Hi,

I use a setup based on the two interface example, I got DSL over ppp0 and eth0 to the internal network.

ppp0: <some dyn ip>
eth0: 192.168.2.10

I got a windows client 192.168.2.8

I allowed auth port 113 everywhere as far as I can see, even where I thought it doesn't make sense :-)

However I try to connect for example to site which requires ident and it looks like the fw can't connect to the windows machine on port 113?

I see this:

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.2.10 DST=192.168.2.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16604 PROTO=TCP SPT=39365 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

any ideas ?

I wonder if the 192.168.2.10 is being seen as the fw or part of loc ?

Best regards,
Christophe

--
Christophe Zwecker    mail: doc@zwecker.de
Hamburg, Germany      fon: +49 179 3994867
http://www.zwecker.de
"Who is General Failure ? And why is he reading my disk ??"
On Thursday 31 January 2002 05:31 pm, Christophe Zwecker wrote:
> Hi,
>
> I use a setup based on the two interface example, I got DSL over ppp0
> and eth0 to the internal network.
>
> ppp0: <some dyn ip>
> eth0: 192.168.2.10
>
> I got a windows client 192.168.2.8
>
> I allowed auth port 113 everywhere as far as I can see, even where I
> thought it doesn't make sense :-)
>
> However I try to connect for example to site which requires ident and it
> looks like the fw can't connect to the windows machine on port 113?
>
> I see this:
>
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.2.10 DST=192.168.2.8
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16604 PROTO=TCP SPT=39365 DPT=113
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> any ideas ?

Your firewall is trying to establish an AUTH connection to your local network (IP 192.168.2.8) - add this to your rules:

ACCEPT	fw	loc	tcp	113

-Tom

--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
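The zone question in the original post (is 192.168.2.10 seen as fw or as part of loc?) can be read straight off the log line: an empty IN= means the packet was generated on the firewall itself, so the source zone is fw and the missing rule is the fw->loc one Tom gives. The following is an added example, not Shorewall's own code; it assumes the eth0->loc, ppp0->net mapping of the two-interface setup in this thread, and the second log line is constructed (placeholder addresses) to show the opposite case, a remote ident query arriving on ppp0.

```python
"""Classify a Shorewall/Netfilter log line into source/destination zones and
print the plain rules-file line that would have accepted it.
Added example, not Shorewall code.  Assumed zone map: eth0 -> loc, ppp0 -> net
(the two-interface setup in this thread).  Key point: an empty IN= means the
firewall itself sent the packet; an empty OUT= means it was addressed to it."""
import re

ZONE_OF_IFACE = {"eth0": "loc", "ppp0": "net"}   # assumption from the thread

# Copy of the log line posted in the thread.
SAMPLE_FW_TO_LOC = (
    "Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.2.10 DST=192.168.2.8 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16604 PROTO=TCP SPT=39365 DPT=113 "
    "WINDOW=5840 RES=0x00 SYN URGP=0")
# Constructed line for the inbound case: a remote ident query arriving on
# ppp0 (both addresses are placeholders, not real hosts).
SAMPLE_NET_TO_FW = (
    "Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=66.66.66.66 DST=203.0.113.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=113 SYN")

def parse_log(line):
    """Return (chain, disposition, fields) for a 'Shorewall:<chain>:<DISP>:' line.
    Tokens without '=' (e.g. SYN) are kept as flags with an empty value."""
    m = re.match(r"Shorewall:([^:]+):(\w+):(.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    chain, disp, rest = m.groups()
    fields = {}
    for tok in rest.split():
        key, _, val = tok.partition("=")
        fields[key] = val
    return chain, disp, fields

def zones(fields):
    """Source zone is 'fw' when IN= is empty (locally generated), destination
    zone is 'fw' when OUT= is empty (locally delivered); otherwise the
    interface name is mapped through ZONE_OF_IFACE."""
    src = ZONE_OF_IFACE.get(fields["IN"], "?") if fields.get("IN") else "fw"
    dst = ZONE_OF_IFACE.get(fields["OUT"], "?") if fields.get("OUT") else "fw"
    return src, dst

def suggest_rule(line):
    """Tab-separated rules line (ACTION SOURCE DEST PROTO DEST-PORT) that
    would have accepted the logged packet at the firewall."""
    _chain, _disp, f = parse_log(line)
    src, dst = zones(f)
    return "ACCEPT\t%s\t%s\t%s\t%s" % (
        src, dst, f.get("PROTO", "").lower(), f.get("DPT", ""))

if __name__ == "__main__":
    for line in (SAMPLE_FW_TO_LOC, SAMPLE_NET_TO_FW):
        print(zones(parse_log(line)[2]), "->", suggest_rule(line))
```

For the inbound case the function prints the plain accept; forwarding that query to an internal identd instead, as John describes further down, is a separate port-forward rule.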
Christophe,

IDENT (or auth) opens a new (non-related) connection whose source may or may not be coming from the server to which you're connecting. Understanding that the inbound auth request is a *new* connection request on port 113 (plain vanilla auth) is basically trying to connect to the address where it believes the original connection was made from (your external IP address.)

The example you show from the log appears to be an auth request originating on your FW, not from a remote host. If that is indeed an external request, enabling fw -> loc tcp 113 would handle it.

What I do at home is run an IDENTD on an internal machine, and forward all auth requests to it. It is set to return a valid, but somewhat fictitious, port pair, which satisfies most IDENT requests.

So, if you run an IDENT server on box 1.1.1.1 internally, and your external ip address is 66.66.66.66, your shorewall line would look like:

ACCEPT net loc:1.1.1.1 tcp 113 - 66.66.66.66

The inclusion of the external address sets up a port forward.

Hope this helps,

John S.

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Christophe Zwecker
Sent: Thursday, January 31, 2002 5:32 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] auth cant go thru

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Oops, I should have waited five minutes to see if Tom's was a better solution.

It was. <g> Somehow, though, I have a feeling that log clip was testing connections on 113 to the internal net from the fw.

Sorry for the spam.

John S.

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, January 31, 2002 5:55 PM
To: Christophe Zwecker; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] auth cant go thru
On Thursday 31 January 2002 06:03 pm, John Stroud wrote:
> Oops, I should have waited five minutes to see if Tom's was a better
> solution.
>
> It was. <g> Somehow, though, I have a feeling that log clip was
> testing connections on 113 to the internal net from the fw.
>
> Sorry for the spam.

Perish the thought -- the usual scenario with auth is that A requests a connection to B and B in turn requests an auth connection back to A to verify the identity of the requesting user at A.

It was a good idea back in the days when priv ports could be trusted on the internet; it's rather quaint now...

-Tom

--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
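The A -> B -> A exchange Tom describes, as an added example (not Shorewall or identd code) of what the two ident messages look like on the wire under RFC 1413: B's query names the port pair of the original connection, and A answers with the socket's owner or an error. The fixed-reply mode corresponds to John's approach of an internal identd that answers every query with a canned identity rather than a real username. Port numbers and the usernames are constructed.

```python
"""RFC 1413 (ident/auth) message handling for the exchange Tom describes:
A connects to B, then B opens a *new* TCP connection to A:113 and sends
'<port-on-A>, <port-on-B>'; A replies with the owner of that socket.
Added example, not Shorewall or identd code.  All ports and names constructed."""
import re

REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def parse_request(data):
    """Return (port_on_server, port_on_client) or None if malformed/out of range.
    'server' is the host running identd (A), as RFC 1413 names the fields."""
    m = REQUEST_RE.match(data.rstrip("\r\n"))
    if not m:
        return None
    a_port, b_port = int(m.group(1)), int(m.group(2))
    if not (1 <= a_port <= 65535 and 1 <= b_port <= 65535):
        return None
    return a_port, b_port

def respond(data, owner_of=lambda ports: None, fixed_user=None):
    """Build the reply line that B receives.
    owner_of(ports) -> username is what a real identd does (socket table lookup).
    fixed_user, when set, is returned for every well-formed request, so the
    responder satisfies the query without revealing real local usernames
    (the 'fictitious' identd John runs internally)."""
    ports = parse_request(data)
    if ports is None:
        return "0, 0 : ERROR : INVALID-PORT\r\n"   # RFC 1413 error token
    user = fixed_user if fixed_user is not None else owner_of(ports)
    if user is None:
        return "%d, %d : ERROR : NO-USER\r\n" % ports
    return "%d, %d : USERID : UNIX : %s\r\n" % (ports[0], ports[1], user)

if __name__ == "__main__":
    # Constructed: A's client on port 51234 talks to B:6667; B then asks A:113.
    query = "51234, 6667\r\n"
    print(respond(query, owner_of={(51234, 6667): "chris"}.get), end="")
    print(respond(query, fixed_user="nobody"), end="")
    print(respond("not-a-request\r\n"), end="")
```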