Hi shorewall users :))

I have the following config in my shorewall:

DNAT net:200.137.193.2 loc:192.168.0.55 udp 135,445 - 200.137.193.38
DNAT net:200.137.193.2 loc:192.168.0.55 udp 137:139 - 200.137.193.38
DNAT net:200.137.193.2 loc:192.168.0.55 tcp 135,139,445 - 200.137.193.38

The IP 192.168.0.55 is one internal machine with mail sender.

But I need one external access to one share folder in internal machine (see DNAT above).

But I don't know if Shorewall has a protection (many mails sent by local machine); after hours of sending emails I lose the connection with the mail server and port 25, and this appears to be a type of protection... I need to change the IP of the local machine and change the DNAT rule and restart Shorewall to work again, but after a moment this locks again....

Any idea? tks
Marcelo Leão Caffaro wrote:

> I have the following config in my shorewall:
>
> DNAT net:200.137.193.2 loc:192.168.0.55 udp 135,445 - 200.137.193.38
> DNAT net:200.137.193.2 loc:192.168.0.55 udp 137:139 - 200.137.193.38
> DNAT net:200.137.193.2 loc:192.168.0.55 tcp 135,139,445 - 200.137.193.38
>
> The IP 192.168.0.55 is one internal machine with mail sender
>
> But i need one external access to one share folder in internal machine
> (see dnat above)

A truly awful idea -- using VPN is much more secure.

> But i dont know if shorewall have a protection (many mails sent by local
> machine), after hours of send emails i loose the connection with mail
> server and port 25 and this appear a type of protection...

It isn't.

> i need change
> the ip local machine and change the rule dnat and reestart the shorewall
> to work again, but after a moment this lock again....
>
> Any idea?

Yes -- submit a real problem report. See http://shorewall.net/support.htm#Guidelines.

As a general rule though, problems where connections work for a while then suddenly stop working usually have absolutely to do with Shorewall. You don't have two interfaces from the Shorewall system connected to the same hub/switch do you?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
2005/5/9, Marcelo Leão Caffaro <leao@employer.com.br>:

> Hy shorewall users :))
>
> I have the following config in my shorewall:
>
> DNAT net:200.137.193.2 loc:192.168.0.55 udp 135,445 - 200.137.193.38
> DNAT net:200.137.193.2 loc:192.168.0.55 udp 137:139 - 200.137.193.38
> DNAT net:200.137.193.2 loc:192.168.0.55 tcp 135,139,445 - 200.137.193.38

You should use some kind of VPN or IPSEC. IMHO your setup is "crazy".

> The IP 192.168.0.55 is one internal machine with mail sender

The rules you posted have nothing to do with SMTP. Please follow the problem reporting guidelines: http://www.shorewall.net/support.htm

> But i need one external access to one share folder in internal machine
> (see dnat above)

Use VPN, WebDAV, IPSEC or something sane. ;)

> But i dont know if shorewall have a protection (many mails sent by local
> machine), after hours of send emails i loose the connection with mail
> server and port 25 and this appear a type of protection... i need change
> the ip local machine and change the rule dnat and reestart the shorewall
> to work again, but after a moment this lock again....
>
> Any idea?

No, you don't provide any clue about your setup. Sorry, we are not magicians.

> tks
>
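An added example, not part of this thread and not Shorewall's own code: a small Python lint that reads rules lines in the Shorewall 2.x column order used by the rules Marcelo posted (ACTION SOURCE DEST PROTO DEST-PORTS SOURCE-PORTS ORIGINAL-DEST) and flags DNAT or ACCEPT rules from the net zone whose destination ports overlap NetBIOS/SMB (135, 137-139, 445), which is the exposure Tom and Cristian object to. The three DNAT lines in the sample are the ones from the thread; the two ACCEPT lines, the function names and the port-set constant are constructed for the example.

```python
"""Flag Shorewall rules that expose NetBIOS/SMB ports to the "net" zone.

Column order assumed (Shorewall 2.x era, as in the rules posted in this thread):
ACTION SOURCE DEST PROTO DEST_PORTS SOURCE_PORTS ORIGINAL_DEST
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports used by the NetBIOS/SMB file-sharing stack (constant chosen for this example).
NETBIOS_SMB_PORTS: Set[int] = {135, 137, 138, 139, 445}

# Constructed sample: the three DNAT lines are the ones posted in the thread,
# the two ACCEPT lines are made up to show rules that should not be flagged.
SAMPLE_RULES = """\
# ACTION SOURCE DEST PROTO DPORTS SPORTS ORIGDEST
DNAT net:200.137.193.2 loc:192.168.0.55 udp 135,445 - 200.137.193.38
DNAT net:200.137.193.2 loc:192.168.0.55 udp 137:139 - 200.137.193.38
DNAT net:200.137.193.2 loc:192.168.0.55 tcp 135,139,445 - 200.137.193.38
ACCEPT loc net tcp 25
ACCEPT net fw tcp 22
"""


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dports: str
    sports: str
    origdest: str
    line: str  # raw text, kept for reporting


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Expand a port column ('135,445', '137:139', '-') into a set of ints.
    Returns None when the column means 'any port'."""
    spec = spec.strip()
    if spec in ("", "-"):
        return None
    ports: Set[int] = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rules(text: str) -> List[Rule]:
    """Parse rules-file text, ignoring comments, blank lines and SECTION markers."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION"):
            continue
        fields = line.split()
        fields += ["-"] * (7 - len(fields))  # missing trailing columns mean '-'
        rules.append(Rule(*fields[:7], line=raw.strip()))
    return rules


def zone_of(spec: str) -> str:
    """'net:200.137.193.2' -> 'net'; 'loc' -> 'loc'."""
    return spec.split(":", 1)[0]


def exposed_smb_rules(rules: List[Rule]) -> List[Tuple[Rule, List[int]]]:
    """Return (rule, offending_ports) for DNAT/ACCEPT rules from net hitting SMB ports."""
    findings: List[Tuple[Rule, List[int]]] = []
    for r in rules:
        base_action = r.action.split(":", 1)[0].upper()  # 'DNAT:info' -> 'DNAT'
        if base_action not in ("DNAT", "ACCEPT"):
            continue
        if zone_of(r.source) != "net":
            continue
        ports = parse_ports(r.dports)
        hit = NETBIOS_SMB_PORTS if ports is None else ports & NETBIOS_SMB_PORTS
        if hit:
            findings.append((r, sorted(hit)))
    return findings


def report(text: str = SAMPLE_RULES) -> List[str]:
    """One human-readable line per offending rule."""
    return [
        f"{rule.action} from {rule.source} exposes NetBIOS/SMB ports {ports}: {rule.line}"
        for rule, ports in exposed_smb_rules(parse_rules(text))
    ]


if __name__ == "__main__":
    for msg in report():
        print(msg)
```

Run against a real /etc/shorewall/rules by passing its contents to report(); every line it prints is a share or RPC port reachable from the Internet, which is the thing to replace with a VPN.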
Yes, both in the same switch....

But I made one test: I put the valid and invalid IP address in the allow exception and it doesn't work.....

shorewall allow ip...

> As a general rule though, problems where connections work for a while
> then suddenly stop working usually have absolutely to do with Shorewall.
> You don't have two interfaces from the Shorewall system connected to the
> same hub/switch do you?
>
> -Tom
>
2005/5/9, Marcelo Leão Caffaro <leao@employer.com.br>:

> Yes, both in the same switch....
> But i make one test, i put the valid and invalid ip address in allow
> exception and dont work.....
> shorewall allow ip...

From the FM:

    arp_filter (Added in version 1.4.7) - This option causes
    /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the result
    that this interface will only answer ARP "who-has" requests from hosts
    that are routed out of that interface. Setting this option facilitates
    testing of your firewall where multiple firewall interfaces are connected
    to the same HUB/Switch (all interface connected to the single HUB/Switch
    should have this option specified). Note that using such a configuration
    in a production environment is strongly recommended against.

(Read carefully, especially the last 2 lines.)

PS: fix your conf; allowing NetBIOS traffic over the internet is a terrible, really mad idea. Your data and security are at severe risk.

Again, no clue about SMTP..
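The manual text quoted above describes arp_filter as a per-interface sysctl under /proc/sys/net/ipv4/conf/. The following is an added example, not from this thread or from the Shorewall project, that reports which real interfaces do not have arp_filter set to 1, which is the state to verify on a firewall whose interfaces share a hub or switch, as in Marcelo's setup. The conf_root parameter, the helper names and the constructed interface tree built in demo() are assumptions made for the example; on a live Linux box, call interfaces_missing_arp_filter() with its default path.

```python
"""Report interfaces whose arp_filter sysctl is not enabled.

Added example for the Shorewall arp_filter discussion; reads the same
/proc/sys/net/ipv4/conf/<iface>/arp_filter files the Shorewall option sets.
"""
import os
import tempfile
from typing import Dict, List

# Entries under /proc/sys/net/ipv4/conf that are not real NICs.
PSEUDO_INTERFACES = {"all", "default", "lo"}

DEFAULT_CONF_ROOT = "/proc/sys/net/ipv4/conf"


def read_arp_filter(conf_root: str = DEFAULT_CONF_ROOT) -> Dict[str, int]:
    """Return {interface: arp_filter value} for every real interface under conf_root."""
    values: Dict[str, int] = {}
    for iface in sorted(os.listdir(conf_root)):
        if iface in PSEUDO_INTERFACES:
            continue
        path = os.path.join(conf_root, iface, "arp_filter")
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            values[iface] = int(fh.read().strip())
    return values


def interfaces_missing_arp_filter(conf_root: str = DEFAULT_CONF_ROOT) -> List[str]:
    """Interfaces that would answer ARP for addresses routed out of another interface."""
    return [iface for iface, value in read_arp_filter(conf_root).items() if value != 1]


def build_fake_conf(root: str, arp_filter_values: Dict[str, int]) -> None:
    """Create a /proc/sys/net/ipv4/conf look-alike tree (constructed test data,
    so the check can run where /proc is not available)."""
    for iface, value in arp_filter_values.items():
        iface_dir = os.path.join(root, iface)
        os.makedirs(iface_dir, exist_ok=True)
        with open(os.path.join(iface_dir, "arp_filter"), "w") as fh:
            fh.write(f"{value}\n")


def demo() -> List[str]:
    """Run the check on a constructed tree: eth0 has arp_filter set, eth1 does not."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_conf(root, {"all": 0, "default": 0, "lo": 0, "eth0": 1, "eth1": 0})
        return interfaces_missing_arp_filter(root)


if __name__ == "__main__":
    print("interfaces without arp_filter=1 (constructed tree):", demo())
```

An empty list from interfaces_missing_arp_filter() means every NIC only answers ARP for addresses it routes, which is what the manual says is needed when several firewall interfaces sit on one switch during testing; it does not make that cabling acceptable for production, as the quoted text and Tom's reply both say.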
Marcelo Leão Caffaro wrote:

> Yes, both in the same switch....

Marcelo,

A) Every single one of the multi-interface Shorewall Quickstart guides tells you not to do that.
B) The troubleshooting guide warns you not to do that.
C) COMMON SENSE SHOULD TELL YOU THAT YOU CAN'T HAVE A FIREWALL CABLED LIKE THAT.

You have systems on the "inside" of your firewall SENDING BROADCASTS which will go right through the switch to the "outside" of the firewall where systems on that side will receive these broadcasts. This will let the bad guys outside of the firewall know these systems exist. From there, it is child's play to bypass your "firewall" and attack these systems directly.

Christian's post tells you how to TEST your firewall cabled that way but you are crazy if you put it in production.

-Tom
Cristian Rodriguez wrote:

> again,no clue about SMTP..

I think that it was because of the cabling problem together with the lack of "arp_filter". If that gets corrected, I think that SMTP traffic will be forwarded reliably.

-Tom
2005/5/9, Tom Eastep <teastep@shorewall.net>:

> Cristian Rodriguez wrote:
> >
> > again,no clue about SMTP..
>
> I think that it was because of the cabling problem together with the
> lack of "arp_filter". If that gets corrected, I think that SMTP traffic
> will be forwarded reliably.
>

Yes, of course, until the "firewall" gets bypassed and the internal mail server compromised. :=S
Cristian Rodriguez wrote on 09/05/2005 19:12:13:

> 2005/5/9, Tom Eastep <teastep@shorewall.net>:
> > Cristian Rodriguez wrote:
> > >
> > > again,no clue about SMTP..
> >
> > I think that it was because of the cabling problem together with the
> > lack of "arp_filter". If that gets corrected, I think that SMTP traffic
> > will be forwarded reliably.
> >
>
> yes,of course until the "firewall" gets bypassed and the internal mail
> server compromised.
> :=S

Just for the record, an 8-port hub costs less than $20 here in Brasil. Not so expensive for the security you get. And you don't need a specialized (and expensive) switch just to link your fw to your router.

abs,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606