Hi Ricardo,

(Trying to offload Tom a bit.)

The single most important thing I have to say is this:
    From your original mail it seems like at least one of
    your machines is infected/pwned/trojaned/rooted. In
    that situation the first and most important thing to
    do is to identify WHICH machine(s) and pull the plug
    on them.

You should NOT fiddle with firewall rules just yet.

And, as Tom already said, make sure that all software on all your machines is 
up to date. That cannot be stressed enough. Bite the bullet.

When it comes to configuring the firewall(s), please read up a bit. Really. Below 
I will try to "codify" some of what Tom said.

1) Make a list of all hosts which should be exposed to the internet.
2) Make a list of all services on the hosts in 1) that should be accessible from the 
internet, and on which host.
3) Make a list of which services the hosts in 1) need on the internet.
4) Place the hosts in 1) in a separate zone "dmz" in "/etc/shorewall/zones".
5) Use policy "dmz net REJECT" policy in "/etc/shorewall/policy".
6) Use policy "net dmz DROP" policy in "/etc/shorewall/policy".
7) Add rules in "/etc/shorewall/rules" for necessary inbound traffic.
8) Add rules in "/etc/shorewall/rules" for necessary outbound traffic.

We are here to help you, but since this is not a paid support line you are also 
expected to have done your homework first.
<http://shorewall.net/Introduction.html> should be a good starting point.

Good luck and don't hesitate to get back in case of trouble. But first you 
should read <http://shorewall.net/support.htm>.

Best regards,
/Martin


Ricardo Kleemann wrote:
> Sorry for so many questions, but also for example, I can see valid smtp
> sessions in netstat like this:
> 
> tcp        0      0 server1.americasnet.co:smtp 89.165.43.31:17761
> SYN_RECV 
> 
> Would this traffic be blocked since it has a random destination port of
> 17761?
> 
> 
> On Mon, 2008-09-08 at 20:56 -0700, Ricardo Kleemann wrote:
>> I apologize for my lack of knowledge.
>>
>> Ok, but I have some doubts as far as how I would go about first blocking
>> all traffic "anywhere" from the servers lan except for the few ports
>> allowed.
>>
>> For example, won't dns requests use random source ports when queries are
>> made? Something like (from lsof on the server), I have some named
>> entries like this:
>>
>> named      1620     named   29u     IPv4  102898568                  TCP
>> server1.americasnet.com:32858->cpe-24-24-238-161.socal.res.rr.com:domain
>> (SYN_SENT)
>> named      1620     named   30u     IPv4  102906041                  TCP
>> server1.americasnet.com:57631->cpe-24-24-213-189.socal.res.rr.com:domain
>> (SYN_SENT)
>>
>>
>> If I REJECT all traffic, would random source ports like this be blocked,
>> or would opening up domain take care of that?
>>
>>
>> Another question, should the REJECT rule be at the end of the rules file
>> so that it picks up only after all the ACCEPT rules?
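A sketch of what steps 4 to 8 above look like as Shorewall configuration, added here as an example and not part of Martin's mail. The interface names, the DMZ address 192.0.2.10 and the exact set of services (SMTP and DNS inbound; DNS, SMTP, NTP and web outbound for updates) are assumptions for illustration.

```text
# /etc/shorewall/zones  -- step 4: the exposed hosts get their own zone
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces  -- interface names are assumptions
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy  -- steps 5 and 6: deny by default, log what gets denied
#SOURCE DEST    POLICY  LOG LEVEL
dmz     net     REJECT  info
net     dmz     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  -- steps 7 and 8: the few things the lists allow
# Rules name only the destination port; Netfilter connection tracking lets the
# replies (and the random client-side source ports) through by itself.
#ACTION       SOURCE  DEST            PROTO  DEST PORT(S)
# step 7: inbound, only to the one DMZ host that should offer each service
SMTP(ACCEPT)  net     dmz:192.0.2.10
DNS(ACCEPT)   net     dmz:192.0.2.10
# step 8: outbound, only what the DMZ hosts need from the internet
DNS(ACCEPT)   dmz     net
SMTP(ACCEPT)  dmz     net
NTP(ACCEPT)   dmz     net
Web(ACCEPT)   dmz     net
```

Rules are evaluated before the policy, so the ACCEPT rules do not need to be ordered relative to the REJECT/DROP defaults; anything not matched by a rule falls through to the policy entry for that zone pair.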


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
