I'm running Shorewall 3.2 on Linux kernel 2.6.18. I've set up an IPSec gateway between two of these systems over the internet, as described in the shorewall.net documentation for "IPSec Gateway on the Firewall System". All is well as far as routing traffic between the LAN workstations; I just have one small issue that has been around since I first implemented this config many months ago.

Basically, the IPSec gateways themselves do not see the remote LANs. For example, if 192.168.10.10 is on the remote LAN, any machine on the local LAN can ping it, however all pings issued on the local gateway machine time out. It's clear why: the kernel routing table does not have an entry for the remote LAN. If I manually add one, I can then send traffic from the gateway machine over the VPN.

The only problem I have is for some reason it feels like a sloppy solution to be manually adding routes outside of shorewall, which basically controls the rest of the routing/natting/vpn/etc for the machine. Is there a way to add this vpn route within Shorewall, or is my only option doing static routing outside of the application?

Thanks-

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Cyber Dog wrote:
> The only problem I have is for some reason it feels like a sloppy solution to be manually
> adding routes outside of shorewall, which basically controls the rest
> of the routing/natting/vpn/etc for the machine. Is there a way to add
> this vpn route within Shorewall, or is my only option doing static
> routing outside of the application?

Repeat after me: "Shorewall does not control routing"
Repeat one more time: "Shorewall does not control routing"
One more time, please: "Shorewall does not control routing"

Ok, that's not quite true -- if you have entries in /etc/shorewall/providers or /etc/shorewall/route_rules, then Shorewall does get involved in routing; also it can add simple host routes as part of setting up Proxy ARP. But the point is that Shorewall is not responsible for the routing of VPN traffic; it is the responsibility of the VPN software to alter routing where needed.

One more point -- if you are running kernel 2.6.18, then you should be using the native IPSEC implementation that is part of kernel 2.6. In that case, routing isn't involved at all in deciding what traffic is handled by IPSEC (there are no ipsecN interfaces). So I guess I don't understand your configuration.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Cyber Dog wrote:
> The only problem I have is for some reason it feels like a sloppy solution to be manually
> adding routes outside of shorewall, which basically controls the rest
> of the routing/natting/vpn/etc for the machine. Is there a way to add
> this vpn route within Shorewall, or is my only option doing static
> routing outside of the application?
>
> Repeat after me: "Shorewall does not control routing"
> Repeat one more time: "Shorewall does not control routing"
> One more time, please: "Shorewall does not control routing"
>
> Ok, that's not quite true -- if you have entries in /etc/shorewall/providers or /etc/shorewall/route_rules, then Shorewall does get involved in routing;
> also it can add simple host routes as part of setting up Proxy ARP. But the point is that Shorewall is not responsible for the routing of VPN traffic;
> it is the responsibility of the VPN software to alter routing where needed.
>
> One more point -- if you are running kernel 2.6.18, then you should be using the native IPSEC implementation that is part of kernel 2.6. In that case,
> routing isn't involved at all in deciding what traffic is handled by IPSEC (there are no ipsecN interfaces). So I guess I don't understand your
> configuration.

Hi Cyber

Have you played around with ping -I?

I suspect that when you ping from your firewall the src ip for that ping is not in the subnet that you allow in your ipsec conf.

Example:

If your FW local ip on the lan is 192.168.10.10

Then

    ping -I 192.168.10.10 192.168.10.X

Regards
Jan van der Vyver
Jan van der Vyver wrote:
>
> Have you played around with ping -I?
>
> I suspect that when you ping from your firewall the src ip for that ping is
> not in the subnet that you allow in your ipsec conf.
>
> Example:
>
> If your FW local ip on the lan is 192.168.10.10
>
> Then
>
>     ping -I 192.168.10.10 192.168.10.X

The fact that the firewall's external IP is not part of the defined Security Policies is often the cause of the problem originally reported. I prefer to define additional SPs to handle that traffic (see http://www.shorewall.net/IPSEC-2.6.html for an example).

Disclaimer: I haven't actually tried either of the following as an alternative.

a) Routing Approach

Suppose that SPs are defined between 192.168.100.0/24 (the local network) and 192.168.200.0/24 (the remote network). Furthermore suppose that the firewall's internet interface is eth0 and the local interface is eth1 with IP address 192.168.100.254.

The route that is required then is:

    ip route add 192.168.200.0/24 dev eth0 src 192.168.100.254

Cyber Dog -- is that basically what you did?

b) Masq Approach

You might also be able to finesse IPSEC with a rule in your /etc/shorewall/masq file:

    eth0:192.168.200.0/24 <external fw IP> 192.168.100.254

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
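The mechanism behind Tom's diagnosis and his routing fix (a), as an added model that is not code from the list, Shorewall or the kernel: with native 2.6 IPsec the SPs match on the packet's (src, dst) pair, while routing only chooses the egress device and, through it, the default source address. The external IP 203.0.113.10 and the interface names are constructed to match Tom's scenario; source selection is simplified to "route's src hint, else the primary address of the egress interface".

```python
"""Added model (not Shorewall's or the kernel's code) of why the gateway's
own traffic missed the tunnel: SP matching uses (src, dst) of the packet,
routing only picks the egress device and thereby the default source."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix, "0.0.0.0/0" = default
    dev: str                    # egress interface
    src: Optional[str] = None   # preferred source ("ip route ... src X")

@dataclass(frozen=True)
class Policy:
    src_sel: str                # SP source selector
    dst_sel: str                # SP destination selector

# Constructed topology following Tom's scenario: eth0 is the internet side
# (the external IP 203.0.113.10 is made up here), eth1 is the local LAN.
IFACE_ADDR = {"eth0": "203.0.113.10", "eth1": "192.168.100.254"}
SPD = [Policy("192.168.100.0/24", "192.168.200.0/24"),
       Policy("192.168.200.0/24", "192.168.100.0/24")]

def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the routing table."""
    dst_ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    return max(cands, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

def source_for(routes: List[Route], dst: str) -> str:
    """Source a locally generated packet gets: the route's src hint if
    present, otherwise the primary address of the egress interface."""
    r = lookup(routes, dst)
    return r.src or IFACE_ADDR[r.dev]

def matches_sp(spd: List[Policy], src: str, dst: str) -> bool:
    """True if some SP selector pair covers this (src, dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(p.src_sel)
               and d in ipaddress.ip_network(p.dst_sel) for p in spd)

def will_be_encrypted(routes: List[Route], spd: List[Policy], dst: str) -> bool:
    """Does a packet the gateway itself sends to dst hit the tunnel?"""
    return matches_sp(spd, source_for(routes, dst), dst)

# Before: only a default route via eth0, so the gateway's pings to the
# remote LAN leave with the external IP as source, which no SP covers.
BEFORE = [Route("0.0.0.0/0", "eth0"), Route("192.168.100.0/24", "eth1")]
# Fix (a): Tom's route, pinning the LAN address as the source.
AFTER = BEFORE + [Route("192.168.200.0/24", "eth0", src="192.168.100.254")]
# The fix Tom prefers: additional SPs that cover the external IP itself.
SPD_EXTRA = SPD + [Policy("203.0.113.10/32", "192.168.200.0/24"),
                   Policy("192.168.200.0/24", "203.0.113.10/32")]
```

Either change makes `will_be_encrypted(..., "192.168.200.10")` true; the difference is whether the route table or the SPD carries the fix.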
On 11/1/06, Tom Eastep <teastep@shorewall.net> wrote:
>
> The fact that the firewall's external IP is not part of the defined Security
> Policies is often the cause of the problem originally reported. I prefer to
> define additional SPs to handle that traffic (see
> http://www.shorewall.net/IPSEC-2.6.html for an example).
>
> Disclaimer: I haven't actually tried either of the following as an alternative.
>
> a) Routing Approach
>
> Suppose that SPs are defined between 192.168.100.0/24 (the local network) and
> 192.168.200.0/24 (the remote network). Furthermore suppose that the firewall's
> internet interface is eth0 and the local interface is eth1 with IP address
> 192.168.100.254.
>
> The route that is required then is:
>
>     ip route add 192.168.200.0/24 dev eth0 src 192.168.100.254
>
> Cyber Dog -- is that basically what you did?
>

Yes, that's just about exactly the setup/solution. It works fine really; the route can be added automatically via /etc/network/interfaces. I asked mostly out of curiosity.

> b) Masq Approach
>
> You might also be able to finesse IPSEC with a rule in your /etc/shorewall/masq
> file:
>
>     eth0:192.168.200.0/24 <external fw IP> 192.168.100.254

Also cool.

>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>

Thanks-
Zachary Palmer
2006-Nov-02 07:36 UTC
Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
I am having a most peculiar problem with Shorewall 3.2.4 on a Debian Etch firewall. I upgraded to 3.2.4 to get access to the rule-based matching in tcrules; this has allowed me to quite successfully discriminate between SSH and SCP packets, prioritizing one and not the other. Until today, that is.

I opened my firewall configuration and added an entry for a port I wanted to forward. When I ran "shorewall check", it started choking on the rule that I had placed in tcrules:

    # SSH (with lower priority SCP)
    3 0.0.0.0/0 0.0.0.0/0 tcp 22
    3 0.0.0.0/0 0.0.0.0/0 tcp - 22
    4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8
    4 0.0.0.0/0 0.0.0.0/0 tcp - 22 - - - 8

Once again, that was working dandy right up until sometime recently, when I presumably did something stupid and broke it. However, I have not touched my firewall configuration since I added those lines and verified that they worked (and quite successfully, too). So I'm really not sure why it's not working. The error message produced by shorewall check is:

    ...
    TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 110 -" Compiled
    TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp 22 -" Compiled
    TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 22 -" Compiled
    ERROR: Invalid Mark or Mask value: -
    Terminated

I thought there may have been bits of old Shorewall 3.0.7 left about my system, since the message above seems to occur only if I place values in the "LENGTH" or "TOS" columns. So I purged everything Shorewall I could find and reinstalled 3.2.4. Still no luck.

Does anyone have any idea what's wrong? Attached is a gzipped file containing my shorewall dump and my full tcclasses and tcrules files.

Thanks for reading!

Cheers,
Zachary Palmer
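A parser for tcrules lines of the shape Zachary posted, added here as an example and not taken from Shorewall's compiler. The column order MARK SOURCE DEST PROTO PORT(S) SPORT(S) USER TEST LENGTH TOS is assumed from the 3.2-era layout, trailing columns are optional, and "-" is "unspecified" everywhere except MARK, where it is rejected with the same wording as the error in the thread; the MARK syntax is simplified to value or value/mask.

```python
"""Added example (not Shorewall's compiler): parse 3.2-style tcrules lines.
Assumed column order: MARK SOURCE DEST PROTO PORT(S) SPORT(S) USER TEST
LENGTH TOS. Trailing columns may be omitted; '-' means "unspecified" in
every column except MARK, which must carry a mark value."""
import re
from typing import Dict, List, Optional

COLUMNS = ["mark", "source", "dest", "proto", "ports", "sports",
           "user", "test", "length", "tos"]
# MARK as a decimal or hex value, optionally with a /mask (simplified: the
# real column accepts further forms that these rules do not use).
MARK_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?$")

def parse_mark(field: str):
    """Return (value, mask); mask is None when not given. '-' is invalid."""
    m = MARK_RE.match(field)
    if not m:
        raise ValueError(f"Invalid Mark or Mask value: {field}")
    value = int(m.group(1), 0)
    mask = int(m.group(2), 0) if m.group(2) else None
    return value, mask

def parse_tcrule(line: str) -> Optional[Dict[str, object]]:
    """Parse one tcrules line; None for blank lines and comments."""
    line = line.split("#", 1)[0]
    fields = line.split()
    if not fields:
        return None
    if len(fields) > len(COLUMNS):
        raise ValueError(f"too many columns ({len(fields)}): {line.strip()!r}")
    # Pad omitted trailing columns, then treat '-' as unspecified.
    padded = fields + ["-"] * (len(COLUMNS) - len(fields))
    rule = {name: (None if val == "-" else val)
            for name, val in zip(COLUMNS, padded)}
    rule["mark"], rule["mask"] = parse_mark(fields[0])
    if rule["tos"] is not None:
        rule["tos"] = int(rule["tos"], 0)   # numeric TOS only, in this model
    return rule

def parse_tcrules(text: str) -> List[Dict[str, object]]:
    """Parse a whole tcrules file body, skipping comments and blanks."""
    return [r for r in (parse_tcrule(l) for l in text.splitlines()) if r]

# Zachary's rules from the thread: mark 3 for port 22 in either direction,
# mark 4 for the same ports when the TOS field is 8.
ZACH_RULES = """\
# SSH (with lower priority SCP)
3 0.0.0.0/0 0.0.0.0/0 tcp 22
3 0.0.0.0/0 0.0.0.0/0 tcp - 22
4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8
4 0.0.0.0/0 0.0.0.0/0 tcp - 22 - - - 8
"""
```

All four lines parse, the ten-column ones included, so the "-" placeholders in SPORT(S), USER, TEST and LENGTH never reach the mark check.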
Tom Eastep
2006-Nov-02 16:14 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
Zachary Palmer wrote:
>
> # SSH (with lower priority SCP)
> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 22
> 4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8
> 4 0.0.0.0/0 0.0.0.0/0 tcp - 22 - - - 8
>

Those last two rules have way too many columns.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Nov-02 16:19 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
Tom Eastep wrote:
> Zachary Palmer wrote:
>
>> # SSH (with lower priority SCP)
>> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
>> 3 0.0.0.0/0 0.0.0.0/0 tcp - 22
>> 4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8
>> 4 0.0.0.0/0 0.0.0.0/0 tcp - 22 - - - 8
>>
>
> Those last two rules have way too many columns.

Sorry -- please disregard that; I was looking at an earlier version of the file. I've reproduced the problem and will look into it.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Nov-02 16:28 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
Zachary Palmer wrote:
>
> Once again, that was working dandy right up until sometime recently,
> when I presumably did something stupid and broke it. However, I have
> not touched my firewall configuration since I added those lines and
> verified that they worked (and quite successfully, too). So I'm really
> not sure why it's not working. The error message produced by shorewall
> check is:
>
> ...
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 110 -" Compiled
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp 22 -" Compiled
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 22 -" Compiled
> ERROR: Invalid Mark or Mask value: -
> Terminated
>

Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Nov-02 16:29 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
With patch this time...

Zachary Palmer wrote:
>
> Once again, that was working dandy right up until sometime recently,
> when I presumably did something stupid and broke it. However, I have
> not touched my firewall configuration since I added those lines and
> verified that they worked (and quite successfully, too). So I'm really
> not sure why it's not working. The error message produced by shorewall
> check is:
>
> ...
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 110 -" Compiled
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp 22 -" Compiled
> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 22 -" Compiled
> ERROR: Invalid Mark or Mask value: -
> Terminated
>

Attached is a patch for /usr/share/shorewall/compiler that should correct the problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Zachary Palmer
2006-Nov-03 07:38 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
> With patch this time...
>
> Zachary Palmer wrote:
>
>> Once again, that was working dandy right up until sometime recently,
>> when I presumably did something stupid and broke it. However, I have
>> not touched my firewall configuration since I added those lines and
>> verified that they worked (and quite successfully, too). So I'm really
>> not sure why it's not working. The error message produced by shorewall
>> check is:
>>
>> ...
>> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 110 -" Compiled
>> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp 22 -" Compiled
>> TC Rule "3 0.0.0.0/0 0.0.0.0/0 tcp - 22 -" Compiled
>> ERROR: Invalid Mark or Mask value: -
>> Terminated
>>
>
> Attached is a patch for /usr/share/shorewall/compiler that should correct the
> problem. The patch is against 3.2.5 but applies to 3.2.4 with an offset.
>
> -Tom
>

Shiny! I applied your patch to my copy of Shorewall 3.2.4 and everything seems to be merry and bright. I just have no clue how I got this to work before... and honestly, I did... even tested the shaping ability several times. Oh well. It's better to know why something was broken than why it wasn't, I suppose.

Thanks!

Cheers,
Zachary Palmer
Tom Eastep
2006-Nov-03 15:20 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
Zachary Palmer wrote:
> I just have no clue how I got
> this to work before... and honestly, I did... even tested the shaping
> ability several times.

I don't either -- the bug was introduced in Shorewall 3.2.3 and you were the first to bring it to my attention.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Zachary Palmer
2006-Nov-03 19:31 UTC
Re: Shorewall 3.2.4 tcrules: SCP/SSH distinction stopped working
Tom Eastep wrote:
> Zachary Palmer wrote:
>
>> I just have no clue how I got
>> this to work before... and honestly, I did... even tested the shaping
>> ability several times.
>>
>
> I don't either -- the bug was introduced in Shorewall 3.2.3 and you were the
> first to bring it to my attention.
>
> -Tom
>

*light bulb*

I was using the 3.2.2 Debian package that Prasanna Krishnamoorthy sent me before I realized there was a more formal 3.2.4 package available. So I'm guessing I got confused; I got the modification working under 3.2.2 and then forgot to double-check it when I upgraded it to 3.2.4. :)

Thanks again,
Zach