I am now developing Shorewall rules for Amahi. I am starting with the IPv4 and will later add Shorewall6.
So I was given the following a while ago from Carlos on the email list:
the internal services should be:

PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
774/tcp   open  rpasswd
2049/tcp  open  nfs
3689/tcp  open  rendezvous
5901/tcp  open  vnc-1
First, is 53 really tcp? Not udp? Or both?
Also, what about 139 and 2049?
How about 123 for ntp?
Only 5901? Not 5901:5903?
Webmin is 10000.
What else should I know about?
Developing Shorewall rules
Re: Developing Shorewall rules
oooo, excellent!
if you can create the rule in a file or whatever in a form that is regular, we may be able to create a nice front end without much effort!
that would rock!
personally i would start small and grow from there.
you are correct! dns needs both udp & tcp. yea, for vnc you need at least one and one per each simultaneous session i guess, so that depends on the user.
for the rest, i am not sure (not an expert). best may be to start restrictive and add things after a bit of research on each service.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1
Re: Developing Shorewall rules
Is shorewall better than iptables?
iptables can be modified very easily; however, you can make it very complicated by defining stricter rules.
From what I've read of cpg's list, open means completely open, which is what you don't want.
iptables has options regarding this, with the likes of accept, established, related, drop etc., and port forwarding/bridging/routing built in as well.
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D2173656C7572206968616D41snlbxq' | dc
Galileo - HP Proliant ML110 G6 quad core Xeon 2.4GHz, 4GB RAM, 2x750GB RAID1 + 2x1TB RAID1 HDD
Re: Developing Shorewall rules
You are aware that an Amahi install has iptables disabled?
Shorewall makes iptables easier.
Particularly as I delve into what we need: things I have not done with Shorewall in the past, but many others have.
Simple things like port knocking for SSH.
Then more complex like what range of addresses can access SMB and IPP.
This is going to be interesting....
Re: Developing Shorewall rules
I have shorewall configured. Took a bit of learning, as I am doing things with it I have not done before. Tom (shorewall developer) was a great help.
Assumption: One interface: eth0

I am running shorewall 4.2.4-5; 4.2.6-3 is available from http://www.invoca.ch/pub/packages/shorewall/4.2/
You want shorewall and shorewall-perl. I have not worked on shorewall6 yet. I would recommend that the current shorewall be maintained in the Amahi repo and not make the user figure out how to get the current stable version...

After installing, there is a potential need to edit /etc/shorewall/shorewall.conf (all but macros are in /etc/shorewall). For IPv6 support, you need to change DISABLE_IPV6 to No. Otherwise, you can leave this unchanged.

Next you need your interfaces file (I tried to line things up for nice visuals, but it is not working):

#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      dhcp

Then the zones file:

#ZONE     TYPE       OPTIONS   IN        OUT
#                              OPTIONS   OPTIONS
fw        firewall
Pub       IPv4
Int:Pub   IPv4
Loc:Int   IPv4

These zones will make more sense once you see the hosts file:

#ZONE   HOST(S)                 OPTIONS
Loc     eth0:192.168.1.0/24     routeback
Int     eth0:192.168.0.0/16
Pub     eth0:0.0.0.0/0

Loc, Int, and Pub are 'nested zones'. I include Int to allow for those that have other networks. Note that the Loc line is the ONLY line in all of this that is specific to an install.

Now you need the policy file:

#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
all       fw     DROP     info
fw        all    DROP     info
all       all    DROP

This last policy is a catch-all, as your Amahi box should not be doing routing.

We are almost ready for rules. First I will show you the 3 macros I use. Macros are in /usr/share/shorewall:

macro.SMB:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      udp     135,445
PARAM     -        -      udp     137:139
PARAM     -        -      udp     1024:         137
PARAM     -        -      tcp     135,139,445

macro.VNC:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      tcp     5900:5909

macro.Web:

#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE    RATE    USER/
#                                 PORT(S)       PORT(S)   LIMIT   GROUP
PARAM     -        -      tcp     80            # HTTP (plaintext)
PARAM     -        -      tcp     443           # HTTPS (over SSL)

Now for the actual rules:

#ACTION       SOURCE   DEST   PROTO   DEST                                SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                     PORT                                PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT        all      all    icmp
ACCEPT        Loc      fw     udp     domain
ACCEPT        Loc      fw     tcp     domain                              # DNS needs tcp as well as udp
ACCEPT        Int      fw     tcp     rpcbind,http,ipp,rpasswd,nfs,daap
ACCEPT        Int      fw     udp     ntp                                 # NTP is udp/123, not tcp
ACCEPT        Int      fw     tcp     ssh                                 -         -          3/min
ACCEPT        Int      fw     tcp     10000                               # webmin
Web(ACCEPT)   Int      fw
SMB(ACCEPT)   Int      fw
VNC(ACCEPT)   Int      fw
#ACCEPT       Pub      fw
#ACCEPT       fw       Loc
#ACCEPT       fw       Int
SMB(ACCEPT)   fw       Int
ACCEPT        fw       Pub    udp     domain
ACCEPT        fw       Pub    tcp     domain                              # DNS needs tcp as well as udp
ACCEPT        fw       Pub    udp     ntp                                 # NTP is udp/123, not tcp
Web(ACCEPT)   fw       Pub

I have some commented rule groupings as placeholders as we figure out what else is needed. I have not tested everything, but SMB seems to work! I am accessing shares from my CentOS laptop from a subnet in zone Int by putting SMB://192.168.1.myamahi into Nautilus. Well, you get the idea!

PLEASE look these rules over; have I missed any protocol?

Having Amahi as a gateway with two interfaces will take a lot more....
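The tcp/udp questions in the opening post and the rules file in this post come down to one check: once the macros are expanded, which transports does each (source zone, dest zone, service) actually end up with? The following is an added Python example, not part of the thread and not Shorewall's own compiler. It inlines the three macros the way Shorewall substitutes PARAM and the "-" zone columns, then flags DNS entries that lack tcp and NTP entries granted over tcp. The column layouts, the /etc/services numbers and the sample rules file are assumptions or constructed input; the sample deliberately carries both slips (DNS udp-only, NTP over tcp) so there is something for the linter to find.

```python
"""Expand Shorewall macros into flat rules and lint the transports they allow.

Added example, not Amahi's or Shorewall's code. Assumptions: macro lines have
the layout  PARAM SOURCE DEST PROTO DPORT(S) [SPORT(S)]  and rule lines the
layout  ACTION SOURCE DEST PROTO DPORT(S) ...  as in the files shown in the
thread; "#" starts a comment; a "-" in a macro's SOURCE/DEST means "take it
from the invoking rule". Everything below is constructed sample input.
"""
import re

# Constructed copies of the three macros used in the thread.
MACROS = {
    "SMB": """
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024:  137
PARAM - - tcp 135,139,445
""",
    "VNC": "PARAM - - tcp 5900:5909\n",
    "Web": "PARAM - - tcp 80  # HTTP (plaintext)\nPARAM - - tcp 443 # HTTPS\n",
}

# Constructed rules file (NEW section only). It deliberately carries the two
# transport slips that are easy to make from a tcp-only nmap listing:
# DNS allowed over udp only, and NTP allowed over tcp.
RULES = """
SECTION NEW
ACCEPT      all  all  icmp
ACCEPT      Loc  fw   udp  domain
ACCEPT      Int  fw   tcp  rpcbind,ntp,http,ipp,rpasswd,nfs,daap
ACCEPT      Int  fw   tcp  ssh   -  -  3/min
ACCEPT      Int  fw   tcp  10000          # webmin
Web(ACCEPT) Int  fw
SMB(ACCEPT) Int  fw
VNC(ACCEPT) Int  fw
SMB(ACCEPT) fw   Int
ACCEPT      fw   Pub  udp  domain
ACCEPT      fw   Pub  tcp  ntp
Web(ACCEPT) fw   Pub
"""

# Port numbers from /etc/services for the names used above.
SERVICES = {"domain": 53, "ssh": 22, "ntp": 123, "http": 80, "ipp": 631,
            "rpcbind": 111, "rpasswd": 774, "nfs": 2049, "daap": 3689}
NEEDS_BOTH = {"domain"}   # queries over udp, large answers and zone transfers over tcp
UDP_ONLY = {"ntp"}        # NTP speaks udp/123; a tcp/123 rule never matches real traffic


def _fields(line):
    """Split one config line into fields, dropping any trailing comment."""
    return line.split("#", 1)[0].split()


def expand(rules_text, macros):
    """Inline macro invocations; return (action, src, dst, proto, dports, rest) tuples."""
    flat = []
    for line in rules_text.splitlines():
        f = _fields(line)
        if not f or f[0].upper() == "SECTION":
            continue
        call = re.fullmatch(r"(\w+)\((\w+)\)", f[0])
        if call:
            name, action = call.groups()
            for mline in macros[name].splitlines():
                m = _fields(mline)
                if not m:
                    continue
                # PARAM becomes the action named in the rule; "-" keeps the
                # rule's own source and destination zones.
                src = f[1] if m[1] == "-" else m[1]
                dst = f[2] if m[2] == "-" else m[2]
                flat.append((action, src, dst, m[3], m[4], m[5:]))
        else:
            proto = f[3] if len(f) > 3 else "-"
            dports = f[4] if len(f) > 4 else "-"
            flat.append((f[0], f[1], f[2], proto, dports, f[5:]))
    return flat


def lint(flat):
    """Report services allowed over the wrong transport for a (src, dst) pair."""
    protos_by_service = {}
    for _action, src, dst, proto, dports, _rest in flat:
        for svc in dports.split(","):
            protos_by_service.setdefault((src, dst, svc), set()).add(proto)
    findings = []
    for (src, dst, svc), protos in protos_by_service.items():
        if svc in NEEDS_BOTH and protos != {"udp", "tcp"}:
            findings.append(f"{src}->{dst} {svc}: only {'/'.join(sorted(protos))}, needs both udp and tcp")
        if svc in UDP_ONLY and "tcp" in protos:
            findings.append(f"{src}->{dst} {svc}: allowed over tcp, but {svc} is udp/{SERVICES[svc]}")
    return findings


if __name__ == "__main__":
    rules = expand(RULES, MACROS)
    print(f"{len(rules)} flat rules after macro expansion")
    for problem in lint(rules):
        print("WARN", problem)
```

Run stand-alone it expands the 12 rule lines into 20 flat rules and prints four warnings: Loc->fw and fw->Pub DNS are udp-only, and Int->fw and fw->Pub NTP are granted over tcp. Extending NEEDS_BOTH and UDP_ONLY (rpcbind and NFSv3 also want udp; NFSv4 is tcp-only) is the natural next step once the service list settles; `shorewall check` will only tell you the file compiles, not that the transports make sense.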
Re: Developing Shorewall rules
I forgot to mention the shorewall commands.
shorewall clear will clear out everything you defined in shorewall.
shorewall check will do a compile and report. Good for testing new rules.
shorewall start or restart to compile and put rules in force.
Re: Developing Shorewall rules
I just had a system hang on an smb access across a router. Got testing to do....
Re: Developing Shorewall rules
thanks for the rules!
what kind of a hang??
actual os hang?
or just the firewall going in between the client and the hda?
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1
Re: Developing Shorewall rules
Nautilus was not responding. It responded to smb://<amahi IP addr> and listed the shares, but when I tried to open Public, it hung. I had to kill Nautilus; this killed every running copy of it. When I tried to restart it, it would not. I then went to reboot the system, and then the system became unresponsive. Had to pull the AC and the battery to get a hard boot going.
There are a couple of different SMB macros with Shorewall. I have to find out what the difference is between them.
Re: Developing Shorewall rules
Stupid mistake.
I had started iptables, which is another front end to IPTABLES, and messed everything up.
As explained in the Shorewall documentation (that I was reminded to read again), Shorewall replaces the iptables configuration service.
One change I could make is to replace the 2 SMB macros with one SMBBI macro. But on review, I like the way the rules file 'looks' with the SMB macro. A reviewer can see what is happening without delving into the macro so much.
So I have a public web server I could put all the files up on if you want; otherwise, let's test away with the various apps and see if there are any other ports that need to be added to the rules file.
**I** feel better now having protection for my Amahi server.
Oh, one point about rate limiting for SSH. I implemented it to limit if ALL connections exceeded 3/min. There is an alternative which shuts down per source IP address, using the action macro:

Limit:none:SSHA,3,60   Pub   fw   tcp   ssh

This approach does not help if you are being attacked by a zombie net, where the connections are coming in from different IP addresses. And given that SSH is not a mainline function for Amahi, I went with the first approach. Actually on MY system, I move SSH to a different port AND rate limit!
So I will now leave working on Shorewall alone for a bit, and let others try it out. It may be a while for Shorewall6, depending on a few things. Next is the ntp server stuff I promised.
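The trade-off described in this post, a shared 3/min limit versus the per-source Limit action and why a zombie net defeats the latter, as an added Python example that is not from the thread and not Shorewall code. It models (as stated assumptions) the rules-file RATE LIMIT as iptables' limit match, one token bucket shared by every source refilling 3 tokens per 60 s with a burst of 5, and Limit:none:SSHA,3,60 as the recent match, at most 3 accepted new connections per source in a sliding 60 s window. The attack traffic, the admin's address 10.0.0.5 and the attacker addresses are constructed.

```python
"""Compare a shared SSH rate limit with a per-source one on constructed attack traffic.

Added example, not Shorewall code. Assumptions: a rules-file RATE LIMIT of
"3/min" is modelled as the iptables limit match, one token bucket shared by
every source that refills 3 tokens per 60 s with a burst of 5 (Shorewall's
default when no burst is given); "Limit:none:SSHA,3,60" is modelled as the
recent match, which allows each source at most 3 accepted new connections
in any sliding 60 s window and does not record dropped attempts. The
connection attempts below are constructed, not captured.
"""
from collections import defaultdict, deque
from fractions import Fraction


class GlobalLimit:
    """One token bucket for all sources (iptables -m limit --limit 3/min --limit-burst 5)."""

    def __init__(self, per_minute=3, burst=5):
        self.rate = Fraction(per_minute, 60)   # tokens added per second
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = 0

    def allow(self, now, _src):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimit:
    """Per-source sliding window (iptables -m recent --rcheck --seconds 60 --hitcount 3)."""

    def __init__(self, hits=3, seconds=60):
        self.hits, self.seconds = hits, seconds
        self.accepted = defaultdict(deque)    # src -> timestamps of accepted attempts

    def allow(self, now, src):
        window = self.accepted[src]
        while window and now - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.hits:
            return False      # DROP comes before --set, so this attempt is not recorded
        window.append(now)
        return True


def run(limiter, attempts):
    """attempts: (t_seconds, src_ip) pairs. Returns {src: (accepted, dropped)}."""
    tally = defaultdict(lambda: [0, 0])
    for now, src in sorted(attempts):
        tally[src][0 if limiter.allow(now, src) else 1] += 1
    return {src: tuple(counts) for src, counts in tally.items()}


def admin_vs_attackers(limiter, attempts, admin="10.0.0.5"):
    """(admin connections accepted, attacker connections accepted) under one limiter."""
    result = run(limiter, attempts)
    admin_ok = result.get(admin, (0, 0))[0]
    attackers_ok = sum(acc for src, (acc, _drop) in result.items() if src != admin)
    return admin_ok, attackers_ok


ADMIN = [(30, "10.0.0.5"), (45, "10.0.0.5")]
# Scenario 1: one brute-forcer trying every 3 s for a minute, plus the admin's two logins.
SINGLE_SOURCE = [(t, "192.0.2.10") for t in range(0, 60, 3)] + ADMIN
# Scenario 2: a 20-host "zombie net", each host trying twice, plus the same admin.
BOTNET = [(2 * i + k, f"198.51.100.{i + 1}") for i in range(20) for k in (0, 1)] + ADMIN


if __name__ == "__main__":
    for label, attempts in (("single source", SINGLE_SOURCE), ("botnet", BOTNET)):
        for name, limiter in (("global 3/min", GlobalLimit()), ("per-source SSHA,3,60", PerSourceLimit())):
            admin_ok, attackers_ok = admin_vs_attackers(limiter, attempts)
            print(f"{label:14} {name:22} admin accepted {admin_ok}/2, attackers accepted {attackers_ok}")
```

Against the single brute-forcer the shared bucket lets 7 of its 20 attempts through and locks the admin out both times, while the per-source window caps it at 3 and admits the admin twice. Against the 20-host botnet the picture flips: the per-source window passes all 40 attempts because no host exceeds 3, whereas the shared bucket admits only 6 of them (and one of the admin's two logins). That is the poster's point about zombie nets, and it is why a port move or key-only authentication belongs alongside either limit rather than instead of it.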