----- Original Message -----
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: <shorewall-users@shorewall.net>
Sent: Thursday, December 12, 2002 10:51 PM
Subject: RE: [Shorewall-users] Shorewall & X-Window - Revisited
> > -----Original Message-----
> > From: Mitchell Martin
> > Sent: Thursday, December 12, 2002 6:03 PM
> > Subject: [Shorewall-users] Shorewall & X-Window - Revisited
> >
> >
> > Tom,
> >
> > After our last exchange, I added the gateway route to the VMS
> > boxes and everything worked perfectly using the simple rules:
> >
> > ACCEPT pc scada tcp 512
> > ACCEPT scada pc tcp 6000:6010
> >
> > Of course, I do have to add a static network route to the
> > PCs in order to get to the SCADA boxes since that PC LAN
> > already has a default gateway to the Internet via our
> > SonicWall box. This isn't a problem because I only
> > have 5 - 10 PCs that will be accessing the SCADA servers
> > so there is little extra work involved in setting the routes.
>
> First, I have not followed this thread so I may not have a complete
> picture of your network, but I have installed dozens of SonicWalls. So
> far, every model that I have installed has the capability of adding static
> routes to its tables. By doing so, it should send an icmp redirect back to
> the PC which would then add a dynamic route to its tables (SCADA), thus
> eliminating the SonicWall as a hop for that network.
>
> BTW: These are the rules I use to run X from my loc->dmz zones.
> ACCEPT loc dmz udp xdmcp
> ACCEPT dmz loc tcp 6000:6002
>
> Steve Cowles
Steve,
Thanks for the reply. I wasn't involved with the purchase and installation
of the SonicWall and didn't realize that it had that feature. Frankly, I
don't have much experience in routers at all. I tried your suggestion today
and it works just as you stated. It does eliminate the need to add routes to
my PCs. Thanks!
The X application on my PCs (eXcursion) doesn't use XDMCP broadcast to
establish a connection but rather by using the EXEC port 512. My ACCEPT
rules, the same as yours except using tcp 512 instead of udp xdmcp, worked
great as long as I had a route on the PCs. Even better now that you have
introduced me to the SonicWall static route redirect! ;)
I was mostly experimenting with the DNAT rules in order to gain a better
understanding of the EXEC and X protocol and how iptables was handling the
connection - hoping to increase my knowledge through reading,
experimentation and the occasional nudge in the right direction from those
more experienced such as yourself. You have my sincere appreciation for
your contribution to my education! Hopefully, as I learn more about
Shorewall, I can be of help to someone in the future.
Sincerely,
Mitch
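As an added illustration (not part of the thread, and not Shorewall's own code), the following Python script parses rules lines of the form used above, expands the X-server port ranges into the display numbers they expose (X display :N listens on TCP 6000+N), and pairs each launch rule (tcp 512 / udp xdmcp) with the matching return-path rule. The service-name table and the 64-display ceiling are assumptions of this script.

```python
import re

# Constructed lookup of the two service names the thread relies on.
SERVICE_PORTS = {"xdmcp": ("udp", 177), "exec": ("tcp", 512)}
X_BASE_PORT = 6000      # X display :N accepts TCP on port 6000+N
X_MAX_DISPLAY = 63      # assumed upper bound for an X display range

def parse_ports(proto, field):
    """Expand a Shorewall DPORT field ('512', 'xdmcp', '6000:6010') to (lo, hi)."""
    if field in SERVICE_PORTS:
        svc_proto, port = SERVICE_PORTS[field]
        if svc_proto != proto:
            raise ValueError(f"{field} is {svc_proto}, but the rule says {proto}")
        return port, port
    m = re.fullmatch(r"(\d+)(?::(\d+))?", field)
    if not m:
        raise ValueError(f"unrecognised port field {field!r}")
    lo = int(m.group(1))
    return lo, int(m.group(2) or lo)

def parse_rule(line):
    """Parse one 'ACTION SOURCE DEST PROTO DPORT' rules line into a dict."""
    action, src, dst, proto, dport = line.split()[:5]
    lo, hi = parse_ports(proto, dport)
    return {"action": action, "src": src, "dst": dst, "proto": proto, "lo": lo, "hi": hi}

def x_displays(rule):
    """X display numbers a TCP rule exposes, or [] if it is not an X-server range."""
    if rule["proto"] != "tcp" or rule["lo"] < X_BASE_PORT \
            or rule["hi"] > X_BASE_PORT + X_MAX_DISPLAY:
        return []
    return list(range(rule["lo"] - X_BASE_PORT, rule["hi"] - X_BASE_PORT + 1))

def audit(lines):
    """Pair each launch rule (exec/xdmcp) with the reverse X rule; list displays opened."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.startswith("#")]
    report = []
    for launch in rules:
        if (launch["lo"], launch["hi"]) not in {(512, 512), (177, 177)}:
            continue
        for back in rules:
            if back["src"] == launch["dst"] and back["dst"] == launch["src"]:
                disp = x_displays(back)
                if disp:
                    report.append((launch["src"], launch["dst"], disp))
    return report

# Constructed samples: the two rule sets quoted in the thread.
SCADA_RULES = ["ACCEPT pc scada tcp 512", "ACCEPT scada pc tcp 6000:6010"]
DMZ_RULES = ["ACCEPT loc dmz udp xdmcp", "ACCEPT dmz loc tcp 6000:6002"]

if __name__ == "__main__":
    for src, dst, disp in audit(SCADA_RULES) + audit(DMZ_RULES):
        print(f"{src} -> {dst}: X displays :{disp[0]} to :{disp[-1]} reachable back into {src}")
```

Running it shows that the SCADA rule set opens eleven displays (:0 to :10) on the PC side, while the loc/dmz set opens three.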