• [gentoo-user] Shorewall configuration

    From Peter Humphrey@21:1/5 to All on Tue Mar 1 13:40:01 2022
    Hello list,

    I use net-firewall/shorewall to protect my machines; it's served me well for many years. My ISP gave me a FritzBox modem-router recently, in the hope of better media streaming, but it's spamming my LAN server with HTTP requests (port 80). The other machines are left alone; just this one is affected.

    The many log entries are not a serious problem, just a nuisance, but I'd rather not have to put up with them.

    AVM, the modem's maker, says I should set shorewall up on this machine to accept either port-80 requests or unsolicited packets of type 0x88e1. That type is HomePlug Management, apparently, and the FritzBox is looking for any such devices on the LAN. I don't know why it's picked on this one machine to query, unless it's because it has the lowest IP address.

    Questions:
    1. Will I be opening myself to external HTTP attacks if I open that port to the modem-router? I assume I will, though no such service is running - at the moment.
    2. As far as I can see, shorewall filters only on ports, not packet types. If so, how can I specify a packet type to it?
    3. Does anyone here know how to specify HomePlug in shorewall?

    Google hasn't helped much, nor has the Shorewall website, so I hope someone here has experience of this.

    --
    Regards,
    Peter.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Michael@21:1/5 to All on Tue Mar 1 14:54:24 2022
    On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote:
    > Hello list,
    >
    > I use net-firewall/shorewall to protect my machines; it's served me well for many years. My ISP gave me a FritzBox modem-router recently, in the hope of better media streaming, but it's spamming my LAN server with HTTP requests (port 80). The other machines are left alone; just this one is affected.
    >
    > The many log entries are not a serious problem, just a nuisance, but I'd rather not have to put up with them.
    >
    > AVM, the modem's maker, says I should set shorewall up on this machine to accept either port-80 requests or unsolicited packets of type 0x88e1. That type is HomePlug Management, apparently, and the FritzBox is looking for any such devices on the LAN. I don't know why it's picked on this one machine to query, unless it's because it has the lowest IP address.
    >
    > Questions:
    > 1. Will I be opening myself to external HTTP attacks if I open that port to the modem-router? I assume I will, though no such service is running - at the moment.
    > 2. As far as I can see, shorewall filters only on ports, not packet types. If so, how can I specify a packet type to it?
    > 3. Does anyone here know how to specify HomePlug in shorewall?
    >
    > Google hasn't helped much, nor has the Shorewall website, so I hope someone here has experience of this.

    Have you seen this regarding the specific ethertypes:

    https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

    Sadly I don't know anything about Shorewall, but you can look at configuring netfilter with some additional hand-crafted rules to drop the above ethertypes without logging them.

    However, what I would prefer to do in your circumstances is find if your router is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage
    bufferbloat. I expect this should improve your streaming better than whatever AVM have configured in the box.

  • From Peter Humphrey@21:1/5 to All on Tue Mar 1 17:50:01 2022
    On Tuesday, 1 March 2022 14:54:24 GMT Michael wrote:

    > Have you seen this regarding the specific ethertypes:
    >
    > https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

    Yes, it's from that site and friends that I've learned what little I have about Home Plug.

    > Sadly I don't know anything about Shorewall, but you can look at configuring netfilter with some additional hand-crafted rules to drop the above ethertypes without logging them.

    Hm. Shorewall seems to be a complete subsystem to accept broad intentions and craft iptables rules accordingly. I'll see if it's possible to slip something in upstream of it.

    > However, what I would prefer to do in your circumstances is find if your router is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage bufferbloat. I expect this should improve your streaming better than whatever AVM have configured in the box.

    That route's unlikely to be open to me, though I'll check.

    I hope I'm not facing a complete rehash of firewall config. If so, I may return the old modem-router to service instead.

    --
    Regards,
    Peter.

  • From Michael@21:1/5 to All on Tue Mar 1 16:55:07 2022
    On Tuesday, 1 March 2022 16:40:30 GMT Peter Humphrey wrote:

    > I hope I'm not facing a complete rehash of firewall config. If so, I may return the old modem-router to service instead.

    This page suggests it is simple to achieve, by adding it to your /etc/nftables.conf file, assuming one is available. Alternatively, it should be a case of finding the right place to add something appropriate in Shorewall's configuration or script file, so that Shorewall itself creates the required ethertype filter.

    https://serverfault.com/questions/1015896/linux-server-dropping-rx-packets-in-netif-receive-skb-core/1016113#1016113

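A worked ruleset for the two things the thread asks about (dropping the ethertype 0x88e1 frames of Peter's questions 2 and 3, and silencing the port-80 probes of question 1), added here as an example; it is not taken from any post above and not AVM's or Shorewall's own material. It assumes the LAN interface is named eth0, that the FritzBox sits at the AVM default address 192.168.178.1, and that the Shorewall setup uses the conventional `loc` zone for the LAN; adjust those to match the real configuration. One point none of the posts spells out: iptables, and therefore Shorewall, hooks only the IPv4/IPv6 path, so a frame with ethertype 0x88e1 never reaches an iptables rule and cannot be matched or logged there, which is why the ethertype filter belongs in the nftables netdev family (device ingress, every frame) while the HTTP requests, being ordinary IP traffic, are handled in Shorewall itself.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Drops HomePlug AV management frames
# (ethertype 0x88e1) and the related 0x8912 frames named in the superuser
# link, before they reach the IP stack. Assumes the LAN interface is "eth0".
#
# Why netdev and not inet: iptables (and so Shorewall, which generates
# iptables rules) only hooks the IPv4/IPv6 path. A frame with ethertype 0x88e1
# never enters that path, so no iptables rule can match or log it. The netdev
# ingress hook runs on every frame arriving on the device, IP or not.

table netdev homeplug {
    chain ingress {
        type filter hook ingress device "eth0" priority -500; policy accept;

        # Count what is dropped so `nft list table netdev homeplug` shows the
        # probes are actually arriving on this host (and being discarded).
        ether type { 0x88e1, 0x8912 } counter drop

        # Everything else, including the router's IP traffic, continues into
        # the normal stack where Shorewall's iptables rules apply.
    }
}
```

Load it with `nft -f /etc/nftables.d/homeplug.nft` (the path is an assumption); to have it reapplied after every Shorewall restart, the same command can go in Shorewall's `/etc/shorewall/started` extension script, which Shorewall runs after the firewall has been started. The port-80 requests belong in Shorewall: a line such as `DROP    loc:192.168.178.1    $FW    tcp    80` in `/etc/shorewall/rules` is matched before the `loc` to `$FW` policy, and a DROP action with no log level attached discards the packets silently, so the log noise stops without accepting anything on port 80 from anyone.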