Is there a (reasonable/simple) way to send "shorewall drop/shorewall allow" commands to a firewall from a machine in the DMZ?

I have a DNS server running in my DMZ behind a three interface shorewall firewall. I have started to see some DOS attacks on the name server and would like to be able to automate dropping traffic from the offending IP addresses at the firewall rather than at the DNS server.

Thanks.

--Richard

----------------------------------
I'm not allowed to run the train
The whistle I can't blow...
I'm not allowed to say how far
The railroad cars can go.
I'm not allowed to shoot off steam,
Nor even clang the bell;
But let the damn train jump the track
And see who catches Hell!

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
On Wed, Jan 28, 2009 at 04:12:47AM -0700, rpyne@shopsite.com wrote:
> Is there a (reasonable/simple) way to send "shorewall drop/shorewall
> allow" commands to a firewall from a machine in the DMZ?
>
> I have a DNS server running in my DMZ behind a three interface
> shorewall firewall. I have started to see some DOS attacks on the
> name server and would like to be able to automate dropping traffic
> from the offending IP addresses at the firewall rather than at the
> DNS server.
>
You could probably automate something like that using ssh and keys. However, beyond that nothing really exists.

Interestingly enough, I proposed this just yesterday: http://trac.shorewall.net/wiki/ShorewallManagementDaemonProposal

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
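One way to keep the "ssh and keys" approach from handing the DMZ host a general-purpose root shell on the firewall is an SSH forced command that accepts only `drop <ipv4>` or `allow <ipv4>` and rejects everything else. This is an added example, not code from the thread or from Shorewall itself; the wrapper path, the DMZ host address and the `/sbin/shorewall` location are assumptions.

```shell
#!/bin/sh
# shorewall-gate: forced-command wrapper run on the firewall (assumed path
# /usr/local/sbin/shorewall-gate). Install under the root account with an
# authorized_keys entry such as (assumed key and DMZ address):
#   from="10.0.2.10",command="/usr/local/sbin/shorewall-gate",no-pty,\
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... dns@dmz
set -f   # no pathname expansion while word-splitting untrusted input

# Accept only a dotted quad with four decimal octets in 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]* | .* | *. | *..* ) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Parse a request such as "drop 203.0.113.7"; print "ACTION IP" on success,
# fail on anything else (extra words, other verbs, bad or loopback addresses).
parse_request() {
    set -- $1
    [ $# -eq 2 ] || return 1
    case "$1" in
        drop | allow) ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$2" || return 1
    case "$2" in
        127.* | 0.*) return 1 ;;   # never act on loopback or unspecified
    esac
    printf '%s %s\n' "$1" "$2"
}

# Only act when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    req=$(parse_request "$SSH_ORIGINAL_COMMAND") || {
        echo "shorewall-gate: rejected request: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    set -- $req
    logger -t shorewall-gate "$1 $2 requested by ${SSH_CLIENT%% *}"
    exec /sbin/shorewall "$1" "$2"
fi
```

The DMZ host then runs `ssh -i dns_key root@firewall "drop 203.0.113.7"`; any other command string is logged and refused before Shorewall is touched.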
> ... I have a DNS server running in my DMZ behind a three interface
> shorewall firewall. I have started to see some DOS attacks on the
> name server ...

Dumb question: are there ANY legitimate external uses of your DNS servers?

If the _only_ legitimate external use of your DNS servers is to look up the name->IP your firewall presents to the open Internet, maybe you can subcontract that one entry to some external provider (for example whatever service your DNS domain name is 'registered' with). Then your own DNS servers become entirely private. (IMHO it often doesn't make a whole lot of sense to expose an entire BIND server to the Internet for just one entry.)

Once there are _no_ legitimate external uses of your DNS servers, it seems to me there's a real simple answer: Allow DNS traffic that _originates_ from the servers (pulling zone transfers, recursing requests, etc.), but disallow all DNS traffic that comes from outside. Just add a rule something like this:

DROP net dmz tcp 53

(If that definition of "originating" at first seems awkward, remember what matters to Shorewall/IPtables is 'who spoke first?', not 'which way is the data flowing?', so it really does make sense.)

Depending on your environment, maybe you don't need the complexity of banning individual IPs after all - maybe just an unchanging blanket policy is sufficient.

thanks!

-Chuck Kollars
In this case, it is a public DNS server, so, yes, there are legitimate external uses. This installation is a small ecommerce service provider that hosts about 30 domains.

--Richard

On 28 Jan 2009 at 9:38, Chuck Kollars wrote:
> > ... I have a DNS server running in my DMZ behind a three interface
> > shorewall firewall. I have started to see some DOS attacks on the
> > name server ...
>
> Dumb question: are there ANY legitimate external uses of your DNS servers?
> [...]