|Shorewall issues on Debian Squeeze|
| 1:07 am on Feb 14, 2012 (gmt 0)|
We recently moved to a new server running Debian Squeeze.
A few weeks after putting the server into production, I did a routine apt-get dist-upgrade. Usually there are no surprises.
But we noticed we could not access mail via pop3, and we could not log in to Webmin.
After a bit of research on logs, I discovered the issue related to Shorewall. Up until that point I had never even heard of Shorewall (obviously I'm not a security expert).
As a temporary fix I can issue a "shorewall clear" to gain access to mail, and later issue a "shorewall restart" to block it again.
But I have some questions:
- if this was installed or enabled by the dist-upgrade, then what did it replace? Is it really needed or necessary? (or better, what value does it have?)
- and where and how would I change the shorewall configuration so it doesn't block mail or webmin?
| 10:29 pm on Feb 14, 2012 (gmt 0)|
| 5:03 pm on Feb 25, 2012 (gmt 0)|
Sorry for the delay, I hope that I'm not too late :)
Shorewall is a front end for the standard Linux iptables firewall. You can find the configuration files in the /etc/shorewall directory. The file /etc/shorewall/rules would be the best place to add your exception rules to allow webmin and pop3 traffic.
Shorewall has a website [shorewall.net] with a lot of documentation and examples.
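As an added illustration of the kind of entries that go in /etc/shorewall/rules (this is example configuration, not something posted in the thread; it assumes the Debian default zone names "net" and $FW, and the trusted admin address is a placeholder):

```text
# /etc/shorewall/rules  (added example, not from the thread)
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# Assumes the zone names from Debian's default setup: "net" for the
# internet-facing interface and $FW for the firewall host itself.
SECTION NEW

# POP3 and POP3 over TLS from anywhere, so mail clients can log in
ACCEPT   net                 $FW   tcp   110,995

# Webmin (default port 10000) only from one trusted admin address;
# 203.0.113.10 is a documentation-range placeholder, replace it with yours
ACCEPT   net:203.0.113.10    $FW   tcp   10000
```

Confirm the zone names against /etc/shorewall/zones, then run `shorewall check` before `shorewall restart` so a typo does not leave you locked out.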
| 5:47 pm on Feb 25, 2012 (gmt 0)|
Thanks for the reply. For the time being I've turned Shorewall off. I still don't know how to set up the rules to allow email traffic and webmin access, and turning it on/off was too much of a hassle. (I know where the rules are ... just not what to put there)
And I still don't know what got this started. After we installed the new box, things were OK for several months and then early February, all of a sudden after a regular apt-get dist-upgrade, Shorewall raised its head.
I know our provider had installed Fail2ban. I don't know what the difference is with that and Shorewall, and as soon as I can, I'll be looking at that as well.
| 6:16 pm on Feb 25, 2012 (gmt 0)|
Shorewall works mainly on the packet level. It inspects source and destination IPs, ports and a few other things on the packet level to decide what to do with it.
Fail2ban on the other hand works on a much higher level. It inspects log files and looks for suspicious patterns. It then creates (temporary) firewall rules to ban specific IPs which behave in a non-standard way.
As an example, fail2ban is capable of checking the log files for IPs which access your server over an SSH connection and enter an invalid password a number of times. It then blocks that specific IP. Shorewall can also block access to SSH ports, but it is not capable of making those decisions based on what happens in the application layer, like failed passwords.
| 6:38 pm on Feb 25, 2012 (gmt 0)|
So if I had to choose, which is better? Or do I (or should) choose between them in the first place? Better to run both?
| 4:07 am on Feb 26, 2012 (gmt 0)|
There is no better. Shorewall uses the netfilter system which is part of the Linux kernel. This makes it very efficient to handle large amounts of packets without much CPU overhead. This is the type of protection you want against DDOS attacks, blocking access to your SSH and POP3 ports with the exception of a few trusted IP addresses etc.
Fail2ban checks log files and does high-level checks and is, as far as I know, written in Python. It therefore causes a moderate CPU and disk overhead and you don't want to use it to defend against massive attacks on your server. But it is capable of detecting suspicious behavior on ports which you cannot simply block on the IP level, like multiple failed password attempts on global FTP accounts, scans for PHPMyAdmin installations on your Apache server etc.