Hi, I'm trying to get a Shorewall installation to work with net-host configuration. The shorewall box is running Debian Sarge (Kernel 2.4.27-3-386), OpenSwan 2.2.0-8, Shorewall 3.2.6-2 (from Testing) as you won't answer questions on v2. I'm trying to replace an IPCop box with a Debian/Shorewall solution. Once I get it working I plan on migrating to OpenVPN :-)

At work I currently use an IPCop box to allow remote users in from both net-net and net-host configurations. I have replaced my home IPCop box with a net-net Debian/Shorewall solution and this works fine. However, I cannot get the net-host solution working. I have set up an isolated test area at work to use.

The VPN tunnel works fine if the firewall isn't brought up. Once I activate shorewall and try to connect from a host over the vpn to an internal host I get the message in kern.log:

    Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DP PROTO=TCP SPT=1052 DPT=23 ...

If I take the norfc1918 out of the interfaces file I get a similar message but this time caught in the net2loc rule. My question is why the net-net configuration works but the net-host does not.
My configuration files are:

interfaces:
    vpn     ipsec0
    net     eth2    detect  tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
    loc     eth0    detect  tcpflags,detectnets,nosmurfs
    dmz     eth1    detect

masq:
    eth2    eth0
    eth2    eth1

policy:
    loc     vpn     ACCEPT
    vpn     loc     ACCEPT
    loc     net     ACCEPT
    loc     dmz     REJECT  info
    loc     $FW     REJECT  info
    loc     all     REJECT  info
    $FW     net     REJECT  info
    $FW     dmz     REJECT  info
    $FW     loc     REJECT  info
    $FW     all     REJECT  info
    dmz     net     REJECT  info
    dmz     $FW     REJECT  info
    dmz     loc     REJECT  info
    dmz     all     REJECT  info
    net     dmz     DROP    info
    net     $FW     DROP    info
    net     loc     DROP    info
    net     all     DROP    info
    all     all     REJECT  info

routestopped:
    eth0    -

rules:
    SECTION NEW
    DNS/ACCEPT      $FW     net
    SSH/ACCEPT      loc     $FW
    SSH/ACCEPT      loc     dmz
    DNS/ACCEPT      dmz     net
    Ping/REJECT     net     $FW
    Ping/ACCEPT     loc     $FW
    Ping/ACCEPT     dmz     $FW
    Ping/ACCEPT     loc     dmz
    Ping/ACCEPT     dmz     loc
    Ping/ACCEPT     dmz     net
    ACCEPT          $FW     net     icmp
    ACCEPT          $FW     loc     icmp
    ACCEPT          $FW     dmz     icmp

tunnels:
    ipsec   net     2.2.2.1     vpn

zones:
    vpn     ipv4
    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4

Many thanks in advance for your time and suggestions.

Regards,
Simon

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Simon Cruickshank wrote:
>
> My configuration files are :
>

In the future, please post the output of "shorewall dump" collected as described at http://www.shorewall.net/support.htm#Guidelines. Those guidelines go on to say:

Please DO NOT INCLUDE SHOREWALL CONFIGURATION FILES unless you have specifically asked to do so. The output of shorewall dump collected as described above is much more useful.

From what little you have told us it appears that your kernel is behaving like a 2.6 kernel that doesn't include policy match support or the IPSEC-Netfilter patches. I haven't kept up with 2.4 kernels in general and Debian 2.4 kernels in particular so I don't know what features have been back-ported from 2.6.

Here's the log entry that you posted:

> Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1
> LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DP PROTO=TCP SPT=1052 DPT=23
> ...

Note that the IN device is eth2, not ipsec0. Is there even an ipsec0 device being created when you establish IPSEC SAs with the remote gateway? I rather doubt it.

With a 2.6 kernel with policy match support, decrypted packets like that are not subject to rfc1918 filtration so that 'norfc1918' may be safely specified on the external interface -- such is not the case without policy match support.

You also go on to report that "If I take the norfc1918 out of the interfaces file I get a similar message but this time caught in the net2loc (policy) rule". This again suggests that your kernel has PF_KEY-based ipsec (kernel 2.6) support.

Given these hints, I would guess that you need to configure IPSEC as described at http://www.shorewall.net/IPSEC.htm but that you should follow the kernel 2.6 instructions rather than the kernel 2.4 instructions.

Thanks,
-Tom
--
Tom Eastep             \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
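To make Tom's diagnosis concrete, the following is an added example (not Shorewall's own code and not from either poster): it parses the posted kern.log line and then models how the posted interfaces and policy files dispose of that packet, using the interface it arrived on to pick the zone. Two simplifications are assumed and labelled in the code: the norfc1918 stage is modelled as "drop if the source or the destination is in RFC1918 space", which is what the posted log line implies (public SRC, private DST, dropped in the rfc1918 chain), and the rules file is skipped because the posted rules contain no net->loc entry for TCP port 23, so the decision falls through to the policy file. The packet names, tables and the log line are copied from the thread; the function names are the example's own.

```python
"""Model the disposition of a forwarded packet under the thread's Shorewall 3.2 config.

Added example: NOT Shorewall's implementation. It reproduces Tom's point that, with the
inbound device reported as eth2 rather than ipsec0, the decrypted packet is treated as
coming from the 'net' zone and therefore hits norfc1918 (or, without it, net2loc DROP).
"""
import ipaddress
import re

# Copies of the interfaces and policy files posted in the thread.
# interface -> (zone, options)
INTERFACES = {
    "ipsec0": ("vpn", set()),
    "eth2": ("net", {"tcpflags", "dhcp", "routefilter", "norfc1918", "nosmurfs", "logmartians"}),
    "eth0": ("loc", {"tcpflags", "detectnets", "nosmurfs"}),
    "eth1": ("dmz", set()),
}

# (source zone, destination zone, action) in file order; Shorewall uses the first match.
POLICY = [
    ("loc", "vpn", "ACCEPT"), ("vpn", "loc", "ACCEPT"), ("loc", "net", "ACCEPT"),
    ("loc", "dmz", "REJECT"), ("loc", "$FW", "REJECT"), ("loc", "all", "REJECT"),
    ("$FW", "net", "REJECT"), ("$FW", "dmz", "REJECT"), ("$FW", "loc", "REJECT"), ("$FW", "all", "REJECT"),
    ("dmz", "net", "REJECT"), ("dmz", "$FW", "REJECT"), ("dmz", "loc", "REJECT"), ("dmz", "all", "REJECT"),
    ("net", "dmz", "DROP"), ("net", "$FW", "DROP"), ("net", "loc", "DROP"), ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The kern.log line from the thread (constructed copy; the stray "DP" token is kept to
# show that tokens without '=' are ignored by the parser).
SAMPLE_LOG = ("Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 "
              "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DP PROTO=TCP SPT=1052 DPT=23")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)")


def parse_log(line):
    """Split a Shorewall log line into chain, action and the netfilter KEY=VALUE fields."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {
        "chain": m.group("chain"), "action": m.group("action"),
        "in": kv.get("IN"), "out": kv.get("OUT"),
        "src": ipaddress.ip_address(kv["SRC"]), "dst": ipaddress.ip_address(kv["DST"]),
        "proto": kv.get("PROTO"), "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def lookup_policy(src_zone, dst_zone, policy=POLICY):
    """First matching policy entry wins; 'all' matches any zone."""
    for s, d, action in policy:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return action
    raise LookupError("no policy covers %s -> %s" % (src_zone, dst_zone))


def dispose(pkt, interfaces=INTERFACES, policy=POLICY):
    """Return (chain, action) for a forwarded packet.

    Stage 1 (assumption, inferred from the posted log): an interface with norfc1918
    drops packets whose source OR destination is RFC1918 space.
    Stage 2 (rules file) is omitted: the posted rules have no net->loc entry.
    Stage 3: the zone-to-zone policy, named <src>2<dst> as in the net2loc log entry.
    """
    src_zone, opts = interfaces[pkt["in"]]
    dst_zone, _ = interfaces[pkt["out"]]
    if "norfc1918" in opts and (is_rfc1918(pkt["src"]) or is_rfc1918(pkt["dst"])):
        return ("rfc1918", "DROP")
    chain = "%s2%s" % (src_zone, dst_zone)
    return (chain, lookup_policy(src_zone, dst_zone, policy))


if __name__ == "__main__":
    pkt = parse_log(SAMPLE_LOG)
    print("as logged (IN=eth2, norfc1918):      ", dispose(pkt))
    no_rfc = dict(INTERFACES)
    no_rfc["eth2"] = ("net", INTERFACES["eth2"][1] - {"norfc1918"})
    print("norfc1918 removed from eth2:         ", dispose(pkt, interfaces=no_rfc))
    print("same packet arriving on ipsec0 (2.4):", dispose(dict(pkt, **{"in": "ipsec0"})))
```

The three scenarios match the thread: as logged the packet dies in the rfc1918 chain; with norfc1918 removed it reaches net2loc and is dropped by the `net loc DROP` policy; only if the kernel presented the decrypted traffic on ipsec0 would it be classified as `vpn` and accepted. What the model does not show is the 2.6 policy-match case Tom points to, where the zone is assigned from the IPSEC policy rather than the device name, so a packet with IN=eth2 can still land in the vpn zone.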
Tom Eastep wrote:
>
> From what little you have told us...

My apologies -- that wasn't called for. Your report was actually more complete than most.

-Tom
--
Tom Eastep             \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Tom,

Thanks for looking. I took your suggestions and upgraded the Debian box to Etch with a 2.6.18 kernel. After a little messing with the original config files (hosts & tunnels), it has now started working! Hurrah.

Many thanks.

Regards,
Simon (Now a very happy shorewall user)

P.S. No apologies necessary, but I was touched by your sentiment. Please accept my humble apologies for missing the shorewall dump suggestion.

On 13/02/07, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> >
> > From what little you have told us...
>
> My apologies -- that wasn't called for. Your report was actually more
> complete than most.
>
> -Tom
> --
> Tom Eastep             \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,              \ http://shorewall.net
> Washington USA          \ teastep@shorewall.net
> PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV