On Wed, Aug 6, 2014, at 10:54, Tom Eastep wrote:
> Did you specify logging on your ACCEPT rule -- I'm guessing not. For
> 'info' level logging:
> 
> ACCEPT:info     net     fw      ...

You guess right.  Now it's set.  I now see why this is necessary even
though I have info set in policy;  it hits rules first.
ACCEPT:info(uid)  $FW      net     tcp     843,8080


> > Now I'm getting firewall
> > blocks on 843 and 8080, with my own user ID.
> > [ 6114.140836] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1
> > DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17453 DF PROTO=TCP
> > SPT=50892 DPT=843 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000 
> > [ 6114.143375] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1
> > DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9972 DF PROTO=TCP
> > SPT=42038 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
> 
> It is interesting that the SOURCE IP address is an RFC-1918 address; is
> that the IP address of a local interface? If so, what is that interface
> used for? How is it defined to Shorewall?

Yes, the source IP is on my workstation's only operating interface.  It
communicates with other machines in the LAN through the router, as well
as the internet through the router's WAN port.

Interfaces:
-       lo              ignore
net     all             physical=+,routeback,optional

Policy:
$FW      all    REJECT          info(uid)
net      all    DROP            info(uid)
local    all    REJECT          info(uid)
all      all    REJECT          info(uid)

Stoppedrules:
#ACCEPT          wlan0          -
#ACCEPT                 -               wlan0
#ACCEPT                 eth0            -
#ACCEPT                 -               eth0

Zones:
fw      firewall
net     ipv4
local    ipv4

As I've just reconfigured Shorewall to the new methods, these are my
only config files, besides shorewall.conf and rules.


> > And eth0 is frantically going in and out of promiscuous, even though I'm
> > not using it.
> 
> I think I would be considering re-imaging this box at the earliest
> opportunity.

Two reasons I can't right now:
-  I don't know how this happened so I can't prevent it happening again;
-  My backups server is full, so I can't take backups - the zfs array is
full, and the drive cage is full.  I have larger drives on order.


> > I guess there's no way to troubleshoot this other than to open 8080 new,
> > close it established and
> > # netstat -tnap | fgrep :8080
> > 
> > Surprising that this sort of thing has never been a problem before.  I
> > guess most ppl's firewalls are open so they never notice.
> 
> Most people's firewalls are nailed down to the point that a acquiring a
> Trojan is extremely improbable. They run the minimum set of services
> necessary with SSH being the only service open to the net.

That's how I'm set, although my SSH is limited to the LAN:
ACCEPT  net:192.168.1.0/28    $FW     tcp     ssh -
ACCEPT  $FW     net:192.168.1.0/28    tcp     ssh -

As I say, I've always had absolutely everything nailed shut in and out
except what I specifically need.  This is why I'm concerned.  I always
ID phishing emails and junk them.  Running TorBirdy on TBird.  Run
NoScript in my main browser (TorBrowser), as well as TorButton.

Whups, there's another one:
[ 8715.287331] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3145 DF PROTO=TCP SPT=41774 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999

This time it's user ossec, group ossec.  This is enlightening.  I
haven't actually set up ossec yet, although the daemon is running:
# ps aux | grep ossec
ossecm    1749  0.0  0.0  19620  1244 ?        S    07:35   0:00 /var/ossec/bin/ossec-maild
root      1753  0.0  0.0  12688   504 ?        S    07:35   0:00 /var/ossec/bin/ossec-execd
ossec     1757  0.0  0.0  17604  2508 ?        S    07:35   0:05 /var/ossec/bin/ossec-analysisd
root      1761  0.0  0.0   4424   548 ?        S    07:35   0:00 /var/ossec/bin/ossec-logcollector
root      1772  0.1  0.0   5816  2272 ?        S    07:36   0:18 /var/ossec/bin/ossec-syscheckd
ossec     1776  0.0  0.0  12940   528 ?        S    07:36   0:00 /var/ossec/bin/ossec-monitord
root      2124  0.0  0.0  12684   964 pts/9    S+   11:46   0:00 grep --color=auto ossec

I was planning to use it for an IDS, but now plan on using the
SecurityOnion suite when/if I figure out how to adapt it like I want it.
I'd installed ossec-hids from the Debian package management system.
Maybe this port 25 knocking is innocuous, although what are they doing
frickin' phoning home?




-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again
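A small parser for the Shorewall/netfilter log lines quoted in this thread, added here as an example and not code from the thread or from Shorewall. It pulls out the UID/GID that `info(uid)` logging adds and tallies rejected outbound attempts per local user, destination and port, which is how one ties a log entry like the port 25 one above back to an account such as ossec. The `PASSWD` table is a constructed stand-in for `/etc/passwd`; the sample lines reuse the three entries from this message.

```python
import re
from collections import Counter

# Constructed sample input: the three Shorewall log entries quoted in this message.
SAMPLE_LOG = """\
[ 6114.140836] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17453 DF PROTO=TCP SPT=50892 DPT=843 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[ 6114.143375] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=119.81.13.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9972 DF PROTO=TCP SPT=42038 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
[ 8715.287331] Shorewall:fw-net:REJECT:IN= OUT=wlan0 SRC=192.168.1.1 DST=141.0.173.173 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3145 DF PROTO=TCP SPT=41774 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1004 GID=999
"""

# Constructed uid -> user-name table (assumption); on a real host use pwd.getpwuid().
PASSWD = {1000: "user", 1004: "ossec"}

# Shorewall prefixes the netfilter record with "<chain>:<disposition>:".
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # e.g. DPT=25, IN= (empty for outbound)
            fields[key] = value
        else:
            fields.setdefault("flags", []).append(tok)   # bare tokens: DF, SYN, ...
    return fields


def summarize_outbound(log_text, passwd=PASSWD):
    """Count rejected/dropped outbound attempts keyed by (user, dst, proto, dport).

    UID/GID are only logged for packets generated by a local process, so a line
    with a UID is by definition traffic from this host's own software."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "UID" not in f or not f["chain"].startswith("fw-"):
            continue
        uid = int(f["UID"])
        user = passwd.get(uid, "uid:%d" % uid)
        counts[(user, f["DST"], f.get("PROTO", "?"), int(f["DPT"]))] += 1
    return counts
```

Running `summarize_outbound(SAMPLE_LOG)` on the lines above attributes the two attempts to 119.81.13.84 to uid 1000 and the port 25 attempt to the ossec account.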
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users