Honeypots mailing list archives
Re: rc.firewall script problems
From: "Aaron G. Wade" <agw8 () cornell edu>
Date: Sun, 27 Mar 2005 21:22:07 -0500 (EST)
Craig,

After having issues with the cd causing kernel panics (using all available memory in a system with 1gb ram) I ran into the same problem on a box with a 2.6 kernel. The fix is to replace -i with -m physdev --physdev-in <interface> on any rule that refers to an interface being used in the bridge (NOT lo or eth2).

HTH
-Aaron
Hello everyone,

My rc.firewall (an exact copy of http://www.honeynet.org/tools/dcontrol/rc.firewall, except for some configuration options) does not work properly. The firewall doesn't log anything or allow any connections outbound. After a lot of tinkering, I discovered that the -i flag used to specify interface does not seem to be working at all. If I remove the -i flag then the firewall sort-of works (the firewall assumes everything is INBOUND because the inbound lines precede the outbound lines).

My kernel is 2.6.11.3 and has every netfilter option enabled. I have rebuilt iptables several times to no avail. Does anyone have any idea what could be causing this? I get the feeling I am overlooking something very trivial.

Thanks,
Craig Holmes

-------
Some extra information:

root@Weltall honeywall # ./rc.firewall
Starting up Bridging mode.
FATAL: Module ipt_LOG not found.
FATAL: Module ip_conntrack_ftp not found.
FATAL: Module ip_conntrack_irc not found.

root@Weltall honeywall # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0080c8f31cdc       no              eth1
                                                        eth0

If I remove all -i interfaces from the script:

Mar 25 15:25:54 Weltall INBOUND OTHER: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=xx.xxx.xxx.xxx DST=216.109.118.41 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1467 DF PROTO=TCP SPT=1117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

--
KMail: 1.7.2
Linux Weltall 2.6.11.3 #3 Thu Mar 17 19:03:09 EST 2005 i686 AMD Athlon(TM) XP 2500+ AuthenticAMD GNU/Linux
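An added illustration of the fix Aaron describes (example script, not the honeynet rc.firewall and not code from the thread): the broken -i rule beside the physdev form, plus a small classifier that reads PHYSIN= from a LOG line, since on a bridge IN= and OUT= are both br0 in either direction. The interface roles (eth0 external, eth1 honeypot side) and the sample log line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the honeynet rc.firewall. On a 2.6 bridge every frame
# reaches netfilter with IN=br0/OUT=br0, so "-i eth0" never matches; the
# physdev match on the physical port is what distinguishes the two sides.
set -eu

IPT="${IPT:-echo iptables}"   # dry run prints the rule; IPT=iptables applies it
EXT_IF="eth0"                 # assumed: bridge port facing the Internet
INT_IF="eth1"                 # assumed: bridge port facing the honeypots

# The form from Craig's script: -i sees the bridge device, never the port.
broken_log_rule() {
    $IPT -A FORWARD -i "$1" -j LOG --log-prefix "$2 "
}

# Aaron's fix: key the rule on the physical in-port via the physdev module.
bridge_log_rule() {
    $IPT -A FORWARD -m physdev --physdev-in "$1" -j LOG --log-prefix "$2 "
}

# Classify a kernel LOG line by PHYSIN=, since IN= is br0 in both directions.
direction_of() {
    physin=$(printf '%s\n' "$1" | sed -n 's/.*PHYSIN=\([^ ]*\).*/\1/p')
    case "$physin" in
        "$EXT_IF") echo INBOUND ;;
        "$INT_IF") echo OUTBOUND ;;
        *)         echo UNKNOWN ;;
    esac
}

# Constructed log line in the format Craig posted (address fields shortened).
SAMPLE='Mar 25 15:25:54 Weltall INBOUND OTHER: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.5 DST=216.109.118.41 PROTO=TCP SPT=1117 DPT=80 SYN'

bridge_log_rule "$EXT_IF" INBOUND
bridge_log_rule "$INT_IF" OUTBOUND
echo "sample line came from the $(direction_of "$SAMPLE") side"
```

With the assumed roles, the sample line (PHYSIN=eth1) is reported as OUTBOUND even though the -i-less script prefixed it INBOUND, which is exactly the mislabelling Craig saw.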
Current thread:
- rc.firewall script problems Craig Holmes (Mar 26)
- Re: rc.firewall script problems Lance Spitzner (Mar 27)
- Message not available
- Re: rc.firewall script problems Craig Holmes (Mar 27)
- Re: rc.firewall script problems Aaron G. Wade (Mar 28)
- <Possible follow-ups>
- Re: rc.firewall script problems Earl Sammons (Mar 26)
- Re: rc.firewall script problems Jesse Morgan (Mar 27)
- Re: rc.firewall script problems Earl Sammons (Mar 27)
- Re: rc.firewall script problems Craig Holmes (Mar 28)