<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.comp.security.shorewall">
    <title>gmane.comp.security.shorewall</title>
    <link>http://blog.gmane.org/gmane.comp.security.shorewall</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21057"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21056"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21055"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21054"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21053"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21052"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21051"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21050"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21049"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21047"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21046"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21045"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21044"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21043"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21042"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21041"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21040"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21039"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21038"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/21037"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21057">
    <title>Re: firewall analysis</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21057</link>
    <description>This is an excellent question, and has relevance beyond just
troubleshooting and maintenance. I don't know how many times an auditor
has asked the pointed audit question, "What controls (tools and
processes) do you use to verify the technology in place is configured
correctly to support policy...". The fact that the Shorewall config
files are further "compiled", before loading to firewall, really says
that unless you are reviewing the output from iptables directly, you
really have no good answer to that question.

You may have already found this, but take a look at ITVal on Sourceforge
(http://sourceforge.net/projects/itval/). It doesn't give you a
"picture" of the firewall, but probably better, it lets you formulate
queries against the table rules.

I have been playing with it a bit (mostly reading docs) and it is
something I plan on looking into deeper at a later date. I liked what I
have seen so far, especially that you can create scripts so that testing
runs are repeatable, and can be built to answer specific questions.

Don

-----Original Message-----
From: Christian Vieser [mailto:vieser&lt; at &gt;opti-serv.de] 
Sent: Thursday, November 27, 2008 6:28 AM
To: shorewall-users&lt; at &gt;lists.sourceforge.net
Subject: [Shorewall-users] firewall analysis

Hi all,

my officemate asked me recently if there is any tool available to analyze
the shorewall policies and rules to get a "picture" of the allowed connections,
or to get a list of allowed connections for a given IP.

Since firewall rules tend to get more complex and confusing over time :-)
I don't think it's a dumb question, especially if the main work is done by one
person and the other person is only involved in holiday times, as is often the
practice in small businesses.

There are a few projects out there which try to analyze the output of iptables,
but I didn't find anything really useful. So, before I try to develop something
by myself, just the question: Does anybody here know of a working tool for
analyzing or visualizing the firewall ruleset (based on the shorewall configuration
or output of iptables)? Has anybody here developed some scripts I could
take as base, so I don't need to invent the wheel a second time?

Thanks for any hints,

Christian

------------------------------------------------------------------------
-
This SF.Net email is sponsored by the Moblin Your Move Developer's
challenge
Build the coolest Linux based applications with Moblin SDK &amp; win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the
world
http://moblin-contest.org/redirect.php?banner_id=100&amp;url=/
_______________________________________________
Shorewall-users mailing list
Shorewall-users&lt; at &gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

</description>
    <dc:creator>Don Drohman</dc:creator>
    <dc:date>2008-12-01T21:53:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21056">
    <title>Re: Multi ISP CONFIG_IP_ROUTE_MULTIPATH_CACHED</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21056</link>
    <description>

One thing you might try is to set the 'loose' option on both providers.
Note that doing so will prevent you from being able to pick a provider
by having a firewall-resident application bind to a particular external
address.

</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-12-01T18:54:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21055">
    <title>Help for TC in Shorewall</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21055</link>
    <description>Hi

Can anyone help me create TC rules on my Shorewall 3.2.X?
Shorewall is on my Linux gateway (eth0: Net and eth1: LAN)

I have a link:

eth0   2048kbits   2048kbits (Sdsl)

I want to create a tc for:

eth1 and fw to eth0:

    All protocols are limited to 1792kbits
(an FTP or web download can't get more than 1792 kbits of bandwidth)

An exception:
    UDP port 4639 with source eth1:192.168.20.1
    can use the reserved 256 Kbits (2048 - 1792) and more
    if necessary, but must have a minimum of 256 Kbs.

I didn't understand the documentation, sorry ;=)

Thanks for your help
jerome



</description>
    <dc:creator>Phibee Network Operation Center</dc:creator>
    <dc:date>2008-12-01T16:26:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21054">
    <title>Re: Multi ISP CONFIG_IP_ROUTE_MULTIPATH_CACHED</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21054</link>
    <description>
Shorewall itself has nothing to do with ISP selection. Once 'shorewall
start' completes, there is no Shorewall code running in your system at all.


