I know the shorewall question can be resolved, but as KevinO points out
it shouldn't be resolved by someone who's not fully aware of the issues
at stake.

In the last five days I've gotten nearly a thousand denied attempts to
relay spam mail through my server clogging up my logs right now in
chunks of thirty messages per server, mostly coming from home Windows
boxes on cable and DSL networks. This is clearly a worm, and the few
boxes that I've bothered to nmap all have IIS on them and ports 137-139
wide open to the world, allowing anonymous SMB browsing. Since the worm
only sends 30 messages at a time, it will probably go unnoticed for
months or years because it isn't going to have a big effect on bandwidth
or CPU -- the only way these ditzes are ever going to know that they are
hosting a spam worm is if someone gets annoyed enough to track them down
and slap them upside their pointy little heads.

When you don't secure your home box that has nothing important on it,
there is a chance that your neighbor's snot-nosed brat will go delete
your files that you don't care about. However, the odds are much higher that
the snot-nosed brat will use your box to download and serve up porn and
warez that are illegal to possess in your state, and in the current USA
climate this is likely to earn you a visit from the Feds. When uncapping
your cable modem can earn you this
(http://slashdot.org/article.pl?sid=02/11/22/013226&mode=nested&tid=123)
do you want to find out what they do when you're mirroring kiddie porn
and copies of .Net Server? An even higher probability exists that your
box will be nailed by a worm and turned into a zombie node for the next
big DoS or spam flood attack.

So, if you're not able to figure out how to get shorewall to do what you
need to do (and it is not an easy package), try removing it and working
with one of the others, like MonMotha, and if you can't get that to do
what you want then for goodness sake go spend $100 on a commercial
firewall appliance. My mail logs will thank you for it.

Jack

On Fri, 2002-11-29 at 11:30, Jim C wrote:
> Yes it is a poor security practice IF you have something to protect.
>  My system is a simple home system and of course I have limited
> resources that dictate whether or not I even get a firewall or
> fileserver.  Perhaps someday when I have an old box I can use as a
> firewall I will set things up that way.  Ya work with whatcha got. ;-)
> 
> So given the above, the problem is still a problem.
> 
> 
> KevinO wrote:
> 
> >This probably isn't what you want to hear but...
> >
> >A firewall should be a firewall and NOT a file server. It is poor security
> >practice to put anything on a firewall box that is not absolutely required.
> >
> >Use your existing box as a file server and get another, smaller box and use it
> >as your firewall, NAT (connection sharing) box.
> >
> >My $.02
> >
> >KevinO
> >
> >Jim C wrote:
> >  
> >
> >>HAaaAAAaaalp! ;-)
> >>
> >>Background:  Server is Mdk 9.0 and my two clients are XP boxes.
> >>I can't get Samba, shorewall and Connection Sharing to play nice on the
> >>same box.  If two of them work then the third does not.  The shorewall
> >>website says to add these rules to /etc/shorewall/rules:
> >>
> >>>[]# cat rules.sav
> >>>ACCEPT  fw      loc     udp     137:139
> >>>ACCEPT  fw      loc     tcp     137,139
> >>>ACCEPT  fw      loc     udp     1024:           137
> >>>ACCEPT  loc     fw      udp     137:139
> >>>ACCEPT  loc     fw      tcp     137,139
> >>>ACCEPT  loc     fw      udp     1024:           137
> >>>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >>
> >>Unfortunately this does not help.  What I get is a really slow refresh
> >>of My Network Places and then clicking on the box with shorewall and ICS
> >>on it causes the error message: "//enigma is not accessible.  You might
> >>not have permission to use the network resource. Contact your
> >>Administrator..." yata, yata, yata.  Now samba should be set up right
> >>because I've been able to access it once or twice while fiddling. Only
> >>at the expense of something else, however.  Is there a port I am missing
> >>or something?  The rest of the rules file currently looks like this:
> >>
> >>>##############################################################################
> >>>
> >>>#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
> >>>#                                               PORT    PORT(S)    DEST
> >>>ACCEPT  net     fw      udp     53      -
> >>>ACCEPT  net     fw      tcp     53,22,20,21     -
> >>>ACCEPT  masq    fw      udp     53      -
> >>>ACCEPT  masq    fw      tcp     53,22,20,21     -
> >>>ACCEPT  loc     fw      udp     53      -
> >>>ACCEPT  loc     fw      tcp     53,22,20,21     -
> >>>ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
> >>>ACCEPT  masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
> >>>ACCEPT  fw      masq    tcp     631,137,138,139 -
> >>>ACCEPT  fw      masq    udp     631,137,138,139 -
> >>>ACCEPT  fw      loc     udp     137:139
> >>>ACCEPT  fw      loc     tcp     137,139
> >>>ACCEPT  fw      loc     udp     1024:           137
> >>>ACCEPT  loc     fw      udp     137:139
> >>>ACCEPT  loc     fw      tcp     137,139
> >>>ACCEPT  loc     fw      udp     1024:           137
> >>>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >>
> >>------------------------------------------------------------------------
> >>
> >>Want to buy your Pack or Services from MandrakeSoft?
> >>Go to http://www.mandrakestore.com
> >
> >
> >-- 
> >KevinO
> >
> >Matz's Law:
> >        A conclusion is the place where you got tired of thinking.
> 
-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
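
Jack's observation above (nearly a thousand rejected relay attempts arriving in chunks of about thirty per source) is the kind of pattern a mail admin can pull out of the MTA log automatically. The script below is an added example, not code from anyone in this thread; the log format (sendmail-style "Relaying denied" rejects), the host name "enigma", the addresses and the timestamps are all constructed for the example, and the burst threshold of 30 within 5 minutes is an assumption taken from the numbers Jack quotes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Sendmail-style reject line (assumed format; the thread never names the MTA).
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                     r"\S+: ruleset=check_rcpt, .*relay=\[(?P<ip>[\d.]+)\], "
                     r"reject=550 .*Relaying denied$")

def reject_line(ts, ip, rcpt="victim@example.net"):
    """Build one constructed log line in the format LINE_RE expects."""
    return (f"{ts:%b %d %H:%M:%S} enigma sendmail[4101]: gATF12x04101: "
            f"ruleset=check_rcpt, arg1=<{rcpt}>, relay=[{ip}], "
            f"reject=550 5.7.1 <{rcpt}>... Relaying denied")

def constructed_log():
    """Constructed sample: 30 rejects from one host in two minutes, 3 scattered from another."""
    t0 = datetime(2002, 11, 29, 10, 0, 0)
    lines = [reject_line(t0 + timedelta(seconds=4 * i), "10.1.2.3") for i in range(30)]
    lines += [reject_line(t0 + timedelta(hours=h), "10.9.9.9") for h in range(3)]
    lines.append("Nov 29 10:00:05 enigma sendmail[4102]: gATF12y04102: "
                 "from=<me@example.org>, size=512, class=0, nrcpts=1")  # not a reject
    return "\n".join(lines)

def parse_denials(log_text, year=2002):
    """Return (timestamp, ip) for every relay-denied line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def burst_sources(events, min_count=30, window=timedelta(minutes=5)):
    """Per-host sliding window: ip -> max denials inside any `window`; keep hosts >= min_count."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past events older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[ip] = best
    return flagged
```

Hosts that come out of `burst_sources` are the ones worth reporting to the owning ISP; a host with a handful of scattered rejects is more likely a misconfigured client than a worm.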