Brian J. Murrell
2008-Feb-03 14:29 UTC
typo in shorewall-perl/Actions.pm and macro not working
My perl-fu is getting less and less every day, but I think this is a typo at line 392 of shorewall-perl-4.0.6/Shorewall/Actions.pm:

    my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 1, 8, 'macro file';
    --------------------------------------------------------------------------^

Now, why am I poking around in here? Seems my OSPF macro is not being expanded correctly. I believe my macro conforms to the documentation at http://www.shorewall.net/Macros.html:

    PARAM   DEST      SOURCE       ospf
    PARAM   DEST      224.0.0.22   igmp
    PARAM   1.2.3.4   5.6.7.8      ospf
    PARAM   SOURCE    DEST         ospf
    PARAM   -         224.0.0.5    ospf
    PARAM   -         224.0.0.6    ospf

And I invoke with the following rule:

    OSPF/ACCEPT   loc   fw

However what I get in my loc2fw chain is:

      0     0 ACCEPT  89 -- * * 1.2.3.4    5.6.7.8
    138 10996 ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0
      0     0 ACCEPT  89 -- * * 0.0.0.0/0  224.0.0.5
      0     0 ACCEPT  89 -- * * 0.0.0.0/0  224.0.0.6

So it seems that lines 1, 2 are not included at all. Line 4 is included, but SOURCE and DEST are replaced with "any". So in summary, any lines in my macro with SOURCE and/or DEST are not being handled correctly. This is shorewall[-perl] 4.0.6.

Cheers,
b.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2008-Feb-03 16:49 UTC
Re: typo in shorewall-perl/Actions.pm and macro not working
Brian J. Murrell wrote:
> My perl-fu is getting less and less every day, but I think this is a
> typo at line 392 of shorewall-perl-4.0.6/Shorewall/Actions.pm:
>
>     my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 1, 8, 'macro file';
>     --------------------------------------------------------------------------^
>

Perl is tolerant of extraneous whitespace after the leading special character.

    teastep@wifiursa:~/shorewall/branches/4.0/Shorewall-perl> perl -e '($foo, $ bar) = (1,2); print "$bar\n"'
    2
    teastep@wifiursa:~/shorewall/branches/4.0/Shorewall-perl>

> Now, why am I poking around in here? Seems my OSPF macro is not being
> expanded correctly. I believe my macro conforms to the documentation at
> http://www.shorewall.net/Macros.html:
>
>     PARAM   DEST      SOURCE       ospf
>     PARAM   DEST      224.0.0.22   igmp
>     PARAM   1.2.3.4   5.6.7.8      ospf
>     PARAM   SOURCE    DEST         ospf
>     PARAM   -         224.0.0.5    ospf
>     PARAM   -         224.0.0.6    ospf
>
> And I invoke with the following rule:
>
>     OSPF/ACCEPT   loc   fw
>
> However what I get in my loc2fw chain is:
>
>       0     0 ACCEPT  89 -- * * 1.2.3.4    5.6.7.8
>     138 10996 ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0
>       0     0 ACCEPT  89 -- * * 0.0.0.0/0  224.0.0.5
>       0     0 ACCEPT  89 -- * * 0.0.0.0/0  224.0.0.6
>
> So it seems that lines 1, 2 are not included at all. Line 4 is
> included, but SOURCE and DEST are replaced with "any". So in summary,
> any lines in my macro with SOURCE and/or DEST are not being handled
> correctly. This is shorewall[-perl] 4.0.6.

The SOURCE in the first two rules is 'fw'. The first rule will appear in the 'fw2loc' chain while the second will appear in the 'fw2fw' chain, which is not what you want. Change that one to:

    PARAM   DEST   SOURCE:224.0.0.22   igmp

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Feb-03 16:51 UTC
Re: typo in shorewall-perl/Actions.pm and macro not working
Tom Eastep wrote:
> Brian J. Murrell wrote:
>
> The SOURCE in the first two rules is 'fw'. The first rule will appear in
> the 'fw2loc' chain while the second will appear in the 'fw2fw' chain,
> which is not what you want. Change that one to:
>
>     PARAM   DEST   SOURCE:224.0.0.22   igmp
>

Oops -- just tried that and it generated an error (interpreting SOURCE as an interface name). I'll have to hack up a fix for that.

-Tom
Brian J. Murrell
2008-Feb-03 22:27 UTC
Re: typo in shorewall-perl/Actions.pm and macro not working
On Sun, 2008-02-03 at 08:49 -0800, Tom Eastep wrote:
>
> Perl is tolerant of extraneous whitespace after the leading special character.
>
>     teastep@wifiursa:~/shorewall/branches/4.0/Shorewall-perl> perl -e '($foo, $ bar) = (1,2); print "$bar\n"'
>     2
>     teastep@wifiursa:~/shorewall/branches/4.0/Shorewall-perl>

Interesting. I didn't know this.

> >     PARAM   DEST      SOURCE       ospf
> >     PARAM   DEST      224.0.0.22   igmp
> >     PARAM   1.2.3.4   5.6.7.8      ospf
> >     PARAM   SOURCE    DEST         ospf
> >     PARAM   -         224.0.0.5    ospf
> >     PARAM   -         224.0.0.6    ospf
>
> The SOURCE in the first two rules is 'fw'.

/me smacks forehead

Doh! Of course.

> The first rule will appear in
> the 'fw2loc' chain while the second will appear in the 'fw2fw' chain,
> which is not what you want.

In fact, the second rule does appear in the fw2loc chain:

    3159  229K ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0
       0     0 ACCEPT   2 -- * * 0.0.0.0/0  224.0.0.22

But I still wonder why the

    PARAM   SOURCE   DEST   ospf

rule translates into:

    6431  509K ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0

b.
Tom Eastep
2008-Feb-04 04:53 UTC
Re: typo in shorewall-perl/Actions.pm and macro not working
Brian J. Murrell wrote:
> But I still wonder why the
>
>     PARAM   SOURCE   DEST   ospf
>
> rule translates into:
>
>     6431  509K ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0
>

What would you expect it to translate to, if not that?

-Tom
Shorewall 4.0.8
3 Interface

    eth0: 192.168.1.1   255.255.255.0   #connected to Modem
    eth1: 10.10.1.3     255.0.0.0       #loc
    eth2: 10.10.2.3     255.255.254.0   #DMZ

In the POLICY File, all is set to REJECT

INTERFACES:

    net     ppp0   detect        routefilter,norfc1918,tcpflags,blacklist
    modem   eth0   detect
    loc     eth1   10.10.1.255   tcpflags,dhcp
    dmz     eth2   10.10.2.255   tcpflags,dhcp

MASQ:

    ppp0   eth1
    eth0   eth1
    eth0   eth2

ROUTESTOPPED:

    eth1   -
    eth2   -

ZONES:

    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4
    modem   ipv4

RULES:

    SSH/ACCEPT   dmz   $FW
    SSH/ACCEPT   dmz   loc
    SSH/ACCEPT   loc   $FW

I can't get the DMZ to connect to the Firewall or LOC by SSH. Am I missing something in the above setup? LOC to the Firewall is fine.

Thanks,
Patrick.

_________________________________________________________________
Windows Vista + Windows Live. Open up your digital life. Get Windows Live free.
http://get.live.com
P Hennessy wrote:
> Shorewall 4.0.8
> 3 Interface
>
>     eth0: 192.168.1.1   255.255.255.0   #connected to Modem
>     eth1: 10.10.1.3     255.0.0.0       #loc
>     eth2: 10.10.2.3     255.255.254.0   #DMZ
>
> In the POLICY File, all is set to REJECT
>
> INTERFACES:
>
>     net     ppp0   detect        routefilter,norfc1918,tcpflags,blacklist
>     modem   eth0   detect
>     loc     eth1   10.10.1.255   tcpflags,dhcp
>     dmz     eth2   10.10.2.255   tcpflags,dhcp
>
> Am I missing something in the above setup

Yes, your IP config is invalid.

10.10.2.0/23 is a subset of 10.0.0.0/8 - therefore eth1 and eth2 have overlapping IP addresses.

Your broadcast addresses are also wrong in the interfaces file:

    10.0.0.0/8 has a broadcast of 10.255.255.255
    10.10.2.0/23 has a broadcast of 10.10.3.255
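The two faults Simon points out (overlapping subnets on eth1/eth2, and INTERFACES broadcast values that do not match the configured masks) can be caught mechanically before a firewall is ever loaded. The check below is an added example written for this page, not code from the thread or from Shorewall; the interface table is constructed from the configuration quoted above, and the Python standard-library `ipaddress` module does the subnet arithmetic.

```python
import ipaddress

# Constructed from the posted config: (interface, address, netmask,
# broadcast as written in the INTERFACES file, or None if 'detect').
INTERFACES = [
    ("eth1", "10.10.1.3", "255.0.0.0", "10.10.1.255"),
    ("eth2", "10.10.2.3", "255.255.254.0", "10.10.2.255"),
    ("eth0", "192.168.1.1", "255.255.255.0", None),
]


def networks(ifaces):
    """Map interface name -> IPv4Network; strict=False masks off host bits."""
    return {name: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for name, addr, mask, _ in ifaces}


def overlapping_pairs(ifaces):
    """Return sorted (a, b) pairs of interfaces whose subnets overlap."""
    nets = networks(ifaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def broadcast_mismatches(ifaces):
    """Return (name, configured, correct) for every explicit broadcast that
    disagrees with the broadcast derived from the address and netmask."""
    nets = networks(ifaces)
    out = []
    for name, _, _, configured in ifaces:
        if configured is None:          # 'detect' in INTERFACES: nothing to check
            continue
        correct = str(nets[name].broadcast_address)
        if configured != correct:
            out.append((name, configured, correct))
    return out


def report(ifaces):
    """Human-readable summary of both checks, one line per finding."""
    lines = [f"{a} and {b} overlap ({networks(ifaces)[a]} vs {networks(ifaces)[b]})"
             for a, b in overlapping_pairs(ifaces)]
    lines += [f"{n}: broadcast {c} should be {ok}"
              for n, c, ok in broadcast_mismatches(ifaces)]
    return lines or ["no problems found"]


if __name__ == "__main__":
    print("\n".join(report(INTERFACES)))
    # Simon's suggested fix: eth1 becomes a /24; eth2's broadcast is still wrong.
    fixed = [("eth1", "10.10.1.3", "255.255.255.0", "10.10.1.255")] + INTERFACES[1:]
    print("\n".join(report(fixed)))
```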
On Mon, Feb 04, 2008 at 11:28:14AM +0000, Simon Hobson wrote:
> 10.10.2.0/23 is a subset of 10.0.0.0/8 - therefore eth1 and eth2 have
> overlapping IP addresses.

That's not necessarily wrong - but in this case, you're probably right, since I doubt he's done the necessary evil routing magic to make such weird configurations work.
Hi,

If you don't mind, could you tell me what IP & netmask I should set eth2: to, please.

> Date: Mon, 4 Feb 2008 11:28:14 +0000
> To: shorewall-users@lists.sourceforge.net
> From: linux@thehobsons.co.uk
> Subject: Re: [Shorewall-users] Can't SSH from DMZ to $FW, or to LOC
>
> Yes, your IP config is invalid.
>
> 10.10.2.0/23 is a subset of 10.0.0.0/8 - therefore eth1 and eth2 have
> overlapping IP addresses.
>
> Your broadcast addresses are also wrong in the interfaces file:
> 10.0.0.0/8 has a broadcast of 10.255.255.255
> 10.10.2.0/23 has a broadcast of 10.10.3.255
P Hennessy wrote:
> If you don't mind, could you tell me what IP & netmask I should set
> eth2: to, please.

That's up to you as the network designer.

However, based on what you are using at the moment, simply changing the subnet mask on eth1 to 255.255.255.0 (ie a /24) would fix the problem. You could use 255.255.254.0 (ie /23) which would give you a bigger range to play with.

Whatever you choose, make sure all devices in a network are using the same value, and make sure you specify the right broadcast value (or simply use detect).

At the risk of sounding patronising, the fact that you have to ask suggests that you do not understand the basics of IP and subnet masks. I would strongly recommend you find yourself a primer as it is fundamental required knowledge if you are going to use advanced tools like firewalls.
Brian J. Murrell
2008-Feb-04 13:58 UTC
Re: typo in shorewall-perl/Actions.pm and macro not working
On Sun, 2008-02-03 at 20:53 -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
>
> > But I still wonder why the
> >
> >     PARAM   SOURCE   DEST   ospf
> >
> > rule translates into:
> >
> >     6431  509K ACCEPT  89 -- * * 0.0.0.0/0  0.0.0.0/0
> >
>
> What would you expect it to translate to, if not that?

I guess I was expecting to see the actual addresses of "loc" and "fw" rather than the "any" address. But upon reflection, in consideration of the fact that Shorewall uses direction and location rather than specific host addressing, I guess the above makes sense.

Cheers,
b.
Thank you.

> Date: Mon, 4 Feb 2008 13:02:07 +0000
> To: shorewall-users@lists.sourceforge.net
> From: linux@thehobsons.co.uk
> Subject: Re: [Shorewall-users] Can't SSH from DMZ to $FW, or to LOC
>
> However, based on what you are using at the moment, simply changing
> the subnet mask on eth1 to 255.255.255.0 (ie a /24) would fix the
> problem.
Shorewall 4.0.8
3 Interface

I have setup Traffic Shaping

TCCLASSES:

    eth2   1   80kbit   150kbit    1   default
    eth2   2   80kbit   1500kbit   2

TCDEVICES:

    eth2   0   100mbps

TCRULES:

    1   eth2   0.0.0.0/0   tcp   80
    2   eth2   0.0.0.0/0   tcp   21

The traffic shaping is restricting all eth2 traffic to 150kbit on port 80 and 21. Why isn't port 21 downloading at 1500kbit?
P Hennessy wrote:
> Shorewall 4.0.8
> 3 Interface
>
> I have setup Traffic Shaping
>
> TCCLASSES:
>
>     eth2   1   80kbit   150kbit    1   default
>     eth2   2   80kbit   1500kbit   2
>
> TCDEVICES:
>
>     eth2   0   100mbps
>
> TCRULES:
>
>     1   eth2   0.0.0.0/0   tcp   80
>     2   eth2   0.0.0.0/0   tcp   21
>
> The traffic shaping is restricting all eth2 traffic to 150kbit on port
> 80 and 21.
> Why isn't port 21 downloading at 1500kbit?

a) You haven't told us whether eth2 is an external interface or an internal one.

b) Traffic shaping only deals with _outgoing_ traffic on eth2.

c) Port 21 is never used for FTP data transfer (see http://www.shorewall.net/FTP.html).

d) Generally, 'download' via HTTP has SOURCE port = 80; your rule has DEST port = 80.

e) The output of "shorewall show tc" is useful in understanding what is happening with the various classes.

-Tom
Sorry, eth2: is an internal interface. I want to restrict the download rate from the net, on this interface, for everything except windows file transfer on the network.

> Date: Mon, 4 Feb 2008 09:09:51 -0800
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Traffic Shaping
>
> a) You haven't told us whether eth2 is an external interface or an
> internal one.
>
> b) Traffic shaping only deals with _outgoing_ traffic on eth2.
P Hennessy wrote:
> I want to restrict the download rate from the net, on this
> interface, for everything except windows file transfer on the
> network.

You CANNOT do this. Traffic shaping works ONLY on egress. You can get an **approximation** by shaping traffic on egress from the internal interfaces, but in your case you have two internal interfaces so that's two totally separate instances of traffic control.

To 'shape' the combined traffic, I think you'd have to use an Intermediate Routing Device, but to be honest, I have to say I think you will be out of your depth - these are very advanced topics and I think you'll have problems getting them to work.

See also the thread titled "QoS Sample config ?" from about a week ago - that's a question about doing near enough what you are asking for.