Simon,

I'm afraid that's not the case, unless you have SELinux enabled, or other 
equivalent security modules installed like, for instance, AppArmor, 
ModSecurity, Systrace or even Zorp.

You can test whether that's the case or not by launching the command that I've 
provided.
Type it on a linux box addressing another linux box on the Internet you have 
access to (the target) where Shorewall runs and replacing the port and the 
target IP address according to your configuration.

Now check the /var/log/httpd/access.log on the target for the presence or not 
of a copy of the command.
If it is in your log, then you can be sure that it was the Apache process that 
received it, no matter what port was used in the end within the target machine.
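The check described above (look in access.log for a copy of the request) can be automated. The script below is an added example, not code from this thread or from Shorewall: it parses Apache combined-format lines and flags query strings that php-cgi would parse as command-line options, which is what the quoted request relies on. The sample log lines are constructed; the second one mimics the shape of the quoted request.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: the request line is the first quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# php.ini directives that php-cgi argument injection turns on or points at a file.
DIRECTIVES = ("allow_url_include", "auto_prepend_file", "auto_append_file")

def suspicious_reasons(line):
    """Reasons one access.log line looks like php-cgi argument injection ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    request_parts = m.group("req").split(" ")
    if len(request_parts) < 2:
        return []
    query = request_parts[1].partition("?")[2]
    # '+' encodes a space in a query string; php-cgi saw the decoded form.
    decoded = unquote(query.replace("+", " "))
    reasons = []
    if decoded.lstrip().startswith("-"):
        reasons.append("query string starts with a command-line flag")
    reasons += [f"sets {d}" for d in DIRECTIVES if d in decoded]
    if "\x00" in decoded:
        reasons.append("embedded NUL byte")
    if "../" in decoded:
        reasons.append("directory traversal")
    return reasons

def scan(lines):
    """Return (client_ip, status, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        reasons = suspicious_reasons(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("status"), reasons))
    return hits

# Constructed sample lines (not the thread's own log); the second mimics the quoted request.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jan/2013:20:55:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Jan/2013:20:58:13 +0000] "GET /?-d+allow_url_include%3DOn+-d+auto_prepend_file%3D../../../../etc/passwd%00+-n HTTP/1.1" 302 527 "-" "curl/7.19.4"',
]

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {status}: {'; '.join(reasons)}")
```

Any hit means the request reached Apache regardless of which port the DNAT rule rewrote it to, which is exactly the evidence the log check above is looking for.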

-----Original Message-----
From: Simon Hobson [mailto:li...@thehobsons.co.uk] 
Sent: 09 January 2013 21:01
To: Shorewall Users
Subject: Re: [Shorewall-users] constraint port access to specific application

"Costantino" wrote:
> OK, let me provide more info.

> As I discovered, using a rule like the following:

> DNAT    net fw:$FW_LAN_side:22   tcp   7805

> did not prevent an attacker from going through my Shorewall firewall by 
> issuing a command equivalent to the following:

> wget 
> "http://<IP-addr>:7805/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../.../../../../../etc/passwd%00%20-n
>  HTTP/1.1" 302 527 "-" "curl/7.19.4 (i386-redhat-linux-gnu) libcurl/7.19.4 
> NSS/3.12.2.0 zlib/1.2.3 libidn/0.6.14 libssh2/0.18"

> as I could discover in the /var/log/access.log log file. 
> Hence my question about whether there is a feature that allows to associate a 
> port to a specific process running on the firewall. 
> In this case, for instance, dedicating port 7805 to process sshd.

In the rule you've given, the packet will be delivered to the service listening 
on port 22 (i.e. your SSH server) - it will not be delivered to any other 
service. SSH should simply discard the packet as "not making sense".

------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and 
much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users