On 5/6/13 4:31 PM, "Troy Telford" <ttelford.gro...@gmail.com> wrote:

>On 2013-05-05 13:57:10 +0000, cac...@quantum-sci.com said:
>> Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
>>  It was like this for a couple of weeks.  I found the reason was I'd
>> removed 'tor' from the services file and so Shorewall failed to start.
>> I've removed tor from the rules file now, and of course it works.
>> 
>> But routestopped has only eth0, which is not connected. (wlan0 is)  The
>> policy file seems to have everything DENYed.
>> 
>> So I don't understand how this could have happened?
>
>Startup behavior with Shorewall can be a bit tricky.
>
>If you happen to run xUbuntu, you need to know that Upstart can't
>guarantee that a 'shorewall stop' command is issued (and locks down the
>firewall to routestopped) before the network is brought up.
>
>None of that matters, as you have discovered, with an invalid Shorewall
>configuration.
>
>While I haven't tested this, it's likely that this also applies to
>running 'shorewall stop' to lock the firewall to the routestopped
>config.
>
>As I recall, Shorewall checks its configuration, and will not change
>*anything* without a valid config. This applies for both adding and
>removing of rules, policies, and so on.
>
>It appears likely you had an invalid config (as stated in your first
>paragraph), and had rebooted the machine.
>
>I'm willing to bet you didn't notice the message that shorewall didn't
>start - either because you weren't watching, or because a boot splash
>hid the message.
>
>It doesn't matter what your policy, rules, or anything else is
>configured.  As I recall, if your configuration isn't valid, shorewall
>won't apply any of it.
>
>The default boot state for the Linux kernel allows any network
>connection. It's likely it is also the state shorewall will leave you
>with if your configuration is not valid.
>
>'shorewall check' is very useful; ALWAYS run it after modifying your
>shorewall config.

Another thing here is to be sure to use 'shorewall show' (or 'iptables -L
-n -v') when looking at the Netfilter filter table configuration. You
can't tell what the state of the ruleset is by simply issuing 'iptables
-L' -- its output is almost useless and can make you believe that you are
wide open when you are not.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
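The thread's practical point is that a firewall script which refuses to apply an invalid config leaves you with the kernel default (every built-in chain at policy ACCEPT with no rules), and that you should inspect the actual ruleset rather than trust `iptables -L`. The following is an added example, not code from the thread or from the Shorewall project: a POSIX shell function that parses `iptables -S` (the rule-listing form, assumed here instead of the `-L -n -v` mentioned above because its output is one rule per line and easy to parse) and flags any built-in chain that is wide open. The two inputs are constructed samples so the script runs offline; on a real host you would pipe live output into it.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): audit `iptables -S` output
# for a filter table that is effectively wide open, i.e. a built-in chain whose
# policy is ACCEPT and which has no rules attached. On a live host:
#   iptables -S | audit_filter_table
# Exit status 0 means every built-in chain is protected, 1 means at least one
# chain is wide open (the state the original poster found after Shorewall
# failed to start because of an invalid config).

# audit_filter_table reads `iptables -S` style lines on stdin and prints one
# line per built-in chain: "<chain> <policy> <rule-count> <verdict>".
audit_filter_table() {
    awk '
        # "-P CHAIN POLICY" declares a built-in chain and its default policy
        $1 == "-P" { policy[$2] = $3; rules[$2] += 0; next }
        # "-A CHAIN ..." appends a rule to that chain
        $1 == "-A" { rules[$2]++; next }
        END {
            bad = 0
            for (c in policy) {
                verdict = "ok"
                if (policy[c] == "ACCEPT" && rules[c] == 0) {
                    verdict = "WIDE-OPEN"
                    bad = 1
                }
                printf "%s %s %d %s\n", c, policy[c], rules[c], verdict
            }
            exit bad
        }'
}

# Constructed sample: the kernel default, which is what you are left with when
# the firewall script never applied anything.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a minimal active ruleset with DROP policies on the
# inbound chains and a couple of rules attached.
SAMPLE_CLOSED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# check_sample feeds one of the constructed samples through the audit and
# returns the audit's exit status.
check_sample() {
    printf '%s\n' "$1" | audit_filter_table
}

# Stand-alone run: audit both samples and report.
if [ "${1:-}" = "--demo" ]; then
    echo "== constructed open ruleset ==";   check_sample "$SAMPLE_OPEN"   || echo "result: WIDE OPEN"
    echo "== constructed closed ruleset =="; check_sample "$SAMPLE_CLOSED" && echo "result: protected"
fi
```

A sensible place for such a check is right after boot or after any `shorewall restart`, alongside running `shorewall check` on the edited config before applying it, so a config that fails validation is caught before the machine is left at the kernel default.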
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users