Is anyone using user sets? I'm considering dropping support for them in 2.0 in favor of just listing individual user/groups in the rules file.

Thanks,
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
I have Proxy ARP for 2 IPs and NAT for a local net using a different IP going through a single interface (all internal machines are on eth0, all external on eth1). It looks like traffic from the Proxy ARP'd box is getting NAT'd as well (requests from that machine are seen as the NAT IP). Do I need to add rules for the Proxy ARP as well?

This is on a Mandrake MNF box with kernel 2.4.19-37, shorewall 1.4.9 and iproute2-2.2.4-13mdk.

--- ifcfg-eth1 ---
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=68.109.228.26
NETMASK=255.255.255.224
NETWORK=68.109.228.0
BROADCAST=68.109.228.31

--- ifcfg-eth0 ---
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255

--- proxyarp ----
68.109.228.7    eth0    eth1    No
68.109.228.3    eth0    eth1    No

--- masq ---
eth1:0.0.0.0/0    192.168.0.0/0

--- interfaces ---
lan    eth0    detect
wan    eth1    detect

--- zones ---
lan    LAN    lan
dmz    DMZ    dmz
wan    NET    wan

--- policy ---
lan    all    REJECT    info
dmz    all    REJECT    info
fw     all    ACCEPT
wan    all    DROP      info
all    all    REJECT    info

--- rules ---
ACCEPT    fw     wan          tcp     53      -
ACCEPT    fw     wan          udp     53      -
ACCEPT    dmz    wan          udp     53      -
ACCEPT    lan    wan          udp     53      -
REJECT    wan    fw           tcp     113     -
ACCEPT    lan    fw           tcp     22      -
ACCEPT    lan    fw           tcp     8443    -
ACCEPT    fw     lan          icmp    8       -
ACCEPT    lan    fw           icmp    8       -
ACCEPT    lan    dmz          icmp    8       -
ACCEPT    dmz    lan          icmp    8       -
ACCEPT    dmz    fw           icmp    8       -
ACCEPT    fw     dmz          icmp    8       -
ACCEPT    lan    wan          tcp     pop3    -
ACCEPT    lan    wan          tcp     smtp    -
ACCEPT    lan    wan          tcp     http    -
ACCEPT    lan    wan          tcp     https   -
ACCEPT    lan    wan          tcp     ssh     -
ACCEPT    lan    wan          tcp     ftp     -
ACCEPT    lan    wan          tcp     nntp    -
ACCEPT    fw     wan          udp     ntp     -
ACCEPT    lan    wan          tcp     imap    -
ACCEPT    fw     wan:20022    tcp     ftp     -
ACCEPT    lan    fw           udp     53      -
ACCEPT    lan    wan          icmp    8       -
ACCEPT    lan    wan          tcp     5190    -
ACCEPT    lan    wan          udp     5190    -
ACCEPT    fw     wan          tcp     ftp     -
ACCEPT    lan    wan          tcp     ntp     -
On Monday 26 January 2004 12:46 pm, Gavin Thomas Nicol wrote:
> I have Proxy ARP for 2 IPs and NAT for a local net using a different IP
> going through a single interface (all internal machines are on eth0, all
> external on eth1).

Yuck...

> It looks like traffic from the Proxy ARP'd box is
> getting NAT'd as well (requests from that machine are seen as the NAT IP).
> Do I need to add rules for the Proxy ARP as well?
>
> This is on a Mandrake MNF box with kernel 2.4.19-37, shorewall 1.4.9 and
> iproute2-2.2.4-13mdk.
>
> --- ifcfg-eth1 ---
> DEVICE=eth1
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=68.109.228.26
> NETMASK=255.255.255.224
> NETWORK=68.109.228.0
> BROADCAST=68.109.228.31
>
> --- ifcfg-eth0 ---
> DEVICE=eth0
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=192.168.0.1
> NETMASK=255.255.255.0
> NETWORK=192.168.0.0
> BROADCAST=192.168.0.255
>
> --- proxyarp ----
> 68.109.228.7    eth0    eth1    No
> 68.109.228.3    eth0    eth1    No
>
> --- masq ---
> eth1:0.0.0.0/0    192.168.0.0/0

Should be:

eth1:0.0.0.0/0    192.168.0.0/24
---

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Monday 26 January 2004 12:53 pm, Tom Eastep wrote:
> > 68.109.228.3    eth0    eth1    No
> >
> > --- masq ---
> > eth1:0.0.0.0/0    192.168.0.0/0
>
> Should be:
>
> eth1:0.0.0.0/0    192.168.0.0/24
> ---

Also, please start a new thread when you introduce a new topic rather than reply to someone else's post. When you reply to another post, it becomes confusing for those of us who like to use a threading email client. The archives' "threaded" view is also messed up by this type of thread hijacking.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Monday 26 January 2004 03:53 pm, Tom Eastep wrote:
> Should be:
>
> eth1:0.0.0.0/0    192.168.0.0/24

Changed this... same thing. Here's what route says:

% ip route
68.109.228.7 dev eth0  scope link
68.109.228.3 dev eth0  scope link
68.109.228.0/27 dev eth1  scope link
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 68.109.228.1 dev eth1

% route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
wsip-68-109-228  *                255.255.255.255  UH    0      0        0 eth0
wsip-68-109-228  *                255.255.255.255  UH    0      0        0 eth0
68.109.228.0     *                255.255.255.224  U     0      0        0 eth1
192.168.0.0      *                255.255.255.0    U     0      0        0 eth0
127.0.0.0        *                255.0.0.0        U     0      0        0 lo
default          wsip-68-109-228  0.0.0.0          UG    0      0        0 eth1
On Monday 26 January 2004 01:34 pm, Gavin Thomas Nicol wrote:
> On Monday 26 January 2004 03:53 pm, Tom Eastep wrote:
> > Should be:
> >
> > eth1:0.0.0.0/0    192.168.0.0/24
>
> Changed this... same thing.

I don't believe it. Did you create any new connections or did you use existing connections that were already messed up?

> Here's what route says:
>
> % ip route
> 68.109.228.7 dev eth0  scope link
> 68.109.228.3 dev eth0  scope link
> 68.109.228.0/27 dev eth1  scope link
> 192.168.0.0/24 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 68.109.228.1 dev eth1
>
> % route
> Kernel IP routing table
> Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
> wsip-68-109-228  *                255.255.255.255  UH    0      0        0 eth0
> wsip-68-109-228  *                255.255.255.255  UH    0      0        0 eth0
> 68.109.228.0     *                255.255.255.224  U     0      0        0 eth1
> 192.168.0.0      *                255.255.255.0    U     0      0        0 eth0
> 127.0.0.0        *                255.0.0.0        U     0      0        0 lo
> default          wsip-68-109-228  0.0.0.0          UG    0      0        0 eth1

So long as you explicitly list a network in the second column of your /etc/shorewall/masq file, your routing table is irrelevant.

Also, *please* use 'route -n' when you post a routing table.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
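The two replies above turn on one detail of the masq file: a SOURCE of 192.168.0.0/0 has a zero-length prefix, so it is the same network as 0.0.0.0/0 and matches every source address leaving eth1, the two proxy ARP hosts included. The routing table never enters into it because the masq SOURCE column is what becomes the match on the SNAT rule. The following checker is an added example written for this page; it is not Tom's code or part of Shorewall. It assumes the two-column masq layout (INTERFACE[:DEST] SOURCE) and the ADDRESS-first proxyarp layout exactly as they appear in the thread, and the sample file contents are transcribed from the posts above rather than read from a live system.

```python
import ipaddress

# Constructed sample files transcribed from the thread (entry lines only;
# these are not the poster's actual files, just the lines he showed).
MASQ_BROKEN = "eth1:0.0.0.0/0 192.168.0.0/0\n"
MASQ_FIXED = "eth1:0.0.0.0/0 192.168.0.0/24\n"
PROXYARP = (
    "68.109.228.7 eth0 eth1 No\n"
    "68.109.228.3 eth0 eth1 No\n"
)


def _records(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_masq(text):
    """Parse masq lines of the form INTERFACE[:DEST] SOURCE[,SOURCE...].

    Returns (interface, dest_network, source_network) tuples. Only the
    two-column form used in the thread is handled (assumption). strict=False
    accepts a network whose host bits are set, which is exactly what turns
    192.168.0.0/0 into 0.0.0.0/0, the same way the kernel will see it.
    """
    entries = []
    for cols in _records(text):
        iface_spec, sources = cols[0], cols[1]
        iface, _, dest = iface_spec.partition(":")
        dest_net = ipaddress.ip_network(dest or "0.0.0.0/0", strict=False)
        for src in sources.split(","):
            src_net = ipaddress.ip_network(src, strict=False)
            entries.append((iface, dest_net, src_net))
    return entries


def parse_proxyarp(text):
    """Return the ADDRESS column of each proxyarp line as an IPv4Address."""
    return [ipaddress.ip_address(cols[0]) for cols in _records(text)]


def masqueraded_proxyarp_hosts(masq_text, proxyarp_text):
    """Proxy ARP hosts whose address falls inside a masq SOURCE network.

    Such hosts are both proxy-ARP'd and SNAT'd: their outbound packets match
    the masq rule and leave with the firewall's address instead of their own
    public address, which is the symptom reported in the thread.
    """
    hits = []
    masq = parse_masq(masq_text)
    for host in parse_proxyarp(proxyarp_text):
        for iface, _dest, source in masq:
            if host in source:
                hits.append((str(host), iface, str(source)))
    return hits


def overbroad_sources(masq_text, min_prefixlen=8):
    """Flag masq SOURCE networks with a prefix shorter than min_prefixlen.

    A SOURCE of /0 matches every source address, so the rule stops meaning
    "the LAN" and becomes "everything that leaves this interface".
    """
    return [
        (iface, str(source))
        for iface, _dest, source in parse_masq(masq_text)
        if source.prefixlen < min_prefixlen
    ]


if __name__ == "__main__":
    for label, text in (("broken", MASQ_BROKEN), ("fixed", MASQ_FIXED)):
        print(label, "over-broad SOURCE entries:", overbroad_sources(text))
        print(label, "proxy ARP hosts that would be masqueraded:",
              masqueraded_proxyarp_hosts(text, PROXYARP))
```

Run against the broken file, both proxy ARP hosts are reported as falling inside 0.0.0.0/0; with /24 neither matches. Note that this only predicts what new connections will do, which is why Tom asks whether the test used fresh connections: an entry already in the connection-tracking table keeps the NAT mapping it was created with until it expires.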
On Monday 26 January 2004 01:40 pm, Tom Eastep wrote:
> On Monday 26 January 2004 01:34 pm, Gavin Thomas Nicol wrote:
> > On Monday 26 January 2004 03:53 pm, Tom Eastep wrote:
> > > Should be:
> > >
> > > eth1:0.0.0.0/0    192.168.0.0/24
> >
> > Changed this... same thing.
>
> I don't believe it. Did you create any new connections or did you use
> existing connections that were already messed up?

If you are still having problems after assuring yourself that new connections from the Proxy ARP systems are still being masqueraded, please post the output of "shorewall show nat" as a text attachment.

Thanks,
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net