fw-net means that the traffic is from the firewall itself to the net zone.

-----Original Message-----
From: merc1...@f-m.fm [mailto:merc1...@f-m.fm] 
Sent: 6. august 2014 18:58
To: Shorewall Users
Subject: Re: [Shorewall-users] Suspected Trojan

On Mon, Aug 4, 2014, at 14:32, Tom Eastep wrote:
> On 8/4/2014 12:31 PM, merc1...@f-m.fm wrote:
> > On Mon, Aug 4, 2014, at 09:48, Tom Eastep wrote:
> >> You can allow the connection in the NEW section but DROP the traffic in
> >> the ESTABLISHED section. That way, the connection will be made and you
> >> will be able to see it with netstat or ss, but no data will be sent.
> > 
> > I'm one of those old-tyme Shorewall users (and in fact live in Shoreline
> > as well),
> 
> Hi neighbor :-)
> 
> > so have never needed to mess with this new NEW, ESTABLISHED,
> > etc stuff.  Apparently it's to do with the rules file.
> > 
> > I sure don't want to make a false move and allow this trojan to get out,
> > so can you give me complete instructions?
> 
> In the rules file:
> 
> ?SECTION ESTABLISHED
> DROP    net     fw      tcp     -       25
> DROP    fw      net     tcp     25
> ?SECTION NEW
> ACCEPT  fw      net     tcp     25
 
Ok I've now studied the new ways of Shorewall and have my systems
updated to the ?SECTIONs.

But now firewall hits to 25 and 110 have stopped, maybe because there's
a keylogger and they know I'm on to them.  Now I'm getting firewall
blocks on 843 and 8080, with my own user ID.
[ 6114.140836] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1
DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17453 DF PROTO=TCP
SPT=50892 DPT=843 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
[ 6114.143375] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1
DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9972 DF PROTO=TCP
SPT=42038 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000

And eth0 is frantically going in and out of promiscuous, even though I'm
not using it.

I don't understand what fw-net is.  It's not a user or anything in
processes.

I guess there's no way to troubleshoot this other than to open 8080 new,
close it established and
# netstat -tnap | fgrep :8080

Surprising that this sort of thing has never been a problem before.  I
guess most people's firewalls are open so they never notice.



-- 
http://www.fastmail.fm - mmm... Fastmail...
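As an added example (not code from the post or from the Shorewall project), the short parser below reads the two kernel log lines quoted above, splits the chain name into its source and destination zone so that fw-net reads as "from the firewall host itself to the net zone", and tallies the rejected outbound connects by UID and destination port for comparison against `netstat -tnap` or `ss -tnap`. It assumes the default Shorewall log prefix `Shorewall:<chain>:<disposition>:` followed by the usual netfilter key=value fields.

```python
import re
from collections import Counter

# The two kernel log lines quoted in the post, re-joined onto one line each
# (the mail client had wrapped them).
SAMPLE_LOG = [
    "[ 6114.140836] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17453 DF PROTO=TCP SPT=50892 DPT=843 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000",
    "[ 6114.143375] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9972 DF PROTO=TCP SPT=42038 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000",
]

# Default Shorewall log prefix: "Shorewall:<chain>:<disposition>:", then the
# netfilter fields. Assumed default format; a custom LOGFORMAT would differ.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_shorewall_log(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    chain = m.group("chain")
    if "-" in chain:                     # "<source zone>-<dest zone>", e.g. fw-net
        src_zone, dst_zone = chain.split("-", 1)
    else:                                # some other chain name; keep it whole
        src_zone, dst_zone = chain, None
    rec = {"chain": chain, "src_zone": src_zone, "dst_zone": dst_zone,
           "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val               # SRC, DST, DPT, UID ...; IN= is empty here
        else:
            rec["flags"].append(tok)     # bare TCP/IP flags such as DF and SYN
    return rec


def firewall_originated(records):
    """Packets generated by the firewall host itself: source zone 'fw'.

    Such packets also show an empty IN= and carry UID/GID, which netfilter
    can only report for locally generated traffic."""
    return [r for r in records if r["src_zone"] == "fw"]


def summarize_by_owner(records):
    """Count blocked attempts by (UID, protocol, destination port) so the
    owning process can be looked up with `ss -tnap` / `netstat -tnap`."""
    return Counter((r.get("UID"), r.get("PROTO"), r.get("DPT")) for r in records)


if __name__ == "__main__":
    recs = [r for r in map(parse_shorewall_log, SAMPLE_LOG) if r]
    for key, n in summarize_by_owner(firewall_originated(recs)).items():
        print("uid=%s proto=%s dport=%s rejected %d time(s)" % (key + (n,)))
```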


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
