While I'm in temporary retirement, I've decided to spend a little time experimenting with new things and making some updates to the web site. The biggest result of this effort to date has been:

http://shorewall.sf.net/Shorewall_Squid_Usage.html

This outlines how to use Squid as a transparent proxy running on the firewall, in the DMZ or in the local network. In the latter two cases, policy routing is used rather than Shorewall rules so that no Squid functionality is lost. I have personally tested all three cases in one form or another and I believe that the info on the page is correct.

A number of other questions that have been asked lately on the mailing list are now treated on the web site so look around...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Bradley,

Sorry about the delay. I was trying whatever you said.

"I assume you can ping 66.58.99.84 from the firewall (at least, your routing table looks fine)."

Here is what I am getting:

# ping 66.58.99.84
PING 66.58.99.84 (66.58.99.84) from 10.10.100.1 : 56(84) bytes of data.
From 10.10.100.1: Destination Host Unreachable
From 10.10.100.1: Destination Host Unreachable
From 10.10.100.1: Destination Host Unreachable

(10.10.100.1 is the eth1 - DMZ interface).

"Do you have IP_FORWARDING=Off in your shorewall.conf?"

No, IP_FORWARDING=Yes

"What does "cat /proc/sys/net/ipv4/ip_forward" show?"

# cat /proc/sys/net/ipv4/ip_forward
1

"Do you have ALLOW_RELATED=No in shorewall.conf?"

# grep ALLOW /etc/shorewall/shorewall.conf
ALLOWRELATED="yes"

"In the meantime, you can also try temporarily adding a "wan dmz ACCEPT" policy--that's the big hammer approach."

I added it, then shorewall clear, shorewall restart. Then from the Internet - telnet 66.58.99.84 25 - connection refused. From the LAN - telnet 66.58.99.84 25 - the same.

What could it be? Can I have more than one machine on a DMZ? I already have a DNS server which works OK.

Just to add more info. The 66.58.99.84 interface is on a machine on which the other (eth0) 66.58.99.83 interface is outside the DMZ. They are both in the same box. The routing for this machine is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0

I am totally lost. Spent one week without incoming e-mail. Can someone help?

----------------------------------------------------------------------------------------------------

Hmm--all of the proxy ARP settings look fine.
I assume you can ping 66.58.99.84 from the firewall (at least, your routing table looks fine). Your policies file shows that you're logging every single packet that falls through to a policy, which seems odd, but it shouldn't affect firewall function.

It still looks to me like your firewall can't route the packets to your mail server for some reason--that ICMP host-unreachable packet is suspicious. Do you have IP_FORWARDING=Off in your shorewall.conf? What does "cat /proc/sys/net/ipv4/ip_forward" show? Do you have ALLOW_RELATED=No in shorewall.conf?

The fact that the original packets show RST set seems a bit odd, too--I'll take another look at it tomorrow. In the meantime, you can also try temporarily adding a "wan dmz ACCEPT" policy--that's the big hammer approach.

- Bradey

-----Original Message-----
From: Trifon Anguelov [mailto:TAnguelov@kana.com]
Sent: Monday, January 06, 2003 7:05 PM
To: 'shorewall-users@shorewall.net'
Subject: RE: [Shorewall-users] SMTP traffic gets blocked

Sorry about that. Still new to shorewall.
So here is the info requested:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
66.58.99.84     0.0.0.0         255.255.255.255 UH    0      0   0   eth1
66.58.99.82     0.0.0.0         255.255.255.255 UH    0      0   0   eth1
66.58.99.80     0.0.0.0         255.255.255.248 U     0      0   0   eth0
10.10.100.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
10.10.200.0     0.0.0.0         255.255.255.0   U     0      0   0   eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         66.58.99.81     0.0.0.0         UG    0      0   0   eth0

eth0 - WAN
eth1 - DMZ
eth2 - LAN
66.58.99.81 - my ISP router

------------------------------

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0E:CC:61
          inet addr:66.58.99.86  Bcast:66.58.99.87  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1237116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1113292 errors:0 dropped:0 overruns:0 carrier:0
          collisions:31776 txqueuelen:100
          RX bytes:1329865780 (1268.2 Mb)  TX bytes:517838824 (493.8 Mb)
          Interrupt:9 Base address:0xfcc0

eth1      Link encap:Ethernet  HWaddr 00:D0:B7:10:37:F0
          inet addr:10.10.100.1  Bcast:10.10.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:783 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:89283 (87.1 Kb)  TX bytes:75673 (73.8 Kb)
          Interrupt:11 Base address:0xfc80

eth2      Link encap:Ethernet  HWaddr 00:60:8C:35:E1:43
          inet addr:10.10.200.1  Bcast:10.10.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1112066 errors:9938 dropped:0 overruns:9262 frame:9938
          TX packets:1230813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3257 txqueuelen:100
          RX bytes:521075258 (496.9 Mb)  TX bytes:1327157006 (1265.6 Mb)
          Interrupt:10 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

-------------------------------

# cat policy
# Shorewall /etc/shorewall/policy
#client  server  policy  log_level
lan      lan     ACCEPT  info
lan      wan     ACCEPT  info
fw       lan     ACCEPT  info
lan      fw      REJECT  info
wan      wan     ACCEPT  info
wan      all     DROP    info
all      all     REJECT  info

---------------------------

As far as proxyarp goes, here is my config:

# cat proxyarp
# Shorewall 1.2.5 /etc/shorewall/proxyarp
#address      interface  external  haveroute
66.58.99.82   eth1       eth0      No
66.58.99.84   eth1       eth0      No

The two hosts on the DMZ zone are having proxy ARP to the eth0 public interface on the firewall.

Thank you for your help. Waiting for your solutions. You are a great community.

Regards,
Trifon Anguelov

-----Original Message-----
From: Bradey Honsinger [mailto:BradeyH@construx.com]
Sent: Monday, January 06, 2003 5:18 PM
To: 'shorewall-users@shorewall.net'
Subject: RE: [Shorewall-users] SMTP traffic gets blocked

I believe the log messages refer to outgoing packets (that's what the "IN=<blank>" means). They're also ICMP type 3, code 1 packets, not SMTP packets, so it's not a port forwarding issue, and your ISP isn't blocking incoming SMTP packets. My trusty Stevens says that ICMP type 3, code 1 is "host unreachable", so at the very least the routing table on your firewall is incorrect.

It appears that the root cause of the problem is that you either should be using Proxy ARP and aren't, or are using Proxy ARP but have "Yes" in the "Have Route" column. If so, please go to the Shorewall web site and carefully read the Proxy ARP Quick Start and the proxyarp section of the Reference Manual. It's all in there--I don't know how Tom could have made it any clearer.

Finally, it's worth saying yet again: your rules are meaningless without your policies! FAQ 17 tells you that "all2all" log messages are generated by a _policy_, not a rule, so in order to interpret these messages we really need to know your policies.
For everyone else out there: never, ever, ever, post your rules without also including your policies. If you're posting log messages, your interfaces file is useful as well, so that we can match things up.

- Bradey

-----Original Message-----
From: Trifon Anguelov [mailto:TAnguelov@kana.com]
Sent: Monday, January 06, 2003 4:37 PM
To: 'shorewall-users@shorewall.net'
Subject: FW: [Shorewall-users] SMTP traffic gets blocked

Anyone willing to take a lead on this one, since Tom is taking a rest:

"
I am hosting all servers by myself. I have five static IP addresses with a DSL line. My DSL router from the ISP provider is configured as a bridge, so no traffic is filtered. I checked the logs and am getting:

Jan 5 23:05:12 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1508 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=55762 DF PROTO=TCP SPT=51131 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:23:21 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1516 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=31260 DF PROTO=TCP SPT=38949 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:28:02 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=204.153.177.10 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=11282 PROTO=ICMP TYPE=3 CODE=1 [SRC=204.153.177.10 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=0 DF PROTO=TCP SPT=36011 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 ]
Jan 5 23:28:58 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1524 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=40480 DF PROTO=TCP SPT=45350 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:42:42 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1532 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=12542 DF PROTO=TCP SPT=60986 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]

and here are my rules:

ACCEPT  dmz:66.58.99.84  wan              tcp  25    -
ACCEPT  dmz:66.58.99.84  wan              tcp  pop3  -
ACCEPT  lan              dmz:66.58.99.84  tcp  pop3  -
ACCEPT  lan              dmz:66.58.99.84  tcp  25    -
ACCEPT  fw               dmz:66.58.99.84  tcp  25    -
ACCEPT  wan              dmz:66.58.99.84  tcp  pop3  -
ACCEPT  wan              dmz:66.58.99.84  tcp  25    -
ACCEPT  dmz:66.58.99.84  fw               tcp  25    -

Unfortunately, I already searched and read the whole documentation on the shorewall.net site. google.com didn't help much either. It's something small, but somehow I could not get it. If you need some other files or listings, I am ready to post them here.

Regards and thank you for your help,
Trifon Anguelov
"

Trifon Anguelov

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, January 06, 2003 3:34 PM
To: Trifon Anguelov; 'shorewall-users@shorewall.net'
Subject: Re: [Shorewall-users] SMTP traffic gets blocked

--On Monday, January 06, 2003 03:27:33 PM -0800 Trifon Anguelov <TAnguelov@kana.com> wrote:

> Hi,
>
> I am trying to configure the SMTP service on a DMZ host. Added the rules:
>
> ACCEPT wan dmz:66.58.99.84 tcp pop3 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
> ACCEPT dmz:66.58.99.84 wan tcp pop3 -
>
> issued shorewall clear, shorewall restart, but still couldn't telnet to
> the mail server on port 25.
>
> Are my rules wrong or does something else have to be done? I have another
> host, a DNS server, which is working fine. SSH to the mail server on port
> 22 is working fine, too.
>
> Could you please help me?
>

Does your ISP block port 25? Many do...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

_______________________________________________

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa

---------------------------------
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now
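The log lines Bradey interprets above are netfilter log entries as Shorewall emits them: the fields before the bracket describe the packet that hit the policy, and when that packet is an ICMP error the bracketed tail quotes the packet that provoked it. The parser below is an added example written for this page, not code from the thread or from Shorewall. It reads lines in that format, flags entries the firewall generated itself (empty IN=), decodes ICMP type 3 codes, and pulls the original destination and port out of the quoted packet so a batch of such lines can be triaged at once. The first two sample lines are copied from the thread; the third line, its MAC address and its 198.51.100.7 source are constructed for contrast and do not appear in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first two lines are copied from the log excerpt
# posted in this thread; the third is a made-up ordinary inbound DROP line
# (assumption, not from the thread) so the classifier has a non-ICMP case.
SAMPLE_LOG = """\
Jan 5 23:05:12 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1508 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=55762 DF PROTO=TCP SPT=51131 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:28:02 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=204.153.177.10 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=11282 PROTO=ICMP TYPE=3 CODE=1 [SRC=204.153.177.10 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=0 DF PROTO=TCP SPT=36011 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 ]
Jan 5 23:30:00 gw1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:d0:b7:0e:cc:61:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=66.58.99.86 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
ICMP_UNREACH = {
    "0": "net unreachable", "1": "host unreachable", "2": "protocol unreachable",
    "3": "port unreachable", "4": "fragmentation needed",
    "13": "administratively prohibited",
}

HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")


@dataclass
class Packet:
    fields: dict   # K=V tokens (SRC, DST, PROTO, ...)
    flags: set     # bare tokens such as DF, SYN, RST

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "")

    @property
    def src(self) -> str:
        return self.fields.get("SRC", "")

    @property
    def dst(self) -> str:
        return self.fields.get("DST", "")

    @property
    def dport(self) -> Optional[int]:
        v = self.fields.get("DPT")
        return int(v) if v and v.isdigit() else None


@dataclass
class Finding:
    chain: str
    disposition: str
    locally_generated: bool    # True when IN= is empty and OUT= is set
    kind: str                  # "icmp-unreachable" or "rule-match"
    flags: set
    original_dst: str = ""
    original_dport: Optional[int] = None
    unreach_reason: str = ""
    summary: str = ""


def parse_packet(text: str) -> Packet:
    """Split 'K=V K=V FLAG ...' netfilter output into fields and bare flag tokens."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v          # an empty value (IN=) is kept as ""
        elif tok.isalpha() and tok.isupper():
            flags.add(tok)
    return Packet(fields, flags)


def parse_line(line: str):
    m = HEADER.search(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    if "[" in rest:                # ICMP error: offending packet is quoted in [...]
        rest, inner_txt = rest.split("[", 1)
        inner = parse_packet(inner_txt.rstrip().rstrip("]"))
    return m.group("chain"), m.group("disp"), parse_packet(rest), inner


def classify(line: str) -> Optional[Finding]:
    parsed = parse_line(line)
    if parsed is None:
        return None
    chain, disp, outer, inner = parsed
    local = outer.fields.get("IN", "") == "" and outer.fields.get("OUT", "") != ""
    if outer.proto == "ICMP" and outer.fields.get("TYPE") == "3" and inner is not None:
        code = outer.fields.get("CODE", "")
        reason = ICMP_UNREACH.get(code, "unreachable (code %s)" % code)
        who = "the firewall itself" if local else outer.src
        summary = ("%s reported '%s' for %s/%s from %s to %s; the %s in %s is of the "
                   "ICMP error, not of the original packet"
                   % (who, reason, inner.proto, inner.dport, inner.src, inner.dst, disp, chain))
        return Finding(chain, disp, local, "icmp-unreachable", inner.flags,
                       inner.dst, inner.dport, reason, summary)
    summary = "%s %s/%s from %s to %s in %s" % (disp, outer.proto, outer.dport,
                                                 outer.src, outer.dst, chain)
    return Finding(chain, disp, local, "rule-match", outer.flags,
                   outer.dst, outer.dport, "", summary)


def analyze(log_text: str):
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count unreachable reports per (original destination, port, reason)."""
    return Counter((f.original_dst, f.original_dport, f.unreach_reason)
                   for f in findings if f.kind == "icmp-unreachable")


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f.summary)
    print(dict(summarize(found)))
```

Run against the thread's lines, the summary counts two "host unreachable" reports for TCP/25 to 66.58.99.84, both generated by the firewall on its way out eth0. That is the reading Bradey gives: the REJECT is of the firewall's own ICMP error falling through to the all2all policy, so neither the SMTP rule nor the ISP is what is stopping the mail.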
--On Thursday, January 09, 2003 04:38:59 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

>
> Just to add more info. The 66.58.99.84 interface is on machine on which
> the other (eth0) 66.58.99.83 interface is outside the DMZ. They are both
> in the same box. The routing for this machine is:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
> 10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
> 10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0
>
> I am totally lost. Spent one week without incoming e-mail. Can someone
> help?
>

I can tell you that with that routing table on your mail server, there is NOTHING you can do on your Shorewall box to EVER make this work. Remember, that packets aren't spawning salmon -- they don't impart a genetic code to their children (reply packets) telling them how to return.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
I knew it, I should hire someone to do that, and stay in my Oracle DBA domain.

Anyone ready to do that for money? Send me offers at: oracle66@hotmail.com

It's just too much for me, sleepless week, my wife getting crazy. Someone put me out of my misery? I am ready to pay whatever it costs, but finish that once and forever.

-------------------------------------

Tom Eastep <teastep@shorewall.net> wrote:

--On Thursday, January 09, 2003 04:38:59 PM -0800 Trifon Anguelov wrote:

>
> Just to add more info. The 66.58.99.84 interface is on machine on which
> the other (eth0) 66.58.99.83 interface is outside the DMZ. They are both
> in the same box. The routing for this machine is:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
> 10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
> 10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0
>
> I am totally lost. Spent one week without incoming e-mail. Can someone
> help?
>

I can tell you that with that routing table on your mail server, there is NOTHING you can do on your Shorewall box to EVER make this work. Remember, that packets aren't spawning salmon -- they don't impart a genetic code to their children (reply packets) telling them how to return.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
--On Thursday, January 09, 2003 04:59:49 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

>
> I knew it, I should hire someone to do that, and stay in my Oracle DBA
> domain.
>
> Anyone ready to do that for money? Send me offers at:
> oracle66@hotmail.com
>
> It's just too much for me, sleepless week, my wife getting crazy. Someone
> put me out of my misery? I am ready to pay whatever it costs, but finish
> that once and forever.
>

Ok -- this thread has gone on long enough so I'm going to put it out of its misery.

There actually is something you can do on the shorewall box but it's pretty ugly.

ACCEPT wan dmz:66.58.99.84 tcp 25 - <your fw external IP address>:<the ip address of your DMZ interface>

This will SNAT the requests going to the mail server so it will reply back out eth1 rather than its default route of eth0

To pay your bill, see the Donations link at the Shorewall home page....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Here is what it is;

Added ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1 in /etc/shorewall/rules. Now the SMTP rules look like:

# grep 25 /etc/shorewall/rules
ACCEPT  dmz:66.58.99.84  wan              tcp  25  -
ACCEPT  lan              dmz:66.58.99.84  tcp  25  -
ACCEPT  fw               dmz:66.58.99.84  tcp  25  -
ACCEPT  wan              dmz:66.58.99.84  tcp  25  -
ACCEPT  dmz:66.58.99.84  lan              tcp  25  -
ACCEPT  wan              dmz:66.58.99.84  tcp  25  -  66.58.99.86:10.10.100.1

Did - shorewall clear, shorewall restart. Got this warning:

"Warning: SNAT will occur on all connections to this server and port - rule "ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1" "

which I guess is OK.

From an external Internet IP address did:

$ telnet 66.58.99.84 25
Trying 66.58.99.84...
telnet: Unable to connect to remote host: Connection timed out

(I guess anyone can try the same).

From the local mail server machine:

# telnet 66.58.99.84 25
Trying 66.58.99.84...
Connected to mail1.dbaclick.com (66.58.99.84).
Escape character is '^]'.
220 dbaclick.com ESMTP mail server
QUIT
Connection closed by foreign host.

It's not going to happen, I guess - Guys, thanks for all your help and replies. You are great. I am calling it quits. As they say - every frog should know its pond.

Wish you luck.

Tom Eastep <teastep@shorewall.net> wrote:

--On Thursday, January 09, 2003 04:59:49 PM -0800 Trifon Anguelov wrote:

>
> I knew it, I should hire someone to do that, and stay in my Oracle DBA
> domain.
>
> Anyone ready to do that for money? Send me offers at:
> oracle66@hotmail.com
>
> It's just too much for me, sleepless week, my wife getting crazy. Someone
> put me out of my misery? I am ready to pay whatever it costs, but finish
> that once and forever.
>

Ok -- this thread has gone on long enough so I'm going to put it out of its misery.

There actually is something you can do on the shorewall box but it's pretty ugly.

ACCEPT wan dmz:66.58.99.84 tcp 25 - <your fw external IP address>:<the ip address of your DMZ interface>

This will SNAT the requests going to the mail server so it will reply back out eth1 rather than its default route of eth0

To pay your bill, see the Donations link at the Shorewall home page....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
--On Thursday, January 09, 2003 06:37:30 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

>
> Here is what it is;
> Added ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1 in
> /etc/shorewall/rules. Now the SMTP rules look like:
>
> # grep 25 /etc/shorewall/rules
>
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
> ACCEPT lan dmz:66.58.99.84 tcp 25 -
> ACCEPT fw dmz:66.58.99.84 tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 lan tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
>

The secret(s) to your failure are right there in the rules above -- THE FIRST RULE THAT MATCHES IS THE ONE THAT IS USED !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

HOW MANY THOUSAND wan->dmz tcp 25 rules do you have?????

Sorry I came out of my cave.......
On Thu, 2003-01-09 at 18:57, Tom Eastep wrote:

> Sorry I came out of my cave.......

Tom,

No need to apologize. None of us were able to assist this gentleman. He posted similar messages over a three day span, with little response. I'm glad you jumped in to assist him.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
I know. It has been a pain, but at least I printed out every web page on the shorewall.net site, read it at least three times, and decided that's a snap. It turned out I was wrong. The latest update:

Same steps as before. Now the setup looks like:

# grep 25 /etc/shorewall/rules
ACCEPT  dmz:66.58.99.84  wan              tcp  25  -
ACCEPT  lan              dmz:66.58.99.84  tcp  25  -
ACCEPT  fw               dmz:66.58.99.84  tcp  25  -
ACCEPT  dmz:66.58.99.84  lan              tcp  25  -
ACCEPT  wan              dmz:66.58.99.84  tcp  25  -  66.58.99.86:10.10.100.1

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0

That's all on the firewall (three interface firewall setup).

# cat /etc/shorewall/policy
lan  lan  ACCEPT  info
lan  wan  ACCEPT  info
fw   lan  ACCEPT  info
lan  fw   REJECT  info
wan  wan  ACCEPT  info
wan  all  DROP
all  all  REJECT  info

# cat /etc/shorewall/interfaces
#zone  interface  broadcast      options
wan    eth0       66.58.99.87    norfc1918,routefilter,blacklist
dmz    eth1       66.58.99.87
lan    eth2       10.10.200.255

# cat /etc/shorewall/proxyarp
#address      interface  external  haveroute
66.58.99.82   eth1       eth0      No
66.58.99.84   eth1       eth0      No

# cat common.def
############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject

And still:

$ telnet 66.58.99.84 25
Trying 66.58.99.84...
telnet: Unable to connect to remote host: Connection timed out

Tom Eastep <teastep@shorewall.net> wrote:

--On Thursday, January 09, 2003 06:37:30 PM -0800 Trifon Anguelov wrote:

>
> Here is what it is;
> Added ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1 in
> /etc/shorewall/rules. Now the SMTP rules look like:
>
> # grep 25 /etc/shorewall/rules
>
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
> ACCEPT lan dmz:66.58.99.84 tcp 25 -
> ACCEPT fw dmz:66.58.99.84 tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 lan tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
>

The secret(s) to your failure are right there in the rules above -- THE FIRST RULE THAT MATCHES IS THE ONE THAT IS USED !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

HOW MANY THOUSAND wan->dmz tcp 25 rules do you have?????

Sorry I came out of my cave.......

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
Maybe someone else has the energy to sort this out -- I don't....

--On Thursday, January 09, 2003 07:28:37 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

>
> I know. Has been pain, but at least I printed out every web page out of
> the shorewall.net site, read it at least three times, and decided that's
> a snap. It turned out, I was wrong. The latest update:
> Same steps as before. Now the setup looks like:
>
> # grep 25 /etc/shorewall/rules
>
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
> ACCEPT lan dmz:66.58.99.84 tcp 25 -
> ACCEPT fw dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 lan tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
>
> # netstat -rn
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
> 10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
> 10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0
>
> That's all on the firewall (three interface firewall setup).
>
> # cat /etc/shorewall/policy
> lan lan ACCEPT info
> lan wan ACCEPT info
> fw lan ACCEPT info
> lan fw REJECT info
> wan wan ACCEPT info
> wan all DROP
> all all REJECT info
>
> # cat /etc/shorewall/interfaces
> #zone interface broadcast options
> wan eth0 66.58.99.87 norfc1918,routefilter,blacklist
> dmz eth1 66.58.99.87
> lan eth2 10.10.200.255
>
> # cat /etc/shorewall/proxyarp
> #address interface external haveroute
> 66.58.99.82 eth1 eth0 No
> 66.58.99.84 eth1 eth0 No
>
> # cat common.def
> ############################################################################
> # Shorewall 1.3 -- /etc/shorewall/common.def
> #
> # This file defines the rules that are applied before a policy of
> # DROP or REJECT is applied. In addition to the rules defined in this file,
> # the firewall will also define a DROP rule for each subnet broadcast
> # address defined in /etc/shorewall/interfaces (including "detect").
> #
> # Do not modify this file -- if you wish to change these rules, create
> # /etc/shorewall/common to replace it. It is suggested that you include
> # the command ". /etc/shorewall/common.def" in your
> # /etc/shorewall/common file so that you will continue to get the
> # advantage of new releases of this file.
> #
> run_iptables -A common -p icmp -j icmpdef
> ############################################################################
> # Drop invalid state TCP packets
> #
> run_iptables -A common -m state -p tcp --state INVALID -j DROP
> ############################################################################
> # NETBIOS chatter
> #
> run_iptables -A common -p udp --dport 137:139 -j REJECT
> run_iptables -A common -p udp --dport 445 -j REJECT
> run_iptables -A common -p tcp --dport 135 -j reject
> ############################################################################
> # UPnP
> #
> run_iptables -A common -p udp --dport 1900 -j DROP
> ############################################################################
> # BROADCASTS
> #
> run_iptables -A common -d 255.255.255.255 -j DROP
> run_iptables -A common -d 224.0.0.0/4 -j DROP
> ############################################################################
> # AUTH -- Silently reject it so that connections don't get delayed.
> #
> run_iptables -A common -p tcp --dport 113 -j reject
>
> And still:
>
> $ telnet 66.58.99.84 25
> Trying 66.58.99.84...
> telnet: Unable to connect to remote host: Connection timed out
>
> Tom Eastep <teastep@shorewall.net> wrote:
>
> --On Thursday, January 09, 2003 06:37:30 PM -0800 Trifon Anguelov
> wrote:
>
>>
>> Here is what it is;
>> Added ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1 in
>> /etc/shorewall/rules. Now the SMTP rules look like:
>>
>> # grep 25 /etc/shorewall/rules
>>
>> ACCEPT dmz:66.58.99.84 wan tcp 25 -
>> ACCEPT lan dmz:66.58.99.84 tcp 25 -
>> ACCEPT fw dmz:66.58.99.84 tcp 25 -
>> ACCEPT wan dmz:66.58.99.84 tcp 25 -
>> ACCEPT dmz:66.58.99.84 lan tcp 25 -
>> ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
>>
>
> The secret(s) to your failure are right there in the rules above -- THE
> FIRST RULE THAT MATCHES IS THE ONE THAT IS USED
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> HOW MANY THOUSAND wan->dmz tcp 25 rules do you have?????
>
> Sorry I came out of my cave.......
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
>
> Visit my Web Site: http://www.dbaclick.com
>
> Tons of Oracle DBA's scripts, articles, manuals and documents
>
> My profile: http://profiles.yahoo.com/clio_usa
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Trifon,

Tom and others have tried to assist you with your SMTP server on a DMZ problem. From what I was able to discover in the list archive, you have been discussing this problem off-list. This makes it very difficult for anyone else to assist you.

Note: the information Tom provided to you is definitive where Shorewall is concerned.

If you want to give this another shot, I suggest you start from scratch, and move forward one step at a time. After you get everything set up, please follow the suggestions on the following pages to submit a support request. Also, take a look at the FAQs and troubleshooting instructions. Thanks.

http://shorewall.net/support.htm
http://shorewall.net/FAQ.htm
http://shorewall.net/troubleshoot.htm

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
On 9/01/2003 7:33 PM -0800 Tom Eastep wrote:

>> # cat /etc/shorewall/interfaces
>>
>> # zone interface broadcast options
>> wan eth0 66.58.99.87 norfc1918,routefilter,blacklist
>> dmz eth1 66.58.99.87
>> lan eth2 10.10.200.255

"wan" and "dmz" interfaces have the same IP but different interfaces. That might be your first problem. :)

Best regards,
-------------------------------------------------------------------------
 W E B T A S T I C  | Gonzalo Servat
  \\ \\   .  // //  | Director of WEBTASTIC
   \\ \\/|\// //    | Mob: 0404 880 304
    \\\//'\\///     | URL: http://www.webtastic.com.au
  . c o m . a u     | Web hosting, web design, domain name regos & more!
--On Friday, January 10, 2003 02:42:56 AM +1100 Gonzalo Servat <gservat@webtastic.com.au> wrote:

> On 9/01/2003 7:33 PM -0800 Tom Eastep wrote:
>
>>> # cat /etc/shorewall/interfaces
>>>
>>> # zone interface broadcast options
>>> wan eth0 66.58.99.87 norfc1918,routefilter,blacklist
>>> dmz eth1 66.58.99.87
>>> lan eth2 10.10.200.255

The addresses that you see here are simply the broadcast addresses for each lan segment -- under ProxyARP, it is perfectly reasonable to have the same broadcast address for two different interfaces.
--On Thursday, January 09, 2003 7:28 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

>
> I know. Has been pain, but at least I printed out every web page out of
> the shorewall.net site, read it at least three times, and decided that's
> a snap. It turned out, I was wrong. The latest update:
> Same steps as before. Now the setup looks like:
>
> # grep 25 /etc/shorewall/rules
>
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
> ACCEPT lan dmz:66.58.99.84 tcp 25 -
> ACCEPT fw dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 lan tcp 25 -
> ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
>

Ok -- four things occur to me:

a) This probably won't work. You need to pick an SNAT address that your mail server will route back out through the Shorewall box (10.10.100.1 probably isn't routed that way).

b) I've inadvertently gotten you doing DNAT -- your ORIGINAL DEST IP address should be 66.58.99.84 and not the external IP of your firewall.

c) Even if we get it working this way, it will suck because all incoming mail traffic will appear to come from the Shorewall box. While I mentioned that earlier, it will break things like RBL checking in your MTA.

d) This won't work really well until the default route on the mail server goes out through the Shorewall box.

>
> # netstat -rn
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.58.99.84     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.82     0.0.0.0         255.255.255.255 UH     40 0      0    eth1
> 66.58.99.80     0.0.0.0         255.255.255.248 U      40 0      0    eth0
> 10.10.100.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
> 10.10.200.0     0.0.0.0         255.255.255.0   U      40 0      0    eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.58.99.81     0.0.0.0         UG     40 0      0    eth0
>

Now I'm confused -- that looks like the routing table that you posted a while ago that I thought you said was from your mail server.

> And still:
>
> $ telnet 66.58.99.84 25
> Trying 66.58.99.84...
> telnet: Unable to connect to remote host: Connection timed out

If you make the changes that I mention above it should work (although poorly). If it DOESN'T work then you will also need to post the routing table from the mail server.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
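As an added example (not code from this thread or from Shorewall itself), a small lint for rules lines of the shape quoted above that flags the three problems Tom's points (a) to (c) describe: an ORIGINAL DEST that differs from the DEST host (i.e. DNAT), an SNAT address at all (the server then sees every connection as coming from the firewall), and an SNAT address outside the networks the server routes back through the firewall. The column order and the "routes back through the firewall" network list are assumptions, and the sample rules are constructed from the ones posted.

```python
import ipaddress

# Constructed sample: the poster's port-25 rules, plus the same wan->dmz rule
# without an ORIGINAL DEST column (the form Tom's points push toward).
SAMPLE_RULES = """\
ACCEPT dmz:66.58.99.84 wan tcp 25 -
ACCEPT wan dmz:66.58.99.84 tcp 25 - 66.58.99.86:10.10.100.1
ACCEPT wan dmz:66.58.99.84 tcp 25 -
"""

# Assumption: networks from which the DMZ mail server routes replies back
# through the firewall. Under Proxy ARP that is its own public block.
SERVER_ROUTES_VIA_FW = [ipaddress.ip_network("66.58.99.80/29")]

# Assumed column order of a Shorewall 1.3-style rules line.
COLUMNS = ("action", "src", "dst", "proto", "dport", "sport", "odest")


def parse_rule(line):
    """Split one rules line into its columns, padding missing ones with '-'."""
    cols = line.split()
    cols += ["-"] * (len(COLUMNS) - len(cols))
    return dict(zip(COLUMNS, cols))


def host_part(spec):
    """'dmz:66.58.99.84' -> '66.58.99.84'; a bare zone name has no host part."""
    return spec.partition(":")[2] or None


def lint_rule(rule):
    """Return the problems found in one parsed rule (empty list = clean)."""
    problems = []
    if rule["odest"] == "-":
        return problems
    odest, _, snat = rule["odest"].partition(":")   # "addr" or "addr:snat-addr"
    dst_host = host_part(rule["dst"])
    if dst_host and odest != dst_host:
        problems.append("dnat: ORIGINAL DEST %s differs from DEST host %s; with "
                        "Proxy ARP the server is reachable at %s directly"
                        % (odest, dst_host, dst_host))
    if snat:
        problems.append("snat: all inbound mail will appear to come from %s, which "
                        "breaks sender-based checks such as RBLs" % snat)
        if not any(ipaddress.ip_address(snat) in n for n in SERVER_ROUTES_VIA_FW):
            problems.append("snat: %s is not in a network the server routes back "
                            "through the firewall" % snat)
    return problems


def lint_rules(text):
    """Lint every non-blank line; returns {line: [problems]}."""
    return {ln: lint_rule(parse_rule(ln)) for ln in text.splitlines() if ln.strip()}
```

Running `lint_rules(SAMPLE_RULES)` reports three problems for the posted wan->dmz rule and none for the version without an ORIGINAL DEST column.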
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> The biggest result of this effort to date has been:
>
> http://shorewall.sf.net/Shorewall_Squid_Usage.html

Many Thanks Tom, this is another great contribution to the community ....

> This outlines how to use Squid as a transparent proxy running on the
> firewall, in the DMZ or in the local network. In the latter two cases,
> .....

A simple question: In the latter two cases, does something change if proxyarp is used for the zone?

Thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
Good work. I was starting a howto yesterday on the squid subject as I've seen the question arise so many times and I've got experience setting it up many times where I work.

Anyhow, I look forward to your return. Have a good rest!

Your longtime friend by software use,
Paul

On Thu, 09 Jan 2003 15:02:35 -0800 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> While I'm in temporary retirement, I've decided to spend a little time
> experimenting with new things and making some updates to the web site.
> The biggest result of this effort to date has been:
>
> http://shorewall.sf.net/Shorewall_Squid_Usage.html
>
> This outlines how to use Squid as a transparent proxy running on the
> firewall, in the DMZ or in the local network. In the latter two cases,
> policy routing is used rather than Shorewall rules so that no Squid
> functionality is lost. I have personally tested all three cases in one
> form or another and I believe that the info on the page is correct.
>
> A number of other questions that have been asked lately on the mailing
> list are now treated on the web site so look around...
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.sf.net
> Washington USA \ teastep@shorewall.net

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
--On Friday, January 10, 2003 08:56:54 AM -0500 Paul Slinski <pauls@globaliqx.com> wrote:

> Good work. I was starting a howto yesterday on the squid subject as I've
> seen the question arise so many times and I've got experience setting it
> up many times where I work.

Are you using a similar technique to what I describe? If so, I would really appreciate it if you would take a close look at what I've written to ensure correctness.

>
> Anyhow, I look forward to your return. Have a good rest!
>

Thanks, Paul

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
--On Friday, January 10, 2003 11:14:56 AM +0100 Dario Lesca <d.lesca@ivrea.osra.it> wrote:

> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
>
>> The biggest result of this effort to date has been:
>>
>> http://shorewall.sf.net/Shorewall_Squid_Usage.html
>
> Many Thanks Tom, this is another great contribution to the community ....
>
>> This outlines how to use Squid as a transparent proxy running on the
>> firewall, in the DMZ or in the local network. In the latter two cases,
>> .....
>
> A simple question: In the latter two cases, does something change if
> proxyarp is used for the zone?
>

No -- I use Proxy ARP in my DMZ and the setup on the web page is just like mine (except I mark my packets with the value 1 rather than 202 :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Tom,

I only use the config mentioned in the 'Squid Running on the Firewall' section. Although I'd be willing to try the 'Squid Running on the Local Network' section, I'm sure you'd just like to get to resting and alleviate the burnout you're having... looks like you're making work for yourself, just go get some rest! :)

-Paul

On Fri, 10 Jan 2003 07:48:34 -0800 Tom Eastep <teastep@shorewall.net> opened up to us and said:

>
> --On Friday, January 10, 2003 08:56:54 AM -0500 Paul Slinski
> <pauls@globaliqx.com> wrote:
>
> > Good work. I was starting a howto yesterday on the squid subject as
> > I've seen the question arise so many times and I've got experience
> > setting it up many times where I work.
>
> Are you using a similar technique to what I describe? If so, I would
> really appreciate it if you would take a close look at what I've
> written to ensure correctness.
>
> >
> > Anyhow, I look forward to your return. Have a good rest!
> >
>
> Thanks, Paul
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.sf.net
> Washington USA \ teastep@shorewall.net

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
--On Friday, January 10, 2003 10:55:48 AM -0500 Paul Slinski <pauls@globaliqx.com> wrote:

> Tom,
>
> I only use the config mentioned in the 'Squid Running on the Firewall'
> section. Although I'd be willing to try the 'Squid Running on the Local
> Network' section, I'm sure you'd just like to get to resting and
> alleviate the burnout you're having... looks like you're making work for
> yourself, just go get some rest! :)
>

Playing with new "stuff" is relaxing for me.

I just updated the "Squid Running on the Firewall" section to include either a loc->loc rule or policy. I didn't have to add that since it was already in place, but others will probably have to make such a change.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net