Shorewall config on Mandrake 9.0

Shorewall config on Mandrake 9.0

Post by Kevi » Mon, 02 Jun 2003 05:37:31



I'm trying to configure my firewall on Mandrake 9.0 using
Mandrake's Control Center as a start and then editing the
resulting shorewall configuration files in /etc/shorewall
to get what I want.  What I want for now is to allow only
ssh and smtp to access my machine.  I did this by specifying
this in my shorewall rules file:

    ACCEPT  net     fw      tcp     ssh,smtp        -
    ACCEPT  net     fw      udp     ssh,smtp        -

When I run nmap from outside my firewall I see ports for
those two protocols open, but also two others closed:

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Interesting ports on nobody.home.com (123.123.321.21):
    (The 1597 ports scanned but not shown below are in state: filtered)
    Port       State       Service
    22/tcp     open        ssh                    
    25/tcp     open        smtp                    
    113/tcp    closed      auth                    
    135/tcp    closed      loc-srv                

    Nmap run completed -- 1 IP address (1 host up) scanned in 422 seconds

What's the meaning of the two closed ports?  What's the risk of
their showing up?

Soon I'll need to change the smtp port so that it's only allowed
from a certain address range (network).  I haven't figured out
how to do that.  Any pointers?

At that time I'll also want to "open up UDP port 500 and IP
Protocol 50 to allow the IPSEC traffic through", so say the
networking staff where I work (I'll have IPSEC access from home).
I think I can figure out how to do this, except for the network
range part.

Pointers much appreciated people....  :^)

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

 
 
 

Shorewall config on Mandrake 9.0

Post by Liam O'Tool » Mon, 02 Jun 2003 07:02:19



> I'm trying to configure my firewall on Mandrake 9.0 using
> Mandrake's Control Center as a start and then editing the
> resulting shorewall configuration files in /etc/shorewall
> to get what I want.  What I want for now is to allow only
> ssh and smtp to access my machine.  I did this by specifying
> this in my shorewall rules file:

>     ACCEPT  net     fw      tcp     ssh,smtp        -
>     ACCEPT  net     fw      udp     ssh,smtp        -

> When I run nmap from outside my firewall I see ports for
> those two protocols open, but also two others closed:

>     Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
>     Interesting ports on nobody.home.com (123.123.321.21):
>     (The 1597 ports scanned but not shown below are in state: filtered)
>     Port       State       Service
>     22/tcp     open        ssh                    
>     25/tcp     open        smtp                    
>     113/tcp    closed      auth                    
>     135/tcp    closed      loc-srv                

>     Nmap run completed -- 1 IP address (1 host up) scanned in 422 seconds

> What's the meaning of the two closed ports?  What's the risk of
> their showing up?

http://www.shorewall.net/FAQ.htm#faq4

> Soon I'll need to change the smtp port so that it's only allowed
> from a certain address range (network).  I haven't figured out
> how to do that.  Any pointers?

> At that time I'll also want to "open up UDP port 500 and IP
> Protocol 50 to allow the IPSEC traffic through", so say the
> networking staff where I work (I'll have IPSEC access from home).
> I think I can figure out how to do this, except for the network
> range part.

> Pointers much appreciated people....  :^)

The specification of port ranges is described in the file
/etc/shorewall/rules.

--

Liam

E-mail: remove "_alias" from the address above

 
 
 

Shorewall config on Mandrake 9.0

Post by Kevi » Mon, 02 Jun 2003 13:39:06




> I'm trying to configure my firewall on Mandrake 9.0 using
> Mandrake's Control Center as a start and then editing the
> resulting shorewall configuration files in /etc/shorewall
> to get what I want.  What I want for now is to allow only
> ssh and smtp to access my machine.  I did this by specifying
> this in my shorewall rules file:

>     ACCEPT  net     fw      tcp     ssh,smtp        -
>     ACCEPT  net     fw      udp     ssh,smtp        -

> When I run nmap from outside my firewall I see ports for
> those two protocols open, but also two others closed:

>     Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
>     Interesting ports on nobody.home.com (123.123.321.21):
>     (The 1597 ports scanned but not shown below are in state: filtered)
>     Port       State       Service
>     22/tcp     open        ssh                    
>     25/tcp     open        smtp                    
>     113/tcp    closed      auth                    
>     135/tcp    closed      loc-srv                

>     Nmap run completed -- 1 IP address (1 host up) scanned in 422 seconds

Ooops.  I should have run nmap with the -sU option to scan the
UDP ports.  Almost all of them are open.  Gulp.  How can I shut
off all but a few?  The Mandrake Control Center seems to leave
them all open.

Thanks....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

 
 
 

Shorewall config on Mandrake 9.0

Post by M200 » Mon, 02 Jun 2003 16:02:13


> Ooops.  I should have run nmap with the -sU option to scan the UDP
> ports. Almost all of them are open.  Gulp.  How can I shut off all but a
> few? The Mandrake Control Center seems to leave them all open.

> Thanks....

Read the Shorewall help docs. There is a warning about results of UDP
scanning with Nmap. In short, because of the non-connection-control of
UDP protocol, Nmap will list as "Open" any port that doesn't reply.
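The first post asks what the two "closed" ports mean, and M200's reply explains why a UDP scan shows almost everything "open". The script below is an added example for this thread, not code from the thread, from Shorewall or from nmap: it parses nmap's port table and maps each (protocol, state) pair to the firewall behaviour that produces it. SAMPLE_TCP_SCAN is a copy of the scan posted above; SAMPLE_UDP_SCAN is a constructed excerpt of what nmap 3.00 prints when a DROP policy swallows the probes. The FAQ entry Liam linked covers both points.

```python
"""Interpret nmap port states in terms of the firewall rule that produced them."""
import re
from collections import Counter

# Copy of the TCP scan posted in the thread.
SAMPLE_TCP_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on nobody.home.com (123.123.321.21):
(The 1597 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
113/tcp    closed      auth
135/tcp    closed      loc-srv

Nmap run completed -- 1 IP address (1 host up) scanned in 422 seconds
"""

# Constructed excerpt: a UDP scan (nmap -sU) against a host whose policy DROPs.
SAMPLE_UDP_SCAN = """\
Interesting ports on nobody.home.com (123.123.321.21):
Port       State       Service
53/udp     open        domain
500/udp    open        isakmp
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
FOLDED_LINE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

# What each (protocol, state) pair says about the fate of the probe packet.
# 'closed' always means the host ANSWERED; 'filtered' means it stayed silent.
MEANING = {
    ("tcp", "open"): "SYN/ACK came back: an ACCEPT rule and a listening service",
    ("tcp", "closed"): "a TCP RST came back: a REJECT rule that answers with a "
                       "TCP reset, or an unfiltered port with nothing listening",
    ("tcp", "filtered"): "no answer (or an ICMP error): a DROP rule, or a REJECT "
                         "that answers with an ICMP unreachable",
    ("udp", "open"): "no answer at all: nmap 3.00 calls a silent UDP port open, "
                     "so a DROP policy makes every UDP port look open "
                     "(newer nmap reports open|filtered instead)",
    ("udp", "closed"): "ICMP port-unreachable came back: REJECT, or nothing listening",
    ("udp", "filtered"): "another ICMP unreachable came back, e.g. admin-prohibited",
}


def parse_scan(text):
    """Return (ports, folded): the listed ports as dicts, and the
    (count, state) pair nmap folded into its one-line summary."""
    ports, folded = [], (0, None)
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            ports.append({"port": int(port), "proto": proto,
                          "state": state, "service": service})
            continue
        m = FOLDED_LINE.search(line)
        if m:
            folded = (int(m.group(1)), m.group(2))
    return ports, folded


def explain_scan(text):
    """(port, proto, state, meaning) for every listed port."""
    ports, _ = parse_scan(text)
    return [(p["port"], p["proto"], p["state"],
             MEANING.get((p["proto"], p["state"]), "unrecognised state"))
            for p in ports]


def summarize(text):
    """Port count per state, including the folded ports."""
    ports, (count, state) = parse_scan(text)
    counts = Counter(p["state"] for p in ports)
    if state:
        counts[state] += count
    return dict(counts)


def answering_tcp_services(text):
    """Only TCP 'open' is proof of a real listener; UDP 'open' is not."""
    ports, _ = parse_scan(text)
    return [(p["port"], p["service"]) for p in ports
            if p["proto"] == "tcp" and p["state"] == "open"]


if __name__ == "__main__":
    for port, proto, state, meaning in explain_scan(SAMPLE_TCP_SCAN):
        print(f"{port}/{proto:<4} {state:<9} {meaning}")
    print(summarize(SAMPLE_TCP_SCAN))
    for port, proto, state, meaning in explain_scan(SAMPLE_UDP_SCAN):
        print(f"{port}/{proto:<4} {state:<9} {meaning}")
```

The risk question in the first post reduces to this: a "closed" port exposes no service, it only tells the scanner that the host is up and answering, whereas "open" on TCP is a real listener. For UDP under nmap 3.00 the "open" column carries no information until the tool is told which ports actually replied, which is why the second scan looked alarming.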
 
 
 

Shorewall config on Mandrake 9.0

Post by Kevi » Wed, 04 Jun 2003 01:56:18





> > I should have run nmap with the -sU option to scan the
> > UDP ports.  Almost all of them are open.

> You must have missed Liam O'Toole's reply
> to your earlier post.  Liam O'Toole suggested this URL:
> http://www.shorewall.net/FAQ.htm#faq4
> and 4a. looks reassuring.

Yes, the FAQ got me going.  My firewall is up and running.  I
still need to check that masquerading from the rest of my network
(i.e. the other Linux PC) is working.

Thanks all....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

 
 
 

Shorewall config on Mandrake 9.0

Post by Kevi » Thu, 05 Jun 2003 07:45:42


OK, I got it sorted out.  My Mandrake 9.0 system now

  - Connects to the internet just fine.
  - Masquerades my other computer's connection to the internet
    just fine.
  - Blocks all traffic into my firewall host except for ssh, for
    any host, and smtp, for only one network of hosts (my work).

So that others might benefit from my experience (and it seems
there are a lot of people that just give up on shorewall on
Mandrake) here's what my shorewall files look like:

++++++++++++++++++++++++++++++
/etc/shorewall/interfaces
++++++++++++++++++++++++++++++
# eth0 connects to my DSL modem
# eth1 connects to my LAN (the other PC)
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0    detect
masq    eth1    detect

++++++++++++++++++++++++++++++
/etc/shorewall/masq
++++++++++++++++++++++++++++++
#INTERFACE     SUBNET          ADDRESS
eth0    eth1

++++++++++++++++++++++++++++++
/etc/shorewall/policy
++++++++++++++++++++++++++++++
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
masq    net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

++++++++++++++++++++++++++++++
/etc/shorewall/rules
++++++++++++++++++++++++++++++
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
# OK, so I lied not everything is allowed to go from my LAN to my
# firewall.  Why open up more than I really can see needing?
ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,smtp,nntp,ntp     -
ACCEPT  masq    fw      udp     domain,bootps,http,https,631,smtp,nntp,ntp     -
ACCEPT  net     fw      tcp     ssh     -
ACCEPT  net     fw      udp     ssh     -
ACCEPT  net:123.123.0.0/16      fw      tcp     smtp    -
ACCEPT  net:123.123.0.0/16      fw      udp     smtp    -
ACCEPT  net:123.123.0.0/16      fw      tcp     50      -
ACCEPT  net:123.123.0.0/16      fw      udp     500     -
ACCEPT  fw      masq    tcp     631,137,138,139 -
ACCEPT  fw      masq    udp     631,137,138,139 -

++++++++++++++++++++++++++++++
/etc/shorewall/zones
++++++++++++++++++++++++++++++
net     Net     Internet zone
masq    Masquerade      Masquerade Local

Hope that helps someone.....

--
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.
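As an added example (not from the thread and not part of Shorewall), the script below lints the rules file Kevi posted, copied in as a constructed string, the way a reviewer would read it: UDP lines that open ports for services that only speak TCP; what the whole Internet can reach on the firewall; and whether the IPsec requirement stated in the first post (UDP port 500 plus IP protocol 50) is actually met. That last check is the useful one, because `tcp 50` is TCP port 50, not protocol 50 (ESP), so ESP from the work network would still be dropped. It assumes the column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST and the zone name `fw`, as used in the posted files.

```python
"""Lint a Shorewall rules file against least-privilege expectations."""

# Constructed copy of the rules file posted above.
SAMPLE_RULES = """\
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,smtp,nntp,ntp     -
ACCEPT  masq    fw      udp     domain,bootps,http,https,631,smtp,nntp,ntp     -
ACCEPT  net     fw      tcp     ssh     -
ACCEPT  net     fw      udp     ssh     -
ACCEPT  net:123.123.0.0/16      fw      tcp     smtp    -
ACCEPT  net:123.123.0.0/16      fw      udp     smtp    -
ACCEPT  net:123.123.0.0/16      fw      tcp     50      -
ACCEPT  net:123.123.0.0/16      fw      udp     500     -
ACCEPT  fw      masq    tcp     631,137,138,139 -
ACCEPT  fw      masq    udp     631,137,138,139 -
"""

# Services that only ever speak TCP; an "udp" line naming them opens a port
# that nothing listens on, which is surface for no benefit.
TCP_ONLY = {"ssh", "smtp", "http", "https", "nntp"}


def parse_rules(text):
    """Split each rule into its columns; trailing columns default to '-'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (7 - len(cols))
        action, source, dest, proto, dport, _sport, _origdest = cols[:7]
        zone, _, hosts = source.partition(":")
        rules.append({
            "line": lineno, "action": action, "zone": zone,
            "hosts": hosts or None,           # None means the whole zone
            "dest": dest, "proto": proto.lower(),
            "dports": [] if dport == "-" else dport.split(","),
        })
    return rules


def udp_for_tcp_only_services(rules):
    """(line, service) for every UDP rule naming a TCP-only service."""
    return [(r["line"], p) for r in rules if r["proto"] == "udp"
            for p in r["dports"] if p in TCP_ONLY]


def world_reachable(rules, fw="fw"):
    """(proto, port) pairs any host on the Internet may reach on the firewall:
    ACCEPT rules from the unrestricted 'net' zone to fw."""
    return [(r["proto"], p) for r in rules
            if r["action"] == "ACCEPT" and r["zone"] == "net"
            and r["hosts"] is None and r["dest"] == fw
            for p in r["dports"]]


def ipsec_gaps(rules, hosts, fw="fw"):
    """IPsec from a peer needs IKE (UDP 500) and ESP (IP protocol 50).
    Returns the rule lines that are missing. ESP is a protocol, not a
    port, so in the PROTO column it is written as 50 with no DEST PORT."""
    mine = [r for r in rules if r["action"] == "ACCEPT"
            and r["zone"] == "net" and r["hosts"] == hosts and r["dest"] == fw]
    have_ike = any(r["proto"] == "udp" and "500" in r["dports"] for r in mine)
    have_esp = any(r["proto"] in ("50", "esp") for r in mine)
    missing = []
    if not have_ike:
        missing.append(f"ACCEPT  net:{hosts}  {fw}  udp  500")
    if not have_esp:
        missing.append(f"ACCEPT  net:{hosts}  {fw}  50")
    return missing


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("UDP opened for TCP-only services:", udp_for_tcp_only_services(rules))
    print("reachable from anywhere:", world_reachable(rules))
    print("IPsec rules still missing:", ipsec_gaps(rules, "123.123.0.0/16"))
```

Run against the posted file it reports the six UDP lines for ssh, smtp, http, https and nntp, `ssh` as the only world-reachable service, and one missing IPsec line: the ESP rule with `50` in the PROTO column. Adding that line and removing `tcp 50` makes the file match what the networking staff asked for.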

 
 
 

shorewall setup issue with Mandrake 10C and sagem eagle usb modem

I have some problems setting up shorewall with the sagem eagle usb modem
under Mandrake 10 community. I have upgraded shorewall to version 2.0.2f
but with the original installed version I had the same problems.

At the moment I can only connect to the net after "shorewall stop".
I am confused how to set up shorewall with this usb modem. When the modem
is connected it shows 2 interfaces: "ppp0" and "eth1".
"eth0" is a network card that I have connected to another PC.

To me it is not clear how I should use ppp0 and eth1 in the
/etc/shorewall/interfaces file.

Is ppp0 the adsl connection between the modem and my ISP?
And eth1 is the connection between the modem and my computer?

How do I add both interfaces in the zones file?
Now I have:
net      eth1           detect          dhcp,tcpflags
loc      eth0           10.10.10.0/24   tcpflags

But should I have both ppp0 and eth1 in there? If yes, how?

Thanks in advance for help on this.
Paul

some info (after giving the command: shorewall stop):

2.0.2f

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:fb:1d:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e0:4cff:fefb:1d03/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:fffb:1d03/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:4c:28:8a:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.30/24 brd 192.168.60.255 scope global eth1
    inet6 fe80::260:4cff:fe28:8adc/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ff28:8adc/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 83.156.78.158 peer 212.129.9.71/32 scope global ppp0
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ps: what is sit0?
