Thanks, Tom. The patch works:
-A inet-fw -p 17 --dport 53 -j ~log3 -m comment --comment "timeout port scanners"
-A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
-A inet-fw -p 17 -m multiport --dports 80,443 -j ~log4 -m comment --comment "timeout port scanners"
-A inet-fw -p 6 --dport 8443 -j ~log4 -m comment --comment "timeout port scanners"

Tested (now dropped instead of rejected):
Shorewall:inet-fw:ADD(+IpOne IN=pwrbd OUT= MAC=68:05:ca:18:9e:61:a4:4c:11:f8:8e:c0:08:00 S... URGP=0
Shorewall:inet-fw:DROP:IN=pwrbd OUT= MAC=68:05:ca:18:9e:61:a4:4c:11:f8:8e:c0:08:00 SRC=61.... URGP=0


Now, is there any way to set the Shorewall prefix on this ADD with logging tag? I'd like to get rid of: WARNING: Log Prefix shortened to "Shorewall:inet-fw:ADD(+IpPor " /etc/shorewall/rules (line 207)

It only shows once per list, but I don't want to get in the habit of ignoring warnings.

I don't know how to express how much I appreciate your labors, so just Thanks:
Bill


On 1/29/2014 11:19 AM, Tom Eastep wrote:
On 1/29/2014 5:58 AM, Bill Shirley wrote:
Just wanted to report a bug in Shorewall.  I've looked for a Shorewall
bugzilla but couldn't find one.

I just discovered that using an ADD rule with logging, Shorewall uses a
'- g' instead of a '-j' for the target in iptables.  This makes a new
connection hit my 'all all REJECT notice' instead of my 'inet all DROP
info'.  Also, no other rule following the ADD with logging will be used.

[0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall
shorewall-core-4.5.15-1.fc19.noarch
shorewall-4.5.15-1.fc19.noarch


/etc/shorewall/rules:
?COMMENT timeout port scanners
ADD(+IpOneDay:src)              inet            fw      tcp 22    # uses -j
ADD(+IpOneDay:src):notice       inet            fw      udp 80,443  # no such udp service: uses -g
ADD(+IpOneDay:src):notice       inet            fw      tcp     8443


/etc/shorewall/policy:
#-------------------------------------------------------------------------------
#inet   all     REJECT          info
inet    all     DROP            info


#-------------------------------------------------------------------------------
#
# THE FOLLOWING POLICY MUST BE LAST
#
#-------------------------------------------------------------------------------
all     all     REJECT          notice
#all    all     DROP            notice


/var/lib/shorewall/.restart:
-A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
-A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4 -m comment --comment "timeout port scanners"
-A inet-fw -p 6 --dport 8443 -g ~log4 -m comment --comment "timeout port scanners"
-A inet-fw -p 17 --dport 1063:1067 -g ~log3 -m comment --comment "timeout port scanners"
-A inet-fw -j Drop


iptables -nvL:
Chain ~log4 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 3/min burst 2 mode srcip /* timeout port scanners */ LOG flags 0 level 5 prefix "Shorewall:inet-fw:ADD(+IpOne "
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* timeout port scanners */ add-set IpOneDay src
The attached patch seems to correct the problem. It will apply with an
offset to your version.

-Tom




_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
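To see why a `-g` (goto) instead of `-j` (jump) on the logging ADD rule makes the udp 80/443 probe fall through to the `all all REJECT notice` policy instead of `inet all DROP info`, here is an added example that models iptables chain traversal on a simplified version of the chains quoted above. It is a constructed simulation, not Shorewall or netfilter code; the chain layout (INPUT -> inet-fw via -j, `Drop`/`Reject` policy chains, `~log4` as LOG+SET) is an assumption that only approximates the generated ruleset.

```python
# Constructed model of iptables -j/-g traversal (not Shorewall's code).
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PASSTHROUGH = {"LOG", "SET"}  # side-effect targets: the walk continues


def rule(target, goto=False, **match):
    return {"target": target, "goto": goto, "match": match}


def matches(r, pkt):
    return all(pkt.get(k) == v for k, v in r["match"].items())


def walk(chains, name, pkt):
    """Return a verdict, or None when the chain falls through (RETURN or end)."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            return None
        if t in PASSTHROUGH:
            continue
        if r["goto"]:
            # -g pushes no return address: when `t` falls through, control
            # resumes in whatever chain -j'ed into *this* one, so the rest
            # of this chain is skipped.
            return walk(chains, t, pkt)
        verdict = walk(chains, t, pkt)  # -j: resume here on fall-through
        if verdict is not None:
            return verdict
    return None


def build(add_rule_goto):
    """Simplified chains for the quoted rules; `add_rule_goto` picks -g or -j."""
    return {
        "INPUT": [rule("inet-fw", iface="pwrbd"),
                  rule("Reject")],                         # all all REJECT notice
        "inet-fw": [rule("SET", proto="tcp", dport=22),    # ADD without logging
                    rule("~log4", goto=add_rule_goto, proto="udp", dport=80),
                    rule("~log4", goto=add_rule_goto, proto="tcp", dport=8443),
                    rule("Drop")],                         # inet all DROP info
        "~log4": [rule("LOG"), rule("SET")],               # log, add to ipset, fall through
        "Drop": [rule("DROP")],
        "Reject": [rule("REJECT")],
    }


def verdict_for(pkt, goto):
    return walk(build(goto), "INPUT", pkt) or "ACCEPT"  # base-chain policy, simplified


PROBE = {"iface": "pwrbd", "proto": "udp", "dport": 80}  # constructed packet
```

With `goto=True` the probe is logged, added to the set, and then REJECTed by the `all all` policy; with `goto=False` the walk returns into inet-fw and reaches its trailing `Drop` rule.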

