sftf wrote:
> Hi!
> I have decent experience with a self-made iptables script for my
> 3-legged firewall.
> 
> Now I'm trying shorewall (3.2.6 on Debian stable) for my web-server in DMZ
> and I have these questions.
> 
> 1. How does the iptables default policy of built-in chains (iptables -P) affect
> shorewall behaviour?

For the raw, mangle and nat tables, Shorewall won't work unless the default
policy is ACCEPT. That's because any packet that falls off the end of such a
chain is assumed to be accepted. The filter table policies don't matter but
shorewall sets them to DROP anyway.

> 
> 2. Why is the default policy of built-in chains for the stopped state ACCEPT instead
> of DROP/REJECT for extra security, and hardcoded in shorewall?

The default policy of the built-in filter chains is NOT ACCEPT when shorewall is
stopped.

gateway:~ # shorewall stop
Stopping Shorewall...
done.
gateway:~ # shorewall show
Shorewall 4.0.5 filter Table at gateway - Fri Oct  5 15:37:56 PDT 2007

Counters reset Fri Oct  5 15:37:02 PDT 2007

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   50  6474 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br0    *       192.168.0.0/22       0.0.0.0/0
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 2 packets, 126 bytes)
 pkts bytes target     prot opt in     out     source               destination
   81  8100 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br0    *       192.168.0.0/22       0.0.0.0/0
    0     0 ACCEPT     0    --  *      br0     0.0.0.0/0            192.168.0.0/22

Chain OUTPUT (policy ACCEPT 36 packets, 6234 bytes)
 pkts bytes target     prot opt in     out     source               destination
gateway:~ #

In that system, OUTPUT has policy ACCEPT because ADMINISABSENTMINDED is
set to Yes in shorewall.conf.

> Can I configure the default policy of built-in chains for the running and
> stopped shorewall states respectively?
> 
> A "start" script with
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> lines works well, but a "stopped" script with the same lines doesn't work for
> me (policies are still ACCEPT after "shorewall stop").

If you are seeing the reported behavior, it must be something that the
Debian maintainer is changing. No version of Shorewall ever released
from shorewall.net has had default policies of ACCEPT for INPUT and
FORWARD after 'shorewall stop'.

Please check the SVN repository under shorewall/tags/3.2.6 -- you will
see that the code in stop_firewall() in the 'firewall' script sets the
policies for the nat, raw and mangle chains to ACCEPT. But it sets the
others based on the setting of ADMINISABSENTMINDED.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
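
A way to verify the policies Tom describes on your own box, as an added example that is not part of this thread or of Shorewall's own code: it parses "iptables -t TABLE -S" output and flags any built-in chain whose policy differs from what a stopped Shorewall should leave (filter INPUT/FORWARD DROP, raw/mangle/nat ACCEPT; OUTPUT ACCEPT only with ADMINISABSENTMINDED=Yes). The function names, and the assumption that OUTPUT is DROP when ADMINISABSENTMINDED=No, are mine.

```shell
#!/bin/sh
# Audit the built-in chain policies a stopped Shorewall should leave behind.
# Expectations (from the reply above; the ADMINISABSENTMINDED=No case is an
# assumption that OUTPUT is then DROP as well):
#   filter: INPUT and FORWARD are DROP; OUTPUT is ACCEPT only when
#           ADMINISABSENTMINDED=Yes in shorewall.conf
#   raw, mangle, nat: every built-in chain is ACCEPT, because a packet that
#           falls off the end of those chains is treated as accepted
#
# check_table reads "iptables -t TABLE -S" output on stdin, prints one line
# per violation and returns 1 if any were found.
#   $1 = table name, $2 = ADMINISABSENTMINDED setting (Yes/No, default Yes)
check_table() {
    table="$1"
    absentminded="${2:-Yes}"
    rc=0
    while read -r flag chain policy _rest; do
        # only "-P CHAIN POLICY" lines describe built-in chain policies
        [ "$flag" = "-P" ] || continue
        case "$table:$chain:$policy" in
            filter:INPUT:DROP|filter:FORWARD:DROP) ;;
            filter:OUTPUT:DROP) ;;
            filter:OUTPUT:ACCEPT)
                if [ "$absentminded" != "Yes" ]; then
                    echo "filter OUTPUT is ACCEPT but ADMINISABSENTMINDED=$absentminded"
                    rc=1
                fi ;;
            filter:*)
                echo "filter $chain policy is $policy, expected DROP"
                rc=1 ;;
            raw:*:ACCEPT|mangle:*:ACCEPT|nat:*:ACCEPT) ;;
            *)
                echo "$table $chain policy is $policy, expected ACCEPT"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Check all four tables on the live ruleset after "shorewall stop" (needs
# root); returns 1 on any violation. Not invoked at top level so the file
# can be sourced on a machine without iptables.
audit_stopped_policies() {
    status=0
    for t in filter raw mangle nat; do
        iptables -t "$t" -S | check_table "$t" "$1" || status=1
    done
    return "$status"
}
```

Run `audit_stopped_policies Yes` (or `No`, matching your shorewall.conf) right after `shorewall stop`; a Debian-patched stop script that leaves INPUT/FORWARD at ACCEPT shows up as two "expected DROP" lines.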

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users