What does /etc/asl/firewall/running.fw actually do? When does it get written to? Read from?
The reason I ask is that I had a situation where an IP was shunned, and it was shown as shunned in running.fw as well as in iptables -L. But when I unblocked it in ASL and whitelisted it (both via the Blocking window), the running.fw file (and the data shown in the firewall window) then showed the IP being shunned and allowed at the same time. Manually removing the shun entry from the firewall window in the ASL GUI removed the shun entry in the file.
[[ The circumstances that led to this may not be typical, as I was in the middle of switching a system from APF to the ASL firewall, which turned out to be a bit messy on this occasion for some reason ]]
running.fw
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: running.fw
faris:
Would you mind posting the general procedure you follow to go from APF to the ASL Firewall?
We have one such box that we've been thinking of moving strictly to the ASL Firewall.
Thanks.
Re: running.fw
I don't think you're supposed to modify that file. It seems like it's generated dynamically when you save rules from ASL.
If everything was easy, then the world wouldn't need engineers.
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: running.fw
The short version is it is a snapshot of the running firewall policy when you are accessing the firewall interface. I don't recommend modifying that file unless you are me.
We are planning conversion tools to automate migrations from other firewall interfaces into the ASL interface. We'll be taking that on after the 4.0 release (which is soon!)
Re: running.fw
OK... this is what I *think* I did, and it is somewhat based on http://www.atomicorp.com/forum/viewtopic.php?f=3&t=6695
1) Add allowed IPs (e.g. your own) to the ASL firewall via the GUI (Firewall, add rule, INPUT chain, INSERT, enter IP in SRC box, jump to ACCEPT)
2) Logout of GUI
3) service iptables stop
4) Disable iptables auto-start (using chkconfig or ntsysv)
5) delete /etc/cron.daily/apf
6) Disable APF auto-start (chkconfig or ntsysv)
7) Check for anything related to "refresh" or "apf" in /etc/cron.hourly or /etc/cron.daily or /etc/cron.d/ and remove or comment out.
8) Delete the apf script itself (wherever it might be). This should not be necessary if you have completely killed off the cron jobs that start it.
9) Add allowed ports in ASL GUI (main config, not firewall section)
http://www.atomicorp.com/wiki/index.php/ASL_firewall
WARNING: Read what it says in the GUI for what is default setting for each firewall switch. You will find some are enabled when they should be disabled, and vice versa. DROP_INVALID_LOG, for example, needs to be OFF otherwise you may find IPs get shunned for the wrong reason.
10) Stop APF/Flush rules:
apf -f (YOUR FIREWALL IS DOWN AT THIS POINT)
11) aum -u
12) asl -s -f
13) Check to see if APF has been expunged:
iptables -v -n -L | less
Use service asl-firewall-restart if need be
And it was at this point that things got in a mess for me. On one system I had to delete /etc/asl/firewall/running.fw because it had APF firewall rules in it, and nothing I did could get rid of them - they kept re-appearing. So maybe it was because I was logged in to the GUI and things got confused. I really don't know.
WARNING: You could lock yourself out of your system if anything I have written is in the wrong order or just plain wrong. Be warned.
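Added example, not from the post above and not ASL's or APF's own tooling: three small checks for the riskier steps of this procedure. Step 7 (leftover cron entries mentioning apf or refresh), step 13 (APF chains still loaded after the switch) and the lock-out risk of touching running.fw without a port-22 rule in place. The functions read directories passed as arguments or `iptables -v -n -L` output on stdin, so they can be tried on captured output before being run on a live box. The APF chain-name pattern and the two sample iptables listings are assumptions constructed for this example; adjust the pattern to whatever chains your APF install actually created.

```shell
#!/bin/sh
# Added example (not part of the forum post, nor of ASL/APF): pre-flight checks
# for an APF -> ASL firewall switch. Nothing here calls iptables itself.

# Step 7: print files under the given cron directories that mention "apf" or
# "refresh" (case-insensitive). Exit 0 when nothing is found, 1 otherwise.
find_apf_cron_refs() {
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if grep -qiE 'apf|refresh' "$f"; then
                echo "$f"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Step 13: given `iptables -v -n -L` output on stdin, print every chain whose
# name matches APF_CHAIN_PATTERN. Exit 0 when no such chain exists, 1 otherwise.
# The default pattern is an assumption of this example (chain names we have
# seen APF create); replace it with what your own box shows.
APF_CHAIN_PATTERN='^(SANITY|TALLOW|TDENY|RESV|BLK_)'
apf_chains_present() {
    awk -v pat="$APF_CHAIN_PATTERN" '
        /^Chain / && $2 ~ pat { print $2; n++ }
        END { exit (n > 0) ? 1 : 0 }'
}

# Lock-out guard: succeed only if the INPUT chain holds an ACCEPT rule for TCP
# destination port $1. Reads `iptables -v -n -L` output on stdin. Columns in
# that layout are: pkts bytes target prot opt in out source destination [extra].
input_accepts_tcp_port() {
    awk -v port="$1" '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" &&
            $0 ~ ("dpt:" port "([^0-9]|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample (not captured from a real system) in the `iptables -v -n -L`
# layout: APF chains still loaded, and INPUT only accepting one source address.
SAMPLE_BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       203.0.113.10         0.0.0.0/0
    0     0 SANITY     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SANITY (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain TALLOW (0 references)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample after a clean switch: no APF chains, port 22 open.
SAMPLE_AFTER='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       203.0.113.10         0.0.0.0/0
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Stand-alone demonstration against the constructed samples and the real cron
# directories named in step 7 (on a live box, pipe real iptables output instead).
demo() {
    if find_apf_cron_refs /etc/cron.hourly /etc/cron.daily /etc/cron.d; then
        echo "cron: no apf/refresh references found"
    else
        echo "cron: the files listed above still reference apf/refresh"
    fi
    if printf '%s\n' "$SAMPLE_BEFORE" | apf_chains_present; then
        echo "before: no APF chains loaded"
    else
        echo "before: APF chains listed above are still loaded"
    fi
    if printf '%s\n' "$SAMPLE_AFTER" | input_accepts_tcp_port 22; then
        echo "after: INPUT accepts tcp/22, safe to work on running.fw"
    else
        echo "after: no tcp/22 ACCEPT in INPUT, do not delete running.fw"
    fi
}
demo
```

On a live system the two stdin checks are run as `iptables -v -n -L | apf_chains_present` and `iptables -v -n -L | input_accepts_tcp_port 22`; the second should pass before running.fw is deleted or regenerated, since that file carries the "allow IP" rules.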
Re: running.fw
Great, thanks for posting.
Re: running.fw
Oh, one more thing. If you delete running.fw, you are likely to remove all your "allow IP" rules. This is potentially bad and can lock you out. I suggest allowing port 22 temporarily by adding it to your normally open ports in the main asl config.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: running.fw
FYI, we are working on a migration tool to "suck in" existing rules upon install. As soon as it's available we'll let everyone know.
Michael Shinn
Atomicorp - Security For Everyone