Hello! I have posted this question on linuxquestions.com but have not yet received a reply. Can any shorewall user help me out? http://www.linuxquestions.org/questions/slackware-14/shorewall-blacklisting-help-925149/ Thanks! ------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2
On Mon, Jan 23, 2012 at 01:48:24PM +0200, Christos Bakalis wrote:
> Hello! I have posted this question on linuxquestions.com but have not yet
> received a reply.
> Can any shorewall user help me out?
>
Your problem seems to be a result of the policy "fw net ACCEPT" but I do not use blacklisting, so to be certain I would need to see the output of 'shorewall dump'.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d
Here is the output of the command:

> Date: Mon, 23 Jan 2012 20:12:02 -0500
> From: roberto@connexer.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user
Looking at the output, it seems that your attempts to reach the blacklisted IP are matching in the fw2net policy (which is ACCEPT). This indicates that you are trying to reach the blacklisted host from your machine (which is allowed, as blacklisting works on incoming packets). What you are trying to accomplish is outbound traffic filtering. To do that, you will need to change your fw2net policy to REJECT and then specifically allow traffic to specific hosts and/or to specific ports. However, that can get rather complicated very quickly.

Regards,

-Roberto

On Tue, Jan 24, 2012 at 08:59:39PM +0200, Christos Bakalis wrote:
> Here is the output of the command:
>
> root@slack:/home/cb# shorewall dump
> Shorewall 4.4.27 Dump at slack - Tue Jan 24 20:57:02 EET 2012
>
> Counters reset Tue Jan 24 20:56:12 EET 2012
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>     9  2708 dynamic    all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>    34  4016 wlan0_in   all  --  wlan0  *       0.0.0.0/0         0.0.0.0/0
>     0     0 eth0_in    all  --  eth0   *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0         0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0         0.0.0.0/0         LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
>     0     0 reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0         [goto]
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 wlan0_fwd  all  --  wlan0  *       0.0.0.0/0         0.0.0.0/0
>     0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0         0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0         0.0.0.0/0         LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
>     0     0 reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0         [goto]
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>    15   785 fw2net     all  --  *      wlan0   0.0.0.0/0         0.0.0.0/0
>     0     0 fw2net     all  --  *      eth0    0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0         0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0         0.0.0.0/0         LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
>     0     0 reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0         [goto]
>
> Chain Broadcast (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0         ADDRTYPE match dst-type BROADCAST
>     1    36 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0         ADDRTYPE match dst-type MULTICAST
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0         ADDRTYPE match dst-type ANYCAST
>     0     0 DROP       all  --  *      *       0.0.0.0/0         224.0.0.0/4
>
> Chain Drop (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>     1    36            all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 reject     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         tcp dpt:113 /* Auth */
>     1    36 Broadcast  all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmptype 3 code 4 /* Needed ICMP types */
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmptype 11 /* Needed ICMP types */
>     0     0 Invalid    all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         multiport dports 135,445 /* SMB */
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpts:137:139 /* SMB */
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp spt:137 dpts:1024:65535 /* SMB */
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         multiport dports 135,139,445 /* SMB */
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpt:1900 /* UPnP */
>     0     0 NotSyn     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp spt:53 /* Late DNS Replies */
>
> Chain Invalid (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID
>
> Chain NotSyn (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         tcpflags:! 0x17/0x02
>
> Chain Reject (3 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0            all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 reject     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         tcp dpt:113 /* Auth */
>     0     0 Broadcast  all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmptype 3 code 4 /* Needed ICMP types */
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmptype 11 /* Needed ICMP types */
>     0     0 Invalid    all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 reject     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         multiport dports 135,445 /* SMB */
>     0     0 reject     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpts:137:139 /* SMB */
>     0     0 reject     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp spt:137 dpts:1024:65535 /* SMB */
>     0     0 reject     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         multiport dports 135,139,445 /* SMB */
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpt:1900 /* UPnP */
>     0     0 NotSyn     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp spt:53 /* Late DNS Replies */
>
> Chain blacklst (4 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 reject     all  --  *      *       174.133.253.138   0.0.0.0/0
>
> Chain dynamic (5 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain eth0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 sfilter    all  --  *      eth0    0.0.0.0/0         0.0.0.0/0         [goto]
>     0     0 dynamic    all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 blacklst   all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 net_frwd   all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain eth0_in (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 blacklst   all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpts:67:68
>     0     0 net2fw     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain fw2net (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpts:67:68
>    15   785 ACCEPT     all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain logdrop (0 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain logreject (0 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 reject     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain net2fw (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>    25  1308 ACCEPT     all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate RELATED,ESTABLISHED
>     1    36 Drop       all  --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0         0.0.0.0/0         LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain net_frwd (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 ACCEPT     all  --  *      wlan0   0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0         0.0.0.0/0
>
> Chain reject (11 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0         ADDRTYPE match src-type BROADCAST
>     0     0 DROP       all  --  *      *       224.0.0.0/4       0.0.0.0/0
>     0     0 DROP       2    --  *      *       0.0.0.0/0         0.0.0.0/0
>     0     0 REJECT     tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with tcp-reset
>     0     0 REJECT     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
>     0     0 REJECT     icmp --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-unreachable
>     0     0 REJECT     all  --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited
>
> Chain sfilter (2 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0         0.0.0.0/0         LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
>     0     0 DROP       all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain shorewall (0 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain wlan0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 sfilter    all  --  *      wlan0   0.0.0.0/0         0.0.0.0/0         [goto]
>     0     0 dynamic    all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 blacklst   all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     0     0 net_frwd   all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain wlan0_in (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>     9  2708 dynamic    all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     9  2708 blacklst   all  --  *      *       0.0.0.0/0         0.0.0.0/0         ctstate INVALID,NEW
>     8  2672 ACCEPT     udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpts:67:68
>    26  1344 net2fw     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Log (/var/log/messages)
>
>
> NAT Table
>
> Chain PREROUTING (policy ACCEPT 1 packets, 36 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Mangle Table
>
> Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>    34  4016 tcpre      all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 5 packets, 808 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>    34  4016 tcin       all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>     0     0 MARK       all  --  *      *       0.0.0.0/0         0.0.0.0/0         MARK and 0xffffff00
>     0     0 tcfor      all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>    15   785 tcout      all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>    15   785 tcpost     all  --  *      *       0.0.0.0/0         0.0.0.0/0
>
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain tcin (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain tcpre (1 references)
>  pkts bytes target     prot opt in     out     source            destination
>
> Raw Table
>
> Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
>  pkts bytes target     prot opt in     out     source            destination
>
> Conntrack Table (62 out of 65536)
>
> tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55083 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55083 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35950 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35950 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46678 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46678 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46686 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46686 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35951 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35951 [ASSURED] mark=0 use=2
> tcp 6 431940 ESTABLISHED src=192.168.1.67 dst=64.4.34.84 sport=43818 dport=80 src=64.4.34.84 dst=192.168.1.67 sport=80 dport=43818 [ASSURED] mark=0 use=2
> udp 17 25 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46675 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46675 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46689 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46689 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46685 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46685 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47341 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47341 [ASSURED] mark=0 use=2
> tcp 6 431918 ESTABLISHED src=192.168.1.67 dst=74.125.79.139 sport=47070 dport=80 src=74.125.79.139 dst=192.168.1.67 sport=80 dport=47070 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46704 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46704 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46705 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46705 [ASSURED] mark=0 use=2
> tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55088 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55088 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53006 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53006 [ASSURED] mark=0 use=2
> tcp 6 68 TIME_WAIT src=192.168.1.67 dst=141.101.124.244 sport=55070 dport=80 src=141.101.124.244 dst=192.168.1.67 sport=80 dport=55070 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46682 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46682 [ASSURED] mark=0 use=2
> tcp 6 54 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46697 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46697 [ASSURED] mark=0 use=2
> udp 17 114 src=192.168.1.67 dst=192.168.1.254 sport=42104 dport=53 src=192.168.1.254 dst=192.168.1.67 sport=53 dport=42104 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46707 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46707 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46684 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46684 [ASSURED] mark=0 use=2
> tcp 6 18 TIME_WAIT src=192.168.1.67 dst=64.4.61.111 sport=46612 dport=1863 src=64.4.61.111 dst=192.168.1.67 sport=1863 dport=46612 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46709 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46709 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46672 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46672 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46132 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46132 [ASSURED] mark=0 use=2
> tcp 6 54 TIME_WAIT src=192.168.1.67 dst=66.211.169.74 sport=57631 dport=443 src=66.211.169.74 dst=192.168.1.67 sport=443 dport=57631 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53005 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53005 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46674 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46674 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46673 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46673 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46679 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46679 [ASSURED] mark=0 use=2
