Big Chiz | 21 Oct 01:37 2004

Re: Help on setting up shorewall

The ff would help:
http://www.shorewall.net/shorewall_quickstart_guide.htm
http://www.shorewall.net/FAQ.htm

On Wed, 20 Oct 2004 16:40:03 -0600, John Smith <info <at> telecomwest.net> wrote:
> HI
> 
> I am running mandrake 9.2.  I have shorewall installed and running.  I have two interfaces and the same
> public IP scheme.  How do you set it up to allow other people through the firewall?
> 
> Thanks for all your help
> 
> Andy
> 
> Telecom West
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users <at> lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
Gary Buckmaster | 21 Oct 03:11 2004

Dynamic Rules for Active Directory Authenticated Users

This question may be beyond the scope of Shorewall, and perhaps beyond
the current abilities of iptables, but I'll ask anyhow.

For my current network environment it is desirable to have a
mechanism in the firewall that will dynamically add masq rules for
users who have authenticated against the active directory server. 
Ideally we would be able to specify a group policy for users allowed
internet access and then as a user in said group authenticates, a masq
rule is added and they are now able to go outbound.  Is this something
that is possible with iptables and specifically with Shorewall?

Best,

Gary
Tom Eastep | 21 Oct 03:18 2004

Re: Dynamic Rules for Active Directory Authenticated Users


Gary Buckmaster wrote:
> This question may be beyond the scope of Shorewall, and perhaps beyond
> the current abilities of iptables, but I'll ask anyhow.
>
> For my current network environment it is desirable to have a
> mechanism in the firewall that will dynamically add masq rules for
> users who have authenticated against the active directory server.
> Ideally we would be able to specify a group policy for users allowed
> internet access and then as a user in said group authenticates, a masq
> rule is added and they are now able to go outbound.  Is this something
> that is possible with iptables and specifically with Shorewall?

You are asking the wrong question. Masquerade is a mechanism for
modifying the source address of outbound connections; IT IS NOT AN
ACCESS CONTROL MECHANISM.

What you should be asking is "How can I limit access to xxx to only
those hosts who have authenticated using <insert your favorite
authentication mechanism here>?"

The answer to that question is "Shorewall dynamic zones". These are
described in the Shorewall IPSEC documentation but they are useful in
any instance where you wish to dynamically grant and revoke access
permissions to individual hosts by IP address.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net

Gary Buckmaster | 21 Oct 04:37 2004

Re: Dynamic Rules for Active Directory Authenticated Users

Tom,

Sorry, you're right.  I didn't mean to imply that Masq is an ACM, I
was merely trying to simplify the explanation.  Dynamic Zones looks
like the solution.  I assume the process would be something like setting up
an appropriate PAM configuration to do the authentication checks and
perhaps a script that will add the correctly authenticated IP address
to the appropriate dynamic zone.  Is this roughly what I'm looking
for?

-Gary

On Wed, 20 Oct 2004 18:18:58 -0700, Tom Eastep <teastep <at> shorewall.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Gary Buckmaster wrote:
> > This question may be beyond the scope of Shorewall, and perhaps beyond
> > the current abilities of iptables, but I'll ask anyhow.
> >
> > For my current network environment it is desirable to have a
> > mechanism in the firewall that will dynamically add masq rules for
> > users who have authenticated against the active directory server.
> > Ideally we would be able to specify a group policy for users allowed
> > internet access and then as a user in said group authenticates, a masq
> > rule is added and they are now able to go outbound.  Is this something
> > that is possible with iptables and specifically with Shorewall?
> 

Tom Eastep | 21 Oct 04:40 2004

Re: Dynamic Rules for Active Directory Authenticated Users


Gary Buckmaster wrote:

> Sorry, you're right.  I didn't mean to imply that Masq is an ACM, I
> was merely trying to simplify the explanation.  Dynamic Zones looks
> like the solution.  I assume the process would be something like setting up
> an appropriate PAM configuration to do the authentication checks and
> perhaps a script that will add the correctly authenticated IP address
> to the appropriate dynamic zone.  Is this roughly what I'm looking
> for?

Yes -- although in my view, the more interesting problem is how to
revoke the access right via "shorewall delete" when appropriate.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
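The grant-then-revoke cycle Tom is pointing at, as an added example (my own constructed script, not part of the thread and not Shorewall project code). It assumes the dynamic zone commands take the form `shorewall add iface:ip zone` and `shorewall delete iface:ip zone`, and that whatever performs the authentication (the PAM setup Gary mentions, or anything else) calls `grant_access` with the client's address; the zone name `loc` and interface `eth1` used in the comments are assumptions. Revocation is solved with leases: access lapses unless the client re-authenticates within the lease lifetime, so a host that changes hands is cut off by the next cron run after its lease expires, without prompting anyone for a password every few minutes.

```shell
#!/bin/sh
# Lease manager for Shorewall dynamic zones (constructed example, not
# Shorewall project code). Assumes "shorewall add IFACE:IP ZONE" and
# "shorewall delete IFACE:IP ZONE" as the dynamic zone commands, and that
# the authentication hook calls grant_access for a freshly logged-in client.

SHOREWALL_CMD=${SHOREWALL_CMD:-shorewall}          # overridable for testing
LEASE_FILE=${LEASE_FILE:-/var/lib/dynzone.leases}  # lines: "zone iface ip expiry"
LEASE_TTL=${LEASE_TTL:-300}                        # seconds; the 2-5 minute window

# Current epoch time; FAKE_NOW lets a test drive the clock.
now() { echo "${FAKE_NOW:-$(date +%s)}"; }

# lease_exists ZONE IFACE IP: true if the host already holds a lease.
lease_exists() {
    awk -v k="$1 $2 $3" '($1 " " $2 " " $3) == k { f = 1 }
                         END { if (f) exit 0; exit 1 }' "$LEASE_FILE"
}

# drop_lease_record ZONE IFACE IP: remove the host's line from the lease file.
drop_lease_record() {
    awk -v k="$1 $2 $3" '($1 " " $2 " " $3) != k' "$LEASE_FILE" > "$LEASE_FILE.tmp"
    mv "$LEASE_FILE.tmp" "$LEASE_FILE"
}

# grant_access ZONE IFACE IP [TTL]: admit IP to ZONE (only once) and start
# or renew its lease. Re-authentication therefore just pushes the expiry out.
grant_access() {
    zone=$1; iface=$2; ip=$3; ttl=${4:-$LEASE_TTL}
    touch "$LEASE_FILE"
    if ! lease_exists "$zone" "$iface" "$ip"; then
        "$SHOREWALL_CMD" add "$iface:$ip" "$zone" || return 1
    fi
    drop_lease_record "$zone" "$iface" "$ip"
    echo "$zone $iface $ip $(( $(now) + ttl ))" >> "$LEASE_FILE"
}

# revoke_access ZONE IFACE IP: "shorewall delete" the host and forget its lease.
revoke_access() {
    "$SHOREWALL_CMD" delete "$2:$3" "$1" || return 1
    drop_lease_record "$1" "$2" "$3"
}

# expire_leases: revoke every lease whose expiry has passed; meant to run
# from cron once a minute. Prints each revoked address, one per line.
expire_leases() {
    [ -f "$LEASE_FILE" ] || return 0
    t=$(now)
    cp "$LEASE_FILE" "$LEASE_FILE.snap"   # revoke_access rewrites the live file
    while read -r zone iface ip expiry; do
        if [ "$expiry" -le "$t" ]; then
            revoke_access "$zone" "$iface" "$ip" && echo "$ip"
        fi
    done < "$LEASE_FILE.snap"
    rm -f "$LEASE_FILE.snap"
}

# Typical wiring (assumed): the login hook runs
#   grant_access loc eth1 "$CLIENT_IP"
# and a cron entry runs "expire_leases" every minute.
```

The lease file is the only state, so the firewall can be restarted and the leases re-applied, and a stale entry never outlives one cron interval past its expiry. Shortening `LEASE_TTL` narrows the window Gary describes, at the cost of more frequent renewals by the client side.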
Tom Eastep | 21 Oct 04:49 2004

Re: Very OT -- To all RedSox Fans.....


John Andersen wrote:

>
> Of course the Yanks also have at least one Ex-Mariner we Mariner
> fans love to hate - ARod, and we hate him not for moving on or
> going after the money, (more power to him)

<OT+++>

I disagree -- his "it's not the money" speech was one of the biggest
piles of Bu....it that I've ever been asked to swallow (and I didn't).

</OT+++>

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 21 Oct 05:20 2004

Re: Dynamic Rules for Active Directory Authenticated Users


Gary Buckmaster wrote:
> > How do you know when the user who authenticated on your firewall logged
> > out on a host and when someone else logged in?
>
>
> Although that is a problem, I suspect that it will be a pretty minor
> one.  Assuming that the firewall will re-verify authentication after a
> brief window (arbitrarily say 2-5 minutes), a user who managed to gain
> access to the same IP address would only have illicit internet access
> for a very brief window.  Throwing DHCP into the mix, the chances of
> getting onto an allowed IP address in that same window seems
> reasonably small.

So from a client system, how does this work? Am I prompted for my user
id and password every 2-5 minutes?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Shorewall Admin User | 21 Oct 06:30 2004

IPTABLES question in general

Hello All,

I have a question in regards to iptables in general, I have been getting these
log messages for a while now, and I am trying to figure out why these are 
coming in, I know that I am dropping all packets from the net 2 dmz named
service.  My question is why would I get these all the time, they are from 
multiple different sites.  Are they trying to do something to my host or is 
this a common occurrence?

-------- cut ----------
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36
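A way to triage log lines like these, added here as an example (my own constructed script, not part of the thread and not Shorewall code). It pulls the netfilter `KEY=value` fields out of each line, groups the drops by chain, disposition, source, protocol and destination port, and can list every source that aimed at a given port, so a day of logs collapses into a few rows that answer "is this all the same thing?" The sample input is the three lines quoted above, rejoined onto single lines the way the kernel writes them; the `/var/log/messages` path in the closing comment is an assumption about where syslog puts kernel messages.

```shell
#!/bin/sh
# Triage helpers for Shorewall/iptables log lines (constructed example,
# not Shorewall project code).

# awk helper shared by the functions below: return the value of KEY=value
# in a netfilter log line, or "-" if the key is absent. The leading [ :]
# makes sure a key only matches at a field start, never as the tail of a
# longer key.
FIELD_FN='
function field(line, name,    m) {
    if (match(line, "[ :]" name "=[^ ]*") == 0) return "-"
    m = substr(line, RSTART, RLENGTH)
    sub("^[ :]" name "=", "", m)
    return m
}
'

# summarize_drops: read log lines on stdin and print
# "count chain disposition SRC PROTO DPT", busiest first.
summarize_drops() {
    awk "$FIELD_FN"'
    /Shorewall:/ {
        # The "Shorewall:net2dmz:DROP:" token carries the chain and action.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2]; disp = p[3] }
        key = chain " " disp " " field($0, "SRC") " " field($0, "PROTO") " " field($0, "DPT")
        n[key]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# sources_hitting_port PORT: distinct source addresses whose dropped packets
# were aimed at PORT (53 here: who thinks the DMZ host is a name server?).
sources_hitting_port() {
    awk -v port="$1" "$FIELD_FN"'
    /Shorewall:/ && field($0, "DPT") == port { print field($0, "SRC") }
    ' | sort -u
}

# Constructed sample: the three records quoted in the thread, each rejoined
# onto one line.
sample_drops() {
    cat <<'EOF'
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36
EOF
}

# On a live box (assumed syslog location): grep Shorewall: /var/log/messages | summarize_drops
sample_drops | summarize_drops
```

On the sample this prints `2 net2dmz DROP 213.136.52.31 UDP 53` and `1 net2dmz DROP 64.12.66.11 UDP 53`: every drop is a UDP packet to port 53, which is what a DNS query looks like from the outside, and `sources_hitting_port 53` gives the list of resolvers to check against your domain's delegation.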
Gary Buckmaster | 21 Oct 05:56 2004

Re: IPTABLES question in general

They look like blocked DNS requests.  Is there a DNS server somewhere
saying that your firewall (or the DMZ behind your firewall) is the
authoritative DNS server for some domain?

On Wed, 20 Oct 2004 23:30:42 -0500, Shorewall Admin User
<shorewall <at> thebuc.com> wrote:
> Hello All,
> 
> I have a question in regards to iptables in general, I have been getting these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service.  My question is why would I get these all the time, they are from
> multiple different sites.  Are they trying to do something to my host or is
> this a common occurrence?
> 
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36

Patrick Benson | 21 Oct 14:53 2004

Re: IPTABLES question in general

Shorewall Admin User wrote:
> 
> Hello All,
> 
> I have a question in regards to iptables in general, I have been getting these
> log messages for a while now, and I am trying to figure out why these are
> coming in, I know that I am dropping all packets from the net 2 dmz named
> service.  My question is why would I get these all the time, they are from
> multiple different sites.  Are they trying to do something to my host or is
> this a common occurrence?
> 
> -------- cut ----------
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36
> Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SPT=55524 DPT=53 LEN=36
> Oct 20 23:16:18 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=64.12.66.11 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=9253 DPT=53 LEN=36

It's still quite a nuisance. They started to show up at about the
beginning of 2001, actually. Several people started to notice this on
the LEAF-LRP lists and then appeared promptly on the Incidents list at
Securityfocus.com and Usenet. When a pop-up ad appeared, showing a cam,
in a web browser, it triggered a load of DROP, DENY messages in the
logs, non-SYN packets destined to port 53 on users' machines, like your
own. You can see a brief detailed explanation below, with the
coyotepoint.com link. It's a way of getting the end user to see the ad
at its closest location rather than circumventing the globe to reach a
very remote host, hosting the same ad, wasting bandwidth resources.
Unfortunately, www.geocrawler.com seems to be down for the moment, where

