From: lists_shorewall <lis...@bi...> - 2008-06-29 20:16:04

Tom Eastep wrote:
> lists_shorewall wrote:
>
>> Has anyone used the Snort inline functionality with Shorewall?
>
> I haven't
>
>> How do I modify that rule to pass the packets to Snort inline for
>> inspection prior to being passed on to the webserver? Do I need two
>> rules? One to send to Snort inline and then another subsequent rule to
>> forward to the webserver? I'm not clear on how packets are sent to
>> Snort inline for inspection and then passed back to Shorewall in order
>> (in my example) to be forwarded on to a webserver.
>
> That question is a bit troubling as it implies that you think that
> Shorewall handles packets. Shorewall (whether Shorewall-perl or
> Shorewall-shell) results in a SHELL PROGRAM that configures your
> kernel; Shorewall itself never touches a packet.

I'm well aware that Shorewall creates a set of iptables rules. In fact,
prior to sending my original email to this list I had been looking at
the rules created by Shorewall-perl by issuing the command iptables -L.
Forgive my slip of the tongue/fingers.

> But back to your question...
>
> A DNAT rule in Shorewall results in two equivalent rules. The
> following are equivalent:
>
> DNAT net dmz:10.100.0.4 TCP 80 - 206.124.146.180
>
> DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
> ACCEPT net dmz:10.100.0.4 tcp 80 - 206.124.146.180
>
> Notes:
>
> 1) your original rule is a little silly -- HTTP/<anything> implies
> 'tcp 80' so it is redundant to repeat those elements)

True and duly noted.

> 2) in Shorewall-perl 4.2, you may omit the zone (dmz:) before the
> destination DEST address in the DNAT- rule; in fact, the above DNAT-
> rule will generate a warning.
>
> So if you want to send the accepted packets to the QUEUE target, you
> just code this:
>
> DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
> QUEUE net dmz:10.100.0.4 tcp 80 - 206.124.146.180
>
> BUT.... that pair of rules only determines what happens to THE FIRST
> PACKET IN A CONNECTION to port 80. If you want to pass all incoming
> packets in a connection to Snort Inline (high latency?) then you need
> to add the second rule to the ESTABLISHED section of the rules file in
> addition to the NEW section. That is required in order for Snort-inline
> to notice that the remote criminals are trying to access
> 206.124.146.180/php.exe...

Thanks for the explanation. I assume there's no way to preserve any
iptables rules created by snort inline across reboots of the router or
restarts of Shorewall? I haven't looked at Snort inline in a great level
of detail so maybe there's a way to capture the IP addresses that Snort
inline determines should be blocked and incorporate them into a
blacklist file. That's not a feature request, just thinking out loud...

Regards,
Steve.
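A check for the point Tom makes about the ESTABLISHED section, added here as an example that is not from the thread or from Shorewall itself: a small Python script that parses a Shorewall 4.x rules file, reports QUEUE rules that appear in the NEW section but have no identical counterpart in the ESTABLISHED section (so only the first packet of each connection would reach Snort inline), and inserts the missing rules. It assumes the `SECTION ESTABLISHED`/`SECTION NEW` directive syntax of Shorewall 4.x; the sample rules file is constructed.

```python
# Constructed sample rules file: the QUEUE rule is only in the NEW section,
# so only the connection's first packet would be handed to Snort inline.
RULES = """\
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
DNAT-   net   dmz:10.100.0.4   tcp   80   -   206.124.146.180
QUEUE   net   dmz:10.100.0.4   tcp   80   -   206.124.146.180   # to Snort
"""


def parse_rules(text):
    """Return (section, action, other_columns) for each rule line.

    Shorewall puts every rule in the NEW section when no SECTION line is
    present, so that is the default. '#' starts a comment; columns are
    whitespace separated. Log-level suffixes like QUEUE:info are stripped.
    """
    section, rules = "NEW", []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) == 2 and cols[0].upper() == "SECTION":
            section = cols[1].upper()
            continue
        rules.append((section, cols[0].split(":")[0].upper(), tuple(cols[1:])))
    return rules


def missing_established_queue(text):
    """QUEUE rules present in NEW but absent from ESTABLISHED (sorted)."""
    rules = parse_rules(text)
    in_new = {c for s, a, c in rules if s == "NEW" and a == "QUEUE"}
    in_est = {c for s, a, c in rules if s == "ESTABLISHED" and a == "QUEUE"}
    return sorted(in_new - in_est)


def add_established_queue(text):
    """Return the rules text with the missing ESTABLISHED QUEUE rules added."""
    missing = missing_established_queue(text)
    if not missing:
        return text
    new_lines = ["QUEUE\t" + "\t".join(cols) for cols in missing]
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        cols = raw.split("#", 1)[0].split()
        if [c.upper() for c in cols] == ["SECTION", "ESTABLISHED"]:
            return "\n".join(lines[: i + 1] + new_lines + lines[i + 1:]) + "\n"
    # No SECTION lines at all: add them in the order Shorewall requires.
    return "\n".join(["SECTION ESTABLISHED"] + new_lines
                     + ["SECTION NEW"] + lines) + "\n"
```

Run `missing_established_queue` on the real file before a `shorewall restart` to catch a QUEUE rule that was added to NEW only.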