# Help with Shorewall

## lamekain

Help with a strange problem!  :Shocked: 

I started using shorewall instead of firestarter, and ran into a problem. I did a one-interface setup for my box (using the files available from www.shorewall.net). I reconfigured the rules-file to DROP all connections from the internet, including ICMP. But still the ShieldsUP! security test at http://grc.com/default.htm tells me that Port 113 (IDENT) is closed (so it is rejecting packets, not dropping them)! So I unmerged fakeidentd, ran iptables --flush and started shorewall again... still the same problem: port 113 shows as closed on the internet. This is the end of my rules-file (if it helps):

```
##############################################################################
#ACTION      SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER
#                                   PORT    PORT(S)   DEST       LIMIT   SET
#ACCEPT      net   fw   icmp   8
#####  SSH
#ACCEPT          net     fw      tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

The policy file just drops everything net->fw and allows all fw->net. Thanks for any help!

----------

## TheCoop

Is there some reason why ident should be stealthed and not closed? FYI, ports 21, 25, 113, 135, 139, 143 and 445 are closed and not stealthed on my firewall, but as long as nobody can connect to them I don't worry about it.

----------

## gonna

Hi,

*lamekain wrote:*

> ```
> ##############################################################################
> 
> ...


Both ACCEPT statements are commented out.  You will need to remove the hash for each one.  

I am using shorewall on my Debian firewall and am very impressed with it so far. It seems more robust than firestarter.

Greg

----------

## lamekain

 *TheCoop wrote:*   

> is there some reason why ident should be stealthed and not closed?

 

By having all my ports stealthed, I make my box more secure: nobody can see my computer from the Internet. If the port is closed, then people can see that a computer exists at my IP, thus I'm no longer invisible.

I'm probably going to run an SSH server anyway, but first I want to know WHY port 113 is CLOSED, even when I don't have anything open in my rules-file and the policy is DROP.

----------

## lamekain

 *Quote:*   

> Both ACCEPT statements are commented out. You will need to remove the hash for each one.

 

But doesn't that open the ports?? The problem is that I want a COMPLETELY STEALTHED box. That means all ports use the DROP action for packets from net->fw. Any ideas still on the question why port 113 is REJECTING packets, not DROPPING?   :Question: 

----------

## gonna

 *lamekain wrote:*   

>  *Quote:*   Both ACCEPT statements are commented out. You will need to remove the hash for each one. 
> 
> But doesn't that open the ports?? The problem is that I want a COMPLETELY STEALTHED box. That means all ports use the DROP action for packets from net->fw. Any ideas still on the question why port 113 is REJECTING packets, not DROPPING?  

 

Misunderstood, I now understand what you are saying but don't know why it isn't stealthed.   :Sad: 

I don't think mine is either, will check when I get home.

----------

## lamekain

I had my box completely stealthed with firestarter, but I can't figure out why it isn't anymore, now that I use shorewall. The rules are quite clear: DROP all from the net....   :Sad: 

----------

## skion

 *lamekain wrote:*   

>  *TheCoop wrote:*   is there some reason why ident should be stealthed and not closed? 
> 
> By having all my ports stealthed, I make my box more secure: nobody can see my computer from the Internet. If the port is closed, then people can see that a computer exists at my ip, thus I'm no longer invisible.
> 
> I'm probably going to run a SSH-server anyway, but first I want to know WHY the 113 is CLOSED, even when I don't have anything open in my rules-file and the policy is DROP.

 

It's because some (mail) servers try to connect back to that port, and if it's stealthed, they will hang for a while. If you really want it to be stealthed, read the comment in /etc/shorewall/common.def.

In there you can also see how it's closed:

```
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
```

HTH,
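The mechanism skion describes, as an added example (this is not part of skion's post and not Shorewall's own code): a small model of the net->fw evaluation order for the one-interface setup, with a parser for rules-file lines like the ones posted above. The `NetToFw` class, the `net2fw` chain name and the assumption that Shorewall's `reject` chain answers TCP with a RST are mine; the rules-file text is constructed to match the shape of lamekain's. It shows why tcp/113 reports as "closed" although the policy is DROP, and that a commented-out ACCEPT line opens nothing.

```python
"""Model of how a Shorewall one-interface box answers probes from the net.

Added example for this thread, not Shorewall's own code. It models the
net->fw evaluation order implied by the files quoted above: uncommented
ACCEPT entries from the rules file, then the `common` chain (where
common.def rejects tcp/113), then the net->fw policy. That the TCP reject
goes out as a RST is an assumption about Shorewall's `reject` chain; the
open/closed/stealth words follow the ShieldsUP! report.
"""
from dataclasses import dataclass, field

SSH_RULE = "ACCEPT      net   fw   tcp   22"


def rules_file(ssh_enabled):
    """Constructed rules file shaped like the one posted in the thread."""
    return "\n".join([
        "#ACTION     SOURCE   DEST   PROTO   DEST",
        "#ACCEPT     net      fw     icmp    8",
        "#####  SSH",
        ("" if ssh_enabled else "#") + SSH_RULE,
        "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE",
    ])


def parse_rules(text):
    """(proto, port) pairs opened by net->fw ACCEPT lines.

    A line starting with '#' is a comment and contributes nothing, so a
    commented ACCEPT line can never open a port.
    """
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "ACCEPT" and fields[1:3] == ["net", "fw"]:
            allowed.add((fields[3], int(fields[4])))
    return allowed


@dataclass
class NetToFw:
    accept: set = field(default_factory=set)
    # /etc/shorewall/common.def: AUTH is rejected before the policy applies
    common_reject: set = field(default_factory=lambda: {("tcp", 113)})
    policy: str = "DROP"

    def verdict(self, proto, port):
        if (proto, port) in self.accept:
            return "ACCEPT"
        if (proto, port) in self.common_reject:
            return "REJECT"
        return self.policy


def on_the_wire(verdict, proto):
    """Reply a remote host sees for a TCP SYN (port) or ICMP echo (type 8)."""
    if proto == "tcp":
        return {"ACCEPT": "SYN-ACK", "REJECT": "RST"}.get(verdict)  # None: silence
    if proto == "icmp":
        return {"ACCEPT": "echo-reply"}.get(verdict)
    raise ValueError(f"unmodelled protocol {proto!r}")


def scanner_report(reply, proto):
    """How a port scanner such as ShieldsUP! words each reply."""
    if proto == "icmp":
        return "replies to ping" if reply else "no ping reply"
    return {"SYN-ACK": "open", "RST": "closed", None: "stealth"}[reply]


def probe(fw, proto, port):
    return scanner_report(on_the_wire(fw.verdict(proto, port), proto), proto)


def iptables_equivalent(fw, chain="net2fw"):
    """The rule order above written as iptables commands (assumption about
    the exact chain name and reject type Shorewall generates)."""
    cmds = []
    for proto, port in sorted(fw.accept):
        match = f"-p icmp --icmp-type {port}" if proto == "icmp" else f"-p {proto} --dport {port}"
        cmds.append(f"iptables -A {chain} {match} -j ACCEPT")
    for proto, port in sorted(fw.common_reject):
        cmds.append(f"iptables -A {chain} -p {proto} --dport {port} -j REJECT --reject-with tcp-reset")
    cmds.append(f"iptables -A {chain} -j {fw.policy}")
    return cmds


if __name__ == "__main__":
    posted = NetToFw(accept=parse_rules(rules_file(ssh_enabled=False)))
    for port in (22, 113):
        print(f"tcp/{port}: {probe(posted, 'tcp', port)}")   # 22 stealth, 113 closed
    stealthed = NetToFw(common_reject=set())  # common.def reject removed
    print(f"tcp/113 without the common.def reject: {probe(stealthed, 'tcp', 113)}")
    print("\n".join(iptables_equivalent(posted)))
```

Emptying `common_reject` is the model's stand-in for editing the AUTH entry out of common.def (or overriding the common chain), which is the only change that turns tcp/113 from "closed" into "stealth"; the rules file and the policy never see that packet.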

----------

## lamekain

Thank you. Now I understand... It's weird they don't mention that in the how-to. For a moment I was afraid of a trojan   :Rolling Eyes: 

Thank you everyone!

----------

## TheCoop

BTW, it doesn't matter if they can see that a computer's there. If they can't connect to anything, then what's the problem?

----------

## lamekain

It is possible to get inside someone's computer even if the box doesn't have open ports. I'm no security expert, but I've studied the basics and read a few articles. 

 :Shocked:  This is a very paranoid theory (but paranoia is good in security, isn't it?   :Laughing:  ). Let's say a hacker sees my box after portscanning. Now he knows there is a computer there, and he knows port 113 is available. He then uses some security breach to get a trojan into my box. For example he sends me an email which has a worm in it (remember Outlook in window$... remember the Blaster worm...). The worm then starts a service that takes commands from port 113 and voilà, he/she/it is inside my box. 

Of course I'm using Linux and an email client which I'm sure doesn't have many worms. But the main point of starting this whole post was that I wanted to know WHY my port is closed, even when I want it to be stealthed. Now I know    :Cool: 

----------

## think4urs11

Even if your box is 100% 'stealth' by itself, it IS possible to tell whether it is there or not.

If you really want to be invisible you'd have to do this on the gateway BEFORE the 'stealth' box.

BTW: according to the RFCs you should not drop ident. It should be rejected!

----------

## jaska

Think4UrS11 is right: if a hacker watches the logs of Apache or whatever site you have been to, they know there is a PC behind that IP even if you drop every single connection attempt.

----------

## think4urs11

Even better...

It is perfectly possible to tell whether an IP address is up and running, whether or not it ever connects to my site.

The gateway in front of the 'stealth' box will tell you this via ICMP.

(As long as the box has made at least one connection anywhere since boot; so just by getting a DHCP address from the gateway, which is pretty usual for dialup lines, it knows you are there.)

----------

## lamekain

Yes. True. No system is safe. But having a totally stealthed box is more secure than having a box which is visible to the Internet, isn't it? 

But (theoretically), if I start my box and make no connections to the Internet (no logs show my IP) and I don't use DHCP (which I actually don't), then there shouldn't be a way to find my box (except by asking the ISP  :Very Happy:  )?    :Rolling Eyes: 

----------

## TheCoop

In that case what would be the point of having it connected to the internet?

----------

## lamekain

It was only a theory... nothing to do with practical use. (This post has really taken a turn in the wrong direction.)   :Confused: 

----------

## think4urs11

mhh

more secure or more interesting for hackers?  :Wink: 

As long as your box is

a) physically connected to the network

b) powered up

it IS possible to tell, by analyzing the answers from the gateway in front, whether you are there or not! No way around this except heavy reconfiguration of that gateway.

Don't believe in marketing which (also) tells everybody that those famous windows personal firewalls are good/needed/whatever...    :Twisted Evil: 

----------

## mirko_3

 *lamekain wrote:*   

> Yes. True. No system is safe. But having a totally stealthed box is more secure than having a box, which is visible to the Internet, isn't it? 
> 
> But (theoretically), if I start my box and make no connections to the Internet(no logs show my ip) and I don't use DHCP(which I actually don't). Then there shouldn't be a way to find my box (except by asking the isp  )?   

 

Script kiddies can scan blocks of IP addresses...

----------

## lamekain

 *Quote:*   

> Script kiddies can scan blocks of ip-addresses...

 

Yes they can. And if all my ports are dropping the incoming packets, then they can't discover me by simply scanning, because my computer doesn't reply to them. But if my box, for example, replies to all ICMP (ping) requests, then it is possible to find me by simply scanning my IP address. Or am I wrong  :Question: 

----------

## To

There's a small difference between security and paranoia  :Laughing: 

You don't need to stealth the ports really, just drop. If you reject a packet, a rejection message will be sent back (there are several types of rejection; you can even specify them), and the other side will know that your computer is there. But if you drop the packet it will look, to the other computer, like you aren't there. 

The only thing you can do with drop is log the packets. I still don't get your point on this.

Another thing, about rejecting all ICMP: if you think that you may be vulnerable to any kind of ICMP attack, you can always set a limit of maximum ICMPs per second; that will be sufficient...

As was said here, to be attacked you only need to be connected to the internet.

Tó

----------

## jaska

There is always the real paranoia mode, unplug networking and unplug the power, no hacking security risk there   :Wink: 

Seriously though, all you can really do is reject any port connects, limit the amount of icmp/ping/whatever from any ip, not run anything that you don't need, etc.

----------

## lamekain

*Quote:*   

> I still don't get your point on this.

The original point of this post was to explain why shorewall has port 113 on reject and not on drop (as specified in the rules).

*Quote:*   

> But if you drop the packet it will look like, to the other computer, that you aren't there. 

My (other) point exactly  :Smile:  !  (see my previous post...)

----------

## mog

Hi, I also have just installed a gateway/router linux box using shorewall and functioning as a proxy for http traffic as well as providing NAT services.

I went to the web port scan site linked in one of the above posts. The scan told me that it could find the private address of my machine behind the NAT box. I would like this not to happen.

What could be a reason/misconfiguration that caused this problem?

Any help is appreciated.

----------

## mog

Just to add to the question... would the HTTP headers of requests forwarded by a proxy give away the internal IP addresses of the actual hosts? Someone told me that, for example, the Host header in an HTTP request could do such a thing... is that correct?
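An added example for mog's question (not part of the thread and not any proxy's code): a parser that takes a request as an origin server would receive it from a forwarding proxy and reports which headers expose internal addresses, with a scrubbed version alongside. The request is constructed; the `Via` and `X-Forwarded-For` lines follow what forwarding proxies such as Squid add by default, and the `Forwarded` line (the RFC 7239 form) is an extra included for completeness. Which proxy mog actually runs is not stated in the thread, so those two assumptions, along with the 192.168.1.x addresses, are hypothetical. The Host header names the requested site and never carries the client's address, so it is not where the leak comes from.

```python
"""Which forwarded-request headers reveal a client's internal address.

Added example, not from the thread or from any proxy's source. The request
below is constructed; its Via and X-Forwarded-For lines follow what
forwarding proxies such as Squid add by default (an assumption, since the
thread does not say which proxy is in use) and the Forwarded line is the
RFC 7239 form. The Host header names the requested site and never carries
the client address.
"""
import ipaddress
import re

# Hypothetical addresses: client 192.168.1.23 behind proxy/NAT box 192.168.1.1
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Via: 1.1 gateway.lan (squid)\r\n"
    "X-Forwarded-For: 192.168.1.23\r\n"
    "Forwarded: for=192.168.1.23;by=192.168.1.1\r\n"
    "\r\n"
)

# Hop-by-hop bookkeeping headers that commonly carry client or proxy addresses
ADDRESS_HEADERS = {"x-forwarded-for", "forwarded", "via", "x-real-ip", "client-ip"}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request line, [(name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return request_line, headers


def private_addresses(value):
    """Non-public IPv4 addresses (RFC 1918 and similar) found in a header value."""
    found = []
    for token in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:
            continue
        if ip.is_private:
            found.append(str(ip))
    return found


def leaked_internal_addresses(raw):
    """Header name -> internal addresses the origin server gets to see."""
    _, headers = parse_request(raw)
    leaks = {}
    for name, value in headers:
        addrs = private_addresses(value)
        if addrs:
            leaks.setdefault(name, []).extend(addrs)
    return leaks


def scrub(raw):
    """Hardened form: drop the address-carrying headers before the request
    leaves the proxy, keeping Host and everything else intact."""
    request_line, headers = parse_request(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in ADDRESS_HEADERS]
    return "\r\n".join([request_line, *kept]) + "\r\n\r\n"


if __name__ == "__main__":
    print(leaked_internal_addresses(SAMPLE_REQUEST))
    print(scrub(SAMPLE_REQUEST))
```

In practice the scrubbing is done in the proxy's own configuration rather than by a script like this; the function only shows which lines have to go (the hop headers) and which must stay (Host).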

----------

