Hervé Werner
2014-Feb-28 17:05 UTC
ADMINISABSENTMINDED=No misbehaviour according to the manual
Hello.
I'm having trouble with the ADMINISABSENTMINDED option; it doesn't seem
to work as stated in the manual.
When using the default ADMINISABSENTMINDED=Yes and no routestopped file,
here is the firewall state after executing shorewall stop:
Chain INPUT (policy DROP 473 packets, 106K bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1653 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4  1322 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain OUTPUT (policy ACCEPT 30 packets, 2024 bytes)
 pkts bytes target     prot opt in     out     source               destination

(see attached shore1.gz)
All right at this point.
But when changing ADMINISABSENTMINDED to No, RELATED and ESTABLISHED
traffic is still accepted:
Chain INPUT (policy DROP 216 packets, 70757 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain OUTPUT (policy DROP 2 packets, 128 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   156 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

(see attached shore2.gz)
whereas the manual says that "When ADMINISABSENTMINDED=No, only traffic
to/from those addresses listed in shorewall-routestopped(5) is
accepted".
Here are all the steps I did:
$ curl -O http://garr.dl.sourceforge.net/project/shorewall/Shorewall-4.5/4.5.21/shorewall-4.5.21.6.tar.bz2
$ tar -xjf shorewall-4.5.21.6.tar.bz2
$ cd shorewall-4.5.21.6 ; ./configure && make
I edited Samples/Universal/shorewall.conf and changed CONFIG_PATH to:
CONFIG_PATH=/tmp/shorewall-4.5.21.6/Samples/Universal:/tmp/shorewall-4.5.21.6:/tmp/shorewall-4.5.21.6/Macros
I used this command to start Shorewall: sudo ./shorewall start Samples/Universal/
and this one to stop it: sudo ./shorewall stop
I launched Shorewall with the default ADMINISABSENTMINDED value and
stopped it. I then did the same test again with ADMINISABSENTMINDED=No.
Do you agree, or did I misunderstand the manual?
H. Werner
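The comparison the post makes by eye (which chains of the stopped firewall still ACCEPT conntrack RELATED,ESTABLISHED traffic, and what each chain's policy is) can be automated against `iptables -L -v -n` output. The script below is an added example, not part of the post or of Shorewall; the two listings embedded in it are constructed from the two stopped-state listings in the post, re-joined onto single lines, and the function and variable names are the example's own. The check function encodes the post's reading of the manual: with ADMINISABSENTMINDED=No and no routestopped file, no chain should still accept RELATED,ESTABLISHED traffic.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): parse the
# `iptables -L -v -n` listing format and report, per chain, the policy and
# whether an ACCEPT rule for ctstate RELATED,ESTABLISHED is present.

# Constructed sample: the ADMINISABSENTMINDED=Yes listing from the post
# (shore1.gz), re-joined onto single lines.
SAMPLE_YES='Chain INPUT (policy DROP 473 packets, 106K bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1653 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4  1322 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain OUTPUT (policy ACCEPT 30 packets, 2024 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Constructed sample: the ADMINISABSENTMINDED=No listing from the post
# (shore2.gz), re-joined onto single lines.
SAMPLE_NO='Chain INPUT (policy DROP 216 packets, 70757 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68

Chain OUTPUT (policy DROP 2 packets, 128 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   156 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
'

# Print "<chain> <policy>" for every chain header in the listing on stdin.
# Header layout: "Chain NAME (policy POLICY ...)", so $2 is the name, $4 the policy.
chain_policies() {
    awk '/^Chain / { print $2, $4 }'
}

# Print the name of each chain (once) that holds an ACCEPT rule matching
# ctstate RELATED,ESTABLISHED. In rule lines $3 is the target column.
chains_accepting_established() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "ACCEPT" && /ctstate RELATED,ESTABLISHED/ && !seen[chain]++ { print chain }
    '
}

# Exit 0 if no chain in the listing on stdin accepts RELATED,ESTABLISHED,
# which is what the post expects from the manual for ADMINISABSENTMINDED=No
# with no routestopped file; otherwise name the chains on stderr and exit 1.
check_no_established_accepts() {
    offending=$(chains_accepting_established | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$offending" ]; then
        printf 'RELATED,ESTABLISHED still accepted in: %s\n' "$offending" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed samples; on a live host, feed `iptables -L -v -n`
# into the same functions instead of the samples.
printf '%s' "$SAMPLE_YES" | chain_policies
printf '%s' "$SAMPLE_NO"  | chain_policies
printf '%s' "$SAMPLE_NO"  | check_no_established_accepts || echo "stopped state does not match the manual's description"
```

The two policy listings make the difference the post observed explicit: the OUTPUT chain's policy changes from ACCEPT to DROP, and the RELATED,ESTABLISHED accept rules stay in all three chains.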