Karen Barnes
2002-Sep-24 10:14 UTC
[Shorewall-users] DNS Errors. Yes I know, not another DNS question...
First I want to say I have been working at this for about 2 weeks now so it isn't like I haven't tried to figure this out on my own. I'm going to post this question, but I'm in fear Tom will yell at me. I've read everything I can, but unfortunately I don't understand. I've gone through virtually all mailing list posts and have tried all the different options. I've seen Tom yell at people left and right regarding this same issue I'm about to bring up. I tried all the configurations that Tom supplied to all those that he yelled at and none of them seem to work for me (yes I'm restarting shorewall).

My problem is regarding syslogs like this (yes I'm up at 2:30am):

<--snip-->
Sep 24 02:31:39 scrubby kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:06:5b:8c:18:20:00:10:7b:b3:02:e7:08:00 SRC=199.105.191.225 DST=64.145.190.254 LEN=74 TOS=0x00 PREC=0x00 TTL=48 ID=58693 PROTO=UDP SPT=18548 DPT=53 LEN=54
Sep 24 02:31:39 karen kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:06:5b:8c:18:20:00:10:7b:b3:02:e7:08:00 SRC=199.105.191.225 DST=64.145.190.254 LEN=74 TOS=0x00 PREC=0x00 TTL=48 ID=58694 PROTO=UDP SPT=18548 DPT=53 LEN=54
<--snip-->

Now before you yell and say it's right there in the documentation let me first say that I've tried all that. Here are my configurations as they have got to at this point:

1st I will mention that I have created my own common file using your common.def. I simply added this line as instructed in other posts I have found in this list:

run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

I am currently using two ethernet cards and a total of 3 IPs. With that said here is my interfaces:

<--snip-->
/etc/shorewall/interfaces

net  eth1  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
loc  eth2  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
<--snip-->

Now before you go crazy let me explain why things are configured like they are above. My nic cards are configured for failover. If one fails the other takes over. So basically eth1 and eth2 are the same. Sometimes one IP will respond on eth1 and sometimes on eth2. So why is there a "192.168.0.255"? The ONLY reason is that we have a managed switch and we don't want the switch sitting out on the public network for anyone to just try and hack. So the switch is configured with the "192.168.0.2" for example. This allows us to keep the switch off the net and at the same time allow us to manage it internally. Yes it is password protected, but we're hoping this extra step will make it more secure.

<--snip-->
/etc/shorewall/policy

fw   all  ACCEPT
loc  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
<--snip-->

<--snip-->
/etc/shorewall/rules

ACCEPT  net:64.145.190.248/29  fw  all
ACCEPT  net:63.189.29.144/28   fw  all
ACCEPT  loc:64.145.190.248/29  fw  all
ACCEPT  loc:63.189.29.144/28   fw  all
### I added all the following after reading posts - didn't help
ACCEPT  fw   net  udp  53
ACCEPT  fw   net  tcp  53
ACCEPT  fw   loc  udp  53
ACCEPT  fw   loc  tcp  53
ACCEPT  net  fw   udp  53
ACCEPT  loc  fw   udp  53
<--snip-->

These are other machines in our network. I added all those "udp" and port 53 lines based on messages I have read from the mailing list. Believe me I've tried everything except the "right" thing obviously.

I don't know why this has to be so difficult. If you're going to use DNS I don't see why there can't be some simple rule for DNS like (accept dns myip) or (accept dns isp's-ip) and then all the necessary udp, tcp and xyz's will be handled. I'm completely lost with all these terms, forward, udp, route from the fw to the loc back out to the net and so on...

At this moment this machine is not to be accessible by the public except where needed like this DNS stuff that seems to log millions of lines a day. We are currently testing software for clients (yes we write software). At times we will make the server accessible to our clients so we will add those rules when needed.

This machine is NOT a masquerading server. It is a standalone.

OK I'm ready to be yelled at Tom,

Karen

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
Tom Eastep
2002-Sep-24 13:52 UTC
[Shorewall-users] DNS Errors. Yes I know, not another DNS question...
Karen,

Karen Barnes wrote:

> 1st I will mention that I have created my own common file using your
> common.def. I simply added this line as instructed in other posts I have
> found in this list:
>
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

This rule is for DNS replies -- your problem is DNS requests.

> I am currently using two ethernet cards and a total of 3 IPs. With that
> said here is my interfaces:
>
> <--snip-->
> /etc/shorewall/interfaces
>
> net  eth1  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
> loc  eth2  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
> <--snip-->
>
> Now before you go crazy let me explain why things are configured like
> they are above. My nic cards are configured for failover. If one fails
> the other takes over. So basically eth1 and eth2 are the same.

So both eth1 and eth2 are connected to the same switch/hub? If so, then they should be in the same zone since 'net' and 'loc' make no sense in that case.

> Sometimes one IP will respond on eth1 and sometimes on eth2. So why is
> there a "192.168.0.255"? The ONLY reason is that we have a managed switch
> and we don't want the switch sitting out on the public network for anyone
> to just try and hack. So the switch is configured with the "192.168.0.2"
> for example. This allows us to keep the switch off the net and at the
> same time allow us to manage it internally. Yes it is password
> protected, but we're hoping this extra step will make it more secure.

Ok.

> <--snip-->
> /etc/shorewall/policy
>
> fw   all  ACCEPT
> loc  net  ACCEPT
> net  all  DROP    info
> all  all  REJECT  info
> <--snip-->
>
> <--snip-->
> /etc/shorewall/rules
>
> ACCEPT  net:64.145.190.248/29  fw  all
> ACCEPT  net:63.189.29.144/28   fw  all
> ACCEPT  loc:64.145.190.248/29  fw  all
> ACCEPT  loc:63.189.29.144/28   fw  all
> ### I added all the following after reading posts - didn't help
> ACCEPT  fw   net  udp  53
> ACCEPT  fw   net  tcp  53
> ACCEPT  fw   loc  udp  53
> ACCEPT  fw   loc  tcp  53
> ACCEPT  net  fw   udp  53
> ACCEPT  loc  fw   udp  53
> <--snip-->
>
> These are other machines in our network. I added all those "udp" and
> port 53 lines based on messages I have read from the mailing list.
> Believe me I've tried everything except the "right" thing obviously.

Well, the last rule SHOULD have prevented the messages you are seeing.

> I don't know why this has to be so difficult. If you're going to use DNS
> I don't see why there can't be some simple rule for DNS like (accept dns
> myip) or (accept dns isp's-ip) and then all the necessary udp, tcp and
> xyz's will be handled. I'm completely lost with all these terms,
> forward, udp, route from the fw to the loc back out to the net and so on...

Possibly you should look at the other firewall scripts available. Some of them undoubtedly take that approach since it's more intuitive (but not particularly flexible).

> At this moment this machine is not to be accessible by the public except
> where needed like this DNS stuff that seems to log millions of lines a
> day. We are currently testing software for clients (yes we write
> software). At times we will make the server accessible to our clients so
> we will add those rules when needed.
>
> This machine is NOT a masquerading server. It is a standalone.

Please:

a) "shorewall restart"
b) Try to access the DNS server on the system and generate some of the log messages as you originally posted.
c) "shorewall status > /tmp/status"
d) Send me the /tmp/status file.

In the long run, if you stay with Shorewall you will want to eliminate one of your zones as I mentioned above.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
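As an added illustration (not part of either post and not Shorewall's own tooling), the following Python script does the triage step Tom's reply implies: it parses the "Shorewall:chain:disposition:" log lines Karen posted, maps the IN/OUT interfaces to zones using the ZONE INTERFACE BROADCAST OPTIONS layout of her interfaces file, and tells a DNS request (DPT=53) apart from a DNS reply (SPT=53), which is the distinction Tom draws about the `--sport 53` common rule. The function names, the sample log text and the simplified interface-to-zone mapping (one zone per interface, an empty IN or OUT meaning the firewall itself) are this example's own assumptions, not Shorewall behaviour documented on the page.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample input: the two log lines from the original post, with the
# MAC field rejoined onto one token as the kernel prints it.
SAMPLE_LOG = """\
Sep 24 02:31:39 scrubby kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:06:5b:8c:18:20:00:10:7b:b3:02:e7:08:00 SRC=199.105.191.225 DST=64.145.190.254 LEN=74 TOS=0x00 PREC=0x00 TTL=48 ID=58693 PROTO=UDP SPT=18548 DPT=53 LEN=54
Sep 24 02:31:39 karen kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:06:5b:8c:18:20:00:10:7b:b3:02:e7:08:00 SRC=199.105.191.225 DST=64.145.190.254 LEN=74 TOS=0x00 PREC=0x00 TTL=48 ID=58694 PROTO=UDP SPT=18548 DPT=53 LEN=54
"""

# Constructed copy of the posted /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS).
INTERFACES = """\
net  eth1  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
loc  eth2  64.145.190.255,192.168.0.255  routefilter,noping,blacklist,routestopped
"""

# Log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE pairs.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_interfaces(text: str) -> Dict[str, str]:
    """Map interface name -> zone name from an interfaces file (assumed one zone per interface)."""
    zones: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        zone, iface = line.split()[:2]
        zones[iface] = zone
    return zones


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return chain, disposition and the KEY=VALUE fields of one log line, or None if not Shorewall."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        # netfilter prints LEN twice: IP total length first, then the UDP/TCP length.
        if key == "LEN" and "LEN" in entry:
            key = "LEN_L4"
        entry[key] = value
    return entry


def zone_pair(entry: Dict[str, str], zones: Dict[str, str]) -> Tuple[str, str]:
    """Derive (source zone, destination zone); an empty IN or OUT means the firewall itself."""
    src = "fw" if not entry.get("IN") else zones.get(entry["IN"], "?")
    dst = "fw" if not entry.get("OUT") else zones.get(entry["OUT"], "?")
    return src, dst


def dns_direction(entry: Dict[str, str]) -> Optional[str]:
    """'request' for traffic to port 53, 'reply' for traffic from port 53, else None."""
    if entry.get("PROTO") not in ("UDP", "TCP"):
        return None
    if entry.get("DPT") == "53":
        return "request"
    if entry.get("SPT") == "53":
        return "reply"
    return None


def summarize(log_text: str, interfaces_text: str) -> Dict[Tuple[str, ...], int]:
    """Count logged packets per (src zone, dst zone, proto, dport, dns direction)."""
    zones = parse_interfaces(interfaces_text)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        src, dst = zone_pair(entry, zones)
        key = (src, dst, entry.get("PROTO", "?"), entry.get("DPT", "-"), dns_direction(entry) or "-")
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG, INTERFACES).items():
        src, dst, proto, dport, direction = key
        print(f"{n:4d}  {src}->{dst}  {proto} dport {dport}  ({direction})")
```

Run against the posted lines it reports two loc->fw UDP packets to port 53 classified as requests, which is why a rule matching source port 53 (replies) cannot affect them; feeding it a full day's syslog shows which zone pair and port account for the volume Karen describes.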