LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 05-22-2011, 10:35 PM   #1
RyanRahl
LQ Newbie
 
Registered: May 2011
Location: The Pacific Northwest
Distribution: Debian/Ubuntu
Posts: 5

Rep: Reputation: Disabled
Shorewall rejecting allowed traffic for transmission-daemon


I have the Shorewall firewall running on Ubuntu 10.10 server and the issue I am having is the firewall is blocking traffic from my transmission-daemon even though I have allowed it in the /etc/shorewall/rules.

the rules file has the following lines
Code:
ACCEPT		$FW		net	tcp	60000:60035	
ACCEPT		net		$FW	tcp	60000:60035
ACCEPT		$FW		net	udp	51413	
ACCEPT		net		$FW	udp	51413
That match the rules in /etc/transmission-daemon/settings.json

Code:
"peer-port": 51413,
"peer-port-random-high": 60035,
"peer-port-random-low": 60000,
yet my syslog gives me this:

Code:
May 22 18:15:46 sleppery kernel: [ 4374.583353] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:30:48:71:1d:1f:00:22:2d:c9:d4:fb:08:00 SRC=129.241.75.171 DST=74.94.*.* LEN=60 TOS=0x00 PREC=0x20 TTL=48 ID=57853 DF PROTO=TCP SPT=58320 DPT=51413 WINDOW=11680 RES=0x00 SYN URGP=0 
May 22 18:15:47 sleppery kernel: [ 4375.596589] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=94.236.155.247 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=17176 LEN=75 
May 22 18:15:47 sleppery kernel: [ 4375.596704] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=68.14.72.15 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=47712 LEN=75 
May 22 18:15:47 sleppery kernel: [ 4375.596778] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=149.7.96.246 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=1063 LEN=75 
May 22 18:15:47 sleppery kernel: [ 4375.646765] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:30:48:71:1d:1f:00:22:2d:c9:d4:fb:08:00 SRC=188.40.51.2 DST=74.94.*.* LEN=60 TOS=0x00 PREC=0x20 TTL=47 ID=19185 DF PROTO=TCP SPT=43218 DPT=51413 WINDOW=5840 RES=0x00 SYN URGP=0
as you can see, Shorewall is rejecting packets with source and destination port 51413 on incoming net2fw and outgoing fw2net even though the rules are set to accept. any ideas or suggestions?
 
Old 05-23-2011, 12:49 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
DISCLAIMER: I'm not familiar with Shorewall.

Quote:
Originally Posted by RyanRahl View Post
as you can see, Shorewall is rejecting packets with source and destination port 51413 on incoming net2fw
It makes sense, because the relevant rules are for UDP while the filtered packets are TCP.

Quote:
and outgoing fw2net even though the rules are set to accept. any ideas or suggestions?
Assuming the rules stand for destination ports (as opposed to source ports), the behavior seems normal as there is no match.

Last edited by win32sux; 05-23-2011 at 12:52 AM.
 
Old 05-23-2011, 01:04 AM   #3
RyanRahl
LQ Newbie
 
Registered: May 2011
Location: The Pacific Northwest
Distribution: Debian/Ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
good observation. i noticed this as well shortly after posting this and added rules for tcp and it is still doing the same thing. You'll notice that the fw2net traffic is actually udp (lines 2,3,4 in my example) while the net2fw traffic is tcp (first and last). here is the tail of my syslog after adding rules for tcp on port 51413

Code:
May 22 21:55:17 sleppery kernel: [17546.003187] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=190.66.161.232 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=25492 LEN=75 
May 22 21:55:17 sleppery kernel: [17546.003262] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=89.74.15.194 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=8974 LEN=75 
May 22 21:55:20 sleppery dhcpd: DHCPREQUEST for 10.1.10.116 from 00:26:37:55:88:5c via eth0
May 22 21:55:20 sleppery dhcpd: DHCPACK on 10.1.10.116 to 00:26:37:55:88:5c via eth0
May 22 21:55:23 sleppery kernel: [17552.380603] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=173.63.94.48 LEN=131 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=65115 LEN=111 
May 22 21:55:28 sleppery kernel: [17557.216594] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=92.235.231.92 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=40287 LEN=114 
May 22 21:55:28 sleppery kernel: [17557.216727] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=61.178.152.187 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=26501 LEN=114 
May 22 21:55:28 sleppery kernel: [17557.216798] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=92.7.165.135 LEN=134 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=27722 LEN=114 
May 22 21:55:34 sleppery kernel: [17562.840606] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=77.127.140.181 LEN=131 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=22926 LEN=111 
May 22 21:55:40 sleppery kernel: [17568.748106] Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=74.94.*.* DST=173.63.94.48 LEN=131 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51413 DPT=65115 LEN=111
these are all outgoing udp, im sure there are incoming tcp but this was just a quick 'cat syslog | tail' for examples sake

these are the new rules. is it ok/proper to have rules on the same port for tcp and udp?

Code:
ACCEPT          $FW             net     tcp     60000:60035     #Transmission Connect
ACCEPT          net             $FW     tcp     60000:60035
ACCEPT          $FW             net     udp     51413           # transmission peer port
ACCEPT          net             $FW     udp     51413
ACCEPT          $FW             net     tcp     51413                       
ACCEPT          net             $FW     tcp     51413
 
Old 05-23-2011, 02:31 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
You're not getting anymore filtered inbound TCP/51413 packets, so you're making progress.