> tcp 6 58 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47340 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47340 [ASSURED] mark=0 use=2
> tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46727 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46727 [ASSURED] mark=0 use=2
> tcp 6 58 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46703 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46703 [ASSURED] mark=0 use=2
> tcp 6 54 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58134 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58134 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46690 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46690 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46692 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46692 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46710 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46710 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46676 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46676 [ASSURED] mark=0 use=2
> tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46687 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46687 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46728 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46728 [ASSURED] mark=0 use=2
> tcp 6 101 TIME_WAIT src=192.168.1.67 dst=207.46.124.167 sport=59723 dport=1863 src=207.46.124.167 dst=192.168.1.67 sport=1863 dport=59723 [ASSURED] mark=0 use=2
> tcp 6 85 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46734 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46734 [ASSURED] mark=0 use=2
> tcp 6 85 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46148 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46148 [ASSURED] mark=0 use=2
> tcp 6 431972 ESTABLISHED src=192.168.1.67 dst=64.4.44.85 sport=51576 dport=1863 src=64.4.44.85 dst=192.168.1.67 sport=1863 dport=51576 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46708 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46708 [ASSURED] mark=0 use=2
> tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46729 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46729 [ASSURED] mark=0 use=2
> tcp 6 42 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35952 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35952 [ASSURED] mark=0 use=2
> tcp 6 431911 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47311 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47311 [ASSURED] mark=0 use=2
> tcp 6 58 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58135 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58135 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46677 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46677 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46717 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46717 [ASSURED] mark=0 use=2
> tcp 6 431627 ESTABLISHED src=192.168.1.67 dst=62.1.38.9 sport=58460 dport=80 [UNREPLIED] src=62.1.38.9 dst=192.168.1.67 sport=80 dport=58460 mark=0 use=2
> tcp 6 431914 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47312 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47312 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46683 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46683 [ASSURED] mark=0 use=2
> tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=62.1.38.18 sport=42653 dport=80 src=62.1.38.18 dst=192.168.1.67 sport=80 dport=42653 [ASSURED] mark=0 use=2
> tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46680 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46680 [ASSURED] mark=0 use=2
> tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47314 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47314 [ASSURED] mark=0 use=2
> tcp 6 38 TIME_WAIT src=192.168.1.67 dst=95.172.94.55 sport=46162 dport=80 src=95.172.94.55 dst=192.168.1.67 sport=80 dport=46162 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53004 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53004 [ASSURED] mark=0 use=2
> tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46706 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46706 [ASSURED] mark=0 use=2
> tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46718 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46718 [ASSURED] mark=0 use=2
>
> IP Configuration
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     inet 127.0.0.1/8 scope host lo
> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     inet 192.168.1.67/24 brd 192.168.1.255 scope global wlan0
>
> IP Stats
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     RX: bytes  packets  errors  dropped overrun mcast
>     880        16       0       0       0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     880        16       0       0       0       0
> 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 00:1e:ec:a4:e8:fb brd ff:ff:ff:ff:ff:ff
>     RX: bytes  packets  errors  dropped overrun mcast
>     0          0        0       0       0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     0          0        0       0       0       0
> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:1f:e2:c1:93:32 brd ff:ff:ff:ff:ff:ff
>     RX: bytes  packets  errors  dropped overrun mcast
>     10211554   11641    0       20      0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     1852705    9365     0       0       0       0
>
> Bridges
>
> bridge name     bridge id               STP enabled     interfaces
>
> Per-IP Counters
>
> iptaccount is not installed
>
> /proc
>
> /proc/version = Linux version 2.6.38.7-smp (root@midas) (gcc version 4.5.3 (GCC) ) #2 SMP Sat May 21 23:13:29 CDT 2011
> /proc/sys/net/ipv4/ip_forward = 1
> /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
> /proc/sys/net/ipv4/conf/all/proxy_arp = 0
> /proc/sys/net/ipv4/conf/all/arp_filter = 0
> /proc/sys/net/ipv4/conf/all/arp_ignore = 0
> /proc/sys/net/ipv4/conf/all/rp_filter = 0
> /proc/sys/net/ipv4/conf/all/log_martians = 0
> /proc/sys/net/ipv4/conf/default/proxy_arp = 0
> /proc/sys/net/ipv4/conf/default/arp_filter = 0
> /proc/sys/net/ipv4/conf/default/arp_ignore = 0
> /proc/sys/net/ipv4/conf/default/rp_filter = 0
> /proc/sys/net/ipv4/conf/default/log_martians = 1
> /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
> /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
> /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
> /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
> /proc/sys/net/ipv4/conf/eth0/log_martians = 1
> /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
> /proc/sys/net/ipv4/conf/lo/arp_filter = 0
> /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
> /proc/sys/net/ipv4/conf/lo/rp_filter = 0
> /proc/sys/net/ipv4/conf/lo/log_martians = 1
> /proc/sys/net/ipv4/conf/wlan0/proxy_arp = 0
> /proc/sys/net/ipv4/conf/wlan0/arp_filter = 0
> /proc/sys/net/ipv4/conf/wlan0/arp_ignore = 0
> /proc/sys/net/ipv4/conf/wlan0/rp_filter = 0
> /proc/sys/net/ipv4/conf/wlan0/log_martians = 1
>
> Routing Rules
>
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> Table default:
>
>
> Table local:
>
> local 192.168.1.67 dev wlan0 proto kernel scope host src 192.168.1.67
> broadcast 192.168.1.0 dev wlan0 proto kernel scope link src 192.168.1.67
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> broadcast 192.168.1.255 dev wlan0 proto kernel scope link src 192.168.1.67
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>
> Table main:
>
> 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.67 metric 303
> 127.0.0.0/8 dev lo scope link
> default via 192.168.1.254 dev wlan0 metric 303
>
> ARP
>
> ? (192.168.1.254) at 00:1f:9f:eb:5c:9e [ether] on wlan0
>
> Modules
>
> ip_set 10840 18 ipt_set,ipt_SET,ip_set_nethash,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash
> ip_set_iphash 6148 0
> ip_set_ipmap 2782 0
> ip_set_ipporthash 6531 0
> ip_set_iptree 4614 0
> ip_set_iptreemap 8076 0
> ip_set_macipmap 2821 0
> ip_set_nethash 7373 0
> ip_set_portmap 2936 0
> ip_tables 9267 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
> ipt_CLUSTERIP 4957 0
> ipt_ECN 1532 0
> ipt_LOG 6486 5
> ipt_MASQUERADE 1294 0
> ipt_NETMAP 901 0
> ipt_REDIRECT 875 0
> ipt_REJECT 2021 4
> ipt_SET 1267 0
> ipt_ULOG 4885 0
> ipt_addrtype 1589 4
> ipt_ah 857 0
> ipt_ecn 1084 0
> ipt_set 1108 0
> iptable_filter 1092 1
> iptable_mangle 1252 1
> iptable_nat 3388 0
> iptable_raw 1016 0
> nf_conntrack 44795 32 xt_CT,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
> nf_conntrack_amanda 1713 1 nf_nat_amanda
> nf_conntrack_ftp 4789 1 nf_nat_ftp
> nf_conntrack_h323 36572 1 nf_nat_h323
> nf_conntrack_ipv4 9597 15 iptable_nat,nf_nat
> nf_conntrack_irc 2607 1 nf_nat_irc
> nf_conntrack_netbios_ns 1070 0
> nf_conntrack_netlink 11900 0
> nf_conntrack_pptp 3890 1 nf_nat_pptp
> nf_conntrack_proto_gre 3073 1 nf_conntrack_pptp
> nf_conntrack_proto_sctp 5766 0
> nf_conntrack_proto_udplite 2315 0
> nf_conntrack_sane 2788 0
> nf_conntrack_sip 16024 1 nf_nat_sip
> nf_conntrack_tftp 2497 1 nf_nat_tftp
> nf_defrag_ipv4 1015 2 xt_TPROXY,nf_conntrack_ipv4
> nf_defrag_ipv6 4849 1 xt_TPROXY
> nf_nat 12344 12 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
> nf_nat_amanda 836 0
> nf_nat_ftp 1280 0
> nf_nat_h323 5291 0
> nf_nat_irc 1050 0
> nf_nat_pptp 2006 0
> nf_nat_proto_gre 1013 1 nf_nat_pptp
> nf_nat_sip 5656 0
> nf_nat_snmp_basic 7101 0
> nf_nat_tftp 674 0
> nf_tproxy_core 824 1 xt_TPROXY,[permanent]
> xt_CLASSIFY 681 0
> xt_CT 1415 0
> xt_DSCP 1703 0
> xt_NFLOG 834 0
> xt_NFQUEUE 1481 0
> xt_TPROXY 4043 0
> xt_comment 679 18
> xt_connlimit 2606 0
> xt_connmark 1457 0
> xt_conntrack 2237 12
> xt_dccp 1799 0
> xt_dscp 1231 0
> xt_hashlimit 6153 0
> xt_helper 1063 0
> xt_iprange 1316 0
> xt_length 864 0
> xt_limit 1447 0
> xt_mac 799 0
> xt_mark 889 1
> xt_multiport 1522 4
> xt_owner 867 0
> xt_physdev 1368 0
> xt_pkttype 807 0
> xt_policy 2150 0
> xt_realm 707 0
> xt_recent 6458 0
> xt_state 963 0
> xt_tcpmss 1125 0
> xt_tcpudp 1939 14
> xt_time 1663 0
>
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Extended Connection Tracking Match Support: Available
>    Packet Type Match: Available
>    Policy Match: Available
>    Physdev Match: Available
>    Physdev-is-bridged Support: Available
>    Packet length Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Available
>    CONNMARK Target: Available
>    Extended CONNMARK Target: Available
>    Connmark Match: Available
>    Extended Connmark Match: Available
>    Raw Table: Available
>    Rawpost Table: Not available
>    IPP2P Match: Not available
>    CLASSIFY Target: Available
>    Extended REJECT: Available
>    Repeat match: Available
>    MARK Target: Available
>    Extended MARK Target: Available
>    Extended MARK Target 2: Available
>    Mangle FORWARD Chain: Available
>    Comments: Available
>    Address Type Match: Available
>    TCPMSS Match: Available
>    Hashlimit Match: Available
>    NFQUEUE Target: Available
>    Realm Match: Available
>    Helper Match: Available
>    Connlimit Match: Available
>    Time Match: Available
>    Goto Support: Available
>    LOGMARK Target: Not available
>    IPMARK Target: Not available
>    LOG Target: Available
>    ULOG Target: Available
>    NFLOG Target: Available
>    Persistent SNAT: Available
>    TPROXY Target: Available
>    FLOW Classifier: Available
>    fwmark route mask: Available
>    Mark in any table: Available
>    Header Match: Not available
>    ACCOUNT Target: Not available
>    AUDIT Target: Not available
>    ipset V5: Not available
>    Condition Match: Not available
>    iptables -S: Available
>    Basic Filter: Available
>    CT Target: Available
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1860/sshd
> tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      1855/inetd
> tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2244/X
> tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      1855/inetd
> tcp        0      0 192.168.1.67:47311      209.85.229.94:80        ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:55088      173.194.70.120:80       ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:55083      173.194.70.120:80       ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:43818      64.4.34.84:80           ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:47314      209.85.229.94:80        ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:59723      207.46.124.167:1863     TIME_WAIT   -
> tcp        0      0 192.168.1.67:51576      64.4.44.85:1863         ESTABLISHED 2505/pidgin
> tcp        0      0 192.168.1.67:47312      209.85.229.94:80        ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:47070      74.125.79.139:80        ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:42653      62.1.38.18:80           ESTABLISHED 2506/firefox
> tcp        0      0 192.168.1.67:57795      65.55.85.91:443         ESTABLISHED 2505/pidgin
> tcp        0      0 :::22                   :::*                    LISTEN      1860/sshd
> tcp        0      0 :::6000                 :::*                    LISTEN      2244/X
> udp        0      0 0.0.0.0:512             0.0.0.0:*                           1855/inetd
> udp        0      0 0.0.0.0:37              0.0.0.0:*                           1855/inetd
>
> Traffic Control
>
> Device eth0:
> qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
>
>
> Device wlan0:
> qdisc mq 0: root
>  Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
>
> class mq :1 root
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
> class mq :2 root
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
> class mq :3 root
>  Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
> class mq :4 root
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
>
>
> TC Filters
>
> Device eth0:
>
> Device wlan0:

