Hi
I have a 2-NIC firewall. I had to open some ranges of UDP and TCP ports. I
faced a problem that although all the ports are open, some functionality was
not working. Has anybody used Shorewall with H323 VoIP traffic DNATed? Any
help is appreciated.
Thanks
----- Original Message -----
From: <shorewall-users-request@lists.shorewall.net>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, September 29, 2004 1:44 PM
Subject: Shorewall-users Digest, Vol 22, Issue 65
> Send Shorewall-users mailing list submissions to
> shorewall-users@lists.shorewall.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> or, via email, send a message with subject or body 'help' to
> shorewall-users-request@lists.shorewall.net
>
> You can reach the person managing the list at
> shorewall-users-owner@lists.shorewall.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Shorewall-users digest..."
>
>
> Today's Topics:
>
> 1. Shorewall OpenVPN doc error (Jim Buttafuoco)
> 2. Re: Shorewall OpenVPN doc error (Tom Eastep)
> 3. Re: start error] (Tom Eastep)
> 4. SPF screening implemented at shorewall.net (Tom Eastep)
> 5. Re: SPF screening implemented at shorewall.net (Eduardo Ferreira)
> 6. Re: SPF screening implemented at shorewall.net (Tom Eastep)
> 7. Re: SPF screening implemented at shorewall.net (Stephen Carville)
> 8. DNAT + Masq Problem - Yes I read the FAQ I promise
> (Gary Buckmaster)
> 9. Re: SPF screening implemented at shorewall.net (Alan Sparks)
> 10. Re: SPF screening implemented at shorewall.net (Eduardo Ferreira)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 29 Sep 2004 10:06:49 -0400
> From: "Jim Buttafuoco" <jim@contactbda.com>
> Subject: [Shorewall-users] Shorewall OpenVPN doc error
> To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
> Message-ID: <20040929140437.M10233@contactbda.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Tom,
>
> While reading the Shorewall OpenVPN doc, I found that you have too many
> "7" in the example 77777 instead of 7777 in the text.
>
> Jim
>
>
>
> This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
> traffic on the default port 5000/udp will be accepted to/from the remote
> gateway. If you change the port used by OpenVPN to 7777, you can
> define /etc/shorewall/tunnels like this:
>
> /etc/shorewall/tunnels with port 7777:
>
> #TYPE          ZONE    GATEWAY         GATEWAY ZONE
> openvpn:77777  net     134.28.54.2
>
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 29 Sep 2004 07:13:15 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Shorewall OpenVPN doc error
> To: jim@contactbda.com, Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID: <415AC2FB.2090002@shorewall.net>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jim Buttafuoco wrote:
>
> > While reading the Shorewall OpenVPN doc, I found that you have too many
> > "7" in the example 77777 instead of 7777 in the
> > text.
> >
>
> Thanks,
>
> - -Tom
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWsL6O/MAbZfjDLIRAtQYAJ46NSbcvMkH+ZVw4Fjr4YMmkBWD+wCgmsH2
> R2eQak7k0lr5NaIrbdramKw
> =pM90
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 29 Sep 2004 07:36:27 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] start error]
> To: Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID: <415AC86B.7060300@shorewall.net>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> rioguia@speakeasy.net wrote:
> > thanks again for your sharp eye and speedy response. I have corrected
> > the typos in the IP in the masq file. I am sorry to have to ask for
> > more help but my PCs on the local network can't reach the dmz
> > webserver using the webserver's local or Public IP address.
>
> It is not surprising that the local addresses don't work since you have
> no rules permitting access from loc->dmz using those addresses; you
> rather are using DNAT rules for the public IP addresses. For the
> 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> address.
>
> What subnet mask have you configured on the servers in the DMZ?
>
> - -Tom
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWshrO/MAbZfjDLIRAl1gAJ9Ve8LquB9PdPsB6mFj21/Ckb+VZACgk2l1
> bpc2vrRod5HwgE70gqtLSLw
> =vFmD
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 29 Sep 2004 08:22:33 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: [Shorewall-users] SPF screening implemented at shorewall.net
> To: Shorewall Announcements <shorewall-announce@lists.shorewall.net>,
> Shorewall Users <shorewall-users@lists.shorewall.net>
> Message-ID: <415AD339.8040603@shorewall.net>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Over the past weekend, I added SPF screening on the MTA at
> shorewall.net. SPF is a mechanism for a domain to use DNS to publish a
> list of those IP addresses that are used to send legitimate email from
> that domain. A receiving MTA can use that published information to
> determine if email from a domain is being sent through an MTA belonging
> to that domain.
>
> I am seeing some email that appears to be from list subscribers being
> rejected. I suspect that this is because people are running their own
> MTAs and outbound email bypasses their ISP's MTA even though the sender
> address is in the ISP's domain.
>
> Example:
>
> Your ISP is foo.com and you are sending email from me@foo.com
> directly through your own mail server. Your IP address is not one of the
> ones published by foo.com as being a legitimate email source for foo.com.
>
> If this is the case with you, please configure your MTA to route mail to
> shorewall.net through your ISP. Do not ask me to make an exception for
> you at this end.
>
> - -Tom
>
> PS -- All outgoing email from shorewall.net is routed through my ISP;
> it's too much of a hassle for me to try to run the mailing lists otherwise.
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWtM5O/MAbZfjDLIRAqPSAKC3T63iD8WFSElj+SVUb/vf8zNiBwCfWOQV
> srohhTpIJXCiFzZFRi1+wbk
> =smTO
> -----END PGP SIGNATURE-----
>
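To make the mechanism in Tom's announcement concrete, here is a small SPF evaluator, added here as an illustration and not the code running on shorewall.net's MTA. It handles only the `ip4`, `ip6` and `all` mechanisms and takes the record as a string instead of fetching the TXT record from DNS (the `a`, `mx`, `include` and `redirect` terms need live lookups and are rejected). The foo.com record, the sender addresses and the reject-on-fail policy are assumptions made for the example; they follow the scenario in the message, where mail for me@foo.com sent straight from a home mail server comes from an address foo.com does not list.

```python
"""Simplified SPF evaluation, added as an illustration of the check
described in the message above; not shorewall.net's MTA code.  Only the
ip4, ip6 and all mechanisms are evaluated, and the record is passed in
directly instead of being fetched from DNS (a, mx, include and redirect
need live lookups and are rejected).  The foo.com record and the sender
addresses are constructed for the example."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed: what foo.com might publish as its TXT record.
FOO_COM_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        mechanism, _, argument = field.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(record, sender_ip):
    """Evaluate the record for the connecting MTA's address, left to
    right; the first matching mechanism decides.  No match is 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mechanism!r} needs DNS")
    return "neutral"


def mta_decision(record, sender_ip):
    """Assumed receiving-MTA policy: only a hard 'fail' is rejected;
    softfail and neutral are still accepted."""
    result = check_spf(record, sender_ip)
    return ("reject" if result == "fail" else "accept"), result


if __name__ == "__main__":
    # me@foo.com relayed through foo.com's listed MTA: accepted.
    print(mta_decision(FOO_COM_RECORD, "198.51.100.25"))
    # me@foo.com sent directly from a home mail server at a constructed
    # address foo.com does not list: rejected, the situation in the post.
    print(mta_decision(FOO_COM_RECORD, "203.0.113.7"))
```

Routing outbound mail through the ISP's MTA, as the announcement asks, fixes the second case because the connecting address then belongs to the `ip4` range the domain publishes; a `~all` record would only soften the result to "softfail", which this policy still accepts.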
>
> ------------------------------
>
> Message: 5
> Date: Wed, 29 Sep 2004 13:24:14 -0300
> From: "Eduardo Ferreira" <duda@icatu.com.br>
> Subject: Re: [Shorewall-users] SPF screening implemented at
> shorewall.net
> To: Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID:
>
<OFDA468BE9.48FBE6F8-ON83256F1E.005A03B8-83256F1E.005A5156@icatu.com.br>
>
> Content-Type: text/plain; charset="US-ASCII"
>
> Tom Eastep wrote on 29/09/2004 12:22:33:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Over the past weekend, I added SPF screening on the MTA at
> > shorewall.net. SPF is a mechanism for a domain to use DNS to publish a
> > list of those IP addresses that are used to send legitimate email from
> > that domain. A receiving MTA can use that published information to
> > determine if email from a domain is being sent through an MTA belonging
> > to that domain.
> >
> more information on SPF at http://spf.pobox.com/
> there is a utility there that helps creating the SPF DNS Record.
>
> hope it helps,
>
> ________________________
> Eduardo Ferreira
> Icatu Holding S.A.
> Supervisor de TI
> (5521) 3804-8606
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 29 Sep 2004 09:58:02 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] SPF screening implemented at
> shorewall.net
> To: Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID: <415AE99A.2090708@shorewall.net>
> Content-Type: text/plain; charset=us-ascii
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Eduardo Ferreira wrote:
> > Tom Eastep wrote on 29/09/2004 12:22:33:
> >
> >
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>
> >>Over the past weekend, I added SPF screening on the MTA at
> >>shorewall.net. SPF is a mechanism for a domain to use DNS to publish a
> >>list of those IP addresses that are used to send legitimate email from
> >>that domain. A receiving MTA can use that published information to
> >>determine if email from a domain is being sent through an MTA belonging
> >>to that domain.
> >>
> >
> > more information on SPF at http://spf.pobox.com/
> > there is a utility there that helps creating the SPF DNS Record.
> >
>
> In fact, I used that utility to generate the shorewall.net SPF DNS record.
>
> - -Tom
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWumaO/MAbZfjDLIRAgy3AKCcIAr+FP//OWL2FXW5ofp2zugw/gCguc6s
> 1xifI89Jg2R5FasY3Z6/exo
> =+iOE
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 29 Sep 2004 10:04:13 -0700 (PDT)
> From: "Stephen Carville" <stephen@totalflood.com>
> Subject: Re: [Shorewall-users] SPF screening implemented at
> shorewall.net
> To: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net>
> Message-ID:
> <46189.192.168.124.249.1096477453.squirrel@192.168.124.249>
> Content-Type: text/plain;charset=iso-8859-1
>
> > In fact, I used that utility to generate the shorewall.net SPF DNS
> > record.
>
> This gives me a chance to see if my SPF record is working....
>
> --
> Stephen Carville
> Unix and Network Administrator
> DPSI
> 6033 W.Century Blvd.
> Los Angeles, CA 90045
> 310-342-3602
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 29 Sep 2004 12:21:42 -0500
> From: Gary Buckmaster <inherently.evil@gmail.com>
> Subject: [Shorewall-users] DNAT + Masq Problem - Yes I read the FAQ I
> promise
> To: shorewall-users@lists.shorewall.net
> Message-ID: <b1284f4b04092910211283bbc6@mail.gmail.com>
> Content-Type: text/plain; charset=US-ASCII
>
> I have a debian woody machine acting as a firewall for a small
> network. I am trying to do a simple DNAT to port 80 on the protected
> webserver and masquerade all traffic from the protect subnet outbound.
> After having read the FAQ and various posts regarding problems with
> DNAT I'm afraid I'm no closer to a solution. Based on the output from
> "shorewall show nat" I believe that my masq rules are completely wrong
> (although I believe they are correct based on examples and everything
> I've read), and I'm led to believe that my DNAT rules are working.
> However, a tcpdump of the affected interfaces shows the traffic coming
> into the appropriate card, but never traversing the firewall. I
> apologize in advance if I've missed something obvious or dumb and I
> appreciate any insight you folks can provide.
>
> gateway:/etc/shorewall# cat masq
> #INTERFACE SUBNET ADDRESS PROTO PORT(S)
> eth0 192.168.25.0/24
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# cat rules
> #ACTION  SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
> #                                          PORT     PORT(S)  DEST      LIMIT  GROUP
> ACCEPT net fw tcp 22
> DNAT net loc:192.168.25.2 tcp 80
> ACCEPT net fw tcp 25
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# cat policy
> #SOURCE  DEST  POLICY  LOG    LIMIT:BURST
> #                      LEVEL
> loc net ACCEPT
> net all DROP info
> fw all ACCEPT info
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all all REJECT info
> #LAST LINE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# shorewall show nat
> Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004
>
> Counters reset Wed Sep 29 11:56:40 CDT 2004
>
> Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   658 54981 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    21  1682 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 24 packets, 1862 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth0_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE all  --  *      *       192.168.25.0/24      0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   144 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.25.2
>
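The counters in a `shorewall show nat` listing are the quickest evidence of what is and is not matching, and the listing Gary posted shows the pattern worth looking for: POSTROUTING jumps into `eth0_masq` 21 times, yet the MASQUERADE rule for 192.168.25.0/24 inside it has matched nothing, so none of those packets carried a source address in the protected subnet. The parser below is an added diagnostic aid, not part of Shorewall; it reads the chain layout that `shorewall show nat` prints (the same as `iptables -t nat -L -v -n`), reports rules whose packet counters are still zero, and flags user chains that are entered but never match. `SAMPLE_LISTING` is the listing from the post.

```python
"""Parser for the chain listing printed by `shorewall show nat` (the
layout of `iptables -t nat -L -v -n`), added as a diagnostic aid; it is
not part of Shorewall.  SAMPLE_LISTING is the listing from the post above."""
import re

SAMPLE_LISTING = """\
Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004

Counters reset Wed Sep 29 11:56:40 CDT 2004

Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
  658 54981 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1682 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 24 packets, 1862 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.25.0/24      0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.25.2
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def counter(text):
    """iptables abbreviates large counters with K/M/G suffixes."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def parse_listing(listing):
    """Return {chain name: [rule dict, ...]}; banner lines before the first
    'Chain' header and the column-title lines are skipped."""
    chains, current = {}, None
    for line in listing.splitlines():
        match = CHAIN_RE.match(line)
        if match:
            current = match.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue
        pkts, bytes_, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        chains[current].append({
            "pkts": counter(pkts), "bytes": counter(bytes_), "target": target,
            "prot": prot, "in": in_if, "out": out_if, "src": src, "dst": dst,
            "extra": " ".join(fields[9:]),   # e.g. "tcp dpt:80 to:192.168.25.2"
        })
    return chains


def unmatched_rules(chains):
    """Rules whose packet counter is zero, as (chain, target, src, dst)."""
    return [(name, r["target"], r["src"], r["dst"])
            for name, rules in chains.items() for r in rules if r["pkts"] == 0]


def entered_but_idle(chains):
    """User chains that are jumped to (sum of the referencing rules'
    counters) but whose own rules all have zero counters: packets reach
    the chain, yet nothing inside it describes them."""
    entries = {}
    for rules in chains.values():
        for r in rules:
            if r["target"] in chains:            # a jump to a user chain
                entries[r["target"]] = entries.get(r["target"], 0) + r["pkts"]
    return {name: count for name, count in entries.items()
            if count > 0 and all(r["pkts"] == 0 for r in chains[name])}


if __name__ == "__main__":
    nat = parse_listing(SAMPLE_LISTING)
    for chain, target, src, dst in unmatched_rules(nat):
        print(f"{chain}: {target} {src} -> {dst} has matched nothing")
    for chain, count in entered_but_idle(nat).items():
        print(f"{chain}: entered {count} times, no rule matched")
```

Run against the posted listing it reports `eth0_masq` as entered 21 times with no match, which is consistent with the tcpdump observation in the post: the DNAT rule in `net_dnat` has rewritten three packets, but nothing from 192.168.25.0/24 is reaching POSTROUTING on eth0, so the place to look next is whether those packets are forwarded at all rather than the masq entry itself.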
>
> ------------------------------
>
> Message: 9
> Date: Wed, 29 Sep 2004 11:30:35 -0600 (MDT)
> From: "Alan Sparks" <asparks@doublesparks.net>
> Subject: Re: [Shorewall-users] SPF screening implemented at
> shorewall.net
> To: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net>
> Cc: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net>
> Message-ID: <33179.216.150.62.80.1096479035.squirrel@216.150.62.80>
> Content-Type: text/plain;charset=iso-8859-1
>
> Tom Eastep said:
> >> there is a utility there that helps creating the SPF DNS Record.
> >>
> >
> > In fact, I used that utility to generate the shorewall.net SPF DNS
> > record.
> >
> > - -Tom
>
> Guess it hasn't made it out yet, no TXT record resolves yet for
> shorewall.net or lists.shorewall.net...
> -Alan
>
> ==========
> Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 29 Sep 2004 14:30:35 -0300
> From: "Eduardo Ferreira" <duda@icatu.com.br>
> Subject: Re: [Shorewall-users] SPF screening implemented at
> shorewall.net
> To: Mailing List for Shorewall Users
> <shorewall-users@lists.shorewall.net>
> Message-ID:
>
<OF7869FBF9.ADD78617-ON83256F1E.0060177A-83256F1E.00606454@icatu.com.br>
>
> Content-Type: text/plain; charset="US-ASCII"
>
> Alan wrote on 29/09/2004 14:30:35:
>
> > Tom Eastep said:
> > >> there is a utility there that helps creating the SPF DNS Record.
> > >>
> > >
> > > In fact, I used that utility to generate the shorewall.net SPF DNS
> > > record.
> > >
> > > - -Tom
> >
> > Guess it hasn't made it out yet, no TXT record resolves yet for
> > shorewall.net or lists.shorewall.net...
>
> yep. dnsreport.com didn't find any SPF records there.
>
> --Eduardo
>
> ------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
> End of Shorewall-users Digest, Vol 22, Issue 65
> ***********************************************
>