Greetings,

I am a new user of Shorewall. Thanks Tom for all your work and your unbelievable responsiveness on this list. You must not sleep :)

I recently switched the firewall for our small network to Shorewall. Everything is working great. I am running Shorewall on openSuse 11.4. I want to make sure that all security patches for the OS are applied. Naturally connections from the firewall to the net are blocked by default.

My first thought is to add a rule allowing access from the firewall to the particular mirror that I use for openSuse updates (ftp.utexas.edu). openSuse uses wget for updates and ftp.utexas.edu accepts http as well as ftp. Dig shows that ftp.utexas.edu has IP address 146.6.54.21.

The rule would then be:

    ACCEPT $FW net:146.6.54.21 tcp 21

or else

    ACCEPT $FW net:146.6.54.21 tcp 80

or even

    ACCEPT $FW net:146.6.54.21 tcp 21,80

To my untrained eye this seems pretty safe. If necessary I could comment out the rule when not checking for updates and restart shorewall. I just wondered if this is okay and what other people do to update the OS that is running shorewall.

Mike

-- 
Michael A. Coan
Woodlawn Foundation
524 North Avenue, Suite 203
New Rochelle, NY 10801-3410
Tel: 914-632-3778
Fax: 914-632-5502

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On 11/07/11 11:49, mikecoan wrote:
> Greetings,
>
> I am a new user of Shorewall. Thanks Tom for all your work and your
> unbelievable responsiveness on this list. You must not sleep :)
>
> I recently switched the firewall for our small network to Shorewall.
> Everything is working great. I am running Shorewall on openSuse 11.4. I
> want to make sure that all security patches for the OS are applied.
> Naturally connections from the firewall to the net are blocked by default.
>
> My first thought is to add a rule allowing access from the firewall to
> the particular mirror that I use for openSuse updates (ftp.utexas.edu).
> openSuse uses wget for updates and ftp.utexas.edu accepts http as
> well as ftp. Dig shows that ftp.utexas.edu has IP address 146.6.54.21.
>
> The rule would then be:
>
>     ACCEPT $FW net:146.6.54.21 tcp 21
>
> or else
>
>     ACCEPT $FW net:146.6.54.21 tcp 80
>
> or even
>
>     ACCEPT $FW net:146.6.54.21 tcp 21,80
>
> To my untrained eye this seems pretty safe. If necessary I could comment
> out the rule when not checking for updates and restart shorewall. I just
> wondered if this is okay and what other people do to update the OS that
> is running shorewall.
>
> Mike

You can also use:

    ACCEPT $FW net:146.6.54.21 tcp

and allow any port on the tcp protocol to 146.6.54.21.

Anyway, I use a policy rule for $FW in /etc/shorewall/policy:

    $FW all ACCEPT

that allows all traffic from the firewall to the local net, internet, etc., so I don't need such a rule in /etc/shorewall/rules.
Ricardo,

>> I am a new user of Shorewall. Thanks Tom for all your work and your
>> unbelievable responsiveness on this list. You must not sleep :)
>>
>> I recently switched the firewall for our small network to Shorewall.
>> Everything is working great. I am running Shorewall on openSuse 11.4. I
>> want to make sure that all security patches for the OS are applied.
>> Naturally connections from the firewall to the net are blocked by default.
>>
>> My first thought is to add a rule allowing access from the firewall to
>> the particular mirror that I use for openSuse updates (ftp.utexas.edu).
>> openSuse uses wget for updates and ftp.utexas.edu accepts http as
>> well as ftp. Dig shows that ftp.utexas.edu has IP address 146.6.54.21.
>>
>> The rule would then be:
>>
>>     ACCEPT $FW net:146.6.54.21 tcp 21
>>
>> or else
>>
>>     ACCEPT $FW net:146.6.54.21 tcp 80
>>
>> or even
>>
>>     ACCEPT $FW net:146.6.54.21 tcp 21,80
>>
>> To my untrained eye this seems pretty safe. If necessary I could comment
>> out the rule when not checking for updates and restart shorewall. I just
>> wondered if this is okay and what other people do to update the OS that
>> is running shorewall.
>>
>> Mike
>
> You can also use:
>
>     ACCEPT $FW net:146.6.54.21 tcp
>
> and allow any port on the tcp protocol to 146.6.54.21.
>
> Anyway, I use a policy rule for $FW in /etc/shorewall/policy:
>
>     $FW all ACCEPT
>
> that allows all traffic from the firewall to the local net, internet, etc., so I
> don't need such a rule in /etc/shorewall/rules.

Thanks for the response. I tend to minimize allowable connections from the firewall. Your policy rule would simplify my Rules file. I have a caching nameserver on the firewall and allow DNS from the firewall to the net. If I changed the policy rule I could eliminate that rule. I am a little reluctant to change the policy to allow all connections from the firewall to the net, but maybe it is not a big problem.

Mike
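An added example, not code from the list or from Shorewall itself: a small Python audit that reads a Shorewall rules file and lists what the firewall host ($FW) is allowed to open connections to, which is the set Mike wants to keep minimal. The sample rules file is constructed here from the rules discussed in the thread (the update mirror on tcp 21,80 and DNS from the firewall's caching nameserver).

```python
"""List the outbound grants a Shorewall rules file gives the firewall host ($FW)."""

# Constructed sample of /etc/shorewall/rules, modelled on the rules in this thread.
SAMPLE_RULES = """\
#ACTION   SOURCE   DEST               PROTO   DEST_PORT(S)
SECTION NEW
# openSuse update mirror (ftp.utexas.edu resolved to this address when the rule was written)
ACCEPT    $FW      net:146.6.54.21    tcp     21,80
# caching nameserver on the firewall needs to reach upstream resolvers
ACCEPT    $FW      net                udp     53
ACCEPT    $FW      net                tcp     53
# inbound administration from the LAN: not an outbound grant, so it is not listed
ACCEPT    loc      $FW                tcp     22
DROP      $FW      net:10.0.0.0/8     tcp
"""


def fw_outbound_rules(text):
    """Return (action, dest, proto, ports) for every rule whose SOURCE column is $FW."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if cols[0].upper() in ("SECTION", "?SECTION"):  # section markers are not rules
            continue
        if len(cols) < 3 or cols[1] != "$FW":
            continue
        action = cols[0].split(":")[0].upper()  # strip a log level such as ACCEPT:info
        dest = cols[2]
        proto = cols[3].lower() if len(cols) > 3 and cols[3] != "-" else "any"
        ports = cols[4] if len(cols) > 4 and cols[4] != "-" else "any"
        out.append((action, dest, proto, ports))
    return out


def allowed_destinations(text):
    """Targets the firewall may connect to, in rule order, ignoring DROP/REJECT rules."""
    return [(d, p, ports) for a, d, p, ports in fw_outbound_rules(text) if a == "ACCEPT"]


if __name__ == "__main__":
    for dest, proto, ports in allowed_destinations(SAMPLE_RULES):
        print(f"$FW may reach {dest:20s} {proto:4s} port(s) {ports}")
```

Because the mirror rule pins an IP address, it silently stops matching if ftp.utexas.edu moves, so the resolved address is worth re-checking whenever updates start failing.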
On Mon, 2011-07-11 at 10:49 -0400, mikecoan wrote:
> Greetings,
>
> I am a new user of Shorewall. Thanks Tom for all your work and your
> unbelievable responsiveness on this list. You must not sleep :)
>
> I recently switched the firewall for our small network to Shorewall.
> Everything is working great. I am running Shorewall on openSuse 11.4. I
> want to make sure that all security patches for the OS are applied.
> Naturally connections from the firewall to the net are blocked by default.
>
> My first thought is to add a rule allowing access from the firewall to
> the particular mirror that I use for openSuse updates (ftp.utexas.edu).
> openSuse uses wget for updates and ftp.utexas.edu accepts http as
> well as ftp. Dig shows that ftp.utexas.edu has IP address 146.6.54.21.
>
> The rule would then be:
>
>     ACCEPT $FW net:146.6.54.21 tcp 21
>
> or else
>
>     ACCEPT $FW net:146.6.54.21 tcp 80
>
> or even
>
>     ACCEPT $FW net:146.6.54.21 tcp 21,80
>
> To my untrained eye this seems pretty safe. If necessary I could comment
> out the rule when not checking for updates and restart shorewall. I just
> wondered if this is okay and what other people do to update the OS that
> is running shorewall.
>
> Mike

Hi,

I'm running a few Debian machines with the firewall outbound policy set to allow. While this can be called a poor security practice, I see no reason to strengthen the iptables protection in this simple case. If an attacker were to gain control of the firewall machine somehow (SSH? remote kernel exploit?), then he could probably just disable Shorewall before joining the machine into the botnet, and since the outbound policy is supposed to prevent contacting a malicious host "out there", it proves futile in this case.

If you want to be serious about defending the firewall, pay attention to the assumptions that are made at each step. In this particular case, for the outbound policy to do anything useful, there needs to be a strong guarantee that the rules cannot be subverted due to activity done on the inside. I'd recommend using grsecurity, which allows one to restrict permissions so that even root cannot mess with iptables. Plus, it should make gaining access more difficult by preventing code injection and a whole lot of different attack techniques.

To sum up, either cover all the bases or don't overthink it :)

Robert