Tuesday, December 05, 2006

Shorewall Firewall

At the moment I have a lot to read: I need to strengthen my knowledge of network security monitoring and firewalls. I'm still testing the netfilter and ipfilter firewalls, so I set aside some time to try Shorewall on Fedora Core 3.

What is Shorewall? Shorewall is a high-level tool for configuring Netfilter. It works with the help of the iptables utility and configures Netfilter to match your requirements. More information: http://www.shorewall.net/index.htm

I downloaded the Shorewall 3.2 rpm package for Red Hat/Fedora. Everything is already there; you just uncomment whatever you want to customize so that it works the way you need. I set it up on IP 10.1.2.32 and allowed SSH connections only from one specific PC, by adding a single rule to /etc/shorewall/rules:

#ACTION  SOURCE         DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE
#                                    PORT   PORT(S)  DEST      LIMIT
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT   net:10.1.2.29  $FW   tcp    22

I log dropped packets to /var/log/messages, then try to SSH from 10.1.2.21 and watch the log (tail -f /var/log/messages):

Dec 5 01:21:28 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4919 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

As the lines above show, it dropped the packets of the SSH connection from 10.1.2.21 to 10.1.2.32. Then I tried to ping 10.1.2.32. The log shows that it also dropped the ICMP packets, because I configured it to drop them:

Dec 5 02:07:14 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=56851 SEQ=0
Dec 5 02:07:15 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=56851 SEQ=1

After that I ran curl --head 10.1.2.32 from 10.1.2.21 to test an HTTP connection, and it dropped those packets too:

Dec 5 02:12:31 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=943 DF PROTO=TCP SPT=36311 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 02:12:34 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=945 DF PROTO=TCP SPT=36311 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
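
The three log excerpts above all carry the same prefix, Shorewall:net2all:DROP:, which is Shorewall's log prefix format: net2all is the generated chain that applies the policy for traffic from the net zone to all zones (the name is built from the policy, so it never appears literally in /etc/shorewall), and DROP is the disposition. Everything after the prefix is the standard netfilter LOG field list. The following parser is an added example for this post, not Shorewall's code: it reads lines in that format, keeps only dropped packets that open a connection (TCP SYN, ICMP echo request, UDP), and counts them per source, destination and target port. The sample log is constructed from the entries shown above, with the field name written as SRC= as the kernel emits it; the lowercase src= above is a transcription artifact, and the parser accepts both.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages, modelled on the lines shown in the post.
# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:"; the rest is the
# standard netfilter LOG field list. The sshd line shows that non-firewall
# lines are skipped.
SAMPLE_LOG = """\
Dec 5 01:21:28 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4919 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 02:07:14 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=56851 SEQ=0
Dec 5 02:12:31 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=943 DF PROTO=TCP SPT=36311 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 02:01:20 monitoring12 sshd(pam_unix)[7816]: session opened for user john by (uid=0)
"""

PREFIX = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
KEYVAL = re.compile(r"([A-Za-z]+)=(\S*)")


def parse_line(line):
    """Return a dict of netfilter fields for a Shorewall log line, else None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for token in m.group("rest").split():
        kv = KEYVAL.fullmatch(token)
        if kv is None:
            fields["flags"].append(token)        # bare tokens: DF, SYN, ACK, ...
        else:
            # ICMP lines carry ID= twice (IP header id, then the echo identifier);
            # keep the first so "ID" always means the IP header field.
            fields.setdefault(kv.group(1).upper(), kv.group(2))
    return fields


def is_new_attempt(f):
    """True for packets that open a connection: a TCP SYN without ACK, an ICMP
    echo request, or any UDP datagram. Retransmitted SYNs count as new attempts."""
    proto = f.get("PROTO")
    if proto == "TCP":
        return "SYN" in f["flags"] and "ACK" not in f["flags"]
    if proto == "ICMP":
        return f.get("TYPE") == "8"
    return proto == "UDP"


def summarize_drops(text):
    """Count dropped connection attempts per (chain, src, dst, proto, target),
    where target is the destination port, or 'type<N>' for ICMP."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or f["disposition"] != "DROP" or not is_new_attempt(f):
            continue
        proto = f.get("PROTO", "?")
        target = "type" + f.get("TYPE", "?") if proto == "ICMP" else f.get("DPT", "?")
        counts[(f["chain"], f.get("SRC"), f.get("DST"), proto, target)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG).items()):
        chain, src, dst, proto, target = key
        print(f"{chain}: {src} -> {dst} {proto}/{target}: {n} dropped attempt(s)")
```

Run against the sample it reports two dropped SSH attempts, one dropped ping and one dropped HTTP attempt, all from 10.1.2.21 via the net2all policy chain. Counting only connection-opening packets keeps retransmissions of an established flow from inflating the numbers, which is what you want when the same summary is run over a day of real messages.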

I edited /etc/shorewall/rules and replaced the rule above with this one, to allow SSH connections from 10.1.2.21:

ACCEPT net:10.1.2.21 $FW tcp 22
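
The two versions of the rules file in this post (first allowing 10.1.2.29, then 10.1.2.21) differ in one column, and the drop entries in the log come from the net-to-all policy, not from any rule. To make the first-match-then-policy behaviour explicit, here is an added example that is not part of this post and not Shorewall's own code: a small matcher that parses the ACTION SOURCE DEST PROTO DEST-PORT columns of a rules file and reports what a new packet from the net zone to the firewall ($FW) would get. It models only the NEW section and the net-to-$FW zone pair, and it assumes the net-to-all policy is DROP, which is what the net2all:DROP log entries above show; the copies of the rules file are constructed from the ones in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two /etc/shorewall/rules versions from this post.
# Only the NEW section matters here, and the columns are ACTION SOURCE DEST
# PROTO DEST-PORT, as in the file header.
RULES_BEFORE = """\
#ACTION  SOURCE         DEST  PROTO  DEST
#                                    PORT
SECTION NEW
ACCEPT   net:10.1.2.29  $FW   tcp    22
"""
RULES_AFTER = RULES_BEFORE.replace("net:10.1.2.29", "net:10.1.2.21")

# Assumed zone-pair policy for net -> all; the post's net2all:DROP log entries
# show that the policy in effect was DROP.
POLICY_NET_TO_ALL = "DROP"


@dataclass
class Rule:
    action: str
    src_zone: str
    src_net: Optional[ipaddress.IPv4Network]   # None means the whole zone
    dest: str
    proto: Optional[str]                       # None means any protocol
    dport: Optional[int]                       # None means any port


def parse_rules(text):
    """Parse the ACTION SOURCE DEST PROTO DEST-PORT columns of a rules file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        action, source, dest = cols[0].upper(), cols[1], cols[2]
        proto = cols[3].lower() if len(cols) > 3 and cols[3] != "-" else None
        dport = int(cols[4]) if len(cols) > 4 and cols[4] != "-" else None
        zone, _, host = source.partition(":")   # "net:10.1.2.29" -> zone net, host 10.1.2.29
        src_net = ipaddress.ip_network(host, strict=False) if host else None
        rules.append(Rule(action, zone, src_net, dest, proto, dport))
    return rules


def evaluate(rules, policy, src_ip, proto, dport=None):
    """Disposition of a NEW packet from the net zone to the firewall itself.
    The first matching rule wins; if nothing matches, the zone-pair policy applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src_zone != "net" or r.dest != "$FW":
            continue
        if r.src_net is not None and ip not in r.src_net:
            continue
        if r.proto is not None and r.proto != proto.lower():
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return policy


if __name__ == "__main__":
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        rules = parse_rules(text)
        for proto, port in (("tcp", 22), ("tcp", 80), ("icmp", None)):
            verdict = evaluate(rules, POLICY_NET_TO_ALL, "10.1.2.21", proto, port)
            print(f"{label}: 10.1.2.21 -> $FW {proto}/{port}: {verdict}")
```

With the first file, 10.1.2.21 gets DROP for SSH, HTTP and ping alike because no rule matches and the policy decides; with the second file only SSH from 10.1.2.21 becomes ACCEPT, while HTTP and ping still fall through to the policy. That is exactly the sequence of log entries recorded in this post.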

Then I ran /etc/init.d/shorewall restart to restart Shorewall with the new rule:

Dec 5 01:56:54 monitoring12 shorewall: Compiling...
Dec 5 01:56:54 monitoring12 shorewall: Initializing...
Dec 5 01:56:54 monitoring12 shorewall: Determining Zones...
Dec 5 01:56:54 monitoring12 shorewall: IPv4 Zones: net
Dec 5 01:56:54 monitoring12 shorewall: Firewall Zone: fw
Dec 5 01:56:54 monitoring12 shorewall: Validating interfaces file...
Dec 5 01:56:54 monitoring12 shorewall: Validating hosts file...
Dec 5 01:56:54 monitoring12 shorewall: Validating Policy file...
Dec 5 01:56:54 monitoring12 shorewall: Determining Hosts in Zones...
Dec 5 01:56:54 monitoring12 shorewall: net Zone: eth0:0.0.0.0/0
Dec 5 01:56:55 monitoring12 shorewall: Pre-processing Actions...
Dec 5 01:56:55 monitoring12 shorewall: Pre-processing /usr/share/shorewall/action.Drop...
Dec 5 01:56:55 monitoring12 shorewall: Pre-processing /usr/share/shorewall/action.Reject...
Dec 5 01:56:55 monitoring12 shorewall: Pre-processing /usr/share/shorewall/action.Limit...
Dec 5 01:56:55 monitoring12 shorewall: Deleting user chains...
Dec 5 01:56:55 monitoring12 shorewall: Compiling /etc/shorewall/routestopped ...
Dec 5 01:56:55 monitoring12 shorewall: Compiling Accounting...
Dec 5 01:56:55 monitoring12 shorewall: Creating Interface Chains...
Dec 5 01:56:55 monitoring12 shorewall: Compiling Proxy ARP
Dec 5 01:56:55 monitoring12 shorewall: Compiling NAT...
Dec 5 01:56:55 monitoring12 shorewall: Compiling NETMAP...
Dec 5 01:56:55 monitoring12 shorewall: Compiling Common Rules
Dec 5 01:56:55 monitoring12 shorewall: Compiling IP Forwarding...
Dec 5 01:56:55 monitoring12 shorewall: Compiling IPSEC...
Dec 5 01:56:55 monitoring12 shorewall: Compiling /etc/shorewall/rules...
Dec 5 01:56:55 monitoring12 shorewall: Compiling /etc/shorewall/tunnels...
Dec 5 01:56:55 monitoring12 shorewall: Compiling Actions...
Dec 5 01:56:55 monitoring12 shorewall: Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Dec 5 01:56:55 monitoring12 shorewall: Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Dec 5 01:56:56 monitoring12 shorewall: Compiling /etc/shorewall/policy...
Dec 5 01:56:56 monitoring12 shorewall: Compiling Masquerading/SNAT
Dec 5 01:56:56 monitoring12 shorewall: Compiling /etc/shorewall/tos...
Dec 5 01:56:56 monitoring12 shorewall: Compiling /etc/shorewall/ecn...
Dec 5 01:56:56 monitoring12 shorewall: Compiling Traffic Control Rules...
Dec 5 01:56:56 monitoring12 shorewall: Validating /etc/shorewall/tcdevices...
Dec 5 01:56:56 monitoring12 shorewall: Validating /etc/shorewall/tcclasses...
Dec 5 01:56:56 monitoring12 shorewall: Compiling Rule Activation...
Dec 5 01:56:56 monitoring12 shorewall: Compiling Refresh of Black List...
Dec 5 01:56:56 monitoring12 shorewall: Compiling Refresh of /etc/shorewall/ecn...
Dec 5 01:56:56 monitoring12 shorewall: Validating /etc/shorewall/tcdevices...
Dec 5 01:56:56 monitoring12 shorewall: Validating /etc/shorewall/tcclasses...
Dec 5 01:56:56 monitoring12 shorewall: Shorewall configuration compiled to /var/lib/shorewall/.restart
Dec 5 01:56:56 monitoring12 shorewall: Processing /etc/shorewall/params ...
Dec 5 01:56:56 monitoring12 shorewall: Restarting Shorewall....
Dec 5 01:56:57 monitoring12 shorewall: Initializing...
Dec 5 01:56:57 monitoring12 shorewall: Processing /etc/shorewall/init ...
Dec 5 01:56:57 monitoring12 shorewall: Clearing Traffic Control/QOS
Dec 5 01:56:57 monitoring12 shorewall: Deleting user chains...
Dec 5 01:56:57 monitoring12 shorewall: Processing /etc/shorewall/continue ...
Dec 5 01:56:57 monitoring12 shorewall: WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
Dec 5 01:56:57 monitoring12 shorewall: Enabling Loopback and DNS Lookups
Dec 5 01:56:57 monitoring12 shorewall: Setting up Accounting...
Dec 5 01:56:57 monitoring12 shorewall: Creating Interface Chains...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Proxy ARP...
Dec 5 01:56:57 monitoring12 shorewall: Setting up one-to-one NAT...
Dec 5 01:56:57 monitoring12 shorewall: Setting up SMURF control...
Dec 5 01:56:57 monitoring12 shorewall: Processing /etc/shorewall/initdone ...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Black List...
Dec 5 01:56:57 monitoring12 shorewall: Setting up ARP filtering...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Accept Source Routing...
Dec 5 01:56:57 monitoring12 shorewall: IP Forwarding Enabled
Dec 5 01:56:57 monitoring12 shorewall: Setting up SYN Flood Protection...
Dec 5 01:56:57 monitoring12 shorewall: Setting up IPSEC management...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Rules...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Tunnels...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Actions...
Dec 5 01:56:57 monitoring12 shorewall: Creating action chain Drop
Dec 5 01:56:57 monitoring12 shorewall: Creating action chain Reject
Dec 5 01:56:57 monitoring12 izhar: Shorewall restarted
Dec 5 01:56:57 monitoring12 shorewall: Creating action chain dropBcast
Dec 5 01:56:57 monitoring12 shorewall: Creating action chain dropInvalid
Dec 5 01:56:57 monitoring12 shorewall: Creating action chain dropNotSyn
Dec 5 01:56:57 monitoring12 shorewall: Applying Policies...
Dec 5 01:56:57 monitoring12 shorewall: Setting up Masquerading/SNAT...
Dec 5 01:56:57 monitoring12 shorewall: Setting up TOS...
Dec 5 01:56:57 monitoring12 shorewall: Setting up ECN...
Dec 5 01:56:57 monitoring12 shorewall: Setting up TC Rules...
Dec 5 01:56:57 monitoring12 shorewall: Activating Rules...
Dec 5 01:56:57 monitoring12 shorewall: Processing /etc/shorewall/start ...
Dec 5 01:56:57 monitoring12 shorewall: Processing /etc/shorewall/started ...
Dec 5 01:56:57 monitoring12 shorewall: done.
Dec 5 01:56:57 monitoring12 shorewall: shorewall startup succeeded

Then I SSH to 10.1.2.32 from 10.1.2.21 and ... it works!:

Dec 5 02:01:01 monitoring12 crond(pam_unix)[7812]: session opened for user root by (uid=0)
Dec 5 02:01:01 monitoring12 crond(pam_unix)[7812]: session closed for user root
Dec 5 02:01:20 monitoring12 sshd(pam_unix)[7816]: session opened for user john by (uid=0)
Dec 5 02:02:03 monitoring12 sshd(pam_unix)[7816]: session closed for user john

Conclusion: My firewall works!!!! Enjoy this firewall for newbies!!

11 comments:

RPG said...

I would love to know about the names that crop up in the logs. In particular "net2all," what the heck does that string correspond to? Even a find over all of /etc doesn't give me anything about net2all, so that string isn't used in any of the shorewall configuration info. Desperately googling for "net2all shorewall" doesn't help either.

I'd also love to have some help in figuring out how to configure shorewall to work smoothly with broadcasting. For example, on my linux system, CUPS broadcasts to find printers, a slimserver broadcasts to find players, and some of Mandriva's configuration tools broadcast to find services. All of these broadcasts seem to be gonked by Shorewall's net2all; they all give net2all drops. Are these drops done outgoing (so that they aren't seen at the endpoints you want), are the responses being dropped, or is it just the packets that are coming back from the source to itself that are dropped? I have tried repeatedly to figure this out with no luck.
