Igor Sverkos | 23 Feb 11:29 2014

Blacklist questions

Hi,

1) I have multiple (ip)sets containing addresses to blacklist. I could
add them to the blrules file but for statistics (I need to know how
many connections were blocked from set A and how many were blocked
from set B) I need to differentiate between the sets.

Can I do that with blrules or do I have to use the rules file?

If I have to use the rules file, would I experience performance
issues because rules like tcp flag checks will run before my drop
rules?

2) I saw the "RATE LIMIT" and "CONNLIMIT" columns in the blrules file.
Can somebody explain to me the usage scenario of these columns in a
blacklist? Does it mean that if I set a limit of 10 connections per minute,
only 10 connections per minute will be blacklisted?

3) I need to log each blacklisted connection attempt. But to prevent
my logs from filling up with redundant data I'd like to set a log
limit like "log only 1 connection attempt per host/dst port
combination per n seconds", like I can do in the rules file. This
doesn't seem to be possible with the blrules file, right?

Regards,
Igor


Vieri Di Paola | 21 Feb 14:38 2014

ping: sendmsg: Operation not permitted

Hi,

Recently I've been seeing network failures on my shorewall firewall. For no apparent reason (no rule
changes - server untouched) some connections started failing.

For instance, I can see the following:

# ping 10.215.5.95
PING 10.215.5.95 (10.215.5.95) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
64 bytes from 10.215.5.95: icmp_req=2 ttl=60 time=3.27 ms
64 bytes from 10.215.5.95: icmp_req=3 ttl=60 time=2.96 ms
64 bytes from 10.215.5.95: icmp_req=4 ttl=60 time=2.63 ms
64 bytes from 10.215.5.95: icmp_req=5 ttl=60 time=3.11 ms
64 bytes from 10.215.5.95: icmp_req=6 ttl=60 time=2.98 ms
64 bytes from 10.215.5.95: icmp_req=7 ttl=60 time=2.44 ms
64 bytes from 10.215.5.95: icmp_req=8 ttl=60 time=2.57 ms
64 bytes from 10.215.5.95: icmp_req=9 ttl=60 time=5.11 ms
64 bytes from 10.215.5.95: icmp_req=10 ttl=60 time=2.67 ms
64 bytes from 10.215.5.95: icmp_req=11 ttl=60 time=2.58 ms
64 bytes from 10.215.5.95: icmp_req=12 ttl=60 time=3.20 ms

# shorewall version
4.4.27.3

That looks really odd, and I tried shorewall stop ; start ; clear.
I also checked the system for rootkits with rkhunter but didn't find anything.

The only way I can fix this problem is to reboot the system (after a week or so, it starts failing
intermittently again).

I.S.C. William | 13 Feb 00:23 2014

Iptables interpret code in Shorewall - For Loop (Iptables)

How could I interpret this code in Shorewall?

---------
Code in Iptables:

# one ACCEPT per non-comment entry in the list; $URL must be something
# iptables can resolve to an address at load time
for URL in $(grep -v "^#" /etc/squid/liberados_443); do
    iptables -I FORWARD -p tcp --dport 443 -d "$URL" -j ACCEPT
done

-------


I need to be able to output only to the Internet web sites I want to give access to.

Thank you.


Farkas Levente | 12 Feb 20:54 2014

more problems in default configs

hi,
more warnings which can be fixed in the default shorewall.conf which
comes from the default config file. imho all of these should be
fixed:
--------------------------------
   WARNING: Unknown configuration option (REJECT_ACTION) ignored
shorewall.conf (line 197) at /usr/share/perl5/Shorewall/Config.pm line 4596
	Shorewall::Config::process_shorewall_conf(0, 0) called at
/usr/share/perl5/Shorewall/Config.pm line 5012
	Shorewall::Config::get_configuration(1, 0, 0, 0) called at
/usr/share/perl5/Shorewall/Compiler.pm line 652
	Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/lib/shorewall/compiler.pl line 145
   WARNING: Unknown configuration option (TRACK_RULES) ignored
shorewall.conf (line 221) at /usr/share/perl5/Shorewall/Config.pm line 4596
	Shorewall::Config::process_shorewall_conf(0, 0) called at
/usr/share/perl5/Shorewall/Config.pm line 5012
	Shorewall::Config::get_configuration(1, 0, 0, 0) called at
/usr/share/perl5/Shorewall/Compiler.pm line 652
	Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/lib/shorewall/compiler.pl line 145
   WARNING: Unknown capability (REAP_OPTION) ignored capabilities (line
76) at /usr/share/perl5/Shorewall/Config.pm line 4639
	Shorewall::Config::read_capabilities() called at
/usr/share/perl5/Shorewall/Config.pm line 4715
	Shorewall::Config::get_capabilities(1) called at
/usr/share/perl5/Shorewall/Config.pm line 5027
	Shorewall::Config::get_configuration(1, 0, 0, 0) called at
/usr/share/perl5/Shorewall/Compiler.pm line 652
	Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/lib/shorewall/compiler.pl line 145
--------------------------------

another warning which is really strange too, since loc and vpn are both 3
letter zones, so imho it can't be any shorter, so why is the prefix still too
long? if it's still too long then the default prefix generation should
be changed:
--------------------------------
   WARNING: Log Prefix shortened to "Shorewall:loc2vpn:DROP:Attac "
rules (line 48) at /usr/share/perl5/Shorewall/Chains.pm line 6003
	Shorewall::Chains::log_rule_limit('ULOG', 'HASH(0x1d7d888)', 'loc2vpn',
'DROP', '', 'Attack', 'add', '') called at
/usr/share/perl5/Shorewall/Chains.pm line 4059
	Shorewall::Chains::logchain('HASH(0x1d01060)', 'ULOG', 'Attack', '',
'DROP', 'DROP') called at /usr/share/perl5/Shorewall/Chains.pm line 7234
	Shorewall::Chains::expand_rule('HASH(0x1d01060)', 0, '', '',
'!10.10.10.0/24', '0.0.0.0/0', '', 'DROP', 'ULOG:Attack', ...) called at
/usr/share/perl5/Shorewall/Rules.pm line 2671
	Shorewall::Rules::process_rule(undef, '', 'DROP:ULOG:Attack', '',
'loc:!10.10.10.0/24', 'vpn', '-', '-', '-', ...) called at
/usr/share/perl5/Shorewall/Rules.pm line 3063
	Shorewall::Rules::process_raw_rule() called at
/usr/share/perl5/Shorewall/Rules.pm line 3236
	Shorewall::Rules::process_rules(0) called at
/usr/share/perl5/Shorewall/Compiler.pm line 821
	Shorewall::Compiler::compiler('script', './firewall', 'directory', .,
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/lib/shorewall/compiler.pl line 145
--------------------------------
regards.

-- 
  Levente                               "Si vis pacem para bellum!"

Farkas Levente | 12 Feb 20:14 2014

bad permission on /etc/shorewall/notrack

hi,
in the rpm packages 4.5.21-6 the file /etc/shorewall/notrack has 600
permissions, which should be 644.
regards.

--
  Levente                               "Si vis pacem para bellum!"

Göran Höglund | 12 Feb 13:23 2014

Routing issue

Hi List
I have a setup with multi-ISP and LSM; this works very well.
I am using one ISP as backup and the other as main, no balancing.

When the ordinary interface is down I would like to be able to reach the 
modem on port 80 on the ordinary IF.

My problem is sorting out a DNAT rule to get this working in a way that 
I can reach the isp2 modem through
isp1 with DNAT in the FW. Port fwd in the isp1 modem is OK and I can see the 
traffic going out towards the isp2 modem.

I assume this has to do with the def gw in the modem and masq in the FW, or 
is it something else I miss?

isp1 modem --------------- FW ----------------isp2 modem

I am using shorewall 4.5.16.1; the log complains about sfilter?
Thanks /GH

Farkas Levente | 11 Feb 15:35 2014

bug in the docs

hi,
in the docs http://shorewall.net/MultiISP.html, in the example
/etc/lsm/script file, at the end you call the /sbin/shorewall script even
if only shorewall-lite is installed. at the beginning there is an "if-else" for
shorewall-lite but the shorewall script is not if-ed.
regards.

-- 
  Levente                               "Si vis pacem para bellum!"


redirect https traffic from gateway to a box in loc

Hello,

I've been using shorewall for years with this configuration: gateway (debian wheezy) with pppoe dsl
connection (213.41.184.2), loc in 192.168.0.0/24.
The versioning system is on 192.168.0.50 and is visible from inside and outside.
This configuration worked on debian squeeze; problems appeared after the upgrade, so I suspect a bad config
param I introduced...

What I'm trying to do: access https on 213.41.184.2
from 88.172.230.130.
I'd expect the traffic to be redirected to 192.168.0.50.
But it works only "sometimes": this box has nothing in its logs, the traffic seems blocked on shorewall.

After reading http://shorewall.net/FAQ.htm#faq1b I suspected routing. Here is the route table of the
gateway box :
# route -n
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         213.41.184.2    0.0.0.0         UG    0      0        0 ppp0
178.132.16.234  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

Attached is status.txt as required on http://shorewall.net/support.htm.

Thanks for your help.
Attachment (status.txt.gz): application/x-gzip, 22 KiB
Rodrigo Cortes | 10 Feb 15:27 2014

incoming block connections

Hi!

I have a CentOS 6.5 x64 with the latest Shorewall stable. All is OK until I use DNAT to permit incoming SMTP/HTTPS
to Exchange. For some reason, sometimes the incoming connections to SMTP/HTTPS on Exchange are blocked; the
port doesn't respond.

Any idea about this error?!

Thx..

PS: sorry for my English...
Tom Eastep | 10 Feb 01:27 2014

Re: Fw: Rate limit not stopping icmp

On 2/9/2014 2:22 PM, Andrew wrote:
>   Dear Tom,
> Sorry to bother You, I am new to this list and I have the feeling that
> my very first message sent to shorewall-users <at> lists.sourceforge.net in
> both plain & html format bounces back unread. I get:
> - Results:
>    Ignoring non-text/plain MIME parts
> - Unprocessed:
> - - - - - - - -  - -
> 
> If the message has been received and repeated, please ignore this
> repetition.
>    Andrew
> 
> 
> 
> 
> Hi!
> 
> I have been using Shorewall for several years and it has been working
> without a glitch.
> 
> Last week I tried to introduce RateLimit, Shorewall starts and everything
> seems working fine, but when I test with ping, the RateLimit seems not
> limiting anything. I have this in rules:
> 
> ACCEPT  net   $FW icmp -  - - s:icmp:5/min:5
> 
> and I ping intensely the WAN interface from several other machines - ping
> response goes on and on. I expected it to stop after 5 consecutive
> pings. Changed RateLimit field to s:icmp:1/min:1 with no result.
> 
> Same effect is observed on Fedora17 32 bit with Shorewall 4.5.7, then
> updated to 4.5.15 and on Fedora19 64 bit box with Shorewall 4.5.15, all
> installed from Fedora RPMs.
> 
> I have read in the mailing list an old post explaining that the browser does
> not break the http connection and quickly pressing F5 does not actually create new
> connections and therefore RateLimit is not applied. Does the same apply to the
> ping command and icmp protocol? How to test if RateLimit is operational?
> 
> Attached is a compressed dump from F17 box. Thanks in advance!
> 
> One more question: On F19 box some capabilities are not available: ACCOUNT
> Target,  IMQ Target,  IPMARK Target,  IPP2P Match. First is said to be
> needed. Any idea which rpm contains these capabilities?

If you want to limit total echo-requests, you need to put your rule in
the ALL section of the rules file rather than in the NEW section.

-Tom

PS -- I have no idea how F19 is packaged. But I assume that there is an
xtables-addons package of some sort.
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
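An added illustration of Tom's answer, constructed for this page and not taken from the thread or from Shorewall's own files. It assumes Shorewall 4.5 SECTION syntax and FASTACCEPT=No (the default), and shows why the limit also needs an explicit DROP once it lives in the ALL section:

```text
# /etc/shorewall/rules (constructed fragment)
#
# Conntrack pairs each echo request with its reply, so every request after
# the first one in a ping session is ESTABLISHED, not NEW. A rate limit in
# the NEW section therefore only ever sees one packet per ping session.

SECTION ALL
# Andrew's rule, moved here so it counts every echo request (ICMP type 8)
# from a source whatever its conntrack state: 5 per minute, burst 5.
ACCEPT  net   $FW   icmp   8   -   -   s:icmp:5/min:5
# Needed alongside it: without this, the excess requests fall through to
# the implicit ESTABLISHED accept that follows the RELATED section and are
# still answered.
DROP    net   $FW   icmp   8

SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
# Original placement, kept only for comparison: only the first request of
# each ping session reaches this rule, so the limit never triggers.
#ACCEPT  net   $FW   icmp   -   -   -   s:icmp:5/min:5
```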

Tony Middleton | 9 Feb 17:39 2014

DNAT rules do not seem to be actioned

I have a small network with a firewall running Debian 7.4.  I have a set
of rules as follows

DNAT            net     loc:192.168.1.10        tcp     6881
DNAT            net     loc:192.168.1.10        udp     6881
DNAT            net     loc:192.168.1.10        tcp     7881
DNAT            net     loc:192.168.1.10        udp     7881
DNAT            net     loc:192.168.1.10        tcp     8881
DNAT            net     loc:192.168.1.10        udp     8881

However, the log appears to show that packets are being processed in the
input chain and thus dropped. Examples:

Feb  9 11:04:35 hawthorn kernel: [   33.755144] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:05:5d:df:2b:c0:00:30:b8:d1:dd:34:08:00 SRC=84.236.104.54 DST=86.16.18.41 LEN=58 TOS=0x00 PREC=0x00 TTL=114 ID=16849 PROTO=UDP SPT=43226 DPT=6881 LEN=38

Feb  9 16:24:13 hawthorn kernel: [13732.666341] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:05:5d:df:2b:c0:00:30:b8:d1:dd:34:08:00 SRC=105.237.76.28 DST=86.16.18.41 LEN=129 TOS=0x00 PREC=0x00 TTL=111 ID=16779 PROTO=UDP SPT=55180 DPT=7881 LEN=109

I've probably done something stupid but can't find it.  While I can find
a number of examples of this in my logs,  the problem came to light as,
over the past few days, I am receiving a constant stream of packets and
the messages blew my /var/logs

Dump attached.

Regards

Tony

Attachment (shorewalldump.txt.gz): application/gzip, 72 KiB
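An added triage script, written for this page and not part of Shorewall or any of the posts: it parses the Shorewall kernel log format shown in Tony's excerpt, counts hits per chain/disposition/port so that packets to the DNAT'd ports that land in net2fw stand out, counts drops per log tag (Igor's per-set statistics question, assuming each blacklist set gets its own DROP rule with its own tag), and reproduces the 29-byte prefix shortening behind Levente's "Attac " warning. The log lines and the setA/setB tags are constructed; the DNAT port set is taken from Tony's rules.

```python
import re
from collections import Counter

# Default LOGFORMAT is "Shorewall:<chain>:<disposition>:" plus an optional
# "<tag> "; iptables caps --log-prefix at 29 bytes, which is why the compiler
# shortened "Attack" to "Attac " in Levente's warning.
LOG_PREFIX_MAX = 29
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):(\S*?)\s*(?=IN=)")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
DNAT_PORTS = {"6881", "7881", "8881"}  # the ports Tony's DNAT rules cover

# Constructed in the format of Tony's log excerpt (addresses from the thread);
# the setA/setB tags assume one DROP rule, with its own log tag, per blacklist set.
SAMPLE_LOG = [
    "Feb  9 11:04:35 hawthorn kernel: [   33.755144] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=84.236.104.54 DST=86.16.18.41 LEN=58 TTL=114 PROTO=UDP SPT=43226 DPT=6881 LEN=38",
    "Feb  9 16:24:13 hawthorn kernel: [13732.666341] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=105.237.76.28 DST=86.16.18.41 LEN=129 TTL=111 PROTO=UDP SPT=55180 DPT=7881 LEN=109",
    "Feb  9 16:30:01 hawthorn kernel: [14080.100000] Shorewall:net2fw:DROP:setA IN=eth1 OUT= SRC=198.51.100.7 DST=86.16.18.41 LEN=60 PROTO=TCP SPT=40000 DPT=22",
    "Feb  9 16:30:02 hawthorn kernel: [14081.100000] Shorewall:net2fw:DROP:setB IN=eth1 OUT= SRC=203.0.113.9 DST=86.16.18.41 LEN=60 PROTO=TCP SPT=40001 DPT=443",
    "Feb  9 16:30:03 hawthorn kernel: [14082.100000] Shorewall:net2fw:DROP:setA IN=eth1 OUT= SRC=198.51.100.7 DST=86.16.18.41 LEN=60 PROTO=TCP SPT=40002 DPT=22",
    "Feb  9 16:30:04 hawthorn sshd[2201]: Accepted publickey for tony from 192.168.1.20",
]

def log_prefix(chain, disposition, tag=""):
    """Rebuild the LOG prefix, shortened as the warning shows (exact compiler logic is assumed)."""
    prefix = f"Shorewall:{chain}:{disposition}:" + (f"{tag} " if tag else "")
    if len(prefix) > LOG_PREFIX_MAX:
        prefix = prefix[:LOG_PREFIX_MAX - 1] + " "
    return prefix

def parse_line(line):
    """Return (chain, disposition, tag, fields) or None for non-Shorewall lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    chain, disposition, tag = m.groups()
    # dict() keeps the last value, so LEN ends up as the transport-layer length.
    return chain, disposition, tag, dict(FIELD_RE.findall(line[m.end():]))

def summarize(lines, dnat_ports):
    """Count hits per rule key and per tag; flag packets to DNAT'd ports that
    reached a *2fw chain, which means the DNAT rule did not apply to them."""
    by_rule, by_tag, dnat_in_fw = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, disposition, tag, f = parsed
        proto, dport = f.get("PROTO"), f.get("DPT")
        by_rule[(chain, disposition, proto, dport)] += 1
        if tag:
            by_tag[tag] += 1
        if chain.endswith("2fw") and dport in dnat_ports:
            dnat_in_fw[(proto, dport)] += 1
    return {"by_rule": by_rule, "by_tag": by_tag, "dnat_in_fw": dnat_in_fw}
```

Calling summarize(SAMPLE_LOG, DNAT_PORTS) on the sample yields dnat_in_fw entries for UDP 6881 and 7881, the same symptom Tony's two log lines show.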