| Linode Forum https://forum.linode.com/ |
|
| Shorewall locks me out (even when stopped) NEWBIE ALERT https://forum.linode.com/viewtopic.php?f=19&t=1385 |
Page 1 of 1 |
| Author: | ronpoz [ Fri Jan 07, 2005 12:27 pm ] |
| Post subject: | Shorewall locks me out (even when stopped) NEWBIE ALERT |
Hello out there. I have to admit I am a newbie with firewalls so I decided to try out shorewall as my interface to iptables. I created a set of rules that allow various services, SSH, Web, SMTP, etc... Once I type shorewall start it loads and then when I try to access my site, I am unable to connect. So I then go into LISH and do a shorewall stop. I get the notice that it is stopped (to screen and in /var/log/messages). Ok, here is where it gets goofy. Now when I try to contact my website I still cannot contact it. So I do a ps -ef and see that neither shorewall nor iptables is running. I do a restart of apache and still nothing. The only way I am able to get back online is to issue a reboot via the Linode members site.
Ok, here is the set of firewall rules I have in play:
Code:
ACCEPT net loc icmp 8
Interfaces:
Code:
loc eth0 detect norfc1918,nobogons,blacklist,nosmurfs
Network zones:
Code:
net Net Internet
Hosts: Blank
Errors recorded to /var/log/messages when the above rules were enabled:
Code:
Jan 7 11:02:42 metrowebworks kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=160.79.56.5 DST=67.18.92.121 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=9010 DF PROTO=TCP SPT=1972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 |
|
| Author: | dmuench [ Fri Jan 07, 2005 3:04 pm ] |
| Post subject: | |
In your interfaces file, eth0 should be part of the "net" zone, not "loc". Also, in your rules file, those should be "ACCEPT net fw ...." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc). See if that helps. You can even comment loc out of the zones file, it's what I do. Dave |
|
| Author: | sarge [ Sat Jan 08, 2005 4:27 am ] |
| Post subject: | |
You can also use easier syntax in your rules file. For example, instead of the two lines you have for tcp ports 80 and 443, you can simply specify one rule:
AllowWeb net fw
There are numerous predefined Allow* rules available such as AllowSSH, AllowSMTP, AllowFTP, and so on. You can also limit access to specific IP addresses. Like this to allow your firewall to access tcp 80 and 443 only on the specified IP address (there's usually no need to allow your firewall to access every possible website as a client):
AllowWeb fw net:123.123.123.123 |
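A small consistency check for the mistake dmuench points out above (eth0 placed in a zone that the zones and rules files do not agree on), written to also accept the Allow* macro lines from sarge's reply. This is an added example, not code from the thread or from the Shorewall project; the three config strings are constructed from the posts, the hosts file is assumed blank as ronpoz says, and the Shorewall 2.x column layout and the default firewall zone name "fw" are assumed.

```python
# Added example, not from the thread or Shorewall. Lints a zones/interfaces/rules trio
# for zones that are referenced but never defined, and for defined zones that have no
# interface (hosts file assumed blank, so interfaces is the only source of zone members).
FW_ZONE = "fw"  # Shorewall's built-in zone for the firewall host itself (default name)

# Constructed from ronpoz's post: eth0 sits in "loc", which the zones file never defines.
BROKEN_ZONES = "net Net Internet"
BROKEN_INTERFACES = "loc eth0 detect norfc1918,nobogons,blacklist,nosmurfs"
BROKEN_RULES = "ACCEPT net loc icmp 8"

# Constructed after dmuench's fix, using the Allow* macro style from sarge's reply.
FIXED_INTERFACES = "net eth0 detect norfc1918,nobogons,blacklist,nosmurfs"
FIXED_RULES = """
ACCEPT   net  fw   icmp  8            # ping
AllowWeb net  fw                      # tcp 80 and 443 in one line
AllowSSH net  fw
AllowWeb fw   net:123.123.123.123     # outbound web only to one host
"""

def parse(text):
    """Split a Shorewall config file into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_of(spec):
    """Strip any host/network qualifier: 'net:123.123.123.123' -> 'net'."""
    return spec.split(":", 1)[0]

def lint(zones, interfaces, rules):
    """Return human-readable findings; an empty list means the three files agree."""
    defined = {row[0] for row in parse(zones)}
    ifaces = {}
    findings = []
    for row in parse(interfaces):
        zone, iface = row[0], row[1]
        ifaces.setdefault(zone, []).append(iface)
        if zone not in defined:
            findings.append(f"interfaces: {iface} is in zone '{zone}', which zones does not define")
    for row in parse(rules):
        action, src, dst = row[0], row[1], row[2]
        for z in (zone_of(src), zone_of(dst)):
            if z != FW_ZONE and z not in defined:
                findings.append(f"rules: '{action} {src} {dst}' references undefined zone '{z}'")
    for zone in sorted(defined - set(ifaces)):
        findings.append(f"zones: '{zone}' has no interface, so no packet can match a '{zone}' rule")
    return findings
```

lint(BROKEN_ZONES, BROKEN_INTERFACES, BROKEN_RULES) returns three findings (eth0 in an undefined zone, a rule naming that zone, and "net" with no interface), while the fixed pair returns none. Separately, shorewall stop deliberately leaves a restrictive stopped-state rule set in place and shorewall clear is the command that removes all rules, which is why stopping alone did not restore access in the first post.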
|
| Author: | SteveG [ Mon Jan 10, 2005 12:11 pm ] |
| Post subject: | |
Even easier: no firewall at all. Now, before you reply that I'm an idiot, consider the circumstance of the typical linode: it's NOT a gateway protecting other machines, and it's NOT a personal use workstation. It's a standalone server. The ONLY ports that should have a process listening to them are ports for which you specifically configured a server, such as a web server, or a mail server. Any other services should simply be disabled. Any port on which you are running a service, you'll pass through the firewall, right? And any port you'd block, there shouldn't be anything listening anyway, right? Now, of course there are circumstances and uses for a linode where a firewall can make sense. But for many common uses, a firewall is just an unnecessary complication. |
|
| Author: | sarge [ Fri Jan 14, 2005 11:10 am ] |
| Post subject: | |
Interesting point. But there are a number of issues with that path. Given that modern firewalls like shorewall can be configured in just a few minutes and the minimal CPU-usage cost, I think the ROI is easily justified in having a firewall on every server.
1. As shown in my previous post, a firewall can block outgoing traffic as well. IMHO, it isn't a good idea for servers to be allowed to make outgoing connections to any IP address on any port. For example, a Debian-based server might be allowed to connect to port 80 of a specific Debian mirror site so it can get updates, but not be allowed any other outgoing connection to other websites. A server that is allowed to make outgoing connections without any restrictions is open to numerous automated attacks that can easily be prevented simply by restricting outbound connections.
2. A firewall can do things such as blocking requests from invalid IP addresses (for example, 127.0.0.1 or other local IP addresses coming in from the internet is obviously spoofed). It can block invalid tcp packets, bogons, etc. It can provide traffic-shaping so one busy service (http) doesn't prevent other services (ssh) from functioning well.
Given this, it is hard to imagine anyone not running a firewall on a server--especially when it is exposed to the public. |
|
| Author: | ronpoz [ Thu Jan 27, 2005 11:06 pm ] |
| Post subject: | |
dmuench wrote:
In your interfaces file, eth0 should be part of the "net" zone, not "loc". Also, in your rules file, those should be "ACCEPT net fw ...." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc). See if that helps. You can even comment loc out of the zones file, it's what I do. Dave
Bingo! That fixed it! Thanks!!!! |
|
| All times are UTC-04:00 |