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
I understand what you mean, but it is totally impractical. Creating a blacklisting firewall for all sites and excluding 5-6? There's got to be another way.

Date: Tue, 24 Jan 2012 17:00:38 -0500
From: roberto@connexer.com
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user

Looking at the output, it seems that your attempts to reach the blacklisted IP are matching in the fw2net policy (which is ACCEPT). This indicates that you are trying to reach the blacklisted host from your machine (which is allowed, as blacklisting works on incoming packets). What you are trying to accomplish is outbound traffic filtering. To do that, you will need to change your fw2net policy to REJECT and then specifically allow traffic to specific hosts and/or to specific ports. However, that can get rather complicated very quickly.

Regards,

-Roberto

On Tue, Jan 24, 2012 at 08:59:39PM +0200, Christos Bakalis wrote:
> Here is the output of the command:
Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro > Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-d2d > _______________________________________________ Shorewall-users mailing > list Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users > > References > > Visible links > 1. http://people.connexer.com/%7Eroberto > 2. http://www.connexer.com/> root@slack:/home/cb# shorewall dump > Shorewall 4.4.27 Dump at slack - Tue Jan 24 20:57:02 EET 2012 > > Counters reset Tue Jan 24 20:56:12 EET 2012 > > Chain INPUT (policy DROP 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 34 4016 wlan0_in all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 > 0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:" > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > Chain FORWARD (policy DROP 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 0 0 wlan0_fwd all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 > 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:" > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > Chain OUTPUT (policy DROP 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 15 785 fw2net all -- * wlan0 0.0.0.0/0 0.0.0.0/0 > 0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:" > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > Chain Broadcast (2 references) > pkts bytes 
target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST > 1 36 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST > 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4 > > Chain Drop (1 references) > pkts bytes target prot opt in out source destination > 1 36 all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > 1 36 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > Chain Invalid (2 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID > > Chain NotSyn (2 references) > pkts bytes target prot opt in out source destination > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 
0x17/0x02 > > Chain Reject (3 references) > pkts bytes target prot opt in out source destination > 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > 0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > Chain blacklst (4 references) > pkts bytes target prot opt in out source destination > 0 0 reject all -- * * 174.133.253.138 0.0.0.0/0 > > Chain dynamic (5 references) > pkts bytes target prot opt in out source destination > > Chain eth0_fwd (1 references) > pkts bytes target prot opt in out source destination > 0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0 [goto] > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain eth0_in (1 references) > pkts bytes target prot opt in out source destination > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain fw2net (2 references) > pkts bytes target prot opt in out source destination > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 15 785 ACCEPT all 
-- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain logdrop (0 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain logreject (0 references) > pkts bytes target prot opt in out source destination > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain net2fw (2 references) > pkts bytes target prot opt in out source destination > 25 1308 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > 1 36 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:" > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain net_frwd (2 references) > pkts bytes target prot opt in out source destination > 0 0 ACCEPT all -- * wlan0 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 > > Chain reject (11 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST > 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 > 0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset > 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable > 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited > > Chain sfilter (2 references) > pkts bytes target prot opt in out source destination > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:" > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain shorewall (0 references) > pkts bytes target prot opt in out source destination > > Chain wlan0_fwd (1 references) > pkts bytes target prot opt in out source destination > 0 0 sfilter all -- * wlan0 0.0.0.0/0 0.0.0.0/0 [goto] > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 
0.0.0.0/0 ctstate INVALID,NEW > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain wlan0_in (1 references) > pkts bytes target prot opt in out source destination > 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 9 2708 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 8 2672 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 26 1344 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > Log (/var/log/messages) > > > NAT Table > > Chain PREROUTING (policy ACCEPT 1 packets, 36 bytes) > pkts bytes target prot opt in out source destination > > Chain INPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Mangle Table > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > 34 4016 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain INPUT (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > 34 4016 tcin all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00 > 0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > 15 785 tcout all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > 15 785 tcpost all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain tcfor (1 references) > pkts bytes target prot opt in out source destination > > Chain tcin (1 references) > pkts bytes target prot opt in out source destination > > Chain tcout (1 references) > pkts bytes target prot opt in out source 
destination > > Chain tcpost (1 references) > pkts bytes target prot opt in out source destination > > Chain tcpre (1 references) > pkts bytes target prot opt in out source destination > > Raw Table > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > > Conntrack Table (62 out of 65536) > > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55083 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55083 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35950 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35950 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46678 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46678 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46686 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46686 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35951 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35951 [ASSURED] mark=0 use=2 > tcp 6 431940 ESTABLISHED src=192.168.1.67 dst=64.4.34.84 sport=43818 dport=80 src=64.4.34.84 dst=192.168.1.67 sport=80 dport=43818 [ASSURED] mark=0 use=2 > udp 17 25 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46675 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46675 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46689 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46689 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46685 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 
dport=46685 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47341 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47341 [ASSURED] mark=0 use=2 > tcp 6 431918 ESTABLISHED src=192.168.1.67 dst=74.125.79.139 sport=47070 dport=80 src=74.125.79.139 dst=192.168.1.67 sport=80 dport=47070 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46704 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46704 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46705 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46705 [ASSURED] mark=0 use=2 > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55088 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55088 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53006 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53006 [ASSURED] mark=0 use=2 > tcp 6 68 TIME_WAIT src=192.168.1.67 dst=141.101.124.244 sport=55070 dport=80 src=141.101.124.244 dst=192.168.1.67 sport=80 dport=55070 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46682 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46682 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46697 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46697 [ASSURED] mark=0 use=2 > udp 17 114 src=192.168.1.67 dst=192.168.1.254 sport=42104 dport=53 src=192.168.1.254 dst=192.168.1.67 sport=53 dport=42104 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46707 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46707 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46684 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46684 [ASSURED] mark=0 use=2 > tcp 6 18 TIME_WAIT src=192.168.1.67 dst=64.4.61.111 
sport=46612 dport=1863 src=64.4.61.111 dst=192.168.1.67 sport=1863 dport=46612 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46709 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46709 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46672 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46672 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46132 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46132 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=66.211.169.74 sport=57631 dport=443 src=66.211.169.74 dst=192.168.1.67 sport=443 dport=57631 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53005 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53005 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46674 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46674 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46673 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46673 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46679 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46679 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47340 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47340 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46727 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46727 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46703 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46703 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58134 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58134 [ASSURED] mark=0 
