Just a point of order here, and I'm sure I'm misinterpreting this, but it looks like my firewall is wide open. I'd understood that the first matching rule it comes to, it accepts for a given packet. Is it the policy DROP that's calling the shots for each chain??

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
net2fw     all  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere
local2fw   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix "Shorewall:INPUT:DROP:"
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
net_frwd   all  --  anywhere             anywhere
net_frwd   all  --  anywhere             anywhere
local2net  all  --  anywhere             anywhere
local2net  all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix "Shorewall:FORWARD:DROP:"
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
fw2net     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere
fw2local   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix "Shorewall:OUTPUT:DROP:"
DROP       all  --  anywhere             anywhere

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/17/2012 10:14 AM, CACook@quantum-sci.com wrote:
> Just a point of order here, and I'm sure I'm misinterpreting this, but it looks like my firewall is wide open. I'd understood that the first matching rule it comes to, it accepts for a given packet.
>
> Is it the policy DROP that's calling the shots for each chain??

No -- the problem is that a bare 'iptables -L' command gives you completely useless output. Try

    shorewall show

instead. That uses 'iptables -L -n -v' which is the only way to see what your ruleset is really doing.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Friday, 17 August, 2012 10:41:40 Tom Eastep wrote:
> shorewall show
>
> instead. That uses 'iptables -L -n -v' which is the only way to see what
> your ruleset is really doing.

OK. But if the DROP policy is applied to each chain, and that rule is come to first, why are all my packets not dropped? Firewall seems to be working OK, but trying to learn something.

# shorewall show
Shorewall 4.5.5.3 filter Table at hex - Fri Aug 17 11:54:29 PDT 2012

Counters reset Fri Aug 17 09:29:06 PDT 2012

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15269   11M net2fw     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 local2fw   all  --  vboxnet0 *     0.0.0.0/0            0.0.0.0/0
 2708  199K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_frwd   all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 net_frwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 local2net  all  --  vboxnet0 wlan0 0.0.0.0/0            0.0.0.0/0
    0     0 local2net  all  --  vboxnet0 eth0  0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:FORWARD:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15038 2510K fw2net     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2local   all  --  *      vboxnet0 0.0.0.0/0           0.0.0.0/0
 2708  199K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:OUTPUT:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
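The verbose listing above answers the original question by itself once you read the right columns: the "ACCEPT all" rule that looked wide open in the bare `iptables -L` output is restricted to the `lo` interface, and the "policy DROP 0 packets" header shows that the chain policy has never decided a packet. The following Python script is an added example, not part of the thread or of Shorewall itself; it parses `iptables -L -n -v` output (the sample embedded below is the INPUT and OUTPUT chains copied from the `shorewall show` listing in this message), reports which rules actually carry traffic, whether the policy ever fired, and flags any ACCEPT rule that is genuinely unconditional (no interface, address or match restriction). The `Rule`, `Chain`, `parse_verbose_listing` and `audit` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Header of a built-in chain as printed by 'iptables -L -n -v' (what 'shorewall show' runs).
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# Header of a user-defined chain, which has references instead of a policy.
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# One rule line: pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# Sample input copied from the 'shorewall show' output in this thread (INPUT and OUTPUT chains only).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15269   11M net2fw     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 local2fw   all  --  vboxnet0 *     0.0.0.0/0            0.0.0.0/0
 2708  199K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
15038 2510K fw2net     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
 2708  199K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match/target text, e.g. the LOG prefix


@dataclass
class Chain:
    name: str
    policy: str          # None for user-defined chains
    policy_pkts: int     # packets that fell off the end of the chain and hit the policy
    policy_bytes: int
    rules: list = field(default_factory=list)


def parse_bytes(text):
    """'199K' -> 199000. iptables rounds these; 'iptables -L -n -v -x' prints exact counts."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def parse_verbose_listing(text):
    """Parse 'iptables -L -n -v' output into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            current = chains[name] = Chain(name, policy, int(pkts), int(byts))
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), None, 0, 0)
            continue
        m = RULE_RE.match(line) if current else None
        if m:  # the ' pkts bytes target ...' header line never matches: it has no leading digits
            pkts, byts, target, proto, _opt, in_if, out_if, src, dst, extra = m.groups()
            current.rules.append(Rule(int(pkts), parse_bytes(byts), target, proto,
                                      in_if, out_if, src, dst, extra.strip()))
    return chains


def audit(chains):
    """Per built-in chain: did the policy ever fire, which rules carry traffic, and is any
    ACCEPT truly unconditional (wildcard interfaces, any source/destination, no extra match)?"""
    report = {}
    for name, ch in chains.items():
        if ch.policy is None:
            continue
        report[name] = {
            "policy": ch.policy,
            "policy_hits": ch.policy_pkts,
            "active_rules": [r for r in ch.rules if r.pkts > 0],
            "unconditional_accepts": [
                r for r in ch.rules
                if r.target == "ACCEPT" and r.in_if == "*" and r.out_if == "*"
                and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and not r.extra
            ],
        }
    return report


if __name__ == "__main__":
    for name, info in audit(parse_verbose_listing(SAMPLE)).items():
        print(f"{name}: policy {info['policy']} decided {info['policy_hits']} packets")
        for r in info["active_rules"]:
            print(f"  {r.pkts:>6} pkts -> {r.target:<9} in={r.in_if} out={r.out_if}")
        print(f"  unconditional ACCEPTs: {len(info['unconditional_accepts'])}")
```

Run against the thread's listing it reports no unconditional ACCEPT in INPUT (the only ACCEPT is bound to `lo`) and zero policy hits, which is the state Tom describes below. The same check over a listing where the policy counter is climbing tells you packets are reaching the end of a chain without a verdict, something a Shorewall-generated ruleset should never produce.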
On 08/17/2012 11:58 AM, CACook@quantum-sci.com wrote:
> On Friday, 17 August, 2012 10:41:40 Tom Eastep wrote:
>> shorewall show
>>
>> instead. That uses 'iptables -L -n -v' which is the only way to see what
>> your ruleset is really doing.
>
> OK. But if the DROP policy is applied to each chain, and that rule is come to first, why are all my packets not dropped? Firewall seems to be working OK, but trying to learn something.

The DROP policy is enforced only for packets that fall off the end of the chain -- which should never happen in a Shorewall-generated ruleset.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
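Tom's answer turns on how netfilter walks a chain: rules are tried in order, the first match with a terminating target decides the packet, a jump to a user chain that ends (or hits RETURN) without a verdict hands control back to the next rule in the caller, and only a packet that reaches the end of a built-in chain with no verdict is decided by the chain policy. The Python below is an added simulation of those rules written for this thread, not Shorewall's or netfilter's code. Its `shorewall_like_ruleset` builds a constructed INPUT chain shaped like the one in the listing (the contents of the hypothetical `net2fw` chain are invented for the example), with and without the trailing LOG/DROP catch-all pair, so you can see why the policy counter stays at zero when the catch-all is present.

```python
# Constructed model of iptables chain traversal; the rule data is invented for illustration.
VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def matches(match, pkt):
    """A rule match is a dict of packet fields; '*' or an absent key is a wildcard."""
    return all(v == "*" or pkt.get(k) == v for k, v in match.items())


def walk_chain(chains, name, pkt, trace):
    """First-match traversal of one chain. Returns a verdict, or None if the packet
    ran off the end of the chain (or hit RETURN) without one. 'trace' records
    every rule that matched, as (chain, rule index, target)."""
    for idx, (match, target) in enumerate(chains[name]["rules"]):
        if not matches(match, pkt):
            continue
        trace.append((name, idx, target))
        if target in VERDICTS:
            return target                      # terminating target: done
        if target == "RETURN":
            return None                        # hand control back to the calling chain
        if target == "LOG":
            continue                           # non-terminating target: keep walking
        verdict = walk_chain(chains, target, pkt, trace)   # jump into a user-defined chain
        if verdict is not None:
            return verdict                     # the sub-chain decided; otherwise carry on here
    return None


def filter_packet(chains, builtin, pkt):
    """Run a packet through a built-in chain. The policy is consulted only when the
    built-in chain itself returns no verdict, i.e. the packet fell off its end."""
    trace = []
    verdict = walk_chain(chains, builtin, pkt, trace)
    policy_used = verdict is None
    if policy_used:
        verdict = chains[builtin]["policy"]
    return verdict, policy_used, trace


def shorewall_like_ruleset(with_catch_all=True):
    """Constructed INPUT chain modelled on the thread's listing. The net2fw contents
    are hypothetical. with_catch_all=False removes the trailing LOG + DROP pair that
    a Shorewall-generated chain ends with."""
    chains = {
        "INPUT": {"policy": "DROP", "rules": [
            ({"in": "wlan0"}, "net2fw"),       # jump for traffic from the net zone
            ({"in": "lo"}, "ACCEPT"),          # the 'ACCEPT all' rule is bound to lo only
        ]},
        "net2fw": {"policy": None, "rules": [
            ({"proto": "tcp", "dport": 22}, "ACCEPT"),
            ({"proto": "icmp"}, "ACCEPT"),
        ]},
    }
    if with_catch_all:
        chains["INPUT"]["rules"] += [({}, "LOG"), ({}, "DROP")]   # {} matches every packet
    return chains


if __name__ == "__main__":
    ssh = {"in": "wlan0", "proto": "tcp", "dport": 22}
    telnet = {"in": "wlan0", "proto": "tcp", "dport": 23}
    for label, chains in (("with catch-all", shorewall_like_ruleset(True)),
                          ("without catch-all", shorewall_like_ruleset(False))):
        for pkt in (ssh, telnet):
            verdict, by_policy, trace = filter_packet(chains, "INPUT", pkt)
            how = " (decided by chain policy)" if by_policy else ""
            print(f"{label:18} tcp/{pkt['dport']}: {verdict}{how}  via {trace}")
```

In the simulation the telnet-port packet is dropped either way, but for different reasons: with the catch-all it is logged and dropped by the last two rules of INPUT, so the policy counter never moves; without them it falls off the end and the DROP policy is what decides it. That is the distinction between a bare `iptables -L` view, where the policy looks like it comes first, and the verbose counters, where you can see it never acts.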