There has been a low continuing level of confusion over the terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all instances of "Static NAT" have been replaced with "One-to-one NAT" on the web site and in the CVS configuration files (Shorewall/ project). The documentation in 1.4.9 will also contain this change.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> There has been a low continuing level of confusion over the terms
> "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
> instances of "Static NAT" have been replaced with "One-to-one NAT" on
> the web site and in the CVS configuration files (Shorewall/ project).
> The documentation in 1.4.9 will also contain this change.

Good move. I don't know about others, but NEWNOTSYN is the other term that ALWAYS has me reaching for the documentation. May I suggest something analogous to tcpflags. For example:

synpackets - This option enables extra control over SYN packets (SYN flag on - ACK flag off) that appear outside of an established connection. When enabled, such SYN packets are logged according to the SYN_PACKET_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the SYN_PACKET_DISPOSITION option. When not enabled, such SYN packets are quietly dropped.

SYN_PACKET_LOG_LEVEL
    Determines the syslog level for logging SYN packets that appear outside of an established connection. The value must be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., SYN_PACKET_LOG_LEVEL="").

SYN_PACKET_DISPOSITION
    Determines the disposition of SYN packets that appear outside of an established connection and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet). If not set or if set to the empty value (e.g., SYN_PACKET_DISPOSITION="") then SYN_PACKET_DISPOSITION=DROP is assumed.

(Does REJECT make sense in this context?)

--
Taso Hatzi
On Tue, 2003-11-25 at 18:08, Taso Hatzi wrote:
>
> I don't know about others, but NEWNOTSYN is the other term that ALWAYS
> has me reaching for the documentation. May I suggest something analogous
> to tcpflags. For example:
>
> synpackets - This option enables extra control over SYN packets (SYN flag on - ACK flag off)
> that appear outside of an established connection. When enabled, such SYN packets are logged
> according to the SYN_PACKET_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed
> of according to the SYN_PACKET_DISPOSITION option. When not enabled, such SYN packets are
> quietly dropped.
>

One problem -- NEWNOTSYN deals with packets that have the SYN flag *off*.

"newnotsyn" is a term that is seen often on the Netfilter lists. It refers to -new- TCP connection requests (packets that do not match any connection currently being tracked) where either SYN is off (-not SYN-) or SYN is on but ACK is also on.

If NEWNOTSYN=Yes then these packets are allowed (are processed against the rules and policies); if NEWNOTSYN=No then they are not allowed and are disposed of and optionally logged according to the other two variables.

-Tom
On Thu, 2003-11-27 at 15:53, Taso Hatzi wrote:
> Tom Eastep wrote:
>
> > ... It (newnotsyn)
> > refers to -new- TCP connection requests (packets that do not match any
> > connection currently being tracked) where either SYN is off (-not SYN-)
> > or SYN is on but ACK is also on.
> >
> > If NEWNOTSYN=Yes then these packets are allowed (are processed against
> > the rules and policies); if NEWNOTSYN=No then they are not allowed and
> > are disposed of and optionally logged according to the other two
> > variables.
> >
>
> It's probably worth slotting your response into shorewall.conf

How does this work for everyone?

#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
#     CLIENT                    SERVER
#
#     SYN-------------------->
#     <------------------SYN,ACK
#     ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
#
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on).
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewalls and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.

-Tom
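The netfilter rule that the NEWNOTSYN comment above describes, as an added illustration that is not Shorewall's own generated ruleset: iptables' `--syn` match is exactly the "syn" packet defined in the comment (SYN on, ACK and RST off), so `! --syn` together with conntrack state NEW selects the "newnotsyn" packets. The chain name `newnotsyn`, the log prefix and the `IPTABLES` dry-run variable are assumptions of this example.

```shell
# Added illustration, not Shorewall's own code. With NEWNOTSYN=No, TCP packets
# that conntrack classifies as NEW but that are not "syn" packets (SYN on,
# ACK/RST off) are optionally logged and then dropped. With NEWNOTSYN=Yes no
# rule is emitted, so such packets fall through to normal rule/policy processing.
# IPTABLES defaults to "echo iptables" so the script only prints what it would run.
IPTABLES=${IPTABLES:-"echo iptables"}

# newnotsyn_rules CHAIN NEWNOTSYN [LOGNEWNOTSYN]
#   CHAIN        chain the packets arrive in (e.g. an interface input chain)
#   NEWNOTSYN    Yes/yes or No/no, as in shorewall.conf
#   LOGNEWNOTSYN syslog level; empty means "do not log"
newnotsyn_rules() {
    chain=$1
    newnotsyn=$2
    loglevel=$3

    case "$newnotsyn" in
        [Yy]es)
            # Let the packets through to the ordinary rules and policies.
            return 0
            ;;
        [Nn]o)
            ;;
        *)
            echo "NEWNOTSYN must be Yes or No, got '$newnotsyn'" >&2
            return 1
            ;;
    esac

    # A dedicated chain keeps the optional LOG and the DROP together.
    $IPTABLES -N newnotsyn
    if [ -n "$loglevel" ]; then
        # Assumed log prefix; LOGNEWNOTSYN supplies the level.
        $IPTABLES -A newnotsyn -j LOG --log-level "$loglevel" \
            --log-prefix "Shorewall:newnotsyn:DROP:"
    fi
    $IPTABLES -A newnotsyn -j DROP

    # "! --syn" matches SYN off, or ACK/RST on; "--state NEW" restricts the
    # match to packets that belong to no connection already being tracked.
    $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j newnotsyn
}

# Example: the comment's default case, NEWNOTSYN=No with logging at "info".
newnotsyn_rules eth0_in No info
```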
Tom Eastep wrote:
> How does this work for everyone?
>
> #
> # NEWNOTSYN
> #
> # TCP connections are established using the familiar three-way "handshake":
> #
> #     CLIENT                    SERVER
> #
> #     SYN-------------------->
> #     <------------------SYN,ACK
> #     ACK-------------------->
> #

Looks good. I can already feel the old neurons locking in, "No = throw them away, Yes = let them pass". :)

--
Taso Hatzi
caesar 17 <<-salad cjbx jc vdwwjar jc xi jc jd salad
why not use NEWNOSYN?

I agree with Taso. This terminology confuses me. Maybe the problem is that English is not my native language ;-)

cheers,
Eduardo

Taso Hatzi <taso@soldator.com> wrote on 28/11/2003 11:09 (Subject: Re: [Shorewall-users] New Terminology):
> Looks good. I can already feel the old neurons locking in, "No = throw them away, Yes = let them pass". :)

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
I am trying to run Windows Update on the machines protected by the firewall. Windows Update stops when it tries to scan the machine. I can browse the web just fine, including other MS sites. What do I need to open to get this to work? What rules do I need?

Microsoft's web site said to "disable the firewall." I'm not kidding.

Register your team online today! BOWL FOR KIDS' SAKE 2004, Saturday, March 6, 2004, www.bfkscentralohio.org. You'll be "bowled over" when our brochure "strikes" your mailbox at the end of January. Sorry, we couldn't help ourselves! If you do not receive one, please contact me!
=============================================================
Chris Baker -- technical specialist
614-839-2447x108 -- cbaker@bbbscentralohio.org
www.bbbscentralohio.org -- Big Brothers Big Sisters of Central Ohio
Opinions expressed in this e-mail are solely my own. The document(s) accompanying or within this email transmission may contain confidential information belonging to Big Brothers Big Sisters of Central Ohio, which is legally privileged for the entity named above. If you are not the intended recipient, you are hereby cautioned that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this email information is strictly prohibited. If you receive this email in error, please notify us immediately by fax (614-839-5437) or phone (614-839-2447) to advise of the error.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Taso Hatzi
Sent: Tuesday, November 25, 2003 9:09 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] New Terminology

Tom Eastep wrote:
> There has been a low continuing level of confusion over the terms
> "Source NAT" (SNAT) and "Static NAT".
On Tuesday 10 February 2004 10:15 am, Chris Baker wrote:
> I am trying to run Windows Update on the machines protected by the
> firewall. Windows Update stops when it tries to scan the machine. I can
> browse the web just fine, including other MS sites. What do I need to open
> to get this to work? What rules do I need?
>
> Microsoft's web site said to "disable the firewall." I'm not kidding.

I've been running Windows Update from behind my Shorewall firewall since before I released Shorewall 1.0.0 with no special rules -- just the loc->net ACCEPT policy.

-Tom
On Tuesday 10 February 2004 10:15 am, Chris Baker wrote:
> I am trying to run Windows Update on the machines protected by the
> firewall. Windows Update stops when it tries to scan the machine. I can
> browse the web just fine, including other MS sites. What do I need to open
> to get this to work? What rules do I need?
>
> Microsoft's web site said to "disable the firewall." I'm not kidding.

And PLEASE don't hijack another poster's thread by replying to it and changing the subject -- START A NEW ONE! Gosh, you were too lazy to even delete any of the quotes from the prior thread.

-Tom
On Tuesday 10 February 2004 10:23 am, Tom Eastep wrote:
> On Tuesday 10 February 2004 10:15 am, Chris Baker wrote:
> > I am trying to run Windows Update on the machines protected by the
> > firewall. Windows Update stops when it tries to scan the machine. I can
> > browse the web just fine, including other MS sites. What do I need to
> > open to get this to work? What rules do I need?
> >
> > Microsoft's web site said to "disable the firewall." I'm not kidding.
>
> I've been running Windows Update from behind my Shorewall firewall since
> before I released Shorewall 1.0.0 with no special rules -- just the
> loc->net ACCEPT policy.
>

If the Shorewall-generated netfilter ruleset *is* blocking something needed by Windows Update, it should be showing up in the log.

-Tom
On Tue Feb 02/10/04, 2004 at 10:23:50AM -0800, Tom Eastep wrote:
> On Tuesday 10 February 2004 10:15 am, Chris Baker wrote:
> > I am trying to run Windows Update on the machines protected by the
> > firewall. Windows Update stops when it tries to scan the machine. I can
> > browse the web just fine, including other MS sites. What do I need to open
> > to get this to work? What rules do I need?
> >
> > Microsoft's web site said to "disable the firewall." I'm not kidding.
>
> I've been running Windows Update from behind my Shorewall firewall since
> before I released Shorewall 1.0.0 with no special rules -- just the loc->net
> ACCEPT policy.

And I've been running Windows Update from behind a pretty restrictive Sentry + Shorewall firewall for client machines in a break-fix shop (to allow virus signature updates, Windows updates, and simple network testing, but block all the stupid viruses out there lately) with zero issues using Windows Update. There are only two loc->net rules:

ACCEPT loc net udp 53 -
ACCEPT loc net tcp 20,21,22,53,80,443,1494,3389 -

I'd be willing to bet anyone that if it were _just_ Windows Update I needed, I could take out everything but port 80 in that list and it would still work. Methinks Shorewall rules are not your problem....

--
Greg White
On Tuesday 10 February 2004 09:01 pm, Greg White wrote:
> And I've been running Windows Update from behind a pretty restrictive
> Sentry + Shorewall firewall for client machines in a break-fix shop (to
> allow virus signature updates, Windows updates, and simple network
> testing, but block all the stupid viruses out there lately) with zero
> issues using Windows Update. There are only two loc->net rules:
>
> ACCEPT loc net udp 53 -
> ACCEPT loc net tcp 20,21,22,53,80,443,1494,3389 -
>
> I'd be willing to bet anyone that if it were _just_ Windows Update I
> needed, I could take out everything but port 80 in that list and it
> would still work. Methinks Shorewall rules are not your problem....

My experience shows that 443 (HTTPS) is also required for WindowsUpdate. Our firewall rejects outgoing _everything_ from the DMZ hosts, so we periodically uncomment a rule that allows HTTP and HTTPS outbound, run WindowsUpdate, and then comment the rule out again.
Thanks for all the suggestions. I am beginning to think that this is a Squid issue. It's been an interesting challenge.

Chris Baker
On Wed Feb 02/11/04, 2004 at 02:33:30PM -0500, Chris Baker wrote:
> Thanks for all the suggestions. I am beginning to think that this is a Squid
> issue. It's been an interesting challenge.

Ahh, Squid is involved, is it? Are you, by chance, mangling the User-Agent header? That'll break Windows Update every time...

--
Greg White
Actually this was a Squid issue. Squid had a listing of banned web applications. I removed a couple of them, and now Windows Update is working. It wasn't the firewall at all.

Chris Baker

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Greg White
Sent: Wednesday, February 11, 2004 2:57 PM
To: 'Mailing List for Experienced Shorewall Users'
Subject: Re: [Shorewall-users] Windows Update through firewall

> Ahh, Squid is involved, is it? Are you, by chance, mangling the User-Agent header? That'll break Windows Update every time...