Good day,
We are currently running a 3 interface firewall on a Linux Redhat 9.0
system. There is a problem in which computers within the Local zone are
having difficulty connecting to the Internet. We have a server within
the DMZ Zone that acts as our Internet proxy server for users wishing to
access the Internet. The problem that keeps occurring is that for some
reason the proxy server loses connectivity to the Internet for no apparent
cause. Then, because of the server losing its connection, users in the local
zone are unable to access the Internet through the proxy. Through process of
elimination I was able to find out that the firewall itself still has access
to the Net with no problems at all.
This problem never occurred with our previous firewall running Redhat 7.2
Shorewall version 1.4.6.a. The setup has not changed at all except for us
replacing the firewall with a brand new server running the latest Linux
operating system 9.0 and Shorewall version 1.4.8. All of the firewall rules
on the new server are completely identical to the way it was on the old
firewall server.
I should also add that there is another machine apart from the Internet
proxy server that acts as our DNS server within the DMZ zone as well. That
server does not experience problems with Internet when the proxy suffers
from problems. Is this an issue with Shorewall that I should be looking at,
or possibly the server configuration itself? The only way that I figured out
to "temporarily" fix the problem is to reboot the Proxy server, but this is
not an option. Any help would greatly be appreciated.
P.S. I am currently "not" subscribed to the Shorewall users mailing list
Thank you,
James
Shorewall version 1.4.8
Ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:55:d6:04:ff brd ff:ff:ff:ff:ff:ff
inet 65.115.171.251/29 brd 65.115.171.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:c6:f2:8a brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:7c:77:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.184/24 brd 192.168.5.255 scope global eth2
Ip route show:
65.115.171.252 dev eth1 scope link
65.115.171.250 dev eth1 scope link
65.115.171.248/29 dev eth0 scope link
169.254.0.0/16 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 65.115.171.249 dev eth0
shorewall show log:
Shorewall-1.4.8 Log at firewall.ecof.com - Wed Feb 4 14:57:03 EST 2004
Counters reset Wed Feb 4 13:34:44 EST 2004
Feb 4 14:54:27 loc2fw:ACCEPT:IN=eth2 OUT= SRC=192.168.5.205 DST=192.168.5.184 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=32002 PROTO=TCP SPT=61614 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 4 14:55:28 newnotsyn:DROP:IN=eth2 OUT=eth1 SRC=192.168.5.195 DST=65.115.171.250 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=14946 DF PROTO=TCP SPT=3618 DPT=8080 WINDOW=8760 RES=0x00 ACK FIN URGP=0
Feb 4 14:55:38 net2all:DROP:IN=eth0 OUT=eth1 SRC=208.4.0.135 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=243 ID=18567 DF PROTO=UDP SPT=45018 DPT=53 LEN=34
Feb 4 14:55:38 net2all:DROP:IN=eth0 OUT=eth1 SRC=208.4.0.135 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=243 ID=18568 DF PROTO=UDP SPT=45018 DPT=53 LEN=34
Feb 4 14:56:21 net2all:DROP:IN=eth0 OUT=eth1 SRC=151.196.71.5 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=238 ID=39035 DF PROTO=UDP SPT=50744 DPT=53 LEN=34
Feb 4 14:56:24 net2dmz:ACCEPT:IN=eth0 OUT=eth1 SRC=209.40.99.11 DST=65.115.171.252 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=46607 DF PROTO=TCP SPT=41129 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 4 14:57:02 net2dmz:ACCEPT:IN=eth0 OUT=eth1 SRC=207.166.192.251 DST=65.115.171.252 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=34214 DF PROTO=TCP SPT=4616 DPT=25 WINDOW=32120 RES=0x00 SYN URGP=0
Shorewall Interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,tcpflags
dmz eth1 detect
loc eth2 detect
Shorewall rules:
# Accept DNS connections from the firewall to the Internet
#
ACCEPT:info loc fw tcp 22,25,10000 -
ACCEPT fw net tcp 53
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT fw net udp 53
ACCEPT loc dmz tcp 22
#
# DMZ DNS access to the Internet
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT dmz fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP net fw icmp 8 -
DROP:info net dmz icmp 8 -
DROP:info net loc icmp 8 -
DNAT loc dmz:65.115.171.250 tcp 80,8080,8003 - 192.168.3.1
DNAT:info net loc:192.168.5.10 tcp 1723 - 65.115.171.251
DNAT:info net loc:192.168.5.10 47 - - 65.115.171.251
DNAT dmz:65.115.171.252 loc:192.168.5.205 tcp 25 - 192.168.3.1
ACCEPT:info net dmz:65.115.171.250 tcp 53,80 -
ACCEPT:info net dmz:65.115.171.252 tcp 25 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Shorewall policies:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
#dmz net ACCEPT
loc net DROP -
# THE FOLLOWING POLICY MUST BE LAST
$FW net ACCEPT -
dmz net ACCEPT -
all all REJECT -
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
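As an added example (not part of James's post or of Shorewall itself), a small Python parser for the `shorewall show log` entries quoted above, run over those same entries embedded as constructed sample input; it tallies DROPs per chain, destination and port and separately lists TCP packets dropped without a SYN, which is what the newnotsyn chain catches when the firewall has no connection-tracking entry for a session. It assumes only the Shorewall 1.4 log layout shown in the post.

```python
import re
from collections import Counter

# Constructed sample: the entries from the post's "shorewall show log" output,
# one entry per line (Shorewall 1.4 layout: "<date> <chain>:<action>:<fields>").
SAMPLE_LOG = """\
Feb 4 14:54:27 loc2fw:ACCEPT:IN=eth2 OUT= SRC=192.168.5.205 DST=192.168.5.184 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=32002 PROTO=TCP SPT=61614 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 4 14:55:28 newnotsyn:DROP:IN=eth2 OUT=eth1 SRC=192.168.5.195 DST=65.115.171.250 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=14946 DF PROTO=TCP SPT=3618 DPT=8080 WINDOW=8760 RES=0x00 ACK FIN URGP=0
Feb 4 14:55:38 net2all:DROP:IN=eth0 OUT=eth1 SRC=208.4.0.135 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=243 ID=18567 DF PROTO=UDP SPT=45018 DPT=53 LEN=34
Feb 4 14:55:38 net2all:DROP:IN=eth0 OUT=eth1 SRC=208.4.0.135 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=243 ID=18568 DF PROTO=UDP SPT=45018 DPT=53 LEN=34
Feb 4 14:56:21 net2all:DROP:IN=eth0 OUT=eth1 SRC=151.196.71.5 DST=65.115.171.250 LEN=54 TOS=0x00 PREC=0x00 TTL=238 ID=39035 DF PROTO=UDP SPT=50744 DPT=53 LEN=34
Feb 4 14:56:24 net2dmz:ACCEPT:IN=eth0 OUT=eth1 SRC=209.40.99.11 DST=65.115.171.252 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=46607 DF PROTO=TCP SPT=41129 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

HEADER = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+([^:\s]+):([A-Z]+):(.*)$")

def parse_line(line):
    """Split one entry into timestamp, chain, action, key=value fields and bare flags."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, chain, action, rest = m.groups()
    rec = {"time": ts, "chain": chain, "action": action, "flags": []}
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)      # UDP lines carry a second LEN=; keep the IP one
        else:
            rec["flags"].append(tok)      # DF, SYN, ACK, FIN, ...
    return rec

def summarize(text):
    """Return DROP counts per (chain, dst, proto, dport) and the TCP drops without SYN."""
    drops = Counter()
    no_state = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        drops[(rec["chain"], rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))] += 1
        # A dropped TCP packet carrying ACK/FIN but no SYN was treated as NEW because
        # the firewall had no conntrack entry for that session (the newnotsyn chain).
        if rec.get("PROTO") == "TCP" and "SYN" not in rec["flags"]:
            no_state.append((rec["time"], rec.get("SRC"), rec.get("DST"), rec.get("DPT")))
    return drops, no_state

if __name__ == "__main__":
    drops, no_state = summarize(SAMPLE_LOG)
    for key, n in drops.most_common():
        print(n, *key)
    print("TCP drops with no connection state:", no_state)
```

Feeding the full `shorewall show log` output to `summarize` and comparing the timestamps of the no-SYN drops against the moments the proxy loses connectivity tells you whether the firewall is losing state for the proxy's sessions or simply never seeing its traffic.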