cmisip@insightbb.com
2003-Nov-01 16:50 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
I have a freeswan server on the wired lan (192.168.1.0/24). I have a laptop connecting to this from the wireless lan (192.168.0.0/24). The vpn tunnel is up and running. The laptop is running Windows XP Home. The freeswan server is also a samba domain master, local master and wins server. It is running Shorewall 1.4.3. All the other wired hosts point to this wins server. I want to be able to browse the smb shares on the wired lan from my laptop. What I find is that in order for browsing to work, I have to have a policy in shorewall of "fw wln ACCEPT". (wln refers to the wireless lan zone). All other connections from the wln zone are dropped with "wln all DROP". Without the "fw wln ACCEPT" policy, the laptop is unable to browse despite the tunnel being up. Is this expected behavior? I assume that wins server communicates via udp and that this is somehow not allowed to go through the vpn tunnel?
Tom Eastep
2003-Nov-01 17:06 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
On Sat, 1 Nov 2003 cmisip@insightbb.com wrote:

> I have a freeswan server on the wired lan (192.168.1.0/24). I have a
> laptop connecting to this from the wireless lan (192.168.0.0/24). The
> vpn tunnel is up and running. The laptop is running Windows XP Home.
> The freeswan server is also a samba domain master, local master and wins
> server. It is running Shorewall 1.4.3. All the other wired hosts point
> to this wins server. I want to be able to browse the smb shares on the
> wired lan from my laptop. What I find is that in order for browsing to
> work, I have to have a policy in shorewall of "fw wln ACCEPT". (wln
> refers to the wireless lan zone). All other connections from the wln
> zone are dropped with "wln all DROP". Without the "fw wln ACCEPT"
> policy, the laptop is unable to browse despite the tunnel being up. Is
> this expected behavior? I assume that wins server communicates via udp
> and that this is somehow not allowed to go through the vpn tunnel?

Is there a Samba server running on the Firewall?

-Tom

PS -- FWIW, I tried a similar setup with PPTP rather than IPSEC; I soon gave up. Windoze persisted in wanting to communicate via the firewall rather than the tunnel even when I had the default route through the tunnel! This is not to say that it can't be made to work -- I just didn't care enough one way or the other. If my neighbors are smart enough to get by my other measures, so be it.

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
cmisip
2003-Nov-01 17:58 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
On Sat, 2003-11-01 at 20:06, Tom Eastep wrote:

> Is there a Samba server running on the Firewall?

Yes.
Tom Eastep
2003-Nov-01 18:06 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
On Sat, 1 Nov 2003, cmisip wrote:

> > Is there a Samba server running on the Firewall?
>
> Yes.

Then did you try setting up SMB between the wireless zone and the firewall using the instructions at http://shorewall.net/samba.htm?

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
cmisip
2003-Nov-01 18:20 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
I have a policy of "vpn fw ACCEPT" and "fw vpn ACCEPT". Communication to and from the laptop (wireless zone) and freeswan server (wired zone) is all through the vpn tunnel. All network services available on the freeswan server (samba, rsync, ftp, smtp, etc.) are accessible from the laptop when the tunnel is up. No service can be accessed when the tunnel is down. This is sort of my replacement for WEP. The only communication that cannot get through the tunnel is netbios, as I am not able to see the samba servers on the wired lan. If I add the policy of "fw wln ACCEPT", then I can see those samba servers. I didn't think I needed to open specific ports between the wired and wireless zones (all ports open because vpn already made sure that they trust each other).

On Sat, 2003-11-01 at 21:06, Tom Eastep wrote:

> Then did you try setting up SMB between the wireless zone and the firewall
> using the instructions at http://shorewall.net/samba.htm?
Tom Eastep
2003-Nov-01 18:47 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
On Sat, 1 Nov 2003, cmisip wrote:

> I have a policy of "vpn fw ACCEPT" and "fw vpn ACCEPT". Communication
> to and from the laptop (wireless zone) and freeswan server (wired zone)
> is all through the vpn tunnel. All network services available on the
> freeswan server (samba, rsync, ftp, smtp, etc.) are accessible from the
> laptop when the tunnel is up. No service can be accessed when the
> tunnel is down. This is sort of my replacement for WEP. The only
> communication that cannot get through the tunnel is netbios as I am not
> able to see the samba servers on the wired lan. If I add the policy of
> "fw wln ACCEPT", then I can see those samba servers. I didn't think I
> needed to open specific ports between the wired and wireless zones (all
> ports open because vpn already made sure that they trust each other).

I sympathize -- when you understand what is happening, please let us know. You might want to have a look at my setup (http://shorewall.net/myfiles.htm) -- I'm relying on WEP and MAC validation between my wireless and wired networks because I just didn't have the time or energy to try to understand why Windows worked the way it did when I tried to replace that Combo with a Windoze PPTP tunnel.

On a related topic, I have the following rules:

DROP loc:192.168.1.0/24 fw
DROP loc:!192.168.1.0/24 net
DROP loc:!192.168.1.0/24 dmz

These rules are there because my idiotic Windows XP system that I use for work:

a) Is connected to my employer's 16.0.0.0/8 network via PPTP (that's the Digital Equipment class A for you Internet historians).

b) Continuously blasts my firewall, DMZ and the net with packets with a source address in 16.0.0.0/24 (assigned by the PPTP server) even though that is totally idiotic (consider how replies will be returned to these packets!!!).

What you are trying to do would work well with a well-behaved OS -- it seems to fail with Windows.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
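A narrower alternative to the blanket "fw wln ACCEPT" policy cmisip describes, as an added illustration that is not from the thread, from cmisip's or Tom's files, or from shorewall.net. It assumes the zone names used in the thread (fw, wln, vpn), the Shorewall 1.4 policy and rules file column layout, and the NetBIOS/SMB ports that the Shorewall Samba documentation Tom points to covers; verify the columns against your own Shorewall version's file headers. It opens only the firewall's own Samba traffic towards the wireless zone, which is the traffic the thread shows going around the tunnel, and leaves everything else from wln dropped.

```text
# /etc/shorewall/policy  (illustration only; zone names as in the thread)
# SOURCE   DEST   POLICY   LOG LEVEL
vpn        fw     ACCEPT
fw         vpn    ACCEPT
wln        all    DROP     info
# no "fw wln ACCEPT" line: the firewall may only reach the wireless
# zone through the explicit rules below
all        all    REJECT   info

# /etc/shorewall/rules  (illustration only)
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)
# NetBIOS name and datagram services (name resolution, browse lists)
# from the firewall's nmbd to the wireless zone, in the clear
ACCEPT    fw      wln   udp    137:139
# nmbd replies to a name query arrive from port 137 to a high port
ACCEPT    fw      wln   udp    1024:         137
# SMB/CIFS session setup from the firewall's smbd (e.g. printer shares)
ACCEPT    fw      wln   tcp    139,445
# Deliberately no wln -> fw rules: the laptop still has to reach the
# server through the vpn zone, which the ACCEPT policies above allow.
```

With only these rules, every other packet from the firewall to the wireless side is rejected and logged, so the shorewall log shows exactly which additional flows Windows insists on sending outside the tunnel.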
cmisip
2003-Nov-01 19:12 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
Thanks for your insight. I will try to research this further. If I find an explanation I will post back.
Tom Eastep
2003-Nov-01 19:18 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
On Sat, 1 Nov 2003, cmisip wrote:

> Thanks for your insight. I will try to research this further. If I
> find an explanation I will post back.

Thanks!!

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Micha Silver
2003-Nov-01 23:32 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
You mentioned that your laptop was running XP Home, and the Samba server is a Domain Master. AFAIK, XP Home will not participate in a Windows Domain. Maybe that's your problem?
cmisip@insightbb.com
2003-Nov-02 10:41 UTC
[Shorewall-users] Question about WINS, Shorewall and Freeswan
I think I read somewhere about this, but the way I understood it is that:

1) Windows xp home must always authenticate each time it accesses a network resource (I think this is being done transparently now, I had to authenticate only once when I connected to a smb share and now have access to it just by clicking on share - printer shares are different though, I had to use the nobody user for this.);

2) Windows xp home uses only share level authentication for its local smb shares - no user authentication at all.

Browsing the linux smb shares works fine from the Windows XP Home laptop, if I have the "fw wln ACCEPT" policy despite having established a vpn tunnel between the laptop and the gateway to the home lan.

----- Original Message -----
From: "Micha Silver" <Micha@arava.co.il>
To: "'Shorewall Users Mailing List'" <shorewall-users@lists.shorewall.net>
Sent: Sunday, November 02, 2003 2:33 AM
Subject: RE: [Shorewall-users] Question about WINS, Shorewall and Freeswan

> You mentioned that your laptop was running XP Home, and the Samba server is
> a Domain Master. AFAIK, XP Home will not participate in a Windows Domain.
> Maybe that's your problem?