Since both your lan and wan subnets are private, you're not going to receive
any unsolicited traffic from the internet unless you port forward to your
machine in your wireless router.  I don't see a gaping hole.

If you're worried about internal traffic, adjust your policy and rules files to
only allow the traffic you want.  Really only you can decide that.

Bill

On 12/13/2017 11:33 AM, jamby wrote:
Bill

  My only worry now is I left a gaping hole in the firewall with some of the changes I made wildly trying to get shorewall working.  I am hoping that you can see in the previous post with the "shorewall_dump.txt" if I did.

Thanks for your and Tom's help
Jim

On 12/13/2017 08:08 AM, Bill Shirley wrote:
Glad it's working.

That was just an example of how to log to BOTH /var/log/shorewall.log and
/var/log/messages.  Use the 'notice' level to log both places. You don't need
it in your config. "I don't like Bob @ 192.168.2.44" is just my little bit of
humor.

The '?COMMENT' in Shorewall flags the entry in iptables.  It doesn't output
anything to the log file.  An example of what it does: I have in my rules:
?COMMENT ntp redirect
REDIRECT    lan4,wifi    ntp        tcp,udp    ntp
So when I look at the actual iptables ('iptables -vnL | less') I see:
Chain lan4-fw (1 references)
 pkts bytes target     prot opt in     out source destination
 556K   41M ACCEPT     all  --  *      * 0.0.0.0/0 0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      * 0.0.0.0/0 0.0.0.0/0            tcp dpt:123 ctorigdstport 123 /* ntp redirect */
 6542  497K ACCEPT     udp  --  *      * 0.0.0.0/0 0.0.0.0/0            udp dpt:123 ctorigdstport 123 /* ntp redirect */
Notice the /* ntp redirect */ comment for the two entries.

If you want to tailor your log file, see
http://www.shorewall.org/shorewall_logging.html
specifically the section:

   Customizing the Content of Shorewall Log Messages

Bill

On 12/13/2017 10:40 AM, jamby wrote:

Bill

   Attached is a corrected snat file and it is now working..! Yeah.
I added the 00-shorewall.log

Not sure how to use

rules:
?COMMENT I don't like Bob @ 192.168.2.44
REJECT:notice    lan:192.168.2.44    wan    tcp all

Should the line ?COMMENT I don't like Bob @ 192.168.2.44 be added to the
"rules" file to get the output into the shorewall.log file???

Thanks for your help
Jim



On 12/12/2017 08:53 PM, Bill Shirley wrote:
If you want a cleaner log file, create this file
/etc/rsyslog.d/00-shorewall.conf :
if $msg contains 'Shorewall' then {
 action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop # notice
 if ($syslogfacility == 0 and $syslogseverity >= 6) then stop # info
}
Now restart rsyslog 'systemctl restart rsyslog.service'. All Shorewall messages
will now be in /var/log/shorewall.log.  Log at 'notice' level or higher for the
message to be in /var/log/messages (Debian: /var/log/syslog) AND /var/log/shorewall.log.
rules:
?COMMENT I don't like Bob @ 192.168.2.44
REJECT:notice    lan:192.168.2.44    wan    tcp all

For rotating log files (logrotate), add the new log file
(/var/log/shorewall.log) to:
Debian:    /etc/logrotate.d/rsyslog    above /var/log/syslog
Fedora:    /etc/logrotate.d/syslog     above /var/log/messages


Tom,
  You might want to change http://www.shorewall.org/shorewall_logging.html
at the bottom 'One final note' to the above more modular approach. Also, add
a note that if this is used shorewall.conf should be changed to:
LOGFILE=/var/log/shorewall.log

Jim,
  You don't have anything in your nat table.  It should have one entry:
#ACTION         SOURCE             DEST
MASQUERADE      192.168.2.0/24     enp4s0
This will allow the lan to be routed to the wan.

Bill
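Once Shorewall messages land in their own /var/log/shorewall.log as described above, the next thing a firewall admin usually wants is a quick summary of what is being rejected or dropped and from where. The POSIX shell function below is an added example, not code from this thread or from the Shorewall project; it assumes Shorewall's default LOGFORMAT prefix ("Shorewall:<chain>:<disposition>:" followed by the netfilter fields), and the log lines it runs over are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example: summarize REJECT/DROP entries in a Shorewall log by chain,
# disposition and source address. Assumes the default LOGFORMAT so each
# kernel line carries a field like "Shorewall:lan2wan:REJECT:IN=...".

# Constructed sample log lines in the shape rsyslog writes to /var/log/shorewall.log
# (two rejects from one lan host, one drop from the wan side, one accept, one non-Shorewall line).
SAMPLE_LOG='Dec 13 11:33:01 fw kernel: Shorewall:lan2wan:REJECT:IN=enp3s0 OUT=enp4s0 SRC=192.168.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 11:33:02 fw kernel: Shorewall:lan2wan:REJECT:IN=enp3s0 OUT=enp4s0 SRC=192.168.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 11:33:05 fw kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 13 11:33:06 fw kernel: Shorewall:lan2fw:ACCEPT:IN=enp3s0 OUT= SRC=192.168.2.10 DST=192.168.2.1 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 13 11:33:07 fw sshd[1234]: Accepted publickey for jim from 192.168.2.10 port 50000 ssh2'

# shorewall_summary: read log lines on stdin and print one line per
# "chain:disposition source" pair, prefixed by its hit count, most frequent first.
# Lines without a Shorewall: field, and ACCEPT entries, are ignored.
shorewall_summary() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                # p[2] is the chain (e.g. lan2wan), p[3] the disposition (REJECT/DROP/ACCEPT)
                split($i, p, ":")
                if (p[3] != "REJECT" && p[3] != "DROP") next
                src = "?"
                for (j = i; j <= NF; j++)
                    if ($j ~ /^SRC=/) src = substr($j, 5)
                count[p[2] ":" p[3] " " src]++
                next
            }
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real firewall use:
#   shorewall_summary < /var/log/shorewall.log
printf '%s\n' "$SAMPLE_LOG" | shorewall_summary
```

The awk scans every field because the position of the Shorewall: prefix shifts with the syslog hostname and tag format; it keys on chain and disposition so that a lan host being rejected outbound is reported separately from wan-side drops, which is the distinction that matters when judging whether a rule change opened or closed something.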

On 12/12/2017 7:07 PM, jamby wrote:
Tom

   I attempted to follow the instructions below.   But I failed the gzip test.

Jim

On 12/12/2017 03:27 PM, Tom Eastep wrote:
On 12/12/2017 03:07 PM, jamby wrote:
Tom

    On my system I get a file "shorewall-init.log"; is that the dump you
are referring to?   Otherwise most messages get dumped into the
/var/log/messages log file.

Here are the instructions from the URL I posted:

If Shorewall is starting successfully and your problem is that some set
of connections to/from or through your firewall isn't working (examples:
local systems can't access the Internet, you can't send email through
the firewall, you can't surf the web from the firewall, connections that
you are certain should be rejected are mysteriously accepted, etc.) or
you are having problems with traffic shaping then please perform the
following six steps:

     Be sure that the LOGFILE setting in /etc/shorewall/shorewall.conf is
correct (that it names the file where 'Shorewall' messages are being
logged). See shorewall.conf (5) and the Shorewall Logging Article.

     If your problem has anything to do with IPSEC, be sure that the
ipsec-tools package is installed.

     If Shorewall isn't started then /sbin/shorewall start. Otherwise
/sbin/shorewall reset.

     Try making the connection that is failing.

     /sbin/shorewall dump > /tmp/shorewall_dump.txt

     Post the /tmp/shorewall_dump.txt file as an attachment compressed
with gzip or bzip2.

     Describe where you are trying to make the connection from (IP
address) and what host (IP address) you are trying to connect to.

-Tom


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users