Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
It was like this for a couple of weeks. I found the reason was I'd
removed 'tor' from the services file and so Shorewall failed to start.
I've removed tor from the rules file now, and of course it works.

But routestopped has only eth0, which is not connected. (wlan0 is) The
policy file seems to have everything DENYed.

So I don't understand how this could have happened?
On 2013-05-05 13:57:10 +0000, CACook@quantum-sci.com said:
> Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
> It was like this for a couple of weeks. I found the reason was I'd
> removed 'tor' from the services file and so Shorewall failed to start.
> I've removed tor from the rules file now, and of course it works.
>
> But routestopped has only eth0, which is not connected. (wlan0 is) The
> policy file seems to have everything DENYed.
>
> So I don't understand how this could have happened?

Startup behavior with Shorewall can be a bit tricky.

If you happen to run xUbuntu, you need to know that Upstart can't
guarantee that a 'shorewall stop' command is issued (and locks down the
firewall to routestopped) before the network is brought up.

None of that matters, as you have discovered, with an invalid Shorewall
configuration.

While I haven't tested this, it's likely that this also applies to
running 'shorewall stop' to lock the firewall to the routestopped
config.

As I recall, Shorewall checks its configuration, and will not change
*anything* without a valid config. This applies for both adding and
removing of rules, policies, and so on.

It appears likely you had an invalid config (as stated in your first
paragraph), and had rebooted the machine.

I'm willing to bet you didn't notice the message that shorewall didn't
start - either because you weren't watching, or because a boot splash
hid the message.

It doesn't matter what your policy, rules, or anything else is
configured. As I recall, if your configuration isn't valid, shorewall
won't apply any of it.

The default boot state for the Linux kernel allows any network
connection. It's likely it is also the state shorewall will leave you
with if your configuration is not valid.

'shorewall check' is very useful; ALWAYS run it after modifying your
shorewall config.

-- 
Troy Telford
On 5/6/13 4:31 PM, "Troy Telford" <ttelford.groups@gmail.com> wrote:
> On 2013-05-05 13:57:10 +0000, CACook@quantum-sci.com said:
>> Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
>> It was like this for a couple of weeks. I found the reason was I'd
>> removed 'tor' from the services file and so Shorewall failed to start.
>> I've removed tor from the rules file now, and of course it works.
>>
>> But routestopped has only eth0, which is not connected. (wlan0 is) The
>> policy file seems to have everything DENYed.
>>
>> So I don't understand how this could have happened?
>
> Startup behavior with Shorewall can be a bit tricky.
>
> If you happen to run xUbuntu, you need to know that Upstart can't
> guarantee that a 'shorewall stop' command is issued (and locks down the
> firewall to routestopped) before the network is brought up.
>
> None of that matters, as you have discovered, with an invalid Shorewall
> configuration.
>
> While I haven't tested this, it's likely that this also applies to
> running 'shorewall stop' to lock the firewall to the routestopped
> config.
>
> As I recall, Shorewall checks its configuration, and will not change
> *anything* without a valid config. This applies for both adding and
> removing of rules, policies, and so on.
>
> It appears likely you had an invalid config (as stated in your first
> paragraph), and had rebooted the machine.
>
> I'm willing to bet you didn't notice the message that shorewall didn't
> start - either because you weren't watching, or because a boot splash
> hid the message.
>
> It doesn't matter what your policy, rules, or anything else is
> configured. As I recall, if your configuration isn't valid, shorewall
> won't apply any of it.
>
> The default boot state for the Linux kernel allows any network
> connection. It's likely it is also the state shorewall will leave you
> with if your configuration is not valid.
>
> 'shorewall check' is very useful; ALWAYS run it after modifying your
> shorewall config.

Another thing here is to be sure to use 'shorewall show' (or 'iptables -L
-n -v') when looking at the Netfilter filter table configuration. You
can't tell what the state of the ruleset is by simply issuing 'iptables
-L' -- its output is almost useless and can make you believe that you are
wide open when you are not.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
On Tuesday, May 07, 2013 09:04:42 AM Tom Eastep wrote:
> Another thing here is to be sure to use 'shorewall show' (or 'iptables -L
> -n -v') when looking at the Netfilter filter table configuration. You
> can't tell what the state of the ruleset is by simply issuing 'iptables
> -L' -- its output is almost useless and can make you believe that you are
> wide open when you are not.
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

This looks like all is open to me:

# /etc/shorewall stop
# shorewall show
Shorewall 4.5.5.3 filter Table at droog - Tue May 7 09:09:26 PDT 2013

Counters reset Mon May 6 16:43:18 PDT 2013

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
On 5/7/13 4:29 PM, CACook@quantum-sci.com wrote:
> On Tuesday, May 07, 2013 09:04:42 AM Tom Eastep wrote:
>> Another thing here is to be sure to use 'shorewall show' (or 'iptables -L
>> -n -v') when looking at the Netfilter filter table configuration. You
>> can't tell what the state of the ruleset is by simply issuing 'iptables
>> -L' -- its output is almost useless and can make you believe that you are
>> wide open when you are not.
>>
>> -Tom
>> You do not need a parachute to skydive. You only need a parachute to
>> skydive twice.
>
> This looks like all is open to me:
>
> # /etc/shorewall stop
> # shorewall show
> Shorewall 4.5.5.3 filter Table at droog - Tue May 7 09:09:26 PDT 2013
>
> Counters reset Mon May 6 16:43:18 PDT 2013
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>

Impossible to tell -- if eth0 is your net interface, then *you* are
allowing traffic from that interface in /etc/shorewall/routestopped or
/etc/shorewall/stoppedrules. If it is an internal interface, then your
firewall is safe from new connections.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tuesday, May 07, 2013 05:15:09 PM Tom Eastep wrote:
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>
> Impossible to tell -- if eth0 is your net interface, then *you* are
> allowing traffic from that interface in /etc/shorewall/routestopped or
> /etc/shorewall/stoppedrules. If it is an internal interface, then your
> firewall is safe from new connections.

These specifically, look to me like everything is open.

wlan0 is internet-connected.
On 5/7/13 5:27 PM, CACook@quantum-sci.com wrote:
> On Tuesday, May 07, 2013 05:15:09 PM Tom Eastep wrote:
>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>   104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>>
>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>>
>>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>    98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>>
>>
>> Impossible to tell -- if eth0 is your net interface, then *you* are
>> allowing traffic from that interface in /etc/shorewall/routestopped or
>> /etc/shorewall/stoppedrules. If it is an internal interface, then your
>> firewall is safe from new connections.
>
> These specifically, look to me like everything is open.
>
> wlan0 is internet-connected.

Then your firewall was *NOT* open from the net.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tuesday, May 07, 2013 06:19:01 PM Tom Eastep wrote:
> Then your firewall was *NOT* open from the net.

Well then why does it *say* everything is open?
On 05/08/2013 02:50 PM, CACook@quantum-sci.com wrote:
> On Tuesday, May 07, 2013 06:19:01 PM Tom Eastep wrote:
>> Then your firewall was *NOT* open from the net.
>
> Well then why does it *say* everything is open?

It doesn't. There's a DROP policy by default on every chain. It's only
open for traffic on the eth0 & lo interfaces.
On Tuesday, May 07, 2013 11:59:49 PM Paul Gear wrote:
> On 05/08/2013 02:50 PM, CACook@quantum-sci.com wrote:
>> On Tuesday, May 07, 2013 06:19:01 PM Tom Eastep wrote:
>>> Then your firewall was *NOT* open from the net.
>>
>> Well then why does it *say* everything is open?
>
> It doesn't. There's a DROP policy by default on every chain. It's only
> open for traffic on the eth0 & lo interfaces.

But notice that for every chain these are accept all?

INPUT
  104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

FORWARD
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

OUTPUT
   98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
On 05/08/2013 06:43 AM, CACook@quantum-sci.com wrote:
> On Tuesday, May 07, 2013 11:59:49 PM Paul Gear wrote:
>> On 05/08/2013 02:50 PM, CACook@quantum-sci.com wrote:
>>> On Tuesday, May 07, 2013 06:19:01 PM Tom Eastep wrote:
>>>> Then your firewall was *NOT* open from the net.
>>>
>>> Well then why does it *say* everything is open?
>>
>> It doesn't. There's a DROP policy by default on every chain. It's only
>> open for traffic on the eth0 & lo interfaces.
>
> But notice that for every chain these are accept all?
>
> INPUT
>   104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>
> FORWARD
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>
> OUTPUT
>    98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>

Accept all packets that are part of an *existing connection* or that are
related to *an existing connection*.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 05/08/2013 07:16 AM, Tom Eastep wrote:
> On 05/08/2013 06:43 AM, CACook@quantum-sci.com wrote:
>> On Tuesday, May 07, 2013 11:59:49 PM Paul Gear wrote:
>>> On 05/08/2013 02:50 PM, CACook@quantum-sci.com wrote:
>>>> On Tuesday, May 07, 2013 06:19:01 PM Tom Eastep wrote:
>>>>> Then your firewall was *NOT* open from the net.
>>>>
>>>> Well then why does it *say* everything is open?
>>>
>>> It doesn't. There's a DROP policy by default on every chain. It's only
>>> open for traffic on the eth0 & lo interfaces.
>>
>> But notice that for every chain these are accept all?
>>
>> INPUT
>>   104 10002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>> FORWARD
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>> OUTPUT
>>    98  6364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>>
>
> Accept all packets that are part of an *existing connection* or that are
> related to *an existing connection*.
>

The only time that you should see an open firewall after boot is when
${VARDIR}/firewall does not exist and compilation of the configuration
fails.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
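As an added illustration (not code from this thread or from Shorewall), the following Python reads an 'iptables -L -n -v' listing like the one posted above and answers the question the poster was actually asking: could a NEW connection arriving on a given interface be accepted by a chain? It applies Tom's point that a rule matching only RELATED,ESTABLISHED is irrelevant to new flows, so it must not be read as "ACCEPT all". The sample listing is constructed from the posted output; the function names are my own.

```python
import re

# Constructed sample: the 'shorewall show' / 'iptables -L -n -v' listing
# the original poster pasted, reduced to its filter-table chains.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 104 10002 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 98 6364 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse_filter_table(text):
    """Return {chain: (policy, [rules])} from 'iptables -L -n -v' output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        # pkts bytes target prot opt in out source destination [matches...]
        chains[current][1].append({"target": cols[2], "in": cols[5],
                                   "out": cols[6], "match": " ".join(cols[9:])})
    return chains

def accepts_new(chains, chain, iface, direction="in"):
    """Would a NEW connection on iface be ACCEPTed by this chain?
    First matching rule wins. A rule carrying 'ctstate' without NEW
    (e.g. RELATED,ESTABLISHED) can never match a new flow, so it is skipped.
    Assumption: no jumps to user chains, as in the stopped ruleset above."""
    policy, rules = chains[chain]
    for r in rules:
        if r[direction] not in ("*", iface):
            continue
        if "ctstate" in r["match"] and "NEW" not in r["match"]:
            continue
        return r["target"] == "ACCEPT"
    return policy == "ACCEPT"
```

Run against the posted listing, wlan0 (the internet-facing interface) gets no ACCEPT for new connections in any chain, while eth0 and lo do, which is exactly what Tom and Paul describe.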