Hi all,

How do I put a rule in to allow all ports on a single IP..
I'm not masq my network as the firewall is on the router.

I have another firewall internally that I will be removing sometime
soon, but just wish to forward all ports to this firewall (until I can
decommission it).

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:81:2f:a5:fa brd ff:ff:ff:ff:ff:ff
    inet 203.94.130.158/30 brd 203.94.130.159 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:81:2f:a5:fb brd ff:ff:ff:ff:ff:ff
    inet 203.94.147.1/24 brd 203.94.147.255 scope global eth1
    inet 203.8.109.1/24 brd 203.8.109.255 scope global eth1

I wish to allow ALL ports open to 203.94.147.101 (that's the internal
firewall IP) just not sure/where how to do this....
I thought I could add another zone and include just the IP in it, then
use a policy but couldn't quite figure it out.

Cheers
Ad
Adam Niedzwiedzki wrote:
> Hi all,
>
> How do I put a rule in to allow all ports on a single IP..
> I'm not masq my network as the firewall is on the router.
>
> I have another firewall internally that I will be removing sometime
> soon, but just wish to forward all ports to this firewall (until I can
> decommission it).
>
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:e0:81:2f:a5:fa brd ff:ff:ff:ff:ff:ff
>     inet 203.94.130.158/30 brd 203.94.130.159 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:e0:81:2f:a5:fb brd ff:ff:ff:ff:ff:ff
>     inet 203.94.147.1/24 brd 203.94.147.255 scope global eth1
>     inet 203.8.109.1/24 brd 203.8.109.255 scope global eth1
>
> I wish to allow ALL ports open to 203.94.147.101 (that's the internal
> firewall IP) just not sure/where how to do this....
> I thought I could add another zone and include just the IP in it, then
> use a policy but couldn't quite figure it out.
>
> Cheers
> Ad

Sorry Adam, I understand _nothing_ about your post.
be more precise, PLEASE.

submit a proper problem report

http://www.shorewall.net/support.htm#Guidelines

-- 
Cristian Rodriguez R.

perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
On Sunday 18 September 2005 17:58, Cristian Rodriguez wrote:
> Adam Niedzwiedzki wrote:
> > Hi all,
> >
> > How do I put a rule in to allow all ports on a single IP..
> > I'm not masq my network as the firewall is on the router.
> >
> > I have another firewall internally that I will be removing sometime
> > soon, but just wish to forward all ports to this firewall (until I can
> > decommission it).
> >
> > 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:e0:81:2f:a5:fa brd ff:ff:ff:ff:ff:ff
> >     inet 203.94.130.158/30 brd 203.94.130.159 scope global eth0
> > 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:e0:81:2f:a5:fb brd ff:ff:ff:ff:ff:ff
> >     inet 203.94.147.1/24 brd 203.94.147.255 scope global eth1
> >     inet 203.8.109.1/24 brd 203.8.109.255 scope global eth1
> >
> > I wish to allow ALL ports open to 203.94.147.101 (that's the internal
> > firewall IP) just not sure/where how to do this....
> > I thought I could add another zone and include just the IP in it, then
> > use a policy but couldn't quite figure it out.
> >
> > Cheers
> > Ad
>
> Sorry Adam, I understand _nothing_ about your post.
> be more precise, PLEASE.
>
> submit a proper problem report
>
> http://www.shorewall.net/support.htm#Guidelines

Let me see if I can give Adam some hints about Cristian's confusion:

a) You talk about adding a rule but all you give us are:

   - An IP address - 203.94.147.101
   - What appears to be the output of 'ip addr ls'

   With no Shorewall configuration information, it's tough for us to give
   you 'a rule'.

b) You say "I'm not masq my network as the firewall is on the router".
   While that breaks new syntactic ground, I'm guessing that it means that
   your network is routed -- is your ISP routing the /24 on eth1 through
   203.94.130.158 or are you using Proxy ARP? Or are you clueless about
   what to do and want help?

c) We are having to ask these rather obvious questions because you left
   out silly details like which interface on your firewall is the external
   interface and which interface is the external interface. We're guessing
   that eth0 is the external interface, only because you seem to want to
   allow traffic *to* 203.94.147.101 which, assuming a normal routing
   setup, would be connected to eth1. But you haven't told us anything
   about the routing either (see the previous point).

d) I'll make some wild assumptions here:

   1) Your ISP is routing your /24 through 203.94.130.158 or you are using
      Proxy ARP (in which case, I sure hope you have just specified the
      'proxyarp' option on both interfaces in /etc/shorewall/interfaces).
   2) You have defined eth0 to interface to 'net'
   3) You have defined eth1 to interface to 'loc'
   4) Your wish to "allow ALL ports" really means you want to "allow ALL
      *traffic*" since 'ports' are only relevant to TCP and UDP and you
      are going to need ICMP too whether you realize it or not. And if you
      do any VPN work, you'll need those protocols as well.
   5) All of the traffic that you want to allow is addressed to
      203.94.147.101 (in other words, we don't have to rewrite the
      destination IP address in the packets).

If all of these assumptions hold then, the rule you want is:

ACCEPT net loc:203.94.147.101

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sunday 18 September 2005 18:32, Tom Eastep wrote:
>
> c) We are having to ask these rather obvious questions because you left
>    out silly details like which interface on your firewall is the
>    external interface and which interface is the external interface.

s/external/internal/

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Ohh dear.... *blushes*
(Mental NOTE, don't post until at least 1 cup of coffee consumed in the
morning).

So sorry guys, one of those "Monday Mornings"

I'll try again.. (but you have answered my question).

I have a new LEAF bering machine setup as a firewall on my network.
I'm running Shorewall version 2.4.2
I'm running in a routed setup.
eth0 is connected to my ISP via a fibre connection.
I'm running zebra for the routing (as this machine will soon have to
handle an additional ISP and I will be setting up BGP).
eth1 is connected to my internal network.
I have the class C's 203.94.147/24 and 203.8.109/24 routed from my ISP
and setup on eth1

I also have another bering/shorewall machine on my internal network that
is firewalling a couple of servers. (it has the IP's 203.94.147.5 and
.101 and .102) on its eth0.

As I haven't had time to migrate the config from this firewall I wish to
just allow ALL traffic from the new firewall to the old firewall on my
internal network on the IP's I listed above.

I was a little confused when reading the help on rules, I was thinking of
doing

ACCEPT net loc:203.94.147.5 all

(it was the all bit that was confusing me), but as Tom has pointed out
below I only have to put in

ACCEPT net loc:203.94.147.5

and that will accept ALL traffic from net to loc destined for the IP
listed.

Again very sorry for the vague post. :o|

Thanks guys.

On Sunday 18 September 2005 17:58, Cristian Rodriguez wrote:
> Adam Niedzwiedzki wrote:
> > Hi all,
> >
> > How do I put a rule in to allow all ports on a single IP..
> > I'm not masq my network as the firewall is on the router.
> >
> > I have another firewall internally that I will be removing sometime
> > soon, but just wish to forward all ports to this firewall (until I can
> > decommission it).
> >
> > 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:e0:81:2f:a5:fa brd ff:ff:ff:ff:ff:ff
> >     inet 203.94.130.158/30 brd 203.94.130.159 scope global eth0
> > 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:e0:81:2f:a5:fb brd ff:ff:ff:ff:ff:ff
> >     inet 203.94.147.1/24 brd 203.94.147.255 scope global eth1
> >     inet 203.8.109.1/24 brd 203.8.109.255 scope global eth1
> >
> > I wish to allow ALL ports open to 203.94.147.101 (that's the internal
> > firewall IP) just not sure/where how to do this....
> > I thought I could add another zone and include just the IP in it, then
> > use a policy but couldn't quite figure it out.
> >
> > Cheers
> > Ad
>
> Sorry Adam, I understand _nothing_ about your post.
> be more precise, PLEASE.
>
> submit a proper problem report
>
> http://www.shorewall.net/support.htm#Guidelines

Let me see if I can give Adam some hints about Cristian's confusion:

a) You talk about adding a rule but all you give us are:

   - An IP address - 203.94.147.101
   - What appears to be the output of 'ip addr ls'

   With no Shorewall configuration information, it's tough for us to give
   you 'a rule'.

b) You say "I'm not masq my network as the firewall is on the router".
   While that breaks new syntactic ground, I'm guessing that it means that
   your network is routed -- is your ISP routing the /24 on eth1 through
   203.94.130.158 or are you using Proxy ARP? Or are you clueless about
   what to do and want help?

c) We are having to ask these rather obvious questions because you left
   out silly details like which interface on your firewall is the external
   interface and which interface is the external interface. We're guessing
   that eth0 is the external interface, only because you seem to want to
   allow traffic *to* 203.94.147.101 which, assuming a normal routing
   setup, would be connected to eth1. But you haven't told us anything
   about the routing either (see the previous point).

d) I'll make some wild assumptions here:

   1) Your ISP is routing your /24 through 203.94.130.158 or you are using
      Proxy ARP (in which case, I sure hope you have just specified the
      'proxyarp' option on both interfaces in /etc/shorewall/interfaces).
   2) You have defined eth0 to interface to 'net'
   3) You have defined eth1 to interface to 'loc'
   4) Your wish to "allow ALL ports" really means you want to "allow ALL
      *traffic*" since 'ports' are only relevant to TCP and UDP and you
      are going to need ICMP too whether you realize it or not. And if you
      do any VPN work, you'll need those protocols as well.
   5) All of the traffic that you want to allow is addressed to
      203.94.147.101 (in other words, we don't have to rewrite the
      destination IP address in the packets).

If all of these assumptions hold then, the rule you want is:

ACCEPT net loc:203.94.147.101

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
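The setup Adam describes (routed public /24s on eth1, eth0 to the ISP, no masquerading) and the rule Tom gave, laid out as a Shorewall 2.x configuration fragment. This is an added example, not configuration posted in the thread or shipped by the Shorewall project: the zone names follow Tom's assumptions 2) and 3), the interface options and the policy lines are assumptions chosen to give a restrictive default from 'net', and the three addresses are the ones Adam lists for the old firewall.

```text
# /etc/shorewall/zones  (zone names as in Tom's assumptions 2 and 3)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, eth0, fibre to the ISP
loc     Local     Routed 203.94.147.0/24 and 203.8.109.0/24 on eth1

# /etc/shorewall/interfaces
# Routed setup: the ISP routes both /24s to 203.94.130.158, so there is
# no 'proxyarp' here and no /etc/shorewall/masq entry. If Proxy ARP were
# in use instead, 'proxyarp' would be needed on both interfaces (Tom's
# assumption 1). Options are assumed, not from the thread.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
loc     eth1        detect

# /etc/shorewall/policy  (assumed; default-deny from the Internet)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Tom's rule. With PROTO, DEST PORT(S) and SOURCE PORT(S) left empty the
# rule matches every protocol addressed to the old firewall: TCP and UDP
# on any port, ICMP, and protocols such as ESP or GRE that have no ports
# at all, which is what "allow ALL traffic" (Tom's point 4) requires.
# Rules are consulted before the net->loc policy, so every other loc
# host still falls through to the DROP policy above.
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
ACCEPT    net      loc:203.94.147.5
ACCEPT    net      loc:203.94.147.101
ACCEPT    net      loc:203.94.147.102
```

Because the destination is a public address that is routed rather than NATed, no DNAT entry is involved (Tom's assumption 5): the packets already carry 203.94.147.x as their destination, and the old firewall keeps doing its own filtering behind these rules. After editing, `shorewall check` validates the files and `shorewall restart` applies them; note that the three ACCEPT lines expose those hosts entirely to the Internet, which is the intent here only until the old firewall's rules are migrated and the lines removed.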