[Shorewall-newbies] firewall setup error help! please! asap

Alex Martin shorewall at rettc.com
Sun Dec 7 20:00:33 PST 2003


Ok. The policy file you have created makes most of your rules obsolete.

 >loc             net             ACCEPT
 >net             loc             ACCEPT

The above allows all traffic between your loc and net zones!!!! Thus, 
any net2loc or loc2net rules are useless. This is a good way to get 
hacked. If you had Windows boxes in the loc zone, I bet they did get hacked.

 > # remove the comment from the following line.
 > fw             net             ACCEPT

The above makes all fw2net rules unnecessary. I would comment this out 
and allow fw2net traffic explicitly (like you have done in your rules). 
This way you can see if your firewall gets hacked. For example, a test 
box of mine was hacked, with a rootkit installed. I saw in my logs the 
attempt of the rootkit to go outbound on a port I did not explicitly 
allow. Of course this hacker could not figure out my firewalling 
mechanism; a good one would be familiar with iptables.

 > #net            all             DROP            ULOG
By commenting this out, all random internet traffic that is not allowed 
by your VERY liberal policy will reduce the accuracy of log entries as 
to where the traffic came from and as to where the traffic was headed.

 > all             all             REJECT          ULOG
 > #net            fw              DROP    icmp    8
 > #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Also, here is what I can glean from your minimal information. You have a 
two-interface setup. You have a range of public IPs. You are in effect 
using the loc zone as a DMZ. You have hosts with public IPs in the loc 
zone. You are therefore not masquerading (/etc/shorewall/masq) nor 
NATing (/etc/shorewall/nat).

So, I would start with a fresh policy file, from the two-interface 
samples available from www.shorewall.net, or reinstall (clean!) the 
Bering LRP package (I am not familiar with LRP/Bering). Then, your rules 
are pretty good. Usually, the policy file does not need to be touched. 
People screw with it to try to make things work, and end up with a 
minimal firewall, or what some would call simply a router. You want a 
firewall though, I assume ;).

How I start a firewall with Shorewall is to download the sample 
configuration closest to my end-product plan, then modify it minimally 
(i.e., remove masq entries, set up interface options). At this point, I 
try to do whatever my hosts/servers do, and watch the logs. The logs will 
indicate what rules you need to make. If in your case you have a 
webserver in the loc zone, then from the internet, try to browse to 
your server. With a naked Shorewall install, you will not be able to 
browse your server, but on the firewall you will see in /var/log/messages 
that a policy (or rule, if you have added any) has dropped those 
requests. Then, you add a rule to accept web from the net to a specific 
server IP in the loc zone. Go from there.

Alex Martin
http://www.rettc.com


Sterling Martin wrote:

> # This file determines your network zones. Columns are:
> #
> #       ZONE            Short name of the zone (5 Characters or less in length).
> #       DISPLAY         Display name of the zone
> #       COMMENTS        Comments about the zone
> #
> #ZONE   DISPLAY         COMMENTS
> net     Net             Internet
> loc     Local           Local networks
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> 
> this is what the zone file has....
> 
> interfaces ....
> 
> ############################################################################## 
> 
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> net     eth0            detect          dhcp,routefilter,norfc1918
> loc     eth1            detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> 
> 
> policy file
> 
> 
> ############################################################################### 
> 
> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
> loc             net             ACCEPT
> net             loc             ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw             net             ACCEPT
> #net            all             DROP            ULOG
> all             all             REJECT          ULOG
> #net            fw              DROP    icmp    8
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> 
> 
> 
> 
> and here is the rules file..... does it look right to you.... 
> pleasssssssssssse feel free to comment on how to make it better.... I 
> would like to be able to make it so that people can only ftp to one port 
> or IP address on one server but not sure how that's done because as you 
> can see it's wide open "per se"
> 
> 
> any help would be greatly appreciated... :)
> 
> 
> sheldon
> 
> 
> 
> 
> 
>> Hello,
>>
 >> Does this firewall have the ability to have what is known as a "DMZ" zone
>> .. ??
>>
>> (Requires Extra Interface) .. Because I am not totally sure what is in
>> the "LOC" zone .. but if you use a DMZ .. you will have isolation .. And
>> greater security ..
>>
>> Francesca
>>
>> PS: Please Reply To All So The List Gets The Thread
>>
> 
> 
> _______________________________________________
> Shorewall-newbies mailing list
> Post: Shorewall-newbies at lists.shorewall.net
> Subscribe/Unsubscribe: 
> https://lists.shorewall.net/mailman/listinfo/shorewall-newbies
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
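An added example, written for this page and not code from the thread or from the Shorewall project: a small Python lint that reads a Shorewall policy file and rules file and reports the problems Alex points out above. It flags an ACCEPT policy from an untrusted zone (every ACCEPT rule for that zone pair is then redundant and nothing is logged), an ACCEPT policy for the firewall's own outbound traffic (which would hide the kind of unexpected outbound connection Alex saw in his logs), and DROP/REJECT policies with no log level. The posted policy is copied from the quoted message; the repaired policy, the rules file and the 192.0.2.x addresses are constructed for the example. It assumes Shorewall's documented policy semantics (rules are consulted before policies; the first matching policy entry wins, with `all` as a wildcard) and that the firewall zone is spelled `fw` as in the posted file or `$FW` as in later releases.

```python
"""Lint Shorewall policy/rules files for wide-open policies, unlogged
policies, and ACCEPT rules that a policy already makes redundant.

Semantics assumed here (per Shorewall documentation): rules are matched
before policies, and the first matching policy line wins, with the zone
name "all" acting as a wildcard."""

from dataclasses import dataclass
from typing import List, Optional

# Policy exactly as posted in the quoted message (fw/net line uncommented).
POSTED_POLICY = """\
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
net             loc             ACCEPT
fw              net             ACCEPT
#net            all             DROP            ULOG
all             all             REJECT          ULOG
"""

# Constructed repair modelled on the two-interface sample Alex recommends:
# loc may reach the net, everything from the net is dropped and logged,
# everything else (including fw->net) is rejected and logged.
REPAIRED_POLICY = """\
#SOURCE         DEST            POLICY          LOG LEVEL
loc             net             ACCEPT
net             all             DROP            ULOG
all             all             REJECT          ULOG
"""

# Constructed rules file: web and ftp to one specific loc host (TEST-NET address).
SAMPLE_RULES = """\
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     loc:192.0.2.10      tcp     80
ACCEPT  net     loc:192.0.2.10      tcp     21
"""


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    loglevel: Optional[str]


def parse_table(text: str) -> List[List[str]]:
    """Split a Shorewall-style table into columns; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_policies(text: str) -> List[Policy]:
    return [Policy(r[0], r[1], r[2].upper(), r[3] if len(r) > 3 else None)
            for r in parse_table(text) if len(r) >= 3]


def zone_of(spec: str) -> str:
    """'loc:192.0.2.10' -> 'loc'; a bare zone name is returned unchanged."""
    return spec.split(":", 1)[0]


def effective_policy(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First policy line matching the zone pair, or None if nothing matches."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    return None


def lint(policy_text: str, rules_text: str = "",
         untrusted=("net",), fw_zones=("fw", "$FW")) -> List[str]:
    policies = parse_policies(policy_text)
    findings = []
    for p in policies:
        pair = f"{p.source}->{p.dest}"
        if p.action == "ACCEPT" and (p.source in untrusted or p.source == "all"):
            findings.append(f"OPEN: policy {pair} ACCEPT admits every inbound "
                            "connection; ACCEPT rules for this pair are redundant "
                            "and nothing is logged")
        elif p.action == "ACCEPT" and p.source in fw_zones:
            findings.append(f"EGRESS: policy {pair} ACCEPT hides unexpected "
                            "outbound connections from the firewall itself; "
                            "allow them with explicit rules instead")
        elif p.action in ("DROP", "REJECT") and p.loglevel is None:
            findings.append(f"SILENT: policy {pair} {p.action} has no log "
                            "level, so denied traffic leaves no trace")
    for r in parse_table(rules_text):
        if len(r) < 3 or r[0].upper() != "ACCEPT":
            continue
        p = effective_policy(policies, zone_of(r[1]), zone_of(r[2]))
        if p is not None and p.action == "ACCEPT":
            findings.append(f"REDUNDANT: rule '{' '.join(r)}' is already "
                            f"allowed by policy {p.source}->{p.dest} ACCEPT")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_POLICY), ("repaired", REPAIRED_POLICY)):
        print(f"== {name} policy ==")
        for finding in lint(text, SAMPLE_RULES) or ["no findings"]:
            print(" ", finding)
```

Run against the posted policy, the lint reports the net->loc ACCEPT hole, the fw->net ACCEPT egress policy, and both ACCEPT rules as redundant; against the repaired policy it reports nothing, because net->loc now falls to `net all DROP ULOG` and the two rules are what actually open ports 80 and 21 to the one host.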


