Hello everyone.
I'm currently setting up Shorewall on another machine (the fifth in
our company, this time a web server). A nice and simple "firewall for
one machine" setup, only one interface, eth0.
However, it seems as if Shorewall has thrown me out of my box, despite
ADMINISABSENTMINDED=yes.
Fortunately I have a 'shorewall clear' timebomb ticking away at the
moment (800 seconds feels like a long, long time...), which I'm hoping
is going to solve the problem. The only issue is that this isn't the first time
I've been locked out of a machine because of Shorewall (again, with
adminisabsentminded=yes set), and last time it took a tech plugging a
serial console into it to get it moving again.
Can anyone shed some light on why Shorewall is being nitpicky about
who admins it? :)
Configuration instructions/infodump included.
Thanks.
Jan
[EMAIL PROTECTED] [/etc/shorewall]# shorewall start
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling IPSEC...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
Enabling Loopback and DNS Lookups
Setting up Accounting...
Creating Interface Chains...
Setting up Proxy ARP...
Setting up one-to-one NAT...
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up RFC1918 Filtering...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Tunnels...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
[Putty message here: Network error: Software caused connection abort]
Configuration instructions:
### Shorewall guide, modified to suit standalone Master configuration.
4. Shorewall.
cd /root/installs
wget http://shorewall.infohiiway.com/pub/shorewall/CURRENT_STABLE_VERSION_IS_3.2/shorewall-3.2.5/shorewall-3.2.5.tgz
tar -xvzf shorewall-3.2.5.tgz
cd shorewall-3.2.5
./install.sh
## edit configuration files.
cd /etc/shorewall
nano zones
## paste the following in below 'fw firewall':
net
nano interfaces
net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist,routeback
nano policy
## paste the following in before '#LAST LINE -- DO NOT REMOVE':
# default deny for internet to server connections
net fw DROP
fw net DROP info
# boring last rule
all all DROP info
nano rules
### Net zone ###
ACCEPT net fw icmp 8                     # accept pings
ACCEPT:info net fw tcp 443               # accept VPN connections
ACCEPT:info net fw tcp ssh               # for remote administration
ACCEPT net fw tcp http                   # for testfile.bin and speedometer scripts
# ACCEPT net fw udp 53                   # allow DNS queries from internet
#                                        # commented out for now, due to controversiality
# Cpanel connections to common, cpanel-regulated services, including
# http/https,smtp,pop3,imap,cpanel,whm,webmail,etc
ACCEPT net fw tcp 20,21,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096
ACCEPT net fw tcp 21,465
### Outgoing Net zone ###
ACCEPT fw net udp 1812,1813              # allow radius packets out
ACCEPT fw net tcp http,https,ftp         # allow HTTP and HTTPS out (eg, for patching)
ACCEPT fw net udp 53                     # allow server to resolve DNS names
# Cpanel outbound connections from common, cpanel-regulated services
ACCEPT fw net tcp 20,21,25,26,37,43,53,80,113,465,873,2089
ACCEPT fw net udp 21,465,53,873
nano accounting
######## Total traffic totalling #########
total_traffic - eth0 - all -
total_traffic - - eth0 all -
COUNT total_traffic eth0 -
COUNT total_traffic - eth0
nano routestopped
eth0 -
nano shorewall.conf
## find STARTUP_ENABLED=No and change to
## check for errors, typos etc
shorewall check
## run a 'timebomb' in the background in case something goes wrong
## and the box goes localhost. write down the pid it gives you!
sleep 800 && shorewall clear &
## meanwhile, apply the rules:
shorewall start
## if it's successful, defuse the timebomb:
kill PID_GOES_HERE
# done!
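The 'timebomb' step above is the right idea but has two weak points: the background job can be killed with the SSH session it was started from, and the admin has to remember to defuse it by hand. The function below is an added example (not from the original post and not part of Shorewall) that hardens that pattern: the rollback timer ignores SIGHUP, and it is defused only by proof that the new ruleset still admits the admin, namely a fresh SSH session creating a confirmation file before the timer expires. The command strings, the 120-second timeout and the /tmp/fw-ok path in the usage comment are assumed values.

```shell
#!/bin/sh
# Lock-out guard for applying a firewall ruleset over SSH (added example,
# not part of the original post or of Shorewall itself).
#
# Start a rollback timer *before* applying the rules, then require proof
# that the new ruleset still lets the admin in: a fresh SSH session must
# create CONFIRM_FILE before the timer expires. If that proof never
# arrives (new session cannot connect, or the old one is cut off during
# 'shorewall start'), the timer runs ROLLBACK_CMD, e.g. 'shorewall clear'.
#
# Usage on the firewall host (assumed values):
#   safe_apply 'shorewall start' 'shorewall clear' 120 /tmp/fw-ok
# then, from a NEW terminal:  ssh firewall-host touch /tmp/fw-ok
safe_apply() {
    apply_cmd=$1
    rollback_cmd=$2
    timeout_secs=$3
    confirm_file=$4

    rm -f "$confirm_file"

    # The timebomb runs in its own subshell and ignores SIGHUP, so it
    # survives the interactive session being torn down by the new rules.
    (
        trap '' HUP
        sleep "$timeout_secs"
        [ -f "$confirm_file" ] || eval "$rollback_cmd"
    ) &
    bomb_pid=$!

    # Apply the ruleset; an outright failure is rolled back immediately.
    if ! eval "$apply_cmd"; then
        kill "$bomb_pid" 2>/dev/null
        eval "$rollback_cmd"
        return 1
    fi

    echo "Ruleset applied. From a NEW session run: touch $confirm_file" \
         "within $timeout_secs seconds, or the rollback fires."

    # Block until the timer has decided; its own exit status is not
    # meaningful here, only the presence of the confirmation file is.
    wait "$bomb_pid" || :
    [ -f "$confirm_file" ]
}
```

Because the confirmation must come from a new session, the same guard also catches the case where the old session survives (established connection) but new SSH logins are blocked by the fresh ruleset.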
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users