Martin, first I'd like to thank you for your patience.
One of the things that is confusing to me is related to outbound traffic. Figuring out the inbound traffic is easy, since I know all the services provided. But determining the outbound traffic, to me, is a lot more complicated, certainly because I may be missing some of the picture. Let me try to explain what I mean. If I look at netstat output, I can see things like this:

    tcp 0 0 ::ffff:192.168.1.245:25 ::ffff:202.63.164.4:53400 ESTABLISHED
    tcp 0 0 ::ffff:192.168.1.245:25 ::ffff:8.12.43.34:2616 TIME_WAIT
    tcp 12 0 ::ffff:192.168.1.245:25 ::ffff:200.198.4.21:58613 ESTABLISHED

I have a hard time understanding how I should determine the outbound ports to allow, since my smtp server has connections established to strange port numbers, yet I'm assuming here that these are valid smtp transactions. Similarly,

    tcp 0 0 ::ffff:192.168.1.245:143 ::ffff:206.53.151.202:40866 ESTABLISHED

I have no reason to doubt this is a valid imap connection, but again, would this imap connection be blocked if I configured "dmz net REJECT" and didn't open the destination port 40866? And then I have a number of http connections which I don't know how to determine whether they're rogue or not. Something like:

    tcp 0 0 ::ffff:192.168.1.245:80 ::ffff:189.60.234.251:62473 TIME_WAIT
    tcp 0 0 ::ffff:192.168.1.245:80 ::ffff:201.29.103.98:13725 ESTABLISHED

So my concern is, once I block everything with "dmz net REJECT", how do I determine which outbound ports are to be opened? Maybe it's a lot simpler than I think.

Ricardo

----- Original Message -----
From: "Martin Leben" <[EMAIL PROTECTED]>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, September 09, 2008 9:01 AM
Subject: Re: [Shorewall-users] Please help in rule setup

> Hi Ricardo,
>
> (Trying to offload Tom a bit.)
>
> The single most important thing I have to say is this:
> From your original mail it seems like at least one of
> your machines is infected/pwned/trojaned/rooted.
> In that situation the first and most important thing to
> do is to identify WHICH machine(s) and pull the plug
> on them.
>
> You should NOT fiddle with firewall rules just yet.
>
> And, as Tom already said, make sure that all software on all your machines
> is up to date. That cannot be stressed enough. Bite the bullet.
>
> When it comes to configuring the firewall(s), please read up a bit. Really.
> Below I will try to "codify" some of what Tom said.
>
> 1) Make a list of all hosts which should be exposed to the internet.
> 2) Make a list of all services on the hosts in 1) that should be accessible
> from the internet, and on which host.
> 3) Make a list of which services the hosts in 1) need on the internet.
> 4) Place the hosts in 1) in a separate zone "dmz" in
> "/etc/shorewall/zones".
> 5) Use the policy "dmz net REJECT" in "/etc/shorewall/policy".
> 6) Use the policy "net dmz DROP" in "/etc/shorewall/policy".
> 7) Add rules in "/etc/shorewall/rules" for necessary inbound traffic.
> 8) Add rules in "/etc/shorewall/rules" for necessary outbound traffic.
>
> We are here to help you, but since this is not a paid support line you are
> also expected to have done your homework first.
> <http://shorewall.net/Introduction.html> should be a good starting point.
>
> Good luck and don't hesitate to get back in case of trouble. But first you
> should read <http://shorewall.net/support.htm>.
>
> Best regards,
> /Martin
>
>
> Ricardo Kleemann wrote:
>> Sorry for so many questions, but also for example, I can see valid smtp
>> sessions in netstat like this:
>>
>> tcp 0 0 server1.americasnet.co:smtp 89.165.43.31:17761 SYN_RECV
>>
>> Would this traffic be blocked since it has a random destination port of
>> 17761?
>>
>>
>> On Mon, 2008-09-08 at 20:56 -0700, Ricardo Kleemann wrote:
>>> I apologize for my lack of knowledge.
>>>
>>> Ok, but I have some doubts as far as how I would go about first blocking
>>> all traffic "anywhere" from the servers' lan except for the few ports
>>> allowed.
>>>
>>> For example, won't dns requests use random source ports when queries are
>>> made? Something like (from lsof on the server), I have some named
>>> entries like this:
>>>
>>> named 1620 named 29u IPv4 102898568 TCP server1.americasnet.com:32858->cpe-24-24-238-161.socal.res.rr.com:domain (SYN_SENT)
>>> named 1620 named 30u IPv4 102906041 TCP server1.americasnet.com:57631->cpe-24-24-213-189.socal.res.rr.com:domain (SYN_SENT)
>>>
>>>
>>> If I REJECT all traffic, would random source ports like this be blocked,
>>> or would opening up domain take care of that?
>>>
>>>
>>> Another question, should the REJECT rule be at the end of the rules file
>>> so that it picks up only after all the ACCEPT rules?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
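Added example, not part of the thread: a Python classifier that reads netstat lines like those quoted above and separates inbound sessions (our service port on the local side, the peer's ephemeral source port on the remote side, whose reply packets are matched by connection tracking rather than by any outbound rule) from connections the DMZ host itself opens, which are the only ones a "dmz net REJECT" policy would need ACCEPT rules for. The two service-port sets and the two outbound sample lines (a DNS query and a mail relay from ephemeral local ports) are constructed assumptions.

```python
"""Classify netstat -n lines by direction and emit the Shorewall ACCEPT rules
a "dmz net REJECT" policy would still need. Added example, not from the
thread; assumes the ::ffff:a.b.c.d address format of the quoted output."""
import re
from collections import defaultdict

LOCAL_SERVICES = {25, 80, 143}     # ports this DMZ host serves (per the thread)
REMOTE_SERVICES = {25, 53, 80, 443}  # ports it may open outward (assumption)

LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)")

def parse(line):
    """Return (proto, local_port, remote_port, state) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, _lip, lport, _rip, rport, state = m.groups()
    return proto.rstrip("6"), int(lport), int(rport), state

def direction(local_port, remote_port):
    """'inbound': we hold the service port; the peer's high port is only its
    ephemeral source port, and conntrack matches the replies, so no outbound
    rule is needed. 'outbound': this host initiated the connection."""
    if local_port in LOCAL_SERVICES and remote_port not in REMOTE_SERVICES:
        return "inbound"
    if remote_port in REMOTE_SERVICES:
        return "outbound"
    return "unknown"

def outbound_rules(lines, zone_from="dmz", zone_to="net"):
    """/etc/shorewall/rules lines (ACTION SOURCE DEST PROTO DPORT) for the
    connections the DMZ host opened; only these hit the dmz->net policy."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and direction(rec[1], rec[2]) == "outbound":
            needed[rec[0]].add(rec[2])
    return sorted(f"ACCEPT {zone_from} {zone_to} {proto} {port}"
                  for proto, ports in needed.items() for port in ports)

# Constructed sample: three lines from the thread plus two outbound connections
# (a DNS query and a mail relay, both from ephemeral local ports).
SAMPLE = """\
tcp 0 0 ::ffff:192.168.1.245:25 ::ffff:202.63.164.4:53400 ESTABLISHED
tcp 0 0 ::ffff:192.168.1.245:143 ::ffff:206.53.151.202:40866 ESTABLISHED
tcp 0 0 ::ffff:192.168.1.245:80 ::ffff:201.29.103.98:13725 ESTABLISHED
tcp 0 0 ::ffff:192.168.1.245:32858 ::ffff:198.51.100.7:53 SYN_SENT
tcp 0 0 ::ffff:192.168.1.245:41022 ::ffff:198.51.100.9:25 ESTABLISHED
""".splitlines()
```

Run against real `netstat -n` output, anything classified "unknown" deserves a second look: a DMZ host opening connections to ports outside its expected set is the symptom Martin's first paragraph is about.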