxy on your laptop and use its ACL
capability to block this access. That is the correct approach.
-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________
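The following is an added example (not code from the thread or from Shorewall) that turns Tom's check into a small audit: it parses the A records from dig's ANSWER SECTION, compares them with the range a REJECT rule covers (given either as a CIDR or as a Shorewall-style `a-b` range), and flags TTLs short enough that the answer will change under you. The two sample answers are the ones quoted in the reply above; the 300-second TTL threshold is an assumption.

```python
import ipaddress
import re

# One A record line from dig's ANSWER SECTION: name  ttl  IN  A  address
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_a_records(dig_output):
    """Return (name, ttl, address) for every A record; CNAME lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        match = A_RECORD.match(line.strip())
        if match:
            records.append((match.group(1), int(match.group(2)), match.group(3)))
    return records

def parse_blocked_spec(spec):
    """Accept a CIDR (194.224.66.0/24) or a Shorewall-style range (first-last)."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]

def audit_block_rule(dig_output, blocked_spec, ttl_warning=300):
    """Split resolved addresses into those the rule covers and those it misses,
    and flag a TTL below ttl_warning (assumed threshold) as likely to change."""
    networks = parse_blocked_spec(blocked_spec)
    covered, missed, min_ttl = [], [], None
    for _name, ttl, addr in parse_a_records(dig_output):
        hit = any(ipaddress.ip_address(addr) in net for net in networks)
        (covered if hit else missed).append(addr)
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    return {"covered": covered, "missed": missed, "min_ttl": min_ttl,
            "short_ttl": min_ttl is not None and min_ttl < ttl_warning}

# Sample input: the two ANSWER SECTIONs quoted in the reply above.
FIRST_ANSWER = """\
www.marca.com.  86400  IN  CNAME  www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net.  21600  IN  CNAME  a751.g.akamai.net.
a751.g.akamai.net.  20  IN  A  72.246.51.56
a751.g.akamai.net.  20  IN  A  72.246.51.104
"""
SECOND_ANSWER = """\
www.marca.com.  86012  IN  CNAME  www.marca.com.edgesuite.net.
www.marca.com.edgesuite.net.  21212  IN  CNAME  a751.g.akamai.net.
a751.g.akamai.net.  20  IN  A  204.203.18.163
a751.g.akamai.net.  20  IN  A  204.203.18.138
"""

if __name__ == "__main__":
    for answer in (FIRST_ANSWER, SECOND_ANSWER):
        print(audit_block_rule(answer, "194.224.66.0-194.224.66.255"))
```

Both answers report every address as missed and a 20-second TTL, which is exactly why an address-based rule cannot pin down a CDN-hosted name.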