thr3ads.net - Shorewall users - [Shorewall-users] Local2local? [Apr 2002]

If this information is useful, please help other people find it:
Share via:

Andy.Geraerts@pi.be

2002-Apr-03 22:16 UTC

[Shorewall-users] Local2local?

This is a multipart message in MIME format.
--=_alternative 007A66E5C1256B90_Content-Type: text/plain;
charset="US-ASCII"

Hello All!

My situation :

Firewall : 3 nics, LOC, DMZ, NET
LOC has ip 192.168.7.254
In the LOC network there is a WAN router 192.168.7.253 wich connects to 
network 192.168.1.x
The clients have the firewall as default gateway.

I get these erros when I try to access a host in 192.168.1.x from 
192.168.7.x :

Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 
SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PRE
C=0x00 TTL=127 ID=33004 DF PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 
RES=0x00 SYN URGP=0

I have no idea where I can enable this? Why are these packets blocked?

Here are my configs :

interfaces:
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth2    detect          routefilter,dhcp
loc     eth0    detect          routestopped,multi
dmz     eth1    10.0.0.255      routestopped

masq:
#INTERFACE              SUBNET          ADDRESS
eth2                    eth0
eth2                    eth1

policy:
#CLIENT         SERVER          POLICY          LOG LEVEL
loc             fw              ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

rules:
##############################################################################
#RESULT         CLIENT(S) SERVER(S)     PROTO   PORT(S) CLIENT PORT(S) 
ADDRESS
#
# Allow SSH from the local network
#
ACCEPT          loc       fw            tcp     ssh,1352
#
# Allow SSH and Auth from the internet
#
ACCEPT          net       fw            tcp     ssh,auth
#
# Allow Lotus Notes from the internet
#
ACCEPT          net       loc:192.168.7.2       tcp     1352    - all
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT          fw        net           udp     ntp
#
# Redirect all www requests from the local network to a squid server 
running on the
# firewall and listening on port 8080.
#
ACCEPT          loc       fw::8080      tcp     www     -       all
ACCEPT          fw        net           tcp     www
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Thanks for your help!

Andy...


--=_alternative 007A66E5C1256B90_Content-Type: text/html;
charset="US-ASCII"


