ACCEPT  net   fw    udp  53,22,20,21                                        -
ACCEPT  net   fw    tcp  53,22,20,21                                        -
ACCEPT  masq  fw    udp  53,22,20,21,631                                    -
ACCEPT  masq  fw    tcp  53,22,20,21,631                                    -
ACCEPT  loc   fw    udp  53,22,20,21,631                                    -
ACCEPT  loc   fw    tcp  53,22,20,21,631                                    -
ACCEPT  masq  fw    tcp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT  masq  fw    udp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT  fw    masq  tcp  631,137,138,139                                    -
ACCEPT  fw    masq  udp  631,137,138,139                                    -
REJECT  net   fw    tcp  631,137,138,139,389,636                            -
REJECT  net   fw    udp  631,137,138,139,389,636                            -
REJECT  net   masq  tcp  631,137,138,139,389,636                            -
REJECT  net   masq  udp  631,137,138,139,389,636                            -
REJECT  net   loc   tcp  631,137,138,139,389,636                            -
REJECT  net   loc   udp  631,137,138,139,389,636                            -
So what I want to know is why netstat says the following:
[root@enigma shorewall]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32776         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32779           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.253:53        0.0.0.0:*               LISTEN
tcp        0      0 208.152.4.207:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 0.0.0.0:32770           0.0.0.0:*
udp        0      0 0.0.0.0:32772           0.0.0.0:*
udp        0      0 0.0.0.0:32773           0.0.0.0:*
udp        0      0 192.168.1.253:137       0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.253:138       0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:10001           0.0.0.0:*
udp        0      0 192.168.1.253:53        0.0.0.0:*
udp        0      0 208.152.4.207:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:7741            0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp     2176      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 192.168.1.253:123       0.0.0.0:*
udp        0      0 208.152.4.207:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
[root@enigma shorewall]#

See what I mean? 636 seems to be open to everyone, and many other settings are not in alignment with the shorewall settings. That is unless I am mistaken about what 0.0.0.0:* means. My understanding of it is that it represents any address with any port. How can I get rid of all this extra garbage?
I see that /etc/shorewall/zone contains:

#ZONE   DISPLAY      COMMENTS
net     Net          Internet zone
masq    Masquerade   Masquerade Local
loc     Local        Local
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

My understanding of this is that net is the internet (a.k.a. eth0), masq represents the masqueraded internal local network, and loc is the local network. However, in the rules file, where did fw come from and what does it represent? What exactly does it mean when you add a rule like:
REJECT net loc tcp [list of ports] -
I mean, I know what tcp/udp is, but for example, does this line state that connections from the net on these ports are to be sent to the local network, and is this inclusive or exclusive of the gateway/firewall machine? What are the implications of sending something to masq?
What I want specifically is as follows:
named on both interfaces, ftp on both interfaces, ssh on both interfaces incoming and outgoing (currently only outgoing seems to work), masq (Internet Connection Sharing) where required. No netbios, ldap or print services exposed to the internet, but explicitly allowed on the local net.
Anyway,
Thanks for having a look.
Jim C.
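An added example, not code from the post or from Shorewall: a small Python script that parses the netstat listing and the rules file quoted above and cross-checks them for one zone pair. It relies on these facts about the tools involved: a Local Address of 0.0.0.0 in netstat means the socket is bound to every address the host has (the `0.0.0.0:*` in the Foreign Address column of a listening socket only says no peer is connected yet), so netstat shows what is listening, not what the firewall lets through; in Shorewall's rules file the columns are ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S), with the trailing `-` an empty SOURCE PORT(S) column; `fw` is the firewall machine itself (Shorewall's $FW zone); and rules are matched in file order, first match wins. Ports that no net->fw rule mentions fall through to the policy file, which the post does not quote, so the script reports those as POLICY rather than guessing. The netstat excerpt is a constructed subset of the listing in the post (pasting the whole listing in works the same), and the service-name table carries /etc/services values so the script runs offline.

```python
"""Cross-check `netstat -lntu` listeners against Shorewall rules for one zone pair.

Added example (not from the post or from Shorewall). LOOPBACK = bound to
127.0.0.1, unreachable from any zone; ACCEPT/REJECT = action of the first
matching rule; POLICY = no rule mentions it, the policy file (not quoted) decides.
"""
from dataclasses import dataclass

# Service names used in the rules file, with their /etc/services port numbers,
# so the script does not depend on the local services database.
SERVICES = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
            "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123}

# Constructed excerpt of the `netstat -lntu` listing quoted in the post.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.253:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:2049            0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp     2176      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# The rules file quoted in the post: ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S).
RULES_FILE = """\
ACCEPT net  fw   udp 53,22,20,21 -
ACCEPT net  fw   tcp 53,22,20,21 -
ACCEPT masq fw   udp 53,22,20,21,631 -
ACCEPT masq fw   tcp 53,22,20,21,631 -
ACCEPT loc  fw   udp 53,22,20,21,631 -
ACCEPT loc  fw   tcp 53,22,20,21,631 -
ACCEPT masq fw   tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw   udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw   masq tcp 631,137,138,139 -
ACCEPT fw   masq udp 631,137,138,139 -
REJECT net  fw   tcp 631,137,138,139,389,636 -
REJECT net  fw   udp 631,137,138,139,389,636 -
REJECT net  masq tcp 631,137,138,139,389,636 -
REJECT net  masq udp 631,137,138,139,389,636 -
REJECT net  loc  tcp 631,137,138,139,389,636 -
REJECT net  loc  udp 631,137,138,139,389,636 -
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    ports: frozenset


def parse_netstat(text):
    """Return Listener records for tcp/udp lines; header and prompt lines are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("tcp", "udp"):
            addr, port = f[3].rsplit(":", 1)   # Local Address column, e.g. 0.0.0.0:636
            out.append(Listener(f[0], addr, int(port)))
    return out


def parse_rules(text):
    """Return Rule records in file order (order matters: first match wins)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        action, source, dest, proto, ports = f[:5]
        out.append(Rule(action, source, dest, proto,
                        frozenset(SERVICES[p] if p in SERVICES else int(p)
                                  for p in ports.split(","))))
    return out


def classify(listener, rules, source, dest):
    """Verdict for one socket as seen from zone SOURCE towards zone DEST."""
    if listener.addr.startswith("127."):
        return "LOOPBACK"
    for r in rules:
        if (r.source, r.dest, r.proto) == (source, dest, listener.proto) \
                and listener.port in r.ports:
            return r.action
    return "POLICY"


def report(netstat_text, rules_text, source="net", dest="fw"):
    """Map (proto, addr, port) -> verdict for every listening socket."""
    rules = parse_rules(rules_text)
    return {(ls.proto, ls.addr, ls.port): classify(ls, rules, source, dest)
            for ls in parse_netstat(netstat_text)}


def uncovered(netstat_text, rules_text, source="net", dest="fw"):
    """Sorted unique (proto, port) pairs that no rule for the zone pair mentions."""
    verdicts = report(netstat_text, rules_text, source, dest)
    return sorted({(p, port) for (p, _, port), v in verdicts.items() if v == "POLICY"})


if __name__ == "__main__":
    for (proto, addr, port), verdict in sorted(report(NETSTAT_OUTPUT, RULES_FILE).items()):
        print(f"{proto} {addr}:{port:<6} net->fw {verdict}")
    print("no explicit net->fw rule:", uncovered(NETSTAT_OUTPUT, RULES_FILE))
```

Running it shows the distinction the post is asking about: tcp 636 is listed by netstat because slapd is bound to 0.0.0.0, yet net->fw traffic to it hits the REJECT rule, while ports such as tcp 6000 or udp 2049 have no net->fw rule at all and are decided by the policy file. Calling `report(..., "loc", "fw")` instead shows that no rule allows tcp 636 from the local network either, which is worth knowing against the stated goal of allowing ldap on the local net.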