use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46690 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46690 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46692 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46692 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46710 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46710 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46676 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46676 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46687 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46687 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46728 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46728 [ASSURED] mark=0 use=2 > tcp 6 101 TIME_WAIT src=192.168.1.67 dst=207.46.124.167 sport=59723 dport=1863 src=207.46.124.167 dst=192.168.1.67 sport=1863 dport=59723 [ASSURED] mark=0 use=2 > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46734 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46734 [ASSURED] mark=0 use=2 > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46148 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46148 [ASSURED] mark=0 use=2 > tcp 6 431972 ESTABLISHED src=192.168.1.67 dst=64.4.44.85 sport=51576 dport=1863 src=64.4.44.85 dst=192.168.1.67 sport=1863 dport=51576 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46708 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46708 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46729 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46729 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35952 
dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35952 [ASSURED] mark=0 use=2 > tcp 6 431911 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47311 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47311 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58135 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58135 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46677 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46677 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46717 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46717 [ASSURED] mark=0 use=2 > tcp 6 431627 ESTABLISHED src=192.168.1.67 dst=62.1.38.9 sport=58460 dport=80 [UNREPLIED] src=62.1.38.9 dst=192.168.1.67 sport=80 dport=58460 mark=0 use=2 > tcp 6 431914 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47312 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47312 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46683 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46683 [ASSURED] mark=0 use=2 > tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=62.1.38.18 sport=42653 dport=80 src=62.1.38.18 dst=192.168.1.67 sport=80 dport=42653 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46680 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46680 [ASSURED] mark=0 use=2 > tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47314 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47314 [ASSURED] mark=0 use=2 > tcp 6 38 TIME_WAIT src=192.168.1.67 dst=95.172.94.55 sport=46162 dport=80 src=95.172.94.55 dst=192.168.1.67 sport=80 dport=46162 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53004 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53004 [ASSURED] mark=0 use=2 > tcp 6 
59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46706 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46706 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46718 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46718 [ASSURED] mark=0 use=2 > > IP Configuration > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > inet 127.0.0.1/8 scope host lo > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > inet 192.168.1.67/24 brd 192.168.1.255 scope global wlan0 > > IP Stats > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > RX: bytes packets errors dropped overrun mcast > 880 16 0 0 0 0 > TX: bytes packets errors dropped carrier collsns > 880 16 0 0 0 0 > 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 > link/ether 00:1e:ec:a4:e8:fb brd ff:ff:ff:ff:ff:ff > RX: bytes packets errors dropped overrun mcast > 0 0 0 0 0 0 > TX: bytes packets errors dropped carrier collsns > 0 0 0 0 0 0 > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > link/ether 00:1f:e2:c1:93:32 brd ff:ff:ff:ff:ff:ff > RX: bytes packets errors dropped overrun mcast > 10211554 11641 0 20 0 0 > TX: bytes packets errors dropped carrier collsns > 1852705 9365 0 0 0 0 > > Bridges > > bridge name bridge id STP enabled interfaces > > Per-IP Counters > > iptaccount is not installed > > /proc > > /proc/version = Linux version 2.6.38.7-smp (root@midas) (gcc version 4.5.3 (GCC) ) #2 SMP Sat May 21 23:13:29 CDT 2011 > /proc/sys/net/ipv4/ip_forward = 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 > /proc/sys/net/ipv4/conf/all/proxy_arp = 0 > /proc/sys/net/ipv4/conf/all/arp_filter = 0 > /proc/sys/net/ipv4/conf/all/arp_ignore = 0 > /proc/sys/net/ipv4/conf/all/rp_filter = 0 > /proc/sys/net/ipv4/conf/all/log_martians = 0 > 
/proc/sys/net/ipv4/conf/default/proxy_arp = 0 > /proc/sys/net/ipv4/conf/default/arp_filter = 0 > /proc/sys/net/ipv4/conf/default/arp_ignore = 0 > /proc/sys/net/ipv4/conf/default/rp_filter = 0 > /proc/sys/net/ipv4/conf/default/log_martians = 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 > /proc/sys/net/ipv4/conf/eth0/arp_filter = 0 > /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter = 0 > /proc/sys/net/ipv4/conf/eth0/log_martians = 1 > /proc/sys/net/ipv4/conf/lo/proxy_arp = 0 > /proc/sys/net/ipv4/conf/lo/arp_filter = 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore = 0 > /proc/sys/net/ipv4/conf/lo/rp_filter = 0 > /proc/sys/net/ipv4/conf/lo/log_martians = 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp = 0 > /proc/sys/net/ipv4/conf/wlan0/arp_filter = 0 > /proc/sys/net/ipv4/conf/wlan0/arp_ignore = 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter = 0 > /proc/sys/net/ipv4/conf/wlan0/log_martians = 1 > > Routing Rules > > 0: from all lookup local > 32766: from all lookup main > 32767: from all lookup default > > Table default: > > > Table local: > > local 192.168.1.67 dev wlan0 proto kernel scope host src 192.168.1.67 > broadcast 192.168.1.0 dev wlan0 proto kernel scope link src 192.168.1.67 > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 > broadcast 192.168.1.255 dev wlan0 proto kernel scope link src 192.168.1.67 > broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 > > Table main: > > 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.67 metric 303 > 127.0.0.0/8 dev lo scope link > default via 192.168.1.254 dev wlan0 metric 303 > > ARP > > ? 
(192.168.1.254) at 00:1f:9f:eb:5c:9e [ether] on wlan0 > > Modules > > ip_set 10840 18 ipt_set,ipt_SET,ip_set_nethash,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash > ip_set_iphash 6148 0 > ip_set_ipmap 2782 0 > ip_set_ipporthash 6531 0 > ip_set_iptree 4614 0 > ip_set_iptreemap 8076 0 > ip_set_macipmap 2821 0 > ip_set_nethash 7373 0 > ip_set_portmap 2936 0 > ip_tables 9267 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter > ipt_CLUSTERIP 4957 0 > ipt_ECN 1532 0 > ipt_LOG 6486 5 > ipt_MASQUERADE 1294 0 > ipt_NETMAP 901 0 > ipt_REDIRECT 875 0 > ipt_REJECT 2021 4 > ipt_SET 1267 0 > ipt_ULOG 4885 0 > ipt_addrtype 1589 4 > ipt_ah 857 0 > ipt_ecn 1084 0 > ipt_set 1108 0 > iptable_filter 1092 1 > iptable_mangle 1252 1 > iptable_nat 3388 0 > iptable_raw 1016 0 > nf_conntrack 44795 32 xt_CT,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4 > nf_conntrack_amanda 1713 1 nf_nat_amanda > nf_conntrack_ftp 4789 1 nf_nat_ftp > nf_conntrack_h323 36572 1 nf_nat_h323 > nf_conntrack_ipv4 9597 15 iptable_nat,nf_nat > nf_conntrack_irc 2607 1 nf_nat_irc > nf_conntrack_netbios_ns 1070 0 > nf_conntrack_netlink 11900 0 > nf_conntrack_pptp 3890 1 nf_nat_pptp > nf_conntrack_proto_gre 3073 1 nf_conntrack_pptp > nf_conntrack_proto_sctp 5766 0 > nf_conntrack_proto_udplite 2315 0 > nf_conntrack_sane 2788 0 > nf_conntrack_sip 16024 1 nf_nat_sip > nf_conntrack_tftp 2497 1 nf_nat_tftp > nf_defrag_ipv4 1015 2 xt_TPROXY,nf_conntrack_ipv4 > nf_defrag_ipv6 4849 1 xt_TPROXY > nf_nat 12344 12 
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat > nf_nat_amanda 836 0 > nf_nat_ftp 1280 0 > nf_nat_h323 5291 0 > nf_nat_irc 1050 0 > nf_nat_pptp 2006 0 > nf_nat_proto_gre 1013 1 nf_nat_pptp > nf_nat_sip 5656 0 > nf_nat_snmp_basic 7101 0 > nf_nat_tftp 674 0 > nf_tproxy_core 824 1 xt_TPROXY,[permanent] > xt_CLASSIFY 681 0 > xt_CT 1415 0 > xt_DSCP 1703 0 > xt_NFLOG 834 0 > xt_NFQUEUE 1481 0 > xt_TPROXY 4043 0 > xt_comment 679 18 > xt_connlimit 2606 0 > xt_connmark 1457 0 > xt_conntrack 2237 12 > xt_dccp 1799 0 > xt_dscp 1231 0 > xt_hashlimit 6153 0 > xt_helper 1063 0 > xt_iprange 1316 0 > xt_length 864 0 > xt_limit 1447 0 > xt_mac 799 0 > xt_mark 889 1 > xt_multiport 1522 4 > xt_owner 867 0 > xt_physdev 1368 0 > xt_pkttype 807 0 > xt_policy 2150 0 > xt_realm 707 0 > xt_recent 6458 0 > xt_state 963 0 > xt_tcpmss 1125 0 > xt_tcpudp 1939 14 > xt_time 1663 0 > > Shorewall has detected the following iptables/netfilter capabilities: > NAT: Available > Packet Mangling: Available > Multi-port Match: Available > Extended Multi-port Match: Available > Connection Tracking Match: Available > Extended Connection Tracking Match Support: Available > Packet Type Match: Available > Policy Match: Available > Physdev Match: Available > Physdev-is-bridged Support: Available > Packet length Match: Available > IP range Match: Available > Recent Match: Available > Owner Match: Available > Ipset Match: Available > CONNMARK Target: Available > Extended CONNMARK Target: Available > Connmark Match: Available > Extended Connmark Match: Available > Raw Table: Available > Rawpost Table: Not available > IPP2P Match: Not available > CLASSIFY Target: Available > Extended REJECT: Available > Repeat match: Available > MARK Target: Available > Extended MARK Target: Available > Extended MARK Target 2: Available > Mangle FORWARD Chain: Available > Comments: Available > Address Type Match: Available > 
TCPMSS Match: Available > Hashlimit Match: Available > NFQUEUE Target: Available > Realm Match: Available > Helper Match: Available > Connlimit Match: Available > Time Match: Available > Goto Support: Available > LOGMARK Target: Not available > IPMARK Target: Not available > LOG Target: Available > ULOG Target: Available > NFLOG Target: Available > Persistent SNAT: Available > TPROXY Target: Available > FLOW Classifier: Available > fwmark route mask: Available > Mark in any table: Available > Header Match: Not available > ACCOUNT Target: Not available > AUDIT Target: Not available > ipset V5: Not available > Condition Match: Not available > iptables -S: Available > Basic Filter: Available > CT Target: Available > > Active Internet connections (servers and established) > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1860/sshd > tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 1855/inetd > tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2244/X > tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 1855/inetd > tcp 0 0 192.168.1.67:47311 209.85.229.94:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:55088 173.194.70.120:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:55083 173.194.70.120:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:43818 64.4.34.84:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:47314 209.85.229.94:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:59723 207.46.124.167:1863 TIME_WAIT - > tcp 0 0 192.168.1.67:51576 64.4.44.85:1863 ESTABLISHED 2505/pidgin > tcp 0 0 192.168.1.67:47312 209.85.229.94:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:47070 74.125.79.139:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:42653 62.1.38.18:80 ESTABLISHED 2506/firefox > tcp 0 0 192.168.1.67:57795 65.55.85.91:443 ESTABLISHED 2505/pidgin > tcp 0 0 :::22 :::* LISTEN 1860/sshd > tcp 0 0 :::6000 :::* LISTEN 2244/X > udp 0 0 0.0.0.0:512 0.0.0.0:* 1855/inetd > udp 0 0 0.0.0.0:37 0.0.0.0:* 1855/inetd > > Traffic Control > > 
Device eth0: > qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > > > Device wlan0: > qdisc mq 0: root > Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > > class mq :1 root > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > class mq :2 root > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > class mq :3 root > Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > class mq :4 root > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > backlog 0b 0p requeues 0 > > > TC Filters > > Device eth0: > > Device wlan0:

