Pieter Ennes wrote:
> Hi,
>
> Jiří Červenka wrote:
>
>> Using black list helped, replacing not. But I want to be able to control
>> this by rules file.
>>
>
> Ok, and I left my mind somewhere, the local IP didn't make sense anyhow.
>
>
>>>>>> policy:
>>>>>> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
>>>>>> loc net ACCEPT
>>>>>> loc wifio ACCEPT
>>>>>> loc loc ACCEPT
>>>>>> loc fw ACCEPT
>>>>>> fw net ACCEPT
>>>>>> fw wifio ACCEPT
>>>>>> fw loc ACCEPT
>>>>>> net all DROP
>>>>>> all all REJECT
>>>>>> wifio net ACCEPT
>>>>>> wifio loc ACCEPT
>>>>>> wifio fw ACCEPT
>>>>>> road loc ACCEPT
>>>>>> #LAST - ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>>>>
>
> How come you have a net -> all DROP policy and still you seem to accept
> connections from exactly that to your ftp server? Based on the policies,
> that traffic should be dropped, even without the additional rule you
> mentioned earlier.
>
> Is there any rule in your rules file that is accepting net -> loc
> traffic? If you want to drop FTP traffic, that rule should be at least
> _above_ any rule accepting it.
>
> Otherwise, please send your rules file, or the information that is
> normally requested at http://www.shorewall.net/support.htm.
>

My rules file:

#ACCEPT net:147.32.240.25 loc:172.16.0.21
ACCEPT all all icmp 8 - - 1/sec:5
ACCEPT all all icmp 0 - - 1/sec:5
LOG:info all fw tcp ssh
DROP net:202.194.9.3 all tcp ssh
DROP net:163.20.160.25 all tcp ssh
DROP net:211.157.108.19 all tcp ssh
DROP net:218.191.218.143 all tcp ssh
DROP net:80.144.163.152 all
DROP net:202.156.251.82 all
DROP net:213.248.65.1 all
DROP net:217.16.27.121 all
DROP net:210.148.115.76 all
DROP net:207.246.138.140 all
DROP net:207.246.138.137 all
DROP net:151.204.222.219 all
DROP net:24.224.234.197 all
DROP net:64.12.163.139 all
DROP net:201.17.162.107 all
DROP net:24.177.122.14 all
DROP net:86.127.183.96 all
DROP net:193.171.155.10 loc:195.113.101.221 tcp 21
DROP net:221.127.10.244 all
DROP net:218.167.46.142 all
DROP net loc:195.113.101.220 tcp 135
DROP net loc:195.113.101.220 udp 135
DROP net loc:195.113.101.219 tcp 25
DROP net loc:172.16.0.25 all
DROP net all udp 161
DROP net all udp 162
DROP fw net tcp 161
DROP fw net tcp 162
DROP loc:172.16.0.3 loc:195.113.101.218 udp 55 53
DROP loc net tcp 25
ACCEPT loc fw tcp 1201 - - 2/sec:5 # SSH
ACCEPT net fw:195.113.101.210 tcp 1201 - - 2/sec:5 # SSH (temporary)
ACCEPT net fw:195.113.101.210 tcp 25 - - 2/sec:5 # SMTP
ACCEPT net fw:195.113.101.217 tcp 25 - - 2/sec:5
ACCEPT net fw:195.113.101.210 tcp 110 # POP3
ACCEPT net fw:195.113.101.210 tcp 80 # POP3
ACCEPT fw all tcp 3128
ACCEPT loc fw tcp 21
ACCEPT loc loc:195.113.101.221
ACCEPT net fw:195.113.101.217 tcp 21
ACCEPT net fw:172.16.0.1 tcp 21
ACCEPT net:88.146.126.102 fw tcp 3306
ACCEPT loc:172.16.22.5 fw tcp 3306
ACCEPT net loc:172.16.26.2 tcp 25 # durci mail
ACCEPT net fw:195.113.101.217 tcp 1202 # FTP
ACCEPT net fw:195.113.101.217 tcp 80 # HTTP
ACCEPT net fw:195.113.101.217 tcp 443 # HTTPS
ACCEPT loc fw:195.113.101.217 tcp 80 # HTTP
ACCEPT loc fw:172.16.0.1 tcp 80 # HTTP
#ACCEPT net:192.168.10.2 fw:195.113.101.217 tcp 80
#ACCEPT fw:195.113.101.217 net:192.168.10.2
ACCEPT loc fw tcp 3306
ACCEPT loc net:195.39.14.220 tcp 15001
#ACCEPT net loc:195.113.101.210 tcp 25 # SMTP
ACCEPT net loc:195.113.101.219 tcp 110 # POP3
ACCEPT loc:172.16.0.2 fw:172.16.0.1 tcp 25
ACCEPT loc:195.113.101.219 fw tcp 25
ACCEPT fw loc:172.16.0.2 tcp 25
ACCEPT fw loc:195.113.101.219 tcp 25
ACCEPT all loc:195.113.101.218 tcp 21 #ftp
ACCEPT net loc:195.113.101.220 tcp 3389
ACCEPT net loc:195.113.101.221 tcp 3389
ACCEPT loc:195.113.101.220 net all
ACCEPT loc:195.113.101.221 net all
ACCEPT net loc:195.113.101.221 tcp 8081
ACCEPT net loc:195.113.101.221 tcp 21
ACCEPT net loc:195.113.101.221 tcp 8888
ACCEPT fw:195.113.101.210 net:195.113.101.209 tcp 161
ACCEPT fw:195.113.101.210 net:195.113.101.209 udp 161
ACCEPT fw loc tcp 161
ACCEPT fw loc udp 161
REDIRECT loc 3128 tcp 80 - !172.16.0.1
DNAT net loc:172.16.0.25 tcp 12345 - 195.113.101.210
DNAT net loc:172.16.0.19 tcp 3389 - 195.113.101.210
DNAT net loc:172.16.0.18 tcp 12001 - 195.113.101.217
DNAT net loc:172.16.0.18 udp 12001 - 195.113.101.217
#DNAT net loc:172.16.0.14 tcp 12002 - 195.113.101.206
#DNAT net loc:172.16.0.14 udp 12002 - 195.113.101.206
DNAT net loc:172.16.11.10 tcp 80 - 195.113.101.210
#DNAT net loc:172.16.0.4 tcp 2100 - 195.113.101.206
DNAT net loc:172.16.0.18 udp 7001 - 195.113.101.210
DNAT loc loc:172.16.0.18 tcp 7001 - 195.113.101.210
DNAT net loc:172.16.0.18 udp 9221 - 195.113.101.210
DNAT net loc:172.16.0.18 tcp 9221 - 195.113.101.210
DNAT net loc:172.16.0.14 tcp 7000 - 195.113.101.210
DNAT net loc:172.16.0.14 udp 7000 - 195.113.101.210

Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
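Added example, not from the thread or from Shorewall itself: a small Python simulator of Shorewall's first-match evaluation (rules before zone policies) that reports which line decides a given packet and lists the dead rules behind it, which is the ordering point raised in the reply above. The rule and policy text is a constructed sample modelled on the files in the thread, with 198.51.100.7 and 203.0.113.9 as placeholder outside hosts; it handles only ACCEPT/DROP rules, not DNAT/REDIRECT.

```python
import ipaddress

# Constructed sample modelled on the thread's files (not the poster's full rules file).
# The DROP for 193.171.155.10 is deliberately placed BELOW a broader ACCEPT so the
# shadowing problem raised in the thread is visible. Only ACCEPT/DROP rules in
# ACTION SOURCE DEST PROTO DPORT layout are handled (no DNAT/REDIRECT).
RULES = """\
ACCEPT  all                 loc:195.113.101.218  tcp  21
DROP    net:193.171.155.10  loc:195.113.101.218  tcp  21
ACCEPT  net                 loc:195.113.101.221  tcp  21
"""
POLICIES = """\
loc net ACCEPT
net all DROP
all all REJECT
"""

def endpoint_matches(spec, zone, host):
    """Match 'net', 'all', 'net:1.2.3.4' or 'net:10.0.0.0/8' against one packet endpoint."""
    name, _, addr = spec.partition(":")
    if name not in ("all", zone):
        return False
    return not addr or ipaddress.ip_address(host) in ipaddress.ip_network(addr, strict=False)

def rule_matches(line, src_zone, src, dst_zone, dst, proto, port):
    fields = line.split() + ["-"] * 5   # pad short rules: a missing column means "any"
    _action, s, d, p, dport = fields[:5]
    return (endpoint_matches(s, src_zone, src) and endpoint_matches(d, dst_zone, dst)
            and p in (proto, "all", "-") and dport in (str(port), "-"))

def matching_rules(rules, *pkt):
    """Every rule line matching the packet, in file order. Shorewall acts on the
    first one, so entries after index 0 are dead: a DROP there is shadowed."""
    return [l for l in rules.splitlines()
            if l.strip() and not l.startswith("#") and rule_matches(l, *pkt)]

def verdict(rules, policies, *pkt):
    """(action, where) for a packet: the first matching rule, else the zone policy."""
    hits = matching_rules(rules, *pkt)
    if hits:
        return hits[0].split()[0], "rule: " + hits[0]
    src_zone, dst_zone = pkt[0], pkt[2]
    for line in policies.splitlines():
        s, d, action = line.split()[:3]
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return action, "policy: " + line
    return "REJECT", "implicit"
```

Running `verdict(RULES, POLICIES, "net", "193.171.155.10", "loc", "195.113.101.218", "tcp", 21)` returns ACCEPT from the `all` rule even though the policy for net is DROP, and `matching_rules` shows the later DROP line as dead; moving it above the ACCEPT is what makes it take effect.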
