Andy Kannberg | 8 Feb 12:07

shorewall noob question

Hi Folks,


Just subscribed as I am confused about shorewall...
Here's my story (in a nutshell):
I've inherited a shorewall configuration on a few systems. However, documentation is not available and I don't know shorewall at all.
So, at first I started digging in the man pages, configuration files, the shorewall website and searched the net with google, and I thought I got
a feeling of how the application works.
However, there are some questions which I cannot get answered (or I am asking the wrong kind of questions, that's possible also).
Anyway, for now I would like to know:

- How does shorewall stand against iptables? Does it need iptables or do both programs co-exist nicely?
- How are chains defined in shorewall? I get a lot of output when I do a 'shorewall show', but I cannot figure out where the chains come from. Or are they the result of shorewall combining the config from the policy config file?

That's it for starters. Hope you guys can help me out or point me in the right direction.

cheers,
Andy
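
Added example for the two questions above (not code from the post or from the Shorewall project): Shorewall is a compiler that turns its configuration files into ordinary iptables chains and rules, so `iptables-save` on a running Shorewall host shows exactly what it produced. The script parses that format and reports, for every chain, whether it is a netfilter built-in or a Shorewall-generated chain, how many rules it holds, and which chains jump to it. The ruleset below is a constructed sample imitating Shorewall's zone-to-zone naming (`net2fw`, `loc2net`); chain names and rule contents are assumptions, not captured output.

```python
"""Inventory the iptables chains behind a Shorewall-generated ruleset.

Added example: parses `iptables-save` style text and shows which chains are
netfilter built-ins and which were created by Shorewall, plus who jumps where.
"""
import re

# Constructed sample of `iptables-save` output; names imitate Shorewall 4.x
# conventions but were written for this example, not captured from a host.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:net2fw - [0:0]
:fw2net - [0:0]
:loc2net - [0:0]
:Drop - [0:0]
:dynamic - [0:0]
-A INPUT -i eth0 -j dynamic
-A INPUT -i eth0 -j net2fw
-A FORWARD -i eth1 -o eth0 -j loc2net
-A OUTPUT -o eth0 -j fw2net
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j Drop
-A loc2net -j ACCEPT
-A fw2net -j ACCEPT
-A Drop -j DROP
COMMIT
"""

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


def chain_inventory(dump):
    """Return {chain: {table, builtin, policy, rules, called_from}} for an iptables-save dump."""
    inventory = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            continue
        if line.startswith(":"):                 # chain declaration: :NAME POLICY [pkts:bytes]
            name, policy, _counters = line[1:].split(None, 2)
            inventory[name] = {
                "table": table,
                "builtin": name in BUILTIN_CHAINS,
                "policy": None if policy == "-" else policy,   # user chains have no policy
                "rules": 0,
                "called_from": set(),
            }
            continue
        tokens = line.split()
        if tokens[0] != "-A":
            continue
        chain = tokens[1]
        inventory[chain]["rules"] += 1
        for flag in ("-j", "-g"):                # jump or goto to another chain
            if flag in tokens:
                target = tokens[tokens.index(flag) + 1]
                if target in inventory:          # a chain, not a verdict like ACCEPT/DROP
                    inventory[target]["called_from"].add(chain)
    return inventory


def zone_pairs(inventory):
    """Chains named <zone>2<zone> are Shorewall's per-zone-pair rule chains."""
    pairs = {}
    for name in inventory:
        m = re.fullmatch(r"([a-z]+)2([a-z]+)", name)
        if m:
            pairs[name] = (m.group(1), m.group(2))
    return pairs


if __name__ == "__main__":
    inv = chain_inventory(SAMPLE_IPTABLES_SAVE)
    for name, info in inv.items():
        kind = "built-in" if info["builtin"] else "user-defined"
        print(f"{name:10} {kind:13} rules={info['rules']} "
              f"called_from={sorted(info['called_from'])}")
    print("zone pairs:", zone_pairs(inv))
```

On a real host replace the sample with the output of `iptables-save`; the built-in chains are the only ones netfilter creates itself, everything else in the listing was written by Shorewall from the zones, interfaces, policy and rules files.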


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
Azfar Hashmi | 6 Feb 10:53

xtables with shorewall

Hi everyone,

I am getting the following error with xtables.

RTNETLINK answers: Invalid argument
We have an error talking to the kernel
   ERROR: Command "tc filter add dev eth0 protocol all parent 1:0 prio 276 handle 0 fw classid 1:10" Failed

iptables-1.4.9.1
xtables-1.41
Shorewall-4.4.11.6
kernel-2.6.32-5-686
shorewall conf files:

tcrules:

RESTORE:F            -             -           all
CONTINUE:F           -             -           all         -              -          -       !0
1:F                  -             -           ipp2p:all        edk
1:F                  -             -           ipp2p:all        dc
1:F                  -             -           ipp2p:all        kazaa
1:F                  -             -           ipp2p:all        bit
1:F                  -             -           ipp2p:all        apple
1:F                  -             -           ipp2p:all        winmx
1:F                  -             -           ipp2p:all        soul
1:F                  -             -           ipp2p:all        ares
SAVE:F               -             -           all         -              -          -       1

tcdevices:
eth0            100mbps         100mbps
tun0            100mbps         100mbps
tun1            100mbps         100mbps

tcclasses:
eth0            0       full/2  full    1               default
eth0            1       1kbit   1kbit   2
tun0            0       full/4  full    1               default
tun0            1       1kbit   1kbit   2
tun1            0       full/4  full    1               default
tun1            1       1kbit   1kbit   2

The same setup is working on other machines. Tried module-assistant and
source builds of different versions of both xtables and iptables. 'shorewall show
capabilities' shows all available and the 'shorewall check' result is ok.

I.S.C. William | 2 Feb 16:18

How to add two or more MAC addresses in one line

Hi !!


How can I have more than two MAC addresses apply to a rule in shorewall? I have the following to block port 443:

REJECT      loc:~00-11-22-33-44-55    net    tcp     443

I try this

REJECT      loc:~00-11-22-33-44-55,~AA-BB-CC-DD-EE-FF    net    tcp    443

but, no rules ...

How would a rule be written to put 2 or more MAC addresses on the same line?

Greetings!!

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN         wljkoala23 <at> hotmail.com
Jabber       koalasoft <at> jabber.org
Web:         www.koalasoftmx.tk
Twitter:      <at> koalasoft
Facebook:  william.koalasoft
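
Added example, not from the post: whatever SOURCE syntax the installed Shorewall version accepts for a MAC list, the way to find out whether "no rules" is literally true is to compare the MACs in the rule against the compiled ruleset. Shorewall writes a MAC as `~00-11-22-33-44-55` (tilde, dash-separated); iptables renders the same match as `-m mac --mac-source 00:11:22:33:44:55`. The helper converts one form to the other and reports which MACs are missing from an `iptables-save` dump. The ruleset text is a constructed sample in which only the first MAC was emitted; the chain name `loc2net` is an assumption.

```python
"""Check that every MAC in a Shorewall SOURCE column reached the iptables ruleset.

Added example; the sample ruleset is constructed to show the symptom
(only the first of two MACs present), it is not captured output.
"""
import re

# Shorewall form: optional ~ then six hex pairs separated by - (or :)
MAC_RE = re.compile(r"^~?([0-9A-Fa-f]{2})([-:]([0-9A-Fa-f]{2})){5}$")


def shorewall_macs(source_column):
    """'loc:~aa-bb-cc-dd-ee-ff,~11-22-33-44-55-66' -> ['aa:bb:cc:dd:ee:ff', '11:22:...']."""
    _zone, _sep, hosts = source_column.partition(":")   # MACs use dashes, so the first ':' ends the zone
    macs = []
    for item in hosts.split(","):
        item = item.strip()
        if not MAC_RE.match(item):
            raise ValueError(f"not a Shorewall MAC spec: {item!r}")
        macs.append(item.lstrip("~").replace("-", ":").lower())
    return macs


def macs_in_ruleset(ruleset):
    """Every --mac-source value present in iptables-save output, lower-cased."""
    return {m.lower() for m in re.findall(r"--mac-source\s+([0-9A-Fa-f:]{17})", ruleset)}


def missing_macs(source_column, ruleset):
    """MACs from the rule's SOURCE column that never made it into the compiled ruleset."""
    present = macs_in_ruleset(ruleset)
    return [m for m in shorewall_macs(source_column) if m not in present]


# Constructed sample: only the first MAC was compiled into a rule.
SAMPLE_RULESET = """\
-A loc2net -m mac --mac-source 00:11:22:33:44:55 -p tcp --dport 443 -j reject
-A loc2net -j ACCEPT
"""

if __name__ == "__main__":
    print(missing_macs("loc:~00-11-22-33-44-55,~AA-BB-CC-DD-EE-FF", SAMPLE_RULESET))
```

An empty list means the rule compiled as intended; a non-empty one says which address to look for in `shorewall check -v` or the compiled script before touching the syntax.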

Angela Williams | 2 Feb 12:36

Shorewall and IMQ

Hi All
There is a little bit in the archive about shorewall and IMQ.
http://www.mail-archive.com/shorewall-users <at> lists.sourceforge.net/msg08109.html
Where Pablo gave a bit of info about putting the bits needed into the init
script and the shorewall start and stop files.

The same site that I will be converting to shorewall currently runs a brute 
force ingress script using IMQ. It basically just throws away packets if they 
exceed a configured bandwidth. It also gives a bit of priority to ssh, https, 
vnc and nagios traffic and really works well. I used the howto at
http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
plus a few extra tweaks. 

What are the chances of keeping my IMQ stuff? 

Okay I know that IMQ is not in the kernel or in iptables either and both need 
to be patched. Even with Gentoo emerge this is quite easy with iptables. I 
just manually run ebuild

IMQ has had its ups and downs but the dev guys seem quite on the ball 
currently. Patches for the latest 3.1.x kernel as well as the latest iptables.
The only reason I seem to have read a few years back was a personality clash that 
resulted in IMQ becoming a black sheep. Black sheep or not it works like a 
wiz.

Cheers
Ang

--

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!


IPTables / Shorewall.

Hello All,

I have a doubt about converting some iptables rules to shorewall. I have a setup with $FW, loc, net in my rules file, and I want to implement the following rule to use with IMSpector. I tried to find something equivalent but no luck...

iptables -t nat -A OUTPUT -p tcp --destination-port 1863 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667

So if anyone can help I will be grateful!!!

Best regards,
Arnaldo Giacomitti Junior

Angela Williams | 31 Jan 14:03

Shorewall and sshdfilter

Hi All!

Been quite a few years and lots of water under the bridge but here I am back!

I have a customer that has now decided they need a bit more bandwidth over and 
above their fixed line! They are not in a good area for ADSL because of copper 
theft and being a bit too far from the closest DSLAM! They have installed a 
wireless link and I have made certain to put it behind my simple iptables 
firewall! My old script will no longer cut it as I need all the raw power of 
Shorewall! I had total success with it in the past in a very complex 
situation! Almost like a multiple DMZ type of setup!
Since those days the simple script based iptables generator has served me 
well!
Re-reading all the documentation the standardish 2 interface will do pretty 
well plus adding the extra bits to handle the two internet lines on one 
interface! What a joy that they both have static IPs!
I don't see any real problems in getting it up and running!

Now comes the little problem!

I chose many years ago to use sshdfilter because it was the most effective sshd 
blocker I found! It only suffers from a little problem!  It needs a table/chain 
created called SSHD and then a rule added like this!

# patched for sshdfilter
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD

The rest of sshdfilter doing its work of adding and removing IP addresses from 
the DROP table should be of no concern!

Now I had had a bit of a go at trying to figure out how to add the table and 
the rule but maybe I'm just asking the wrong question in Google! Even this 
mail list, although it has a bit on brute force ssh attacks and discusses 
sshdfilter, has no reference to Shorewall and creating the required extras!

At a guess I would start with the actions file to add a rule but adding the 
SSHD table is another whole story!

Any ideas anyone! Crack this one and Shorewall will go back into all my 
customers! My old script is past its sell-by date!

Cheers

Ang

--

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Jesus Loves You!


strange blacklist fail

Hi,

I've recently blocked a bunch of IP addresses from a country with a red 
flag, one big golden star in the top left corner and 4 smaller stars 
next to it, building the shape of a semi circle.
Many rules in /etc/shorewall/blacklist are valid and effective, like e.g.
208.115.192.0/18
216.245.192.0/19
221.200.0.0/14
I can see blacklist logs in syslog.

But I have one rule that doesn't block requests:
58.208.0.0/12

I have for sure restarted shorewall (using Shorewall-4.4.11.2), but I 
still get port scans and http requests from
58.218.199.227

An iptables -L -n shows the entry in the blacklist:

Chain blacklog (34 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:blacklst:DROP:'
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain blacklst (14 references)
target     prot opt source               destination
blacklog   all  --  58.208.0.0/12        0.0.0.0/0

I have for sure equipped all external interfaces with the blacklist option:
net ppp0        -        blacklist
net ppp1        -        blacklist
net ippp1       -        blacklist
net ippp0       -        blacklist
net tun1        -        blacklist
net tun2        -        blacklist
vpn tun3        -        blacklist
loc eth0        detect
loc eth1        detect
loc eth2        detect

And BTW, the 58.208... reference is the only one in iptables -L -n.
How can I for sure block that IP? I thought it was included in the 
above rule.
Do I have to worry about my kernel being tainted?

Thanx for any hints
Regards
Michael
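
Added example, not from the post: two checks a practitioner would run before suspecting the kernel. The first parses the blacklist file and lists which entries cover an observed source address; the second reads an `iptables -L -n` chain dump and reports which blacklist entries are present in the `blacklst` chain and which are not. The network values and the chain excerpt are copied from the post; the file layout (comments, first column ADDRESS/SUBNET) follows the Shorewall blacklist file.

```python
"""Which blacklist entries cover a source IP, and which are loaded in the blacklst chain.

Added example; values below are taken from the post, not from a live host.
"""
import ipaddress
import re

BLACKLIST_SAMPLE = """\
# excerpt of /etc/shorewall/blacklist (values from the post)
208.115.192.0/18
216.245.192.0/19
221.200.0.0/14
58.208.0.0/12
"""

# `iptables -L -n` excerpt for the blacklst chain, as quoted in the post
BLACKLST_CHAIN_SAMPLE = """\
Chain blacklst (14 references)
target     prot opt source               destination
blacklog   all  --  58.208.0.0/12        0.0.0.0/0
"""


def parse_blacklist(text):
    """(line number, network) for each ADDRESS/SUBNET entry; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address = line.split()[0]               # first column is ADDRESS/SUBNET
        entries.append((lineno, ipaddress.ip_network(address, strict=False)))
    return entries


def covering_entries(text, ip):
    """Blacklist entries whose prefix contains ip, as (line number, 'a.b.c.d/n')."""
    addr = ipaddress.ip_address(ip)
    return [(n, str(net)) for n, net in parse_blacklist(text) if addr in net]


def chain_sources(dump, chain):
    """Normalised source prefixes listed in one chain of an `iptables -L -n` dump."""
    sources = set()
    in_chain = False
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            in_chain = m.group(1) == chain
            continue
        fields = line.split()
        if in_chain and len(fields) >= 5 and fields[0] != "target":
            sources.add(str(ipaddress.ip_network(fields[3], strict=False)))
    return sources


def loaded_entries(blacklist_text, dump, chain="blacklst"):
    """Split blacklist entries into those present in the chain and those absent from it."""
    present = chain_sources(dump, chain)
    hits, misses = [], []
    for _n, net in parse_blacklist(blacklist_text):
        (hits if str(net) in present else misses).append(str(net))
    return hits, misses


if __name__ == "__main__":
    print(covering_entries(BLACKLIST_SAMPLE, "58.218.199.227"))
    print(loaded_entries(BLACKLIST_SAMPLE, BLACKLST_CHAIN_SAMPLE))
```

On the post's values the containment check confirms that 58.218.199.227 lies inside 58.208.0.0/12 (58.208.0.0 to 58.223.255.255), so the prefix arithmetic is not the problem; the next thing to compare is the packet counter on that `blacklog` rule (`iptables -L blacklst -n -v`) against the logged hits, which tells whether the offending traffic ever reaches the chain on the interface it arrives on.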


MARK accounting packet counts do not match mangle or tc

I am using complex traffic shaping and marking traffic with MARK 1 through 5.
Then I am using accounting to detect the MARKs and keep counts of each so that I can see that my traffic shaping is doing what I want.

I am finding that the accounting packet count is often 0 when the corresponding "shorewall show tc" priority does have a packet count.

Here is my tcclasses:
#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
#$NET_IF = eth0

$NET_IF         1       400kbit         full            1               tos=0x68/0xfc,tos=0xb8/0xfc     # voip: N trunks @ 80kbit per trunk : at least 400kbit for 5 trunks.  Here 5% of 10mbit is 500kbit.
$NET_IF         2       full*10/100     full            2               tcp-ack,tos-minimize-delay      # interactive traffic
$NET_IF         3       full*10/100     full            3                                               # vpn traffic (encrypted)
$NET_IF         4       full*60/100     full            4               default                         # default
$NET_IF         5       full*10/100     full*95/100     5                                               # backups and other low priority stuff

Here are my tc and accounting results.  Notice how the tc packet count for priority 3 (which is mark 3) is 23477 whereas the accounting packet count for mark 3 is 0.  Conversely notice how tc packet count for priority 5 (which is mark 5) is 0 whereas the accounting packet count for mark 5 is 17130.  The counts for priority 1 pretty closely match the accounting counts for mark 1.


# shorewall show tc | tail -55 | head -35;shorewall show tc_0 tc_1 tc_2 tc_3 tc_4 tc_5
class htb 1:11 parent 1:1 leaf 2: prio 1 quantum 2000 rate 400000bit ceil 5000Kbit burst 1800b/8 mpu 0b overhead 0b cburst 4Kb/8 mpu 0b overhead 0b level 0
 Sent 7884354 bytes 37911 pkt (dropped 0, overlimits 0 requeues 0)
 rate 240bit 0pps backlog 0b 0p requeues 0
 lended: 37911 borrowed: 0 giants: 0
 tokens: 34720 ctokens: 6458

class htb 1:1 root rate 5000Kbit ceil 5000Kbit burst 4Kb/8 mpu 0b overhead 0b cburst 4Kb/8 mpu 0b overhead 0b level 7
 Sent 31397414 bytes 251481 pkt (dropped 0, overlimits 0 requeues 0)
 rate 107728bit 71pps backlog 0b 0p requeues 0
 lended: 1727 borrowed: 0 giants: 0
 tokens: 5959 ctokens: 5959

class htb 1:13 parent 1:1 leaf 4: prio 3 quantum 2500 rate 500000bit ceil 5000Kbit burst 1850b/8 mpu 0b overhead 0b cburst 4Kb/8 mpu 0b overhead 0b level 0
 Sent 7805243 bytes 23477 pkt (dropped 0, overlimits 0 requeues 0)
 rate 22088bit 13pps backlog 0b 0p requeues 0
 lended: 21781 borrowed: 1696 giants: 0
 tokens: 23584 ctokens: 5959

class htb 1:12 parent 1:1 leaf 3: prio 2 quantum 2500 rate 500000bit ceil 5000Kbit burst 1850b/8 mpu 0b overhead 0b cburst 4Kb/8 mpu 0b overhead 0b level 0
 Sent 9658166 bytes 169508 pkt (dropped 0, overlimits 0 requeues 0)
 rate 16104bit 33pps backlog 0b 0p requeues 0
 lended: 169493 borrowed: 4 giants: 0
 tokens: 28064 ctokens: 6407

class htb 1:15 parent 1:1 leaf 6: prio 5 quantum 2500 rate 500000bit ceil 4750Kbit burst 1850b/8 mpu 0b overhead 0b cburst 3974b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 29600 ctokens: 6694

class htb 1:14 parent 1:1 leaf 5: prio 4 quantum 15000 rate 3000Kbit ceil 5000Kbit burst 3099b/8 mpu 0b overhead 0b cburst 4Kb/8 mpu 0b overhead 0b level 0
 Sent 6049651 bytes 20585 pkt (dropped 0, overlimits 0 requeues 0)
 rate 69296bit 25pps backlog 0b 0p requeues 0
 lended: 20558 borrowed: 27 giants: 0
 tokens: 8138 ctokens: 6484
Shorewall 4.4.12.1 Chains tc_0 tc_1 tc_2 tc_3 tc_4 tc_5 at gw-cary.corp.ibcengineering.com - Mon Jan 30 11:10:59 CST 2012

Counters reset Mon Jan 30 10:14:52 CST 2012

Chain tc_0 (2 references)
 pkts bytes target     prot opt in     out     source               destination
 389K  495M            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff
 213K   21M            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff

Chain tc_1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff
37909 7353K            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff

Chain tc_2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff
   49  8504            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff

Chain tc_3 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff
    0     0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff

Chain tc_4 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff
    0     0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff

Chain tc_5 (2 references)
 pkts bytes target     prot opt in     out     source               destination
17130 2652K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5/0xff
    0     0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x5/0xff


Here are my shorewall capabilities that are lacking:
# shorewall show capabilities|grep Not
   Extended Connection Tracking Match Support: Not available
   IPP2P Match: Not available
   Repeat match: Not available
   Extended MARK Target 2: Not available
   Time Match: Not available
   LOGMARK Target: Not available
   IPMARK Target: Not available
   Persistent SNAT: Not available
   TPROXY Target: Not available
   FLOW Classifier: Not available
   fwmark route mask: Not available

Do I misunderstand the capabilities of the MARK column in the accounting table?  Or have I misconfigured something?

Thanks for the help.
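
Added example, not from the post: a script that puts the two dumps above side by side per mark instead of reading them by eye. It parses the `shorewall show tc` class list (packets sent per HTB priority) and the `tc_N` accounting chains (packets per mark, split into the row entering eth0 and the row leaving eth0), then flags marks where the class counter and the egress accounting counter diverge. The sample inputs are trimmed copies of the output quoted in the post. Two assumptions are built in, both stated in the post: priority N carries mark N, and the HTB classes shape eth0's egress, so the comparable accounting row is the one with out=eth0.

```python
"""Cross-check `shorewall show tc` class counters against MARK accounting chains.

Added example; the dumps are trimmed from the post's output (long HTB fields and
repeated column headers dropped), so the numbers are the post's numbers.
"""
import re

TC_SAMPLE = """\
class htb 1:11 parent 1:1 leaf 2: prio 1 quantum 2000 rate 400000bit ceil 5000Kbit level 0
 Sent 7884354 bytes 37911 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:1 root rate 5000Kbit ceil 5000Kbit level 7
 Sent 31397414 bytes 251481 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:13 parent 1:1 leaf 4: prio 3 quantum 2500 rate 500000bit ceil 5000Kbit level 0
 Sent 7805243 bytes 23477 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:12 parent 1:1 leaf 3: prio 2 quantum 2500 rate 500000bit ceil 5000Kbit level 0
 Sent 9658166 bytes 169508 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:15 parent 1:1 leaf 6: prio 5 quantum 2500 rate 500000bit ceil 4750Kbit level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:14 parent 1:1 leaf 5: prio 4 quantum 15000 rate 3000Kbit ceil 5000Kbit level 0
 Sent 6049651 bytes 20585 pkt (dropped 0, overlimits 0 requeues 0)
"""

ACCT_SAMPLE = """\
Chain tc_0 (2 references)
 pkts bytes target prot opt in   out  source    destination
 389K  495M        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x0/0xff
 213K   21M        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x0/0xff
Chain tc_1 (2 references)
    0     0        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x1/0xff
37909 7353K        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x1/0xff
Chain tc_2 (2 references)
    0     0        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x2/0xff
   49  8504        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x2/0xff
Chain tc_3 (2 references)
    0     0        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x3/0xff
    0     0        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x3/0xff
Chain tc_4 (2 references)
    0     0        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x4/0xff
    0     0        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x4/0xff
Chain tc_5 (2 references)
17130 2652K        all  --  eth0 *    0.0.0.0/0 0.0.0.0/0  MARK match 0x5/0xff
    0     0        all  --  *    eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x5/0xff
"""

SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """iptables abbreviates large counters (389K, 495M); expand them to integers."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_tc_classes(text):
    """Map HTB leaf-class priority -> packets sent; the root class (no prio) is skipped."""
    pkts_by_prio = {}
    prio = None
    for line in text.splitlines():
        if line.startswith("class htb"):
            m = re.search(r"\bprio (\d+)", line)
            prio = int(m.group(1)) if m else None
            continue
        m = re.match(r"\s*Sent \d+ bytes (\d+) pkt", line)
        if m and prio is not None:
            pkts_by_prio[prio] = int(m.group(1))
    return pkts_by_prio


def parse_accounting(text, iface="eth0"):
    """Map mark -> {'in': pkts entering iface, 'out': pkts leaving iface} from the tc_N chains."""
    counts = {}
    mark = None
    for line in text.splitlines():
        m = re.match(r"Chain tc_(\d+)", line)
        if m:
            mark = int(m.group(1))
            counts[mark] = {"in": 0, "out": 0}
            continue
        m = re.match(r"\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+all\s+--\s+(\S+)\s+(\S+)", line)
        if m and mark is not None:
            pkts, _bytes, in_if, out_if = m.groups()
            if in_if == iface:
                counts[mark]["in"] += parse_count(pkts)
            if out_if == iface:
                counts[mark]["out"] += parse_count(pkts)
    return counts


def compare(tc_by_prio, acct_by_mark, tolerance=0.01):
    """One row per mark: class packets vs egress accounting packets, flagged when they diverge."""
    rows = []
    for mark, class_pkts in sorted(tc_by_prio.items()):      # assumption: prio N == mark N
        acct = acct_by_mark.get(mark, {"in": 0, "out": 0})
        ok = abs(class_pkts - acct["out"]) <= tolerance * max(class_pkts, acct["out"], 1)
        note = ""
        if not ok and acct["in"] == 0 and acct["out"] == 0:
            note = "mark never seen by accounting"
        elif class_pkts == 0 and acct["in"] > 0:
            note = "accounting hits are ingress only; egress class idle"
        rows.append({"mark": mark, "tc_pkts": class_pkts, "acct_in": acct["in"],
                     "acct_out": acct["out"], "ok": ok, "note": note})
    return rows


if __name__ == "__main__":
    for row in compare(parse_tc_classes(TC_SAMPLE), parse_accounting(ACCT_SAMPLE)):
        print(row)
```

Run on the post's numbers, only mark 1 agrees (37911 in the class, 37909 on the out=eth0 row). Marks 2, 3 and 4 have class counters with no matching egress accounting, and mark 5's 17130 accounting packets are all on the in=eth0 row, which the eth0 egress class never sees; that separates "the mark is not set" from "the mark is set on traffic in the other direction" before any config is changed.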


multi-isp dynamic connections - is shorewall right for this?

Hi everyone.

We are putting together a network appliance for emergency management use, and it has to be adaptable to different network connections.
eth0 is a connection to whatever physical ethernet is available on site, if any, including satellite.
ppp0 is a 3G modem connection, if available.
br0 is the internal network supporting IAX2, SIP, general internet use and video monitoring, over eth1 and wlan0.

When the system is started, there may be 0, 1 or 2 possible network connections available, and if there are two, then eth0 is preferred over ppp0, which should be shut down if it is active.
All of the possible external network connections will present as dynamic addresses, using dhcp on eth0 and ppp on ppp0.

I am looking for a firewall/failover system that will route/filter ALL traffic between br0 and whatever external connection is available at the time, failing over between eth0 and ppp0 as required.

Does this sound like shorewall with lsm, and if so, any hints/gotchas before I tear out what is left of my hair.  The linux platform is Voyage One, which is based on Debian.

thanks
Ross

Christ Schlacta | 24 Jan 21:17

Any good guides to synchronize ipsets across multiple hosts?

I've got a couple of systems running shorewall, and I want an ipset 
added on any of these hosts to appear on all of these hosts.  Are there 
any good tools that already exist to do this, or am I on my own?

Troy Telford | 24 Jan 20:20

Slightly off topic: I don't know the terms to look for to RTFM (IPv6)

I've used a tunnel broker for IPv6 for quite some time; the biggest 
advantage is a static IP address.

For bandwidth & latency reasons, I've been considering switching to 
using my ISP's 6to4 - which means a dynamic IPv6 subnet.

The thing is: I want to have some hosts inside the firewall with open 
SSH ports, but not every host. While the stateless autoconfig 'suffix' 
(I don't know the proper term) is going to be the same, as it's based 
on the Ethernet MAC address, the IPv6 prefix is obviously going to 
change (as it's based on the IPv4 address with 6to4).

Is there any sort of mechanism so I can say "This host (on the inside 
of the firewall) has a MAC address of <foo>. The IPv6 prefix is going 
to change. The IP address will only be found on (the firewall's) eth2.  
I want a stateful firewall to block incoming connections for everything 
but SSH for that host."

Is this sort of a pipe dream?

It seems to me that with a dynamically assigned IPv6 subnet, firewalls 
become impossible to really manage, as the IPv6 prefix keeps changing, 
which in turn changes the 'destination' IP of every computer that is on 
the subnet...

Is there something that is supposed to handle this? If so, what's it 
called so I can RTFM?

I realize a workaround would be to use multiple IPv6 tunnels (similar 
to the multi-ISP shorewall example) - where I use the tunnel broker's 
static subnet for incoming connections. I'm wondering if it's also the 
only solution.
--

-- 
Troy Telford
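
Added example, not from the post: the "suffix" the post describes is the modified EUI-64 interface identifier (RFC 4291, Appendix A) that stateless autoconfiguration derives from the MAC, and the 6to4 prefix (RFC 3056) is `2002:` followed by the 32-bit IPv4 address, so both halves of the host's address can be computed. The script does that and shows what a rule keyed on the full address would have to match each time the IPv4 address, and with it the /48, changes. The MAC and IPv4 addresses are constructed documentation values, not real hosts.

```python
"""Addresses a fixed-MAC host takes under changing 6to4 prefixes.

Added example. Assumes the host builds its interface identifier from the
MAC (modified EUI-64); sample MAC and IPv4 values are constructed.
"""
import ipaddress


def sixto4_prefix(public_ipv4):
    """6to4: the site's /48 is 2002: followed by the public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac, subnet_id=0):
    """Host address = prefix (/48 .. /64) + subnet id filling the gap to /64 + EUI-64 id."""
    if prefix.prefixlen > 64 or not 0 <= subnet_id < 1 << (64 - prefix.prefixlen):
        raise ValueError("subnet id does not fit between the prefix and the interface id")
    host = int(prefix.network_address) | (subnet_id << 64) | eui64_interface_id(mac)
    return ipaddress.IPv6Address(host)


def addresses_across_prefixes(mac, public_ipv4s, subnet_id=0):
    """What a rule keyed on the host's full address must match as the 6to4 prefix changes."""
    return {v4: str(slaac_address(sixto4_prefix(v4), mac, subnet_id)) for v4 in public_ipv4s}


def same_interface_id(addr_a, addr_b):
    """True when two IPv6 addresses share their low 64 bits: the same host behind different prefixes."""
    mask = (1 << 64) - 1
    return int(ipaddress.IPv6Address(addr_a)) & mask == int(ipaddress.IPv6Address(addr_b)) & mask


if __name__ == "__main__":
    # constructed values: documentation IPv4 ranges and an arbitrary MAC
    for v4, addr in addresses_across_prefixes("00:11:22:33:44:55", ["192.0.2.1", "198.51.100.7"]).items():
        print(f"{v4:>14} -> {addr}")
```

The low 64 bits stay put while the high bits follow the IPv4 address, which is the firewall's problem in one line: a rule on the complete address has to be regenerated whenever the lease changes, whereas the interface identifier alone is stable. One caveat before relying on that identifier: hosts with RFC 4941 privacy extensions enabled randomise it as well, so check what the inside hosts actually advertise before building on the MAC-derived form.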
