UTM Firewall - Beta


Giacomo Sanchietti

Jun 12, 2014, 11:43:49 AM
to neths...@googlegroups.com
It's been a long journey, but at the end UTM firewall modules are
available as public beta:

http://www.nethserver.org/utm-firewall-beta/

Try it, break it, but then report issues!


Giacomo

Filippo Carletti

Jun 12, 2014, 12:30:39 PM
to Giacomo Sanchietti, neths...@googlegroups.com
> http://www.nethserver.org/utm-firewall-beta/

For those wanting to experiment with Snort IPS, I can share my custom
config, including reputation pre-processor (blacklists), drop rules,
etc.
Ask here if you feel adventurous. :-)


--
Ciao,
Filippo

Juan Pablo

Jan 7, 2015, 7:45:15 PM
to neths...@googlegroups.com

Hey guys, thanks for adding IPS to NethServer!!! But, unfortunately, I can't make IPS work. I have set config setprop firewall nfqueue enabled and the firewall signal adjustment also, but it's not dumping any alert in the logs. Also ps -aux shows no process around.

any ideas?
 Pablo

Filippo Carletti

Jan 8, 2015, 4:30:06 AM
to Juan Pablo, neths...@googlegroups.com
> logs. also ps -aux showns no process around.

I've seen this: snort dies after some rule update.

Last time it happened I had to add:

portvar FTP_PORTS [21]

to /etc/snort/snort.conf.
Then:
service snortd start

To really drop connections you'd need to select which rules to drop,
adjusting /etc/snort/dropsid.conf.
Here's mine:
pcre:balanced-ips\ drop
pcre:onficker
emerging-compromised

Please, let me know how it goes.


--
Ciao,
Filippo
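The dropsid.conf entries above decide which rules pulledpork rewrites from alert to drop. The following is an added example, not NethServer's or pulledpork's own code: a simplified re-implementation of that selection over constructed sample rules, assuming the three entry kinds seen in the thread (a pcre: pattern tested against the whole rule text, a bare category name, a bare sid); all rule text, sids and addresses are constructed.

```python
import re
# Constructed sample rules keyed by pulledpork category (rules-file name
# without ".rules"); added example, not NethServer's or pulledpork's code.
SAMPLE_RULES = {
    "emerging-compromised": [
        'alert ip [1.2.3.4] any -> $HOME_NET any (msg:"ET COMPROMISED Known Host"; sid:2500000; rev:1;)',
    ],
    "malware-cnc": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Conficker checkin"; sid:16000; rev:2;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MALWARE-CNC generic beacon"; sid:16001; rev:1;)',
        'alert tcp any any -> any 21 (msg:"MALWARE-CNC ftp upload"; sid:17000; rev:1;)',
    ],
}
# Constructed dropsid.conf in the thread's style: "pcre:<regex>" is tested
# against the whole rule text, a bare name selects a category, a number a sid.
SAMPLE_DROPSID = "pcre:onficker\nemerging-compromised\n17000\n"

def parse_dropsid(text):
    # Each non-empty, non-comment line becomes a (kind, matcher) tuple.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            entries.append(("pcre", re.compile(line[len("pcre:"):])))
        elif line.isdigit():
            entries.append(("sid", int(line)))
        else:
            entries.append(("category", line))
    return entries

def apply_dropsid(rules_by_category, dropsid_text):
    # Rewrite matching "alert" rules to "drop"; non-matching rules are kept.
    entries = parse_dropsid(dropsid_text)
    out = {}
    for category, rules in rules_by_category.items():
        out[category] = []
        for rule in rules:
            sid = int(re.search(r"\bsid:(\d+);", rule).group(1))
            hit = any((kind == "pcre" and m.search(rule) is not None)
                      or (kind == "sid" and m == sid)
                      or (kind == "category" and m == category)
                      for kind, m in entries)
            if hit and rule.startswith("alert "):
                rule = "drop " + rule[len("alert "):]
            out[category].append(rule)
    return out
```

Running it over the sample shows why the pcre entry is the risky one: it drops every rule whose text happens to match, so check the rewritten set before reloading snort.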

Juan Pablo

Jan 8, 2015, 10:49:40 AM
to Filippo Carletti, neths...@googlegroups.com
Great, now I'm getting the following:
nfq DAQ configured to inline.
FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue creation failed#012

info:
Package daq-2.0.1-1.x86_64
Package nethserver-pulledpork-1.0.0-1.ns6.noarch
Package nethserver-snort-1.0.0-1.ns6.noarch
Package snortalog-0.0.1-1.ns6.noarch
Package 1:snort-2.9.6.2-1.x86_64
Package pulledpork-0.7.0-2.noarch
---
nfqueue=enabled
tc=Simple

fw rules are default.

thanks for your help, sir!

Filippo Carletti

Jan 8, 2015, 11:54:05 AM
to Juan Pablo, neths...@googlegroups.com
> nfq DAQ configured to inline.
> FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue
> creation failed#012

Mmh, I have the same versions except:
daq-2.0.2-1.x86_64

I installed from nethserver-testing, but I can't find the package in
the repo: mystery! :-)

yum history package-info daq
...
Transaction ID : 92
Begin time : Thu Jun 12 15:54:05 2014
Package : daq-2.0.2-1.x86_64
State : Update
Size : 661,727
Build host : giacomo.nethesis.it
Build time : Tue Jun 3 17:34:22 2014
Vendor : Nethesis
License : GNU General Public License
URL : http://www.snort.org/
Source RPM : daq-2.0.2-1.src.rpm
Commit Time : Tue Jun 3 17:34:22 2014
Reason : user
Command Line : --enablerepo=nethserver-testing update
From repo : nethserver-testing
Changed by : root <root>


I've requested to upload the rpm to the repo.

Please run:

yum --enablerepo=nethserver-testing update daq

Let me know, thank you.


--
Ciao,
Filippo

Juan Pablo

Jan 9, 2015, 3:05:05 PM
to Filippo Carletti, neths...@googlegroups.com
OK, I see the update now, thanks for pushing that!
service snortd restart throws the following:
PID path stat checked out ok, PID path set to /var/run/
Writing PID "4334" to file "/var/run//snort_.pid"
 WARNING: cannot set uid and gid - nfq DAQ does not support unprivileged operation.
--== Initialization Complete ==--
Commencing packet processing (pid=4334)
Decoding Raw IP4
Nice, now it's starting! Do you get the same warning on your deploy? I don't see it on other machines so far, but it's not a biggie. I will try to troubleshoot it from here now.

I appreciate your help a lot. Do you want me to file a bug report? In fact, is it a 'bug', or just an enhancement/fix?
=)
Regards!

Filippo Carletti

Jan 10, 2015, 6:36:08 AM
to Juan Pablo, neths...@googlegroups.com
> WARNING: cannot set uid and gid - nfq DAQ does not support unprivileged
> operation.

AFAIK daq can't be used as non-root. Do you use daq where you don't
see the warning?

No need to file an issue, it was a bug in the release process, but
it's now fixed.
Thank you again.


--
Ciao,
Filippo

Juan Pablo

Jan 12, 2015, 8:42:28 AM
to Filippo Carletti, neths...@googlegroups.com
Filippo, still no luck. The log is not showing anything in any of the modes. Do you have it working on your install by stock, or have you tuned it somehow?

regards,
Pablo

Filippo Carletti

Jan 12, 2015, 8:45:57 AM
to Juan Pablo, neths...@googlegroups.com
I use custom mode and a heavily modified config.
I can share it here if you would like to try it.
--
Ciao,
Filippo

Juan Pablo

Jan 12, 2015, 8:49:45 AM
to Filippo Carletti, neths...@googlegroups.com
Sure, that would be nice! What about pushing a patch to the repo with working defaults for future folks who might want to try it? Do you guys have a git repo for the configs somewhere?

thanks!

Filippo Carletti

Jan 12, 2015, 9:03:21 AM
to Juan Pablo, neths...@googlegroups.com
My config files are attached. Beware: the config is tailored to my
testing needs; it is used in production, but it is big (more than 10000
rules) and uses more than 256 MB of RAM. Remember to set the snort Rule
policy to Expert.
You need to run pulledpork after installing config files:
/usr/bin/pulledpork.pl -c /etc/snort/pulledpork.conf
--
Ciao,
Filippo
snort_config.tar.gz