LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 08-31-2004, 12:39 PM   #1
N3K0KUN
Shorewall ignores the rules?


I have tried to set up Shorewall following a guide for using it on a webserver, but I haven't had much luck. I've just installed Shorewall, so there were no settings; the guide didn't outline any policies, so Shorewall wouldn't start. I made one to DROP everything from net to fw, since the rules would accept the rest.

But whenever the firewall is up, I can't access my Apache server, even from within the LAN. When I stop it and then run:
Code:
iptables -I INPUT 1 -j ACCEPT
iptables -I OUTPUT 1 -j ACCEPT
iptables -I FORWARD 1 -j ACCEPT
everything works fine and I can connect to the server. Once I start the firewall again I can't, even though there is a rule to accept net to fw on port 80.

Even stranger is when I change the policy to ACCEPT all traffic from net to fw, it STILL doesn't work. That's with a policy and a rule, both accepting connections on port 80.

I am using Slackware 10 with the 2.6.8.1 kernel. Any help would be greatly appreciated! (I don't have a high enough post count to LINK to the guide, but on the Shorewall website, under documentation, howtos, and guides written by other people, it's the only one listed.)

Last edited by N3K0KUN; 08-31-2004 at 01:39 PM.
 
Old 09-02-2004, 11:18 AM   #2
N3K0KUN
Erhm... I realize that not linking to the guide I followed isn't very helpful, so I will post what I have changed from the plain installation of Shorewall.

shorewall.conf
Code:
IP_FORWARDING=Off
ROUTE_FILTER=Yes
interfaces
Code:
net      eth0           detect          norfc1918,nobogons,blacklist,nosmurfs
rules
Code:
ACCEPT   net            fw              icmp    8
ACCEPT   net            fw              tcp     20
ACCEPT   net            fw              tcp     21
ACCEPT   net            fw              tcp     22
ACCEPT   net            fw              tcp     25
ACCEPT   net            fw              tcp     53
ACCEPT   net            fw              udp     53
ACCEPT   net            fw              tcp     80
ACCEPT   net            fw              tcp     110
ACCEPT   net            fw              tcp     143
ACCEPT   net            fw              tcp     443
ACCEPT   net            fw              tcp     465
ACCEPT   net            fw              tcp     993
ACCEPT   net            fw              tcp     995
routestopped
Code:
eht0            192.168.8.20
zone
Code:
net                     Net             The Internet
After changing all of those settings, I ran
Code:
rm /etc/shorewall/startup_disabled -fr
shorewall start
And... I couldn't access the apache server. So I made two policies
policy
Code:
fw     net    ACCEPT
net    all    ACCEPT
Still, the firewall blocks all ports.

Last edited by N3K0KUN; 09-02-2004 at 11:19 AM.
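An added configuration check, written for this thread and not taken from the poster or from the Shorewall project: it reads the files posted above as constructed strings and reports what a reviewer would look at first, namely zones referenced but never defined, the interface name in routestopped, and the norfc1918 option on an interface that 192.168.8.x LAN hosts sit behind. It assumes the firewall zone name is the FW setting from shorewall.conf (default fw) and that norfc1918 drops packets with RFC1918 source addresses before the rules and policy files are consulted.

```python
import ipaddress

# Constructed copies of the files posted in the thread (whitespace-separated columns,
# '#' starts a comment). The zones file lists only "net"; the firewall zone is taken
# from the FW setting in shorewall.conf, assumed here to be the default "fw".
INTERFACES = "net eth0 detect norfc1918,nobogons,blacklist,nosmurfs\n"
ROUTESTOPPED = "eht0 192.168.8.20\n"
ZONES = "net Net The Internet\n"
POLICY = "fw net ACCEPT\nnet all ACCEPT\n"
RULES = "ACCEPT net fw tcp 80\nACCEPT net fw tcp 22\n"

def records(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def check(interfaces, routestopped, zones, policy, rules, fw="fw"):
    """Return a list of findings for a single-interface Shorewall configuration."""
    findings = []
    defined = {r[0] for r in records(zones)} | {fw, "all"}
    iface_opts = {r[1]: set(r[3].split(",")) if len(r) > 3 else set()
                  for r in records(interfaces)}
    # 1. Every zone named in policy (cols 1-2) and rules (cols 2-3) must exist.
    #    A "zone:host" qualifier is trimmed to the zone name first.
    for name, text, first in (("policy", policy, 0), ("rules", rules, 1)):
        for r in records(text):
            for z in (r[first].split(":")[0], r[first + 1].split(":")[0]):
                if z not in defined:
                    findings.append(f"{name}: zone '{z}' is not defined")
    # 2. routestopped must name real interfaces (catches typos such as 'eht0').
    lan_hosts = []
    for r in records(routestopped):
        if r[0] not in iface_opts:
            findings.append(f"routestopped: unknown interface '{r[0]}'")
        lan_hosts += r[1].split(",") if len(r) > 1 else []
    # 3. norfc1918 drops packets whose *source* is an RFC1918 address before the
    #    rules and policy are reached, so a private-addressed LAN client behind
    #    such an interface never gets as far as "ACCEPT net fw tcp 80".
    for iface, opts in iface_opts.items():
        if "norfc1918" not in opts:
            continue
        for host in lan_hosts:
            if ipaddress.ip_network(host, strict=False).is_private:
                findings.append(f"interfaces: {iface} has norfc1918, yet LAN host "
                                f"{host} is an RFC1918 address and will be dropped")
    return findings
```

Call `check(INTERFACES, ROUTESTOPPED, ZONES, POLICY, RULES)` to get the findings for the posted files; an empty list means none of the three checks fired.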
 
Old 09-05-2004, 05:55 PM   #3
N3K0KUN
I hate to bump this again... I still can't find any answers. Here's the output when Shorewall starts:
Code:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
Determining Zones...
   Zones: net
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up Blacklisting...
   Blacklisting enabled on eth0:0.0.0.0/0
Adding Anti-smurf Rules
Enabling RFC1918 Filtering
Enabling Bogon Filtering
Setting up Kernel Route Filtering...
IP Forwarding Disabled!
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT net fw tcp 20" added.
   Rule "ACCEPT net fw tcp 21" added.
   Rule "ACCEPT net fw tcp 143" added.
   Rule "ACCEPT net fw tcp 443" added.
   Rule "ACCEPT net fw tcp 465" added.
   Rule "ACCEPT net fw tcp 993" added.
   Rule "ACCEPT net fw tcp 995" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy ACCEPT for net to fw using chain net2all
Masqueraded Networks and Hosts:
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
 
Old 09-06-2004, 02:48 PM   #4
camelrider
Have you no zone for FW?
All times are GMT -5.