Hello Shorewall-users,

I have Shorewall installed as a firewall between our office and the net. The internal network has an address range of 192.168.1.0/24

We are looking at purchasing a small VPN appliance to install at our office. I have two ways to install it. The first (and preferred) method is to install it on our local lan, and have the IPSec packets transparently passed through the firewall directly to the appliance. The second way is to put it side by side with the firewall, listening on its own address.

I'm not too happy about putting what is essentially a second firewall in place, but am concerned about some problems I've heard about using IPSec through a firewall which does NATing.

Any comments would be appreciated.

Thanks in advance.

JBB

Jonathan B. Bayer
mailto:jbayer@bayerfamily.net
On Saturday 12 January 2002 05:04 am, Jonathan B. Bayer wrote:
> Hello Shorewall-users,
>
> I have Shorewall installed as a firewall between our office and the net.
> The internal network has an address range of 192.168.1.0/24
>
> We are looking at purchasing a small VPN appliance to install at our
> office. I have two ways to install it. The first (and preferred)
> method is to install it on our local lan, and have the IPSec packets
> transparently passed through the firewall directly to the appliance.
> The second way is to put it side by side with the firewall, listening
> on its own address.
>
> I'm not too happy about putting what is essentially a second firewall in
> place, but am concerned about some problems I've heard about using IPSec
> through a firewall which does NATing.
>
> Any comments would be appreciated.

Have you considered letting your Shorewall-based firewall be the "VPN Appliance"?

-Tom
--
Tom Eastep       \ A Firewall for Linux 2.4.*
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924   \ teastep@shorewall.net
At 7:28 AM -0800 1/12/02, Tom Eastep wrote:
> Have you considered letting your Shorewall-based firewall be the "VPN
> Appliance"?

I assume that this is on your hints page. I would be interested in VPN application to route to a Cisco VPN3000 at work.

--
Glenn Henshaw | Ottawa, Canada
Play: thraxisp@igs.net | Work: ghenshaw@altera.com
On Saturday 12 January 2002 04:26 pm, Glenn Henshaw wrote:
> At 7:28 AM -0800 1/12/02, Tom Eastep wrote:
> > Have you considered letting your Shorewall-based firewall be the "VPN
> > Appliance"?
>
> I assume that this is on your hints page. I would be interested in
> VPN application to route to a Cisco VPN3000 at work.

If your router does IPSEC then you should be all set -- see http://www.shorewall.net/Documentation.htm#Tunnels.

-Tom
dgilleece@optimumnetworks.com
2002-Jan-13 18:42 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
Hi all,

I have been struggling with some architectural trade-offs, and I've hit a knowledge wall. I am trying to design one appliance that will act as a transparent router/firewall for a /25 range of legal addresses AND provide FreeS/WAN subnet-to-subnet tunnels for two remote networks. Based upon the statement in the Shorewall doc warning against using FreeS/WAN in combination with Proxy-ARP, that solution seems to be off the table.

While attempting to configure Shorewall, I came across some things that didn't seem sane. Like, the fact that eth1 and eth0, while in the same subnet, needed to be in different zones. The DSL router also shares that subnet, but it is clearly not in the loc zone. The syntax for defining zones seems to give the ability to define single hosts (or lists thereof) or entire subnets; but not the apparent ability to do ranges of IPs.

Based upon my rusting IP networking skills, I get the feeling I will need to subnet my subnet further -- but I'm just not connecting how to do it in this scenario. Can anyone sanity check my hunch, and possibly give me some pointers, if this is the case? Any other ideas on how to skin this cat would be most welcome :)

Here's the layout:

+-------------------+
| 209.36.43.127/128 | <==== DSL Router
+-------------------+
          |
          |
+-------------------+
| 209.36.43.126/128?|
|                   |
|                   |
| 209.36.43.???/??? | <==== Variable length subnet mask?
+-------------------+
          |
          |
------+-----------+-----------+
      |           |           |
   HOST A      HOST B      HOST C   <=== Legal/Routable IPs Derived from 209.36.43.128/128
Tom Eastep
2002-Jan-13 19:54 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Sunday 13 January 2002 10:42 am, dgilleece@optimumnetworks.com wrote:
> Hi all,
>
> I have been struggling with some architectural trade-offs, and I've hit a
> knowledge wall. I am trying to design one appliance that will act as a
> transparent router/firewall for a /25 range of legal addresses AND provide
> FreeS/WAN subnet-to-subnet tunnels for two remote networks. Based upon
> the statement in the Shorewall doc warning against using FreeS/WAN in
> combination with Proxy-ARP, that solution seems to be off the table.

The problem there is an operational one (as pointed out in the DOCs). If you place the appropriate commands in /etc/shorewall/init and /etc/shorewall/start, you should be able to get it to work. The only downside will be that "shorewall restart" will also stop and start IPSEC.

> While attempting to configure Shorewall, I came across some things that
> didn't seem sane. Like, the fact that eth1 and eth0, while in the same
> subnet, needed to be in different zones.

They don't have to be -- If you want to define firewall rules then putting them in separate zones makes sense though. If you don't want to define firewall rules then you don't need Shorewall.

> The DSL router also shares that
> subnet, but it is clearly not in the loc zone. The syntax for defining
> zones seems to give the ability to define single hosts (or lists thereof)
> or entire subnets; but not the apparent ability to do ranges of IPs.

That's because Netfilter doesn't give you that option either.

What EXACTLY are your firewall requirements? From those, we can best advise you on how to configure shorewall.

-Tom
dgilleece@optimumnetworks.com
2002-Jan-13 20:13 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
Tom,

Thanks for the response. My exact requirements are:

1. Protecting ~124 hosts behind the device with configurable firewall rules.
2. Allowing any given host on that protected subnet to access just about any given type of VPN system at a variety of client sites. (ruling out NAT, necessarily)
3. Having the gateway/firewall act as the VPN gateway connecting three remote office subnets together seamlessly.
4. Logging intrusion attempts.
5. Ad hoc configurable rules to allow machines unfiltered access for periodic testing activities

If you can guide me on sound configs, or let me know if I'm on the right track, I'd much appreciate it.

Thanks,

Dan
Tom Eastep
2002-Jan-13 20:18 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Sunday 13 January 2002 12:13 pm, dgilleece@optimumnetworks.com wrote:
> Tom,
>
> Thanks for the response. My exact requirements are:
>
> 1. Protecting ~124 hosts behind the device with configurable firewall
> rules.

Ok -- what function does your DSL router play?

- From your ISP's point of view, does it act as the gateway to your /25 network?

- Does it physically interface to the phone line or is there a "dsl modem" outbound of it?

> 2. Allowing any given host on that protected subnet to access just
> about any given type of VPN system at a variety of client sites. (ruling out
> NAT, necessarily)

That's a routing requirement, not a firewall requirement.

> 3. Having the gateway/firewall act as the VPN gateway connecting three
> remote office subnets together seamlessly.

Ditto.

> 4. Logging intrusion attempts.

Ok.

> 5. Ad hoc configurable rules to allow machines unfiltered access for
> periodic testing activities

Ok.

> If you can guide me on sound configs, or let me know if I'm on the right
> track, I'd much appreciate it.

Let's answer the questions about the DSL router first then I'll give you my thoughts.

-Tom
dgilleece@optimumnetworks.com
2002-Jan-13 20:29 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
Quoting Tom Eastep <teastep@shorewall.net>:
> Ok -- what function does your DSL router play?

The DSL router currently passes all traffic to a network switch, through which all hosts currently access the internet directly --- using only local security measures (personal firewall, ipchains, etc.)

> - From your ISP's point of view, does it act as the gateway to your /25
> network?

Yes.

> - Does it physically interface to the phone line or is there a "dsl
> modem" outbound of it?

Not sure what you mean here. It is a Cisco 678, connected to a dedicated (non-shared "dry pair") business circuit. LAN-side, it is attached to a workgroup switch.

> > 2. Allowing any given host on that protected subnet to access just
> > about any given type of VPN system at a variety of client sites. (ruling
> > out NAT, necessarily)
>
> That's a routing requirement, not a firewall requirement.

By "allowing" I mean not interfering with "aggressive" VPN connections -- which NAT firewalls hose.

> > 3. Having the gateway/firewall act as the VPN gateway connecting three
> > remote office subnets together seamlessly.
>
> Ditto.

Given my intent to create a simple (relative term here) appliance that does both VPN management and filtering, I am concerned the two applications don't make life difficult for each other -- I wasn't sure if your comments in the doc would be show-stoppers...

> Let's answer the questions about the DSL router first then I'll give you
> my thoughts.

I am looking forward to them :)

Thanks for helping,

Dan
Tom Eastep
2002-Jan-13 21:01 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Sunday 13 January 2002 12:29 pm, dgilleece@optimumnetworks.com wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
> > Ok -- what function does your DSL router play?
>
> The DSL router currently passes all traffic to a network switch, through
> which all hosts currently access the internet directly --- using only local
> security measures (personal firewall, ipchains, etc.)
>
> > - From your ISP's point of view, does it act as the gateway to your /25
> > network?
>
> Yes.
>
> > - Does it physically interface to the phone line or is there a "dsl
> > modem" outbound of it?
>
> Not sure what you mean here. It is a Cisco 678, connected to a dedicated
> (non-shared "dry pair") business circuit. LAN-side, it is attached to a
> workgroup switch.

Ok -- It's unfortunate that you have a router rather than just a "DSL Modem" since your Linux box is perfectly capable of acting as a router and the router is just getting in the way.

> > > 2. Allowing any given host on that protected subnet to access just
> > > about any given type of VPN system at a variety of client sites. (ruling
> > > out NAT, necessarily)
> >
> > That's a routing requirement, not a firewall requirement.
>
> By "allowing" I mean not interfering with "aggressive" VPN connections --
> which NAT firewalls hose.
>
> > > 3. Having the gateway/firewall act as the VPN gateway connecting three
> > > remote office subnets together seamlessly.
> >
> > Ditto.
>
> Given my intent to create a simple (relative term here) appliance that
> does both VPN management and filtering, I am concerned the two applications
> don't make life difficult for each other -- I wasn't sure if your comments
> in the doc would be show-stoppers...
>
> > Let's answer the questions about the DSL router first then I'll give you
> > my thoughts.
>
> I am looking forward to them :)

Ok. I'm assuming that eth0 is your interface to the DSL router -- if not, reverse eth0 and eth1.
------------------------------------
/etc/shorewall/zones

net     Internet    The internet including your DSL router
loc     Local       Local including the subnetworks accessed via IPSEC VPN

/etc/shorewall/interfaces:

net     eth0        norfc1918,...
loc     eth1        routestopped
loc     ipsec+      multi

/etc/shorewall/policy

loc     loc         ACCEPT
loc     net         ACCEPT
net     all         DROP
all     all         REJECT:info

/etc/shorewall/proxyarp

<124 entries> with "Yes" in the HAVEROUTE column
------------------------------

The firewall will let traffic pass freely between all IPSEC interfaces and your local network (the "multi" allows traffic between the IPSEC interfaces). All hosts in the local zone have unlimited access to the internet. No access from internet to anything.

You will have to code /etc/shorewall/rules to specify what connections to allow to/from your firewall.

-Tom
Tom Eastep
2002-Jan-28 19:58 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Monday 28 January 2002 04:51 pm, dgilleece@optimumnetworks.com wrote:
> Regarding Shorewall for proxy arp subnet:
>
> Tom,
>
> Finally got the time to look into this more closely, and I'm having some
> difficulty.
>
> I have a basic install of Red Hat 7.2, configured using the
> "Firewall/Router" option in Red Hat setup.
>
> Any help appreciated,

Looks like unprintable garbage in the file. Have you looked at a trace?

-Tom
Tom Eastep
2002-Jan-28 20:05 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Monday 28 January 2002 11:58 am, Tom Eastep wrote:
> On Monday 28 January 2002 04:51 pm, dgilleece@optimumnetworks.com wrote:
> > Regarding Shorewall for proxy arp subnet:
> >
> > Tom,
> >
> > Finally got the time to look into this more closely, and I'm having some
> > difficulty.
> >
> > I have a basic install of Red Hat 7.2, configured using the
> > "Firewall/Router" option in Red Hat setup.
> >
> > Any help appreciated,
>
> Looks like unprintable garbage in the file. Have you looked at a trace?

In fact, it looks like you edited the file on a Windoze machine and have carriage returns at the end of each line -- use dos2unix on the proxyarp file and it should work.

-Tom
dgilleece@optimumnetworks.com
2002-Jan-29 00:51 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
Regarding Shorewall for proxy arp subnet:

Tom,

Finally got the time to look into this more closely, and I'm having some difficulty.

I have a basic install of Red Hat 7.2, configured using the "Firewall/Router" option in Red Hat setup.

Any help appreciated,

Dan

Quoting Tom Eastep <teastep@shorewall.net>:
> Ok. I'm assuming that eth0 is your interface to the DSL router -- if
> not, reverse eth0 and eth1.

My setup matches this...

> /etc/shorewall/zones
>
> net     Internet    The internet including your DSL router
> loc     Local       Local including the subnetworks accessed via IPSEC VPN

Done

> /etc/shorewall/interfaces:
>
> net     eth0        norfc1918,...
> loc     eth1        routestopped
> loc     ipsec+      multi

Done

> /etc/shorewall/policy
>
> loc     loc         ACCEPT
> loc     net         ACCEPT
> net     all         DROP
> all     all         REJECT:info

Done

> /etc/shorewall/proxyarp
>
> <124 entries> with "Yes" in the HAVEROUTE column

I have this done, but I get the following errors when starting Shorewall:

Copied from console:

)nvalid value for HAVEROUTE - (Yes " ignored9.98.36.45 eth1 eth0 Yes
)nvalid value for HAVEROUTE - (Yes " ignored9.98.36.46 eth1 eth0 Yes
)nvalid value for HAVEROUTE - (Yes " ignored9.98.36.47 eth1 eth0 Yes

for all 124 IP addresses...

..and in /var/log/messages

Jan 27 20:25:17 localhost shorewall: )
Jan 27 20:25:17 localhost shorewall: " ignored
Jan 27 20:25:17 localhost shorewall: ' not found
Jan 27 20:25:17 localhost shorewall: Try `iptables -h' or 'iptables --help' for more information.
Jan 27 20:25:17 localhost rc: Starting shorewall: failed

Files:

Interfaces
##############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         norfc1918
loc      eth1         routestopped
loc      ipsec+       multi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy
###############################################################################
#CLIENT    SERVER    POLICY    LOG LEVEL
loc        loc       ACCEPT
loc        net       ACCEPT
net        all       DROP      info
all        all       REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Proxyarp
#
#ADDRESS          INTERFACE    EXTERNAL    HAVEROUTE
# 155.186.235.6   eth1         eth0        No
##############################################################################
#ADDRESS          INTERFACE    EXTERNAL    HAVEROUTE
219.98.36.1       eth1         eth0        Yes
219.98.36.2       eth1         eth0        Yes
219.98.36.3       eth1         eth0        Yes
219.98.36.4       eth1         eth0        Yes
219.98.36.5       eth1         eth0        Yes
219.98.36.6       eth1         eth0        Yes
219.98.36.7       eth1         eth0        Yes

....to 219.98.36.124

Zones
#ZONE    DISPLAY     COMMENTS
net      Internet    Internet
loc      Localnet    Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
On Monday 28 January 2002 05:30 pm, FancyLad wrote:
> It's apparent that it's being dropped because it's matching the all2all
> chain, but shouldn't it match the loc2fw chain? 10.0.0.2 is my win box
> and 10.0.0.1 is my shorewall box.

Please send me the output from "shorewall status".

Thanks,
-Tom
dgilleece@optimumnetworks.com
2002-Jan-29 01:26 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
Quoting Tom Eastep <teastep@shorewall.net>:
> Looks like unprintable garbage in the file. Have you looked at a
> trace?
>
> In fact, it looks like you edited the file on a Windoze machine and have
> carriage returns at the end of each line -- use dos2unix on the proxyarp
> file and it should work.
>
> -Tom

I should have known better :) dos2unix worked perfectly.

Thanks again!

Dan
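The carriage-return failure diagnosed in this exchange can be caught before "shorewall start" rather than after. The checker below is an added example, not code from the thread or from Shorewall: it mirrors the way a bourne-shell read splits columns (on spaces and tabs only, so a CR stays glued to the last field), reports every line carrying a CR, and validates the ADDRESS and HAVEROUTE columns of a proxyarp file. The function names, the error wording and the sample file are my own.

```python
"""Pre-flight check for /etc/shorewall/proxyarp (added example, not Shorewall code).

The column layout (ADDRESS INTERFACE EXTERNAL HAVEROUTE) is the one shown in
the thread.  A file saved with Windows line endings makes the last column read
"Yes\r", which is not "Yes", so every entry is rejected; the same thing shows up
here as a reported problem instead of a failed firewall start.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

COLUMNS = ("ADDRESS", "INTERFACE", "EXTERNAL", "HAVEROUTE")
VALID_HAVEROUTE = ("Yes", "No")
# Shorewall's scripts are bourne shell: "read" splits fields on spaces and tabs,
# not on carriage returns, so we split the same way to see what the shell sees.
FIELD_SPLIT = re.compile(r"[ \t]+")


def dos2unix(text: str) -> str:
    """Convert CRLF (or bare CR) line endings to LF, like the dos2unix tool."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def parse_proxyarp(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse proxyarp text; return (accepted entries, problem messages).

    Text after '#' and blank lines are ignored.  A line is accepted only if it
    has exactly four columns, a syntactically valid IP address and a HAVEROUTE
    of exactly Yes or No.  Problems carry 1-based line numbers for the editor.
    """
    entries: List[Dict[str, str]] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        errors: List[str] = []
        if "\r" in raw:
            errors.append("carriage return present (run dos2unix on the file)")
        body = raw.split("#", 1)[0].strip(" \t")
        fields = [f for f in FIELD_SPLIT.split(body) if f]
        if fields:
            if len(fields) != len(COLUMNS):
                errors.append(f"expected {len(COLUMNS)} columns, got {len(fields)}")
            else:
                entry = dict(zip(COLUMNS, fields))
                try:
                    ipaddress.ip_address(entry["ADDRESS"])
                except ValueError:
                    errors.append(f"bad address {entry['ADDRESS']!r}")
                if entry["HAVEROUTE"] not in VALID_HAVEROUTE:
                    errors.append(
                        f"invalid value for HAVEROUTE - {entry['HAVEROUTE']!r}")
                if not errors:
                    entries.append(entry)
        problems.extend(f"line {lineno}: {e}" for e in errors)
    return entries, problems


# Constructed sample: a comment header and three entries saved with Windows
# line endings, the situation described in the thread.
WINDOWS_FILE = (
    "#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE\r\n"
    "219.98.36.1\teth1\teth0\tYes\r\n"
    "219.98.36.2\teth1\teth0\tYes\r\n"
    "219.98.36.3\teth1\teth0\tNo\r\n"
)

if __name__ == "__main__":
    for label, text in (("as saved on Windows", WINDOWS_FILE),
                        ("after dos2unix", dos2unix(WINDOWS_FILE))):
        entries, problems = parse_proxyarp(text)
        print(f"{label}: {len(entries)} entries accepted, {len(problems)} problems")
        for p in problems:
            print("  " + p)
```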
Greetings,

I was having problems with my Shorewall setup and I was wondering if it's because Shorewall is not properly identifying packets that are destined for the fw. Long story short, my shorewall is my main linux box that I use for most of my day to day stuff (can't afford another box for dedicated firewall I'm afraid, so this is better than nothing). I have a usb adsl modem that I have connected on ppp0. My windows box (used for TFC and StarCraft <grin>) can't connect to my firewall (ssh, telnet, ftp, dns, etc...) Likewise my firewall can't smbclient to my windows box because the return packets are being dropped in the all2all chain.

Below are some files:

./zones
net     Net      Internet
loc     Local    Local networks
dmz     DMZ      Demilitarized zone

./policy
loc     all     ACCEPT
fw      all     ACCEPT
net     all     DROP     info
all     all     REJECT   info

./rules
ACCEPT  net     fw      tcp     ssh,auth

./interfaces
net     ppp0    detect  norfc1918,dhcp
loc     eth0    detect

./masq
ppp0    eth0

./tos
default

./hosts ./nat ./params ./proxyarp ./tcrules ./tunnels
all empty

When I try to do a dns request from my windows box to my shorewall machine (which is running a dns proxy) I get the following in /var/log/messages:

Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24278 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24279 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24280 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24281 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24282 PROTO=UDP SPT=3864 DPT=53 LEN=42

It's apparent that it's being dropped because it's matching the all2all chain, but shouldn't it match the loc2fw chain? 10.0.0.2 is my win box and 10.0.0.1 is my shorewall box.

Thanks for any help on this, and I hope I didn't include too much of my config files (gotta strike that delicate balance between giving enough info for ppl to help, but at the same time you don't want to do something like include your entire sendmail.cf--although I've no idea why I'd want to send that one to this list <grin>)

Thanks everyone!
dgilleece@optimumnetworks.com
2002-Jan-29 08:59 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
OK, I changed the IP addresses of my test setup, so I could connect to my actual internet connection, rather than trying to simulate a client's connection in a "lab." All the config problems with Shorewall appear to be solved -- everything comes up as expected, and does what it should -- other than route :/

Here is the routing table generated when using the Shorewall configs below, and with a gateway defined in /etc/sysconfig/network-scripts/ifcfg-eth0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0

The strange part is the duplicate routes to 209.98.58.240/29 --- what generates this? With routing table above, nothing moves.

If I do 'route add -host 209.98.58.241/29 dev eth0' it adds this to the table:

209.98.58.241   *               255.255.255.255 UH    0      0        0 eth0

... and everything flows. I have looked through the proxyarp, interfaces, zones, et al, and how the routes are created (or not created) is still escaping me.

Will I need to establish that device route via eth0 manually, or have I missed something in the configs? If I do need to establish that route manually, how can I do this so it is automatic at startup.

Thanks again for all the help,

Dan

> Quoting Tom Eastep <teastep@shorewall.net>:
> > Ok. I'm assuming that eth0 is your interface to the DSL router -- if
> > not, reverse eth0 and eth1.
>
> My setup matches this...
>
> > /etc/shorewall/zones
> >
> > net     Internet    The internet including your DSL router
> > loc     Local       Local including the subnetworks accessed via IPSEC VPN
>
> Done
>
> > /etc/shorewall/interfaces:
> >
> > net     eth0        norfc1918,...
> > loc     eth1        routestopped
> > loc     ipsec+      multi
>
> Done
>
> > /etc/shorewall/policy
> >
> > loc     loc         ACCEPT
> > loc     net         ACCEPT
> > net     all         DROP
> > all     all         REJECT:info
>
> Done
>
> > /etc/shorewall/proxyarp
> >
> > <124 entries> with "Yes" in the HAVEROUTE column
>
> Interfaces
> ##############################################################################
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> net      eth0         norfc1918
> loc      eth1         routestopped
> loc      ipsec+       multi
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Policy
> ###############################################################################
> #CLIENT    SERVER    POLICY    LOG LEVEL
> loc        loc       ACCEPT
> loc        net       ACCEPT
> net        all       DROP      info
> all        all       REJECT    info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> Proxyarp
> #
> #ADDRESS          INTERFACE    EXTERNAL    HAVEROUTE
> # 155.186.235.6   eth1         eth0        No
> ##############################################################################
> #ADDRESS          INTERFACE    EXTERNAL    HAVEROUTE
> 219.98.36.1       eth1         eth0        Yes
> 219.98.36.2       eth1         eth0        Yes
> 219.98.36.3       eth1         eth0        Yes
> 219.98.36.4       eth1         eth0        Yes
> 219.98.36.5       eth1         eth0        Yes
> 219.98.36.6       eth1         eth0        Yes
> 219.98.36.7       eth1         eth0        Yes
>
> ....to 219.98.36.124
>
> Zones
> #ZONE    DISPLAY     COMMENTS
> net      Internet    Internet
> loc      Localnet    Local networks
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of FancyLad
> Sent: Monday, January 28, 2002 8:30 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Shorewall not recognizing 'fw'?
>
> ./zones
> net Net Internet loc Local Local networks
> dmz DMZ Demilitarized zone
>
> ./policy
> loc all ACCEPT
> fw all ACCEPT
> net all DROP info
> all all REJECT info
>
> It's apparent that it's being dropped because it's matching the all2all
> chain, but shouldn't it match the loc2fw chain? 10.0.0.2 is my win box
> and 10.0.0.1 is my shorewall box.

Maybe I'm wrong here, but don't you need the loc zone defined in ./zones?

Jim Hubbard
jimh@dyersinc.com
Tom Eastep
2002-Jan-29 14:35 UTC
[Shorewall-users] Design Problems for VPN/Transparent Firewall
On Tuesday 29 January 2002 12:59 am, dgilleece@optimumnetworks.com wrote:
> OK, I changed the IP addresses of my test setup, so I could connect to my
> actual internet connection, rather than trying to simulate a client's
> connection in a "lab." All the config problems with Shorewall appear to be
> solved -- everything comes up as expected, and does what it should -- other
> than route :/

Since you have "Yes" in the HAVEROUTE column in /etc/shorewall/proxyarp, Shorewall does NOTHING with respect to routes.

> Here is the routing table generated when using the Shorewall configs below,
> and with a gateway defined in /etc/sysconfig/network-scripts/ifcfg-eth0
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
> 209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
> 209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0
>
> The strange part is the duplicate routes to 209.98.58.240/29 --- what
> generates this? With routing table above, nothing moves.
>
> If I do 'route add -host 209.98.58.241/29 dev eth0' it adds this to the
> table:
>
> 209.98.58.241   *               255.255.255.255 UH    0      0        0 eth0
>
> ... and everything flows. I have looked through the proxyarp, interfaces,
> zones, et al, and how the routes are created (or not created) is still
> escaping me.

Since you have eth0 defined with netmask 255.255.255.255 you must manually add ALL routes needed on that interface, including one to your default gateway.

> Will I need to establish that device route via eth0 manually

Yes.

-Tom
On Tuesday 29 January 2002 04:28 am, Jim Hubbard wrote:
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net]On Behalf Of FancyLad
> > Sent: Monday, January 28, 2002 8:30 PM
> > To: shorewall-users@shorewall.net
> > Subject: [Shorewall-users] Shorewall not recognizing 'fw'?
> >
> > ./zones
> > net Net Internet loc Local Local networks
> > dmz DMZ Demilitarized zone
> >
> > ./policy
> > loc all ACCEPT
> > fw all ACCEPT
> > net all DROP info
> > all all REJECT info
> >
> > It's apparent that it's being dropped because it's matching the all2all
> > chain, but shouldn't it match the loc2fw chain? 10.0.0.2 is my win box
> > and 10.0.0.1 is my shorewall box.
>
> Maybe I'm wrong here, but don't you need the loc zone defined in ./zones?

The problem here turned out to be that the original poster misunderstood the way that install.sh works on upgrade. He thought it would overwrite existing config files which it does not.

-Tom