[NCLUG] Shorewall and webmin

Chris Funk chris at us-reports.com
Mon Nov 8 09:22:46 MST 2004


Thanks John and Bob.

I'll just use ssh and edit the files by hand.  I guess I didn't think about
security by ip address as being bad, but that does make sense.  I just
figured it was better make the port(s) appear closed then allow only certain
ip's.  But I can see how with spoofing or the addresses changing it could be
a problem.

Thanks again.
Chris



-----Original Message-----
From: nclug-bounces at nclug.org [mailto:nclug-bounces at nclug.org] On Behalf Of
Bob Proulx
Sent: Sunday, November 07, 2004 1:14 AM
To: nclug at nclug.org
Subject: Re: [NCLUG] Shorewall and webmin

Chris Funk wrote:
> I am using shorewall 2.0.10

Me too.

> and webmin to administer it.

I just use the plain text config files.  They are simple and
straight-forward.  I don't use webmin and so can't comment there.

> I have multiple rules setup to allow my home machine as well as
> several others into the network.

Things were not particularly clear, but let me extrapolate.  You have
remove machines at one site and allow different remote machines, your
home machines, at another site in based upon IP addresses?

If so let me say that using IP addresses for security is not a good
thing.  Don't count on it.  Instead you should use security methods
like ssh that rely upon cryptographic means to authenticate and secure
the connection.  IP based security is not considered very secure by
those skilled in the art.

> Most of the home machines get ip's via dhcp, so whenever they
> change I have to go in and change all the rules.

Is the DHCP server local on some network as John guess?  Or is this a
dynamic address assigned by the comcast cable company?

If by the cable company then you are just going to have a difficult
time making that work with IP level security.  Better not to use it
that way.

> I have "fixed" this using the params file in shorewall, setting up shell
> vars, "CHRIS=wan:67.176.xxx.xxx" however when I add new rules to shorewall
> via webmin it wipes those out.

Can you have webmin write a different file and then script a filter to
update the real file?

If you are trying to track a dynamic cable modem address I think that
is the wrong way to do security.  Instead use ssh to authenticate the
connection.

If you say that you are using both ssh and IP level security then my
response is that you don't need the second if you have the first.

If you really, really want to do it anyway then use a lilypad machine
that has a known static address.  Log in there first and then hop to
your end target machine.  That avoids the dynamic IP problem.

> I have tried playing with the Hosts and Zones in shorewall, but I'm not
> really sure if that is what that is for or not.

Hmm...  That is not really how it is designed to be used.  But any
port in a storm.

> ACCEPT	Zone DMZ	Firewall	Tcp		Any
> 22

[Ugly word wrapping here.  Examples should be verbatim.]

SSH on port 22, fine.

> ACCEPT	Zone $CHRIS	Firewall	Tcp		Any
> 22
> ACCEPT	Zone $JACK	Firewall	Tcp		Any
> 25

Okay.

> ACCEPT	Zone $CARI	Firewall	Tcp		Any
> ftp

You are allowing incoming ftp?  Even if that is only for anonymous ftp
it opens up such a can of worms that I would avoid it entirely.  Use
sftp if you need an ftp like interface but at least sftp uses ssh
which is a secure protocol.  As you know ftp passes passwords in the
clear.  And anonymous ftp requires allowing multiple inbound ports.

> right. :-)  and I would, but I have another person who occasionally  has
to
> add rules, and editing by hand isn't an option for them.

How often do you really need to add rules to your firewall?  I rarely,
rarely change them.  Only when adding a service such as rsync or some
other fundamental change.

Bob
_______________________________________________
NCLUG mailing list       NCLUG at nclug.org

To unsubscribe, subscribe, or modify
your settings, go to:
http://www.nclug.org/mailman/listinfo/nclug






More information about the NCLUG mailing list