Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Tom Eastep

On 01/18/2017 10:17 AM, Nigel Aves wrote:
> 
> Just tested your fix. Everything seems to be working perfectly from
> the outside and the inside.
> 

Glad to hear that it is working, Nigel. Beginning with Shorewall
5.1.1, you will be able to specify BLACKLIST as a POLICY in your
policy file and you will end up with a similar ruleset.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Nigel Aves

Tom,

Just tested your fix. Everything seems to be working perfectly from the 
outside and the inside.


Many Thanks,

Nigel.

On 1/18/2017 10:12 AM, Tom Eastep wrote:


On 01/18/2017 07:01 AM, Nigel Aves wrote:

I've become a little stuck on setting up ipset correctly.  I
followed the instructions from an email as follows:


DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src) net $FW

and after some testing  everything seemed to be working all OK.
Using Shorewall  5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my
Rules file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network
machine web sites, like Facebook, just stopped working.

I've tried to find a simple (I'm no IT specialist, just home
hobbyist) explanation as to what I have done wrong or missed,  and
seemed to have hit a brick wall.

If someone could point me in the right direction I would be very
grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT loc fw
#
#
DHCPfwd/ACCEPT $FW loc
#
# Accept for web-server
ACCEPT net $FW tcp 80
# no ssl
#  ACCEPT net $FW tcp 443
#
#
# Turn FTP off when not transferring files from VideoKing
#
#  FTP/ACCEPT net fw - 21
#  ACCEPT net $FW tcp 6000:6100
#
## use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT net $FW tcp1
#
#
SMTP/ACCEPT net $FW - 25
#
DNS(ACCEPT) $FW net
# Accept DNS connections from the firewall to the network
#
SSH(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
Ping(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
#
## Internal accepts
#
# Cable TV forward
DNAT net loc:192.168.1.180 udp 27177
DNAT net loc:192.168.1.180 udp 27178
DNAT net loc:192.168.1.180 tcp 27177
DNAT net loc:192.168.1.180 tcp 27178
#
ACCEPT loc $FW tcp
ACCEPT loc $FW udp
#
DNS(ACCEPT) loc $FW
SMB(ACCEPT) loc $FW
SMB(ACCEPT) $FW loc
#
DNS(ACCEPT) phone $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
ACCEPT $FW phone icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src) net $FW


I suspect that you are blacklisting the upstream DNS name servers.

Try this:

#
# Filter out noise
#
Drop net $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info   net $FW

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who

Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com



Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Tom Eastep

On 01/18/2017 07:01 AM, Nigel Aves wrote:
> I've become a little stuck on setting up ipset correctly.  I
> followed the instructions from an email as follows:
> 
> 
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
> 
> and in Rules at end
> 
> ADD(SW_DBL4:src) net $FW
> 
> and after some testing  everything seemed to be working all OK.
> Using Shorewall  5.0.14.1
> 
> I have port 80 (web server) and 25 (Postfix server) open in my
> Rules file. Internal network using 192.168.1.1 on eth1
> 
> But as soon as I tried using the browser on my local network
> machine web sites, like Facebook, just stopped working.
> 
> I've tried to find a simple (I'm no IT specialist, just home
> hobbyist) explanation as to what I have done wrong or missed,  and
> seemed to have hit a brick wall.
> 
> If someone could point me in the right direction I would be very
> grateful.
> 
> Kind Regards, Nigel Aves.
> 
> 
> In case it helps, here is my rules file.
> 
> DHCPfwd/ACCEPT loc fw
> #
> #
> DHCPfwd/ACCEPT $FW loc
> #
> # Accept for web-server
> ACCEPT net $FW tcp 80
> # no ssl
> #  ACCEPT net $FW tcp 443
> #
> #
> # Turn FTP off when not transferring files from VideoKing
> #
> #  FTP/ACCEPT net fw - 21
> #  ACCEPT net $FW tcp 6000:6100
> #
> ## use Webmin while away, turn off when returned. Here is the setting
> # Don't forget to turn on for trips.
> #
> # ACCEPT net $FW tcp1
> #
> #
> SMTP/ACCEPT net $FW - 25
> #
> DNS(ACCEPT) $FW net
> # Accept DNS connections from the firewall to the network
> #
> SSH(ACCEPT) loc $FW
> #
> # Accept SSH connections from the local network for administration
> #
> Ping(ACCEPT) loc $FW
> #
> # Allow Ping from the local network
> #
> #
> ## Internal accepts
> #
> # Cable TV forward
> DNAT net loc:192.168.1.180 udp 27177
> DNAT net loc:192.168.1.180 udp 27178
> DNAT net loc:192.168.1.180 tcp 27177
> DNAT net loc:192.168.1.180 tcp 27178
> #
> ACCEPT loc $FW tcp
> ACCEPT loc $FW udp
> #
> DNS(ACCEPT) loc $FW
> SMB(ACCEPT) loc $FW
> SMB(ACCEPT) $FW loc
> #
> DNS(ACCEPT) phone $FW
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
> #
> Ping(DROP) net $FW
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> #
> ACCEPT $FW phone icmp
> #
> # turn on ipset to stop testing ports from outside
> #
> # ADD(SW_DBL4:src) net $FW
> 

I suspect that you are blacklisting the upstream DNS name servers.

Try this:

#
# Filter out noise
#
Drop net $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info   net $FW

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \


Re: [Shorewall-users] blacklist if connection attempt on unused port

2017-01-18 Thread Nigel Aves
I've become a little stuck on setting up ipset correctly.  I followed 
the instructions from an email as follows:



DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src) net $FW

and after some testing  everything seemed to be working all OK. Using 
Shorewall  5.0.14.1


I have port 80 (web server) and 25 (Postfix server) open in my Rules 
file. Internal network using 192.168.1.1 on eth1


But as soon as I tried using the browser on my local network machine web 
sites, like Facebook, just stopped working.


I've tried to find a simple (I'm no IT specialist, just home hobbyist) 
explanation as to what I have done wrong or missed,  and seemed to have 
hit a brick wall.


If someone could point me in the right direction I would be very grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT loc fw
#
#
DHCPfwd/ACCEPT $FW loc
#
# Accept for web-server
ACCEPT net $FW tcp 80
# no ssl
#  ACCEPT net $FW tcp 443
#
#
# Turn FTP off when not transferring files from VideoKing
#
#  FTP/ACCEPT net fw - 21
#  ACCEPT net $FW tcp 6000:6100
#
## use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT net $FW tcp1
#
#
SMTP/ACCEPT net $FW - 25
#
DNS(ACCEPT) $FW net
# Accept DNS connections from the firewall to the network
#
SSH(ACCEPT) loc $FW
#
# Accept SSH connections from the local network for administration
#
Ping(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
#
## Internal accepts
#
# Cable TV forward
DNAT net loc:192.168.1.180 udp 27177
DNAT net loc:192.168.1.180 udp 27178
DNAT net loc:192.168.1.180 tcp 27177
DNAT net loc:192.168.1.180 tcp 27178
#
ACCEPT loc $FW tcp
ACCEPT loc $FW udp
#
DNS(ACCEPT) loc $FW
SMB(ACCEPT) loc $FW
SMB(ACCEPT) $FW loc
#
DNS(ACCEPT) phone $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
ACCEPT $FW phone icmp
#
# turn on ipset to stop testing ports from outside
#
# ADD(SW_DBL4:src) net $FW









Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-12-01 Thread Nigel Aves

Vieri,

Thank you for your help. I'm running Shorewall 5.0.8.2-1.el7, so that 
explains it.


Typically I prefer to use the updates as they become "official" in the 
repositories. (I'm no Linux expert :) and I use Webmin / Virtualmin to 
help me keep the system running ). I'll hold off for the moment, though 
I did find all the required RPMs.


Kind Regards - Nigel.


On 12/1/2016 12:49 AM, Vieri Di Paola wrote:


- Original Message -
From: Nigel Aves 


But following this post, when I try and change "DYNAMIC_BLACKLIST" it always
errors out. (Tried both solutions in email)

  ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

  ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I had the same issue with an older Shorewall 5 version. Just upgrade. I'm using 
5.0.14.1 now.

Vieri



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola


- Original Message -
From: Nigel Aves 

> But following this post, when I try and change "DYNAMIC_BLACKLIST" it always
> errors out. (Tried both solutions in email)
>
>  ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST
>
> or
> 
>  ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I had the same issue with an older Shorewall 5 version. Just upgrade. I'm using 
5.0.14.1 now.

Vieri



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Nigel Aves

I was trying to implement this "ipset" solution and I keep hitting a brick 
wall. I'm no expert on this, so I was hoping for some guidance.
I have searched and searched trying to find the solution but to no avail.

In the Shorewall dump I have the following (which from some documentation seems 
to be correct, and what I need):-

   Ipset Match (IPSET_MATCH): Available
   Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
   Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
   ipset V5 (IPSET_V5): Available

But following this post, when I try and change "DYNAMIC_BLACKLIST" it always 
errors out. (Tried both solutions in email)

 ERROR: Invalid value (ipset-only,timeout=3600::info) for DYNAMIC_BLACKLIST

or

 ERROR: Invalid value (ipset-only,timeout=3600) for DYNAMIC_BLACKLIST

I'd be very grateful if someone could point me in the right direction as to 
what I am doing wrong.

Many Thanks - Nigel


On 11/28/2016 6:06 AM, Vieri Di Paola wrote:



From: Tom Eastep 

Configure ipset-based dynamic blacklisting:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

then put this at the bottom of your rules:

ADD(SW_DBL4,src) net $FW


I believe the separator is : instead of ,.

I have this now in rules:
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

and this in shorewall.conf:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600

ipset list SW_DBL4 shows that the set is growing fast...

I understand there's no special flag requirement for net "interfaces", not even 
"blacklist" as we're using ipsets here, not files.

Thanks,

Vieri



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola


- Original Message -
From: Tom Eastep 
> First, remove the ADD rules from /etc/shorewall/rules.
>
> You can then copy action.Drop to /etc/shorewall/ and then add this to
> the copy as the last line:
>
> ADD(SW_DBL4:src)

Unfortunately, private IP addresses from my dmz zone were also put into SW_DBL4 
for some reason.

So I thought I should create a custom DROP action.

# cat /etc/shorewall/actions
DROPBL  # drop and blacklist

Created a copy of the standard DROP action and added the line at the bottom:
# tail -n 2 /etc/shorewall/action.DROPBL 
DropDNSrep(@5)
ADD(SW_DBL4:src)

# tail -n 3 rules 
DROPBL  net1$FW
DROPBL  net2$FW
DROPBL  net3$FW

This overrides the net*2fw "policy" because I cannot specify custom actions in 
the POLICY column of /etc/shorewall/policy, right?

Vieri



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Tom Eastep

On 11/30/2016 03:41 AM, Vieri Di Paola wrote:
> 
> 
> - Original Message - From: Tom Eastep
> 
>> Configure ipset-based dynamic blacklisting:
>> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>> then put this at the bottom of your rules:
>>
>> ADD(SW_DBL4,src) net $FW
> 
> 
> I seem to have a few issues with the ipset-based solution.
> 
> The first is really not that important:
> 
> # grep IPSET /etc/shorewall/shorewall.conf
> IPSET=
> IPSET_WARNINGS=Yes
> SAVE_IPSETS=No
> 
> After a shorewall restart I can list the ipset and it has hundreds
> of entries:
> 
> # ipset list SW_DBL4
> 
> Shouldn't it have been cleared out?

No.

> I actually prefer to set SAVE_IPSETS=Yes and then manually flush
> the ipset whenever I want to. I'm just wondering if this config
> variable applies to SW_* ipsets.

Yes, it does.

> 
> The second issue is described below.
> 
> The policy file contains:
> net3 $FW DROP info
> net3 loc DROP info
> net2 $FW DROP info
> net2 loc DROP info
> net1 $FW DROP info
> net3 loc DROP info
> 
> shorewall.conf has:
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
> 
> rules file contains among many other entries:
> [...]
> DNAT net1 loc:10.215.144.91 tcp 25 - - 3/sec:10
> DNAT net2 loc:10.215.144.91 tcp 25 - - 3/sec:10
> ACCEPT net3 $FW tcp 25 - - 3/sec:10
> [...]
> ACCEPT net2 $FW tcp
> [...]
> ADD(SW_DBL4:src) net1 $FW
> ADD(SW_DBL4:src) net2 $FW
> ADD(SW_DBL4:src) net3 $FW
> 
> In the shorewall log I can see DROP messages concerning port 25
> such as:
> 
> Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
> 
> # ipset list SW_DBL4 | grep IP1
> IP1 timeout 3541 packets 1 bytes 48
> 
> Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1
> was blacklisted because there's no explicit rule for traffic from
> net2 to $FW on port 25 so it reaches ADD(SW_DBL4:src) net2 $FW. 
> However, I'm not really sure about this. If the host at IP1 tried
> to connect for the first time to the net2 external interface, it
> should have succeeded and established an SMTP link to an internal
> server (DNAT). As I see it, it never should have reached the ADD
> action at the bottom of my rules file.

If IP1 tried to connect to ANY port that wasn't allowed by the
ruleset, then it gets blacklisted and subsequent attempts to connect
to port 25 will be rejected, even if those attempts are allowed by the
ruleset.

> 
> My third issue is that I see these entries in the log:
> 
> Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 PROTO=UDP SPT=54141 DPT=53 LEN=40
> Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
> 
> where enp0s13 is net3's interface and 192.168.101.2 its IP
> address. So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset.
> 
> I don't care if Google can connect or not but then I also see
> messages like these:
> 
> Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
> Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
> Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
> 
> They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each
> time a client in my loc zone surfs the web, the web servers' IP
> addresses are bound to get blacklisted.
> 
> Another example when a client in the loc zone accesses a web server
> (note that there are several internet providers with load
> balancing):
> 
> Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 SRC=10.215.248.190
> 

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-30 Thread Vieri Di Paola


- Original Message -
From: Tom Eastep 
> Configure ipset-based dynamic blacklisting:
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
> then put this at the bottom of your rules:

> ADD(SW_DBL4,src) net $FW


I seem to have a few issues with the ipset-based solution.

The first is really not that important:

# grep IPSET /etc/shorewall/shorewall.conf
IPSET=
IPSET_WARNINGS=Yes
SAVE_IPSETS=No

After a shorewall restart I can list the ipset and it has hundreds of entries:

# ipset list SW_DBL4

Shouldn't it have been cleared out?
I actually prefer to set SAVE_IPSETS=Yes and then manually flush the ipset 
whenever I want to. I'm just wondering if this config variable applies to SW_* 
ipsets.

The second issue is described below.

The policy file contains:
net3 $FW DROP info
net3 loc DROP info
net2 $FW DROP info
net2 loc DROP info
net1 $FW DROP info
net3 loc DROP info

shorewall.conf has:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

rules file contains among many other entries:
[...]
DNAT net1 loc:10.215.144.91 tcp 25 - - 3/sec:10
DNAT net2 loc:10.215.144.91 tcp 25 - - 3/sec:10
ACCEPT net3 $FW tcp 25 - - 3/sec:10
[...]
ACCEPT net2 $FW tcp
[...]
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

In the shorewall log I can see DROP messages concerning port 25 such as:

Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2

# ipset list SW_DBL4 | grep IP1
IP1 timeout 3541 packets 1 bytes 48

Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1 was 
blacklisted because there's no explicit rule for traffic from net2 to $FW on 
port 25 so it reaches ADD(SW_DBL4:src) net2 $FW.
However, I'm not really sure about this. If the host at IP1 tried to connect 
for the first time to the net2 external interface, it should have succeeded and 
established an SMTP link to an internal server (DNAT). As I see it, it never 
should have reached the ADD action at the bottom of my rules file.

My third issue is that I see these entries in the log:

Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 
SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 
PROTO=UDP SPT=54141 DPT=53 LEN=40
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 
DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 
DPT=20938 LEN=56 MARK=0x3

where enp0s13 is net3's interface and 192.168.101.2 its IP address.
So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset.

I don't care if Google can connect or not but then I also see messages like 
these:

Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 
DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 
DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 
DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP 
SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 
DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP 
SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3

They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each time a client 
in my loc zone surfs the web, the web servers' IP addresses are bound to get 
blacklisted.

Another example when a client in the loc zone accesses a web server (note that 
there are several internet providers with load balancing):

Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 
SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 
ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 
SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 
ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 
SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 
ID=3087 DF PROTO=TCP SPT=64183 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Nov 30 09:58:05 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=xxx.xxx.xxx.xx4 
DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 
DPT=64183 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2
(192.168.100.2 is on net2)

So I'm wondering if I can avoid false positives in the dynamic blacklist.

I'm also looking at PSAD as suggested by Mark but the conf file 
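As an added example (not from this thread or from Shorewall itself), the Python below models the two rule orderings discussed in it: the original rules file, where ADD(SW_DBL4:src) net $FW is the only catch-all, and Tom's fix, where Drop net $FW sits ahead of ADD so that the noise Drop silently discards (DNS replies via DropDNSrep, TCP segments that are not a fresh SYN via dropNotSyn/dropInvalid) never reaches ADD. It parses netfilter log lines in the Shorewall prefix format Vieri quoted and treats each as a packet that matched none of the explicit ACCEPT/DNAT rules; the sample lines are constructed, the 198.51.100.x/203.0.113.x addresses are placeholders for the masked hosts, and the noise classification is my approximation of the Drop action's contents, not Shorewall's own code.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the "Shorewall:dbl_log:DROP:" lines quoted in the
# thread. 8.8.8.8, 192.168.101.2 and enp0s13 are from the thread; 198.51.100.x and
# 203.0.113.x (RFC 5737 documentation ranges) stand in for the masked xxx.xxx.xxx.xxN hosts.
SAMPLE_LOG = """\
Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3
Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=198.51.100.11 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=198.51.100.12 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3
Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=198.51.100.13 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3
Nov 30 10:02:41 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.77 DST=192.168.101.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4210 PROTO=TCP SPT=41022 DPT=1234 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3
Nov 30 10:02:41 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=203.0.113.77 DST=192.168.101.2 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4211 PROTO=TCP SPT=41023 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3
"""

# Shorewall's log prefix is "Shorewall:<chain>:<target>:" followed by the netfilter fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[A-Z]+):(?P<rest>.*)$")


@dataclass(frozen=True)
class Entry:
    src: str
    proto: str
    sport: int
    dport: int
    flags: frozenset  # bare tokens such as SYN, ACK, FIN, RST, PSH, DF


def parse_dbl_log(text):
    """Parse netfilter log lines that carry a Shorewall log prefix into Entry records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields, flags = {}, set()
        for tok in m.group("rest").split():
            if "=" in tok:
                key, val = tok.split("=", 1)
                fields[key] = val   # LEN appears twice for UDP; the later value wins
            else:
                flags.add(tok)      # TCP flag words and DF carry no '='
        entries.append(Entry(fields["SRC"], fields["PROTO"],
                             int(fields.get("SPT", 0)), int(fields.get("DPT", 0)),
                             frozenset(flags)))
    return entries


def classify(e):
    """Say what a packet that matched none of the explicit ACCEPT/DNAT rules looks like."""
    if e.proto == "UDP" and e.sport == 53:
        return "dns-reply"   # late answer to a query the firewall sent or forwarded
    if e.proto == "TCP":
        if "SYN" in e.flags and "ACK" not in e.flags:
            return "probe"   # a fresh connection attempt to a port nothing listens on
        return "stray-tcp"   # RST, ACK, FIN or SYN+ACK: a leftover, not a new connection
    return "other"


# Approximation of what the Drop action silently discards before the next rule is
# consulted: DNS replies (DropDNSrep) and TCP segments that are not a fresh SYN
# (dropNotSyn, dropInvalid). "probe" and "other" fall through to whatever follows.
NOISE = {"dns-reply", "stray-tcp"}


def would_blacklist(entries, drop_noise_first):
    """Source addresses that 'ADD(SW_DBL4:src) net $FW' at the end of the rules file puts
    into SW_DBL4. drop_noise_first=False models the original file, where ADD is the only
    catch-all; drop_noise_first=True models Tom's fix, 'Drop net $FW' placed ahead of ADD."""
    blacklisted = set()
    for e in entries:
        if drop_noise_first and classify(e) in NOISE:
            continue
        blacklisted.add(e.src)
    return blacklisted


def reaches_service(src, dport, blacklisted, open_ports):
    """Tom's point in the thread: once a source is in SW_DBL4 the blacklist chain drops it
    before the rules file is consulted, so even an explicitly allowed port is unreachable."""
    return src not in blacklisted and dport in open_ports


if __name__ == "__main__":
    entries = parse_dbl_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.src:>15} {e.proto} {e.sport:>5} -> {e.dport:<5} {classify(e)}")
    before = would_blacklist(entries, drop_noise_first=False)
    after = would_blacklist(entries, drop_noise_first=True)
    print("blacklisted without 'Drop net $FW':", sorted(before))
    print("blacklisted with    'Drop net $FW':", sorted(after))
    # The web server that sent a late RST cannot reach our SMTP port until the timeout expires
    print("198.51.100.11 -> tcp/25 before fix:", reaches_service("198.51.100.11", 25, before, {25, 80}))
    print("198.51.100.11 -> tcp/25 after fix: ", reaches_service("198.51.100.11", 25, after, {25, 80}))
```

Run against a real log, the same split tells you which SW_DBL4 entries are probes worth keeping and which are return traffic that a noise filter ahead of ADD would have spared.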

Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-28 Thread Vieri Di Paola



From: Tom Eastep 
> Configure ipset-based dynamic blacklisting:
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
> 
> then put this at the bottom of your rules:
> 
> ADD(SW_DBL4,src) net $FW


I believe the separator is : instead of ,.

I have this now in rules:
ADD(SW_DBL4:src) net1 $FW
ADD(SW_DBL4:src) net2 $FW
ADD(SW_DBL4:src) net3 $FW

and this in shorewall.conf:
DYNAMIC_BLACKLIST=ipset-only,timeout=3600

ipset list SW_DBL4 shows that the set is growing fast...

I understand there's no special flag requirement for net "interfaces", not even 
"blacklist" as we're using ipsets here, not files.

Thanks,

Vieri



Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-27 Thread Mark D. Montgomery II


Quoting Vieri Di Paola :


Hi,

Suppose I have rules such as:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]

I'd like to automatically/dynamically blacklist all IP addresses of  
hosts that try to connect to any other unlisted port (eg. port tcp  
 or 1234, etc.). So if a host tries to connect to port tcp 1234  
(on which my site does not serve anything) I'd like the "net" SRC  
address to be blacklisted "globally", ie. it should not be able to  
connect to ANY port, not even those listed above (80,443,3389), for  
at least 1 hour.




Personally I use PSAD for this, it works nicely with Shorewall.
I'm a little more obnoxious and set it to a 24 hr block.  ;)

I've read about shorewall events (BTW there's a missing ',-' in the  
example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it fits  
my needs.


The following doesn't seem to do what I want:

ACCEPT net $FW tcp 80,443
DNAT net loc:IP tcp 3389
[...etc...]
AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all

Aren't the IP addresses in ABL_BL supposed to be REJECTed regardless  
of where they're trying to connect to?


Maybe there's a simpler way to do this with Shorewall actions and  
dynamic blacklisting?


Thanks,

Vieri




--
Mark D. Montgomery II
http://www.techiem2.net





Re: [Shorewall-users] blacklist if connection attempt on unused port

2016-11-27 Thread Tom Eastep

On 11/25/2016 07:12 AM, Vieri Di Paola wrote:
> Hi,
> 
> Suppose I have rules such as:
> 
> ACCEPT net $FW tcp 80,443
> DNAT net loc:IP tcp 3389
> [...etc...]
> 
> I'd like to automatically/dynamically blacklist all IP addresses of
> hosts that try to connect to any other unlisted port (eg. port tcp
>  or 1234, etc.). So if a host tries to connect to port tcp 1234
> (on which my site does not serve anything) I'd like the "net" SRC
> address to be blacklisted "globally", ie. it should not be able to
> connect to ANY port, not even those listed above (80,443,3389), for
> at least 1 hour.
> 
> I've read about shorewall events (BTW there's a missing ',-' in the
> example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it
> fits my needs.
> 
> The following doesn't seem to do what I want:
> 
> ACCEPT net $FW tcp 80,443
> DNAT net loc:IP tcp 3389
> [...etc...]
> AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all
> 
> Aren't the IP addresses in ABL_BL supposed to be REJECTed
> regardless of where they're trying to connect to?

You don't want to use AutoBL in this way. AutoBL is intended to be
used to blacklist clients who make repeated attempts to connect to a
service which they are allowed to use. The most common use case is to
stop dictionary attacks.

> 
> Maybe there's a simpler way to do this with Shorewall actions and
> dynamic blacklisting?
> 

Configure ipset-based dynamic blacklisting:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

then put this at the bottom of your rules:

ADD(SW_DBL4,src) net $FW

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \