On 7/15/2014 1:05 PM, [email protected] wrote:
> I'm defining my stoppedrules
> 
> I set up a simple one to only allow SSH/VPN access from my HomeIPs
> 
>       /stoppedrules
>               #ACTION   SOURCE                   DEST   PROTO     DEST      SOURCE
>               #                                                 PORT(S)   PORT(S)
>                ACCEPT   EXT_IF:my.home.ip.x/29   $FW    tcp       22
>                ACCEPT   EXT_IF:my.home.ip.x/29   $FW    tcp,udp   1194      1194
> 
> 
> After restart
> 
>       systemctl start shorewall-lite.service
>       systemctl stop shorewall-lite.service
>       iptables -L -n
>               Chain INPUT (policy DROP)
>               target     prot opt source               destination
>               ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            multiport dports 22
>               ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            tcp spt:1194 dpt:1194
>               ACCEPT     udp  --  my.home.ip.x/29      0.0.0.0/0            udp spt:1194 dpt:1194
>               ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> 
>               Chain FORWARD (policy DROP)
>               target     prot opt source               destination         
> 
>               Chain OUTPUT (policy DROP)
>               target     prot opt source               destination         
> 
> I notice INPUT from the entire net is allowed
> 
>       ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> 
> I thought all traffic OTHER than what's explicitly enabled in stoppedrules is implicitly denied.
> 
> I want to (keep) open ONLY traffic for SSH/VPN.
> 
> Did I misunderstand or misconfigure?

You misunderstood. Always use 'shorewall show' to display your ruleset;
that command uses the options necessary to make iptables output useful.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
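The reason `iptables -L -n` misleads here is that, without `-v`, it prints no interface columns: a rule restricted to the loopback interface (`-i lo -j ACCEPT`) and a genuinely unrestricted `-j ACCEPT` both render as `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0`. Viewing the ruleset in `iptables-save`/`iptables -S` form (which is what `shorewall show` exposes) keeps every match on the line. The script below is an added example, not code from the thread or from Shorewall; it audits rules in that form and reports only the ACCEPT rules that carry no interface, source, or connection-state restriction. The ruleset in `SAMPLE_RULES` is constructed for the demonstration (RFC 5737 addresses, modelled on the shape of the poster's rules), not the poster's real output.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall.
# Audits an iptables-save style ruleset and lists the ACCEPT rules in a chain
# that have no -i / -s / conntrack-state restriction, i.e. the rules that are
# genuinely open rather than merely printed as "all 0.0.0.0/0" by iptables -L -n.

# Constructed sample ruleset (not the poster's real output). The first line is
# an interface-restricted accept, which `iptables -L -n` prints exactly like the
# last, unrestricted one.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/29 -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -s 192.0.2.0/29 -p tcp -m tcp --sport 1194 --dport 1194 -j ACCEPT
-A INPUT -s 192.0.2.0/29 -p udp -m udp --sport 1194 --dport 1194 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT'

# unrestricted_accepts CHAIN
#   Reads iptables-save lines on stdin; prints the ACCEPT rules of CHAIN that
#   name no input interface, no source address and no conntrack/state match.
unrestricted_accepts() {
    chain="$1"
    grep -- "^-A $chain " | grep -- '-j ACCEPT' \
        | grep -v -- ' -i ' \
        | grep -v -- ' -s ' \
        | grep -v -- '--ctstate ' \
        | grep -v -- '--state '
}

# count_unrestricted CHAIN
#   Number of such rules in the constructed sample, printed as a bare integer.
count_unrestricted() {
    printf '%s\n' "$SAMPLE_RULES" | unrestricted_accepts "$1" | grep -c . || true
}

# Stand-alone run: report on the sample ruleset.
for c in INPUT FORWARD OUTPUT; do
    printf '%s: %s unrestricted ACCEPT rule(s)\n' "$c" "$(count_unrestricted "$c")"
done
printf '%s\n' "$SAMPLE_RULES" | unrestricted_accepts INPUT
```

On a live host the same check runs as `iptables-save | unrestricted_accepts INPUT`; anything it prints is open to every source on every interface, while rules it filters out should still be read for what they actually restrict (`iptables -L -n -v` adds the `in`/`out` columns if you prefer the table view).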


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