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On 01/24/2012 02:22 PM, Christos Bakalis wrote:
> I understand what you mean but it is totally impractical.
> Creating a blacklisting firewall for all sites and excluding 5-6?
> There's got to be another way

Shorewall does offer destination-based blacklisting. Check out the OPTIONS column of /etc/shorewall/blacklist. Recent versions also offer zone-based blacklisting via the /etc/shorewall/blrules file.

-Tom
-- 
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Assuming you're running 4.4.13 or later: I believe that if you enter 'dst' in the optional 4th column of the blacklist file then the outbound connections would be blocked. You probably would want to have two entries for each blocked subnet, one inbound and one outbound. There are a couple of useful notes about requirements in the man page (http://shorewall.net/manpages/shorewall-blacklist.html)

On 24 Jan 2012, at 22:22, Christos Bakalis wrote:
> I understand what you mean but it is totally impractical.
> Creating a blacklisting firewall for all sites and excluding 5-6? There's got to be another way
>
> Date: Tue, 24 Jan 2012 17:00:38 -0500
> From: roberto@connexer.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user
>
> Looking at the output, it seems that your attempts to reach the
> blacklisted IP are matching in the fw2net policy (which is ACCEPT).
> This indicates that you are trying to reach the blacklisted host from
> your machine (which is allowed, as blacklisting works on incoming
> packets). What you are trying to accomplish is outbound traffic
> filtering. To do that, you will need to change your fw2net policy to
> REJECT and then specifically allow traffic to specific hosts and/or to
> specific ports. However, that can get rather complicated very quickly.
>
> Regards,
>
> -Roberto
>
> On Tue, Jan 24, 2012 at 08:59:39PM +0200, Christos Bakalis wrote:
> > Here is the output of the command:
> >
> > Date: Mon, 23 Jan 2012 20:12:02 -0500
> > From: roberto@connexer.com
> > To: shorewall-users@lists.sourceforge.net
> > Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user
> >
> > On Mon, Jan 23, 2012 at 01:48:24PM +0200, Christos Bakalis wrote:
> > > Hello! I have posted this question on linuxquestions.com but have not yet
> > > received a reply.
> > > Can any shorewall user help me out?
> >
> > Your problem seems to be a result of the policy "fw net ACCEPT" but I do
> > not use blacklisting, so to be certain I would need to see the output of
> > 'shorewall dump'.
> >
> > Regards,
> >
> > -Roberto
> >
> > --
> > Roberto C. Sánchez
> > [1]http://people.connexer.com/~roberto
> > [2]http://www.connexer.com
> >
> > References
> >
> > Visible links
> > 1. http://people.connexer.com/%7Eroberto
> > 2.
http://www.connexer.com/ > > > root@slack:/home/cb# shorewall dump > > Shorewall 4.4.27 Dump at slack - Tue Jan 24 20:57:02 EET 2012 > > > > Counters reset Tue Jan 24 20:56:12 EET 2012 > > > > Chain INPUT (policy DROP 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 34 4016 wlan0_in all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 > > 0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 > > 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 > > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:" > > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > 0 0 wlan0_fwd all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 > > 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 > > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:" > > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > > > Chain OUTPUT (policy DROP 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > 15 785 fw2net all -- * wlan0 0.0.0.0/0 0.0.0.0/0 > > 0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 > > 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 > > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:" > > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] > > > > Chain Broadcast (2 references) > > pkts bytes target prot opt in out source destination > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST > > 1 36 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST > > 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4 > > > > Chain Drop (1 references) > > pkts 
bytes target prot opt in out source destination > > 1 36 all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > > 1 36 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > > > Chain Invalid (2 references) > > pkts bytes target prot opt in out source destination > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID > > > > Chain NotSyn (2 references) > > pkts bytes target prot opt in out source destination > > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 
0x17/0x02 > > > > Chain Reject (3 references) > > pkts bytes target prot opt in out source destination > > 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > > 0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > > > Chain blacklst (4 references) > > pkts bytes target prot opt in out source destination > > 0 0 reject all -- * * 174.133.253.138 0.0.0.0/0 > > > > Chain dynamic (5 references) > > pkts bytes target prot opt in out source destination > > > > Chain eth0_fwd (1 references) > > pkts bytes target prot opt in out source destination > > 0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0 [goto] > > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain eth0_in (1 references) > > pkts bytes target prot opt in out source destination > > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > > 0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain fw2net (2 references) > > pkts bytes target prot opt in out source destination 
> > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > > 15 785 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain logdrop (0 references) > > pkts bytes target prot opt in out source destination > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain logreject (0 references) > > pkts bytes target prot opt in out source destination > > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain net2fw (2 references) > > pkts bytes target prot opt in out source destination > > 25 1308 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > > 1 36 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:" > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain net_frwd (2 references) > > pkts bytes target prot opt in out source destination > > 0 0 ACCEPT all -- * wlan0 0.0.0.0/0 0.0.0.0/0 > > 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 > > > > Chain reject (11 references) > > pkts bytes target prot opt in out source destination > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST > > 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 > > 0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0 > > 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset > > 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > > 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable > > 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited > > > > Chain sfilter (2 references) > > pkts bytes target prot opt in out source destination > > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:" > > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain shorewall (0 references) > > pkts bytes target prot opt in out source destination > > > > Chain wlan0_fwd (1 references) > > pkts bytes target prot opt in out source 
destination > > 0 0 sfilter all -- * wlan0 0.0.0.0/0 0.0.0.0/0 [goto] > > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain wlan0_in (1 references) > > pkts bytes target prot opt in out source destination > > 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 9 2708 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > > 8 2672 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > > 26 1344 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Log (/var/log/messages) > > > > > > NAT Table > > > > Chain PREROUTING (policy ACCEPT 1 packets, 36 bytes) > > pkts bytes target prot opt in out source destination > > > > Chain INPUT (policy ACCEPT 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > > > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > > > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > > > Mangle Table > > > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > > pkts bytes target prot opt in out source destination > > 34 4016 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain INPUT (policy ACCEPT 5 packets, 808 bytes) > > pkts bytes target prot opt in out source destination > > 34 4016 tcin all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) > > pkts bytes target prot opt in out source destination > > 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00 > > 0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > > pkts bytes target prot opt in out source destination > > 15 785 tcout all -- * * 0.0.0.0/0 0.0.0.0/0 > > > > Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes) > > pkts bytes target prot opt in out source destination > > 15 785 tcpost all -- 
