Eduardo Diaz - Gmail | 24 Feb 10:48 2015

Can I use shorewall to DROP port 25 using DNSBL?

Hi to all, I am fighting with a DDOS based on SMTP mail.

I am using Debian 7.7 x86 and Shorewall-4.5.5.3

I am getting errors at my domain from hosts trying to send mail every second or more.

2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] sender verify fail for <cikevek106 <at> adycoaduanas.com>: Unrouteable address
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] F=<cikevek106 <at> adycoaduanas.com> rejected RCPT <cikevek106 <at> adycoaduanas.com>: Sender verify failed
2015-02-24 10:25:21 unexpected disconnection while reading SMTP command from ([58.187.161.220]) [58.187.161.220] (error: Connection reset by peer)


At the beginning I used fail2ban to ban the concurrent connections, but the bad people learned not to make the same connection more than once. :-(

All the IP addresses are listed in DNSBL and I can use a simple script to test if this connection is listed in DNSBL (using an internal program to cache every IP).

My intention is:

For every connection that is made, shorewall launches the script or the rule: if it is listed in DNSBL, drop; if not, allow it to connect to the mailserver.

Does Shorewall have this functionality? I searched in the documentation and I didn't find anything similar, only the blacklist functionality.

Regards and thanks for the responses.
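The check and cache described in the post, written out as an added Python example (this is not the poster's script and not a Shorewall feature): peer addresses are pulled from Exim-style reject lines, each one is turned into a reversed-octet DNSBL query name, and the answer is cached for a TTL so a busy MTA does not pay a DNS round trip per connection. The list zone `dnsbl.example`, the `constructed_resolver` stub and all log lines except the address quoted in the post are constructed; in production the resolver would be a real DNS lookup.

```python
import ipaddress
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Exim-style reject lines, modelled on the ones in the post
# (addresses other than the one quoted in the post come from documentation ranges).
SAMPLE_LOG = """\
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] sender verify fail for <user@example.invalid>: Unrouteable address
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] F=<user@example.invalid> rejected RCPT <user@example.invalid>: Sender verify failed
2015-02-24 10:25:30 H=(mx.example.invalid) [192.0.2.10] F=<a@example.invalid> rejected RCPT <b@example.invalid>: Sender verify failed
"""

# Exim writes the peer address in square brackets right after the H=(...) host name.
PEER_RE = re.compile(r"H=\([^)]*\) \[(\d{1,3}(?:\.\d{1,3}){3})\]")

# A resolver maps a query name to the A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone, e.g. 4.3.2.1.zone.

    IPv4Address() raises ValueError on anything that is not a plain IPv4
    address, so a malformed string from a log line never becomes a DNS query.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


class DnsblChecker:
    """Cache-backed DNSBL lookup: one DNS query per address per TTL."""

    def __init__(self, zone: str, resolver: Resolver, ttl: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.zone = zone
        self.resolver = resolver
        self.ttl = ttl
        self.clock = clock
        self.queries = 0                      # how many times DNS was actually asked
        self._cache: Dict[str, Tuple[bool, float]] = {}

    def is_listed(self, ip: str) -> bool:
        now = self.clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.queries += 1
        answer = self.resolver(dnsbl_query_name(ip, self.zone))
        # DNSBLs signal a listing with an A record inside 127.0.0.0/8; any other
        # answer (or NXDOMAIN) is treated as not listed, so a misbehaving list
        # can only fail open, never block every sender.
        listed = (answer is not None and
                  ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))
        self._cache[ip] = (listed, now + self.ttl)
        return listed


def peer_addresses(log_text: str) -> List[str]:
    """Unique peer addresses from Exim reject lines, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def verdict(ip: str, checker: DnsblChecker) -> str:
    """What the firewall should do with a new port-25 connection from ip."""
    return "DROP" if checker.is_listed(ip) else "ACCEPT"


# Constructed stand-in for a real resolver: only the address quoted in the post
# is "listed" in the hypothetical zone dnsbl.example.
def constructed_resolver(name: str) -> Optional[str]:
    return "127.0.0.2" if name == "220.161.187.58.dnsbl.example" else None


if __name__ == "__main__":
    checker = DnsblChecker("dnsbl.example", constructed_resolver)
    for ip in peer_addresses(SAMPLE_LOG):
        print(ip, verdict(ip, checker))
```

Two design points carry over to any real deployment: the cache is what makes a per-connection lookup affordable, and treating anything outside 127.0.0.0/8 as "not listed" means a broken or hijacked list zone degrades to accepting mail rather than rejecting all of it.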

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
Donald S. Doyle | 20 Feb 08:26 2015

IP Info in Shorewall vs. Info in Spiceworks

Hello,

I am using Shorewall and Spiceworks.  They are on two different servers.  Spiceworks will send me a message that the router or a server on the network is communicating with a suspicious IP address which I have blacklisted in Shorewall.  I asked Spiceworks about this and they sent me to http://community.spiceworks.com/how_to/86147-how-to-investigate-alienvault-threat-alerts-in-spiceworks to explain how Spiceworks/AlienVault works.  Beyond that, they offered no other info as they do not know anything about Shorewall.

Can anyone shine any light on this?  It does not make sense to me.

Thanks for your time and have a great day,

Don

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
Øyvind 'bolt' Hvidsten | 17 Feb 13:07 2015

ICMP connection tracking in Raspbian

I found an unexpected issue today when configuring a Raspberry Pi as a 
WAN emulator (AP with packet loss, high, variable ping, etc). In the 
kernel of Raspbian (a Debian variant), version 3.18.5 at the time of 
writing, ICMP ping requests are tracked.

Thus, with a default policy of DROP for wlan2net, the following rule did 
not do what I expected:
-----------------------------------
SECTION NEW
Ping(ACCEPT) wlan net - - - - 1/sec:10
-----------------------------------

This would allow a flood of pings from wlan to net, as long as it was 
from and to the same machines.

However, putting the accept rule in the ALL section, followed by a DROP 
rule to counteract the default ALLOW rule for ESTABLISHED did what I 
wanted: one ping every second, with a pool of 10.
-----------------------------------
SECTION ALL
Ping(ACCEPT) wlan net - - - - 1/sec:10
Ping(DROP) wlan net
-----------------------------------

Connection tracking in progress:
-----------------------------------
$ shorewall show connections | grep icmp
icmp 1 29 src=10.101.0.53 dst=173.194.112.130 type=8 code=0 id=256 src=173.194.112.130 dst=10.0.10.34 type=0 code=0 id=256 mark=0 use=2
-----------------------------------

While discussing this in #shorewall on freenode, it was suggested that I 
send a mail about this, so this is me doing just that.

If this situation isn't mentioned in the documentation or examples (I 
couldn't find it), it probably should be.
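Why the NEW-section rule lets the flood through, as an added Python model (not code from the post or from Shorewall): conntrack keys an ICMP echo flow on (src, dst, id), and every request a single ping process sends reuses the same id, so only the first one is NEW and the rest are ESTABLISHED and take the implicit ESTABLISHED accept before any NEW-section rule is consulted. Putting the limited ACCEPT in the ALL section applies the bucket to every request. The rate limit is a simple token bucket in the spirit of `1/sec:10`, the 30 s timeout is the nf_conntrack_icmp_timeout default (the `29` in the post's output is that timer counting down), and the traffic and addresses are constructed from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Echo:
    """An ICMP echo request as conntrack sees it: addresses, echo id, and a time in ms."""
    src: str
    dst: str
    icmp_id: int
    t_ms: int


class LimitBucket:
    """Token bucket in the spirit of '1/sec:10': one token per second, pool of `burst`.

    Integer milli-tokens keep the arithmetic exact.
    """

    def __init__(self, per_sec: int, burst: int) -> None:
        self.per_ms = per_sec              # per_sec tokens/s == per_sec milli-tokens per ms
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


ICMP_TIMEOUT_MS = 30_000   # nf_conntrack_icmp_timeout default


class IcmpConntrack:
    """Echo flows keyed on (src, dst, id): any later request with the same key inside
    the timeout is ESTABLISHED, even though ping sends a fresh request each time."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str, int], int] = {}

    def state(self, pkt: Echo) -> str:
        key = (pkt.src, pkt.dst, pkt.icmp_id)
        last = self.flows.get(key)
        st = "ESTABLISHED" if last is not None and pkt.t_ms - last < ICMP_TIMEOUT_MS else "NEW"
        self.flows[key] = pkt.t_ms
        return st


def filter_pings(packets: List[Echo], section: str) -> int:
    """Number of requests accepted under the two rule placements from the post.

    section == "NEW": the limited Ping(ACCEPT) is only consulted for NEW packets;
                      ESTABLISHED ones match the implicit ESTABLISHED accept first.
    section == "ALL": the limited Ping(ACCEPT) followed by Ping(DROP) applies to every
                      packet regardless of conntrack state.
    """
    ct = IcmpConntrack()
    limiter = LimitBucket(1, 10)
    accepted = 0
    for pkt in packets:
        st = ct.state(pkt)
        if section == "NEW" and st == "ESTABLISHED":
            accepted += 1
        elif limiter.allow(pkt.t_ms):
            accepted += 1
        # otherwise dropped: policy DROP for a NEW packet, explicit Ping(DROP) in ALL
    return accepted


def ping_flood(count: int, interval_ms: int, icmp_id: int = 256) -> List[Echo]:
    """Constructed traffic: one ping process (fixed id) sending `count` requests."""
    return [Echo("10.101.0.53", "173.194.112.130", icmp_id, i * interval_ms)
            for i in range(count)]


if __name__ == "__main__":
    flood = ping_flood(100, 100)   # 100 pings, 10 per second
    print("SECTION NEW:", filter_pings(flood, "NEW"), "of 100 accepted")
    print("SECTION ALL:", filter_pings(flood, "ALL"), "of 100 accepted")
```

With 100 requests at ten per second, the NEW placement accepts all 100 (one NEW packet, 99 ESTABLISHED), while the ALL placement accepts the 10-deep pool plus one token per elapsed second, 19 in total. A second ping process with a different id would get its own NEW packet and its own conntrack entry, so the NEW-section rule only ever limits the rate of new ping *sessions*, not of ping packets.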

Sassy Natan | 17 Feb 00:14 2015

Shorewall with Overlapping IPs

Hi Everyone,

I'm facing a problem which I hope someone might be able to help me with here.

I'm trying to build a VPN site 2 site with my current shorewall + openswan configuration with an overlapping IP on both ends.

Here is my Topology.

Site A:
eth0 - 172.16.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - X.Y.Z.M - Public IP address


Site B
eth0 - 192.168.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - N.O.L.P - Public IP address


I want to set up a VPN from the Internal LAN of Site B (192.168.0.0/24) to the LAB LAN of Site A (10.0.0.0/24)

The problem is that Site B already has a setup in its local routing table to route traffic for the network ID 10.0.0.0/24 via the ETH1 interface. So traffic can't be routed to the remote site A without (1) disabling this network or (2) doing some NAT magic.

Since option 1 is not really an option, I made sure to configure my IPsec tunnel to use a virtual NETID of 172.31.0.0/24 as the subnet of site A which I want to share with site B.

Basically this means that when a machine from site B (with an IP of 192.168.0.X) wants to talk with a machine from site A (with an IP address 172.16.0.X), it basically sends the packets to 172.31.0.X.

Once the FW on site A gets the packet for 172.31.0.X, I use DNAT to route the packet back to 10.0.0.X.

This however doesn't seem to work, which is why I'm asking the community for help.

The first question I have in mind is whether I have to create a fake virtual interface (like a TAP device) which will be configured with the IP address of 172.31.0.1 in order for this to work?

(OpenSwan with netkey does not create a virtual interface, such as when you use the klips or mast module)

When creating a TAP device or an alias device (like eth0:1) I can easily ping from one site to the other, but then I will have to configure and change settings in the interfaces, zones, policy and rules files, which is something I want to avoid (I have multiple ISPs in my configuration with multiple site-to-site VPNs, including a road VPN client, so my setup is a little bit more complicated).

I have looked into the netmap, masq and nat files under shorewall, but as far as I can tell nothing works.

Doing more debugging, it seems like the IPSEC device is not really applying my settings: when I do a traceroute from a machine in site A with an IP address of 172.16.0.X to a machine in Site B with an IP of 192.168.0.X, I would expect to see that the next hop after my firewall (site A) is the next firewall IP (site B), ending at the destination machine. However, the route goes to the public internet, which explains that IPSEC doesn't consider this packet as a packet which got out from the NETID of 172.31.0.X, even if I do SNAT.

Is it somehow connected to a pre-routing issue?

I know there are some docs on how to set up IPSEC with shorewall, but in most cases I do it without shorewall involved (except for configuring the rules to allow traffic from both networks and disabling NAT within them)

Any Ideas?

Thank You
Sassy
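The 1:1 translation the post relies on, as an added Python example (not the poster's configuration and not Shorewall's or Openswan's code): a NETMAP-style mapping keeps the host bits and swaps the network prefix, and an IPsec policy only selects a packet whose addresses, at the moment of the policy lookup, fall inside its selector. The function pair shows both directions for the post's topology and makes the mismatch visible: a reply that still carries its real 10.0.0.X source does not match a selector written for 172.31.0.0/24, which is exactly what sending it in the clear looks like. The networks are taken from the post; which side of the NAT step the kernel's policy lookup happens on is not something this model decides, so treat it as a check on the addresses, not on Linux ordering.

```python
import ipaddress
from typing import Tuple

IPv4Net = ipaddress.IPv4Network


def netmap(addr: str, src_net: str, dst_net: str) -> str:
    """1:1 network translation: keep the host bits, replace the prefix (what NETMAP does)."""
    a = ipaddress.IPv4Address(addr)
    s, d = IPv4Net(src_net), IPv4Net(dst_net)
    if s.prefixlen != d.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    if a not in s:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(a) - int(s.network_address)
    return str(ipaddress.IPv4Address(int(d.network_address) + host_bits))


def matches_selector(local: str, remote: str, local_net: str, remote_net: str) -> bool:
    """Would an IPsec policy with selector local_net <-> remote_net pick up this pair?"""
    return (ipaddress.IPv4Address(local) in IPv4Net(local_net)
            and ipaddress.IPv4Address(remote) in IPv4Net(remote_net))


# Networks from the post's topology (constructed selector for site A's end of the tunnel).
REAL_LAB = "10.0.0.0/24"        # site A LAB LAN, which also exists at site B
VIRTUAL_LAB = "172.31.0.0/24"   # what site B is told site A's LAB LAN is
SITE_B_LAN = "192.168.0.0/24"
SELECTOR = (VIRTUAL_LAB, SITE_B_LAN)


def outbound_from_a(src: str, dst: str) -> Tuple[str, bool]:
    """Reply leaving site A: SNAT the real LAB address into the virtual range, then check
    whether the translated pair is something the tunnel policy would select."""
    translated = netmap(src, REAL_LAB, VIRTUAL_LAB)
    return translated, matches_selector(translated, dst, *SELECTOR)


def inbound_to_a(src: str, dst: str) -> Tuple[str, bool]:
    """Packet from site B for the virtual range: the wire addresses must match the policy,
    and the DNAT then hands it to the real 10.0.0.X host."""
    ok = matches_selector(dst, src, *SELECTOR)   # local is our side, so dst/src are swapped
    return netmap(dst, VIRTUAL_LAB, REAL_LAB), ok


if __name__ == "__main__":
    print("inbound :", inbound_to_a("192.168.0.5", "172.31.0.7"))
    print("outbound:", outbound_from_a("10.0.0.7", "192.168.0.5"))
    print("untranslated reply selected?",
          matches_selector("10.0.0.7", "192.168.0.5", *SELECTOR))
```

The last line is the diagnostic worth keeping: whenever an address pair prints `False` against the selector, the tunnel will never see that packet regardless of which Shorewall file the NAT rule lives in.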
shorewall | 16 Feb 00:27 2015

Multi-ISP without routing cache

Hallo,

I'm updating some shorewall firewalls from CentOS6 to CentOS7. They have
multiple internet providers.
With CentOS6 kernel, routes were cached, and the same target was always
reached via the same internet provider and the same IP. In linux-3.6,
routing cache was removed, and I'm facing problems in CentOS7 accessing
services which track where a client is coming from. 
The routing cache solution was sub-optimal, since all the sources were going
to use the same provider to access the same host, but it did work. I worked
around the problem by statically defining which provider to use to access
the problematic services, changing the provider when needed (see LSM 0.178
and 0.179). But again this solution is not optimal.
So, is it possible in Shorewall to make sure that the same triplet (source
ip, dest ip, dest port) will always go with the same provider?

If not, I found a thread here
http://www.spinics.net/lists/netfilter/msg55150.html .
There, the outgoing packets are added to appropriate ipsets in the
POSTROUTING mangle chain. The set is chosen based on the outgoing interface
(i.e. the provider) chosen by the routing algorithm.
The ipsets are of type hash:ip,port,ip.
Then, the ipsets are used to mark subsequent packets to always go to the
same provider.

Is it possible to do something like this in Shorewall? If not, would it be
fine to add an ACTION in the mangle file, similarly to ADD/DEL in the rules file?
(or maybe, would it be possible to specify which chain to add the rule to for
ADD/DEL in rules?)

Thank you
Luigi
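The mechanism from the linked netfilter thread, as an added Python model (not Luigi's configuration and not code from Shorewall or the thread): one ipset of type hash:ip,port,ip per provider, an ADD of the (source ip, destination port, destination ip) triplet in the POSTROUTING mangle stage once the routing decision is known, and a lookup of the triplet in the earlier mangle stage that sets a mark so later packets follow the first choice. The provider names, mark values, addresses and the deliberately unstable balancer are constructed; the balancer stands in for a multi-path route whose per-packet choice is no longer pinned by a routing cache.

```python
from typing import Callable, Dict, Optional, Set, Tuple

Triplet = Tuple[str, int, str]   # (source ip, destination port, destination ip): hash:ip,port,ip


class StickyProviders:
    """One ipset per provider: once a triplet has left via a provider, later packets of
    that triplet are marked for the same provider."""

    def __init__(self, providers: Dict[str, int]) -> None:
        self.marks = providers                                  # provider -> fwmark (constructed)
        self.sets: Dict[str, Set[Triplet]] = {p: set() for p in providers}

    def lookup_mark(self, src: str, dport: int, dst: str) -> Optional[int]:
        """Early mangle stage (before routing): the first set containing the triplet wins."""
        for name, members in self.sets.items():
            if (src, dport, dst) in members:
                return self.marks[name]
        return None

    def record(self, src: str, dport: int, dst: str, provider: str) -> None:
        """POSTROUTING mangle stage: the outgoing interface is known, so ADD the triplet
        to that provider's set."""
        self.sets[provider].add((src, dport, dst))

    def provider_for_mark(self, mark: int) -> str:
        return next(name for name, m in self.marks.items() if m == mark)


def route_packet(sticky: StickyProviders, src: str, dport: int, dst: str,
                 balance: Callable[[str, str], str]) -> str:
    """One packet through the firewall: a known triplet keeps its provider, an unknown one
    is decided by the balancer and then remembered."""
    mark = sticky.lookup_mark(src, dport, dst)
    if mark is not None:
        return sticky.provider_for_mark(mark)
    provider = balance(src, dst)
    sticky.record(src, dport, dst, provider)
    return provider


class FlappingBalancer:
    """Constructed stand-in for routing without a cache: alternates providers on every call."""

    def __init__(self, providers) -> None:
        self.providers = list(providers)
        self.calls = 0

    def __call__(self, src: str, dst: str) -> str:
        choice = self.providers[self.calls % len(self.providers)]
        self.calls += 1
        return choice


def simulate(n_packets: int) -> Tuple[Set[str], Set[str]]:
    """Providers used by one client talking to one service, with and without the sets."""
    sticky = StickyProviders({"isp1": 0x1, "isp2": 0x2})
    bal = FlappingBalancer(sticky.marks)
    with_sets = {route_packet(sticky, "192.0.2.10", 443, "198.51.100.7", bal)
                 for _ in range(n_packets)}
    without_sets = {bal("192.0.2.10", "198.51.100.7") for _ in range(n_packets)}
    return with_sets, without_sets


if __name__ == "__main__":
    sticky_result, plain_result = simulate(6)
    print("with ipsets   :", sorted(sticky_result))
    print("without ipsets:", sorted(plain_result))
```

Two properties follow from the data structure rather than from the balancer: the same source reaching the same destination service is pinned for as long as the set entry lives (a real ipset would be created with a timeout so entries expire), and a different source, or the same source to another port, gets its own decision, which is what lets the providers still share load.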

Raimonds Cicans | 13 Feb 21:03 2015

IPSEC & masq

Hello.

I have the following Shorewall (4.5.21.10) configuration (simplified)

--- Zone file ---
zlan ipv4
zdmz ipv4
zinet ipv4
zvpn ipv4

--- Interfaces file ---
zlan lan
zdmz dmz
zinet inet

--- Hosts file ---
zvpn inet:remote_internal_lan,remote_external_ip ipsec

--- Masq file ---
inet dmz
inet lan

--- Policy file ---
$FW all ACCEPT
zlan zinet ACCEPT
zlan zdmz ACCEPT
zlan zvpn ACCEPT

zinet all DROP info
all all REJECT info

--- Tunnels file ---
ipsec zinet remote_external_ip

---------------------

Everything is working fine, but I need to add access from the zdmz zone to zvpn.
In the FreeSwan configuration only zlan has access to zvpn, so it looks like I
need some kind of masquerading.
Is this theoretically possible?

I tried the following:
1. step
add to beginning of Policy file:
zdmz zvpn ACCEPT

2. step
add to beginning of Masq file
inet:remote_internal_lan dmz ip_of_lan_interface

But when I try to ping zvpn hosts from zdmz I get:
Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet ... SRC=some_zdmz_ip DST=some_zvpn_ip

Honestly speaking, in the second step I tried almost all possible
combinations of IP/net addresses and when I ping I always get the same error.

What I am doing wrong?

Thank you for any help in advance.

Raimonds Cicans

Marko Weber | 8000 | 13 Feb 16:55 2015

typo on page?

http://shorewall.net/upgrade_issues.htm#idp8704902640

Beginning with Shorewall 4.6.0, ection headers are now preceded by '?'

means

Beginning with Shorewall 4.6.0, Section headers are now preceded by '?'

or ?

greetings , Marko

Matthias F. Brandstetter | 13 Feb 02:21 2015

Unable to setup DNAT via VPN

Hello, I am running Shorewall 4.5.5.3 on a Debian machine.

I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2) via OpenVPN. On the firewall the VPN interface is called tun0. So in my shorewall configuration I have this:

$ cat interfaces
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
vpn     tun+        optional
net     eth+        dhcp,physical=+,routeback,optional

$ cat zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
vpn     ipv4
net     ip

$ cat policy
#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
$FW     net     ACCEPT
$FW     vpn     ACCEPT
vpn     all     ACCEPT
net     all     DROP    info

Now I want to forward all traffic from the public net coming to TCP port 2222 on the firewall to the internal server port 22. So I have added the following two lines:

$ cat rules
ACCEPT      net     $FW                 tcp     2222
DNAT:info   net     vpn:10.8.0.2:22     tcp     2222

In my shorewall.conf file I have this line:

IP_FORWARDING=On

However, this does not seem to work.
In the log file I can see these lines:

Feb 13 01:59:44 helios kernel: [2390648.826670] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP> DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0

What am I missing here?

Cheers!


--
Matthias F. Brandstetter
haimat <at> gmail.com
h15234 | 8 Feb 01:59 2015

shorewall startp/stop works ok, but during pkg version upgrade drops network and needs network+shorewall restarts?

Hi

I recently inherited a few Linux boxes with Shorewall on them.

They need some clean up, so I'm taking it one step at a time.

First I'm dealing with startup and shutdown.

I notice that when Shorewall is installed and running on a local system (openSUSE 13.2), if I do a package
upgrade to a newer version of Shorewall (using the distro's "zypper dup" command), the upgrade
occurs OK, but the network drops and I need to restart shorewall (always) and the network (sometimes).

Then everything's back to normal.

I don't have any problems with normal shorewall startup / shutdown, either on boot or from the command line. 
Only when I do this package upgrade.

Not really an issue if the machine's local (THIS one is). But I can see this could be a nasty problem if I'm remote.

I notice that there are some custom systemd startup scripts in here.  I also see there's been some discussion
in the recent past on the list about systemd startup issues and so on.

I don't know enough about what's going on DURING the pkg upgrade yet, but thought I'd ask here to figure out
where to poke 1st.

Is there a setting or procedure to prevent something like this in Shorewall?  I can't quite figure out what
would be unique to the pkg upgrade procedure that's not also done in a start/stop.

Cheers,

Hanlon

Tom Eastep | 7 Feb 00:49 2015

Shorewall 4.6.6.2

Shorewall 4.6.6.2 is now available for download.

Problems Corrected:

1)  The compiler failed to parse the construct +<ipset>[n] where n is an
    integer (e.g., +bad[2]).

2)  Orion Paplawski has provided a patch that adds 'ko.xz' to the
    default MODULE_SUFFIX setting. This change deals with recent Fedora
    releases where the module names now end with ".ko.xz".

    In addition to Orion's patch, the sample configurations have been
    modified to specify MODULE_SUFFIX="ko ko.xz".

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Joseph DeGraw | 5 Feb 18:46 2015

Forwarding 81 to internal lan webserver

Hello,

I installed Shorewall for the first time last night and I am very 
impressed. I installed it to try and fix an issue that I really do not 
understand.

I have a typical 2 interface setup. I have comcast as my ISP. I did a 
redirect on port 2100 to my local computer to play a game and it works 
fine. So, I know redirect works ok.

Now, I have a client that I have designed a webpage for and it is hosted 
on one of my other local computers. Its ip is 10.0.1.33 I can access it 
fine locally. But what I wanted to do is redirect port 5000 on the FW to 
10.0.1.33:80 . This would let my client view their new website and 
critique it. However, what happens when they try 
(www.renuecomputers.com:5000) is that they end up at my company website 
(www.renuecomputers.com) so I tried having them test it by my external 
ip:5000 and I get the same outcome. They never make it to the internal 
computer (10.0.1.33) and end up at my website on the FW.

If I shutdown my company website (apache2) and have them try again then 
the browser errors out on the connection.

This is my rule for the redirect to my internal webserver:

DNAT net loc:10.0.1.33:80 tcp 5000

I did re-read the docs on the two-interface setup and anything else 
I could find but really do not have a clue. Anyone ever experience 
something like this?

What am I missing? or How should I troubleshoot this ?

Thank you,

JD

