moblock not blocking with firehol (??)

bighornram
2007-11-07
2012-11-11
  • bighornram  2007-11-07

    I'm using firehol with moblock in Debian lenny with a recompiled kernel 2.6.23. The moblock test blocks when firehol is not enabled but fails with firehol. Here is my firehol.conf file. Any tips on how to fix this?
    -------------------------------------------------

    #!/sbin/firehol
    # ------------------------------------------------------------------------------
    # This feature is under construction -- use it with care.
    # *** NEVER USE THIS CONFIG AS-IS ***
    #
    # : firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
    # (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
    # FireHOL is distributed under GPL.
    # Home Page: http://firehol.sourceforge.net
    #
    # ------------------------------------------------------------------------------
    # FireHOL controls your firewall. You should want to get updates quickly.
    # Subscribe (at the home page) to get notified of new releases.
    # ------------------------------------------------------------------------------
    #
    # This config will have the same effect as NO PROTECTION!
    # Everything that is found to be running is allowed.
    #
    # Date: Sun Nov 4 14:06:52 MST 2007 on host debian-gw
    #
    # The TODOs below are YOUR to-dos!

    # Added for moblock configuration.
    # Note: 'iptables -I' inserts at the top of the chain, so the chain is
    # evaluated in the reverse of the order written here: https, http,
    # ESTABLISHED/RELATED, and finally NEW -> QUEUE (handed to moblock in
    # userspace). Only traffic that FireHOL sends to PEERGUARDIAN (via the
    # 'client'/'server' lines below that name it) ever reaches this chain.
    iptables --new PEERGUARDIAN
    iptables -I PEERGUARDIAN -p all -m state --state NEW -j QUEUE
    iptables -I PEERGUARDIAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I PEERGUARDIAN -p tcp --dport http -j ACCEPT
    iptables -I PEERGUARDIAN -p tcp --dport https -j ACCEPT


    ### DEBUG: Processing interface 'eth0'

    # Ignoring interface 'eth0' because it does not have an IP or route.

    ### DEBUG: Processing interface 'wlan0'
    ### DEBUG: Processing IP 172.16.1.101 of interface 'wlan0'
    ### DEBUG: Is 172.16.1.101 part of network 172.16.1.0/24? yes

    # Interface No 1.
    # The purpose of this interface is to control the traffic
    # on the wlan0 interface with IP 172.16.1.101 (net: "172.16.1.0/24").
    # TODO: Change "interface1" to something with meaning to you.
    # TODO: Check the optional rule parameters (src/dst).
    # TODO: Remove 'dst 172.16.1.101' if this is dynamically assigned.
    # interface wlan0 interface1 src "172.16.1.0/24" dst 172.16.1.101
    interface wlan0 LAN src "172.16.1.0/24" dst 172.16.1.101

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind wlan0 (net "172.16.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on wlan0.
    # TODO: Normally, you will have to remove those not needed.
    client dhcp accept
    server "cups ICMP jabber" PEERGUARDIAN

    # The following wlan0 server ports are not known by FireHOL:
    #  tcp/8010 udp/8010
    # TODO: If you need any of them, you should define new services.
    #       (see Adding Services at the web site - http://firehol.sf.net).

    # The following means that this machine can REQUEST anything via wlan0.
    # TODO: On production servers, avoid this and allow only the
    #       client services you really need.
    client all PEERGUARDIAN


    ### DEBUG: Is 172.16.1.1 part of network 172.16.1.0/24? yes
    ### DEBUG: Default gateway 172.16.1.1 is part of network 172.16.1.0/24

    # Interface No 2.
    # The purpose of this interface is to control the traffic
    # from/to unknown networks behind the default gateway 172.16.1.1 .
    # TODO: Change "interface2" to something with meaning to you.
    # TODO: Check the optional rule parameters (src/dst).
    # TODO: Remove 'dst 172.16.1.101' if this is dynamically assigned.
    # interface wlan0 interface2 src not "${UNROUTABLE_IPS} 172.16.1.0/24" dst 172.16.1.101
    interface wlan0 INTERNET src not "${UNROUTABLE_IPS} 172.16.1.0/24" dst 172.16.1.101

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind wlan0 (net not "${UNROUTABLE_IPS} 172.16.1.0/24"),
    # add something like this.
    protection strong

    # Here are the services listening on wlan0.
    # TODO: Normally, you will have to remove those not needed.

    # Custom service definition: a "torrent" service is the tcp/6881:6999
    # port range on the server side, with default (ephemeral) client ports.
    server_torrent_ports="tcp/6881:6999"
    client_torrent_ports="default"

    server "torrent" PEERGUARDIAN

    # The following wlan0 server ports are not known by FireHOL:
    #  tcp/8010 udp/8010
    # TODO: If you need any of them, you should define new services.
    #       (see Adding Services at the web site - http://firehol.sf.net).

    # The following means that this machine can REQUEST anything via wlan0.
    # TODO: On production servers, avoid this and allow only the
    #       client services you really need.
    client "dhcp http https ftp ssh jabber imap torrent webcache" PEERGUARDIAN


    # Interface No 3.
    # The purpose of this interface is to control the traffic
    # on the wlan0 interface with IP 172.16.1.101 (net: "172.16.1.0/24").
    # TODO: Change "interface1" to something with meaning to you.
    # TODO: Check the optional rule parameters (src/dst).
    # TODO: Remove 'dst 172.16.1.101' if this is dynamically assigned.
    # interface wlan0 interface1 src "172.16.1.0/24" dst 172.16.1.101
    interface wlan0 DMZ src "192.168.10.0/24" dst 172.16.1.101

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind wlan0 (net "172.16.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on wlan0.
    # TODO: Normally, you will have to remove those not needed.
    server "jabber" PEERGUARDIAN

    # The following wlan0 server ports are not known by FireHOL:
    #  tcp/8010 udp/8010
    # TODO: If you need any of them, you should define new services.
    #       (see Adding Services at the web site - http://firehol.sf.net).

    # The following means that this machine can REQUEST anything via wlan0.
    # TODO: On production servers, avoid this and allow only the
    #       client services you really need.
    client "https http jabber ssh" PEERGUARDIAN


    # Interface No 4.
    # The purpose of this interface is to control the traffic
    # on the wlan0 interface with IP 172.16.1.101 (net: "172.16.1.0/24").
    # TODO: Change "interface1" to something with meaning to you.
    # TODO: Check the optional rule parameters (src/dst).
    # TODO: Remove 'dst 172.16.1.101' if this is dynamically assigned.
    # interface wlan0 interface1 src "172.16.1.0/24" dst 172.16.1.101
    interface wlan0 WEATHERCHANNEL src "172.16.1.0/24" dst 63.111.24.33

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind wlan0 (net "172.16.1.0/24"),
    # add something like this.
    protection strong

    # Here are the services listening on wlan0.
    # TODO: Normally, you will have to remove those not needed.

    # The following wlan0 server ports are not known by FireHOL:
    #  tcp/8010 udp/8010
    # TODO: If you need any of them, you should define new services.
    #       (see Adding Services at the web site - http://firehol.sf.net).

    # The following means that this machine can REQUEST anything via wlan0.
    # TODO: On production servers, avoid this and allow only the
    #       client services you really need.

    # Here are the services listening on wlan0.
    # TODO: Normally, you will have to remove those not needed.
    client http PEERGUARDIAN


    ### DEBUG: Processing interface 'wmaster0'

    # Ignoring interface 'wmaster0' because it does not have an IP or route.

    # The above 2 interfaces were found active at this moment.
    # Add more interfaces that can potentially be activated in the future.
    # FireHOL will not complain if you setup a firewall on an interface that is
    # not active when you activate the firewall.
    # If you don't setup an interface, FireHOL will drop all traffic from or to
    # this interface, if and when it becomes available.
    # Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
    # you can use the plus (+) character to match all of them (i.e. ppp+).

    # No router statements have been produced, because your server
    # is not configured for forwarding traffic.

     
    • Costa Tsaousis  2007-11-08

      Hi,

      I don't see anything wrong.

      Did you try NFQUEUE instead of QUEUE?
      Are the required kernel modules loaded (ip_queue for QUEUE, ipt_NFQUEUE for NFQUEUE, ipt_state for both)?

      If you run 'firehol status' it will show you byte and packet counters next to each rule. Do you see the packet counters in PEERGUARDIAN chain increasing? In the QUEUE statement?

      Do you have any iptables logs?

      Costa

       
    • bighornram  2007-11-08

      Chain PEERGUARDIAN (30 references)
       pkts  bytes  target  prot opt in  out  source     destination
          0      0  ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:443
        324  48989  ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:80
        362 355710  ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
          2    120  QUEUE   all  --  *   *    0.0.0.0/0  0.0.0.0/0  state NEW

      Chain in_INTERNET_http_c3 (1 references)
       pkts  bytes  target        prot opt in  out  source     destination
        326 351863  PEERGUARDIAN  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp spt:80 dpts:32768:61000 state ESTABLISHED

      Chain out_INTERNET_http_c3 (1 references)
       pkts  bytes  target        prot opt in  out  source     destination
        324  48989  PEERGUARDIAN  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp spts:32768:61000 dpt:80 state NEW,ESTABLISHED

      debian-gw:/home/jeff# moblock-control test
      Testing MoBlock: trying to ping 4.18.162.101 from /etc/moblock/guarding.p2p ...
      * MoBlock did not block the IP. Test failed.
      * Have a look at "/usr/bin/moblock-control status"

      Nov 8 08:30:20 debian-gw kernel: ''OUT-INTERNET':'IN= OUT=wlan0 SRC=172.16.1.101 DST=4.18.162.102 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=42257 SEQ=1

       
    • bighornram  2007-11-11

      Adding icmp to the client list on interface 2 "internet" solved the problem. Now moblock-control test returns a successful blocked response.
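The two checks made in this thread, Costa's "is the QUEUE rule seeing any packets" question and the final fix of routing icmp to the blocklist chain, as an added shell example. This is editor-added code, not code from the thread or from the FireHOL or MoBlock projects. `queue_pkts` reads a `firehol status` / `iptables -nvL` style dump and returns the packet counter of the QUEUE (or NFQUEUE) rule in a named chain, so you can tell whether the chain moblock listens on is receiving NEW connections at all. `clients_without_icmp` reads a firehol.conf and lists every `policy drop` interface whose `client` lines never send icmp (or `all`) to the blocklist chain; `add_icmp_client` patches the client line of one interface. The status dump and the trimmed config embedded below are constructed from what was posted above (the counters are the ones shown in the thread), and the function names are my own. The point the thread illustrates: FireHOL only jumps to a user chain such as PEERGUARDIAN for the services that name it on a `client`/`server` line; anything else is handled by the interface's `policy drop` and its log rule (the `'OUT-INTERNET'` log line above) before moblock ever sees it, so an ICMP test can only pass on the interface whose src/dst matches the test packet, which for a ping to a routable address is INTERNET and not LAN or DMZ.

```shell
#!/bin/sh
# Added example (not from the thread, FireHOL or MoBlock): check whether a
# blocklist chain is actually receiving traffic and which interfaces never
# route icmp to it. POSIX sh + awk only; runs offline on the embedded samples.
set -eu

# Constructed sample of a 'firehol status' dump, modelled on the counters
# posted in the thread.
SAMPLE_STATUS='Chain PEERGUARDIAN (30 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp  -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
  324 48989 ACCEPT tcp  -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
  362 355710 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    2   120 QUEUE  all  -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain in_INTERNET_http_c3 (1 references)
 pkts bytes target prot opt in out source destination
  326 351863 PEERGUARDIAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:32768:61000 state ESTABLISHED
'

# Constructed, trimmed copy of the posted firehol.conf (comments removed).
SAMPLE_CONF='interface wlan0 LAN src "172.16.1.0/24" dst 172.16.1.101
    policy drop
    client dhcp accept
    server "cups ICMP jabber" PEERGUARDIAN
    client all PEERGUARDIAN

interface wlan0 INTERNET src not "${UNROUTABLE_IPS} 172.16.1.0/24" dst 172.16.1.101
    policy drop
    protection strong
    server "torrent" PEERGUARDIAN
    client "dhcp http https ftp ssh jabber imap torrent webcache" PEERGUARDIAN

interface wlan0 DMZ src "192.168.10.0/24" dst 172.16.1.101
    policy drop
    server "jabber" PEERGUARDIAN
    client "https http jabber ssh" PEERGUARDIAN

interface wlan0 WEATHERCHANNEL src "172.16.1.0/24" dst 63.111.24.33
    policy drop
    protection strong
    client http PEERGUARDIAN
'

# queue_pkts CHAIN: read a status dump on stdin and print the packet counter
# of the first QUEUE/NFQUEUE rule in CHAIN, or -1 if CHAIN has no such rule.
queue_pkts() {
    awk -v chain="$1" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && !found && ($3 == "QUEUE" || $3 == "NFQUEUE") { print $1; found = 1 }
        END { if (!found) print -1 }
    '
}

# clients_without_icmp CHAIN: read a firehol.conf on stdin and print, sorted,
# every interface that has "policy drop" but no client line sending icmp
# (or all) to CHAIN. Outbound pings on such an interface are dropped and
# logged by the policy and never reach the blocklist.
clients_without_icmp() {
    awk -v chain="$1" '
        $1 == "interface" { iface = $3; drop[iface] = 0; covered[iface] = 0; next }
        $1 == "policy" && $2 == "drop" { drop[iface] = 1; next }
        $1 == "client" && $NF == chain {
            # services are the fields between "client" and the target chain
            for (i = 2; i < NF; i++) {
                s = tolower($i); gsub(/"/, "", s)
                if (s == "all" || s == "icmp") covered[iface] = 1
            }
            next
        }
        END { for (i in drop) if (drop[i] && !covered[i]) print i }
    ' | sort
}

# add_icmp_client CHAIN IFACE: rewrite the conf on stdin so that the client
# line of IFACE that targets CHAIN also carries icmp, keeping everything else.
add_icmp_client() {
    awk -v chain="$1" -v target="$2" '
        $1 == "interface" { iface = $3 }
        iface == target && $1 == "client" && $NF == chain {
            if ($2 ~ /^"/) sub(/"/, "\"icmp ", $0)            # quoted list
            else sub(/client[ \t]+[^ \t]+/, "client \"icmp " $2 "\"", $0)  # single service
        }
        { print }
    '
}

echo "NEW packets handed to QUEUE in PEERGUARDIAN: $(printf '%s' "$SAMPLE_STATUS" | queue_pkts PEERGUARDIAN)"
echo "policy-drop interfaces that never route icmp to PEERGUARDIAN:"
printf '%s' "$SAMPLE_CONF" | clients_without_icmp PEERGUARDIAN
echo "INTERNET client line after the fix:"
printf '%s' "$SAMPLE_CONF" | add_icmp_client PEERGUARDIAN INTERNET | grep '"icmp '
```

Usage on a live box would be `firehol status | queue_pkts PEERGUARDIAN` before and after a `moblock-control test`; if the number does not move, the test traffic is being dropped by an interface policy rather than judged by moblock, and `clients_without_icmp PEERGUARDIAN < /etc/firehol/firehol.conf` shows which interfaces cannot pass it. The static check flags every interface missing icmp; which one you must fix is the one whose src/dst matches the test packet.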