I tried your suggestion of telnet'ing to port 80 of a website.
I could reach it OK with the firewall off, but when I started the firewall - no go.
I looked at my firewall rules and policies and removed a rule stopping port 80.
I can surf OK now; I just need to check that my firewall is still secure.
Can you please review my firewall files?
Here is my Shorewall Policy file...
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info
and here is my Shorewall Rules file...
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info
If you would prefer it in iptables, here is the result of iptables -L...
> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
wlan0_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
wlan0_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
fw2wls all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain Drop (2 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain
Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:loc-srv
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:loc-srv
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900
Chain Reject (3 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn all -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:loc-srv
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:loc-srv
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain all2all (6 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dmz2fw (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain dmz2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain dmz2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain dmz2wls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (6 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
tcpflags tcp -- anywhere anywhere
net2loc all -- anywhere anywhere
net2wls all -- anywhere anywhere
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2wls all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
loc2fw all -- anywhere anywhere
Chain fw2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain fw2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere
Chain fw2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
fw2all all -- anywhere anywhere
Chain icmpdef (0 references)
target prot opt source destination
Chain loc2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere
Chain loc2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
loc2all all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain net2all (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere
Chain net2wls (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
net2all all -- anywhere anywhere
Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- 172.16.0.0/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst 172.16.0.0/12
rfc1918 all -- 192.168.0.0/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst 192.168.0.0/16
rfc1918 all -- external/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst external/8
Chain reject (10 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 10.255.255.255 anywhere
DROP all -- 192.168.1.255 anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
LOG all -- 10.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 10.255.255.255 anywhere
LOG all -- 192.168.1.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.1.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:SYN,RST,ACK/SYN
Chain wlan0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
wls2net all -- anywhere anywhere
wls2loc all -- anywhere anywhere
Chain wlan0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
wls2fw all -- anywhere anywhere
Chain wls2dmz (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain wls2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
all2all all -- anywhere anywhere
Chain wls2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain wls2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP igmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:auth
DROP tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere
Thanks,
Don =)
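One way to answer "is my firewall still secure" mechanically is to compute the effective Shorewall policy for every zone pair from the policy file, since Shorewall applies the first SOURCE/DEST match and treats `all` as a wildcard. The script below is an added example for that check; it is not part of Don's post and not Shorewall's own code. It embeds a constructed copy of the policy file quoted above, assumes the zones `net`, `loc` and `wls` (taken from the chain names in the iptables listing) with `net` as the only untrusted zone, and reports accepts from untrusted zones, zones that reach every firewall service, unlogged denies, missing catch-alls and entries shadowed by an earlier line.

```python
"""Audit a Shorewall policy file by computing the policy for each zone pair.

Added example: not from the post or from Shorewall. Shorewall applies the first
policy whose SOURCE and DEST match ("all" is a wildcard), so the effective policy
for every pair can be derived offline from the file alone.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed copy of the policy file quoted in the post, embedded so the
# example runs without a Shorewall installation.
SAMPLE_POLICY = """\
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT -
$FW all ACCEPT -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net all DROP info
wls net ACCEPT -
wls loc DROP -
all all REJECT info
"""

ZONES = ["net", "loc", "wls"]  # assumed from the chain names in the post
FW = "$FW"


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log_level: Optional[str]
    lineno: int


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH / MEDIUM / LOW
    message: str


def parse_policy(text: str) -> list[Policy]:
    """Parse SOURCE DEST POLICY [LOG-LEVEL [LIMIT:BURST]] lines; skip comments."""
    policies: list[Policy] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: malformed policy entry {raw!r}")
        level = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        policies.append(Policy(fields[0], fields[1], fields[2].upper(), level, lineno))
    return policies


def first_match(policies: list[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the policy Shorewall would apply to traffic from src to dst."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    return None


def audit(policies: list[Policy], zones: list[str], untrusted=("net",)) -> list[Finding]:
    """Evaluate every ordered zone pair (including $FW) and report risky or dead entries."""
    findings: list[Finding] = []
    used: set[int] = set()  # line numbers that decide at least one zone pair
    for src in zones + [FW]:
        for dst in zones + [FW]:
            if src == dst:
                continue
            p = first_match(policies, src, dst)
            if p is None:
                findings.append(Finding("HIGH", f"{src}->{dst}: no policy matches; add an all all REJECT/DROP catch-all"))
                continue
            used.add(p.lineno)
            if p.action == "ACCEPT" and src in untrusted:
                findings.append(Finding("HIGH", f"{src}->{dst}: untrusted zone accepted by default (line {p.lineno})"))
            elif p.action == "ACCEPT" and dst == FW and src != FW:
                findings.append(Finding("MEDIUM", f"{src}->{dst}: every service on the firewall is reachable from {src} (line {p.lineno})"))
            elif p.action in ("DROP", "REJECT") and p.log_level is None:
                findings.append(Finding("LOW", f"{src}->{dst}: denied traffic is not logged (line {p.lineno})"))
    for p in policies:
        if p.lineno not in used:
            findings.append(Finding("LOW", f"line {p.lineno}: policy {p.source} {p.dest} {p.action} is shadowed by an earlier entry"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_policy(SAMPLE_POLICY), ZONES):
        print(f"[{f.severity}] {f.message}")
```

On the quoted file the audit reports that `loc all ACCEPT` exposes every service on the firewall host to the LAN, and that `wls loc DROP -` discards wireless-to-LAN traffic without logging it; the `net` zone is denied and logged everywhere, and no entry is shadowed. Moving `all all REJECT` above `wls net ACCEPT` would make the latter dead, which the shadowing check catches.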