Linode Community Forums
ronpoz (Joined: 05 Jun 2004; Posts: 40; Location: Brooklyn, NY)
Posted: Fri Jan 07, 2005 11:27 am
Post subject: Shorewall locks me out (even when stopped) NEWBIE ALERT
Hello out there. I have to admit I am a newbie with firewalls, so I decided to try out Shorewall as my interface to iptables. I created a set of rules that allow various services: SSH, web, SMTP, etc. Once I type shorewall start, it loads, and then when I try to access my site I am unable to connect. So I then go into LISH and do a shorewall stop. I get the notice that it is stopped (to screen and in /var/log/messages). OK, here is where it gets goofy: now when I try to contact my website I still cannot contact it. So I do a ps -ef and see that neither shorewall nor iptables is running. I do a restart of Apache and still nothing. The only way I am able to get back online is to issue a reboot via the Linode members site.
Ok, here is the set of firewall rules I have in play:
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     loc   icmp   8
ACCEPT   net     loc   tcp    20
ACCEPT   net     loc   tcp    21
ACCEPT   net     loc   tcp    22
ACCEPT   net     loc   tcp    25
ACCEPT   net     loc   tcp    53
ACCEPT   net     loc   udp    53
ACCEPT   net     loc   tcp    80
ACCEPT   net     loc   tcp    110
ACCEPT   net     loc   tcp    143
ACCEPT   net     loc   tcp    443
ACCEPT   net     loc   tcp    465
ACCEPT   net     loc   tcp    993
ACCEPT   net     loc   tcp    995
ACCEPT   net     loc   tcp    79
ACCEPT   net     loc   tcp    2525
Interfaces:
#ZONE  INTERFACE  BROADCAST  OPTIONS
loc    eth0       detect     norfc1918,nobogons,blacklist,nosmurfs
Network zones:
#ZONE  DISPLAY  COMMENTS
net    Net      Internet
loc    Local    Local networks
dmz    DMZ      Demilitarized zone
Hosts:
Blank
Errors recorded to /var/log/messages when the above rules were enabled:
Jan 7 11:02:42 metrowebworks kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=160.79.56.5 DST=67.18.92.121 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=9010 DF PROTO=TCP SPT=1972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 11:17:02 metrowebworks kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=160.79.56.5 DST=67.18.92.121 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=47809 DF PROTO=TCP SPT=56273 DPT=79 WINDOW=64240 RES=0x00 SYN URGP=0
dmuench (Joined: 30 Oct 2003; Posts: 51; Location: Rochester, NY)
Posted: Fri Jan 07, 2005 2:04 pm
In your interfaces file, eth0 should be part of the "net" zone, not "loc".
Also, in your rules file, those should be "ACCEPT net fw ...." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc).
See if that helps. You can even comment loc out of the zones file, it's what I do.
Dave
sarge (Joined: 19 Dec 2004; Posts: 58)
Posted: Sat Jan 08, 2005 3:27 am
You can also use easier syntax in your rules file. For example, instead of the two lines you have for tcp ports 80 and 443, you can simply specify one rule:
AllowWeb net fw
There are numerous predefined Allow* rules available such as AllowSSH, AllowSMTP, AllowFTP, and so on.
You can also limit access to specific ip addresses. Like this to allow your firewall to access tcp 80 and 443 only on the specified ip address (there's usually no need to allow your firewall to access every possible website as a client):
AllowWeb fw net:123.123.123.123
SteveG (Joined: 30 Nov 2003; Posts: 232)
Posted: Mon Jan 10, 2005 11:11 am
Even easier: no firewall at all.
Now, before you reply that I'm an idiot, consider the circumstance of the typical linode: it's NOT a gateway protecting other machines, and it's NOT a personal use workstation. It's a standalone server. The ONLY ports that should have a process listening to them are ports for which you specifically configured a server, such as a web server, or a mail server. Any other services should simply be disabled. Any port on which you are running a service, you'll pass through the firewall, right? And any port you'd block, there shouldn't be anything listening anyway, right?
Now, of course there are circumstances and uses for a linode where a firewall can make sense. But for many common uses, a firewall is just an unnecessary complication.
sarge (Joined: 19 Dec 2004; Posts: 58)
Posted: Fri Jan 14, 2005 10:10 am
Interesting point. But there are a number of issues with that path.
Given that modern firewalls like shorewall can be configured in just a few minutes and the minimal cpu-usage cost, I think the ROI is easily justified in having a firewall on every server.
1. As shown in my previous post, a firewall can block outgoing traffic as well.
IMHO, it isn't a good idea for servers to be allowed to make outgoing connections to any ip address on any port.
For example, a Debian-based server might be allowed to connect to port 80 of a specific Debian mirror site so it can get updates, but not be allowed any other outgoing connection to other websites.
A server that is allowed to make outgoing connections without any restrictions is open to numerous automated attacks that can easily be prevented simply by restricting outbound connections.
2. A firewall can do things such as blocking requests from invalid ip addresses (for example, 127.0.0.1 or other local ip addresses coming in from the internet is obviously spoofed). It can block invalid tcp packets, bogons, etc. It can provide traffic-shaping so one busy service (http) doesn't prevent other services (ssh) from functioning well.
Given this, it is hard to imagine anyone not running a firewall on a server--especially when it is exposed to the public.
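The log lines in the first post show what the firewall records for a packet that matches no ACCEPT rule and falls through to the all2all policy chain, and sarge's point about obviously spoofed sources can be checked against the same log. As an added example that is not part of this thread and is not Shorewall code: a Python parser for the `Shorewall:<chain>:<disposition>:` kernel log format that classifies each record and tallies rejected destination ports. The first two sample lines are the ones posted; the two with a private and a loopback source address, and the `rfc1918` chain name on them, are constructed.

```python
"""Parse Shorewall's kernel log lines and classify what the firewall rejected.

Added example, not Shorewall code.  The first two sample lines are from the
first post (they reached the all2all policy chain because no rule matched
net -> fw); the last two, with a private and a loopback source and the
rfc1918 chain name, are constructed to show the spoofed-source case.
"""

import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 7 11:02:42 metrowebworks kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=160.79.56.5 DST=67.18.92.121 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=9010 DF PROTO=TCP SPT=1972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 11:17:02 metrowebworks kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=160.79.56.5 DST=67.18.92.121 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=47809 DF PROTO=TCP SPT=56273 DPT=79 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 7 11:20:15 metrowebworks kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=10.0.0.5 DST=67.18.92.121 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 7 11:21:03 metrowebworks kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=fe:fd:43:12:5c:79:00:04:dd:e0:23:02:08:00 SRC=127.0.0.1 DST=67.18.92.121 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=TCP SPT=4445 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Address blocks that can never legitimately be a source on an Internet-facing
# interface (what the norfc1918 / nobogons options on the posted interfaces
# line are meant to catch).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Log prefix "Shorewall:<chain>:<disposition>:" followed by the kernel's
# KEY=VALUE fields (plus bare flags such as DF and SYN).
PREFIX_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of the record's fields, or None for an unrelated line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    for token in m["rest"].split():
        key, eq, value = token.partition("=")
        if eq:                      # bare flags (DF, SYN) carry no '='
            rec[key] = value
    return rec


def classify(rec):
    """Why the packet was logged, from its source address and the chain name."""
    src = ipaddress.ip_address(rec["SRC"])
    if any(src in net for net in INVALID_SOURCES):
        return "spoofed-source"
    if rec["chain"].endswith("2all"):   # policy chain: no explicit rule matched
        return "policy-" + rec["disposition"].lower()
    return "rule-" + rec["disposition"].lower()


def summarize(log_text):
    """Count (classification, destination port) pairs over TCP/UDP records."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") in ("TCP", "UDP"):
            counts[(classify(rec), int(rec["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    for (kind, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:16s}  dport {port}")
```

On the posted lines the summary shows the real symptom directly: ports 80 and 79 reaching the policy chain from a public address means no net -> fw rule accepted them, which is the zone mix-up dmuench identified rather than an attack.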
ronpoz (Joined: 05 Jun 2004; Posts: 40; Location: Brooklyn, NY)
Posted: Thu Jan 27, 2005 10:06 pm
dmuench wrote:
    In your interfaces file, eth0 should be part of the "net" zone, not "loc".
    Also, in your rules file, those should be "ACCEPT net fw ...." instead of loc again. Unless you actually have some sort of router set up on your linode, you want to tell it to accept traffic destined for your firewall (fw), not your local networks (loc).
    See if that helps. You can even comment loc out of the zones file, it's what I do.
    Dave

Bingo! That fixed it!
Thanks!!!!