* * 0.0.0.0/0 0.0.0.0/0 > > > > Chain tcfor (1 references) > > pkts bytes target prot opt in out source destination > > > > Chain tcin (1 references) > > pkts bytes target prot opt in out source destination > > > > Chain tcout (1 references) > > pkts bytes target prot opt in out source destination > > > > Chain tcpost (1 references) > > pkts bytes target prot opt in out source destination > > > > Chain tcpre (1 references) > > pkts bytes target prot opt in out source destination > > > > Raw Table > > > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > > pkts bytes target prot opt in out source destination > > > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > > pkts bytes target prot opt in out source destination > > > > Conntrack Table (62 out of 65536) > > > > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55083 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55083 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35950 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35950 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46678 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46678 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46686 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46686 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35951 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35951 [ASSURED] mark=0 use=2 > > tcp 6 431940 ESTABLISHED src=192.168.1.67 dst=64.4.34.84 sport=43818 dport=80 src=64.4.34.84 dst=192.168.1.67 sport=80 dport=43818 [ASSURED] mark=0 use=2 > > udp 17 25 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46675 dport=80 src=174.133.253.138 
dst=192.168.1.67 sport=80 dport=46675 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46689 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46689 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46685 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46685 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47341 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47341 [ASSURED] mark=0 use=2 > > tcp 6 431918 ESTABLISHED src=192.168.1.67 dst=74.125.79.139 sport=47070 dport=80 src=74.125.79.139 dst=192.168.1.67 sport=80 dport=47070 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46704 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46704 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46705 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46705 [ASSURED] mark=0 use=2 > > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55088 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55088 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53006 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53006 [ASSURED] mark=0 use=2 > > tcp 6 68 TIME_WAIT src=192.168.1.67 dst=141.101.124.244 sport=55070 dport=80 src=141.101.124.244 dst=192.168.1.67 sport=80 dport=55070 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46682 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46682 [ASSURED] mark=0 use=2 > > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46697 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46697 [ASSURED] mark=0 use=2 > > udp 17 114 src=192.168.1.67 dst=192.168.1.254 sport=42104 dport=53 src=192.168.1.254 dst=192.168.1.67 sport=53 dport=42104 [ASSURED] mark=0 use=2 > > 
tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46707 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46707 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46684 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46684 [ASSURED] mark=0 use=2 > > tcp 6 18 TIME_WAIT src=192.168.1.67 dst=64.4.61.111 sport=46612 dport=1863 src=64.4.61.111 dst=192.168.1.67 sport=1863 dport=46612 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46709 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46709 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46672 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46672 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46132 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46132 [ASSURED] mark=0 use=2 > > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=66.211.169.74 sport=57631 dport=443 src=66.211.169.74 dst=192.168.1.67 sport=443 dport=57631 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53005 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53005 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46674 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46674 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46673 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46673 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46679 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46679 [ASSURED] mark=0 use=2 > > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47340 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47340 [ASSURED] mark=0 use=2 > > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 
sport=46727 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46727 [ASSURED] mark=0 use=2 > > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46703 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46703 [ASSURED] mark=0 use=2 > > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58134 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58134 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46690 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46690 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46692 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46692 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46710 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46710 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46676 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46676 [ASSURED] mark=0 use=2 > > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46687 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46687 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46728 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46728 [ASSURED] mark=0 use=2 > > tcp 6 101 TIME_WAIT src=192.168.1.67 dst=207.46.124.167 sport=59723 dport=1863 src=207.46.124.167 dst=192.168.1.67 sport=1863 dport=59723 [ASSURED] mark=0 use=2 > > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46734 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46734 [ASSURED] mark=0 use=2 > > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46148 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46148 [ASSURED] mark=0 use=2 > > tcp 6 431972 ESTABLISHED src=192.168.1.67 dst=64.4.44.85 sport=51576 dport=1863 src=64.4.44.85 dst=192.168.1.67 
sport=1863 dport=51576 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46708 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46708 [ASSURED] mark=0 use=2 > > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46729 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46729 [ASSURED] mark=0 use=2 > > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35952 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35952 [ASSURED] mark=0 use=2 > > tcp 6 431911 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47311 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47311 [ASSURED] mark=0 use=2 > > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58135 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58135 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46677 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46677 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46717 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46717 [ASSURED] mark=0 use=2 > > tcp 6 431627 ESTABLISHED src=192.168.1.67 dst=62.1.38.9 sport=58460 dport=80 [UNREPLIED] src=62.1.38.9 dst=192.168.1.67 sport=80 dport=58460 mark=0 use=2 > > tcp 6 431914 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47312 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47312 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46683 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46683 [ASSURED] mark=0 use=2 > > tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=62.1.38.18 sport=42653 dport=80 src=62.1.38.18 dst=192.168.1.67 sport=80 dport=42653 [ASSURED] mark=0 use=2 > > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46680 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46680 [ASSURED] mark=0 use=2 > > tcp 6 431917 
ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47314 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47314 [ASSURED] mark=0 use=2 > > tcp 6 38 TIME_WAIT src=192.168.1.67 dst=95.172.94.55 sport=46162 dport=80 src=95.172.94.55 dst=192.168.1.67 sport=80 dport=46162 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53004 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53004 [ASSURED] mark=0 use=2 > > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46706 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46706 [ASSURED] mark=0 use=2 > > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46718 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46718 [ASSURED] mark=0 use=2 > > > > IP Configuration > > > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > > inet 127.0.0.1/8 scope host lo > > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > > inet 192.168.1.67/24 brd 192.168.1.255 scope global wlan0 > > > > IP Stats > > > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > RX: bytes packets errors dropped overrun mcast > > 880 16 0 0 0 0 > > TX: bytes packets errors dropped carrier collsns > > 880 16 0 0 0 0 > > 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 > > link/ether 00:1e:ec:a4:e8:fb brd ff:ff:ff:ff:ff:ff > > RX: bytes packets errors dropped overrun mcast > > 0 0 0 0 0 0 > > TX: bytes packets errors dropped carrier collsns > > 0 0 0 0 0 0 > > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > > link/ether 00:1f:e2:c1:93:32 brd ff:ff:ff:ff:ff:ff > > RX: bytes packets errors dropped overrun mcast > > 10211554 11641 0 20 0 0 > > TX: bytes packets errors dropped carrier collsns > > 1852705 9365 0 0 0 0 > > > > Bridges > > > > bridge name bridge id STP 
