dmvianna l33t
Joined: 22 Mar 2004 Posts: 742 Location: Down Underland
Posted: Fri Feb 04, 2005 1:33 pm Post subject: aMule, shorewall and a router... :(
Hi.
I had the kmyfirewall initscript running for some time on my box. I used to be able to run
Code:
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT
iptables -A INPUT -p udp --dport 4675 -j ACCEPT
before running aMule to open the ports, and everything worked fine. But I decided to install shorewall in its place. I have the
Code:
ACCEPT net fw tcp 4662
ACCEPT net fw udp 4672
ACCEPT net fw udp 4675
rules and even tried to put
Code:
ACCEPT fw net tcp 4662
... and all the rest on too. But I keep getting these logs:
Code:
root@thinkpad shorewall # /sbin/shorewall show log
Shorewall-2.0.7 Log at thinkpad - Sex Fev 4 22:56:40 EST 2005
Counters reset Fri Feb 4 22:56:15 EST 2005
Feb 4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=81.39.30.23 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=109 ID=15820 DF PROTO=TCP SPT=28604 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 4 22:55:44 rfc1918:DROP:IN=eth0 OUT= SRC=84.100.250.209 DST=192.168.0.5 LEN=48 TOS=0x18 PREC=0x00 TTL=107 ID=45456 DF PROTO=TCP SPT=1962 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 4 22:56:11 rfc1918:DROP:IN=eth0 OUT= SRC=62.220.129.170 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=45 ID=15012 DF PROTO=TCP SPT=40607 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 4 22:56:18 rfc1918:DROP:IN=eth0 OUT= SRC=70.84.28.212 DST=192.168.0.5 LEN=60 TOS=0x18 PREC=0x00 TTL=48 ID=43822 DF PROTO=TCP SPT=51521 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
...
The logs report dropping stuff that goes to port 4662 (tcp), from various external IPs.
What happens to aMule is: I get lowid from servers, but when I'm not connected I can receive connections from other users as normal...
AND nmap says everything's closed but 6001/tcp (for X11).
So how can I make shorewall open those ports for aMule?
_________________
Proprietary is theft. Pierre-Joseph Proudhon, if he had a chance
Powered by a MacBook Pro
dmvianna l33t
Joined: 22 Mar 2004 Posts: 742 Location: Down Underland
Posted: Fri Feb 04, 2005 1:56 pm Post subject:
Just got rid of the norfc1918, routefilter, dhcp and tcpflags options in the interfaces file. It worked!!! What does that mean??? Is it safe?
rbr28 Tux's lil' helper
Joined: 09 Feb 2004 Posts: 126
Posted: Fri Feb 04, 2005 9:19 pm Post subject:
It's the norfc part that did it. What that does is block routing of any IPs that are not typically routable, such as the 192.168.x.x IP that your machine has. It's a bit of a security risk to dump that, but a necessary one in your case. You would never want to remove that norfc option for a machine on the internet, because it should definitely not be getting hit with traffic from non-routable IPs.
If you were really paranoid, you could configure the firewall to drop all other non-routable IP addresses fairly easily, without using the norfc option.
dmvianna l33t
Joined: 22 Mar 2004 Posts: 742 Location: Down Underland
Posted: Sat Feb 05, 2005 12:13 am Post subject:
How do I do that?
rbr28 Tux's lil' helper
Joined: 09 Feb 2004 Posts: 126
Posted: Sat Feb 05, 2005 1:59 am Post subject:
The easiest way I can think of is to use the blacklist. Add blacklist to the options in your /etc/shorewall/interfaces file. The file is well documented and you can see what the blacklist option enables. Then edit the /etc/shorewall/blacklist file. Again, it's well commented and simple to set up.
The IPs that norfc1918 would normally block include the following:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The first two ranges you can block completely. If you look at the comments in /etc/shorewall/rules, you can see what syntax you use for specifying the ranges. You can do exactly as above for the first two, in your blacklist... just put 10.0.0.0/8 and 172.16.0.0/12 in your blacklist file.
The last range you would have to break up, because that includes your IP. Do something like 192.168.0.0-192.168.0.4 and 192.168.0.6-192.168.255.255. I say that because your IP in your post was 192.168.0.5.
You don't need to specify port or protocol in the blacklist, because you would want to block everything from these IPs.
Doing all that would give you the same effect as norfc1918, except for letting your IP pass through the firewall. If you do all that, make sure, too, that you always get the same IP on that machine. If you are using DHCP from a home router or something, you can usually set a reservation in the router so that you do get the same IP all the time. If you don't do that, you could get a different 192.168.x.x address when you reboot, and you would have problems again.
There are other alternatives too, such as leaving a range open in your firewall that is the same as the IP range used by DHCP on your router. I'd say that's really a last resort though, if you can reserve the IP with your particular setup.
Also, someone else may have a better idea than using the blacklist. There are other ways, such as just specifying those IPs in the rules file, but you'd get pretty much the same effect.
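As an added example (not from anyone in this thread), the following Python builds the blacklist entries rbr28 describes for a given local address: a whole prefix for each RFC 1918 range that does not contain the host, and the <low>-<high> iprange entries on either side of the host for the one that does. Function names are mine, and the addresses used are the DST and SRC values from the log excerpt in the first post.

```python
import ipaddress

# The three RFC 1918 ranges listed in the post above.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def blacklist_entries(host_ip):
    """Blacklist entries covering all RFC 1918 space except host_ip.
    A range not containing the host becomes one CIDR entry; the range
    that does is split into low-high pieces around the host (a host on
    a range boundary yields a single piece)."""
    host = ipaddress.ip_address(host_ip)
    entries = []
    for net in RFC1918:
        if host not in net:
            entries.append(str(net))
            continue
        first, last = net[0], net[-1]
        if host > first:
            entries.append(f"{first}-{host - 1}")
        if host < last:
            entries.append(f"{host + 1}-{last}")
    return entries


def _bounds(entry):
    """Integer (low, high) bounds of a CIDR or low-high entry."""
    if "-" in entry:
        low, high = entry.split("-")
        return int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
    net = ipaddress.ip_network(entry)
    return int(net[0]), int(net[-1])


def is_blacklisted(entries, src_ip):
    """True if a packet's source address falls inside any entry."""
    n = int(ipaddress.ip_address(src_ip))
    return any(low <= n <= high for low, high in map(_bounds, entries))


if __name__ == "__main__":
    # Constructed input: the host address seen as DST in the log excerpt.
    entries = blacklist_entries("192.168.0.5")
    print("\n".join(entries))
    # Public SRC from the log passes; other private sources are dropped.
    for src in ("81.39.30.23", "192.168.0.4", "192.168.0.5", "10.1.2.3"):
        print(src, "dropped" if is_blacklisted(entries, src) else "passed")
```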
dmvianna l33t
Joined: 22 Mar 2004 Posts: 742 Location: Down Underland
Posted: Sat Feb 05, 2005 2:53 am Post subject:
Thanks, rbr28.
Completely blocking subnets works, but I can't find a syntax that would work for ranges within subnets.
I can't find anything like it in http://shorewall.net/Documentation.htm#Blacklist either. Can shorewall do that?
rbr28 Tux's lil' helper
Joined: 09 Feb 2004 Posts: 126
Posted: Sat Feb 05, 2005 10:26 pm Post subject:
The text below is from the Shorewall documentation:
Beginning with Shorewall 2.2.0, if your kernel and iptables have iprange match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>. Example: 192.168.1.5-192.168.1.12.
To see if your kernel and iptables have the required support, use the shorewall check command:
Code:
>~ shorewall check
...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
IP range Match: Available <--------------
dmvianna l33t
Joined: 22 Mar 2004 Posts: 742 Location: Down Underland
Posted: Sat Feb 05, 2005 10:58 pm Post subject:
Code:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
I use shorewall 2.0.7 and iptables 1.2.9, kernel 2.6.9. My kernel was compiled with IP range match support. Shorewall also reported that it does not support the 'check' command.
infirit l33t
Joined: 11 Jan 2003 Posts: 778 Location: Hoofddorp / The Netherlands
Posted: Mon Oct 24, 2005 5:24 pm Post subject:
I would like to share my shorewall rules on my linksys router running openwrt for amule. I have set up rules that forward connections on emule ports tcp 4663 and udp 4673 to my workstation. Hope it is useful for someone.
Code:
DNAT net loc:192.168.1.127 tcp 4663 #muleTCP
DNAT net loc:192.168.1.127 udp 4673 #muleUDP
ACCEPT loc net tcp 4663 #muleTCP
ACCEPT loc net udp 4673 #muleUDP
_________________
EASY TO INSTALL = Difficult to install, but instruction manual has pictures.
Join the adopt an unanswered post initiative today