Greetings all,

I have just installed Shorewall on a Debian system and I'm using it as a firewall on an internal network. The specifics of the system are as follows:

firewall:/var/log# shorewall version
3.0.4
firewall:/var/log# uname -a
Linux firewall 2.6.12-1-386 #1 Tue Sep 27 12:41:08 JST 2005 i586 GNU/Linux

Shorewall starts successfully and $FW can connect to the Internet for upgrading the system. However 'nothing' on 'loc' can get out.

The interfaces look like:

firewall:/var/log# grep -v '#' /etc/shorewall/interfaces
net     eth0    detect    dhcp
loc     eth1    detect

The zones look like this:

firewall:/var/log# grep -v '#' /etc/shorewall/zones
fw      firewall
net     ipv4
loc     ipv4

The policy file looks like this:

firewall:/var/log# grep -v '#' /etc/shorewall/policy
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP      info
all     all     REJECT    info

Here is what appears in the /var/log/messages log when I try to get to the internet from inside the firewall:

Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38323 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38324 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:06 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38335 DF PROTO=TCP SPT=2256 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:06 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38336 DF PROTO=TCP SPT=2256 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:06 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38337 DF PROTO=TCP SPT=2256 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

It seems to me that the first rule in /etc/shorewall/policy isn't being implemented. If someone can help me debug this problem, I'd really appreciate it.

Lee
Tom Eastep
2006-Feb-12 01:06 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Saturday 11 February 2006 16:57, Lee Zelyck wrote:

> Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

You are running a proxy on the firewall. That proxy is listening on port 8080. You have not taken the steps necessary to enable this manual proxy. For instructions, please see http://www1.shorewall.net/Shorewall_Squid_Usage.html.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Lee Zelyck
2006-Feb-12 01:45 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
Hello Mr. Eastep!

Thank you for pointing me in the direction of the squid configuration page. I had somehow surfed past that one.

Anyway, I followed the steps at the bottom of the page, and made the appropriate changes to my /etc/shorewall/rules. The result is that 'rules' now looks like:

firewall:/etc/shorewall# more rules.short
ACCEPT    loc    $FW    tcp    8080
ACCEPT    $FW    net    tcp    80,443
SECTION NEW

However, when I try to start shorewall with these new rules I get errors:

firewall:/etc/shorewall# /etc/init.d/shorewall stop
Stopping "Shorewall firewall": done.
firewall:/etc/shorewall# /etc/init.d/shorewall start
Starting "Shorewall firewall": /etc/init.d/shorewall: line 77: 23697 Terminated $SRWL start>>$INITLOG 2>&1
not done (check /var/log/shorewall-init.log).
firewall:/etc/shorewall#

The messages in /var/log/shorewall-init.log say:

Processing /etc/shorewall/rules...
   Rule "ACCEPT loc fw tcp 8080 " added.
   Rule "ACCEPT fw net tcp 80,443 " added.
   ERROR: Duplicate or out of order SECTION NEW
Disabling IPV6...

I'm not certain I know what is duplicated or out of order here?

Thanks!
Lee

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Saturday 11 February 2006 16:57, Lee Zelyck wrote:
> > Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
>
> You are running a proxy on the firewall. That proxy is listening on port 8080. You have not taken the steps necessary to enable this manual proxy. For instructions, please see http://www1.shorewall.net/Shorewall_Squid_Usage.html.
>
> -Tom
Tom Eastep
2006-Feb-12 02:44 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Saturday 11 February 2006 17:45, Lee Zelyck wrote:
> Hello Mr. Eastep!
>
> Thank you for pointing me in the direction of the squid configuration page. I had somehow surfed past that one.
>
> Anyway, I followed the steps at the bottom of the page, and made the appropriate changes to my /etc/shorewall/rules. The result is that 'rules' now looks like:
>
> firewall:/etc/shorewall# more rules.short
> ACCEPT    loc    $FW    tcp    8080
> ACCEPT    $FW    net    tcp    80,443
> SECTION NEW

Didn't you wonder what that SECTION thingy was? HINT: PUT YOUR RULES AFTER IT.

Also, if you haven't configured your firewall using one of the Guides at http://www.shorewall.net/shorewall_quickstart_guide.htm then please do so before posting again.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
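The SECTION ordering Tom is pointing at, as an added example that is not Shorewall's own parser and not code from this thread: a small linter for a Shorewall 3.x rules file. It treats any rule that appears before the first SECTION line as implicitly opening SECTION NEW, so an explicit SECTION NEW further down is reported the way the "Duplicate or out of order SECTION NEW" message in the thread does. BROKEN_RULES and FIXED_RULES are constructed inputs modelled on the file Lee posted; the section names and their order (ESTABLISHED, RELATED, NEW) are the ones the default rules file comments describe.

```python
"""Lint a Shorewall 3.x /etc/shorewall/rules file for SECTION ordering.

Added example; this is not Shorewall's own parser. It reproduces the
condition behind the thread's "ERROR: Duplicate or out of order SECTION NEW":
a rule that appears before any SECTION line implicitly opens SECTION NEW,
so an explicit SECTION NEW further down is a duplicate.
"""

SECTION_ORDER = ("ESTABLISHED", "RELATED", "NEW")

# Constructed inputs. BROKEN_RULES mirrors the file posted in the thread
# (rules placed above SECTION NEW); FIXED_RULES has them moved below it.
BROKEN_RULES = """\
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      $FW    tcp     8080
ACCEPT    $FW      net    tcp     80,443
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

FIXED_RULES = """\
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
SECTION NEW
ACCEPT    loc      $FW    tcp     8080
ACCEPT    $FW      net    tcp     80,443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def lint_rules(text):
    """Return a list of (line_no, message); an empty list means nothing found."""
    problems = []
    current = None      # section currently open; None until one is opened
    first_rule = None   # line number of the first rule seen before any SECTION
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "SECTION":
            # An ordinary rule. Before any SECTION line it implicitly opens NEW.
            if current is None:
                current, first_rule = "NEW", no
            continue
        name = parts[1] if len(parts) > 1 else ""
        if name not in SECTION_ORDER:
            problems.append((no, f"unknown SECTION {name!r}"))
            continue
        # Sections must appear in ESTABLISHED, RELATED, NEW order, each at most
        # once; an implicitly opened NEW counts as already seen.
        if current is not None and SECTION_ORDER.index(name) <= SECTION_ORDER.index(current):
            msg = f"Duplicate or out of order SECTION {name}"
            if first_rule is not None:
                msg += f" (rules starting at line {first_rule} already opened SECTION NEW)"
            problems.append((no, msg))
            continue
        current = name
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, lint_rules(text) or "ok")
```

Run against BROKEN_RULES it reports line 4, the SECTION NEW line, and names line 2 as the rule that already opened the section; FIXED_RULES passes. A file with rules and no SECTION line at all also passes, which is why the error only appears once an explicit SECTION line follows the misplaced rules.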
Lee Zelyck
2006-Feb-12 03:06 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
Hi again Mr. Eastep,

> > firewall:/etc/shorewall# more rules.short
> > ACCEPT    loc    $FW    tcp    8080
> > ACCEPT    $FW    net    tcp    80,443
> > SECTION NEW
>
> Didn't you wonder what that SECTION thingy was?
> HINT: PUT YOUR RULES AFTER IT.

Well, I did wonder, but I guess it just didn't occur to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'. Now that I know, I can certainly appreciate its inclusion, and your pointing it out.

> Also, if you haven't configured your firewall using one of the Guides at
> http://www.shorewall.net/shorewall_quickstart_guide.htm then please do so
> before posting again.

Thank you. I have been using this one: http://www.shorewall.net/two-interface.htm.

Thanks again,
Lee
Tom Eastep
2006-Feb-12 03:18 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Saturday 11 February 2006 19:06, Lee Zelyck wrote:
> > Didn't you wonder what that SECTION thingy was?
> > HINT: PUT YOUR RULES AFTER IT.
>
> Well, I did wonder, but I guess it just didn't occur to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'. Now that I know, I can certainly appreciate its inclusion, and your pointing it out.

1. All of the rules that Shorewall had provided for you were after "SECTION NEW"
2. You wondered about it but still added your rules BEFORE the "SECTION NEW".
3. When you saw an error message that said

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Feb-12 03:21 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Saturday 11 February 2006 19:18, Tom Eastep wrote:
> On Saturday 11 February 2006 19:06, Lee Zelyck wrote:
> > > Didn't you wonder what that SECTION thingy was?
> > > HINT: PUT YOUR RULES AFTER IT.
> >
> > Well, I did wonder, but I guess it just didn't occur to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'. Now that I know, I can certainly appreciate its inclusion, and your pointing it out.
>
> 1. All of the rules that Shorewall had provided for you were after "SECTION NEW"
> 2. You wondered about it but still added your rules BEFORE the "SECTION NEW".
> 3. When you saw an error message that said

ERROR: Duplicate or out of order SECTION NEW

then you didn't connect the two?

Ok....

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Feb-12 03:57 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Saturday 11 February 2006 19:21, Tom Eastep wrote:
> On Saturday 11 February 2006 19:18, Tom Eastep wrote:
> > On Saturday 11 February 2006 19:06, Lee Zelyck wrote:
> > > > Didn't you wonder what that SECTION thingy was?
> > > > HINT: PUT YOUR RULES AFTER IT.
> > >
> > > Well, I did wonder, but I guess it just didn't occur to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'. Now that I know, I can certainly appreciate its inclusion, and your pointing it out.
> >
> > 1. All of the rules that Shorewall had provided for you were after "SECTION NEW"
> > 2. You wondered about it but still added your rules BEFORE the "SECTION NEW".
> > 3. When you saw an error message that said
>
> ERROR: Duplicate or out of order SECTION NEW
>
> then you didn't connect the two?
>
> Ok....

I've added the following instructions to the rules file in both the 3.0 and 3.1 threads...

# NOTE: If you don't understand the above description of SECTIONS then just
# PUT YOUR RULES AFTER THE "SECTION NEW" BELOW.

Hopefully that will help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Lee Zelyck
2006-Feb-12 17:59 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
Hi again Mr. Eastep,

> > > 1. All of the rules that Shorewall had provided for you were after
> > > "SECTION NEW"

Well, perhaps I'm thick, but I just didn't see all of the 'rules that shorewall had provided' prior to the "SECTION NEW" line. There was quite an excellent list of examples, but no 'rules' in the actual 'rules' file like the one I subsequently added.

> > > 2. You wondered about it but still added your rules BEFORE the "SECTION
> > > NEW".

Umm.. yeah. Sorry. I just saw the line "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" and thought that anywhere above it was fine. Perhaps I thought the line was commented out the same as the preceding sections: '#SECTION ESTABLISHED' and '#SECTION RELATED'.

> > > 3. When you saw an error message that said
> >
> >    ERROR: Duplicate or out of order SECTION NEW
> >
> > then you didn't connect the two?
> >
> > Ok....

Well, please understand that this is my first time setting up a shorewall system. I thought of a lot of potential problems for this. I just didn't recognize the importance of those 2 words 'SECTION NEW' in the rules. It has been made abundantly clear now.

> I've added the following instructions to the rules file in both the 3.0 and
> 3.1 threads...
>
> # NOTE: If you don't understand the above description of SECTIONS then just
> # PUT YOUR RULES AFTER THE "SECTION NEW" BELOW.
>
> Hopefully that will help.

I'm certain it will. Thanks for all your patience, understanding and help.

Lee
Tom Eastep
2006-Feb-12 19:41 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
On Sunday 12 February 2006 09:59, Lee Zelyck wrote:
> > I've added the following instructions to the rules file in both the 3.0 and
> > 3.1 threads...
> >
> > # NOTE: If you don't understand the above description of SECTIONS then just
> > # PUT YOUR RULES AFTER THE "SECTION NEW" BELOW.
> >
> > Hopefully that will help.
>
> I'm certain it will.

I've also added a warning to each of the QuickStart Guides, cautioning folks to add their rules after the line that reads SECTION NEW.

Sorry for the unclear instructions,

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Lee Zelyck
2006-Feb-12 19:46 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
Hi Mr. Eastep,

> I've also added a warning to each of the QuickStart Guides, cautioning folks
> to add their rules after the line that reads SECTION NEW.

I think that will also help.

> Sorry for the unclear instructions,

I certainly wouldn't call the instructions or comments unclear. I think it's just a new lingo. Thank you very much for all your help clarifying it to me.

Sincerely,
Lee
Paul Gear
2006-Feb-15 05:54 UTC
Re: Local Network Can't Get Past Shorewall to the Internet
Lee Zelyck wrote:
> ...
> Here is what appears in the /var/log/messages log when I try to get to the internet from inside the firewall:
>
> Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

Now that you've had your baptism of fire with Tom (don't worry, he's a softie on the inside ;-) I'll offer my logging tips (we've been debating about whether these need to be in the FAQ or web site somewhere):

1. Define all of the combinations of zones in your policy file, and set them to log at info level. e.g. in the 2 interface example, use something like this:

loc     net     ACCEPT
loc     fw      REJECT    info
loc     all     REJECT    info
fw      net     REJECT    info
fw      loc     REJECT    info
fw      all     REJECT    info
net     loc     DROP      info
net     fw      DROP      info
net     all     DROP      info

This produces the same results as the current CVS version of the two-interface guide policy (which I don't think has changed for some time), but gives much more specific logging information.

2. If you have a complicated setup (like some of us do ;-), define *all* of your zones in the hosts file, not the interfaces file. Keeping them in the one place makes it less likely that you'll make mistakes in host/zone placement.

Tom, perhaps we should think about setting up the samples like the above to give us more info the first time people come with a question and give us all2all log entries.

Regards,
Paul
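Reading the log excerpt in the first post together with Paul's point about per-zone-pair policies, here is an added example (not code from this thread or from the Shorewall project) that parses the 'Shorewall:<chain>:<disposition>:' prefix and the netfilter fields that follow it. Two fields answer the question asked in the first post: the chain name says which policy fired (all2all is the catch-all 'all all REJECT'), and an empty OUT= says the packet was addressed to the firewall itself rather than forwarded, so the 'loc net ACCEPT' policy never applied to the port 8080 traffic. The sample lines are constructed: the first two are modelled on the excerpt above, the net2fw and loc2net lines and the 203.0.113.x / 198.51.100.x addresses are invented to show what the logs look like once the zone pairs are split out as Paul suggests.

```python
"""Summarise Shorewall kernel log lines by chain, disposition and packet path.

Added example, not code from the thread or from the Shorewall project. It
parses the 'Shorewall:<chain>:<disposition>:' prefix seen in the thread's
/var/log/messages excerpt and reads IN=/OUT= to tell traffic aimed at the
firewall itself apart from traffic being forwarded through it.
"""
import re
from collections import Counter

# Constructed sample input. The first two lines are modelled on the excerpt in
# the first post (192.168.77.x, port 8080); the net2fw and loc2net lines and
# the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation ranges) are
# invented to show what per-zone-pair policies with 'info' logging produce.
SAMPLE_LOG = """\
Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:24:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38323 DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 11 12:25:10 firewall kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 11 12:25:11 firewall kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.77.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=38400 PROTO=UDP SPT=1234 DPT=53
Feb 11 12:25:12 firewall kernel: eth0: link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+"
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "chain": m["chain"],
             "action": m["action"], "flags": []}
    for tok in m["fields"].split():
        key, sep, val = tok.partition("=")
        if sep:
            entry[key] = val            # OUT= yields '': packet was not forwarded
        else:
            entry["flags"].append(tok)  # bare tokens such as DF, SYN
    return entry


def packet_path(entry):
    """Which netfilter path logged the packet, judged from IN= and OUT=."""
    if entry.get("IN") and not entry.get("OUT"):
        return "to-firewall"     # INPUT: DST is one of the firewall's own addresses
    if entry.get("OUT") and not entry.get("IN"):
        return "from-firewall"   # OUTPUT
    return "forwarded"           # FORWARD: both interfaces set


def summarize(log_text):
    """Count (chain, action, path, proto, dport) tuples over a log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            counts[(e["chain"], e["action"], packet_path(e),
                    e.get("PROTO", "?"), e.get("DPT", "-"))] += 1
    return counts


def explain(key):
    """Turn one summary key into the hint a reader of this thread would want."""
    chain, action, path, proto, dport = key
    if chain == "all2all":
        where = "the firewall itself" if path == "to-firewall" else "a forwarded destination"
        return (f"{proto}/{dport} to {where} fell through to the catch-all 'all all {action}' "
                f"policy: no rule and no zone-pair policy matched it")
    return f"{proto}/{dport} ({path}) was handled by the {chain} policy chain: {action}"


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {explain(key)}")
```

On the sample input the two port 8080 lines collapse into one all2all entry whose path is "to-firewall", which is the clue that a loc-to-$FW rule (not the loc-to-net policy) governs them; the net2fw and loc2net entries show how the chain name alone identifies the zone pair once Paul's explicit policies are in place.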