Jens wrote:

> Sorry if this is entirely too stupid to ask ..... alas, I am having problems
> wrapping my head around this.
> I have set up a basic 3 zone shorewall configuration using the example files
> given on the shorewall site. I was under the impression that this should work
> for basic configurations but I seem to have some problems:
> I can ping between the firewall box and an internal machine as well as
> between fw and an external box on the internet. From the firewall machine I
> can ping a host name (say xyz.com).
> From the internal machine I can ping the fw as well as an outside box using
> an ip number but I can not ping a host name.
> ping xyz.com will not work but ping 123.456.789.1 (hypothetical ip of
> xyz.com) will work just fine.
>
> I am apparently missing a rule that allows name translation ???
> A pointer in the right direction would be appreciated.

Not knowing how your DNS is set and the type of machines in your LAN, you can start by looking in your firewall's /etc/resolv.conf and see which IPs are residing there. Probably your ISP's numbers. You will have to have rules like this, roughly:

    ACCEPT net:ISP's ip loc tcp domain
    ACCEPT net:ISP's ip loc udp domain

if you are using the default policies that come with Shorewall. Connections from the LAN to the Internet are allowed by default but the policy for Internet to All is DROP, so you have to allow those DNS packets through to the LAN.
I use djbdns, which features dnscache, a local caching DNS server, on the firewall box; it runs on a slim Slackware 8.0 and on a LEAF floppy disk, too: http://cr.yp.to/djbdns.html

The rules look like this:

    # Accept outgoing connections from the firewall
    #
    ACCEPT fw net tcp $FW_TCP_OUT_PORTS
    ACCEPT fw net udp $FW_UDP_OUT_PORTS

    # Accept incoming connections from the internet to the firewall
    #
    ACCEPT net fw tcp $FW_TCP_IN_PORTS
    ACCEPT net fw udp $FW_UDP_IN_PORTS

    # Accept connections from the local network to the firewall
    #
    ACCEPT loc fw udp $LOC_FW_UDP_PORTS

The PORTS variable is configured as 53. Since dnscache is running on the firewall the traffic is self-explanatory. DNS works very fast when done locally and you don't have to bother with going to your ISP for DNS queries all the time.

--
Patrick Benson
Stockholm, Sweden
Jens,

----- Original Message -----
From: "Jens" <jens@pacificsun.ca>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 06, 2002 10:10 AM
Subject: [Shorewall-users] Basic question

> From the internal machine I can ping the fw as well as an outside box using
> an ip number but I can not ping a host name.
> ping xyz.com will not work but ping 123.456.789.1 (hypothetical ip of
> xyz.com) will work just fine.
>
> I am apparently missing a rule that allows name translation ???
> A pointer in the right direction would be appreciated.

If you have not disturbed the original policy for loc->net, then this isn't a rule problem. The original /etc/shorewall/policy file has:

    loc net ACCEPT

That means that any request from the local zone to the internet is allowed.

So where are the DNS servers that your local systems are configured to use? Do your local systems use a DNS server in your DMZ? Then perhaps you are missing a rule of the form:

    ACCEPT loc dmz udp domain

Have you looked at the output of "shorewall log" after you have tried pinging by name? If so, have you looked at http://www.shorewall.net/troubleshoot.htm to try to decode the log messages to help understand the problem?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
One addition -- After I sent this response, I noticed that you are using the 3-interface sample. Rather than having a missing rule, you may be missing "domain" (or "53") from LOC_DMZ_UDP_PORTS (I think that's the name of the variable -- I'm on a business trip and don't have access to the code).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <jens@pacificsun.ca>; <shorewall-users@shorewall.net>
Sent: Wednesday, March 06, 2002 7:30 PM
Subject: Re: [Shorewall-users] Basic question

> Jens,
>
> ----- Original Message -----
> From: "Jens" <jens@pacificsun.ca>
> To: <shorewall-users@shorewall.net>
> Sent: Wednesday, March 06, 2002 10:10 AM
> Subject: [Shorewall-users] Basic question
>
> > From the internal machine I can ping the fw as well as an outside box
> > using an ip number but I can not ping a host name.
> > ping xyz.com will not work but ping 123.456.789.1 (hypothetical ip of
> > xyz.com) will work just fine.
> >
> > I am apparently missing a rule that allows name translation ???
> > A pointer in the right direction would be appreciated.
>
> If you have not disturbed the original policy for loc->net, then this
> isn't a rule problem. The original /etc/shorewall/policy file has:
>
>     loc net ACCEPT
>
> That means that any request from the local zone to the internet is
> allowed.
>
> So where are the DNS servers that your local systems are configured to
> use? Do your local systems use a DNS server in your DMZ? Then perhaps you
> are missing a rule of the form:
>
>     ACCEPT loc dmz udp domain
>
> Have you looked at the output of "shorewall log" after you have tried
> pinging by name? If so, have you looked at
> http://www.shorewall.net/troubleshoot.htm to try to decode the log
> messages to help understand the problem?
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
One more thought -- you are using the three-interface sample yet you have only two interfaces; what does your entire /etc/shorewall/params file look like and what does "shorewall status" show?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

----- Original Message -----
From: "Jens" <jens@pacificsun.ca>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 12:16 AM
Subject: Re: [Shorewall-users] Basic question

> Looks like the computer is winning :(
> I have only one additional weirdness I can throw into the equation ....
> A ping with a host name is now generating the expected activity on the
> local interface. What I see is 192.168.0.2 (the computer on loc) asking
> 192.168.0.1 (eth1, the loc interface card, on the firewall) for stuff over
> port 53. I don't seem to see a corresponding output to the internet with
> the translated IP information. I am not sure I see this correctly as I
> don't know what I 'should' be seeing.
> Re the configuration of the loc computer - I am pretty sure that the
> configuration is correct there since I can take the cable from the
> Shorewall firewall and plug it into the Smoothwall firewall and everything
> works (plus the fact that ping with an IP number works which seems to
> indicate that the gateway is configured correctly)
> Anyway, it's time to sleep over it and tackle it again tomorrow.
>
> Thanks again for all the input !
>
> Jens
>
> On March 6, 2002 10:37 pm, you wrote:
> > ----- Original Message -----
> > From: "Jens" <jens@pacificsun.ca>
> > To: <shorewall-users@shorewall.net>
> > Sent: Wednesday, March 06, 2002 10:05 PM
> > Subject: Re: [Shorewall-users] Basic question
> >
> > > In my flailing around with this problem, I have done a major hack and
> > > slash to the Shorewall configuration setup.
> >
> > So now you may have two problems:
> >
> > a) Your original DNS problem.
> > b) The havoc caused by your hacking and slashing
> >
> > > Rules file: commented out completely. If I understand the flow of
> > > things correctly, this would mean that the policy file is what directs
> > > the firewall action. Since loc2net is ACCEPTED, I would expect
> > > everything from loc to pass thru to the internet.
> >
> > Yep -- same as it did before you started hacking.
> >
> > > The log output shows a proper loc to net transaction when using an IP
> > > number but SHOWS NO ENTRY when using a site name rather than an IP
> > > when attempting to ping out.
> >
> > Under the assumption that you have followed the troubleshooting
> > instructions and disabled iptables log rate limiting, this is an
> > important clue -- it means that your test system isn't routing DNS
> > lookup requests through the firewall. Carefully review the IP and
> > resolv.conf settings on your internal machine then if they look correct,
> > you will have to drag out tcpdump on your firewall system and see where
> > the packets are (aren't) going.
> >
> > > Do I maybe need a LOC_NET_TCP_PORTS = 53 ????
> >
> > No (and even if you did, you've hacked out all of the rules that deal
> > with the opening of ports).
> >
> > -Tom
----- Original Message -----
From: "Jens" <jens@pacificsun.ca>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 12:16 AM
Subject: Re: [Shorewall-users] Basic question

> I have only one additional weirdness I can throw into the equation ....
> A ping with a host name is now generating the expected activity on the
> local interface. What I see is 192.168.0.2 (the computer on loc) asking
> 192.168.0.1 (eth1, the loc interface card, on the firewall) for stuff over
> port 53.

So your firewall runs a DNS server? I thought you were using your ISP's servers, in which case 192.168.0.2 should be asking one of those servers for "stuff over port 53".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Okay, here's a basic addressing question.

(/etc/shorewall/params)

    NET_LOC_TCP_PORTS1=none
    NET_LOC_UDP_PORTS1=none
    DMZ_LOC_TCP_PORTS1=25
    DMZ_LOC_UDP_PORTS1=514
    FW_LOC_TCP_PORTS1=25
    FW_LOC_UDP_PORTS1=514
    LOC_SERVER1=192.168.100.11
    #
    NET_DMZ_TCP_PORTS1=21
    NET_DMZ_UDP_PORTS1=none
    LOC_DMZ_TCP_PORTS1=21,22,53
    LOC_DMZ_UDP_PORTS1=53
    FW_DMZ_TCP_PORTS1=none
    FW_DMZ_UDP_PORTS1=none
    DMZ_SERVER1=192.168.200.10
    #

The firewall eth0 is 204.228.188.6
eth1 is 192.168.100.1
eth2 is 192.168.200.1

When I'm on the net, and I want to reach the ftp server on the dmz, I use the address of eth0 and it gets transferred out eth2 to dmz_server1 even though I don't know the actual ip of dmz_server1 (from outside on the net).

So here's the question: when I'm on the fw, or the dmz, what address do I use to get to loc_server1 using udp port 514? Using its real ip address doesn't seem to make it. Should I be using the outside address for the firewall to get to loc_server1?

It's a wee tad confusing. <s>

Gar
Gar Nelson wrote:

> Okay, here's a basic addressing question.
>
> (/etc/shorewall/params)
>
>     NET_LOC_TCP_PORTS1=none
>     NET_LOC_UDP_PORTS1=none
>     DMZ_LOC_TCP_PORTS1=25
>     DMZ_LOC_UDP_PORTS1=514
>     FW_LOC_TCP_PORTS1=25
>     FW_LOC_UDP_PORTS1=514
>     LOC_SERVER1=192.168.100.11

And a related question: "shorewall show log" outputs the following because I neglected to change NET_LOC_UDP_PORTS1 to "514" rather than "none", correct? Hope so, since that's what I just changed and restarted shorewall. Hopefully I'll be getting yet more information in my local syslog.

    Mar 7 16:53:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=260 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 16:58:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=261 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:03:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=262 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:08:19 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=263 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:18:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=265 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:23:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=266 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:28:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=267 PROTO=UDP SPT=6116 DPT=514 LEN=129
    Mar 7 17:33:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=268 PROTO=UDP SPT=6116 DPT=514 LEN=129
Gar,

----- Original Message -----
From: "Gar Nelson" <gar.nelson@noaa.gov>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 9:13 AM
Subject: [Shorewall-users] Another basic question on addressing

> Okay, here's a basic addressing question.
>
> (/etc/shorewall/params)
>
>     NET_LOC_TCP_PORTS1=none
>     NET_LOC_UDP_PORTS1=none
>     DMZ_LOC_TCP_PORTS1=25
>     DMZ_LOC_UDP_PORTS1=514
>     FW_LOC_TCP_PORTS1=25
>     FW_LOC_UDP_PORTS1=514
>     LOC_SERVER1=192.168.100.11
>     #
>     NET_DMZ_TCP_PORTS1=21
>     NET_DMZ_UDP_PORTS1=none
>     LOC_DMZ_TCP_PORTS1=21,22,53
>     LOC_DMZ_UDP_PORTS1=53
>     FW_DMZ_TCP_PORTS1=none
>     FW_DMZ_UDP_PORTS1=none
>     DMZ_SERVER1=192.168.200.10
>     #
>
> The firewall eth0 is 204.228.188.6
> eth1 is 192.168.100.1
> eth2 is 192.168.200.1
>
> When I'm on the net, and I want to reach the ftp server on the dmz, I
> use the address of eth0 and it gets transferred out eth2 to dmz_server1
> even though I don't know the actual ip of dmz_server1 (from outside on
> the net).
>
> So here's the question: when I'm on the fw, or the dmz, what address do
> I use to get to loc_server1 using udp port 514? Using its real ip
> address doesn't seem to make it. Should I be using the outside address
> for the firewall to get to loc_server1?
>
> It's a wee tad confusing. <s>

And it's also FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Gar,

----- Original Message -----
From: "Gar Nelson" <gar.nelson@noaa.gov>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 9:54 AM
Subject: Re: [Shorewall-users] Another basic question on addressing

> Gar Nelson wrote:
>
> > Okay, here's a basic addressing question.
> >
> > (/etc/shorewall/params)
> >
> >     NET_LOC_TCP_PORTS1=none
> >     NET_LOC_UDP_PORTS1=none
> >     DMZ_LOC_TCP_PORTS1=25
> >     DMZ_LOC_UDP_PORTS1=514
> >     FW_LOC_TCP_PORTS1=25
> >     FW_LOC_UDP_PORTS1=514
> >     LOC_SERVER1=192.168.100.11
>
> And a related question: "shorewall show log" outputs the following
> because I neglected to change NET_LOC_UDP_PORTS1 to "514" rather than
> "none", correct? Hope so, since that's what I just changed and restarted
> shorewall. Hopefully I'll be getting yet more information in my local
> syslog.

Adding 514 to NET_LOC_UDP_PORTS1 would eliminate these messages, yes.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
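As an added example (not code from the thread or from Shorewall itself), the following Python script does for "shorewall show log" output what troubleshoot.htm suggests doing by hand, and relates it to Gar's net2all:DROP lines above and to Tom's earlier advice to decode the log messages: it takes the source zone from the chain name, pulls PROTO and DPT from the iptables fields, and checks them against the NET_*/LOC_* port lists of the posted params file, so that a dropped 514/udp packet is traced to the variable that still says "none". The chain-name convention (net2all: source zone net) and the variable names are taken from the thread; the sample log lines are copied from Gar's post and the params dictionary is a constructed subset of the file he posted.

```python
import re

# Constructed sample: two of the "shorewall show log" lines quoted in the thread.
SAMPLE_LOG = [
    "Mar 7 16:53:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 "
    "LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=260 PROTO=UDP SPT=6116 DPT=514 LEN=129",
    "Mar 7 16:58:20 net2all:DROP:IN=eth0 OUT= SRC=204.228.188.1 DST=204.228.188.6 "
    "LEN=149 TOS=0x00 PREC=0x00 TTL=255 ID=261 PROTO=UDP SPT=6116 DPT=514 LEN=129",
]

# Port-list variables from the params file posted in the thread (three-interface
# sample); "none" means the sample generates no rule for that zone pair/protocol.
PARAMS = {
    "NET_LOC_TCP_PORTS1": "none", "NET_LOC_UDP_PORTS1": "none",
    "NET_DMZ_TCP_PORTS1": "21", "NET_DMZ_UDP_PORTS1": "none",
    "LOC_DMZ_TCP_PORTS1": "21,22,53", "LOC_DMZ_UDP_PORTS1": "53",
}

# "<timestamp> <chain>:<disposition>:<iptables key=value fields>"
LOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<chain>\w+):(?P<action>\w+):(?P<kv>.*)$")

def parse_log_line(line):
    """Return (src_zone, action, proto, dport), or None if not a Shorewall log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    src_zone = m["chain"].split("2", 1)[0]   # chain "net2all" -> source zone "net"
    return src_zone, m["action"], fields["PROTO"].lower(), int(fields.get("DPT", 0))

def port_listed(value, port):
    """True if a params port list such as "21,22,53" contains port; "none" lists nothing."""
    return value.lower() != "none" and str(port) in value.split(",")

def audit(lines, params):
    """Count DROPs per (src_zone, proto, dport); name the variables for that zone/protocol that still lack the port."""
    report = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None or parsed[1] != "DROP":
            continue
        src, _, proto, dport = parsed
        key = (src, proto, dport)
        if key not in report:
            prefix, suffix = f"{src.upper()}_", f"_{proto.upper()}_PORTS1"
            missing = [v for v in params
                       if v.startswith(prefix) and v.endswith(suffix) and not port_listed(params[v], dport)]
            report[key] = {"count": 0, "missing_from": missing}
        report[key]["count"] += 1
    return report
```

An empty OUT= field in these lines means the packet was addressed to the firewall itself (DST is eth0's address), which is what you see when no DNAT rule has been generated for the port; the report lists every NET_*_UDP_PORTS1 variable that lacks 514, and which one should carry it depends on which server is meant to receive the traffic.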
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Gar Nelson" <gar.nelson@noaa.gov>; <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 4:59 PM
Subject: Re: [Shorewall-users] Another basic question on addressing

>
> And it's also FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1
>

Sorry -- make that FAQ #2 -- http://www.shorewall.net/FAQ.htm#faq2

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net