The remaining filtered packets don't match any of your rules, so things are working as expected. Practically speaking, the program is sending packets with destination ports outside the ranges you've written fw2net rules for. Why not try something like this instead:
Code:
ACCEPT          $FW             net
ACCEPT          net             $FW     udp     51413
ACCEPT          net             $FW     tcp     51413
This way the program can send packets with any destination port it requires, while you're only exposing ports 51413/TCP and 51413/UDP to the Internet. If this works fine (check the log), then you can proceed to tighten the outbound restrictions (if desired). Personally, I don't really see much benefit to limiting outbound packets to destination ports in a specific range, unless you're absolutely sure that nothing outside that range will be required. That said, perhaps restricting outbound packets with destination ports within the privileged range (up to 1024) may give you some peace of mind, in the sense that it limits attack propagation if the program is exploited, while not affecting functionality (assuming that you're not going to be using any other programs beside this one, which would be kinda weird for a desktop computer).

Last edited by win32sux; 05-23-2011 at 02:35 AM.
 
1 members found this post helpful.
Old 05-23-2011, 12:00 PM   #5
RyanRahl
LQ Newbie
 
Registered: May 2011
Location: The Pacific Northwest
Distribution: Debian/Ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
You make very good points. I followed your suggestion about the outbound destination ports and it cleaned up my log file quite nicely. With these adjustments I'm keeping the traffic I want. I do worry that if my system was to become compromised the firewall would not block undesirable or malicious outgoing data, like becoming a bot in a botnet for DDOS attacks for example. Just to paint a better picture this isn't a desktop. It's a firewall/general server for my home and i use the transmission-daemon to start torrent downloads when I'm away from home. Should I change my logging sensitivity and write a script to look for "suspicious traffic" in said log? Is there a better way to do it?
 
Old 05-23-2011, 02:06 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Well, if you restrict the privileged ports (all those below 1025), then at least you'll know the box won't be successfully used as part of a DDoS against typical services (HTTP, SMTP, DNS, FTP, etc.). That is, unless the box is rooted, of course (in which case the host-based firewall doesn't do much good, if any). You could have a log file monitor program be on the lookout for any filtered traffic to such ports, and let it alert you if it spots anything. Actually, since you're looking for something so specific, perhaps just a simple shell script running as a cron job would suffice.

Last edited by win32sux; 05-23-2011 at 02:07 PM.
 
Old 05-23-2011, 02:27 PM   #7
RyanRahl
LQ Newbie
 
Registered: May 2011
Location: The Pacific Northwest
Distribution: Debian/Ubuntu
Posts: 5

Original Poster
Rep: Reputation: Disabled
I think your right about the privileged ports, I can't picture someone using a compromised system to send on anything other than typical services like spamming off SMTP/25 or just flooding a remote host with tons of http get requests or something. I've started on the script that i'll run in either hourly or daily cron that will send me an email for 'suspicious' activity. I'm just a little hung up because i'm not great with regex and i need to be very specific, but I did find an awesome tutorial here: http://www.regular-expressions.info/tutorial.html

scripts running as cron jobs is probably one of the most useful tools in existence, i couldn't imagine living without it.

Thanks for all your help.
 
Old 05-23-2011, 03:05 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
I'd just have any filtered packets with that destination port range use their own LOG prefix. Checking for it in the log wouldn't require any regular expressions at all. For example, with iptables it could be done like:
Code:
iptables -A OUTPUT -p TCP -o eth0 --dport ! 1024:65535 -m state --state NEW -j LOG --log-prefix "PRIV_PORT_REJECT: "
iptables -A OUTPUT -p TCP -o eth0 --dport ! 1024:65535 -m state --state NEW -j REJECT

iptables -A OUTPUT -p UDP -o eth0 --dport ! 1024:65535 -m state --state NEW -j LOG --log-prefix "PRIV_PORT_REJECT: "
iptables -A OUTPUT -p UDP -o eth0 --dport ! 1024:65535 -m state --state NEW -j REJECT
...in which case you'd just need to check the log for the string PRIV_PORT_REJECT, and raise an alert if it's found. I'm sure the same thing can be done with Shorewall, given that it's an iptables front end. BTW: The use of the NEW state match is important, otherwise you might end up filtering outbound packets which are part of your clients' connections to your general services.

Last edited by win32sux; 05-23-2011 at 03:16 PM.
 
1 members found this post helpful.
  


Reply

Tags
daemon, firewall, shorewall, syslog, transmission


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Proxying download traffic in Transmission bit torrent client vockleya Linux - Software 2 01-25-2010 10:35 AM
Traffic Shaping (Shorewall) ImpactDNI Linux - Software 1 08-29-2006 10:03 PM
No Shorewall/IPtables: not inbound connections allowed psychobyte Mandriva 3 05-25-2005 02:29 AM
Maillog: sendmail rejecting connections on daemon IPv4: load average: 22 J_Szucs Linux - Security 2 01-28-2004 08:17 AM
shorewall dropping/rejecting wanted connections (squid/webmin) win32sux Linux - Networking 2 08-01-2003 03:57 PM


All times are GMT -5. The time now is 12:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration