I have defined a Home zone and placed it before the Net zone. Defined a
host 192.168.174.242 as a trusted host. Now if I ping from 242 to my fw
it works just fine (also tweaked the norfc1918 file).

Thing I do not understand is why if I try pinging or FTPing from FW to
242 I hit the all2all reject rule !

I tried reading the rules and from the INPUT chain I see an eth0_in chain
which in turn refers to the home2fw chain accepting all protocols with
source 242 ...

What am I doing wrong ?

No hurry for the reply ... please rest a little, it's Xmas :)

Bob

PS Here are segments of the shorewall show command output

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
20393 1704K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
16607   23M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    0     0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
16605   23M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 home2fw    all  --  *      *       192.168.174.242      0.0.0.0/0
16607   23M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain home2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
On Sat, 2004-12-25 at 17:46 +0100, Bob Alexander wrote:
> I have defined a Home zone and placed it before the Net zone. Defined a
> host 192.168.174.242 as a trusted host. Now if I ping from 242 to my fw
> it works just fine (also tweaked the norfc1918 file).
>
> Thing I do not understand is why if I try pinging or FTPing from FW to
> 242 I hit the all2all reject rule !
>
> I tried reading the rules and from the INPUT chain I see an eth0_in chain
> which in turn refers to the home2fw chain accepting all protocols with
> source 242 ...
>
> What am I doing wrong ?
>

If you are going FROM the firewall TO 242 then you want to look at
eth0_out, not eth0_in!!!!!

What is your policy from fw->home?
If that isn't ACCEPT then do you have fw->home ACCEPT rules for FTP and
PING?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> If you are going FROM the firewall TO 242 then you want to look at
> eth0_out, not eth0_in!!!!!
>
> What is your policy from fw->home?
> If that isn't ACCEPT then do you have fw->home ACCEPT rules for FTP and
> PING?
>

Tom, will you ever get tired of correcting such obvious mistakes :) :) ?
(I cowardly hope not).

Was Santa Klaus generous with you ? :) I hope so !

Take care,
Bob
On Sat, 2004-12-25 at 18:09 +0100, Bob Alexander wrote:
> Was Santa Klaus generous with you ? :)

Dunno -- the family is just getting up :-)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Stephen Carville
2004-Dec-25 19:35 UTC
Re: Thick head still having problems with subnets (?)
On Saturday 25 December 2004 8:46 am, Bob Alexander wrote:
> I have defined a Home zone and placed it before the Net zone. Defined a
> host 192.168.174.242 as a trusted host. Now if I ping from 242 to my fw
> it works just fine (also tweaked the norfc1918 file).
>
> Thing I do not understand is why if I try pinging or FTPing from FW to
> 242 I hit the all2all reject rule !
>
> I tried reading the rules and from the INPUT chain I see an eth0_in chain
> which in turn refers to the home2fw chain accepting all protocols with
> source 242 ...
>
> What am I doing wrong ?

Remember a firewall is a zone too. You have a home to fw policy but no fw to
home policy so fw2home falls thru to all2all.

Add to /etc/shorewall/policy

fw home Accept -

Restart shorewall and you should be OK

> No hurry for the reply ... please rest a little, it's Xmas :)
>
> Bob
>
> PS Here are segments of the shorewall show command output
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 20393 1704K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
> 16607   23M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain all2all (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain eth0_in (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
>     0     0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
> 16605   23M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 home2fw    all  --  *      *       192.168.174.242      0.0.0.0/0
> 16607   23M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain home2fw (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com
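As an added illustration of Stephen's point (example code, not from the thread or from the Shorewall project): a small Python checker that applies the policy file's first-match rule, with `all` as a wildcard, to every ordered pair of zones and lists the pairs that are decided only by the catch-all `all all` line. The sample policy contents, the zone list and the `<src>2<dst>` chain naming are assumptions modelled on the home2fw and all2all chains in Bob's output.

```python
import itertools
# Constructed /etc/shorewall/policy contents modelled on the thread's setup:
# home->fw is covered, but nothing covers fw->home, so only the catch-all
# "all all REJECT" line can match traffic leaving the firewall for home.
POLICY_BEFORE = """\
#SOURCE  DEST   POLICY   LOG_LEVEL
home     fw     ACCEPT
home     net    ACCEPT
fw       net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
"""
# The same file with the line Stephen suggests, placed before the catch-all.
POLICY_AFTER = """\
home     fw     ACCEPT
home     net    ACCEPT
fw       net    ACCEPT
fw       home   ACCEPT
net      all    DROP     info
all      all    REJECT   info
"""

def parse_policy(text):
    """Return (source, dest, POLICY) tuples in file order; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, policy = line.split()[:3]
        # $FW is Shorewall's name for the firewall zone; it defaults to "fw".
        src = "fw" if src == "$FW" else src
        dst = "fw" if dst == "$FW" else dst
        entries.append((src, dst, policy.upper()))
    return entries

def effective_policy(entries, src, dst):
    """First matching line wins, and 'all' matches any zone (Shorewall semantics).
    Returns (POLICY, chain); the chain is named <src>2<dst> to mirror the
    home2fw / all2all chains in Bob's output (naming assumed from that output)."""
    for esrc, edst, policy in entries:
        if esrc in (src, "all") and edst in (dst, "all"):
            return policy, f"{esrc}2{edst}"
    return None, None  # no policy line covers this pair at all

def fallthrough_pairs(entries, zones):
    """Ordered pairs of distinct zones that only the catch-all 'all all' line decides."""
    return [(s, d, effective_policy(entries, s, d)[0])
            for s, d in itertools.permutations(zones, 2)
            if effective_policy(entries, s, d)[1] == "all2all"]
```

Running `fallthrough_pairs(parse_policy(POLICY_BEFORE), ["fw", "home", "net"])` reports only the fw->home pair, and the same call on `POLICY_AFTER` reports nothing.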
Stephen Carville wrote:
> Remember a firewall is a zone too. You have a home to fw policy but no fw to
> home policy so fw2home falls thru to all2all.
>
> Add to /etc/shorewall/policy
>
> fw home Accept -
>
> Restart shorewall and you should be OK

Thank you very much Stephen. Problem solved. Quite obvious when pointed out :)

Bob