Shoreline Firewall (Shorewall)

John McMonagle wrote:

> Considerations:
> Do not want to stop lookups of advocap.org
> Don't want to stop transfers to/from slaves. Isn't that via tcp anyway?

Yes, it is.

> 
> advocap.org doesn't have that much to lookup. Only about a dozen entries 
> and  suspect most are for mail.advocap.org http://www.advocap.org and for spf text.
> 
> Any idea what good limits would be?

I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
my DNS server down to a trickle.

Legitimate DNS servers should cache any response and since I only have a
few hosts, this seemed like a reasonable setting to me. YYMV.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
>   
>> advocap.org doesn't have that much to lookup. Only about a dozen entries 
>> and  suspect most are for mail.advocap.org http://www.advocap.org and for spf text.
>>
>> Any idea what good limits would be?
>>     
>
> I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
> my DNS server down to a trickle.
>
> Legitimate DNS servers should cache any response and since I only have a
> few hosts, this seemed like a reasonable setting to me. YYMV.
>
> -Tom
>   
Thanks

Seems to help.
I'll try your settings.

I tried a count of 20 and got an error on shorewall restart.
Less than that is OK.

No reason to go that high just figure I should mention it.

Is there a way to test what ips are being blocked?

John

John McMonagle wrote:
> Tom Eastep wrote:
>>   
>>> advocap.org doesn't have that much to lookup. Only about a dozen entries 
>>> and  suspect most are for mail.advocap.org http://www.advocap.org and for spf text.
>>>
>>> Any idea what good limits would be?
>>>     
>> I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
>> my DNS server down to a trickle.
>>
>> Legitimate DNS servers should cache any response and since I only have a
>> few hosts, this seemed like a reasonable setting to me. YYMV.
>>
>> -Tom
>>   
> Thanks
> 
> Seems to help.
> I'll try your settings.
> 
> I tried a count of 20 and got an error on shorewall restart.
> Less than that is OK.
> 
> No reason to go that high just figure I should mention it.

No reason to mention it unless you include details -
http://www.shorewall.net/support.htm#Guidelines.

> 
> Is there a way to test what ips are being blocked?

You have to look at (and interpret) /proc/net/ipt_recent. Basically,
those with lots of entries are being blocked.

I've been experimenting and think that I have a much better approach.
Its only drawback is that it requires that you install the xtables
addons; but that's easy. And you must be using Shorewall-perl

Add this to /etc/shorewall/actions:

	DNSDDOS

Create /etc/shorewall/action.DDNSDOS:

	# This file is intentionally left empty

Create /etc/shorewall/DDNSDOS as:

	use Shorewall::Chains;

	add_rule $chainref, q(-m string --algo kmp --from 2 --hex-string
		"|010000010000000000000000020001|" -j DROP)


The add_rule call should all be on one line.

In /etc/shorewall/rules:

	DNSDDOS		net	z:<dns server ip>	udp	domain
	ACCEPT		net	z:<dns server ip>	udp	domain

That detects NS queries against "." and simply drops them. 'z' is the
zone where your DNS server lives. Specifying you dns server ip address
is of course optional.

Here it is in operation:

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination
...
  554 25376 DNSDDOS    udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:53
   18  1256 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:53

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:

> I've been experimenting and think that I have a much better approach.
> Its only drawback is that it requires that you install the xtables
> addons; but that's easy. And you must be using Shorewall-perl

Actually, you do *not* need to install the xtables addons. Most
distribution kernels alreay include string match.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:

> 	add_rule $chainref, q(-m string --algo kmp --from 2 --hex-string
> 		"|010000010000000000000000020001|" -j DROP)

I misunderstood how string match works. The following rule restricts the
match to exactly the place in the message where the tell-tale pattern
occurs:

	add_rule $chainref, q(-m string --algo bm --from 29 --to 30
	  --hex-string "|010000010000000000000000020001|" -j DROP);

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Moses Truong wrote:
> I am trying to set up traffic shaping for incoming traffic by using the 
> IFB to give SSH traffic priority. However, there seems to be no traffic 
> going through the IFB.
> 
> Are there anything I'm missing in the settings?
> 

There is no way to tell from the information that you sent. AFAIK, there
is no way to determine if traffic entering on one interface is being
sent through an IFB at all! If anyone knows a wayu, please tell us the
secret.

Moses: You can send us the /var/lib/shorewall/.restore file so we can
see what commands were executed at the last 'shorewall start/restart'.
But that won't be definitive.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:

> 
> Moses: You can send us the /var/lib/shorewall/.restore file so we can
> see what commands were executed at the last 'shorewall start/restart'.
> But that won't be definitive.
> 

Wouldn't hurt to include the output of "shorewall dump" as an
attachment; and be sure that you have generated traffic that you believe
will go through the IFB.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________