I am setting up a server with Ubuntu 10.04 with Shorewall v4.4.8.4 to control access.

I have successfully implemented rules for accepting traffic between the firewall and the rest of the world.

The final modification I wanted to make is to reject all traffic not explicitly allowed by the rules I have created. When I add a reject rule between the external network and the firewall, I can no longer connect to the machine.

Checking the logs I don't see any errors during startup of shorewall. I have searched via Google though have not found a solution.

I can supply details of my policies and rules as needed.

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On 15.06.10 10:48, Derek Lewis wrote:
> I am setting up a server with Ubuntu 10.04 with Shorewall v4.4.8.4 to
> control access.
>
> I have successfully implemented rules for accepting traffic between the
> firewall and the rest of the world.
>
> The final modification I wanted to make is to reject all traffic not
> explicitly allowed by the rules I have created. When I add a reject rule
> between the external network and the firewall, I can no longer connect
> to the machine.
>
> Checking the logs I don't see any errors during startup of shorewall. I
> have searched via Google though have not found a solution.
>
> I can supply details of my policies and rules as needed.

Hi,

that would help. Look at http://www.shorewall.net/support.htm#Guidelines too.

As far as I remember, you use the /etc/shorewall/policy file to deny/reject all traffic by default, and you use /etc/shorewall/rules to allow.

Allow all from local lan to the dmz and http(s) and ftp to the internet:

E.g.:

policy file:

    ...
    loc     dmz     ACCEPT
    ...
    all     all     REJECT  info

rules file:

    ...
    ACCEPT  loc     net     tcp     http,https,ftp
    ...

Regards. Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
Thank you, I checked my connectivity with ping, webmin and Samba shares. I can reach the network and external ip addresses fine, though I am not sure my rules are working as expected. I will post them to the mailing list.

-----Original Message-----
From: Götz Reinicke - IT-Koordinator [mailto:goetz.reinicke@filmakademie.de]
Sent: Tuesday, June 15, 2010 2:23 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] shorewall rules

On 15.06.10 10:48, Derek Lewis wrote:
> I am setting up a server with Ubuntu 10.04 with Shorewall v4.4.8.4 to
> control access.
>
> I have successfully implemented rules for accepting traffic between the
> firewall and the rest of the world.
>
> The final modification I wanted to make is to reject all traffic not
> explicitly allowed by the rules I have created. When I add a reject rule
> between the external network and the firewall, I can no longer connect
> to the machine.
>
> Checking the logs I don't see any errors during startup of shorewall. I
> have searched via Google though have not found a solution.
>
> I can supply details of my policies and rules as needed.

Hi,

that would help. Look at http://www.shorewall.net/support.htm#Guidelines too.

As far as I remember, you use the /etc/shorewall/policy file to deny/reject all traffic by default, and you use /etc/shorewall/rules to allow.

Allow all from local lan to the dmz and http(s) and ftp to the internet:

E.g.:

policy file:

    ...
    loc     dmz     ACCEPT
    ...
    all     all     REJECT  info

rules file:

    ...
    ACCEPT  loc     net     tcp     http,https,ftp
    ...

Regards. Götz
Here are my current shorewall policies and rules. I intended to allow traffic through to the firewall explicitly via ip address and port # though I think my rules are flawed. I can still ping an external address which I thought required port 80 to open and an ACCEPT action for the address in question.

/etc/shorewall/policy

    #SOURCE  DEST    POLICY   LOG LEVEL   LIMIT:BURST
    $FW      dmz     ACCEPT
    dmz      $FW     ACCEPT   info
    #dmz     $FW     REJECT   info
    # The FOLLOWING POLICY MUST BE LAST
    all      all     REJECT   info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules

    #ACTION  SOURCE                           DEST                             PROTO  DEST      SOURCE    ORIGINAL  RATE   USER/  MARK
    #                                                                                 PORT      PORT(S)   DEST      LIMIT  GROUP
    # ssh
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              tcp    aa        aa
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  tcp    aa        aa
    # https
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              tcp    bbbbb     bbbbb
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  tcp    bbbbb     bbbbb
    # Samba services: nmdb
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              udp    ccc       ccc
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  udp    ccc       ccc
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              udp    ddd       ddd
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  udp    ddd       ddd
    # Samba services: smdb
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              tcp    eee       eee
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  tcp    eee       eee
    ACCEPT   dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  $FW                              tcp    fff       fff
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  tcp    ggg       ggg
    # Samba services: share browsing
    ACCEPT   $FW                              dmz:xxx.xxx.x.xxx-xxx.xxx.x.yyy  udp    hhh:iii   hhh:iii
    # Time server port
    ACCEPT   dmz                              $FW                              udp    123       123
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Hi,

On 16.06.10 11:55, Derek Lewis wrote:
> Here are my current shorewall policies and rules. I intended to allow
> traffic through to the firewall explicitly via ip address and port #
> though I think my rules are flawed. I can still ping an external
> address which I thought required port 80 to open and an ACCEPT action
> for the address in question.

If you like to handle and control all traffic by rules, then you should not allow anything by default/policy ...

ping is not using port 80 (with udp or tcp) ... it is using icmp.

http://en.wikipedia.org/wiki/Ping and http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

From which host do you try to ping which host?

<...>

/Götz
Reviewing the manpages, I see the error in my /etc/shorewall/policy file... I originally defined the first two rules as shown below to allow communication with my network. I added the 'reject all' rule to prevent all other communication requests. I should set all policies below to reject. Then I can define my connections explicitly via the rules.

    #SOURCE  DEST    POLICY   LOG LEVEL   LIMIT:BURST
    $FW      dmz     ACCEPT
    dmz      $FW     ACCEPT   info
    # The FOLLOWING POLICY MUST BE LAST
    all      all     REJECT   info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Regarding the site I tried to ping as a test: db.local.clamav.net
This is one site I would want to connect to in order to get updates for clamav.

-----Original Message-----
From: Götz Reinicke - IT-Koordinator [mailto:goetz.reinicke@filmakademie.de]
Sent: Wednesday, June 16, 2010 7:10 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall rules

Hi,

On 16.06.10 11:55, Derek Lewis wrote:
> Here are my current shorewall policies and rules. I intended to allow
> traffic through to the firewall explicitly via ip address and port #
> though I think my rules are flawed. I can still ping an external
> address which I thought required port 80 to open and an ACCEPT action
> for the address in question.

If you like to handle and control all traffic by rules, then you should not allow anything by default/policy ...

ping is not using port 80 (with udp or tcp) ... it is using icmp.

http://en.wikipedia.org/wiki/Ping and http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

From which host do you try to ping which host?

<...>

/Götz
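For the layout Derek settles on above (REJECT by policy, ACCEPT by explicit rules) together with the ICMP point Götz raises, here is a worked pair of Shorewall 4.4 policy and rules files as an added example; it is not from this thread or from the Shorewall project. It assumes the thread's two zones, $FW and dmz, with the DMZ interface also being the path to the Internet (if a separate net zone exists, the outbound rules go to net instead); the 192.0.2.x management range is a constructed placeholder for the xxx.xxx.x.xxx-xxx.xxx.x.yyy range above, and Webmin's default port 10000 is assumed.

```conf
# /etc/shorewall/policy  (added example, not the thread's own file)
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
# No ACCEPT policy in either direction between $FW and dmz: everything the
# firewall host sends or receives must match an explicit rule. Logging at
# 'info' records each rejected new connection, which is how to find a rule
# that is still missing after the policy change.
all      all   REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

# /etc/shorewall/rules  (added example, not the thread's own file)
#ACTION        SOURCE                     DEST  PROTO  DEST PORT(S)
# Shorewall is stateful: one rule covers new connections in the direction
# they are opened and connection tracking passes the replies, so the paired
# "reply" rules with SOURCE PORT columns from the original post are not needed.

# Administration from the management hosts (constructed placeholder range)
SSH(ACCEPT)    dmz:192.0.2.10-192.0.2.20  $FW
# Webmin on its default port (assumed)
ACCEPT         dmz:192.0.2.10-192.0.2.20  $FW   tcp    10000
# Samba from the same hosts; the SMB macro expands to the NetBIOS/CIFS ports
SMB(ACCEPT)    dmz:192.0.2.10-192.0.2.20  $FW

# Echo request/reply is ICMP, not TCP or UDP port 80, so with an all/all
# REJECT policy ping needs its own rule for each direction it is started from.
Ping(ACCEPT)   dmz                        $FW
Ping(ACCEPT)   $FW                        dmz

# Connections the firewall host itself opens: DNS to resolve
# db.local.clamav.net, HTTP for the clamav update download, NTP for time sync
DNS(ACCEPT)    $FW                        dmz
HTTP(ACCEPT)   $FW                        dmz
NTP(ACCEPT)    $FW                        dmz
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

After editing, `shorewall check` validates the files and `shorewall try /etc/shorewall 60` loads them with an automatic revert if the SSH session is lost, which avoids the lock-out described in the first message.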