----- Original Message ----- From: Tom Eastep <teas...@shorewall.net> > Configure ipset-based dynamic blacklisting: > DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info > then put this at the bottom of your rules:
> ADD(SW_DBL4,src) net $FW I seem to have a few issues with the ipset-based solution. The first is really not that important: # grep IPSET /etc/shorewall/shorewall.conf IPSET= IPSET_WARNINGS=Yes SAVE_IPSETS=No After a shorewall restart I can list the ipset and it has hundreds of entries: # ipset list SW_DBL4 Shouldn't it have been cleared out? I actually prefer to set SAVE_IPSETS=Yes and then manually flush the ipset whenever I want to. I'm just wondering if this config variable applies to SW_* ipsets. The second issue is described below. The policy file contains: net3 $FW DROP info net3 loc DROP info net2 $FW DROP info net2 loc DROP info net1 $FW DROP info net3 loc DROP info shorewall.conf has: DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info rules file contains among many other entries: [...] DNAT net1 loc:10.215.144.91 tcp 25 - - 3/sec:10 DNAT net2 loc:10.215.144.91 tcp 25 - - 3/sec:10 ACCEPT net3 $FW tcp 25 - - 3/sec:10 [...] ACCEPT net2 $FW tcp <some_other_port> [...] ADD(SW_DBL4:src) net1 $FW ADD(SW_DBL4:src) net2 $FW ADD(SW_DBL4:src) net3 $FW In the shorewall log I can see DROP messages concerning port 25 such as: Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=IP1 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=28878 DF PROTO=TCP SPT=7309 DPT=25 WINDOW=0 RES=0 x00 RST URGP=0 MARK=0x2 # ipset list SW_DBL4 | grep IP1 IP1 timeout 3541 packets 1 bytes 48 Since 192.168.100.2 is net2's NIC address on $FW, I'm guessing IP1 was blacklisted because there's no explicit rule for traffic from net2 to $FW on port 25 so it reaches ADD(SW_DBL4:src) net2 $FW. However, I'm not really sure about this. If the host at IP1 tried to connect for the first time to the net2 external interface, it should have succeeded and established an SMTP link to an internal server (DNAT). As I see it, it never should have reached the ADD action at the bottom of my rules file. My third issue is that I see these entries in the log: Nov 30 09:12:27 Shorewall:loc-net3:ACCEPT:IN=enp0s9 OUT=enp0s13 SRC=10.215.144.31 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=29724 PROTO=UDP SPT=54141 DPT=53 LEN=40 Nov 30 09:12:28 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=8.8.8.8 DST=192.168.101.2 LEN=76 TOS=0x00 PREC=0x00 TTL=56 ID=53866 PROTO=UDP SPT=53 DPT=20938 LEN=56 MARK=0x3 where enp0s13 is net3's interface and 192.168.101.2 its IP address. So now Google DNS (8.8.8.8) is in the SW_DBL4 ipset. I don't care if Google can connect or not but then I also see messages like these: Nov 30 09:31:10 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx1 DST=192.168.101.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=80 DPT=14686 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x3 Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx2 DST=192.168.101.2 LEN=75 TOS=0x00 PREC=0x00 TTL=50 ID=27302 DF PROTO=TCP SPT=443 DPT=53313 WINDOW=514 RES=0x00 ACK PSH FIN URGP=0 MARK=0x3 Nov 30 09:49:33 Shorewall:dbl_log:DROP:IN=enp0s13 OUT= SRC=xxx.xxx.xxx.xx3 DST=192.168.101.2 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=61483 DF PROTO=TCP SPT=443 DPT=28519 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x3 They're usually ACK FIN, ACK SYN, ACK PSH or RST so I guess each time a client in my loc zone surfs the web, the web servers' IP addresses are bound to get blacklisted. Another example when a client in the loc zone accesses a web server (note that there are several internet providers with load balancing): Nov 30 09:58:03 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=2734 DF PROTO=TCP SPT=64178 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 Nov 30 09:58:04 Shorewall:loc-net1:ACCEPT:IN=enp0s9 OUT=enp0s11 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3027 DF PROTO=TCP SPT=64180 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 Nov 30 09:58:05 Shorewall:loc-net2:ACCEPT:IN=enp0s9 OUT=enp0s12 SRC=10.215.248.190 DST=xxx.xxx.xxx.xx4 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=3087 DF PROTO=TCP SPT=64183 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 Nov 30 09:58:05 Shorewall:dbl_log:DROP:IN=enp0s12 OUT= SRC=xxx.xxx.xxx.xx4 DST=192.168.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=64183 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2 (192.168.100.2 is on net2) So I'm wondering if I can avoid false positives in the dynamic blacklist. I'm also looking at PSAD as suggested by Mark but the conf file is so long I'm still figuring out how to do the above... I believe PSAD scans log messages in order to take action so that implies enabling logging in shorewall and I was actually hoping to remove logging as much as possible to reduce I/O. That's why the shorewall ipset solution is attractive. Vieri ------------------------------------------------------------------------------ _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
