# "locking down shorewall" question [solved]

## loki99

hi all!

finally, i invested the time to set up a firewall. since i never had to do much networking, i went for shorewall which is a quite simple to set up firewall. i managed to configure my kernel correctly and everything seems to be up and running. 

Sanome pointed out to me in another thread that i could lock it down more tightly. here is his post:

 *Sanome wrote:*   

> I write my own IPtables scripts for Gentoo & various other distros, but have used Shorewall on Mandrake - one thing you might want to consider is egress filtering (ie outbound filtering) - the typical way you do it is to set the default outbound policy to DROP in /etc/shorewall/policy - ie:
> 
> ```
> fw net DROP
> ```
> ...

problem is, when i follow his advice and try to set up rules for firefox and thunderbird, i cannot connect to the server. here are the lines i tried in my /etc/shorewall/rules.

```
ACCEPT fw net tcp 80
ACCEPT fw net tcp 110
```

any help would be appreciated!

Last edited by loki99 on Sat Feb 19, 2005 9:41 am; edited 1 time in total

----------

## Sith_Happens

You probably forgot to add your ethernet interface to the net zone in /etc/shorewall/interfaces.  Just add whatever interface you use to connect to the internet and put net in the zone section of the entry, restart shorewall, and then it should work.  Like this:

```
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net      eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Since you're new to shorewall, here is the /etc/shorewall/rules file for my desktop:

```
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #insecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #insecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
ACCEPT   fw             net             tcp     5190 #AIM/ICQ
DROP     net            fw              tcp     113 #AUTH/IDENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

I added the last line because shorewall wasn't dropping connection requests to port 113, only rejecting them.  Lastly here is my /etc/shorewall/policy file:

```
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

These three files are really the only ones you need to edit in order to set up an effective and usable firewall for your desktop.  Here is a good site that you can go to to test your firewall.  They just do a portscan and show you the results.  It is more geared towards windows slaves, I mean users  :Razz:  , but it is a really great site.  Check out the rest of it after you're done testing your firewall.  Also, if you use syslog-ng you can add this to /etc/syslog-ng/syslog-ng.conf to log shorewall messages to a separate file, in this case /var/log/shorewall/shorewall.log:

```
# You shouldn't need to add this line, it's probably already there,
# however I include it because the last line references it.
source src { unix-stream("/dev/log"); internal(); pipe ("/proc/kmsg"); };

destination d_shorewall { file ("/var/log/shorewall/shorewall.log"); };
filter f_shorewall { match ("Shorewall"); };
log { source(src); filter (f_shorewall); destination (d_shorewall); };
```

----------

## loki99

mmh! this is what my /etc/shorewall/interfaces says:

```
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,routefilter,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

so i guess it must be something different.

thanks for your /etc/shorewall/rules! this helps quite a bit. :Wink: 

----------

## Sith_Happens

Try enabling both outgoing TCP and UDP connections to port 53.

----------

## loki99

yahooooo! jipie! jipie! eeyh eeeh!  :Shocked:   :Very Happy:   :Very Happy:   :Laughing: 

man,you really just made my day!

it is working! the only thing "shields up" is complaining about is that my system replied to their ping request.

you do not happen to know, how to solve this prob also, do you?

either way. - i always had a kind of bad feeling in my stomach for not having set up a firewall! well, that's history now.

thank you soo much! i hope you'll have a wonderful evening tonight!

best wishes, loki99!

----------

## Sith_Happens

Pings are handled by my net2all drop rule in /etc/shorewall/policy.  Here is what occurs when someone tries to ping my computer, taken from my shorewall log (the ip's have been changed to protect the innocent, however that is my card's MAC address  :Razz:  ):

```
Feb 18 17:56:27 BlueBox Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.2 DST=192.168.1.3 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=514 PROTO=ICMP TYPE=8 CODE=0 ID=33810 SEQ=1024
```

----------

## loki99

well i have the same 

```
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             DROP
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

and i tried adding

```
DROP     net            fw              icmp    8
```

and

```
DropPing  net       fw
```

to my /etc/shorewall/rules but still the same

 *Quote:*   

> Ping Reply: RECEIVED (FAILED)  Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

 

----------

## Sith_Happens

That is weird.  Try taking the port off of the drop icmp statement.

----------

## loki99

i found the mistake. i had a line in my rules saying 

```
ACCEPT  net    fw   icmp   8
```

edit: it was the first line in my rules so i guess it evened out the other one i set a few lines below.

i changed it to drop, now everything is just fine.

thanks again, for your help, Sith_Happens!  :Very Happy: 
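
Both problems in this thread (firefox and thunderbird failing until outgoing port 53 was allowed, and a DROP for ping that had no effect because an ACCEPT sat above it) come down to the same two facts about how Shorewall reads its files: /etc/shorewall/rules is consulted top to bottom and the first matching line wins, and /etc/shorewall/policy only applies when no rule matched. The following is an added example, not code from the thread or from Shorewall itself: a small first-match evaluator that takes rules and policy text in the column layout quoted above and reports which line decided a given packet. The rule sets and packets in it are constructed to mirror the thread, and the handling of the DropPing action assumes it means "DROP icmp type 8".

```python
"""First-match evaluation of a Shorewall-style rules file and policy file.

Added example for this thread, not code from the original posts or from
Shorewall. It models only the part of Shorewall's behaviour the thread
turns on: rules are tried top to bottom and the first match decides; the
policy file is consulted only when no rule matched. Inputs are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # TCP/UDP destination port, or ICMP type


def _strip(line):
    """Drop '#' comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_rules(text):
    """ACTION SOURCE DEST [PROTO [DPORT]] -> (action, src, dst, proto, dport)."""
    rules = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        f = line.split()
        action, src, dst = f[0].upper(), f[1], f[2]
        if action == "DROPPING":             # assumption: DropPing == DROP icmp 8
            rules.append(("DROP", src, dst, "icmp", 8))
            continue
        proto = f[3].lower() if len(f) > 3 else "-"
        dport = int(f[4]) if len(f) > 4 and f[4] != "-" else None
        rules.append((action, src, dst, proto, dport))
    return rules


def parse_policy(text):
    """SOURCE DEST POLICY [LOG LEVEL] -> (src, dst, policy), in file order."""
    return [(f[0], f[1], f[2].upper())
            for f in (_strip(l).split() for l in text.splitlines()) if f]


def _zone_ok(pattern, zone):
    return pattern == "all" or pattern == zone


def verdict(pkt, rules, policy):
    """Return (verdict, where): the first matching rule, else the first
    matching policy line, else ("NO MATCH", "none")."""
    for n, (action, src, dst, proto, dport) in enumerate(rules, 1):
        if not (_zone_ok(src, pkt.src_zone) and _zone_ok(dst, pkt.dst_zone)):
            continue
        if proto != "-" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, f"rule {n}"
    for n, (src, dst, pol) in enumerate(policy, 1):
        if _zone_ok(src, pkt.src_zone) and _zone_ok(dst, pkt.dst_zone):
            return pol, f"policy {n}"
    return "NO MATCH", "none"


# Constructed inputs mirroring the thread.
POLICY = """
fw   net   DROP
net  all   DROP    info
all  all   REJECT  info
"""

# The original two rules: port 80 and 110 are open, but the DNS lookup that
# precedes every connection is not, so nothing ever reaches those ports.
RULES_NO_DNS = """
ACCEPT fw net tcp 80
ACCEPT fw net tcp 110
"""

RULES_WITH_DNS = RULES_NO_DNS + """
ACCEPT fw net udp 53
ACCEPT fw net tcp 53
"""

# The ping mistake: the ACCEPT above the DROP is the first match, so the
# DROP a few lines below never sees an echo request.
RULES_PING_ACCEPT_FIRST = """
ACCEPT net fw icmp 8
DROP   net fw icmp 8
"""

RULES_PING_DROP = """
DropPing net fw
"""


def demo():
    pol = parse_policy(POLICY)
    dns = Packet("fw", "net", "udp", 53)
    ping = Packet("net", "fw", "icmp", 8)
    return {
        "dns without rule": verdict(dns, parse_rules(RULES_NO_DNS), pol),
        "dns with rule": verdict(dns, parse_rules(RULES_WITH_DNS), pol),
        "ping, ACCEPT first": verdict(ping, parse_rules(RULES_PING_ACCEPT_FIRST), pol),
        "ping, DropPing": verdict(ping, parse_rules(RULES_PING_DROP), pol),
    }


if __name__ == "__main__":
    for label, (result, where) in demo().items():
        print(f"{label:20} -> {result} ({where})")
```

The evaluator ignores everything Shorewall adds on top of this (connection tracking, the ORIGINAL DEST and RATE columns, macros other than DropPing), so treat it as a reading aid for the two files, not as a substitute for `shorewall check` on the real configuration.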

----------

## Sith_Happens

Be sure to append [SOLVED] to the topic of your first post.

----------

## Bob P

 *Sith_Happens wrote:*   

> Pings are handled by my net2all drop rule in /etc/shorewall/policy.  Here is what occurs when someone tries to ping my computer, taken from my shorewall log (the ip's have been changed to protect the innocent, however that is my card's MAC address  ):
> 
> ```
> Feb 18 17:56:27 BlueBox Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.2 DST=192.168.1.3 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=514 PROTO=ICMP TYPE=8 CODE=0 ID=33810 SEQ=1024 
> 
> ...

 

depending upon your system environment, this could be a good thing or a bad thing.  i've set up shorewall as a single-ended firewall on a gentoo box that sits behind a hardware firewall/router with a bunch of other windows and gentoo boxes.  the rule that you've referenced in the policy table serves to interfere with the normal flow of network maintenance in this sort of environment.  for example, here's an excerpt from my logs.  the actual IP addresses have been "normalized" so that they will seem familiar to everyone:

```
Apr  8 18:53:01 gentoo Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.0.3 DST=192.168.0.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33133 DPT=7741 LEN=24
Apr  8 18:53:02 gentoo Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.0.3 DST=255.255.255.255 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=23 DF PROTO=ICMP TYPE=8 CODE=0 ID=49753 SEQ=0
```

in a situation like this, shorewall is locked down so tight that it's interfering with normal network maintenance traffic between the linux box and the DNAT router/firewall.  i'm thinking that it would be a good idea to revise the filter statement so that internal maintenance traffic on the LAN is permitted;  pings from the outside world are already handled by the firewall/router.

suggestions?
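
The log lines Sith_Happens and Bob P quote are the fastest way to find out what a DROP policy is actually costing you: each `Shorewall:chain:verdict:` prefix names the policy chain (net2all, fw2net, ...) and the verdict, and the KEY=VALUE fields that follow carry the protocol and destination port. The following is an added example, not from the thread or from Shorewall: a parser for that line format with a summary that groups drops by chain, protocol and port, flags packets addressed to a broadcast address (the case in Bob P's excerpt), and prints the /etc/shorewall/rules line that would allow each dropped flow. The sample log is constructed in the same shape as the quoted lines, with placeholder hosts and addresses, and the LAN prefix used for directed-broadcast detection is an assumption.

```python
"""Summarise what a Shorewall DROP/REJECT policy is blocking.

Added example for this thread, not code from the original posts or from
Shorewall. Parses the netfilter log lines Shorewall writes through syslog
and reports them in a form that maps directly onto /etc/shorewall/rules.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the layout quoted in the thread (placeholder hosts/IPs).
SAMPLE_LOG = """\
Feb 18 17:56:27 BlueBox Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.2 DST=192.168.1.3 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=514 PROTO=ICMP TYPE=8 CODE=0 ID=33810 SEQ=1024
Apr  8 18:53:01 gentoo Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.0.3 DST=192.168.0.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33133 DPT=7741 LEN=24
Apr  8 18:53:02 gentoo Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.0.3 DST=255.255.255.255 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=23 DF PROTO=ICMP TYPE=8 CODE=0 ID=49753 SEQ=0
Apr  8 18:53:05 gentoo Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=32901 DPT=53 LEN=40
Apr  8 18:53:06 gentoo Shorewall:all2all:REJECT:IN=eth0 OUT= MAC= SRC=192.168.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumption for the example: the LAN this box sits on. In real use take it
# from the interface address so the directed broadcast is computed correctly.
LAN = ip_network("192.168.0.0/24")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None for others.
    ICMP lines carry ID= twice (IP header, then ICMP); the first one is kept."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    for key, val in KV.findall(m.group("rest")):
        rec.setdefault(key, val)
    rec["flags"] = {tok for tok in m.group("rest").split() if "=" not in tok}  # DF, SYN, ...
    return rec


def is_broadcast(dst):
    """Limited broadcast or the directed broadcast of LAN."""
    a = ip_address(dst)
    return a == ip_address("255.255.255.255") or a == LAN.broadcast_address


def suggest_rule(rec):
    """The /etc/shorewall/rules line that would ACCEPT this flow. Zones come
    from the chain name (src2dst); 'all' is kept as written."""
    src, _, dst = rec["chain"].partition("2")
    proto = rec.get("PROTO", "?").lower()
    if proto in ("tcp", "udp"):
        return f"ACCEPT {src} {dst} {proto} {rec.get('DPT', '-')}"
    if proto == "icmp":
        return f"ACCEPT {src} {dst} icmp {rec.get('TYPE', '-')}"
    return f"ACCEPT {src} {dst} {proto}"


def summarise(log_text):
    """Return (Counter keyed by (chain, verdict, proto, target), broadcast records)."""
    counts, broadcast = Counter(), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        proto = rec.get("PROTO", "?")
        target = rec.get("DPT", "-") if proto in ("TCP", "UDP") else "type " + rec.get("TYPE", "?")
        counts[(rec["chain"], rec["verdict"], proto, target)] += 1
        if rec.get("DST") and is_broadcast(rec["DST"]):
            broadcast.append(rec)
    return counts, broadcast


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, broadcast = summarise(text)
    for (chain, verdict, proto, target), n in counts.most_common():
        print(f"{n:5} {chain:10} {verdict:7} {proto:5} {target}")
    for rec in broadcast:
        print(f"broadcast from {rec['SRC']} to {rec['DST']} ({rec.get('PROTO')}), "
              f"would need: {suggest_rule(rec)}")
```

Run it against the file the syslog-ng snippet earlier in the thread writes (`python3 shorewall_drops.py /var/log/shorewall/shorewall.log`, name assumed). The suggested ACCEPT line is only a starting point: a missing DNS allow (fw2net udp 53) is something you do want to add, whereas the broadcast entries in Bob P's log are usually something to stop logging rather than to accept, and the two cases look alike until you group them this way.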

----------

