I recently checked my config, and found to my horror that apparently my system is wide open!

How can this be? What is wrong? Shorewall v4.5.3-1

------------------------------------------------------------------------------------------------
# iptables -L -n -v -x
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in       out     source               destination
 1950690  959838169 net2fw     all  --  wlan0    *       0.0.0.0/0            0.0.0.0/0
       0          0 net2fw     all  --  eth0     *       0.0.0.0/0            0.0.0.0/0
       0          0 local2fw   all  --  vboxnet0 *       0.0.0.0/0            0.0.0.0/0
  452203  210805103 ACCEPT     all  --  lo       *       0.0.0.0/0            0.0.0.0/0
       0          0 Drop       all  --  *        *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *        *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
       0          0 DROP       all  --  *        *       0.0.0.0/0            0.0.0.0/0
...
------------------------------------------------------------------------------------------------
# Outside (udp 33434:33523 is for traceroute)
ACCEPT  $FW    net:192.168.1.192  udp   snmp  -
ACCEPT  $FW    net                tcp   bootps,controlpanel,controlpanel2,dict,domain,domaincp1,domaincp2,domaincp3,ftp,hkp,http,https,imaps,ircd,nicname,pop3s,printer,radio,ssh,ssmtp,svn,tor,ubnt  -
ACCEPT  $FW    net                udp   bootps,domain,mdns,ntp  -
# Cygnus Services
ACCEPT  $FW    net:192.168.1.3    tcp   ipp,sane-port  -
ACCEPT  $FW    net:192.168.1.3    udp   ipp,snmp  -
# Backup Server
ACCEPT  net:192.168.1.4  $FW      tcp   ssh  -
# Cameras
ACCEPT  $FW    net:192.168.1.4    tcp   camera1,www  -
# IPMI
ACCEPT  $FW    net                tcp   cd,echo,floppy,hid,https,ipmi,ssh,video,www
ACCEPT  $FW    net                udp   ipmi
# Local LAN
#
#DNAT   local  net:192.168.111.1  tcp   ftp,http,https  -  -
ACCEPT  local  net                tcp   ftp,http,https  -
ACCEPT  local  net                udp   domain,ntp  -
ACCEPT  local  $FW                tcp   ftp,http,https  -
ACCEPT  local  $FW                udp   domain,ntp  -
# Pinging
#
ACCEPT  $FW    local  icmp  8
ACCEPT  $FW    net    icmp  8
ACCEPT  local  $FW    icmp  8
ACCEPT  local  net    icmp  8

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 06/27/2012 12:14 PM, CACook@quantum-sci.com wrote:
> I recently checked my config, and found to my horror that apparently my system is wide open!
>
> How can this be? What is wrong? Shorewall v4.5.3-1
>
> ------------------------------------------------------------------------------------------------
> # iptables -L -n -v -x
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in       out     source               destination
>  1950690  959838169 net2fw     all  --  wlan0    *       0.0.0.0/0            0.0.0.0/0
>        0          0 net2fw     all  --  eth0     *       0.0.0.0/0            0.0.0.0/0
>        0          0 local2fw   all  --  vboxnet0 *       0.0.0.0/0            0.0.0.0/0
>   452203  210805103 ACCEPT     all  --  lo       *       0.0.0.0/0            0.0.0.0/0
>        0          0 Drop       all  --  *        *       0.0.0.0/0            0.0.0.0/0
>        0          0 LOG        all  --  *        *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
>        0          0 DROP       all  --  *        *       0.0.0.0/0            0.0.0.0/0
> ...
> ------------------------------------------------------------------------------------------------

Please explain to us why you believe that your system is 'wide open'. If you are looking at the ACCEPT rule, notice that the 'in' column contains 'lo'; that simply allows the firewall to connect to itself.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wednesday, June 27, 2012 12:25:35 PM Tom Eastep wrote:
> Please explain to us why you believe that your system is 'wide open'. If
> you are looking at the ACCEPT rule, notice that the 'in' column contains
> 'lo'; that simply allows the firewall to connect to itself.

Sure that's what the rule says. But look at what is actually set in netfilter:

    pkts      bytes target     prot opt in       out     source               destination
 1950690  959838169 net2fw     all  --  wlan0    *       0.0.0.0/0            0.0.0.0/0

Doesn't this say to allow all from the net to the firewall? And isn't it the first rule?
On 06/27/2012 12:38 PM, CACook@quantum-sci.com wrote:
> On Wednesday, June 27, 2012 12:25:35 PM Tom Eastep wrote:
>> Please explain to us why you believe that your system is 'wide open'. If
>> you are looking at the ACCEPT rule, notice that the 'in' column contains
>> 'lo'; that simply allows the firewall to connect to itself.
>
> Sure that's what the rule says. But look at what is actually set in netfilter:
>
>     pkts      bytes target     prot opt in       out     source               destination
>  1950690  959838169 net2fw     all  --  wlan0    *       0.0.0.0/0            0.0.0.0/0
>
> Doesn't this say to allow all from the net to the firewall? And isn't it the first rule?

No -- it says to jump to the net2fw chain for all packets coming from the net.

-Tom
On Wednesday, June 27, 2012 12:42:57 PM Tom Eastep wrote:
>> Doesn't this say to allow all from the net to the firewall? And isn't it the first rule?
>
> No -- it says to jump to the net2fw chain for all packets coming from
> the net.

That's a relief. I saw all those packets getting caught by that rule...

So then, this seems to be the next section of concern:

Chain net2fw (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    6364     743420 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    6364     743420 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    6364     743420 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
 1899882  947788300 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 1965451  969612212 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       5        384 ACCEPT     tcp  --  *      *       192.168.111.0/28     0.0.0.0/0            tcp dpt:22
       0          0 DROP       tcp  --  *      *       92.62.52.90          0.0.0.0/0            tcp dpts:1:65535
       0          0 DROP       udp  --  *      *       92.62.52.90          0.0.0.0/0            udp dpts:1:65535
       0          0 ACCEPT     tcp  --  *      *       192.168.111.4        0.0.0.0/0            tcp dpt:22
    6359     743036 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Am I understanding this to only allow SSH in? And to log everything else?

How do you tell if this is stateful filtering?
On 06/27/2012 01:40 PM, CACook@quantum-sci.com wrote:
> On Wednesday, June 27, 2012 12:42:57 PM Tom Eastep wrote:
>>> Doesn't this say to allow all from the net to the firewall? And isn't it the first rule?
>>
>> No -- it says to jump to the net2fw chain for all packets coming from
>> the net.
>
> That's a relief. I saw all those packets getting caught by that rule...
>
> So then, this seems to be the next section of concern:
>
> Chain net2fw (2 references)
>     pkts      bytes target     prot opt in     out     source               destination
>     6364     743420 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
>     6364     743420 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
>     6364     743420 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
>  1899882  947788300 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>  1965451  969612212 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED   <==============
>        5        384 ACCEPT     tcp  --  *      *       192.168.111.0/28     0.0.0.0/0            tcp dpt:22
>        0          0 DROP       tcp  --  *      *       92.62.52.90          0.0.0.0/0            tcp dpts:1:65535
>        0          0 DROP       udp  --  *      *       92.62.52.90          0.0.0.0/0            udp dpts:1:65535
>        0          0 ACCEPT     tcp  --  *      *       192.168.111.4        0.0.0.0/0            tcp dpt:22
>     6359     743036 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>        0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
>        0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Am I understanding this to only allow SSH in?

Yes.

> And to log everything else?

Log and DROP, yes.

> How do you tell if this is stateful filtering?

See the rule above that I've marked with <=====================

That says to ACCEPT any packet that is part of an established connection and to accept new connections that are related to an existing connection.

-Tom
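Tom's reading of the net2fw chain can be checked mechanically rather than by eye. The script below is an added example, not code from Shorewall or from anyone in this thread: it parses one chain of `iptables -L -n -v -x` output (the net2fw listing from the thread, embedded as constructed sample input in the same column layout) and reports whether the chain has a RELATED,ESTABLISHED accept rule, which rules admit new connections and from where, and what the catch-all tail of the chain does with everything else. The column order and the `ctstate`/`dpt:` wording are assumed from the listing itself.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the net2fw chain pasted in the thread, laid out in
# the column format `iptables -L -n -v -x` prints.
NET2FW = """\
Chain net2fw (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    6364     743420 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    6364     743420 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    6364     743420 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
 1899882  947788300 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 1965451  969612212 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       5        384 ACCEPT     tcp  --  *      *       192.168.111.0/28     0.0.0.0/0            tcp dpt:22
       0          0 DROP       tcp  --  *      *       92.62.52.90          0.0.0.0/0            tcp dpts:1:65535
       0          0 DROP       udp  --  *      *       92.62.52.90          0.0.0.0/0            udp dpts:1:65535
       0          0 ACCEPT     tcp  --  *      *       192.168.111.4        0.0.0.0/0            tcp dpt:22
    6359     743036 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str   # match extensions: "ctstate ...", "tcp dpt:...", "LOG ..."


# Columns: pkts bytes target prot opt in out source destination [extensions]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$"
)


def parse_chain(listing):
    """Parse one chain from `iptables -L -n -v -x` into (chain name, [Rule, ...])."""
    lines = listing.strip().splitlines()
    m = re.match(r"Chain (\S+)", lines[0])
    if not m:
        raise ValueError("input does not start with a 'Chain ...' header")
    rules = []
    for line in lines[1:]:
        if line.lstrip().startswith("pkts"):
            continue                      # column header line
        r = RULE_RE.match(line)
        if not r:
            raise ValueError(f"unparsable rule line: {line!r}")
        g = r.groups()
        rules.append(Rule(int(g[0]), int(g[1]), g[2], g[3], g[4], g[5], g[6], g[7], g[8] or ""))
    return m.group(1), rules


def summarize(rules):
    """Answer the two questions asked in the thread for a zone-to-firewall chain."""
    # Stateful: some rule accepts everything that conntrack marks RELATED,ESTABLISHED.
    stateful = any(r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra for r in rules)
    # New flows get in only through ACCEPT rules that do not hinge on conntrack state.
    new_accepts = []
    for r in rules:
        if r.target == "ACCEPT" and "ctstate" not in r.extra:
            port = re.search(r"dpt:(\d+)", r.extra)
            new_accepts.append((r.source, r.proto, int(port.group(1)) if port else None))
    # Whatever matched nothing above reaches the catch-all rules at the end of the chain.
    tail = [r.target for r in rules
            if r.source == "0.0.0.0/0" and r.proto == "all" and "ctstate" not in r.extra]
    return {"stateful": stateful, "new_accepts": new_accepts, "fallthrough": tail}


if __name__ == "__main__":
    name, rules = parse_chain(NET2FW)
    report = summarize(rules)
    print(f"chain {name}: stateful={report['stateful']}")
    for src, proto, port in report["new_accepts"]:
        print(f"  new connections accepted from {src} ({proto}/{port})")
    print("  everything else:", " -> ".join(report["fallthrough"]))
```

Run against the thread's listing it reports the chain as stateful, new connections accepted only for tcp/22 from 192.168.111.0/28 and 192.168.111.4, and everything else going Drop -> LOG -> DROP, which is exactly Tom's answer. To check a live box, replace NET2FW with the output of `iptables -L net2fw -n -v -x`.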
On Wednesday, June 27, 2012 01:49:25 PM Tom Eastep wrote:
> That says to ACCEPT any packet that is part of an established connection
> and to accept new connections that are related to an existing connection.

Sure, but that's just necessary for TCP. I'm wondering about the firewall -tracking- stateful connexions. IOW if someone just sends a FIN out of the blue. Will this be logged?
On 06/27/2012 02:11 PM, CACook@quantum-sci.com wrote:
> On Wednesday, June 27, 2012 01:49:25 PM Tom Eastep wrote:
>> That says to ACCEPT any packet that is part of an established connection
>> and to accept new connections that are related to an existing connection.
>
> Sure, but that's just necessary for TCP.

Not so -- Netfilter generalizes the concept of 'connection' to include all protocols. Think of 'flow' rather than 'connection'.

> I'm wondering about the firewall -tracking- stateful connexions. IOW if someone just sends a FIN out of the blue. Will this be logged?

No. A FIN out of the blue will be in the INVALID connection state. I personally have a rule like this one at the top of my rules:

Invalid(DROP)  net  all  tcp

That silently drops such packets. But if you don't have that sort of rule, then if the packet matches an ACCEPT rule, it will be accepted by Netfilter and the TCP stack will discard it. Otherwise, it will end up in the 'Drop' chain which contains this rule:

      22        880 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

So it will be silently dropped and not logged.

-Tom
On Wednesday, June 27, 2012 02:22:19 PM Tom Eastep wrote:
> But if you don't have that sort of rule, then if the packet matches an
> ACCEPT rule, it will be accepted by Netfilter and the TCP stack will
> discard it. Otherwise, it will end up in the 'Drop' chain which contains
> this rule:

OK, but what I am getting at is I would like to know when someone is trying a FIN or any other type of scan. But I don't know the best way to go about monitoring my network.

At this point my plan is to set up a VirtualBox VM which is bridged to the LAN interface so it bypasses the Host's Shorewall. It will be running Debian Testing and Prelude, although setup for Prelude is busted and it will take me hours of analysis to get it running apparently. I'm hoping that with this I can monitor the LAN for intrusion attempts, in an isolated OS which has full listening ability.
On 06/27/2012 02:43 PM, CACook@quantum-sci.com wrote:
> On Wednesday, June 27, 2012 02:22:19 PM Tom Eastep wrote:
>
>> But if you don't have that sort of rule, then if the packet matches
>> an ACCEPT rule, it will be accepted by Netfilter and the TCP stack
>> will discard it. Otherwise, it will end up in the 'Drop' chain
>> which contains this rule:
>
> OK, but what I am getting at is I would like to know when someone is
> trying a FIN or any other type of scan. But I don't know the best
> way to go about monitoring my network.

The 'tcpflags' interface option along with non-empty 'TCP_FLAGS_LOG_LEVEL' will catch most of those. Adding this at the top of your rules file will catch and log the rest:

Invalid(DROP):info  net  all  tcp

I also run fwlogwatch which will dynamically add DROP rules for IP addresses that generate too many Netfilter log messages.

-Tom
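The other half of Tom's advice is reading what those rules log. The script below is an added example, not fwlogwatch's code or anything from Shorewall: it parses the kernel log lines that the tcpflags option and the `Invalid(DROP):info` rule produce, tallies per source address the number of log hits, the distinct ports touched, and the TCP packets whose flag combinations fit no legitimate flow (a FIN with no ACK, SYN+FIN, no flags at all), and lists the sources past a threshold, which is the decision fwlogwatch automates. The log lines are constructed sample data, and the `Shorewall:<chain>:<disposition>:` prefix assumes Shorewall's default LOGFORMAT.

```python
import re
from collections import defaultdict

# Netfilter LOG lines carry the prefix "Shorewall:<chain>:<disposition>:" under
# Shorewall's default LOGFORMAT (an assumption about the reader's setup; adjust
# LINE_RE if LOGFORMAT was customised).
LINE_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def _tcp_line(sec, chain, src, spt, dpt, flags):
    # Builds a constructed sample line in netfilter's LOG layout (not a real capture).
    return (f"Jun 27 14:30:{sec:02d} fw kernel: Shorewall:{chain}:DROP:IN=wlan0 OUT= "
            f"SRC={src} DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: one host walking ports with FIN-only probes, and one host
# that sent a single ordinary SYN plus an mDNS datagram the policy dropped.
SAMPLE_LOG = "\n".join([
    _tcp_line(1, "net2fw", "203.0.113.7", 40001, 21, "FIN"),
    _tcp_line(2, "net2fw", "203.0.113.7", 40002, 22, "FIN"),
    _tcp_line(3, "net2fw", "203.0.113.7", 40003, 23, "FIN"),
    _tcp_line(4, "net2fw", "203.0.113.7", 40004, 25, "FIN"),
    _tcp_line(5, "net2fw", "203.0.113.7", 40005, 80, "FIN"),
    _tcp_line(6, "net2fw", "203.0.113.7", 40006, 443, "FIN"),
    _tcp_line(7, "net2fw", "198.51.100.9", 51000, 22, "SYN"),
    _tcp_line(8, "tcpflags", "203.0.113.7", 40007, 22, "SYN FIN"),
    "Jun 27 14:30:09 fw kernel: Shorewall:net2fw:DROP:IN=wlan0 OUT= SRC=198.51.100.9 "
    "DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40",
])


def parse_line(line):
    """Return the interesting fields of one Shorewall log line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("fields").split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)   # KEY=value pairs
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": kv.get("SRC"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
        "flags": {t for t in tokens if t in TCP_FLAGS},      # bare flag words after RES=
    }


def anomalous_flags(ev):
    """A TCP packet that is neither a plain SYN nor carries ACK belongs to no
    legitimate flow: FIN-only, NULL, SYN/FIN and similar probes."""
    return ev["proto"] == "TCP" and "ACK" not in ev["flags"] and ev["flags"] != {"SYN"}


def summarize(log_text):
    """Per-source counts: log hits, distinct (proto, port) pairs touched, flag anomalies."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "bad_flags": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] is None:
            continue
        s = per_src[ev["src"]]
        s["hits"] += 1
        if ev["dpt"] is not None:
            s["ports"].add((ev["proto"], ev["dpt"]))
        if anomalous_flags(ev):
            s["bad_flags"] += 1
    return dict(per_src)


def offenders(summary, max_hits=5, max_ports=5):
    """Sources past a threshold, the way fwlogwatch decides whom to block dynamically."""
    return sorted(src for src, s in summary.items()
                  if s["hits"] > max_hits or len(s["ports"]) > max_ports)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, s in sorted(report.items()):
        print(f"{src}: {s['hits']} hits, {len(s['ports'])} ports, {s['bad_flags']} bad-flag packets")
    print("over threshold:", offenders(report))
```

On the sample, 203.0.113.7 shows seven hits across six ports with every packet flagged anomalous, while the single blocked SYN and the mDNS datagram from 198.51.100.9 stay well under the threshold. Pointed at the real kernel log instead of SAMPLE_LOG, the offenders list is what you would feed into a dynamic blacklist, and the bad_flags count is what distinguishes a scan from ordinary connection attempts that the policy merely refused.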
> -Tom

Thank you Tom, for this great support! It also helps the people just reading silently on this list.

Kind regards,
julian
Strangely today I tried to get a DHCP lease when I know 68 is closed, yet there was no complaint from Shorewall.

My last policy is:

net  all  DROP  info
all  all  DROP  info

... and yet there was nothing in dmesg.
On 06/28/2012 03:16 PM, CACook@quantum-sci.com wrote:
>
> Strangely today I tried to get a DHCP lease when I know 68 is closed, yet there was no complaint from Shorewall.
>
> My last policy is:
> net  all  DROP  info
> all  all  DROP  info
>
> ... and yet there was nothing in dmesg.

DHCP uses raw sockets which are independent of the IP stack (and hence independent of Netfilter).

-Tom
On Thursday, June 28, 2012 03:57:22 PM Tom Eastep wrote:
> DHCP uses raw sockets which are independent of the IP stack (and hence
> independent of Netfilter).

Meh? So I don't need bootpc in my rules at all?

Wonder why it couldn't get a lease...
On 6/28/12 4:16 PM, CACook@quantum-sci.com wrote:
> On Thursday, June 28, 2012 03:57:22 PM Tom Eastep wrote:
>> DHCP uses raw sockets which are independent of the IP stack (and hence
>> independent of Netfilter).
>
> Meh? So I don't need bootpc in my rules at all?
>
> Wonder why it couldn't get a lease...

There are two cases:

a) Initial Lease. This is a broadcast with a null source IP. The Shorewall log doesn't show dropped broadcasts because there is so much broadcast noise in the typical environment.

b) Renew Lease. This is a unicast UDP packet which will get logged.

-Tom