enabled interfaces > > > > Per-IP Counters > > > > iptaccount is not installed > > > > /proc > > > > /proc/version = Linux version 2.6.38.7-smp (root@midas) (gcc version 4.5.3 (GCC) ) #2 SMP Sat May 21 23:13:29 CDT 2011 > > /proc/sys/net/ipv4/ip_forward = 1 > > /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 > > /proc/sys/net/ipv4/conf/all/proxy_arp = 0 > > /proc/sys/net/ipv4/conf/all/arp_filter = 0 > > /proc/sys/net/ipv4/conf/all/arp_ignore = 0 > > /proc/sys/net/ipv4/conf/all/rp_filter = 0 > > /proc/sys/net/ipv4/conf/all/log_martians = 0 > > /proc/sys/net/ipv4/conf/default/proxy_arp = 0 > > /proc/sys/net/ipv4/conf/default/arp_filter = 0 > > /proc/sys/net/ipv4/conf/default/arp_ignore = 0 > > /proc/sys/net/ipv4/conf/default/rp_filter = 0 > > /proc/sys/net/ipv4/conf/default/log_martians = 1 > > /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 > > /proc/sys/net/ipv4/conf/eth0/arp_filter = 0 > > /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0 > > /proc/sys/net/ipv4/conf/eth0/rp_filter = 0 > > /proc/sys/net/ipv4/conf/eth0/log_martians = 1 > > /proc/sys/net/ipv4/conf/lo/proxy_arp = 0 > > /proc/sys/net/ipv4/conf/lo/arp_filter = 0 > > /proc/sys/net/ipv4/conf/lo/arp_ignore = 0 > > /proc/sys/net/ipv4/conf/lo/rp_filter = 0 > > /proc/sys/net/ipv4/conf/lo/log_martians = 1 > > /proc/sys/net/ipv4/conf/wlan0/proxy_arp = 0 > > /proc/sys/net/ipv4/conf/wlan0/arp_filter = 0 > > /proc/sys/net/ipv4/conf/wlan0/arp_ignore = 0 > > /proc/sys/net/ipv4/conf/wlan0/rp_filter = 0 > > /proc/sys/net/ipv4/conf/wlan0/log_martians = 1 > > > > Routing Rules > > > > 0: from all lookup local > > 32766: from all lookup main > > 32767: from all lookup default > > > > Table default: > > > > > > Table local: > > > > local 192.168.1.67 dev wlan0 proto kernel scope host src 192.168.1.67 > > broadcast 192.168.1.0 dev wlan0 proto kernel scope link src 192.168.1.67 > > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 > > broadcast 192.168.1.255 dev wlan0 proto kernel scope link src 192.168.1.67 > > 
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 > > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 > > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 > > > > Table main: > > > > 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.67 metric 303 > > 127.0.0.0/8 dev lo scope link > > default via 192.168.1.254 dev wlan0 metric 303 > > > > ARP > > > > ? (192.168.1.254) at 00:1f:9f:eb:5c:9e [ether] on wlan0 > > > > Modules > > > > ip_set 10840 18 ipt_set,ipt_SET,ip_set_nethash,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash > > ip_set_iphash 6148 0 > > ip_set_ipmap 2782 0 > > ip_set_ipporthash 6531 0 > > ip_set_iptree 4614 0 > > ip_set_iptreemap 8076 0 > > ip_set_macipmap 2821 0 > > ip_set_nethash 7373 0 > > ip_set_portmap 2936 0 > > ip_tables 9267 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter > > ipt_CLUSTERIP 4957 0 > > ipt_ECN 1532 0 > > ipt_LOG 6486 5 > > ipt_MASQUERADE 1294 0 > > ipt_NETMAP 901 0 > > ipt_REDIRECT 875 0 > > ipt_REJECT 2021 4 > > ipt_SET 1267 0 > > ipt_ULOG 4885 0 > > ipt_addrtype 1589 4 > > ipt_ah 857 0 > > ipt_ecn 1084 0 > > ipt_set 1108 0 > > iptable_filter 1092 1 > > iptable_mangle 1252 1 > > iptable_nat 3388 0 > > iptable_raw 1016 0 > > nf_conntrack 44795 32 xt_CT,xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4 > > nf_conntrack_amanda 1713 1 nf_nat_amanda > > nf_conntrack_ftp 4789 1 nf_nat_ftp > > nf_conntrack_h323 36572 1 nf_nat_h323 > > nf_conntrack_ipv4 9597 15 iptable_nat,nf_nat > > 
nf_conntrack_irc 2607 1 nf_nat_irc > > nf_conntrack_netbios_ns 1070 0 > > nf_conntrack_netlink 11900 0 > > nf_conntrack_pptp 3890 1 nf_nat_pptp > > nf_conntrack_proto_gre 3073 1 nf_conntrack_pptp > > nf_conntrack_proto_sctp 5766 0 > > nf_conntrack_proto_udplite 2315 0 > > nf_conntrack_sane 2788 0 > > nf_conntrack_sip 16024 1 nf_nat_sip > > nf_conntrack_tftp 2497 1 nf_nat_tftp > > nf_defrag_ipv4 1015 2 xt_TPROXY,nf_conntrack_ipv4 > > nf_defrag_ipv6 4849 1 xt_TPROXY > > nf_nat 12344 12 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat > > nf_nat_amanda 836 0 > > nf_nat_ftp 1280 0 > > nf_nat_h323 5291 0 > > nf_nat_irc 1050 0 > > nf_nat_pptp 2006 0 > > nf_nat_proto_gre 1013 1 nf_nat_pptp > > nf_nat_sip 5656 0 > > nf_nat_snmp_basic 7101 0 > > nf_nat_tftp 674 0 > > nf_tproxy_core 824 1 xt_TPROXY,[permanent] > > xt_CLASSIFY 681 0 > > xt_CT 1415 0 > > xt_DSCP 1703 0 > > xt_NFLOG 834 0 > > xt_NFQUEUE 1481 0 > > xt_TPROXY 4043 0 > > xt_comment 679 18 > > xt_connlimit 2606 0 > > xt_connmark 1457 0 > > xt_conntrack 2237 12 > > xt_dccp 1799 0 > > xt_dscp 1231 0 > > xt_hashlimit 6153 0 > > xt_helper 1063 0 > > xt_iprange 1316 0 > > xt_length 864 0 > > xt_limit 1447 0 > > xt_mac 799 0 > > xt_mark 889 1 > > xt_multiport 1522 4 > > xt_owner 867 0 > > xt_physdev 1368 0 > > xt_pkttype 807 0 > > xt_policy 2150 0 > > xt_realm 707 0 > > xt_recent 6458 0 > > xt_state 963 0 > > xt_tcpmss 1125 0 > > xt_tcpudp 1939 14 > > xt_time 1663 0 > > > > Shorewall has detected the following iptables/netfilter capabilities: > > NAT: Available > > Packet Mangling: Available > > Multi-port Match: Available > > Extended Multi-port Match: Available > > Connection Tracking Match: Available > > Extended Connection Tracking Match Support: Available > > Packet Type Match: Available > > Policy Match: Available > > Physdev Match: Available > > Physdev-is-bridged Support: Available > > Packet length Match: 
Available > > IP range Match: Available > > Recent Match: Available > > Owner Match: Available > > Ipset Match: Available > > CONNMARK Target: Available > > Extended CONNMARK Target: Available > > Connmark Match: Available > > Extended Connmark Match: Available > > Raw Table: Available > > Rawpost Table: Not available > > IPP2P Match: Not available > > CLASSIFY Target: Available > > Extended REJECT: Available > > Repeat match: Available > > MARK Target: Available > > Extended MARK Target: Available > > Extended MARK Target 2: Available > > Mangle FORWARD Chain: Available > > Comments: Available > > Address Type Match: Available > > TCPMSS Match: Available > > Hashlimit Match: Available > > NFQUEUE Target: Available > > Realm Match: Available > > Helper Match: Available > > Connlimit Match: Available > > Time Match: Available > > Goto Support: Available > > LOGMARK Target: Not available > > IPMARK Target: Not available > > LOG Target: Available > > ULOG Target: Available > > NFLOG Target: Available > > Persistent SNAT: Available > > TPROXY Target: Available > > FLOW Classifier: Available > > fwmark route mask: Available > > Mark in any table: Available > > Header Match: Not available > > ACCOUNT Target: Not available > > AUDIT Target: Not available > > ipset V5: Not available > > Condition Match: Not available > > iptables -S: Available > > Basic Filter: Available > > CT Target: Available > > > > Active Internet connections (servers and established) > > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name > > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1860/sshd > > tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 1855/inetd > > tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2244/X > > tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 1855/inetd > > tcp 0 0 192.168.1.67:47311 209.85.229.94:80 ESTABLISHED 2506/firefox > > tcp 0 0 192.168.1.67:55088 173.194.70.120:80 ESTABLISHED 2506/firefox > > tcp 0 0 192.168.1.67:55083 173.194.70.120:80 ESTABLISHED 2506/firefox > > tcp 0 0 
192.168.1.67:43818 64.4.34.84:80 ESTABLISHED 2506/firefox
> > tcp 0 0 192.168.1.67:47314 209.85.229.94:80 ESTABLISHED 2506/firefox
> > tcp 0 0 192.168.1.67:59723 207.46.124.167:1863 TIME_WAIT -
> > tcp 0 0 192.168.1.67:51576 64.4.44.85:1863 ESTABLISHED 2505/pidgin
> > tcp 0 0 192.168.1.67:47312 209.85.229.94:80 ESTABLISHED 2506/firefox
> > tcp 0 0 192.168.1.67:47070 74.125.79.139:80 ESTABLISHED 2506/firefox
> > tcp 0 0 192.168.1.67:42653 62.1.38.18:80 ESTABLISHED 2506/firefox
> > tcp 0 0 192.168.1.67:57795 65.55.85.91:443 ESTABLISHED 2505/pidgin
> > tcp 0 0 :::22 :::* LISTEN 1860/sshd
> > tcp 0 0 :::6000 :::* LISTEN 2244/X
> > udp 0 0 0.0.0.0:512 0.0.0.0:* 1855/inetd
> > udp 0 0 0.0.0.0:37 0.0.0.0:* 1855/inetd
> >
> > Traffic Control
> >
> > Device eth0:
> > qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
> > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> >
> >
> > Device wlan0:
> > qdisc mq 0: root
> > Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> >
> > class mq :1 root
> > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> > class mq :2 root
> > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> > class mq :3 root
> > Sent 1684135 bytes 9365 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> > class mq :4 root
> > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > backlog 0b 0p requeues 0
> >
> >
> > TC Filters
> >
> > Device eth0:
> >
> > Device wlan0:
> >
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
I found the solution (mainly thanks to Tom E.). I just put the desired IP first on the first column of the /etc/shorewall/blacklist without any options. Then I entered the same IP in the /etc/shorewall/blrules (DROP all net:XXX.XXX.XXX.XXX).

