Hi,

My firewall script doesn't have a problem with its rules; it is just missing something important, because when firehol tries it, it doesn't give any significant errors. When I turn on my previous firewall, it works fine. The place I am working in is a remote place where I am just setting up a network. I have a small-sized network here and my connection is Rogers cable. I seem to have problems just accepting anything. I believe it to be the cause of some faulty strategy I had when making these rules up, or maybe I need something extra that I haven't yet added. I am going to display the iptables-save output in the hopes that someone might understand the problem quicker than me.
Best Regards
kc

# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Sun Jul 3 18:18:43 2005
# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*mangle
:PREROUTING DROP [939:56233]
:INPUT ACCEPT [37647:1995360]
:FORWARD ACCEPT [120683:61189142]
:OUTPUT DROP [128:10168]
:POSTROUTING ACCEPT [157981:67483601]
COMMIT
# Completed on Sun Jul 3 18:18:43 2005
# Generated by iptables-save v1.2.11 on Sun Jul 3 18:18:43 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EXT-icmp-in - [0:0]
:EXT-icmp-out - [0:0]
:EXT-input - [0:0]
:EXT-log-in - [0:0]
:EXT-log-out - [0:0]
:EXT-output - [0:0]
:connection-tracking - [0:0]
:destination-address-check - [0:0]
:local-dhcp-client-query - [0:0]
:local-dns-server-query - [0:0]
:local-tcp-client-request - [0:0]
:local-tcp-server-response - [0:0]
:local-udp-client-request - [0:0]
:log-tcp-state - [0:0]
:remote-dhcp-server-response - [0:0]
:remote-dns-server-response - [0:0]
:remote-tcp-client-request - [0:0]
:remote-tcp-server-response - [0:0]
:remote-udp-server-response - [0:0]
:source-address-check - [0:0]
:tcp-state-flags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j tcp-state-flags
-A INPUT -j connection-tracking
-A INPUT -i eth1 -p udp -m udp --sport 67 --dport 68 -j remote-dhcp-server-response
-A INPUT -p ! tcp -j source-address-check
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j source-address-check
-A INPUT -j destination-address-check
-A INPUT -d 192.168.3.1 -i eth1 -j EXT-input
-A INPUT -d 224.0.0.0/240.0.0.0 -i eth1 -p udp -j DROP
-A INPUT -j EXT-log-in
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -j tcp-state-flags
-A OUTPUT -j connection-tracking
-A OUTPUT -o eth1 -p udp -m udp --sport 68 --dport 67 -j local-dhcp-client-query
-A OUTPUT -j destination-address-check
-A OUTPUT -s 192.168.3.1 -d 224.0.0.0/240.0.0.0 -o eth1 -p udp -j DROP
-A OUTPUT -s 192.168.3.1 -o eth1 -j EXT-output
-A OUTPUT -j EXT-log-out
-A EXT-icmp-in -f -j LOG --log-prefix "Fragmented incoming ICMP: "
-A EXT-icmp-in -f -j DROP
-A EXT-icmp-in -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A EXT-icmp-in -s 24.156.100.1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A EXT-icmp-in -s 24.156.100.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A EXT-icmp-in -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A EXT-icmp-out -f -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A EXT-icmp-out -f -j DROP
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A EXT-icmp-out -d 24.156.100.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A EXT-icmp-out -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A EXT-input -p udp -m udp --sport 53 --dport 53 -j remote-dns-server-response
-A EXT-input -p udp -m udp --dport 1024:65535 -j remote-udp-server-response
-A EXT-input -p icmp -j EXT-icmp-in
-A EXT-log-in -p icmp -m icmp ! --icmp-type 8 -m limit --limit 3/hour -j LOG
-A EXT-log-in -p tcp -m tcp --dport 0:650 -j LOG
-A EXT-log-in -p udp -m udp --dport 0:110 -j LOG
-A EXT-log-out -j LOG
-A EXT-output -p udp -m udp --sport 53 --dport 53 -j local-dns-server-query
-A EXT-output -p tcp -m tcp --sport 1024:65535 --dport 53 -j local-dns-server-query
-A EXT-output -p tcp -m tcp --sport 53 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j remote-dns-server-response
-A EXT-output -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j local-tcp-server-response
-A EXT-output -p udp -m udp --sport 1024:65535 -j local-udp-client-request
-A EXT-output -p icmp -j EXT-icmp-out
-A connection-tracking -m state --state RELATED,ESTABLISHED -j ACCEPT
-A connection-tracking -m state --state INVALID -j LOG --log-prefix "INVALID packet:"
-A connection-tracking -m state --state INVALID -j DROP
-A destination-address-check -d 255.255.255.255 -j DROP
-A destination-address-check -d 192.168.3.0 -j DROP
-A destination-address-check -d 192.168.3.255 -j DROP
-A destination-address-check -d 224.0.0.0/240.0.0.0 -p ! udp -j DROP
-A destination-address-check -p tcp -m tcp --dport 6000:6063 --tcp-flags SYN,RST,ACK SYN -j DROP
-A local-dhcp-client-query -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
-A local-dhcp-client-query -s 0.0.0.0 -d 24.153.100.1 -j ACCEPT
-A local-dhcp-client-query -s 192.168.3.1 -d 24.153.100.1 -j ACCEPT
-A local-dns-server-query -d 24.153.22.195 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 24.153.23.66 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 130.63.168.21 -m state --state NEW -j ACCEPT
-A local-dns-server-query -d 24.153.22.195 -j ACCEPT
-A local-dns-server-query -d 24.153.23.66 -j ACCEPT
-A local-dns-server-query -d 130.63.168.21 -j ACCEPT
-A local-tcp-client-request -d 24.51.33.11 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A local-tcp-client-request -d 24.51.33.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A local-tcp-client-request -p tcp -m multiport --dports 80,443 -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A local-tcp-client-request -p tcp -m multiport --dports 80,443 -j ACCEPT
-A local-tcp-server-response -d 24.51.33.11 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A log-tcp-state -p tcp -j LOG --log-prefix "Illegal TCP state: " --log-tcp-options --log-ip-options
-A log-tcp-state -j DROP
-A remote-dhcp-server-response -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
-A remote-dhcp-server-response -s 24.153.100.1 -d 255.255.255.255 -j ACCEPT
-A remote-dhcp-server-response -s 24.153.100.1 -j ACCEPT
-A remote-dns-server-response -d 24.153.22.195 -j ACCEPT
-A remote-dns-server-response -d 24.153.23.66 -j ACCEPT
-A remote-dns-server-response -d 130.63.168.21 -j ACCEPT
-A remote-tcp-client-request -s 24.51.33.11 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A remote-tcp-client-request -s 24.51.33.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A remote-tcp-server-response -s 24.51.33.11 -p tcp -m tcp --sport 22 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A remote-tcp-server-response -p tcp -m multiport --sports 80,443 -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A source-address-check -s 10.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 172.16.0.0/255.240.0.0 -j DROP
-A source-address-check -s 192.168.0.0/255.255.0.0 -j DROP
-A source-address-check -s 224.0.0.0/240.0.0.0 -j DROP
-A source-address-check -s 240.0.0.0/248.0.0.0 -j DROP
-A source-address-check -s 127.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 0.0.0.0/255.0.0.0 -j DROP
-A source-address-check -s 169.254.0.0/255.255.0.0 -j DROP
-A source-address-check -s 192.0.2.0/255.255.255.0 -j DROP
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags FIN,ACK FIN -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags PSH,ACK PSH -j log-tcp-state
-A tcp-state-flags -p tcp -m tcp --tcp-flags ACK,URG URG -j log-tcp-state
COMMIT

Paul Gear wrote:
> Daniel Pittman wrote:
>
>>...
>>Shorewall, like many firewall packages, gives you[1] a whole bunch of
>>configuration options, which turn on or off features in the pre-packaged
>>firewall you have.
>>
>>This tends to make it hard to do strange things like playing with DSCP
>>tagging of packets, or deciding to use the 'uid' option to an iptables
>>rule, or whatever. The recent ipt_recent protection against SSH, etc,
>>brute force attacks is a good example of this sort of stuff.
>>
>>It also tends to encourage "shortcuts" in the firewall, like accepting
>>any RELATED/ESTABLISHED packets,
>
> Am I right in understanding that you consider accepting
> RELATED/ESTABLISHED packets a bad thing?
>
>>...
>>Shorewall was *NOT* one of the tools that I evaluated to the level of a
>>generated firewall -- it didn't let me do some of the stuff I was doing
>>already, so I didn't try it.
>
> What were the main things you wanted that shorewall didn't do?
>
>>...
>>Firehol suits me, personally, because it makes it easy to write a really
>>good and secure firewall, because it takes the hard work out of
>>iptables, but it still doesn't get in the way of doing, well, anything I
>>want.
>
> You can integrate arbitrary iptables commands into shorewall also.
>
>>...
>>
>>>I have heard some opinions like "shorewall is bad" so I'm really
>>>thinking of switching to something else. But I don't know why...
>>>no one was able to give me a good reason.
>>
>>...
>>Also, in general I don't recommend changing *anything* just because
>>someone else tells you they don't like it -- and if they can't tell you
>>*why*, it is just that they "don't like it."
>
> Couldn't agree more.
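An added example, not code from the post or from firehol: it parses the iptables-save format shown above and flags DROP default policies that discard every packet no rule accepts. The dump above has such policies on the nat and mangle built-in chains, and the counters show they have already been hit (939 packets in mangle PREROUTING, 128 in mangle OUTPUT); the embedded sample is the post's own table headers with the rules abbreviated.

```python
# Added example, not code from the original post: parse an iptables-save
# dump and flag DROP default policies that silently discard traffic.
# SAMPLE is the post's own table/chain header lines, rules abbreviated.
import re

SAMPLE = """\
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [939:56233]
:INPUT ACCEPT [37647:1995360]
:OUTPUT DROP [128:10168]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[(\d+):(\d+)\]$")

def parse_iptables_save(text):
    # Returns {table: {chain: {"policy": str, "pkts": int, "rules": [str]}}}
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):             # "*nat" opens a table block
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):           # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, pkts, _ = CHAIN_RE.match(line).groups()
            tables[table][chain] = {"policy": policy, "pkts": int(pkts), "rules": []}
        elif line.startswith("-A "):         # "-A CHAIN ..." appends a rule
            tables[table][line.split()[1]]["rules"].append(line)
    return tables                            # "#" comments and COMMIT are skipped

def audit_policies(tables):
    # Returns (table, chain, reason) for each DROP policy likely to block traffic
    findings = []
    for tname, chains in tables.items():
        for cname, c in chains.items():
            if c["policy"] != "DROP":
                continue
            if tname in ("nat", "mangle"):
                # mangle/nat chains run before filter: a DROP policy on an empty chain there drops packets INPUT/OUTPUT never see
                findings.append((tname, cname, f"DROP policy in {tname} table, {c['pkts']} packets hit it"))
            elif not c["rules"]:
                findings.append((tname, cname, "DROP policy with no rules"))
    return findings
```

Running `audit_policies(parse_iptables_save(open("/tmp/rules").read()))` on a real dump lists each offending chain with the packet count its policy has already discarded.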

