Gentoo Forums: Documentation, Tips & Tricks
Prompt and Powerful Personal Firewalling with Shorewall

manicman (n00b, Joined: 30 Jun 2004, Posts: 19)
Posted: Mon Apr 25, 2005 4:07 pm

Hm... but if I start my shorewall first, my defined rules will be loaded and after that the rules in /usr/share/shorewall will be loaded... and then samba won't work fine and somehow I can't surf anymore...
But this topic would be something for the support thread...
But I am trying a bit more before I ask for support.. :)

manicman (n00b, Joined: 30 Jun 2004, Posts: 19)
Posted: Mon Apr 25, 2005 4:12 pm

Since you cited my post: I get error messages from the pre-processor:

Code:

root@manicman-mobile - Mo Apr 25 18:03:43 - /var/log
>shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
IP Forwarding Disabled!
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Error: Missing Action File: action.DropSMB
Processing /etc/shorewall/stop ...
IP Forwarding Disabled!
Processing /etc/shorewall/stopped ...

and I cannot imagine why.

Sorry, I've seen your reply too late.

Shotpiece (Apprentice, Joined: 01 Jul 2004, Posts: 248)
Posted: Tue Apr 26, 2005 6:01 pm

Amazing tutorial. Someone told me to set up iptables one day and the attempt blew my mind.

Having ONE problem though: I can't get FTP to work properly. With shorewall up, I am able to log in and navigate, but when I try to PUT a file, I get this:
Code:
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put
(local-file) /home/john/screenshot.png
(remote-file) ./screenshot.png
local: /home/john/screenshot.png remote: ./screenshot.png
200 PORT command successful.
and then it just freezes there. When I take shorewall down, everything works fine. Here's the applicable part of my "rules":
Code:
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             udp     21 #ftp

Any insight?

EDIT: I just noticed the SUPPORT page for this... sorry for posting in the wrong place :(

ChojinDSL (l33t, Joined: 07 Jul 2003, Posts: 784)
Posted: Wed Apr 27, 2005 1:44 pm

You know what would be really cool? If someone could post a tutorial on setting up shorewall in combination with QoS, so that you can do things like playing Enemy Territory online with a nice low ping and still have edonkey or bittorrent or other downloads running in the background.

I have been unsuccessfully trying to set that up for ages, but I just can't get my head around it, since most tutorials and howtos I've seen regarding this are about using iptables scripts and not shorewall.

pjp (Administrator, Joined: 16 Apr 2002, Posts: 17813)
Posted: Fri Apr 29, 2005 4:41 am

Split off Why on earth do you need a PFW with Linux?

Bob P (Advocate, Joined: 20 Oct 2004, Posts: 3355, Location: Jackass! Development Labs)
Posted: Fri Apr 29, 2005 4:43 am

pjp wrote:
Split off Why on earth do you need a PFW with Linux?

That was a good idea! :idea:
_________________
Stage 1/3 | Jackass! | Rockhopper! | Thanks | Google Sucks

{{Azrael}} (Tux's lil' helper, Joined: 01 Mar 2005, Posts: 117)
Posted: Fri Apr 29, 2005 11:12 am

Hey, what's the best way to configure three NICs to all use the same zone? So far I'm using three zones, one for each NIC, but I think it would be better to just use one zone for all of them.

And for some weird reason FTP and some file sharing service are open. All other common ports are good, and I'm not sure why. I'm new to all this Linux security stuff, and my laptop has been running with no firewall for a good six months. Is it possible someone has hacked my box? Because I certainly am not running a file sharing app or using FTP.

21
FTP
OPEN! FTP servers have many known security vulnerabilities and the payoff from exploiting an insecure FTP server can be significant. This system's open FTP port is inviting intruders to examine your system more closely.

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!

From GRC shields up.

Sith_Happens (Veteran, Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Sat Apr 30, 2005 12:55 am

Post the output of netstat -tap in the support thread, and let's see what is listening on port 21. As for the same zone on multiple interfaces, give me a little information on your network topography and I'll help you set it up. Again, post in the support thread, not this thread.
_________________
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
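The check asked for above, worked through as an added example that is not part of the thread: a small POSIX shell helper that reads `netstat -tap` output and reports every listening socket, which program owns it, and whether it is bound to every interface (the `*:port` or `0.0.0.0:port` form) or only to one address. The sample output embedded in the script is constructed for the demonstration, not taken from any post; on a live system you would run `netstat -tap | list_listeners` as root, since `-p` only shows program names for processes you own. Without `-n`, netstat prints service names such as `ftp` instead of port numbers, which is what the sample and `listener_for_port` assume.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `netstat -tap` output so that
# unexpected listeners (such as the FTP port reported above) stand out.
# Usage on a live system (as root, so -p can show program names):
#   netstat -tap | list_listeners

# Constructed sample of `netstat -tap` output; it is not taken from any post.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      1234/vsftpd
tcp        0      0 *:ssh                   *:*                     LISTEN      987/sshd
tcp        0      0 localhost:ipp           *:*                     LISTEN      1100/cupsd
tcp        0      0 192.0.2.10:ssh          198.51.100.7:51234      ESTABLISHED 2001/sshd'

# list_listeners: reads netstat output on stdin and prints one line per
# LISTEN socket: "<local address> <pid/program> <scope>", where scope is
# EXPOSED for sockets bound to every interface (*:port or 0.0.0.0:port)
# and local for sockets bound to a single address.
list_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        scope = ($4 ~ /^(\*|0\.0\.0\.0):/) ? "EXPOSED" : "local"
        print $4, $7, scope
    }'
}

# count_exposed: number of LISTEN sockets reachable on every interface.
count_exposed() {
    list_listeners | awk '$3 == "EXPOSED"' | wc -l | tr -d ' '
}

# listener_for_port PORT: prints the pid/program bound to PORT (a number, or
# the service name netstat prints when run without -n); prints nothing if
# nothing listens there.
listener_for_port() {
    list_listeners | awk -v p="$1" '{ n = split($1, a, ":"); if (a[n] == p) print $2 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_exposed)"
printf 'on port 21/ftp: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_for_port ftp)"
```

The point of the scope column is that a service bound only to `localhost` is not what an outside scanner such as ShieldsUP sees; an EXPOSED entry on a port you did not expect is the one to chase down by PID before touching firewall rules.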

Lejban (n00b, Joined: 12 Dec 2003, Posts: 53, Location: Sweden)
Posted: Fri May 13, 2005 3:49 pm

This looks really neat, but I have some questions:

How is this better than iptables?

Isn't this, by adding one more software which could contain bugs, less secure?
_________________
http://www.lejban.se|http://www.koad.se

Sith_Happens (Veteran, Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Sat May 14, 2005 3:08 am

Lejban wrote:
This looks really neat, but I have some questions:

How is this better than iptables?

Isn't this, by adding one more software which could contain bugs, less secure?
That is a good point, and in fact there have been security flaws in older versions of shorewall (see GLSA 200407-07). However, that was a local exploit (i.e., the attacker needed to have local user privileges before he could exploit it), and it was a while and several versions of shorewall ago. It is interesting to note, however, that around the same time another, more serious bug was discovered in iptables (GLSA 200407-12) that was a remote bug only requiring the attacker to send a malformed TCP packet to send the CPU into an infinite loop, consuming all resources and resulting in a DoS. So while you are correct that as a rule relying on additional programs increases the potential for bugs, you have to keep things in perspective. The real advantage of using Shorewall over simply iptables is that it makes firewall/router settings easier to configure, easier to modify, and easier to transfer between networks.

gary (Tux's lil' helper, Joined: 11 Jan 2004, Posts: 110, Location: Auburn, CA)
Posted: Mon May 16, 2005 9:46 pm

I'd like to add my appreciation for this tut. I know essentially nothing about iptables or security, but I was able to set up shorewall and get a "Perfect TruStealth" score from Gibson's ShieldsUp page in about half an hour.

No such thing as perfect security, of course, but this is about as good as I am likely to get on my home machine.

Now, on to...what used to be called IP Masquerading...what is it called now? Port forwarding?

Thanks again.

monotux (l33t, Joined: 09 Sep 2003, Posts: 751, Location: Stockholm, Sweden)
Posted: Mon May 16, 2005 10:58 pm

gary wrote:
Now, on to...what used to be called IP Masquerading...what is it called now? Port forwarding?

I believe you're talking about NAT :-)
_________________
Computer science is no more about computers than astronomy is about telescopes.

gary (Tux's lil' helper, Joined: 11 Jan 2004, Posts: 110, Location: Auburn, CA)
Posted: Tue May 17, 2005 12:40 am

Quote:
I believe you're talking about NAT


It seems so. After checking out the shorewall site it seems that what I am after is SNAT, or, since I use DHCP from my ISP, it is actually still called IP Masquerading.

I have set it up according to the tut there, but it doesn't actually work yet. On to the support forums! :o

monotux (l33t, Joined: 09 Sep 2003, Posts: 751, Location: Stockholm, Sweden)
Posted: Wed May 18, 2005 1:39 am

SNAT is usable only when you have a fixed address; if you have DHCP, you have to use MASQ (it's a bit slower in theory, since the firewall has to check its own IP every time it translates a packet in and out from the LAN)... :-)

rbiswarup (n00b, Joined: 26 Jan 2005, Posts: 26, Location: India)
Posted: Thu Jun 02, 2005 4:32 pm

I want to know whether the built-in firewall of rp-pppoe is sufficient or not? :?

Sith_Happens (Veteran, Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Thu Jun 02, 2005 5:00 pm

rbiswarup wrote:
I want to know whether the built-in firewall of rp-pppoe is sufficient or not? :?
For a single ended setup on a strictly client system it probably has all of the options you'll need. Not having any experience with it though, I can't give you any advice beyond that. :(

tshelt (n00b, Joined: 05 Sep 2003, Posts: 28)
Posted: Sun Jun 05, 2005 5:24 am    Post subject: Great Tutorial...

This tutorial really was good. I got everything up and running with a minimum of fuss. So, now all is joy.

Thank You!
Tom

<3 (l33t, Joined: 21 Oct 2004, Posts: 918)
Posted: Sun Jun 19, 2005 8:34 pm

nford wrote:
Thanks for the tutorial - I managed to get a firewall running quite painlessly :D


I could not have said it better myself. Setting up iptables w/o shorewall is mind-blowing. Thx for the tutorial. The best thing this tutorial has is examples that I could follow. Someone should add this to the Gentoo Security Documentation site.

Sith_Happens (Veteran, Joined: 15 Dec 2004, Posts: 1807, Location: The University of Maryland at College Park)
Posted: Tue Jun 21, 2005 4:09 pm

The Shoreline Firewall v. 2.2.3 is now stable in portage. I'll be updating the guide soon to reflect the changes in this version.

96140 (Retired Dev, Joined: 23 Jan 2005, Posts: 1324)
Posted: Tue Jun 28, 2005 5:24 am

Thanks Ryan for the great tutorial; it's a good start on a desktop firewall. The default rules you've provided give only two failed tests at Shields Up!, neither of which is critical. So it's a very good basic firewall.

prolific (Apprentice, Joined: 19 Apr 2002, Posts: 237)
Posted: Thu Jul 07, 2005 9:14 am

Is there any point in using shorewall if I'm behind a router already? (Netgear MR814)

hari (n00b, Joined: 28 Aug 2002, Posts: 3)
Posted: Mon Jul 11, 2005 4:35 pm

Thanks for the nice tutorial. I did have a few problems though:

A change needs to be made in /etc/shorewall.conf
Code:
##############################################################################
#                      S T A R T U P   E N A B L E D
##############################################################################
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'

STARTUP_ENABLED=No

This needs to be "Yes" for shorewall to work!

Also, the default /etc/shorewall/zones file has no zones defined.
Code:
# /etc/init.d/shorewall start
 * Starting firewall ...
   Error: No Zones Defined
/etc/init.d/shorewall: line 13: 32442 Terminated              /sbin/shorewall start >/dev/null                                [ !! ]

So I added
Code:
#ZONE         DISPLAY      COMMENTS
net        Net            Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

This is with shorewall 2.2.3.
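The two fixes in the post above, turned into a pre-flight check that can be run before `/etc/init.d/shorewall start`. This is an added example, not code from the thread or from the Shorewall project. It assumes the Shorewall 2.2 file layout, with the main configuration at /etc/shorewall/shorewall.conf (the path the start-up log earlier in the thread shows) and the zones file at /etc/shorewall/zones; the fixtures it builds in a temporary directory are constructed copies of the broken defaults and of the fixed files, so the script runs without touching a real installation.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: a pre-flight
# check for the two start-up failures reported above, STARTUP_ENABLED still
# set to No and a zones file with no zone lines. By default it reads the
# Shorewall 2.2 files /etc/shorewall/shorewall.conf and /etc/shorewall/zones
# (assumed layout); pass another directory as the first argument to check
# copies kept elsewhere.

# startup_enabled FILE: succeeds if FILE sets STARTUP_ENABLED to Yes
# (case-insensitive; quotes and surrounding whitespace are ignored).
startup_enabled() {
    awk -F= '$1 ~ /^[ \t]*STARTUP_ENABLED[ \t]*$/ {
                 v = tolower($2); gsub(/[ \t"]/, "", v); if (v == "yes") found = 1
             }
             END { if (found) exit 0; exit 1 }' "$1"
}

# zones_defined FILE: succeeds if FILE has at least one line that is neither
# blank nor a comment, i.e. at least one zone entry.
zones_defined() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# preflight [DIR]: prints one line per problem found in DIR (default
# /etc/shorewall) and returns the number of problems, so 0 means "ready".
preflight() {
    dir=${1:-/etc/shorewall}
    problems=0
    if ! startup_enabled "$dir/shorewall.conf"; then
        echo "STARTUP_ENABLED is not Yes in $dir/shorewall.conf"
        problems=$((problems + 1))
    fi
    if ! zones_defined "$dir/zones"; then
        echo "no zones defined in $dir/zones"
        problems=$((problems + 1))
    fi
    return $problems
}

# make_fixture STARTUP ZONE: writes a constructed shorewall.conf and zones
# file into a fresh temporary directory and prints its path. STARTUP is the
# STARTUP_ENABLED value to write; ZONE is "with" for a net zone line or
# "without" for the empty default file described in the thread.
make_fixture() {
    dir=$(mktemp -d)
    printf '# constructed fixture, not a real installation\nSTARTUP_ENABLED=%s\n' "$1" > "$dir/shorewall.conf"
    printf '#ZONE   DISPLAY   COMMENTS\n' > "$dir/zones"
    if [ "$2" = "with" ]; then
        printf 'net     Net       Internet\n' >> "$dir/zones"
    fi
    printf '#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n' >> "$dir/zones"
    echo "$dir"
}

# Demonstration: the broken defaults first, then the fixed files.
broken=$(make_fixture No without)
fixed=$(make_fixture Yes with)
preflight "$broken" || echo "$? problem(s) in $broken"
preflight "$fixed" && echo "no problems in $fixed"
rm -rf "$broken" "$fixed"
```

Running the check from a startup script before the real `shorewall start` turns the silent `[ !! ]` failure some later posts describe into a message that names the file to edit; the exit status is the problem count, so a wrapper can refuse to continue while it is non-zero.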

jonny bravo (n00b, Joined: 29 May 2005, Posts: 31)
Posted: Wed Jul 13, 2005 4:21 am

First off, Sith, I'd like to thank you for your time and effort on the Shorewall tutorial and the Jackass/Gentoo project. I have one question though. I'm still kind of a newbie (but if you don't ask you'll never know). I followed the Shorewall tutorial and then did a check on the Shields Up site; all my ports are stealthed, but they were able to get an ICMP ping. Is there a way to stealth this, or is it something I missed? Also, the other night I tried to get an iso from an ftp site; I couldn't connect to any of the ftp links, except for the http links. I'm not sure if it was just bad timing or if it's something to do with Shorewall. Once again, thanks, keep up the good work.

lonrot_m (Apprentice, Joined: 18 Jun 2005, Posts: 274, Location: Mexico)
Posted: Sun Jul 31, 2005 4:04 am

Hi:

I followed every word of this tutorial, but
Code:
etc/init.d/shorewall start
 * Starting firewall ...                                                            [ !! ]

I receive this when I try to start, and since it doesn't return any error I don't know what to do; by the way, there is nothing in /var/log/messages.

I am using gentoo-sources 2.6.12-r6.
Thank you

lonrot_m (Apprentice, Joined: 18 Jun 2005, Posts: 274, Location: Mexico)
Posted: Sun Jul 31, 2005 4:42 pm

Hi again:

I guess it is because metalog isn't configured for shorewall. How do I do that? Can someone tell me?

Page 2 of 3