Hello shorewall users,

I'm testing the new Events feature in shorewall 4.5.19 (on Arch Linux)
and noticed there are a few things that seem to be amiss:

- in /usr/share/shorewall/action.IfEvent, line 50, it says second, not
seconds (as is documented in the iptables-extensions man page).

- to use SSH limiting as is described in the example on
http://www.shorewall.net/Events.html, I need to define an additional
SSH_BLACKLIST action in /etc/shorewall/actions or shorewall check will
fail with:

ERROR: Unknown ACTION (SSH_BLACKLIST) /usr/share/shorewall/action.IfEvent

- after I add the SSH_BLACKLIST action I get the following warning when
running shorewall check:

Checking /etc/shorewall/action.SSH_BLACKLIST for chain SSH_BLACKLIST...
   WARNING: Log Prefix shortened to "Shorewall:SSH_BLACKLIST:LOG: "
/etc/shorewall/action.SSH_BLACKLIST (line 10)
      from /usr/share/shorewall/action.IfEvent (line 138)
      from /etc/shorewall/action.SSH_LIMIT (line 14)
      from /etc/shorewall/rules (line 37)
- shorewall check validates the configuration, but when I do a shorewall
restart I get the following error:

Running /sbin/iptables-restore...
iptables-restore v1.4.19.1: unknown option "--reap"
Error occurred at line: 85
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
/usr/share/shorewall/lib.common: line 113:  9618 Terminated              $SHOREWALL_SHELL $script $options $@

The contents of iptables-restore-input are in the attachment.

Anything I can do to work around or fix this?

Best regards,

Tiemen

[Attachment: /var/lib/shorewall/.iptables-restore-input]

#
# Generated by Shorewall 4.5.19 - Thu Jul 25 13:30:27 2013
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p 17 --dport 10080 -j CT --helper amanda
-A PREROUTING -p 6 --dport 21 -j CT --helper ftp
-A PREROUTING -p 6 --dport 6667 -j CT --helper irc
-A PREROUTING -p 17 --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p 6 --dport 1723 -j CT --helper pptp
-A PREROUTING -p 6 --dport 6566 -j CT --helper sane
-A PREROUTING -p 17 --dport 5060 -j CT --helper sip
-A PREROUTING -p 17 --dport 161 -j CT --helper snmp
-A PREROUTING -p 17 --dport 69 -j CT --helper tftp
-A OUTPUT -p 17 --dport 10080 -j CT --helper amanda
-A OUTPUT -p 6 --dport 21 -j CT --helper ftp
-A OUTPUT -p 6 --dport 6667 -j CT --helper irc
-A OUTPUT -p 17 --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p 6 --dport 1723 -j CT --helper pptp
-A OUTPUT -p 6 --dport 6566 -j CT --helper sane
-A OUTPUT -p 17 --dport 5060 -j CT --helper sip
-A OUTPUT -p 17 --dport 161 -j CT --helper snmp
-A OUTPUT -p 17 --dport 69 -j CT --helper tftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-mark 0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:%IfEvent - [0:0]
:%IfEvent1 - [0:0]
:Broadcast - [0:0]
:Drop - [0:0]
:IfEvent - [0:0]
:Reject - [0:0]
:SSH_BLACKLIST - [0:0]
:SSH_LIMIT - [0:0]
:dynamic - [0:0]
:fw2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:reject - [0:0]
:smurflog - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:~log0 - [0:0]
-A INPUT -i eth0 -j net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"
-A INPUT -g reject
-A FORWARD -j Reject
-A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
-A FORWARD -g reject
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
-A OUTPUT -g reject
-A %IfEvent -m recent --rcheck --second 120 --reap --hitcount 5 --name SSH --rsource -j SSH_BLACKLIST
-A %IfEvent1 -m recent --update --second 2 --hitcount 1 --name SSH --rsource -g ~log0
-A Broadcast -m addrtype --dst-type BROADCAST -j DROP
-A Broadcast -m addrtype --dst-type MULTICAST -j DROP
-A Broadcast -m addrtype --dst-type ANYCAST -j DROP
-A Broadcast -d 224.0.0.0/4 -j DROP
-A Drop
-A Drop -j Broadcast
-A Drop -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
-A Drop -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p 17 -m multiport --dports 135,445 -j DROP -m comment --comment "SMB"
-A Drop -p 17 --dport 137:139 -j DROP -m comment --comment "SMB"
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP -m comment --comment "SMB"
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP -m comment --comment "SMB"
-A Drop -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
-A Drop -p 6 ! --syn -j DROP
-A Drop -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
-A IfEvent -m recent --rcheck --second 300 --hitcount 1 --name SSH_COUNTER --rsource -j reject
-A Reject
-A Reject -j Broadcast
-A Reject -p 1 --icmp-type 3/4 -j ACCEPT -m comment --comment "Needed ICMP types"
-A Reject -p 1 --icmp-type 11 -j ACCEPT -m comment --comment "Needed ICMP types"
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p 17 -m multiport --dports 135,445 -j reject -m comment --comment "SMB"
-A Reject -p 17 --dport 137:139 -j reject -m comment --comment "SMB"
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject -m comment --comment "SMB"
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject -m comment --comment "SMB"
-A Reject -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
-A Reject -p 6 ! --syn -j DROP
-A Reject -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
-A SSH_BLACKLIST -j LOG --log-level 4 --log-prefix "Shorewall:SSH_BLACKLIST:LOG: "
-A SSH_BLACKLIST -m recent --name SSH_COUNTER --set --rsource -j reject
-A SSH_LIMIT -j IfEvent
-A SSH_LIMIT -j %IfEvent
-A SSH_LIMIT -j %IfEvent1
-A SSH_LIMIT -m recent --name SSH_COUNTER --remove --rsource -j LOG --log-level 4 --log-prefix "Shorewall:SSH_LIMIT:Removed:"
-A SSH_LIMIT -m recent --name SSH --set --rsource -j ACCEPT
-A fw2net -p udp --dport 67:68 -j ACCEPT
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -p 1 -j ACCEPT
-A fw2net -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A net2fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j smurfs
-A net2fw -p udp --dport 67:68 -j ACCEPT
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -m conntrack --ctstate INVALID -p 6 -j DROP
-A net2fw -p 1 --icmp-type 8 -j DROP -m comment --comment "Ping"
-A net2fw -s w.x.y.z -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
-A net2fw -s w.x.y.z -p 6 --dport 587 -j ACCEPT -m comment --comment "Submission"
-A net2fw -p 6 --dport 22 -j SSH_LIMIT
-A net2fw -j Drop
-A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:DROP:"
-A net2fw -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p 2 -j DROP
-A reject -p 6 -j REJECT --reject-with tcp-reset
-A reject -p 17 -j REJECT
-A reject -p 1 -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurflog -j LOG --log-level 6 --log-prefix "Shorewall:smurfs:DROP:"
-A smurflog -j DROP
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags
-A tcpflags -p tcp --tcp-flags ALL NONE -g logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -g logflags
-A tcpflags -p tcp --syn --sport 0 -g logflags
-A ~log0 -j LOG --log-level 4 --log-prefix "Shorewall:SSH_LIMIT:Added:"
-A ~log0 -j reject
COMMIT
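Added example, not Shorewall's or the poster's code: a small Python linter for the "-m recent" options in a generated iptables-restore input. It flags the "--second" spelling against the man-page name "--seconds" and any option the caller marks as unknown to the installed iptables build (here "--reap", as in the failure above), reporting the 1-based line number the way iptables-restore's "Error occurred at line" does. The sample input is constructed from the rules in the attachment.

```python
import difflib
import shlex

# Canonical xt_recent option names from the iptables-extensions(8) man page.
RECENT_OPTIONS = frozenset({
    "--name", "--set", "--rcheck", "--update", "--remove", "--seconds",
    "--reap", "--hitcount", "--rttl", "--rsource", "--rdest", "--mask",
})

# Constructed sample modelled on the poster's iptables-restore input.
SAMPLE = """\
*filter
-A %IfEvent -m recent --rcheck --second 120 --reap --hitcount 5 --name SSH --rsource -j SSH_BLACKLIST
-A %IfEvent1 -m recent --update --second 2 --hitcount 1 --name SSH --rsource -g ~log0
-A SSH_LIMIT -m recent --name SSH --set --rsource -j ACCEPT
COMMIT
"""

def recent_options_in_rule(rule):
    """Return the '--xxx' tokens that belong to '-m recent' in one rule line."""
    tokens = shlex.split(rule)
    found, i = [], 0
    while i < len(tokens) - 1:
        if tokens[i] == "-m" and tokens[i + 1] == "recent":
            i += 2
            # The match's options run until the next single-dash switch (-j, -g, -p, ...).
            while i < len(tokens) and not (tokens[i][:1] == "-" and tokens[i][:2] != "--"):
                if tokens[i].startswith("--"):
                    found.append(tokens[i])
                i += 1
        else:
            i += 1
    return found

def lint_recent_options(text, unsupported=frozenset()):
    """Return (line_number, option, problem) tuples; line_number is 1-based like
    iptables-restore's "Error occurred at line: N".  'unsupported' names options
    the man page documents but the installed iptables-restore rejects ("--reap")."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.startswith("-A") or "-m recent" not in line:
            continue
        for opt in recent_options_in_rule(line):
            if opt not in RECENT_OPTIONS:
                hint = difflib.get_close_matches(opt, RECENT_OPTIONS, n=1)
                note = " (did you mean %s?)" % hint[0] if hint else ""
                findings.append((lineno, opt, "unknown option" + note))
            elif opt in unsupported:
                findings.append((lineno, opt, "not supported by this iptables build"))
    return findings
```

Run it over the real /var/lib/shorewall/.iptables-restore-input with `unsupported={"--reap"}` to locate every rule that iptables-restore 1.4.19.1 will refuse before attempting a restart.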