ARUN CHAKRAPANI RAO | 11 Jul 21:19 2014

Can shorewall block specific url

Hi,
 Please forgive me if this is the wrong place to ask this question.
We are an ISP looking for a tool which can block a specific URL instead of the domain itself.
for example
https://twitter.com/canweblockurl

The reason being, we get mails from the Government ordering us to block specific URLs.
We are about to evaluate Shorewall, wanted to know from any one of you as to whether this is possible.

If this is not the tool, can anybody guide me as to which open source tool is stable enough to do this job along with the firewall?

Thanks in Advance
Arun
------------------------------------------------------------------------------
Mallory, Danny | 10 Jul 17:21 2014

Logging question

Hello
I just upgraded from Debian 6(squeeze) to Debian 7(Wheezy) and my logging does not seem to be working
anymore.  "shorewall show log" looks normal pointing to /var/log/messages but I get no logging of drops or
rejects anymore. It appears to be doing kernel level logging as the messages are showing up via dmesg but
not in any real log file. Is this a known issue? 

Here are a couple of telnet tests and the output showing up in dmesg.

[ 2624.917558] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=11800 DF PROTO=TCP SPT=54655 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
[ 2625.919632] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=28097 DF PROTO=TCP SPT=54656 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

nothing in /var/log/messages (or any other log file) 


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
ray klassen | 10 Jul 17:41 2014

KLIPS openswan l2tp tunnels

I have 30 odd permanent vpns running pure ipsec over KLIPS, the openswan option erroneously called 2.4 kernel in the shorewall documentation. It still works way better than NETKEY. Switching over to KLIPS from NETKEY after using it for years solved innumerable problems with workstations not staying connected to the samba 3.x domain. I only include this bit of info here to avoid people replying to me with "switch over to NETKEY and come out of the dark ages." It's not going to happen.

But now I want to implement l2tp/ipsec and the shorewall documentation suffers as regards this configuration, so any help would be appreciated. Basically incoming l2tp traffic authenticates fine as regards ipsec, but then there is nothing. dmesg reports martians on interface ipsec0 and xl2tpd never processes the request.

my tunnels file includes a reference to
l2tp  L2TP     0.0.0.0/0  VPN
So that VPN is the gateway zone.

and I've got the rules set like so.

L2TP(REJECT):info    SHAW     $FW
REJECT          $FW     SHAW     udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          VPN     $FW     udp     1701

As I understand it with KLIPS, you don't declare that the zone is ipsec, because the traffic is delivered unencrypted to the kernel from an 'interface' ipsec0. interfaces declares ipsec+ to be part of the VPN zone, so, per the above rule, the $FW system should accept traffic from VPN on udp 1701 but isn't.
------------------------------------------------------------------------------
Michael Johannes | 9 Jul 18:28 2014

Using Shorewall as a gateway EC2 Instance on Ubuntu in AWS: Rule/Policy Problem

I have a question about a secure way to firewall and route traffic from an EC2 instance in AWS. The setup is
different from any other shorewall configuration I have used (OpenWRT, OpenVPN, etc). 
In this case there are two subnets in one VPC 
VPC - 10.252.0.0/16 
1) Public - 10.252.128.0/17 
2) Private - 10.252.0.0/17 
I have created an instance in the Public subnet with an elastic IP 54.x.x.100 which is NAT'ed to the eth0
interface on that server: 
NAT/GW/VPN Shorewall Server: 
10.252.128.200 (1 interface - ETH0) 
Traffic flows in and out to the internet without issue. The IGW (internet gateway) on AWS is properly
configured. The route tables are correct. 
In the private subnet, there is a test windows server with IP address 10.252.0.10. It is currently
configured to use the Shorewall Server as its gateway. When I configure the Shorewall policy file to use
ALL to ALL ACCEPT (I know this is not secure - obviously...) it works. Traffic comes in and out to
10.252.0.10. With Shorewall simply passing packets with no firewalling, everything works as expected. 
But when I try to secure it, I end up with this error in the log no matter how many rules I try to use: 
kernel: [ 5138.802818] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 
So instead of a typical configuration with an eth1 (loc) and eth0 (net) interface, there is only one
'physical' interface which is eth0 
The masq file looks like this: 
#MASQ 
eth0	0.0.0.0/0  #--> allow any server to be masq'd as eth0 
How can I keep the correct Shorewall policy (all all REJECT info) while using the rules file to allow traffic
in/out through the same eth0 interface? 
I cannot do the following like I could on a physical server (which would work) 
loc net ACCEPT 
Mike

------------------------------------------------------------------------------
Kay Obermueller | 9 Jul 18:19 2014

shorewall-4.4.12.2 on OS X 10.6.8 as administrative system for OpenWRT

Hello,
I try to use a Mac OS X 10.6.8 machine to administrate a router with
OpenWRT. I created two export directories, one according to
http://shorewall.net/CompiledPrograms.html and another one copied over
from another Linux machine where it was working with the router before
to find out how to get this going.
When I try:
# make compile
in both directories it complains (with and without a path to iptables in
shorewall.conf):
"Can't find iptables executable"
Of course it can't on a Mac. But how is this supposed to work on OS X?
Many thanks in advance.

Kay

------------------------------------------------------------------------------
Jan Lühr | 9 Jul 11:49 2014

Limiting Bandwidth per IP?

Hello folks,

I'm new to shorewall, using shorewall4 and shorewall6 on Debian
Wheezy (4.5.5.3).
Being confused about http://shorewall.net/simple_traffic_shaping.html
I'd like to ask:

Shorewall4 and 6 are used on a central router on our network, which
does masquerading for IPv4. How can I limit the total bandwidth per
client IP address to 5 MBit/s?

Keep smiling
yanosz

------------------------------------------------------------------------------
Db Clinton | 8 Jul 19:08 2014

Interfaces arguments won't compile

Hi,
Shorewall on a new installation isn't compiling and reports this error:

ERROR: Invalid BROADCAST address /etc/shorewall/interfaces (line 2)

I've read that until version 4.2.x there was a bug that could lead to this error, but I'm using 4.4.26.1-1. And in any case, I haven't got a BROADCAST column. The problem goes away when I remove all arguments (tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0) from the interface entry. Any one argument will make the compile fail. As I'd like to use arguments, does anyone have any idea what I should be doing differently?
Thanks,
David
------------------------------------------------------------------------------
Ruud Baart | 8 Jul 14:30 2014

Blocking DNS cache queries

Good day,

I have a problem in protecting one of our DNS servers (Debian, bind9). 
One of our DNS servers is attacked with cache queries. Our servers are 
protected the best way I can, but this type of request is coming from 
everywhere and I can not find an effective way of stopping these queries.

The queries look like these (tcpdump):
14:17:52.521563 IP 36.234.214.186.7824 > <my DNS server>.53: 47574+ A? kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.522458 IP 72.37.49.70.49040 > <my DNS server>.53: 17713+ A? mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.523229 IP <my DNS server>.53 > 36.234.214.186.7824: 47574 Refused- 0/0/0 (70)
14:17:52.523313 IP <my DNS server>.53 > 72.37.49.70.49040: 17713 Refused- 0/0/0 (70)

Bind security log:
08-Jul-2014 14:18:37.276 client 192.225.235.160#46655 (mxgbcfqdqdsh.www.fh1688.cn): query (cache) 'mxgbcfqdqdsh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.236.196#43452 (ibermzmjingh.www.fh1688.cn): query (cache) 'ibermzmjingh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.232.157#27740 (mzgrqlylyrsv.www.fh1688.cn): query (cache) 'mzgrqlylyrsv.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.128 client 23.208.175.177#41119 (wjkrofctef.www.fh1688.cn): query (cache) 'wjkrofctef.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.181 client 24.87.218.48#10407 (ibqlqzkheb.www.fh1688.cn): query (cache) 'ibqlqzkheb.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.577 client 108.117.95.12#13816 (efml.www.fh1688.cn): query (cache) 'efml.www.fh1688.cn/A/IN' denied

I have configured bind with rate limits, no recursion etc. And I have 
installed fail2ban. All these countermeasures are not sufficient. With 
extreme strict fail2ban rules I banned +/- 25.000 IP addresses in a few 
hours but the DNS cache queries still continue.

fail2ban log:
2014-07-08 14:23:12,337 fail2ban.actions: WARNING [named-refused] Ban 23.49.193.58
2014-07-08 14:23:12,662 fail2ban.actions: WARNING [named-refused] Ban 66.190.8.57
2014-07-08 14:23:12,993 fail2ban.actions: WARNING [named-refused] Ban 24.6.177.245
2014-07-08 14:23:13,316 fail2ban.actions: WARNING [named-refused] Ban 24.252.152.111
2014-07-08 14:23:13,656 fail2ban.actions: WARNING [named-refused] Ban 25.145.60.69
2014-07-08 14:23:13,987 fail2ban.actions: WARNING [named-refused] Ban 24.249.113.165
2014-07-08 14:23:14,334 fail2ban.actions: WARNING [named-refused] Ban 24.213.230.250
2014-07-08 14:23:14,699 fail2ban.actions: WARNING [named-refused] Ban 23.217.118.188
2014-07-08 14:23:15,029 fail2ban.actions: WARNING [named-refused] Ban 23.228.90.135
2014-07-08 14:23:15,353 fail2ban.actions: WARNING [named-refused] Ban 24.181.151.152
2014-07-08 14:23:15,684 fail2ban.actions: WARNING [named-refused] Ban 24.42.26.21

I can't find a pattern in the banned IP addresses: they don't belong to 
one or a few IP address blocks.

So my question: is there a way to drop DNS cache query requests with 
shorewall without interfering with the intended DNS service?

-- 
Met vriendelijke groeten/Regards,
Tiswe/R.J. Baart Automatisering B.V.

Ruud Baart

Tel: +31 6 51318104
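The quoted bind log carries a pattern that the source addresses alone do not: each denied query is a throwaway leftmost label under one parent name. As an added example (not from the post or from Shorewall), the Python below parses bind's `query (cache) ... denied` lines, groups them by parent name and reports parents queried under many distinct prefixes from many distinct clients; the sample is constructed from the quoted log plus one unrelated denial, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the six denials quoted in the post plus one unrelated
# denial (198.51.100.7 / www.example.net) added here to show it is not flagged.
BIND_LOG = """\
08-Jul-2014 14:18:37.276 client 192.225.235.160#46655 (mxgbcfqdqdsh.www.fh1688.cn): query (cache) 'mxgbcfqdqdsh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.236.196#43452 (ibermzmjingh.www.fh1688.cn): query (cache) 'ibermzmjingh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.232.157#27740 (mzgrqlylyrsv.www.fh1688.cn): query (cache) 'mzgrqlylyrsv.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.128 client 23.208.175.177#41119 (wjkrofctef.www.fh1688.cn): query (cache) 'wjkrofctef.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.181 client 24.87.218.48#10407 (ibqlqzkheb.www.fh1688.cn): query (cache) 'ibqlqzkheb.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.577 client 108.117.95.12#13816 (efml.www.fh1688.cn): query (cache) 'efml.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:39.002 client 198.51.100.7#40001 (www.example.net): query (cache) 'www.example.net/A/IN' denied
"""

# Matches the "query (cache) '<name>/<type>/IN' denied" form bind writes
# when a non-recursive server refuses a recursive lookup.
DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(text):
    """Return one dict per denied cache query: client address, name, record type."""
    out = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            out.append({"client": m.group("ip"),
                        "qname": m.group("qname").rstrip(".").lower(),
                        "qtype": m.group("qtype")})
    return out


def group_by_parent(records):
    """Group denials by the queried name with its leftmost label removed.

    A random-subdomain flood shows up as one parent with many distinct
    leftmost labels and many distinct clients, even though the clients
    share no address block (which is what the fail2ban bans were keyed on)."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:          # too short to carry a throwaway prefix
            continue
        s = stats[".".join(labels[1:])]
        s["queries"] += 1
        s["labels"].add(labels[0])
        s["clients"].add(r["client"])
    return stats


def suspicious_parents(records, min_labels=5, min_clients=3):
    """Parents whose distinct-prefix and distinct-client counts both reach the
    (assumed) thresholds; counts are returned so an operator can eyeball them."""
    return {p: {"queries": s["queries"], "labels": len(s["labels"]),
                "clients": len(s["clients"])}
            for p, s in group_by_parent(records).items()
            if len(s["labels"]) >= min_labels and len(s["clients"]) >= min_clients}


if __name__ == "__main__":
    for parent, s in suspicious_parents(parse_denied(BIND_LOG)).items():
        print(f"{parent}: {s['queries']} denied queries, "
              f"{s['labels']} distinct prefixes, {s['clients']} distinct clients")
```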

------------------------------------------------------------------------------
OBones | 7 Jul 10:07 2014

Use an interface when it is present

Hello,

I have a quite simple and classical setup with eth0 being local network 
and eth3 being the net interface which masquerades local.
The setup is using shorewall 4.4, works just fine and I'm very happy 
with it, many thanks for your dedicated hard work.

From time to time, I have issues with the network connection on eth3 
and then decide to plug in a data enabled cell phone in modem mode which 
gives me the usb0 interface. Note that eth3 does not go down, the link 
is still up but hardly responsive.
I have thus declared usb0 in the interfaces file with the optional flag 
like this:

net    usb0    optional
net    eth3    -
loc    eth0    -

I also have this in the masq file:

usb0    10.10.10.0/24
eth3    10.10.10.0/24

What I would like is that when usb0 is present, all packets are routed 
through its gateway and nothing goes through eth3 until I unplug usb0.
In my current setup, two default routes are created, one through eth3 
with metric 0, the other through usb0 with metric 10, which means that all 
packets are routed through eth3.
Manually editing the default route for eth3 via the route command, 
setting a metric above 10, makes it work. However, this 
does not "stick" when a reboot or shorewall restart occurs.
I have searched the documentation for the "metric" keyword and found it 
inside the providers file. To me, this looked like the solution and so I 
went forward and declared two providers like this:

cell    1    1    -    usb0    detect    -
adsl    2    2    -    eth3    detect    fallback,track

However, when I plug in the usb0 interface, the route for eth3 does not get 
changed and still keeps its metric value of 0.

I must have missed something obvious and would very much appreciate your 
help here.

Regards,
Olivier

------------------------------------------------------------------------------
TN Patriot | 6 Jul 15:00 2014

Confused, as usual...


Hi folks,

  I've honestly tried reading the FAQs and the other references on the
  Shorewall website, but I either just don't know what I'm looking at or for, or
  somehow missed it.

  My small problem - I've installed apcupsd on my Slackware 14.1 and need to
  somehow make port 3551 open/seeable for apcupsd to work correctly.

  Any help with this is greatly appreciated, and my apologies if it's something
  so simple an idiot should have been able to do it (I'm obviously slower than
  Forrest Gump :(  )

   JB

------------------------------------------------------------------------------
Lee Brown | 6 Jul 11:45 2014

Shorewall 4.6.1.2 / CentOS6.5 / ipset / SELinux

Dear All,

I could find no reference to SELinux in the documentation for this;
hopefully it helps others.
When I added ipset into the mix and played around from the command
line, everything worked as expected.  However during boot, shorewall
complains:

00:36:00 ERROR: ipset names in Shorewall configuration files require
Ipset Match in your kernel and iptables /etc/shorewall/rules (line 39)

And immediately after boot a shorewall start is totally successful.
This is a SELinux enforcement issue in my case:

type=AVC msg=audit(1404632169.296:45): avc:  denied  { create } for pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.296:45): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff5f7f9590 items=0 ppid=2760 pid=2761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.299:46): avc:  denied  { create } for pid=2763 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.299:46): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7ffffe3fc1c0 items=0 ppid=2762 pid=2763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.301:47): avc:  denied  { create } for pid=2765 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.301:47): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff63d428e0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.402:61): avc:  denied  { create } for pid=2810 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.402:61): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff51509c50 items=0 ppid=2809 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.405:62): avc:  denied  { create } for pid=2812 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.405:62): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fffc9256d20 items=0 ppid=2811 pid=2812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404635091.599:45): avc:  denied  { create } for pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socke

which may be resolved with:

semanage fcontext -a -t iptables_exec_t /path/to/ipset
restorecon -v /path/to/ipset

(you'll need policycoreutils-python installed)

documented at:

https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html

Regards - lee
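An added example, not from the post: Python that joins the quoted AVC and SYSCALL records by their audit serial so the denied permission, object class, source domain and executable path can be read off in one place, and renders the relabel commands the post applies for that path. The sample is constructed from the first two record pairs in the log; `iptables_exec_t` is the type the post uses and is not verified here.

```python
import re
from collections import defaultdict

# Constructed sample: the first two AVC/SYSCALL pairs quoted in the post.
AUDIT_LOG = """\
type=AVC msg=audit(1404632169.296:45): avc:  denied  { create } for pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.296:45): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7fff5f7f9590 items=0 ppid=2760 pid=2761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.299:46): avc:  denied  { create } for pid=2763 comm="ipset" scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.299:46): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c a3=7ffffe3fc1c0 items=0 ppid=2762 pid=2763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset" exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \}")            # { create } etc.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value pairs


def parse_audit(text):
    """Merge AVC and SYSCALL records that share an audit serial into one event.

    The AVC record says what was denied; the SYSCALL record that follows it
    carries the exe= path needed for a file-context fix."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[int(m.group(2))]
        ev.setdefault("time", float(m.group(1)))
        if kv.get("type") == "AVC":
            ev["perms"] = PERMS_RE.search(line).group(1).split()
            ev.update({k: kv[k] for k in ("comm", "scontext", "tcontext", "tclass") if k in kv})
        elif kv.get("type") == "SYSCALL":
            ev.update({k: kv[k] for k in ("exe", "syscall", "exit") if k in kv})
    return dict(events)


def denials_by_exe(events):
    """Collapse events to (exe, source domain, target class) -> denied permissions."""
    summary = defaultdict(set)
    for ev in events.values():
        if "perms" in ev and "exe" in ev:
            domain = ev["scontext"].split(":")[2]     # system_u:system_r:<domain>:s0
            summary[(ev["exe"], domain, ev["tclass"])].update(ev["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def relabel_commands(exe, file_type="iptables_exec_t"):
    """The relabel from the post, rendered for the executable found in the log."""
    return [f"semanage fcontext -a -t {file_type} {exe}", f"restorecon -v {exe}"]


if __name__ == "__main__":
    for (exe, domain, tclass), perms in denials_by_exe(parse_audit(AUDIT_LOG)).items():
        print(f"{exe} running as {domain}: denied {' '.join(perms)} on {tclass}")
        print("\n".join(relabel_commands(exe)))
```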

------------------------------------------------------------------------------