I couldn't follow that at all. If you are using balancing, both ISPs
have a part of the default route. But the Multi-ISP documentation
clearly states that there is no failover capability in what Shorewall
configures and if a connection fails, 'shorewall restart' is required
(assuming that both connections are marked as 'optional').


That is necessary -- you can't have a single connection ping-ponging
packets between the two ISPs!


It *was* supposed to solve that problem but it didn't work -- it
prevented balancing from working at all. It is even mentioned in the
Shorewall Multi-ISP doc.


Almost certainly.


CONFIG_IP_ROUTE_MULTIPATH_CACHED has been de-implemented because it was
broken. Forget about it!


Hard to say. Multi-ISP works differently for connections originating on
the firewall itself which is what occurs when you run a Proxy on the
firewall. See http://www.shorewall.net/MultiISP.html#Local.


Please see http://www.shorewall.net/support.htm#Guidelines -- we need to
see the output of 'shorewall dump' in order to be able to help you further.

</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-12-01T16:11:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21053">
    <title>Re: firewall analysis</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21053</link>
    <description>
But your goal should be to get them to that skill level, right?


I disagree. If you try to account for policy routing (multi-ISP), packet
marking, NAT, Proxy ARP, ... the tool will be quite complex.

</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-12-01T15:52:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21052">
    <title>Re: firewall analysis</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21052</link>
    <description>Ok, just putting a few answers together.

Karsten Bräckelmann wrote:

 &gt; To put it in other words: Isn't the shorewall configuration sufficient
 &gt; to get a picture of allowed traffic?
 &gt;
 &gt; Since you specifically mentioned "small businesses", how large and
 &gt; complicated are your policies and rules?

The rules file has nearly 1000 lines (a third of them are comments or blank lines),
we have about twenty zones and interfaces defined (and yes, we really need them).

Of course the shorewall configuration is pretty readable, but you
have to arrange your rules in one or the other way. And there are rules
applying to groups of destinations. So it's nearly impossible to arrange the
rules in such a manner that all lines affecting a distinct host or zone are grouped
together.

Shorewall Geek wrote:



And this is the point. Not all employees are at the same high skill level. So there is
the wish to have a little command line tool (perhaps it could even be embedded in an
apache service), where you put in a host name or ip address, and you get out a
compact listing of allowed connections to/from this host.

I don't think that it's very much work to write such a tool. I just wondered if or how
someone else solved this problem. Perhaps there are other ways to enable a compact
view on the firewall rules I don't think of.

Thank you for your attention,

Christian

</description>
    <dc:creator>Christian Vieser</dc:creator>
    <dc:date>2008-12-01T13:10:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21051">
    <title>Multi ISP CONFIG_IP_ROUTE_MULTIPATH_CACHED</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21051</link>
    <description></description>
    <dc:creator>Hinrich Fraemcke</dc:creator>
    <dc:date>2008-12-01T12:52:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21050">
    <title>Re: Error starting shorewall with Multi ISP</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21050</link>
    <description>Adrian Chapela wrote:
I had a connectivity problem. Now this problem is solved.

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-12-01T11:00:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21049">
    <title>Error starting shorewall with Multi ISP</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21049</link>
    <description>Hello, I have configured Multi ISP recently but it didn't start; it
showed me the error:

ERROR: Unable to determine the MAC address of 192.168.22.254 through interface eth0

ip addr show output:
inet 192.168.21.219/24 brd 192.168.21.255 scope global eth0 (real Ip)
inet 192.168.22.220/24 brd 192.168.22.255 scope global eth0 (Virtual Ip)
inet 192.168.21.220/24 brd 192.168.21.255 scope global secondary eth0 (Virtual Ip)

configuration:
ISP1    2       2       main            eth0:192.168.21.220             192.168.21.254  track           lan,lan2
ISP2   3       3       main            eth0:192.168.22.220             192.168.22.254  track           lan,lan2

The first provider is installed OK.

What could be the error ?

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-12-01T08:30:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21047">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21047</link>
    <description>

As clearly described in the shorewall.conf man page, USE_ACTIONS=No
allows the disk (and RAM) footprint of Shorewall-shell to be reduced in
embedded applications.

