stardotstar l33t
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
Posted: Thu Sep 25, 2008 2:21 pm Post subject: [SOLVED]Very basic Shorewall assistance needed - won't go
Must be my bad, but I have been trying to get the most basic Shorewall running all night since getting the chance to colocate my server tomorrow.
Everything is pretty much in readiness and I have based my configs on my existing Shorewall install, but that was Debian and I am at a loss with the error I now have.
I had some kernel configs wrong but now I am stumped.
Code: |
helios log # /etc/init.d/shorewall start
* Caching service dependencies ... [ ok ]
* Starting firewall ...
WARNING: Zone loc is empty
iptables v1.4.0: bad rate `Yes'
Try `iptables -h' or 'iptables --help' for more information.
/sbin/shorewall: line 375: 16701 Terminated ${VARDIR}/.start $debugging start [ !! ]
helios log #
|
Code: |
helios log # /etc/init.d/shorewall check
* Checking configuration files ...
Checking...
Initializing...
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
WARNING: Zone loc is empty
Deleting user chains...
Checking /etc/shorewall/routestopped ...
Creating Interface Chains...
Checking Common Rules
Compiling IP Forwarding...
Checking /etc/shorewall/rules...
Checking Actions...
Checking /usr/share/shorewall/action.Drop for Chain Drop...
Checking /usr/share/shorewall/action.Reject for Chain Reject...
Checking /etc/shorewall/policy...
Checking Traffic Control Rules...
Checking Rule Activation...
Shorewall configuration verified [ ok ]
helios log #
|
What I want to start with is a set of rules that deny everything from the net to the server except ssh from my home machine.
Fortunately I have iLO on the server so if I get locked out I can local in. Previously when it was falling over it was locking my ssh client session and every time I had to rebuild the kernel in the iLO console - but it worked well enough to prove that I will be safe enough configuring once I have the machine in the remote rack.
Hope I can get some patient guidance on this.
TIA
Will
My basics are currently this (made more and more permissive to try and get it to go):
Code: |
helios shorewall # cat interfaces
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect #norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
helios shorewall # cat rules
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT loc net tcp
ACCEPT net loc tcp
ACCEPT net loc udp
ACCEPT loc net udp
ACCEPT loc net icmp
#ACCEPT net $FW tcp ssh #SSH to the
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
helios shorewall # cat policy
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT info
fw loc ACCEPT info
loc fw ACCEPT info
loc net ACCEPT
net all ACCEPT info
#LAST LINE -- DO NOT REMOVE
|
Last edited by stardotstar on Sat Oct 11, 2008 1:06 am; edited 1 time in total
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Thu Sep 25, 2008 3:22 pm
Looks like you have not defined the local zone/interface. Could you post your:
- /etc/shorewall/zones
- /etc/shorewall/interfaces
// Steve
stardotstar l33t
Posted: Thu Sep 25, 2008 9:04 pm
Thank you!
Code: |
helios shorewall # cat zones
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
helios shorewall # cat interfaces
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect #norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
steveb Advocate
Posted: Thu Sep 25, 2008 9:16 pm
stardotstar wrote:
Code: |
helios shorewall # cat zones
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE |
|
That is the problem! You have a zone loc but looking in your interfaces file, you don't have any definition for the loc zone. So please disable the loc zone and try to restart Shorewall. Or if you have an interface for loc, then change the interfaces file and add loc with the corresponding interface.
stardotstar wrote:
Code: |
helios shorewall # cat interfaces
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect #norfc1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE |
|
// SteveB
stardotstar l33t
Posted: Thu Sep 25, 2008 9:38 pm
SteveB - Thank you very much - as soon as I get the server on power I will do as you say and report back!
Will
steveb Advocate
Posted: Thu Sep 25, 2008 9:40 pm
stardotstar wrote: | SteveB - Thank you very much - as soon as I get the server on power I will do as you say and report back! |
Okay. If I don't report back asap then it's because I am from Europe and because of the time difference to your location.
// Steve
stardotstar l33t
Posted: Sat Sep 27, 2008 7:38 am
Now I am in over my head; can't wait for the penny to drop...
I have a server on the web at my co-location site. It currently has one operating lan interface eth0, connected directly to the net via the local vlan gateway.
I have another interface eth1 but it is not up or connected yet.
I also have iLO on another IP.
I don't understand the implications of zones when using a single interface. Basically I guess I really only have net and fw not loc... So thinking I should drop the loc policies and try to get fw and net to do what I want.
Initially I want to deny everything from the net to my server but make an exception rule for ssh...
policy
net deny all
rule
net ssh accept
or something like that.
I have been rushed into getting onto site but then again I have no critical services that can be too badly abused... Apache is not running, proftpd, mysql and so on are all stopped until I get myself sorted.
I would appreciate the support Steve.
Fully appreciate the time zone implications. thanks for the efforts so far.
Will
steveb Advocate
Posted: Sat Sep 27, 2008 7:48 am
Okay. I see. The iLO is non-existent for Shorewall since it is sitting on a different system. I know that the iLO is inside the server but it is not running under the control of Shorewall. So forget the iLO for a moment.
Since you only have eth0 and that interface is connected directly to the internet: you only have zone fw (the firewall itself, which is anyway nothing more than eth0, but for Shorewall it is the fw zone) and you have zone net (this is everything outside, any address from the internet).
So in your case you need in zones:
Code: |
fw firewall
net ipv4
|
In your interfaces you probably have:
Code: |
net eth0 detect arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
|
In policy you probably have:
Code: |
net all DROP
fw net ACCEPT
all all REJECT
|
And since you only want SSH to be open you have in rules (under the section NEW):
Code: |
SSH/ACCEPT net fw
SSH/ACCEPT fw net
|
Is that +/- what you want?
// Steve
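Two things a reader should be able to check against the config Steve recommends above: why Shorewall complained that zone loc was empty (a zone declared in zones with no line in interfaces or hosts), and what a given connection actually gets once rules and policy are combined (first matching rule in SECTION NEW, then the first matching policy line, in file order). The script below is an added example written for this page, not Shorewall's own code and not posted by either participant; it models only the subset of the file formats used in this thread, on constructed copies of the files. The source address 203.0.113.10 standing in for the poster's home machine is an assumption, as is the SSH/Web macro-to-port mapping, which real Shorewall reads from its macro files. The net:address source qualifier is real Shorewall syntax and is the way to get what the first post asked for (SSH only from one host) rather than SSH from anywhere, which is what a bare SSH/ACCEPT net fw grants.

```python
"""Walk a minimal Shorewall 3.4-style config (zones, interfaces, policy, rules)
and answer "what happens to this NEW connection?" in Shorewall's order:
first a matching rule in SECTION NEW, then the first matching policy line.

Added example for illustration; not Shorewall's own code. It models only the
subset used in this thread. Real Shorewall compiles these files into iptables
chains; replies to accepted connections are passed by connection tracking,
which this model deliberately leaves out.
"""
import ipaddress

# --- Constructed sample, mirroring the single-interface setup in the thread --
# 'loc' is declared but bound to no interface: the "Zone loc is empty" case.
ZONES = """\
fw   firewall
net  ipv4
loc  ipv4
"""
INTERFACES = """\
net  eth0  detect  arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
"""
POLICY = """\
net  all  DROP
fw   net  ACCEPT
all  all  REJECT
"""
# Assumption: 203.0.113.10 stands in for the poster's home address. The
# zone:address source qualifier is real Shorewall syntax; the address is invented.
RULES = """\
SECTION NEW
SSH/ACCEPT  net:203.0.113.10  fw
SSH/ACCEPT  fw                net
"""

# SSH and Web are real Shorewall macro names; the proto/port mapping here is
# this example's assumption, not a read of the macro files.
MACROS = {"SSH": ("tcp", 22), "Web": ("tcp", 80)}


def fields(text):
    """Yield whitespace-split fields of non-blank, non-comment lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    return {f[0]: f[1] for f in fields(text)}


def empty_zones(zones_text, interfaces_text):
    """Non-firewall zones with no interface binding (Shorewall: 'Zone X is empty')."""
    bound = {f[0] for f in fields(interfaces_text)}
    return sorted(z for z, t in parse_zones(zones_text).items()
                  if t != "firewall" and z not in bound)


def parse_policy(text):
    return [(f[0], f[1], f[2]) for f in fields(text)]


def parse_rules(text):
    rules = []
    for f in fields(text):
        if f[0] == "SECTION":
            continue                          # only SECTION NEW is modelled
        macro, _, target = f[0].partition("/")
        proto, dport = MACROS[macro]          # KeyError for a macro we do not know
        szone, _, saddr = f[1].partition(":")
        rules.append({
            "src_zone": szone,
            "src_net": ipaddress.ip_network(saddr) if saddr else None,
            "dst_zone": f[2], "proto": proto, "dport": dport, "target": target,
        })
    return rules


def evaluate(flow, rules, policy):
    """Disposition of a NEW connection: first matching rule, else first matching policy."""
    for r in rules:
        if (r["src_zone"], r["dst_zone"]) != (flow["src_zone"], flow["dst_zone"]):
            continue
        if (r["proto"], r["dport"]) != (flow["proto"], flow["dport"]):
            continue
        if r["src_net"] and ipaddress.ip_address(flow["src_ip"]) not in r["src_net"]:
            continue
        return r["target"]
    for src, dst, action in policy:
        if src in ("all", flow["src_zone"]) and dst in ("all", flow["dst_zone"]):
            return action
    raise ValueError("no policy matched; Shorewall requires a catch-all policy")


def disposition(src_zone, src_ip, dst_zone, proto, dport):
    flow = dict(src_zone=src_zone, src_ip=src_ip, dst_zone=dst_zone,
                proto=proto, dport=dport)
    return evaluate(flow, parse_rules(RULES), parse_policy(POLICY))


if __name__ == "__main__":
    print("empty zones:", empty_zones(ZONES, INTERFACES))
    for args in [("net", "203.0.113.10", "fw", "tcp", 22),
                 ("net", "198.51.100.7", "fw", "tcp", 22),
                 ("net", "198.51.100.7", "fw", "tcp", 80),
                 ("fw", "192.0.2.1", "net", "tcp", 443)]:
        print(args, "->", disposition(*args))
```

Run as is, it reports loc as the empty zone and shows SSH from the assumed home address accepted, SSH and HTTP from any other address dropped by the net all DROP policy, and outbound connections from the firewall accepted by fw net ACCEPT. Note that SSH/ACCEPT fw net only matters for new outbound SSH sessions from the server; the replies to inbound sessions are handled by Shorewall's established/related handling, not by that rule.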
stardotstar l33t
Posted: Sat Sep 27, 2008 7:52 am
Yup - +/-/== what I need.
Thanks Steve!
Will
I'll report my success - that makes sense - the fw/net zones - I don't need/have a loc unless I use it to route too, right?
Anyway I won't do anything until they get my iLO IP available outside the facility - for some reason I can get the "It Works" from Apache to the eth0 IP from anywhere; but the iLO https connects on the correct IP from the localhost (checking with Lynx) but not from outside. And having locked myself out several times and having to resort to iLO I won't touch *anything* till it is working 100% - no exceptions. I have a ticket open - must be a range or vlan thingo.
steveb Advocate
Posted: Sat Sep 27, 2008 7:56 am
To get Apache to work, you need to add:
Code: |
Web/ACCEPT net fw
Web/ACCEPT fw net
|
Maybe adding DNS is needed as well (however... we have set fw -> net to ACCEPT so no rule for "fw net" is really needed, but anyway...).
// SteveB
steveb Advocate
Posted: Sat Sep 27, 2008 7:59 am
stardotstar wrote: | ... for some reason I can get the "It Works" from apache to the eth0 IP from anywhere; but the iLO https connects on the correct IP from the localhost (checking with Lynx) but not from outside. And having locked myself out several times and having to resort to iLO I won't touch *anything* till it is working 100% - no exceptions. I have a ticket open - must be a range or vlan thingo. |
If you can only get the connection from Lynx while connected to the iLO (I assume you do it from the console applet) then this is anyway a local connection. With iLO you are connected 1 to 1 on the local system. If you can't get Apache's "It Works" from outside and you are 100% sure it is not Shorewall blocking you, then something is wrong with routing or, as you wrote, with your VLAN setup. Have you looked at the routing configuration of your Gentoo box? Is everything the way you expect it? Do you see the connection attempt in Apache's access_log?
// SteveB
stardotstar l33t
Posted: Sat Sep 27, 2008 8:10 am
You misunderstand me steveb;
I can't reach iLO from remote; from remote I can reach Apache's "It Works".
BUT I can connect to iLO from Lynx in an ssh session on the server...
Ya?
stardotstar l33t
Posted: Sat Sep 27, 2008 8:15 am
mtr google.com
Code: | My traceroute [v0.73]
helios (0.0.0.0) Sat Sep 27 18:15:15 2008
Resolver error: No error returned but no answers given.
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. corertr1-eqx.sau.net.au 0.0% 21 0.3 0.3 0.3 0.6 0.1
2. 125.168.255.97 0.0% 21 0.7 0.7 0.6 1.1 0.1
3. if-6-1.core1.M3H-Sydney.as6453.n 0.0% 21 0.7 0.7 0.6 0.9 0.1
4. if-3-0.core1.TV2-Tokyo.as6453.ne 0.0% 21 104.2 104.3 104.1 105.0 0.3
5. if-5-0-0.core3.HK2-HongKong.as64 0.0% 20 158.0 158.1 157.9 158.6 0.2
6. Vlan31.icore1.HK2-HongKong.as645 0.0% 20 158.0 161.0 158.0 171.0 3.9
7. ???
8. ???
9. ???
10. 64.233.175.207 0.0% 20 232.9 234.7 232.0 280.1 10.7
11. 209.85.252.105 0.0% 20 244.4 249.5 244.2 282.4 10.4
12. 209.85.248.131 0.0% 20 236.6 245.1 234.7 272.7 12.6
13. 216.239.43.193 0.0% 20 247.9 257.7 237.4 271.3 9.5
66.249.95.208
14. 66.249.95.210 0.0% 20 239.8 244.9 237.5 270.0 10.0
72.14.232.137
15. 209.85.242.255 0.0% 20 300.7 301.2 300.3 303.7 0.9
16. 72.14.239.21 0.0% 20 302.7 303.0 302.4 307.9 1.2
72.14.236.151
17. 216.239.43.189 0.0% 20 310.5 310.9 310.5 312.0 0.4
|
steveb Advocate
Posted: Sat Sep 27, 2008 6:53 pm
stardotstar wrote: | BUT I can connect to iLO from lynx in an ssh session on the server... |
Aha! Okay. I see. First of all: Lynx is not good enough for iLO. The reason for that is that iLO requires Java and Lynx cannot work with Java.
But besides that: I see your problem now.
Can you ping the iLO address from the SSH session?
// SteveB
stardotstar l33t
Posted: Sun Sep 28, 2008 9:57 pm
Yes, I can ping iLO interface from the ssh session and I just used lynx to confirm that I could see something on port 443 on that IP... So still waiting for support to get the physical connections outside the localhost sorted and I should be ok to play.
Kind of not wanting to have the box live on the internet for too long without a fully functioning firewall. Even though the services are stopped.
Thanks for the ongoing interest steveb.
steveb Advocate
Posted: Sun Sep 28, 2008 10:44 pm
Then it is the Java requirement which is giving you problems. You cannot access iLO from within Lynx. Lynx cannot display the graphical login done as a Java applet. That's your problem. What system is that where you have the iLO? Is it one of the old iLO interfaces or is it already one of the new ones where you could use SSH to connect to iLO?
// SteveB
stardotstar l33t
Posted: Tue Sep 30, 2008 1:57 am
I understand that Lynx won't actually allow me to use the iLO but it confirms that the iLO is responding to browser requests on https://iLOIPaddr from the localhost...
Unfortunately I can't get any connection from the outside world - times out.
Clearly the iLO is up and running but not accessible from the OSW so it's of no use to me...
The support is reporting that the vlan is correctly connected and all ports are live. They believe that I have a wrong subnet or gateway programmed into my iLO - which I can't get to from an ssh shell as far as I know - though I haven't explored the dedicated HP toolset I have just installed. I would have thought that if I could "see" it from the Lynx browser (even if not actually use it due to the Java constraints) that would confirm that the subnet mask was ok. I suppose that I have therefore incorrectly configured the gateway - but wouldn't that just mean that the iLO interface would be unable to send out by itself - surely the outside gateway will make a connection from my remote host to the iLO IP without the need for the default gateway to be set on the iLO?
steveb Advocate
Posted: Tue Sep 30, 2008 6:50 am
How have you configured your iLO? Manual IP address or have you set it to use DHCP? If you have a manual setup, then you should (/must) set the gateway as well. Else iLO will have problems talking back.
You have mentioned that you have access to the iLO. If you have that access, then you can easily verify what network setup you have configured in iLO. And you can change it there.
// SteveB
stardotstar l33t
Posted: Wed Oct 01, 2008 11:24 am
All sorted; basically I couldn't get to the iLO via a Java-enabled browser since I didn't have X on my server and the only way into iLO was from the local subnet - i.e. the ssh/console - anyway - it's sorted.
So I am about to start up the firewall.
stardotstar l33t
Posted: Wed Oct 01, 2008 11:34 am
she still won't play:
Code: | helios shorewall # vi interfaces
helios shorewall # /etc/init.d/shorewall start
* Starting firewall ...
iptables v1.4.0: bad rate `Yes'
Try `iptables -h' or 'iptables --help' for more information.
/sbin/shorewall: line 375: 4706 Terminated ${VARDIR}/.start $debugging start [ !! ]
helios shorewall #
|
We are exactly where you recommended:
Code: | helios shorewall # cat zones interfaces policy rules
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#loc ipv4
#dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
net all DROP
fw net ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH/ACCEPT net fw
SSH/ACCEPT fw net
#ACCEPT net $FW tcp ssh #SSH to the
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
Hmmm?
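The surviving symptom in the post above is worth reading literally: "bad rate `Yes'" is the error iptables' limit match prints when the argument to --limit is not a positive count optionally followed by /second, /minute, /hour or /day (any prefix of those words, case-insensitively), and shorewall check passes because it validates the table files, not the iptables commands Shorewall later runs from the compiled script at ${VARDIR}/.start. So the fastest way to see where the string Yes came from is to search that generated script for the argument, then trace the variable that produced it. The script below is an added example written for this page, not Shorewall's own code and not something either participant posted; it reimplements iptables' rate grammar and scans a script for --limit and --limit-burst values that iptables would reject. The sample script and its chain names are constructed for the demonstration. The thread never shows shorewall.conf, so which setting fed the bad value is not something this page confirms; in Shorewall 3.x the logging rate settings in shorewall.conf are the usual source of a --limit argument, and that is stated here as an assumption.

```python
"""Locate a malformed iptables rate argument in a compiled Shorewall script.

Added example, not from the thread and not Shorewall's own code. iptables'
limit match accepts only a positive count, optionally followed by /second,
/minute, /hour or /day (any prefix of those words, case-insensitive); any
other token is rejected with the message seen in the thread, "bad rate `Yes'".
Because `shorewall check` passes but `start` dies, the bad token is in the
script Shorewall generated and ran (${VARDIR}/.start in the thread's output).
Run this with the path of such a script to find the token and its line.
"""
import re
import shlex

# Units libxt_limit accepts; a unit token must be a non-empty prefix of one.
UNITS = ("second", "minute", "hour", "day")
RATE_RE = re.compile(r"^(\d+)(?:/([A-Za-z]+))?$")


def valid_rate(token):
    """True if iptables' limit match would accept token as a --limit value."""
    m = RATE_RE.match(token)
    if not m or int(m.group(1)) == 0:
        return False                          # "Yes", "0/second", "5/" all fail here
    unit = m.group(2)
    if unit is None:
        return True                           # bare count means per second
    return any(u.startswith(unit.lower()) for u in UNITS)


def valid_burst(token):
    """--limit-burst must be a positive integer."""
    return token.isdigit() and int(token) > 0


CHECKS = {"--limit": valid_rate, "--limit-burst": valid_burst}


def scan_script(text):
    """Return [(lineno, option, token)] for every --limit/--limit-burst value
    that iptables would reject, scanning the script one shell line at a time."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue                          # unbalanced quotes on an unrelated line
        for i, tok in enumerate(tokens[:-1]):
            check = CHECKS.get(tok)
            if check and not check(tokens[i + 1]):
                bad.append((lineno, tok, tokens[i + 1]))
    return bad


# Constructed excerpt in the shape of a compiled Shorewall script; the chain
# names and the 'Yes' token are made up to reproduce the error in the thread.
SAMPLE_SCRIPT = """\
# compiled by shorewall (constructed sample)
$IPTABLES -A net2fw -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPTABLES -A net2all -m limit --limit Yes --limit-burst 10 -j LOG --log-prefix "Shorewall:net2all:DROP:"
$IPTABLES -A all2all -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Shorewall:all2all:REJECT:"
$IPTABLES -A all2all -j REJECT
"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    for lineno, opt, tok in scan_script(text):
        print(f"line {lineno}: {opt} {tok!r} would be rejected by iptables")
```

Against the built-in sample this reports line 3, --limit 'Yes'; against a real compiled script it tells you which chain's logging rule carries the bad value, which narrows the search in the configuration to whatever variable Shorewall substituted there. The check is slightly stricter than iptables itself, which uses atoi() on the count and so tolerates trailing junk after the digits; a value this scanner rejects is always one iptables rejects too.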
steveb Advocate
Posted: Wed Oct 01, 2008 10:56 pm
Looks okay to me. But could you post the other config files as well? Can you execute this command and post the output:
Code: |
for foo in /etc/shorewall/*;do echo -ne "\n=[$(basename ${foo})]===================================\n";cat ${foo};echo -ne "============================================\n";done
|
// Steve
stardotstar l33t
Posted: Sat Oct 04, 2008 6:27 am
Hi Steve - thanks for staying with me on this!
Here is the result of your neat script:
Code: | helios stardotstar # for foo in /etc/shorewall/*;do echo -ne "\n=[$(basename ${foo})]===================================\n";cat ${foo};echo -ne "============================================\n";done
=[Makefile]===================================
# Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \
if \
/sbin/shorewall -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall -q save >/dev/null; \
else \
/sbin/shorewall -q restart 2>&1 | tail >&2; \
fi
# EOF
============================================
=[accounting]===================================
#
# Shorewall version 3.4 - Accounting File
#
# For information about entries in this file, type "man shorewall-accounting"
#
# Please see http://www.shorewall.net/3.0/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
# PORT(S) PORT(S) GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[actions]===================================
#
# Shorewall version 3.4 - Actions File
#
# /etc/shorewall/actions
#
# For information about entries in this file, type "man shorewall-actions"
#
# Please see http://www.shorewall.net/3.0/Actions.html for additional information.
#
###############################################################################
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[blacklist]===================================
#
# Shorewall version 3.4 - Blacklist File
#
# For information about entries in this file, type "man shorewall-blacklist"
#
# Please see http://www.shorewall.net/3.0/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[continue]===================================
#
# Shorewall version 3.4 - Continue File
#
# /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see
# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[ecn]===================================
#
# Shorewall version 3.4 - Ecn File
#
# For information about entries in this file, type "man shorewall-ecn"
#
# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#ECN
#
###############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[hosts]===================================
#
# Shorewall version 3.4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Hosts
#
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
============================================
=[init]===================================
#
# Shorewall version 3.4 - Init File
#
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[initdone]===================================
#
# Shorewall version 3.4 - Initdone File
#
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see
# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[interfaces]===================================
#
# Shorewall version 3.4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://www.shorewall.net/3.0/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[ipsec]===================================
#
# The /etc/shorewall/ipsec file is obsolete -- the information
# previously contained in this file is now placed in the
# /etc/shorewall/zones file.
#
# See the IPSECFILE option in shorewall.conf for further information.
#
============================================
=[maclist]===================================
#
# Shorewall version 3.4 - Maclist file
#
# For information about entries in this file, type "man shorewall-maclist"
#
# For additional information, see http://www.shorewall.net/3.0/MAC_Validation.html
#
###############################################################################
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============================================
=[masq]===================================
#
# Shorewall version 3.4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============================================
=[nat]===================================
#
# Shorewall version 3.4 - Nat File
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://www.shorewall.net/3.0/NAT.htm
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============================================
=[netmap]===================================
#
# Shorewall version 3.4 - Netmap File
#
# For information about entries in this file, type "man shorewall-netmap"
#
# See http://www.shorewall.net/3.0/netmap.html for an example and usage
# information.
#
###############################################################################
#TYPE NET1 INTERFACE NET2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============================================
=[params]===================================
#
# Shorewall version 3.4 - Params File
#
# /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[policy]===================================
#
# Shorewall version 3.4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
net all DROP
fw net ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE
============================================
=[providers]===================================
#
# Shorewall version 3.4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://www.shorewall.net/3.0/MultiISP.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============================================
=[proxyarp]===================================
#
# Shorewall version 3.4 - Proxyarp File
#
# For information about entries in this file, type "man shorewall-proxyarp"
#
# See http://www.shorewall.net/3.0/ProxyARP.htm for additional information.
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[route_rules]===================================
#
# Shorewall version 3.4 - route_rules File
#
# For information about entries in this file, type "man shorewall-route_rules"
#
# For additional information, see http://www.shorewall.net/3.0/MultiISP.html
##############################################################################
#SOURCE DEST PROVIDER PRIORITY
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[routestopped]===================================
#
# Shorewall version 3.4 - Routestopped File
#
# For information about entries in this file, type "man shorewall-routestopped"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped and
# http://www.shorewall.net/3.0/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[rules]===================================
#
# Shorewall version 3.4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH/ACCEPT net fw
SSH/ACCEPT fw net
#ACCEPT net $FW tcp ssh #SSH to the
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[shorewall.conf]===================================
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL
# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/3.0/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=shell
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/shorewall
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=Yes
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=Off
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
============================================
=[start]===================================
#
# Shorewall version 3.4 - Start File
#
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[started]===================================
#
# Shorewall version 3.4 - Started File
#
# /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up).
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[stop]===================================
#
# Shorewall version 3.4 - Stop File
#
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[stopped]===================================
#
# Shorewall version 3.4 - Stopped File
#
# /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
=[tcclasses]===================================
#
# Shorewall version 3.4 - Tcclasses File
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[tcdevices]===================================
#
# Shorewall version 3.4 - Tcdevices File
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[tcrules]===================================
#
# Shorewall version 3.4 - Tcrules File
#
# For information about entries in this file, type "man shorewall-tcrules"
#
# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://www.shorewall.net/3.0/MultiISP.html
#
# See http://www.shorewall.net/3.0/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
###############################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS
# PORT(S) PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[tos]===================================
#
# Shorewall version 3.4 - Tos File
#
# For information about entries in this file, type "man shorewall-tos"
#
###############################################################################
#SOURCE DEST PROTOCOL SOURCE DEST TOS MARK
# PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE
============================================
=[tunnels]===================================
#
# Shorewall version 3.4 - Tunnels File
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# See http://www.shorewall.net/3.0/Documentation.htm#Tunnels for additional
# information.
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============================================
=[zones]===================================
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#loc ipv4
#dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
============================================
_________________ ]8P
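An added check, not from the post above and not part of Shorewall: Shorewall hands the LOGRATE value in shorewall.conf to the iptables limit match, so a value like the `LOGRATE=Yes` in the dump above only fails when the rules are loaded, after `shorewall check` has already passed. The script below reads LOGRATE/LOGBURST from a shorewall.conf-style file and rejects values iptables would not accept; the sample config files are constructed inline, and the accepted rate units (second/sec/minute/min/hour/day) are those of iptables' `--limit`.

```shell
#!/bin/sh
# Added example (not from the forum post or from Shorewall): validate the
# LOGRATE / LOGBURST settings of a shorewall.conf-style file before starting
# the firewall. LOGRATE goes to iptables' --limit, LOGBURST to --limit-burst,
# so a non-numeric LOGRATE such as "Yes" makes iptables refuse the rule.

# conf_get FILE NAME: print the value of the last NAME= assignment in FILE,
# with surrounding double quotes removed (empty output if NAME is unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_lograte FILE: return 0 when LOGRATE and LOGBURST would be accepted by
# iptables, 1 (with a message on stderr) otherwise.
check_lograte() {
    rate=$(conf_get "$1" LOGRATE)
    burst=$(conf_get "$1" LOGBURST)
    status=0
    # Empty LOGRATE disables rate limiting; anything else must be N/unit.
    if [ -n "$rate" ] && ! printf '%s\n' "$rate" | grep -Eq '^[0-9]+/(second|sec|minute|min|hour|day)$'; then
        echo "$1: LOGRATE='$rate' is not an iptables rate (expected e.g. 10/minute, or empty)" >&2
        status=1
    fi
    # LOGBURST is optional; when set it must be a positive integer.
    if ! printf '%s\n' "$burst" | grep -Eq '^([1-9][0-9]*)?$'; then
        echo "$1: LOGBURST='$burst' must be empty or a positive integer" >&2
        status=1
    fi
    return $status
}

# Constructed sample configs: the first uses the LOGRATE=Yes setting from the
# post, the second the corrected numeric form.
broken_conf=$(mktemp)
fixed_conf=$(mktemp)
printf 'LOGFORMAT="Shorewall:%%s:%%s:"\nLOGRATE=Yes\nLOGBURST=\n' > "$broken_conf"
printf 'LOGFORMAT="Shorewall:%%s:%%s:"\nLOGRATE=10/minute\nLOGBURST=5\n' > "$fixed_conf"

if check_lograte "$broken_conf"; then echo "broken_conf: ok"; else echo "broken_conf: rejected"; fi
if check_lograte "$fixed_conf"; then echo "fixed_conf: ok"; else echo "fixed_conf: rejected"; fi
rm -f "$broken_conf" "$fixed_conf"
```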
stardotstar l33t
![l33t l33t](/images/ranks/rank_rect_4.gif)
![](images/avatars/208185412659634e53518ab.png)
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
Posted: Sat Oct 11, 2008 1:05 am Post subject: |
OK I have unmasked (~x86) shorewall-common and shorewall-shell and reconfigured everything and it is working fine - so it looks like the unmasked portage version is incompatible with the current IPTables??
Anyway - on with the show.
thanks for all the guidance Steve.
_________________ ]8P