Ok so I am having an interesting problem.
All of the rules in the /etc/shorewall/rules file seem to be
getting ignored.
For instance
Neither
ACCEPT net fw tcp 22
NOR
SSH/ACCEPT net fw
result in being able to accept ssh connections, but if I do shorewall
clear then I can ssh in, so the ssh server is working.
Another interesting note is that the first rule does create the
following entry in the iptables:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
I have also had the same problems when using DNAT commands.
Please note that all of my config files were direct copies from an
old 700mhz machine, and it worked when it was on that box.
I attempted to open various ports via DNAT, but after I did they
still resulted in a filtered result from nmap.
Thanks
Ben G
System Information
shorewall version = 3.0.5
1.7ghz (Fast for a router)
Debian Linux (Unstable Branch) Installed this morning.
2.6.15 Kernel (Debian Build)
eth0 --> Internet/Comcast via (DHCP)
eth1 --> Wired Lan
eth2 --> Netgear Router --> Wireless Lan
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918,blacklist
loc eth1 192.168.2.255 dhcp
wifi eth2 192.168.3.255 dhcp,tcpflags,maclist
#EOF
/etc/shorewall/zones
net Net Internet
loc Local Local networks
wifi Wifi Wireless Zone
#EOF
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc all ACCEPT
fw all ACCEPT
wifi net ACCEPT
wifi fw DROP
wifi loc DROP
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE
#EOF
/etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth1
eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#EOF
And the output after a hostname# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
Determining Zones...
IPv4 Zones: net loc wifi
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
loc Zone: eth1:0.0.0.0/0
wifi Zone: eth2:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Setting up Blacklisting...
Blacklisting enabled on eth0:0.0.0.0/0
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
IP Forwarding Enabled
Processing ipsec...
Setting up MAC Verification on eth2...
Processing /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.SSH...
Rule "ACCEPT net fw tcp 22 - - - -" added.
..End Macro
Processing /etc/shorewall/tunnels...
Processing Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" added.
Rule "DROP - - udp 137:139 - -" added.
Rule "DROP - - udp 1024: 137 -" added.
Rule "DROP - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" added.
Rule "REJECT - - udp 137:139 - -" added.
Rule "REJECT - - udp 1024: 137 -" added.
Rule "REJECT - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /etc/shorewall/policy...
Policy DROP for net to fw using chain net2all
Policy DROP for wifi to fw using chain wifi2fw
Policy ACCEPT for wifi to net using chain wifi2net
Policy DROP for wifi to loc using chain wifi2loc
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 192.168.2.0/24 through eth0
To 0.0.0.0/0 (all) from 192.168.3.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
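As an added illustration (not code from the post or from Shorewall itself), the following evaluator models how Shorewall decides a new connection from the rules and policy files quoted above: the SSH macro expands to "ACCEPT net fw tcp 22" exactly as the restart log shows, a matching rule wins first, and otherwise the first matching policy line applies, ending at the "all all" catch-all. The RULES and POLICY text is copied from the post; the MACROS table is an assumption that covers only the one macro used there.

```python
# Added example (not from the post): minimal Shorewall rules+policy evaluator.
MACROS = {"SSH": ("tcp", "22")}  # assumed: only the macro used in the post

RULES = """
ACCEPT net fw tcp 22
SSH/ACCEPT net fw
"""

POLICY = """
loc all ACCEPT
fw all ACCEPT
wifi net ACCEPT
wifi fw DROP
wifi loc DROP
net all DROP info
all all REJECT info
"""

def parse_rules(text):
    """Return (action, src, dst, proto, dport) tuples with macros expanded."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        action, src, dst = f[:3]
        proto, dport = (f + ["-", "-"])[3:5]   # missing columns mean "any"
        if "/" in action:                       # macro form, e.g. SSH/ACCEPT
            macro, action = action.split("/", 1)
            proto, dport = MACROS[macro]
        rules.append((action, src, dst, proto, dport))
    return rules

def parse_policy(text):
    """Return (src, dst, policy) tuples; the LOG LEVEL column is ignored."""
    rows = [line.split() for line in text.splitlines()]
    return [tuple(f[:3]) for f in rows if f and not f[0].startswith("#")]

def verdict(src, dst, proto, dport, rules=None, policy=None):
    """Decide a new src->dst connection: matching rule first, else policy."""
    rules = parse_rules(RULES) if rules is None else rules
    policy = parse_policy(POLICY) if policy is None else policy
    for action, s, d, p, port in rules:
        if (s in ("all", src) and d in ("all", dst)
                and p in ("-", proto) and port in ("-", dport)):
            return action, "rule"
    for s, d, pol in policy:
        if s in ("all", src) and d in ("all", dst):
            return pol, "policy"
    return "REJECT", "implicit"   # Shorewall itself requires an all/all line
```

With the post's files, verdict("net", "fw", "tcp", "22") is ("ACCEPT", "rule"), so a mismatch between this model and what the box actually does points at checks Shorewall applies before the zone rule chains (such as the eth0 interface options) rather than at rule or policy order.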