Thanks for your help all!

From: dominic@lenny.cus.org
Date: Wed, 25 Jan 2012 09:09:10 +0000
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user

Assuming you're running 4.4.13 or later: I believe that if you enter 'dst' in the optional 4th column of the blacklist file then the outbound connections would be blocked. You probably would want to have two entries for each blocked subnet, one inbound and one outbound. There are a couple of useful notes about requirements in the man page (http://shorewall.net/manpages/shorewall-blacklist.html).

On 24 Jan 2012, at 22:22, Christos Bakalis wrote:

I understand what you mean but it is totally impractical. Creating a blacklisting firewall for all sites and excluding 5-6? There's got to be another way.

Date: Tue, 24 Jan 2012 17:00:38 -0500
From: roberto@connexer.com
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user

Looking at the output, it seems that your attempts to reach the blacklisted IP are matching in the fw2net policy (which is ACCEPT). This indicates that you are trying to reach the blacklisted host from your machine (which is allowed, as blacklisting works on incoming packets). What you are trying to accomplish is outbound traffic filtering. To do that, you will need to change your fw2net policy to REJECT and then specifically allow traffic to specific hosts and/or to specific ports. However, that can get rather complicated very quickly.
Regards,

-Roberto

On Tue, Jan 24, 2012 at 08:59:39PM +0200, Christos Bakalis wrote:
> Here is the output of the command:
>
> Date: Mon, 23 Jan 2012 20:12:02 -0500
> From: roberto@connexer.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user
>
> On Mon, Jan 23, 2012 at 01:48:24PM +0200, Christos Bakalis wrote:
> > Hello! I have posted this question on linuxquestions.com but have not yet
> > received a reply.
> > Can any shorewall user help me out?
> >
> Your problem seems to be a result of the policy "fw net ACCEPT" but I do
> not use blacklisting, so to be certain I would need to see the output of
> 'shorewall dump'.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>
> root@slack:/home/cb# shorewall dump
> Shorewall 4.4.27 Dump at slack - Tue Jan 24 20:57:02 EET 2012
>
> Counters reset Tue Jan 24 20:56:12 EET 2012
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
> 34 4016 wlan0_in all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 wlan0_fwd all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 15 785 fw2net all -- * wlan0 0.0.0.0/0 0.0.0.0/0
> 0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain Broadcast (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
> 1 36 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
> 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
>
> Chain Drop (1 references)
> pkts bytes target prot opt in out source destination
> 1 36 all -- * * 0.0.0.0/0
0.0.0.0/0 > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > 1 36 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > Chain Invalid (2 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID > > Chain NotSyn (2 references) > pkts bytes target prot opt in out source destination > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 
0x17/0x02 > > Chain Reject (3 references) > pkts bytes target prot opt in out source destination > 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */ > 0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */ > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */ > 0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */ > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */ > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */ > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */ > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */ > 0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */ > > Chain blacklst (4 references) > pkts bytes target prot opt in out source destination > 0 0 reject all -- * * 174.133.253.138 0.0.0.0/0 > > Chain dynamic (5 references) > pkts bytes target prot opt in out source destination > > Chain eth0_fwd (1 references) > pkts bytes target prot opt in out source destination > 0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0 [goto] > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain eth0_in (1 references) > pkts bytes target prot opt in out source destination > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain fw2net (2 references) > pkts bytes target prot opt in out source destination > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 15 785 ACCEPT all 
-- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain logdrop (0 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain logreject (0 references) > pkts bytes target prot opt in out source destination > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain net2fw (2 references) > pkts bytes target prot opt in out source destination > 25 1308 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED > 1 36 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:" > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain net_frwd (2 references) > pkts bytes target prot opt in out source destination > 0 0 ACCEPT all -- * wlan0 0.0.0.0/0 0.0.0.0/0 > 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 > > Chain reject (11 references) > pkts bytes target prot opt in out source destination > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST > 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 > 0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0 > 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset > 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable > 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited > > Chain sfilter (2 references) > pkts bytes target prot opt in out source destination > 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:" > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain shorewall (0 references) > pkts bytes target prot opt in out source destination > > Chain wlan0_fwd (1 references) > pkts bytes target prot opt in out source destination > 0 0 sfilter all -- * wlan0 0.0.0.0/0 0.0.0.0/0 [goto] > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 0 0 blacklst all -- * * 0.0.0.0/0 
0.0.0.0/0 ctstate INVALID,NEW > 0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain wlan0_in (1 references) > pkts bytes target prot opt in out source destination > 9 2708 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 9 2708 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW > 8 2672 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 > 26 1344 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 > > Log (/var/log/messages) > > > NAT Table > > Chain PREROUTING (policy ACCEPT 1 packets, 36 bytes) > pkts bytes target prot opt in out source destination > > Chain INPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > > Mangle Table > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > 34 4016 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain INPUT (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > 34 4016 tcin all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00 > 0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > 15 785 tcout all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > 15 785 tcpost all -- * * 0.0.0.0/0 0.0.0.0/0 > > Chain tcfor (1 references) > pkts bytes target prot opt in out source destination > > Chain tcin (1 references) > pkts bytes target prot opt in out source destination > > Chain tcout (1 references) > pkts bytes target prot opt in out source 
destination > > Chain tcpost (1 references) > pkts bytes target prot opt in out source destination > > Chain tcpre (1 references) > pkts bytes target prot opt in out source destination > > Raw Table > > Chain PREROUTING (policy ACCEPT 5 packets, 808 bytes) > pkts bytes target prot opt in out source destination > > Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes) > pkts bytes target prot opt in out source destination > > Conntrack Table (62 out of 65536) > > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55083 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55083 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35950 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35950 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46678 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46678 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46686 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46686 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35951 dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35951 [ASSURED] mark=0 use=2 > tcp 6 431940 ESTABLISHED src=192.168.1.67 dst=64.4.34.84 sport=43818 dport=80 src=64.4.34.84 dst=192.168.1.67 sport=80 dport=43818 [ASSURED] mark=0 use=2 > udp 17 25 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46675 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46675 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46689 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46689 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46685 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 
dport=46685 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47341 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47341 [ASSURED] mark=0 use=2 > tcp 6 431918 ESTABLISHED src=192.168.1.67 dst=74.125.79.139 sport=47070 dport=80 src=74.125.79.139 dst=192.168.1.67 sport=80 dport=47070 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46704 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46704 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46705 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46705 [ASSURED] mark=0 use=2 > tcp 6 431912 ESTABLISHED src=192.168.1.67 dst=173.194.70.120 sport=55088 dport=80 src=173.194.70.120 dst=192.168.1.67 sport=80 dport=55088 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53006 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53006 [ASSURED] mark=0 use=2 > tcp 6 68 TIME_WAIT src=192.168.1.67 dst=141.101.124.244 sport=55070 dport=80 src=141.101.124.244 dst=192.168.1.67 sport=80 dport=55070 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46682 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46682 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46697 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46697 [ASSURED] mark=0 use=2 > udp 17 114 src=192.168.1.67 dst=192.168.1.254 sport=42104 dport=53 src=192.168.1.254 dst=192.168.1.67 sport=53 dport=42104 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46707 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46707 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46684 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46684 [ASSURED] mark=0 use=2 > tcp 6 18 TIME_WAIT src=192.168.1.67 dst=64.4.61.111 
sport=46612 dport=1863 src=64.4.61.111 dst=192.168.1.67 sport=1863 dport=46612 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46709 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46709 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46672 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46672 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46132 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46132 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=66.211.169.74 sport=57631 dport=443 src=66.211.169.74 dst=192.168.1.67 sport=443 dport=57631 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53005 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53005 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46674 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46674 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46673 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46673 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46679 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46679 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=72.52.240.152 sport=47340 dport=80 src=72.52.240.152 dst=192.168.1.67 sport=80 dport=47340 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46727 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46727 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46703 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46703 [ASSURED] mark=0 use=2 > tcp 6 54 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58134 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58134 [ASSURED] mark=0 
use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46690 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46690 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46692 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46692 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46710 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46710 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46676 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46676 [ASSURED] mark=0 use=2 > tcp 6 53 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46687 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46687 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46728 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46728 [ASSURED] mark=0 use=2 > tcp 6 101 TIME_WAIT src=192.168.1.67 dst=207.46.124.167 sport=59723 dport=1863 src=207.46.124.167 dst=192.168.1.67 sport=1863 dport=59723 [ASSURED] mark=0 use=2 > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46734 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46734 [ASSURED] mark=0 use=2 > tcp 6 85 TIME_WAIT src=192.168.1.67 dst=141.101.125.244 sport=46148 dport=80 src=141.101.125.244 dst=192.168.1.67 sport=80 dport=46148 [ASSURED] mark=0 use=2 > tcp 6 431972 ESTABLISHED src=192.168.1.67 dst=64.4.44.85 sport=51576 dport=1863 src=64.4.44.85 dst=192.168.1.67 sport=1863 dport=51576 [ASSURED] mark=0 use=2 > tcp 6 59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46708 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46708 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46729 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46729 [ASSURED] mark=0 use=2 > tcp 6 42 TIME_WAIT src=192.168.1.67 dst=141.101.125.37 sport=35952 
dport=80 src=141.101.125.37 dst=192.168.1.67 sport=80 dport=35952 [ASSURED] mark=0 use=2 > tcp 6 431911 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47311 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47311 [ASSURED] mark=0 use=2 > tcp 6 58 TIME_WAIT src=192.168.1.67 dst=199.7.50.72 sport=58135 dport=80 src=199.7.50.72 dst=192.168.1.67 sport=80 dport=58135 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46677 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46677 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46717 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46717 [ASSURED] mark=0 use=2 > tcp 6 431627 ESTABLISHED src=192.168.1.67 dst=62.1.38.9 sport=58460 dport=80 [UNREPLIED] src=62.1.38.9 dst=192.168.1.67 sport=80 dport=58460 mark=0 use=2 > tcp 6 431914 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47312 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47312 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46683 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46683 [ASSURED] mark=0 use=2 > tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=62.1.38.18 sport=42653 dport=80 src=62.1.38.18 dst=192.168.1.67 sport=80 dport=42653 [ASSURED] mark=0 use=2 > tcp 6 52 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46680 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46680 [ASSURED] mark=0 use=2 > tcp 6 431917 ESTABLISHED src=192.168.1.67 dst=209.85.229.94 sport=47314 dport=80 src=209.85.229.94 dst=192.168.1.67 sport=80 dport=47314 [ASSURED] mark=0 use=2 > tcp 6 38 TIME_WAIT src=192.168.1.67 dst=95.172.94.55 sport=46162 dport=80 src=95.172.94.55 dst=192.168.1.67 sport=80 dport=46162 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=141.101.126.243 sport=53004 dport=80 src=141.101.126.243 dst=192.168.1.67 sport=80 dport=53004 [ASSURED] mark=0 use=2 > tcp 6 
59 TIME_WAIT src=192.168.1.67 dst=174.133.253.138 sport=46706 dport=80 src=174.133.253.138 dst=192.168.1.67 sport=80 dport=46706 [ASSURED] mark=0 use=2 > tcp 6 84 TIME_WAIT src=192.168.1.67 dst=199.27.134.243 sport=46718 dport=80 src=199.27.134.243 dst=192.168.1.67 sport=80 dport=46718 [ASSURED] mark=0 use=2 > > IP Configuration > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > inet 127.0.0.1/8 scope host lo > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > inet 192.168.1.67/24 brd 192.168.1.255 scope global wlan0 > > IP Stats > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > RX: bytes packets errors dropped overrun mcast > 880 16 0 0 0 0 > TX: bytes packets errors dropped carrier collsns > 880 16 0 0 0 0 > 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 > link/ether 00:1e:ec:a4:e8:fb brd ff:ff:ff:ff:ff:ff > RX: bytes packets errors dropped overrun mcast > 0 0 0 0 0 0 > TX: bytes packets errors dropped carrier collsns > 0 0 0 0 0 0 > 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 > link/ether 00:1f:e2:c1:93:32 brd ff:ff:ff:ff:ff:ff > RX: bytes packets errors dropped overrun mcast > 10211554 11641 0 20 0 0 > TX: bytes packets errors dropped carrier collsns > 1852705 9365 0 0 0 0 > > Bridges > > bridge name bridge id STP enabled interfaces > > Per-IP Counters > > iptaccount is not installed > > /proc > > /proc/version = Linux version 2.6.38.7-smp (root@midas) (gcc version 4.5.3 (GCC) ) #2 SMP Sat May 21 23:13:29 CDT 2011 > /proc/sys/net/ipv4/ip_forward = 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 > /proc/sys/net/ipv4/conf/all/proxy_arp = 0 > /proc/sys/net/ipv4/conf/all/arp_filter = 0 > /proc/sys/net/ipv4/conf/all/arp_ignore = 0 > /proc/sys/net/ipv4/conf/all/rp_filter = 0 > /proc/sys/net/ipv4/conf/all/log_martians = 0 > 
-- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com