Additional firewall (Shorewall) - jmeyerdo - 02-04-2008 09:58 PM
Hello!
I would really like to open only specific ports to the outside and not use the firewall just for traffic logging.
To that end I have now installed Shorewall. When I restart the "ispcp-network" script after starting Shorewall, all the rules also seem to be in place correctly.
Or does anyone see overlaps/problems here?
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ISPCP_INPUT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ISPCP_OUTPUT all -- anywhere anywhere
eth0_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere
Chain Drop (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:ssdp
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain ISPCP_INPUT (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:smtp
tcp -- anywhere anywhere tcp dpt:imap
tcp -- anywhere anywhere tcp dpt:pop3
tcp -- anywhere anywhere tcp dpt:http
RETURN all -- anywhere anywhere
Chain ISPCP_OUTPUT (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp spt:smtp
tcp -- anywhere anywhere tcp spt:imap
tcp -- anywhere anywhere tcp spt:pop3
tcp -- anywhere anywhere tcp spt:http
RETURN all -- anywhere anywhere
Chain Reject (4 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:ssdp
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain eth0_out (1 references)
target prot opt source destination
fw2net all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
reject icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere
Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0 anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
Are there any other tips on using an extended firewall with ISPCP?
Best regards, Jens
RE: Additional firewall (Shorewall) - joximu - 02-04-2008 10:59 PM
In general it would of course be better not to let the "forbidden" ports listen to the outside in the first place.
A firewall (iptables) is useful when the server service has no IP-based access rules of its own...
But basically this should work together fine... ispcp_network only creates logging/statistics rules, so that should not cause any problems.
Regards
J
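To check the listing posted above against joximu's point that ispcp_network only installs logging/statistics rules, here is an added example that is not part of the thread and not ispCP's or Shorewall's own code. The script parses `iptables -L` output in the format shown above and reports, per chain, the policy, whether the chain only counts packets (every rule has an empty target or RETURNs, which is what the ISPCP_INPUT/ISPCP_OUTPUT chains look like), which destination ports the ACCEPT rules open, and how many ACCEPT rules carry no match at all. The embedded listing is a constructed excerpt in that format, not the full output from the post. One caveat when reading such listings: `iptables -L` without `-v` hides the in/out interface columns, so a rule that appears as `ACCEPT all anywhere anywhere` may in fact be bound to a single interface such as the loopback; run `iptables -L -v -n` before drawing conclusions from those lines.

```python
"""Audit an `iptables -L` listing: which chains only count packets (no target,
as ispcp-network's accounting rules do) and which ports each chain ACCEPTs.
Added example; SAMPLE_LISTING is a constructed excerpt in the format of the
listing posted in the thread, not the poster's full output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ISPCP_INPUT  all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain ISPCP_INPUT (1 references)
target     prot opt source               destination
           tcp  --  anywhere             anywhere             tcp dpt:smtp
           tcp  --  anywhere             anywhere             tcp dpt:imap
           tcp  --  anywhere             anywhere             tcp dpt:pop3
           tcp  --  anywhere             anywhere             tcp dpt:http
RETURN     all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
reject     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,imap
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       all  --  anywhere             anywhere
"""

PROTOCOLS = {"all", "tcp", "udp", "icmp", "udplite", "esp", "ah", "sctp"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


@dataclass
class Rule:
    target: str            # "" for a counting-only rule (ispCP accounting style)
    prot: str
    source: str
    destination: str
    extra: List[str] = field(default_factory=list)   # match options after the five columns


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L` (without -v/-n) output into Chain objects."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header, or text before the first chain
        tokens = line.split()
        # An empty target column leaves the protocol as the first token.
        if tokens[0] in PROTOCOLS and len(tokens) > 1 and tokens[1] == "--":
            tokens.insert(0, "")
        if len(tokens) < 5:
            continue  # not a rule line we understand
        target, prot, _opt, src, dst, *extra = tokens
        current.rules.append(Rule(target, prot, src, dst, extra))
    return chains


def accounting_only(chain: Chain) -> bool:
    """True if the chain never decides anything: every rule only counts
    (empty target) or RETURNs, which is what ispcp-network installs."""
    return bool(chain.rules) and all(r.target in ("", "RETURN") for r in chain.rules)


def accepted_ports(chain: Chain) -> List[str]:
    """Destination ports (as iptables prints them) opened by ACCEPT rules."""
    ports: List[str] = []
    for r in chain.rules:
        if r.target != "ACCEPT":
            continue
        for i, tok in enumerate(r.extra):
            if tok.startswith("dpt:") or tok.startswith("dpts:"):
                ports.append(tok.split(":", 1)[1])
            elif tok == "dports" and i + 1 < len(r.extra):
                ports.extend(r.extra[i + 1].split(","))
    return ports


def unconditional_accepts(chain: Chain) -> int:
    """ACCEPT rules that show no match at all in `iptables -L`. Such a rule
    may still be bound to an interface (e.g. lo), which only `-v` reveals."""
    return sum(1 for r in chain.rules
               if r.target == "ACCEPT" and r.prot == "all" and not r.extra)


def audit(text: str) -> Dict[str, dict]:
    """Per-chain summary of policy, accounting-only status and open ports."""
    return {
        name: {
            "policy": c.policy,
            "accounting_only": accounting_only(c),
            "accepted_ports": accepted_ports(c),
            "unconditional_accepts": unconditional_accepts(c),
        }
        for name, c in parse_listing(text).items()
    }


if __name__ == "__main__":
    for name, info in audit(SAMPLE_LISTING).items():
        print(f"{name:12} policy={info['policy']} accounting_only={info['accounting_only']} "
              f"ports={info['accepted_ports']} unconditional_accepts={info['unconditional_accepts']}")
```

Feed it the full `iptables -L` output (`iptables -L | python3 audit.py` after replacing SAMPLE_LISTING with `sys.stdin.read()`) to confirm that the ISPCP_* chains come out as accounting-only and that the only ports opened from the net zone are the ones listed in net2fw.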
RE: Additional firewall (Shorewall) - jmeyerdo - 02-04-2008 11:19 PM
joximu Wrote: In general it would of course be better not to let the "forbidden" ports listen to the outside in the first place.
A firewall (iptables) is useful when the server service has no IP-based access rules of its own...
Exactly - and a firewall can do a bit more than just forbid access (possibly IP-based) to a port...
Good to hear that you don't see any problems/overlaps. Then I'll keep testing the accounting.
Best regards, Jens
RE: Additional firewall (Shorewall) - BeNe - 02-04-2008 11:26 PM
Quote: I would really like to open only specific ports to the outside and not use the firewall just for traffic logging
That is just how ispCP does it. For the rest, you are responsible yourself.
Anything else wouldn't make sense anyway. But you've already realized that.
Quote: Then I'll keep testing the accounting.
I would do the same and see how it develops.
Greez BeNe