Hi, I'm misusing shorewall to masquerade one subnet to another on a machine behind a shorewall firewall. 2 ports, eth0 & eth1:

  eth0 [192.168.90.0/24] this is the LAN behind the real firewall
  eth1 [192.168.55.0/24] this is the nested LAN

On the nested LAN there are dual boot machines linux/windows; samba is running on both LANs. I went back from ver 2.01 to 1.4.8 to avoid the preset rules, but even with policies like "all all ACCEPT" I'm still having to add rules like "ACCEPT fw loc tcp 20:50000 -" etc. It's like using a 10 ton steam hammer to crack a walnut!

Back in the days when I used to use Bastille, I had to be able to add lines in iptables to use some different protocols. But since using Shorewall it's so easy to customise the firewall, all that in the past is very murky... the price of old age.

Is there a real easy way with shorewall, or better to write a few lines in iptables? Some help would be very welcome.

Richard
richard wrote:
|
| Is there a real easy way with shorewall, or better to write a few lines
| in iptables.
|
| Some help would be very welcome

I'm afraid that from the above description, I have absolutely no idea what problem you are trying to solve (or even why you feel you need to masquerade between two different local subnetworks). A little information about the network topology and routing would certainly help.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I'm afraid that from the above description, I have absolutely no idea
> what problem you are trying to solve (or even why you feel you need to
> masquerade between two different local subnetworks).

Ok,

  --------          -------------------          --------
  Firewall   eth0   90.13          eth1   lan 2
  ----------------                 --------------------
  192.168.90.0/24                  192.168.55.0/24

On the 90./24 LAN there are all fixed addresses; on the 55./24 LAN they are dynamic. The machines on lan2 need to be seen by machines on lan1, and be able to reach the inet. samba is running on both LANs. I've tried using shorewall to masquerade lan2 to lan1, with marginal success.

Suggestions?

Richard
richard wrote:
| Tom Eastep wrote:
|
|> I'm afraid that from the above description, I have absolutely no idea
|> what problem you are trying to solve (or even why you feel you need to
|> masquerade between two different local subnetworks).
|
| Ok,
|
|   --------          -------------------          --------
|   Firewall   eth0   90.13          eth1   lan 2
|   ----------------                 --------------------
|   192.168.90.0/24                  192.168.55.0/24
|

That made it clear as mud.... I think this is what you have:

                 fw
         --------------------
         eth0            eth1
   192.168.90.13/24   192.168.55.x/24

And you want the two segments to be able to communicate and access the internet. Presumably, your internet interface is eth2 (or ppp0 or ...). Is that right? Or is there another router involved?

|
| On the 90./24 lan there is all fixed addresses, on the 55./24 lan they
| are dynamic..
| The machines on lan2 need to be seen by machines on lan1, and be able to
| reach the inet. samba is running on both lans.
| I've tried using shorewall to masquerade lan2 to lan1, with marginal
| success..
| Suggestions?

Yes -- don't masquerade. Simply route between the two networks. Again, I don't understand the masquerade requirement.

-Tom
Tom Eastep wrote:
| richard wrote:
| | Tom Eastep wrote:
| |
| |> I'm afraid that from the above description, I have absolutely no idea
| |> what problem you are trying to solve (or even why you feel you need to
| |> masquerade between two different local subnetworks).
| |
| | Ok,
| |
| |   --------          -------------------          --------
| |   Firewall   eth0   90.13          eth1   lan 2
| |   ----------------                 --------------------
| |   192.168.90.0/24                  192.168.55.0/24
| |
|
| That made it clear as mud....
|
| I think this is what you have:
|
|                  fw
|          --------------------
|          eth0            eth1
|    192.168.90.13/24   192.168.55.x/24
|
| And you want the two segments to be able to communicate and access the
| internet. Presumably, your internet interface is eth2 (or ppp0 or ...).
|
| Is that right?
|
| Or is there another router involved?

Ok -- I went back and read your original post and looked at the above diagram and now I think I understand.

There are *two* Shorewall boxes:

a) The firewall.
b) 192.168.90.13/192.168.55.x

Your question concerns (b) -- you are choosing to masquerade the 192.168.55.0/24 network on (b) rather than set up your routing correctly on the firewall (a).

If all you want to do on (b) is masquerade, get rid of Shorewall and arrange for this command to be executed during boot:

  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.55.0/24 -j SNAT --to-source 192.168.90.13

If you want to do this right, then don't configure iptables/Shorewall on (b) at all and set up the routing on (a) as described at:

http://shorewall.net/Multiple_Zones.html

Hope this helps.
-Tom
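Tom's two options for box (b), as an added example that is not from the thread or the Shorewall project: a boot-time script that prints (or, with APPLY=1 as root, executes) either the SNAT rule he gives or the forwarding-plus-static-route alternative. The variable names, the iptables-save duplicate check and the sysctl call are my assumptions; the addresses and interfaces are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Box (b) has 192.168.90.13 on eth0
# (lan1) and 192.168.55.x on eth1 (lan2). Option A is the minimal SNAT Tom
# gives; Option B is "do it right": no NAT on (b), just forwarding, plus a
# route to lan2 on the real firewall (a). Commands are only printed unless
# APPLY=1 is set, so the script is safe to read and dry-run anywhere.

NESTED_NET="192.168.55.0/24"   # lan2, behind eth1 on box (b)
OUTER_IF="eth0"                # box (b) interface on lan1
OUTER_ADDR="192.168.90.13"     # box (b) address on lan1

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Option A: rewrite the source of lan2 packets leaving eth0 to 192.168.90.13.
# Caveat for the poster's requirement ("lan2 must be seen by lan1"): SNAT only
# hides lan2 behind 192.168.90.13; it does nothing to let lan1 hosts initiate
# connections to lan2 hosts, which is why Tom recommends routing instead.
snat_cmd() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$OUTER_IF" "$NESTED_NET" "$OUTER_ADDR"
}

# Option B: the static route firewall (a) needs so it reaches lan2 through
# box (b). On a Shorewall box (a) this belongs in its configuration as the
# Multiple_Zones document Tom links describes; the raw iproute2 command is
# shown here (assumption: iproute2 is available on (a)).
route_cmd() {
    printf 'ip route add %s via %s\n' "$NESTED_NET" "$OUTER_ADDR"
}

# Both options need box (b) to forward. Richard notes Mandrake's msec may
# undo this, so run the sysctl late in boot, after msec has applied its policy.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Idempotent add: don't stack duplicate SNAT rules on every boot or re-run.
# iptables-save lists matches as "-s ... -o ..." regardless of the order
# they were given; older releases lack "iptables -C", so grep the dump.
add_snat_once() {
    if [ "${APPLY:-0}" = "1" ] && iptables-save -t nat 2>/dev/null \
        | grep -qF -- "-s $NESTED_NET -o $OUTER_IF -j SNAT --to-source $OUTER_ADDR"; then
        echo "SNAT rule already present"
        return 0
    fi
    run $(snat_cmd)
}

case "${1:-a}" in
    a) enable_forwarding; add_snat_once ;;                      # on box (b)
    b) enable_forwarding; echo "on firewall (a): $(route_cmd)" ;;
    *) echo "usage: $0 [a|b]" >&2; exit 2 ;;
esac
```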
Tom Eastep wrote:
> Tom Eastep wrote:
> | richard wrote:
> | | Tom Eastep wrote:
> | |
> | |> I'm afraid that from the above description, I have absolutely no idea
> | |> what problem you are trying to solve (or even why you feel you need to
> | |> masquerade between two different local subnetworks).
> | |
> | | Ok,
> | |
> | |   --------          -------------------          --------
> | |   Firewall   eth0   90.13          eth1   lan 2
> | |   ----------------                 --------------------
> | |   192.168.90.0/24                  192.168.55.0/24
> | |
> |
> | That made it clear as mud....
> |
> | I think this is what you have:
> |
> |                  fw
> |          --------------------
> |          eth0            eth1
> |    192.168.90.13/24   192.168.55.x/24
> |
> | And you want the two segments to be able to communicate and access the
> | internet. Presumably, your internet interface is eth2 (or ppp0 or ...).
> |
> | Is that right?
> |
> | Or is there another router involved?
>
> Ok -- I went back and read your original post and looked at the above
> diagram and now I think I understand.
>
> There are *two* Shorewall boxes:
>
> a) The firewall.
> b) 192.168.90.13/192.168.55.x
>
> Your question concerns (b) -- you are choosing to masquerade the
> 192.168.55.0/24 network on (b) rather than set up your routing correctly
> on the firewall (a).
>
> If all you want to do on (b) is masquerade, get rid of Shorewall and
> arrange for this command to be executed during boot:
>
>   iptables -t nat -A POSTROUTING -o eth0 -s 192.168.55.0/24 -j SNAT --to-source 192.168.90.13
>
> If you want to do this right, then don't configure iptables/Shorewall on
> (b) at all and set up the routing on (a) as described at:
>
> http://shorewall.net/Multiple_Zones.html
>
> Hope this helps.

Yes it does Tom, sometimes you can't see the wood for the trees.

Thanks

Richard
richard wrote:
|>
| Yes it does Tom, sometimes you can't see the wood for the trees.
|
| Thanks

You're welcome -- sorry I was so slow to catch on to what you were doing.

-Tom
Tom Eastep wrote:
> richard wrote:
>
> |>
> | Yes it does Tom, sometimes you can't see the wood for the trees.
> |
> | Thanks
>
> You're welcome -- sorry I was so slow to catch on to what you were doing.

Tom, I can't believe you put so much effort into trying to understand such a poorly described problem.

Seriously, folks, Tom seems to spend most of his life trying to work out what people are talking about on this list. Have a bit of mercy on the guy! Some suggestions:

1. This list is now supposed to be for experienced shorewall users. There is a separate list for newbies, and I would suggest that it should be used not only for newbie people but newbie questions (which I think this thread was).

2. Shorewall is one of the most well-documented free software projects in existence. Tom and others have put a lot of effort into ensuring that the most important concepts are thoroughly documented and have reasonable examples. I would venture to suggest that for the experienced shorewall users list, 20 minutes of searching of the list archives and reading of the relevant documentation before posting any problem should be considered a minimum.

3. Please consider using one of the various freely-available tools to describe your network layout. I personally prefer dia - you can find a working example diagram in my shoregen documentation at http://paulgear.webhop.net/linux if you prefer not to start from scratch. You can export in PNG format from dia, and this is quite efficient while providing a much-needed boost in comprehension.

4. In conjunction with that, setting the context by clearly describing the problem the first time greatly assists Tom and the rest of us. I realise some people may be in a hurry for answers, but you can usually get them more quickly by taking the time to plan your questions. I often find that by spending 30 minutes writing and rewriting my email, I gain a lot of ground towards solving the problem even before I hit the send button. (And besides, testing produces character! ;-)

Please don't take this as an attack on the original poster. I am just concerned about Tom, and I think his sterling efforts in supporting a product from which he makes no money need to be acknowledged (kudos also to his understanding employer!), and we should make every effort to reduce his load.

I also realise that I'm preaching to the converted in many instances here also. Please forgive me if you feel insulted. I'm placing this here mainly for the list archives so hopefully people who are tempted to just shoot off questions might think before they ask.

Regards,
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
In my opinion shorewall is not for newbies. Being a newbie myself, I use this mailing list to get pointers, which help in solving my issues in network security and functionality. Networking and subnetworking is a study on its own and when you add IPTABLES to the picture, it becomes "black magic".

All I have to say: thanks Tom for being brief and to the point and preventing confusion.

Andrew Nady.
Andrew N. wrote:
> In my opinion shorewall is not for newbies. Being a newbie myself, I use
> this mailing list to get pointers, which help solving my issues in Network
> security and functionality.
> Networking and subnetworking is a study on its own and when you add IPTABLES
> to the picture, it becomes "black magic".
> All I have to say; thanks Tom for being brief and to the point and
> preventing confusion.

If that's the opinion of you all, I'll unsubscribe from the list.

FYI I'm using Mandrake, and I don't consider myself a linux newbie either. Mandrake's security package, msec, can make it very difficult to route across the kernel; it's not just a case of setting ipv4_forwarding to on. Misusing shorewall was an attempt at negating the effect of msec by masquerading one subnet to the other.

I've always found Tom to be very helpful and non critical, unless the word Mandrake is used.

I would also point out that not all of us are as mentally quick as they used to be, especially if recovering from a breakdown earlier in the year, and still drugged to the gunnels.

Richard

Please don't start a flame war on this list.
Paul Gear wrote:
|
| 1. This list is now supposed to be for experienced shorewall users.
| There is a separate list for newbies, and i would suggest that it
| should be used not only for newbie people but newbie questions (which
| i think this thread was).

There is only one Shorewall support list now -- I terminated the newbie list several months ago.

I don't know what to do about the issue of problem description; I've given up adding more information to the Shorewall Support Guide since it's pretty clear that almost no one reads that article before posting (or if they do, they dismiss it as the product of a typing exercise by the author). That's one reason why I terminated the Newbie list -- people seemed confused about which list to post on even though the guidelines were in the Support Guide.

|
| 4. In conjunction with that, setting the context by clearly
| describing the problem the first time greatly assists Tom and the rest
| of us. I realise some people may be in a hurry for answers, but you
| can usually get them more quickly by taking the time to plan your
| questions. I often find that by spending 30 minutes writing and
| rewriting my email, i gain a lot of ground towards solving the problem
| even before i hit the send button. (And besides, testing produces
| character! ;-)

I've often found that when I can't solve a problem, formulating the problem in the form of a question to ask someone else often clarifies my thinking and the answer becomes obvious.

|
| I also realise that i'm preaching to the converted in many instances
| here also. Please forgive me if you feel insulted. I'm placing this
| here mainly for the list archives so hopefully people who are tempted
| to just shoot off questions might think before they ask.
|

Thanks Paul for your continued support.
-Tom
Andrew N. wrote:
| In my opinion shorewall is not for newbies. Being a newbie myself, I use
| this mailing list to get pointers, which help solving my issues in Network
| security and functionality.
| Networking and subnetworking is a study on its own and when you add IPTABLES
| to the picture, it becomes "black magic".

I think therein lies one of the key problems -- if posters see routing and firewalling as "black magic", then it is very difficult for them to articulate the problem they are having in terms that are helpful toward a solution.

-Tom
richard wrote:
| Andrew N. wrote:
|
|> In my opinion shorewall is not for newbies. Being a newbie myself, I use
|> this mailing list to get pointers, which help solving my issues in
|> Network
|> security and functionality.
|> Networking and subnetworking is a study on its own and when you add
|> IPTABLES
|> to the picture, it becomes "black magic".
|> All I have to say; thanks Tom for being brief and to the point and
|> preventing confusion.
|
|
| If that's the opinion of you all, I'll unsubscribe from the list.

Richard, I don't think that either Paul's or Andrew's remarks were aimed at you. I believe that Andrew was simply stating that *he* subscribes to this list in order to try to learn more -- that's cool.

| I've always found Tom to be very helpful and non critical, unless the
| word Mandrake is used.

Actually, I'm grateful to Mandrake for including Shorewall in their products. But that is a two-edged sword. By preinstalling Shorewall (and until recently, configuring Shorewall in a non-standard manner), Mandrake short-circuits the key educational experience of installing and configuring Shorewall using one of the QuickStart Guides. This has the effect of increasing my support load because all Mandrake users see is a GUI and what is behind it is more "black magic".

-Tom
Tom Eastep wrote:
| Andrew N. wrote:
| | In my opinion shorewall is not for newbies. Being a newbie myself, I use
| | this mailing list to get pointers, which help solving my issues in
| Network
| | security and functionality.
| | Networking and subnetworking is a study on its own and when you add
| IPTABLES
| | to the picture, it becomes "black magic".
|
| I think therein lies one of the key problems -- if posters see routing
| and firewalling as "black magic", then it is very difficult for them to
| articulate the problem they are having in terms that are helpful toward
| a solution.
|

Please don't misunderstand me -- I'm not blaming anyone here; I'm just saying that I understand why the problem descriptions I receive are often less than clear.

-Tom
Tom Eastep wrote:
> ...
> Richard, I don't think that either Paul's or Andrew's remarks were aimed
> at you.

I certainly did not intend them as a personal attack, and I'm sorry if that's how they were viewed. That said, my remarks were targeted at getting everyone (including Richard, myself, and anyone else reading this thread) to think more before they post.

> ...
> There is only one Shorewall support list now -- I terminated the newbie
> list several months ago.

Sorry - my mistake. I haven't checked since then (I read this list via gmane.org - highly recommended, BTW).

> ...
> I don't know what to do about the issue of problem description; I've
> given up adding more information to the Shorewall Support Guide since
> it's pretty clear that almost no one reads that article before posting
> (or if they do, they dismiss it as the product of a typing exercise by
> the author). That's one reason why I terminated the Newbie list --
> people seemed confused about which list to post on even though the
> guidelines were in the Support Guide.

My suggestion has always been that you should make *less* effort in responding to unclear questions. Perhaps simply posting a link to ESR's "How to ask questions the smart way" <http://www.catb.org/~esr/faqs/smart-questions.html> in response to some of them would be useful.

--
Paul Gear, Manager IT Operations, Redlands College