On 8/30/2013 7:33 PM, Mark van Dijk wrote:
> Hi Tom, list members,
>
> With Shorewall's REJECT rule handling, the firewall generates a RST for
> TCP and an ICMP 3/1 destination host unreachable for the other
> protocols. I think it is not possible to customise this behaviour.
> Unless I overlooked something but I hope not, for the sake of this email. :)
>
> Since the stack supports specifying type 3 rejection codes I am hoping
> shorewall could support it too. In my case I'd like the firewall to
> return code 15 "Communication administratively prohibited" or code 8
> "Source host isolated" for when I'm in a BOFH mood.
>
> One simple suggestion is to define a new PROHIBIT target with a static
> alternative set in shorewall.conf.
>
> I would have suggested it to be configurable on a per-rule basis but
> remain unsure if that would require too much work for its purpose.
>
In 4.5.21, it will be possible to do that. See the sample action below.
Note that it doesn't work with earlier versions because the compiler
rejects the '--reject-with' option when '-j REJECT' is used with INLINE.
>
> Probably not: the Internet is a much bigger place these days. Although
> it does feel like the opposite, doesn''t it?
>
> While unintended it sounds cynical to say "thank you" here so let me try
> "kind regards" instead.*
>
:-)
The following is from the 4.5.21 Beta 1 release notes. I will be
uploading Beta 1 later this week.

1) When a REJECT target is specified, Shorewall normally handles the
   packet as follows:

   - If the destination address is a broadcast or multicast address,
     the packet is dropped.
   - If the protocol is IGMP (1), then the packet is dropped.
   - If the protocol is TCP (6) then the packet is rejected with an RST.
   - If the protocol is UDP (17) then the packet is rejected with
     a 'port-unreachable' ICMP (ICMP6).
   - If the protocol is ICMP (ICMP6), then the packet is rejected
     with a 'host-unreachable' ('addr-unreachable') ICMP (ICMP6).
   - Otherwise, the packet is rejected with a 'host-prohibited'
     (adm-prohibited) ICMP (ICMP6).

   Beginning with this release, this behavior may be modified using
   the new REJECT_ACTION option in shorewall.conf (shorewall6.conf).

       REJECT_ACTION=<action>

   where <action> is the name of an action that implements your
   alternative handling. The 'nolog' option is automatically assumed
   for the named <action> and it is recommended that the 'inline'
   option be specified for the action in /etc/shorewall/actions.

   The following action implements the standard behavior described
   above:
   ?format 2
   #TARGET          SOURCE  DEST    PROTO
   Broadcast(DROP)  -       -       -
   DROP             -       -       2
   INLINE           -       -       6       ; -j REJECT --reject-with tcp-reset
   ?if __ENHANCED_REJECT
   INLINE           -       -       17      ; -j REJECT
   ?if __IPV4
   INLINE           -       -       1       ; -j REJECT --reject-with icmp-host-unreachable
   INLINE           -       -       -       ; -j REJECT --reject-with icmp-host-prohibited
   ?else
   INLINE           -       -       58      ; -j REJECT --reject-with icmp6-addr-unreachable
   INLINE           -       -       -       ; -j REJECT --reject-with icmp6-adm-prohibited
   ?endif
   ?else
   INLINE           -       -       -       ; -j REJECT
   ?endif
Cheers,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
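Added example, not part of the thread and not Shorewall's own code: a small Python simulation of how a REJECT_ACTION file is evaluated, so one can check what a given protocol ends up being answered with before deploying an alternative action. It embeds the standard action quoted above verbatim and a constructed alternative (a hypothetical action named Prohibit, which shorewall.conf would select with REJECT_ACTION=Prohibit) that keeps the broadcast drop and the TCP RST but answers everything else with administratively-prohibited. Assumptions: the ?if/?else/?endif preprocessor is modelled only for bare capability names such as __ENHANCED_REJECT and __IPV4, Broadcast(DROP) is modelled by a broadcast flag on the packet, and an INLINE '-j REJECT' without '--reject-with' takes iptables' documented default of port-unreachable.

```python
"""Simulate first-match evaluation of a Shorewall REJECT_ACTION file.

Added example (not Shorewall's code): models ?if/?else/?endif on capability
names and first-match on the PROTO column, enough to see which iptables
'--reject-with' a protocol is answered with.
"""
import re
from dataclasses import dataclass

# Standard action from the 4.5.21 release notes, verbatim.
STANDARD_ACTION = """\
?format 2
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
DROP - - 2
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
INLINE - - 17 ; -j REJECT
?if __IPV4
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
?else
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
INLINE - - - ; -j REJECT
?endif
"""

# Constructed alternative (hypothetical 'Prohibit' action): keep the broadcast
# drop and the TCP RST, answer everything else with administratively-prohibited.
PROHIBIT_ACTION = """\
?format 2
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
?if __IPV4
INLINE - - - ; -j REJECT --reject-with icmp-admin-prohibited
?else
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
?endif
"""


@dataclass
class Rule:
    target: str   # TARGET column: DROP, INLINE, Broadcast(DROP), ...
    proto: str    # PROTO column; '-' matches any protocol
    inline: str   # iptables options after ';' on INLINE rules


def preprocess(text, caps):
    """Keep the rule lines that survive ?if/?else/?endif under the given capabilities."""
    kept, stack = [], []   # stack[i] is True while the i-th open ?if branch is active
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('?format'):
            continue
        if line.startswith('?if '):
            stack.append(bool(caps.get(line.split(None, 1)[1].strip(), False)))
        elif line == '?else':
            stack[-1] = not stack[-1]
        elif line == '?endif':
            stack.pop()
        elif all(stack):
            kept.append(line)
    return kept


def parse_rules(lines):
    """Split 'TARGET SOURCE DEST PROTO ; inline-options' lines into Rule records."""
    rules = []
    for line in lines:
        cols, _, inline = line.partition(';')
        target, _src, _dest, proto = cols.split()[:4]
        rules.append(Rule(target, proto, inline.strip()))
    return rules


def reject_verdict(action_text, caps, proto, broadcast=False):
    """First-match evaluation for one packet; returns the resulting verdict string."""
    # iptables REJECT without --reject-with defaults to port-unreachable.
    default = 'icmp-port-unreachable' if caps.get('__IPV4') else 'icmp6-port-unreachable'
    for rule in parse_rules(preprocess(action_text, caps)):
        if rule.target.startswith('Broadcast('):
            if broadcast:   # simplified: Broadcast(X) matches broadcast/multicast destinations
                return rule.target[len('Broadcast('):-1]
            continue
        if rule.proto != '-' and int(rule.proto) != proto:
            continue
        if rule.target == 'INLINE':
            m = re.search(r'--reject-with\s+(\S+)', rule.inline)
            return 'REJECT ' + (m.group(1) if m else default)
        return rule.target
    return 'no match'


if __name__ == '__main__':
    for family, caps in (('IPv4', {'__ENHANCED_REJECT': True, '__IPV4': True}),
                         ('IPv6', {'__ENHANCED_REJECT': True, '__IPV4': False})):
        for name, text in (('standard', STANDARD_ACTION), ('Prohibit', PROHIBIT_ACTION)):
            for proto in (6, 17, 1, 58, 2, 47):
                print(f'{family} {name:9} proto {proto:3}: {reject_verdict(text, caps, proto)}')
```

Running it prints one verdict per family/action/protocol; the point to notice is that the catch-all '-' rule only applies after the protocol-specific rules, so any alternative action must list its specific cases before the final INLINE line, exactly as the standard action does.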