</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T15:47:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21046">
    <title>Re: lo</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21046</link>
    <description>
That is not an error message.


You should include no configuration for the loopback interface. The
default intra-zone ACCEPT policy is automatically applied to fw-&gt;fw traffic.


</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T15:39:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21045">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21045</link>
    <description>
Excellent!

I thought USE_ACTIONS was a previous implementation and macros are the 
favored method.  So I'm not sure why USE_ACTIONS=No is not supported. 
Maybe I'm reading too much into this?

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T15:19:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21044">
    <title>lo</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21044</link>
    <description>Found an error I didn't expect on bind starting.

"command channel listening on 127.0.0.1#953"

So....  I should be setting up an interface for 'lo' as well?
Haven't found anyone mentioning the lo interface.  I just assumed that 
lo would have been given a default ACCEPT policy.

Just checking before I start trying to configure all this into the files.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T15:10:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21043">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21043</link>
    <description>

Yes.


http://www.shorewall.net/Shorewall-perl.html#Incompatibilities


</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T15:09:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21042">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21042</link>
    <description>
This should be a large red label on the beginning of the README (or at 
least the Debian install).  I see this mentioned in the docs, but I 
missed it.  Sounds like the shell is deprecated. Should people think of 
migrating?

OK, now that I've already gotten it implemented in the shell version I 
have to re-do this for perl.  I know that there are some command 
differences in there, but I wasn't paying attention to them thinking 
that I wasn't going to be required to migrate.  I don't suppose there is 
a short list of what to check?

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T13:13:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21041">
    <title>Re: firewall analysis</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21041</link>
    <description>
The output of 'shorewall dump' tells you everything you ever need to
know about your Shorewall configuration. Of course, you have to
understand IP networking, Linux Networking and Netfilter in order to
interpret the output.

But you don't have to know anything about Shorewall! So I think that
qualifies as "independent".

</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T02:45:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21040">
    <title>Re: firewall analysis</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21040</link>
    <description>


Maybe.  Honestly, I don't think so, though, given in his original post
Christian asked for a
&gt; &gt; &gt; tool for analyzing or visualizing the firewall ruleset (based on the

So he would be happy with something visualizing his shorewall conf.



That will only show a tiny window, even of a rather trivial network.


</description>
    <dc:creator>Karsten Bräckelmann</dc:creator>
    <dc:date>2008-11-30T02:31:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21039">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21039</link>
    <description>

a) The shell implementation hasn't had any active development in two
years. So all new features introduced in the last year and a half are
only available in the perl version.
b) The perl implementation is an order of magnitude faster compiling the
firewall configuration.
c) The perl implementation is an order of magnitude faster instantiating
the firewall configuration.
d) The perl implementation doesn't disable new connections during
start/restart.
e) The perl diagnostics are much better and the perl implementation
catches many more configuration errors at compile time.



</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T02:30:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21038">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21038</link>
    <description>


a) yup.
b) testing has 4.0 so I'm running that.
c) don't know if I need that if I'm running testing but I can look into it.

d)  This intrigues me.  Why Shorewall-perl?  debugging support?  This is 
the first I heard someone promoting the perl implementation.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T01:55:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21037">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21037</link>
    <description>
A few hints:

a) Be sure that you are following one of the HOWTOs at shorewall.net
b) You are running Debian; the version of Shorewall that is included
with Etch is 3.2.6 which *isn't even supported anymore*.
c) There is a repository (maintained by the Debian Shorewall maintainer)
that has Shorewall 4 packages; see the Shorewall download page.
d) No Shorewall newbie should be running anything but Shorewall-perl
which isn't even available in Shorewall 3.2.6.


</description>
    <dc:creator>Shorewall Geek</dc:creator>
    <dc:date>2008-11-30T01:50:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/21036">
    <title>Re: logging</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/21036</link>
    <description>

Maybe I forgot to restart it...

Anyways, shorewall seems to be doing its job.  Now it's back to DHCP, 
DNS and all the rest of the network "stuff".

Thank you.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T01:41:43</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.security.shorewall">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.shorewall</link>
  </textinput>
</rdf:RDF>