<br><font size=2 face="Courier New">Hello
All!</font>
<br>
<br><font size=2 face="Courier New">My situation
:</font>
<br>
<br><font size=2 face="Courier New">Firewall : 3 nics,
LOC, DMZ, NET</font>
<br><font size=2 face="Courier New">LOC has ip
192.168.7.254</font>
<br><font size=2 face="Courier New">In the LOC network
there is a WAN router 192.168.7.253 wich connects to network
192.168.1.x</font>
<br><font size=2 face="Courier New">The clients have the
firewall as default gateway.</font>
<br>
<br><font size=2 face="Courier New">I get these erros when
I try to access a host in 192.168.1.x from 192.168.7.x :</font>
<br>
<br><font size=2 face="Courier New">Apr &nbsp;4
00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0
SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PRE</font>
<br><font size=2 face="Courier New">C=0x00 TTL=127
ID=33004 DF PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 RES=0x00 SYN
URGP=0<br>
<br>
I have no idea where I can enable this? Why are these packets
blocked?</font>
<br>
<br><font size=2 face="Courier New">Here are my configs
:</font>
<br>
<br><font size=2 face="Courier
New">interfaces:</font>
<br><font size=2 face="Courier New">#ZONE &nbsp;
&nbsp;INTERFACE &nbsp; &nbsp; &nbsp;BROADCAST &nbsp;
&nbsp; &nbsp; OPTIONS</font>
<br><font size=2 face="Courier New">net &nbsp;
&nbsp; eth2 &nbsp; &nbsp;detect &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp;routefilter,dhcp</font>
<br><font size=2 face="Courier New">loc &nbsp;
&nbsp; eth0 &nbsp; &nbsp;detect &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp;routestopped,multi</font>
<br><font size=2 face="Courier New">dmz &nbsp;
&nbsp; eth1 &nbsp; &nbsp;10.0.0.255 &nbsp; &nbsp;
&nbsp;routestopped</font>
<br>
<br><font size=2 face="Courier New">masq:</font>
<br><font size=2 face="Courier New">#INTERFACE &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;SUBNET
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ADDRESS</font>
<br><font size=2 face="Courier New">eth2 &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp;eth0</font>
<br><font size=2 face="Courier New">eth2 &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp;eth1</font>
<br>
<br><font size=2 face="Courier New">policy:</font>
<br><font size=2 face="Courier New">#CLIENT &nbsp;
&nbsp; &nbsp; &nbsp; SERVER &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp;POLICY &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp;LOG LEVEL</font>
<br><font size=2 face="Courier New">loc &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; fw &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ACCEPT</font>
<br><font size=2 face="Courier New">fw &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;loc &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ACCEPT</font>
<br><font size=2 face="Courier New">fw &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;net &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ACCEPT</font>
<br><font size=2 face="Courier New">loc &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; net &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; ACCEPT</font>
<br><font size=2 face="Courier New">net &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; all &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; DROP &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;info</font>
<br><font size=2 face="Courier New">all &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; all &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; REJECT &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp;info</font>
<br>
<br><font size=2 face="Courier New">rules:</font>
<br><font size=2 face="Courier
New">##############################################################################</font>
<br><font size=2 face="Courier New">#RESULT &nbsp;
&nbsp; &nbsp; &nbsp; CLIENT(S) SERVER(S) &nbsp; &nbsp; PROTO
&nbsp; PORT(S) CLIENT PORT(S) ADDRESS</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Allow SSH from the
local network</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;loc &nbsp; &nbsp; &nbsp;
fw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tcp
&nbsp; &nbsp; ssh,1352</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Allow SSH and Auth
from the internet</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;net &nbsp; &nbsp; &nbsp;
fw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tcp
&nbsp; &nbsp; ssh,auth</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Allow Lotus Notes
from the internet</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;net &nbsp; &nbsp; &nbsp;
loc:192.168.7.2 &nbsp; &nbsp; &nbsp; tcp &nbsp; &nbsp; 1352
&nbsp; &nbsp;- &nbsp; &nbsp; &nbsp; all</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Run an NTP daemon on
the firewall that is synced with outside sources</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;fw &nbsp; &nbsp; &nbsp;
&nbsp;net &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; udp
&nbsp; &nbsp; ntp</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Redirect all www
requests from the local network to a squid server running on the</font>
<br><font size=2 face="Courier New"># firewall and
listening on port 8080.</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;loc &nbsp; &nbsp; &nbsp;
fw::8080 &nbsp; &nbsp; &nbsp;tcp &nbsp; &nbsp; www
&nbsp; &nbsp; - &nbsp; &nbsp; &nbsp; all</font>
<br><font size=2 face="Courier New">ACCEPT &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp;fw &nbsp; &nbsp; &nbsp;
&nbsp;net &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tcp
&nbsp; &nbsp; www</font>
<br><font size=2 face="Courier New">#LAST LINE -- ADD YOUR
ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font>
<br>
<br>
<br><font size=2 face="sans-serif">Thanks for your
help!</font>
<br>
<br><font size=2 face="sans-serif">Andy...<br>
<br>
</font>
--=_alternative 007A66E5C1256B90_=--

Tom Eastep

2002-Apr-03 22:26 UTC

head link

[Shorewall-users] Local2local?

On Thu, 4 Apr 2002, Andy.Geraerts@pi.be wrote:
> Hello All!
>
> My situation :
>
> Firewall : 3 nics, LOC, DMZ, NET
> LOC has ip 192.168.7.254
> In the LOC network there is a WAN router 192.168.7.253 wich connects to
> network 192.168.1.x
> The clients have the firewall as default gateway.
>
> I get these erros when I try to access a host in 192.168.1.x from
> 192.168.7.x :
>
> Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0
> SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PRE
> C=0x00 TTL=127 ID=33004 DF PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192
> RES=0x00 SYN URGP=0
>
> I have no idea where I can enable this? Why are these packets blocked?
>
The firewall is doing exactly what you are telling it to do -- see your
policies below. What happens to loc->loc connection requests? -- they fall
through to the all->all policy.
> Here are my configs :
>
> policy:
> #CLIENT         SERVER          POLICY          LOG LEVEL
> loc             fw              ACCEPT
> fw              loc             ACCEPT
> fw              net             ACCEPT
> loc             net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
I personally would add

loc		loc		ACCEPT

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom Eastep

2002-Apr-03 22:28 UTC

head link

[Shorewall-users] Local2local?

On Wed, 3 Apr 2002, Tom Eastep wrote:
>
> > Here are my configs :
> >
> > policy:
> > #CLIENT         SERVER          POLICY          LOG LEVEL
> > loc             fw              ACCEPT
> > fw              loc             ACCEPT
> > fw              net             ACCEPT
> > loc             net             ACCEPT
> > net             all             DROP            info
> > all             all             REJECT          info
> >
>
> I personally would add
>
> loc		loc		ACCEPT
>
But be sure that you add it BEFORE the all->all policy :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Shorewall users - Apr 2002 - Local2local?

[Shorewall-users] Local2local?

[Shorewall-users] Local2local?

[Shorewall-users] Local2local?