I'm trying out a setup "Basic 2 Interfaces" with the proxyarp option, with subnetting.
My 'loc' zone is the bare minimum: a /30 subnet, but sufficient for 1 'loc' PC for testing.

My test 'loc' PC:
eth0 IP 143.129.75.237 SM 255.255.255.252 GW 143.129.75.238

My test FW has two interfaces in use (eth0 and eth2) (eth1 unused):
eth0 IP 143.129.75.175 SM 255.255.255.0 GW 143.129.75.254
eth2 IP 143.129.75.238 SM 255.255.255.252 GW 143.129.75.254

My config files are

------ zones ----------
fw firewall
net ipv4
loc ipv4

------ policy ---------
$FW net ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info

------ interfaces -----
net eth0 detect proxyarp,tcpflags,routefilter,nosmurfs
loc eth2 detect tcpflags,nosmurfs

------ rules ----------
ACCEPT loc $FW icmp
ACCEPT net:143.129.75.1 $FW icmp
#
ACCEPT loc $FW tcp ssh
ACCEPT net:143.129.75.1 $FW tcp ssh
REJECT net $FW tcp ssh
#
ACCEPT $FW loc tcp ssh
ACCEPT net:143.129.75.1 loc tcp ssh
REJECT net loc tcp ssh

Before testing I did
# shorewall clear (to get rid of any things from previous setups)
# shorewall check
# shorewall start

If I try a ping from the system 143.129.75.1 (in the net zone) to the firewall:
143.129.75.1> ping 143.129.75.175
I can get some 8 to 13 (varies) successful echo-replies, then:
Destination Host Unreachable

I can ssh from 143.129.75.1 into the FW, but it's very slow (30 seconds to wait after entering the password), then commands typed in often get stuck, then after several seconds are 'released' etc... (from a Terminal window on the system, everything is at normal speed)

Also my /var/log/messages is full of kernel messages about
martian source xxx.yyy.zzz.uuu from aaa.bbb.ccc.ddd on dev eth0
If I do
# shorewall clear
they still keep coming (and ssh response time remains slow)

What's wrong??
------------------------------------------------------------------------------ Download new Adobe(R) Flash(R) Builder(TM) 4 The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today! http://p.sf.net/sfu/adobe-dev2dev
On 10/20/10 6:01 AM, N dhert wrote:
>
> What's wrong??

Have you cabled eth0 and eth1 to the same switch/hub?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
On 10/20/10 6:01 AM, N dhert wrote:
> I'm trying out a setup Basic 2 Interfaces with proxyarp option
> with subnetting.
> My 'loc' zone is the bare minimum: a /30 subnet but sufficient for 1 'loc'
> PC for testing.
>
> My test 'loc' PC:
> eth0 IP 143.129.75.237 SM 255.255.255.252 GW 143.129.75.238
>
> My test FW has two interfaces in use (eth0 and eth2) (eth1 unused):
> eth0 IP 143.129.75.175 SM 255.255.255.0 GW 143.129.75.254
> eth2 IP 143.129.75.238 SM 255.255.255.252 GW 143.129.75.254

eth2 should not have a gateway.

-Tom
There's nothing plugged in eth1 since I do not use it yet.
In eth2 there is a cable to my 8 port switch, of which another port is used to connect to my laptop (a 'loc' PC); nothing else is plugged in in that switch.

When I plug out the cable in eth2, /var/log/messages stops reporting about martian source; when I plug it in again (even with only connected to the switch (powered-on) and nothing else plugged in in that switch) the martians come back again ...

Power-cycling the switch does not help, the martians keep coming.

2010/10/20 Tom Eastep <teastep@shorewall.net>
> On 10/20/10 6:01 AM, N dhert wrote:
> >
> > What's wrong??
>
> Have you cabled eth0 and eth1 to the same switch/hub?
>
> -Tom
Also tried with 0.0.0.0 as gateway in eth2, no change.
Also replaced my switch with a different one (some model D-Link 10/100 8-port switch), no change (martians keep coming as soon as the connection with the switch is established ..

2010/10/21 N dhert <ndhert2@gmail.com>
> There's nothing plugged in eth1 since I do not use it yet
> In eth2 there is a cable to my 8 port switch, of which another port is used
> to connect to my laptop (a 'loc' PC); nothing else is plugged in in that switch
>
> When I plug out the cable in eth2, /var/log/messages stops reporting about
> martian source; when I plug it in again (even with only connected to the
> switch (powered-on) and nothing else plugged in in that switch) the martians
> come back again ...
>
> Power-cycling the switch does not help, the martians keep coming
>
> 2010/10/20 Tom Eastep <teastep@shorewall.net>
>> On 10/20/10 6:01 AM, N dhert wrote:
>> >
>> > What's wrong??
>>
>> Have you cabled eth0 and eth1 to the same switch/hub?
>>
>> -Tom
On 10/21/10 1:38 AM, N dhert wrote:
> There's nothing plugged in eth1 since I do not use it yet
> In eth2 there is a cable to my 8 port switch, of which another port is
> used to connect to my laptop (a 'loc' PC); nothing else is plugged in in
> that switch
>
> When I plug out the cable in eth2, /var/log/messages stops reporting about
> martian source; when I plug it in again (even with only connected to the
> switch (powered-on) and nothing else plugged in in that switch) the
> martians come back again ...
>
> Power-cycling the switch does not help, the martians keep coming

Well, martians indicate a routing problem and have nothing to do with your Shorewall configuration. So until you

a) Show us the output of 'ip route ls'; and
b) Show us unaltered 'martian' messages

we are not going to be able to help you. (Note: the unaltered output of 'shorewall dump' would be better than simply the output of 'ip route ls'.)

-Tom
Hi,
the output of ip route ls:

143.129.75.236/30 dev eth2 proto kernel scope link src 143.129.75.238 metric 1
143.129.75.0/24 dev eth0 proto kernel scope link src 143.129.75.175 metric 1
169.254.0.0/16 dev eth2 scope link metric 1000
default via 143.129.75.254 dev eth0 proto static

The output of shorewall dump is in an attachment.
The output of /var/log/messages is also in an attachment.

2010/10/21 Tom Eastep <teastep@shorewall.net>
> On 10/21/10 1:38 AM, N dhert wrote:
> > There's nothing plugged in eth1 since I do not use it yet
> > In eth2 there is a cable to my 8 port switch, of which another port is
> > used to connect to my laptop (a 'loc' PC); nothing else is plugged in in
> > that switch
> >
> > When I plug out the cable in eth2, /var/log/messages stops reporting about
> > martian source; when I plug it in again (even with only connected to the
> > switch (powered-on) and nothing else plugged in in that switch) the
> > martians come back again ...
> >
> > Power-cycling the switch does not help, the martians keep coming
>
> Well, martians indicate a routing problem and have nothing to do with
> your Shorewall configuration. So until you
>
> a) Show us the output of 'ip route ls'; and
> b) Show us unaltered 'martian' messages
>
> we are not going to be able to help you. (Note: the unaltered output of
> 'shorewall dump' would be better than simply the output of 'ip route ls'.)
>
> -Tom
On 10/25/10 1:32 AM, N dhert wrote:
> Hi,
> the output of ip route ls
> 143.129.75.236/30 dev eth2 proto kernel scope link src 143.129.75.238 metric 1
> 143.129.75.0/24 dev eth0 proto kernel scope link src 143.129.75.175 metric 1
> 169.254.0.0/16 dev eth2 scope link metric 1000
> default via 143.129.75.254 dev eth0 proto static
>
> the output of shorewall dump is in attachment

/proc/sys/net/ipv4/ip_forward = 0

This is never going to work until you enable ipv4 forwarding (IP_FORWARDING=Yes in shorewall.conf).

There are also these log messages:

Oct 20 14:41:26 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=143.129.75.57 DST=143.169.254.100 LEN=74 TOS=0x00 PREC=0x00 TTL=254 ID=12911 PROTO=UDP SPT=63863 DPT=53 LEN=54

Hopefully, those were created when you still had a default gateway specified for eth2?

> the output of /var/log/messages is also in an attachment

The system is gratuitously adding this route:

169.254.0.0/16 dev eth2 scope link metric 1000

So broadcasts received from 169.254.0.0/16 on eth0 are considered martians. That is why you are seeing these messages.

martian source 255.255.255.255 from 169.254.34.236, on dev eth0

Either delete the route or disable martian logging.

-Tom
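The reverse-path check behind Tom's diagnosis, as an added example that is not part of the thread: a small Python model of strict reverse path filtering (the kernel's rp_filter, which the `routefilter` option on eth0 in the poster's interfaces file turns on) run over the routing table quoted above. The kernel's message reads "martian source <destination> from <source>", so the offending source address is 169.254.34.236: its longest-prefix match is the 169.254.0.0/16 route via eth2, the packet arrived on eth0, and the check fails. With that route deleted, the default route via eth0 wins and the same packet passes. The route lines and interface names are the ones quoted in the thread; the parser and the helper names are this example's own.

```python
"""Model of strict reverse path filtering (rp_filter=1) against a routing table.

Added example: not Shorewall code, not the kernel's code. The routing table
is the `ip route ls` output quoted in the thread.
"""
import ipaddress

# The poster's routing table, verbatim from the thread.
ROUTE_TABLE = """\
143.129.75.236/30 dev eth2 proto kernel scope link src 143.129.75.238 metric 1
143.129.75.0/24 dev eth0 proto kernel scope link src 143.129.75.175 metric 1
169.254.0.0/16 dev eth2 scope link metric 1000
default via 143.129.75.254 dev eth0 proto static
"""


def parse_routes(text):
    """Return (network, device) pairs from `ip route ls` lines.

    Only the destination prefix and the `dev` field matter for the
    reverse-path check; gateway, scope and metric are ignored.
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def outgoing_dev(routes, addr):
    """Longest-prefix match: the device the kernel would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_martian(routes, src, in_dev):
    """Strict rp_filter: a packet is a martian when the route back to its
    source does not leave through the interface it arrived on (or there is
    no route back at all)."""
    return outgoing_dev(routes, src) != in_dev


def without_route(routes, prefix):
    """The same table with one prefix removed (what `ip route del` would do)."""
    net = ipaddress.ip_network(prefix)
    return [(n, d) for n, d in routes if n != net]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    cases = [("169.254.34.236", "eth0"), ("143.129.75.57", "eth0"),
             ("143.129.75.237", "eth2")]
    for src, dev in cases:
        print(f"{src} in on {dev}: martian={is_martian(routes, src, dev)}")
    fixed = without_route(routes, "169.254.0.0/16")
    print("after deleting 169.254.0.0/16:",
          is_martian(fixed, "169.254.34.236", "eth0"))
```

The 169.254.0.0/16 route is the link-local (APIPA) range that some distributions add automatically; the laptop on the switch behind eth2 falls back to such an address when it gets no DHCP lease, which is consistent with the martians appearing only while that switch is connected. Deleting the route makes the check pass because the default route points back out eth0; disabling log_martians only hides the messages.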
Hi all,
I'd like to know if somebody has found a trick to bypass the DNS resolution made at shorewall start.
According to the documentation, the host name is coded as its IP equivalent address in iptables rules.
I suppose that the only way to bypass this limitation is to reload or restart Shorewall at interval times.

PS: sorry in advance because I'm sure that users often ask for this, but the documentation just cuts off with 'not possible'.
PS2: I'm fond of Shorewall and wouldn't look for another Firewall.

Thanks for your help,
Norbert.
On 10/25/10 6:32 AM, Norbert Penel wrote:
> Hi all,
> I'd like to know if somebody has found a trick to bypass the DNS resolution
> made at shorewall start.
> According to the documentation, the host name is coded as its IP
> equivalent address in iptables rules
> I suppose that the only way to bypass this limitation is to reload or
> restart Shorewall at interval times.
>

Why do you want to use DNS names in your Shorewall configuration?

-Tom
Only because my client doesn't have a static IP address and I don't want to open ports for everybody ...
Am I wrong to try that?

Regards,
Norbert

On 26/10/2010 04:14, Tom Eastep wrote:
> On 10/25/10 6:32 AM, Norbert Penel wrote:
>> Hi all,
>> I'd like to know if somebody has found a trick to bypass the DNS resolution
>> made at shorewall start.
>> According to the documentation, the host name is coded as its IP
>> equivalent address in iptables rules
>> I suppose that the only way to bypass this limitation is to reload or
>> restart Shorewall at interval times.
>
> Why do you want to use DNS names in your Shorewall configuration?
>
> -Tom
On 10/26/10 12:13 AM, Norbert Penel wrote:
> Only because my client doesn't have a static IP address and I don't want
> to open ports for everybody ...
> Am I wrong to try that?

Yes. Why don't you match on MAC address instead?

-Tom
Never saw that that was supported.

On 26/10/2010 15:58, Tom Eastep wrote:
> On 10/26/10 12:13 AM, Norbert Penel wrote:
>> Only because my client doesn't have a static IP address and I don't want
>> to open ports for everybody ...
>> Am I wrong to try that?
>
> Yes. Why don't you match on MAC address instead?
>
> -Tom
>> Only because my client doesn't have a static IP address and I don't want
>> to open ports for everybody ...
>> Am I wrong to try that?
> Yes. Why don't you match on MAC address instead?
>
> -Tom
>

I suppose that you want to open ports from the net side of your fw.
In similar cases that I encountered, ipsets + some scripting solved the problem.
Since you know your client's host name, "foo.no-ip.org" or whatever, a dig or host or nslookup will tell you the IP address, which you can then insert into your ipsets. Make this a daemon that wakes up every x minutes.
Make sure you flush your particular set before you update, to delete garbage IPs.
So shorewall + ipsets is the thing you have to study now :-)

Harry
On 10/26/10 8:11 AM, Harry Lachanas wrote:
>>> Only because my client doesn't have a static IP address and I don't want
>>> to open ports for everybody ...
>>> Am I wrong to try that?
>> Yes. Why don't you match on MAC address instead?
>>
>> -Tom
>>
> I suppose that you want to open ports from the net side of your fw.

I was assuming that the ports were to be opened from the LAN side of the fw. For the net side, Harry's approach is the correct one unless all of the 'clients' are on the same LAN as the 'net' fw interface.

-Tom
Really thanks, gentlemen.
You're right, I try to open a WAN port.
I have investigated MAC filtering and I succeeded in getting this in my shorewall dump:

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:XX:XX:XX:XX:XX tcp dpt:22

Unfortunately it doesn't work ... snif

Anyway, I'll have a look at ipsets, which seem to fit my need.

Do you know which shorewall service call will update the IP if this one has changed, reload or restart?

Am I the first to ask for dyndns? To my mind, it should be implemented in core ...

Norbert

On 26/10/2010 17:21, Tom Eastep wrote:
> On 10/26/10 8:11 AM, Harry Lachanas wrote:
>>>> Only because my client doesn't have a static IP address and I don't want
>>>> to open ports for everybody ...
>>>> Am I wrong to try that?
>>> Yes. Why don't you match on MAC address instead?
>>>
>>> -Tom
>> I suppose that you want to open ports from the net side of your fw.
>
> I was assuming that the ports were to be opened from the LAN side of the
> fw. For the net side, Harry's approach is the correct one unless all of
> the 'clients' are on the same LAN as the 'net' fw interface.
>
> -Tom
On 10/26/10 8:41 AM, Norbert Penel wrote:
> Really thanks, gentlemen.
> You're right, I try to open a WAN port.
> I have investigated MAC filtering and I succeeded in getting this in my
> shorewall dump:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 MAC 00:XX:XX:XX:XX:XX tcp dpt:22
> Unfortunately it doesn't work ... snif
>
> Anyway, I'll have a look at ipsets, which seem to fit my need.
>
> Do you know which shorewall service call will update the IP if this one
> has changed, reload or restart?
>
> Am I the first to ask for dyndns? To my mind, it should be implemented
> in core ...

Shorewall configures Netfilter, which is a stateful *packet filter*. Packet filters are based on the contents of packet protocol headers and connection state. DNS names are not included in those headers.

If you want to support clients on dynamic IP addresses, then the best way is to establish a VPN where you authenticate the remote client, then filter the tunneled packets using the protocol headers (i.e., with Shorewall).

-Tom
On 10/26/2010 09:53 PM, Tom Eastep wrote:
> On 10/26/10 8:41 AM, Norbert Penel wrote:
>> Really thanks, gentlemen.
>> You're right, I try to open a WAN port.
>> I have investigated MAC filtering and I succeeded in getting this in my
>> shorewall dump:
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
>> 0.0.0.0/0 MAC 00:XX:XX:XX:XX:XX tcp dpt:22
>> Unfortunately it doesn't work ... snif
>>
>> Anyway, I'll have a look at ipsets, which seem to fit my need.
>>
>> Do you know which shorewall service call will update the IP if this one
>> has changed, reload or restart?
>>
>> Am I the first to ask for dyndns? To my mind, it should be implemented
>> in core ...
> Shorewall configures Netfilter, which is a stateful *packet filter*.
> Packet filters are based on the contents of packet protocol headers and
> connection state. DNS names are not included in those headers.
>
> If you want to support clients on dynamic IP addresses, then the best
> way is to establish a VPN where you authenticate the remote client, then
> filter the tunneled packets using the protocol headers (i.e., with
> Shorewall).

On the other hand, this approach will require some software and setup on the remote end. If the service and point A are located on the East Coast and client B on the West Coast ..... I would say correct, but not so "Green" a solution :-P, regardless of the distance between the points.

Cheers to all.
Harry
On 10/26/2010 06:41 PM, Norbert Penel wrote:
> Really thanks, gentlemen.
> You're right, I try to open a WAN port.
> I have investigated MAC filtering and I succeeded in getting this in my
> shorewall dump:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 MAC 00:XX:XX:XX:XX:XX tcp dpt:22
> Unfortunately it doesn't work ... snif
>
> Anyway, I'll have a look at ipsets, which seem to fit my need.
>
> Do you know which shorewall service call will update the IP if this
> one has changed, reload or restart?

The nice thing about ipsets and (iptables -> shorewall) is that after updating your ipsets you DON'T have to reload your Firewall rules.
As a matter of fact, I guess you can change the whole logic of your FW rules with ipsets.
I have come to think of it as an Object Oriented Approach. You assign attributes to your sets in shorewall, and clients - client/sets into your ipsets.
Is this Perfect??? Or Is it Perfect??

Cheers.
Harry
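The ipset updater Harry sketches in his two messages (resolve the dynamic-DNS name on a timer, put the result in a set, no Shorewall reload needed), as an added example that is not Harry's script and not Shorewall code. It assumes a set created beforehand with `ipset create dynclients hash:ip`, referenced from the Shorewall rules file with Shorewall's `+setname` syntax, e.g. `ACCEPT net:+dynclients $FW tcp 22`; the hostname `client.example.net` and the addresses in the embedded listing are constructed placeholders. One deliberate departure from the "flush, then refill" recipe: the script diffs the set against the lookup and applies only the adds and deletes, so the set is never momentarily empty, and a failed lookup leaves the last good members in place instead of opening nothing (or, with a reload-based approach, everything). Tom's caveat still stands: DNS answers are not authenticated, so an entry in this set is only as trustworthy as the DNS name it came from.

```python
"""Keep an ipset in sync with the A records of a dynamic-DNS name.

Added example, not part of the thread or of Shorewall. Real use needs root
and the `ipset` tool; the resolver and the command runner are injectable so
the logic can be exercised offline with the constructed data at the bottom.
"""
import socket
import subprocess


def resolve_a(hostname):
    """IPv4 addresses currently published for hostname; empty set on failure,
    so the caller can keep the previous members rather than wiping the set."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return set()
    return set(addrs)


def parse_members(listing):
    """Member addresses from `ipset list SETNAME` output.

    Entries follow the 'Members:' line; hash:ip entries may carry options
    such as 'timeout N' after the address, so only the first field is kept.
    """
    members = set()
    in_members = False
    for line in listing.splitlines():
        line = line.strip()
        if in_members and line:
            members.add(line.split()[0])
        elif line == "Members:":
            in_members = True
    return members


def plan_update(setname, current, wanted):
    """ipset commands (argv lists) that turn `current` into `wanted`.

    Adds are emitted before deletes so the set never goes empty in between;
    a flush-then-refill would briefly block every client matched by the set.
    """
    cmds = [["ipset", "add", setname, ip] for ip in sorted(wanted - current)]
    cmds += [["ipset", "del", setname, ip] for ip in sorted(current - wanted)]
    return cmds


def run_cmd(argv):
    """Run one ipset command and return its stdout (requires root)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def sync_set(setname, hostname, resolve=resolve_a, run=run_cmd):
    """One pass of the daemon: resolve, diff, apply. Returns the commands run."""
    wanted = resolve(hostname)
    if not wanted:
        return []  # lookup failed: keep the last good members untouched
    current = parse_members(run(["ipset", "list", setname]))
    cmds = plan_update(setname, current, wanted)
    for cmd in cmds:
        run(cmd)
    return cmds


# Constructed stand-in for a real system: the set still holds an old address
# (198.51.100.7) while DNS now says the client is at 203.0.113.10.
FAKE_LISTING = """Name: dynclients
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Members:
198.51.100.7
"""


def demo():
    """Run sync_set against the constructed data; returns every argv issued."""
    issued = []

    def fake_run(argv):
        issued.append(argv)
        return FAKE_LISTING if argv[1] == "list" else ""

    sync_set("dynclients", "client.example.net",
             resolve=lambda _name: {"203.0.113.10"}, run=fake_run)
    return issued


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

Run `sync_set("dynclients", "<your dyndns name>")` from cron or a loop with a sleep; because the rule references the set rather than an address, the iptables rules Shorewall generated stay exactly as they are between runs, which is the point Harry makes about not needing a reload. Norbert's fail2ban worry is orthogonal: fail2ban inserts its own reject rules ahead of the Shorewall chains, so a banned address stays banned even while it is a member of the set.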
OK, I understood the approach; I'm worried about the effects with fail2ban ... I think I will choose the VPN solution instead ... welcome OpenVPN, distances in France are not that huge ... lol

Anyway, it's a real pleasure to meet gentlemen with good knowledge on such a particular subject.

2010/10/27 Harry Lachanas <grharry@freemail.gr>
> On 10/26/2010 06:41 PM, Norbert Penel wrote:
>
> Really thanks, gentlemen.
> You're right, I try to open a WAN port.
> I have investigated MAC filtering and I succeeded in getting this in my shorewall
> dump:
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 MAC 00:XX:XX:XX:XX:XX tcp dpt:22
> Unfortunately it doesn't work ... snif
>
> Anyway, I'll have a look at ipsets, which seem to fit my need.
>
> Do you know which shorewall service call will update the IP if this one
> has changed, reload or restart?
>
> The nice thing about ipsets and (iptables -> shorewall) is that after
> updating your ipsets you DON'T have to reload your Firewall rules.
> As a matter of fact, I guess you can change the whole logic of your FW rules
> with ipsets.
> I have come to think of it as an Object Oriented Approach. You assign attributes to
> your sets in shorewall, and clients - client/sets into your ipsets.
> Is this Perfect??? Or Is it Perfect??
> Cheers.
> Harry

--
Norbert Penel
tel : 06 33 32 32 34