I'm trying to introduce some time based rules into my shorewall firewall.

I have reason to believe that my kernel and iptables installations support time matched rules (because I can create them directly using iptables), but I can't get shorewall to create any.

AFAICT all I need to do is create the correct entry in /etc/shorewall/rules but I'm having difficulty and, surprisingly, I can't get Google to help me.

If anyone could point me to an example of a working rules file, or point out how I could get some better diagnostics then I'd be very grateful.

I've included everything I think might be relevant below. Sorry for the long posting.

Thanks

--------------------------------------------------------------------------------------------------------------------

What I'm running:

Fedora Core 10

# uname -r
2.6.27.21-170.2.56.fc10.i586

# rpm -qa | grep iptables
iptables-1.4.3.2-1.fc10.i386
iptables-ipv6-1.4.3.2-1.fc10.i386

# rpm -qa | grep shorewall
shorewall-common-4.2.10-1.fc10.1.noarch
shorewall-shell-4.2.10-1.fc10.1.noarch
shorewall-perl-4.2.10.3-1.fc10.1.noarch
shorewall-4.2.10-1.fc10.1.noarch

Shorewall appears to have Time Matching available

# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available

Starting Shorewall

# shorewall debug start
<snip>
+ qt /sbin/iptables -A fooX24622 -m time --timestart 23:00 -j DROP
+ /sbin/iptables -A fooX24622 -m time --timestart 23:00 -j DROP
+ TIME_MATCH=Yes
<snip>

Manually creating a test 'Time Matching' rule

# iptables -A INPUT -s 200.200.200.1 -j DROP -m time --timestart 14:00 --timestop 16:00
# iptables -L | grep 200.200
DROP all -- 200.200.200.1 anywhere TIME from 14:00:00 to 16:00:00

Configuring Shorewall

According to the man page the Time column is the 12th column in the rules file, so I have this test entry:

DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05,timestop=22:15

but after restarting shorewall

# shorewall debug start
<snip>
++ expand DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00
++ eval echo '"DROP' loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - 'utc,timestart=22:05:00,timestop=22:15:00"'
+++ echo 'DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00'
+ echo DROP loc:192.168.0.14 net:84.53.134.200 tcp http - - - - - - utc,timestart=22:05:00,timestop=22:15:00
<snip>

and

# iptables -L
<snip>
DROP tcp -- 192.168.0.14 84.53.134.200 tcp dpt:http
<snip>

So no time match clause !

------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a Billion" shares his insights and actions to help propel your business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
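As an added example of the kind of diagnostic the post asks for (this is not Shorewall's code nor the poster's): a small Python script that turns a rules-file TIME column such as utc,timestart=22:05,timestop=22:15 into the iptables -m time arguments it describes, then checks an iptables -S dump for a rule that actually carries them. The chain name loc2net and the dump lines are constructed, modelled on the output quoted above.

```python
"""Translate a Shorewall rules-file TIME column into the iptables '-m time'
arguments it describes, then check an 'iptables -S' dump for a rule that
actually carries them. Added example, not Shorewall's own code."""
import re
# Shorewall TIME-column keywords and the iptables xt_time option each maps to.
VALUE_OPTIONS = {"timestart": "--timestart", "timestop": "--timestop",
                 "datestart": "--datestart", "datestop": "--datestop",
                 "weekdays": "--weekdays", "monthdays": "--monthdays"}
FLAG_OPTIONS = {"utc": "--utc", "localtz": "--localtz", "contiguous": "--contiguous"}
CLOCK = re.compile(r"^(\d{2}):(\d{2})(?::(\d{2}))?$")

def time_column_to_iptables(column):
    """'utc,timestart=22:05,timestop=22:15' -> ['-m', 'time', '--utc',
    '--timestart', '22:05:00', '--timestop', '22:15:00']; '-' yields [].
    Clock values are padded to hh:mm:ss, the form 'iptables -S' prints."""
    if column in ("", "-"):
        return []
    args = ["-m", "time"]
    for item in column.split(","):
        key, _, value = item.partition("=")
        if key in FLAG_OPTIONS and not value:
            args.append(FLAG_OPTIONS[key])
        elif key in VALUE_OPTIONS and value:
            if key in ("timestart", "timestop"):
                m = CLOCK.match(value)
                if not m:
                    raise ValueError("bad clock value in %r" % item)
                value = "%s:%s:%s" % (m.group(1), m.group(2), m.group(3) or "00")
            args += [VALUE_OPTIONS[key], value]
        else:
            raise ValueError("unknown TIME keyword %r" % item)
    return args

def check_time_match(dump, src, expected_args):
    """For each 'iptables -S' rule whose -s is src, return (rule, ok): ok is
    True only if every expected '-m time' token appears on that rule."""
    wanted, results = set(expected_args), []
    for rule in dump.splitlines():
        tokens = rule.split()
        if "-s" in tokens and tokens[tokens.index("-s") + 1].split("/")[0] == src:
            results.append((rule, wanted <= set(tokens)))
    return results

# Constructed 'iptables -S' output modelled on the thread: the Shorewall-made
# loc->net DROP lacks any time clause, the hand-made INPUT rule has one.
SAMPLE_DUMP = """\
-A loc2net -s 192.168.0.14/32 -d 84.53.134.200/32 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 200.200.200.1/32 -m time --timestart 14:00:00 --timestop 16:00:00 -j DROP
"""
```

Run it against real output with `iptables -S` piped into check_time_match for the rule's source address; a False result means the generator silently dropped the TIME column, which is exactly the symptom in the thread.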
On 11/9/10 12:36 PM, David Watkins wrote:
> I'm trying to introduce some time based rules into my shorewall firewall.
>
> I have reason to believe that my kernel and iptables installations
> support time matched rules (because I can create them directly using
> iptables), but I can't get shorewall to create any.
>
> AFAICT all I need to do is create the correct entry in
> /etc/shorewall/rules but I'm having difficulty and, surprisingly, I
> can't get Google to help me.
>
> If anyone could point me to an example of a working rules file, or
> point out how I could get some better diagnostics then I'd be very
> grateful.
>
> I've included everything I think might be relevant below. Sorry for
> the long posting.
>
> Thanks
>
> --------------------------------------------------------------------------------------------------------------------
>
> What I'm running:
>
> Fedora Core 10
>
> # uname -r
> 2.6.27.21-170.2.56.fc10.i586
>
> # rpm -qa | grep iptables
> iptables-1.4.3.2-1.fc10.i386
> iptables-ipv6-1.4.3.2-1.fc10.i386
>
> # rpm -qa | grep shorewall
> shorewall-common-4.2.10-1.fc10.1.noarch
> shorewall-shell-4.2.10-1.fc10.1.noarch
> shorewall-perl-4.2.10.3-1.fc10.1.noarch
> shorewall-4.2.10-1.fc10.1.noarch

Why, on FC10, are you using such an old version of Shorewall? (the current version is 4.4.14)

And from the trace output, you are using Shorewall-shell which was discontinued with version 4.4.0 and which doesn't support time-based rules.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> Why, on FC10, are you using such an old version of Shorewall? (the
> current version is 4.4.14)

That was the version I got after installing FC10 and doing a 'yum update'. I tend not to do subsequent updates unless I know I need to. Not sure if that's a bad habit or not?

> And from the trace output, you are using Shorewall-shell which was
> discontinued with version 4.4.0 and which doesn't support time-based rules.

I guess that was the default. If it doesn't support time-based rules then I'll switch to Shorewall-perl and see how I get on.

Thanks for the pointer.

D
On 11/9/10 3:25 PM, David Watkins wrote:
>> Why, on FC10, are you using such an old version of Shorewall? (the
>> current version is 4.4.14)
>
> That was the version I got after installing FC10 and doing a 'yum
> update'. I tend not to do subsequent updates unless I know I need to.
> Not sure if that's a bad habit or not?

Check the Shorewall Download page -- there are Fedora/RedHat repositories that provide up-to-date Shorewall packages.

>> And from the trace output, you are using Shorewall-shell which was
>> discontinued with version 4.4.0 and which doesn't support time-based rules.
>
> I guess that was the default. If it doesn't support time-based rules
> then I'll switch to Shorewall-perl and see how I get on.
>

Good plan -- Shorewall-shell is very buggy and was becoming impossible to maintain.

-Tom