* shorewall: how to open high port
From: Fajar Priyanto @ 2004-04-01 3:13 UTC (permalink / raw)
To: netfilter
Dear all,
Anyone using shorewall?
I have this strange case. On my notebook, I set the policy and rules like this:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
net       $FW    DROP     ULOG
$FW       net    ACCEPT   ULOG
loc       net    ACCEPT   ULOG
all       all    DROP     ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#ACTION        SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL
#                                      PORT     PORT(S)   DEST
ACCEPT:ULOG    loc      $FW    tcp     110      -
ACCEPT:ULOG    loc      $FW    tcp     25       -
ACCEPT:ULOG    loc      $FW    tcp     22,21    -
ACCEPT:ULOG    $FW      net    tcp     5050     -
ACCEPT:ULOG    $FW      all    all     -        -
DROP:ULOG      net      $FW    all     -        -
ACCEPT:ULOG    net      $FW    tcp     80       -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
And in my local server, very similar:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
net       fw     DROP     info
#net      all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#ACTION   SOURCE   DEST   PROTO   DEST                                                SOURCE    ORIGINAL
#                                 PORT                                                PORT(S)   DEST
ACCEPT    net      fw     udp     53                                                  -
ACCEPT    net      fw     tcp     80,443,53,22,20,21,25,109,110,143,783,993,10000    -
ACCEPT    fw       net    all     -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
But the PROBLEM is:
I can't connect to my server using FTP, nor from the server to my notebook. In
/var/log/messages on the server, it drops a high port:

Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0

Can anyone give me direction here? Why doesn't the setting work? How do I open
this "high port"? Is it safe to do so?
TIA
--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
20:20:11 up 12:23, Mandrake Linux release 9.2 (FiveStar) for i586
public key: https://www.arinet.org/fajar-pub.key
* RE: shorewall: how to open high port
From: Rob Sterenborg @ 2004-04-01 5:28 UTC (permalink / raw)
To: netfilter
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> net       $FW    DROP     ULOG
> $FW       net    ACCEPT   ULOG
> loc       net    ACCEPT   ULOG
> all       all    DROP     ULOG
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> #ACTION        SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL
> #                                      PORT     PORT(S)   DEST
> ACCEPT:ULOG    loc      $FW    tcp     110      -
> ACCEPT:ULOG    loc      $FW    tcp     25       -
> ACCEPT:ULOG    loc      $FW    tcp     22,21    -
> ACCEPT:ULOG    $FW      net    tcp     5050     -
> ACCEPT:ULOG    $FW      all    all     -        -
> DROP:ULOG      net      $FW    all     -        -
> ACCEPT:ULOG    net      $FW    tcp     80       -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> And in my local server, very similar:
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> fw        net    ACCEPT
> net       fw     DROP     info
> #net      all    DROP     info
> all       all    REJECT   info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> #ACTION   SOURCE   DEST   PROTO   DEST                                                SOURCE    ORIGINAL
> #                                 PORT                                                PORT(S)   DEST
> ACCEPT    net      fw     udp     53                                                  -
> ACCEPT    net      fw     tcp     80,443,53,22,20,21,25,109,110,143,783,993,10000    -
> ACCEPT    fw       net    all     -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> But the PROBLEM is:
> I can't connect to my server using FTP, nor from the server
> to my notebook. In /var/log/messages on the server, it drops
> a high port:
>
> Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Can anyone give me direction here? Why doesn't the setting
> work? How do I open this "high port"? Is it safe to do so?
> TIA
Not familiar with Shorewall and I didn't fully read the rules above, but what
I'm not seeing is an entry stating RELATED,ESTABLISHED or something. My
guess is you need such a rule.
And are you loading the ftp helper module?
Gr,
Rob
* Re: shorewall: how to open high port
From: Tom Eastep @ 2004-04-01 14:27 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
Rob Sterenborg wrote:
>
> Not familiar with Shorewall and I didn't fully read the rules above, but what
> I'm not seeing is an entry stating RELATED,ESTABLISHED or something. My
> guess is you need such a rule.
Shorewall provides such rules automatically.
> And are you loading the ftp helper module?
I suspect that is the problem. The OP has also posted on the Shorewall
list where I've replied as well.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
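The diagnosis in the thread (active-mode FTP data connections arriving from port 20 at an ephemeral port, dropped because no ftp conntrack helper marks them RELATED) can be confirmed from the logs rather than by opening the whole high-port range. The parser below is an added example, not code from the thread or from Shorewall; the first sample line is the one quoted by the OP, the other two are constructed, and the verdict names are my own.

```python
import re
from collections import Counter

# Sample /var/log/messages excerpt. Line 1 is the entry quoted in the thread;
# lines 2 and 3 are constructed to show what the classifier must NOT treat
# as FTP data traffic.
SAMPLE_LOG = """\
Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 21:15:02 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=10.9.8.7 DST=192.168.0.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 21:15:30 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter key=value fields and bare flags (DF, SYN, ACK, ...).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)")

def parse_line(line):
    """Return a dict of the netfilter fields, or None if not a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """Label a dropped packet by what the firewall most likely saw."""
    if rec is None or rec["disposition"] != "DROP" or rec.get("PROTO") != "TCP":
        return "other"
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    # Active FTP: after the client's PORT command, the server opens the data
    # connection FROM port 20 TO the client's ephemeral port. Without the ftp
    # conntrack helper this SYN is not RELATED, so the net->fw DROP policy fires.
    if spt == 20 and dpt >= 1024 and "SYN" in rec["flags"]:
        return "active-ftp-data"
    # Any other unsolicited SYN to a high port is exactly what a blanket
    # "open 1024:65535" rule would let through; the helper would not.
    if dpt >= 1024 and "SYN" in rec["flags"]:
        return "unsolicited-high-port"
    return "other"

def summarize(log_text):
    """Count verdicts over a log excerpt so the dominant cause is obvious."""
    return Counter(classify(parse_line(line)) for line in log_text.splitlines())
```

If `active-ftp-data` dominates the net2fw drops, loading the FTP connection-tracking helper is the fix; a count of `unsolicited-high-port` entries shows what opening the range wholesale would have admitted.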