Shorewall users - Mar 2002 - Configuration woes

Hello,

I hope someone can help me.

I am trying to configure a frewall using Shorewall and the sample setup
files supplied by the author, which I have found very useful,
being new to iptables.

After sorting out a number of typos, I managed to get Shorewall to start
successfully, but I have the following problem.

I have a configuration similar to the authors, in that I have a single
machine in a dmz, a local network, and an internet interface.

After starting Shorewall I have no www connection from loc to net, which, as
this is a live system, I have to back out of immediately.

I do see ping messages getting rejected in the log, but can see no trace of
the www packets.

If I can resolve this one issue, I feel sure I can resolve any other issues
that may arise.

I have included the output from iptables -L in the hope that it will help
someone give me a pointer.

 iptables o/p ####

Chain INPUT (policy DROP)
target     prot opt source               destination         
rfc1918    all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
net2fw     all  --  0.0.0.0/0            0.0.0.0/0          
loc2fw     all  --  10.0.0.0             0.0.0.0/0          
dmz2fw     all  --  212.19.75.0/24       0.0.0.0/0          
common     all  --  0.0.0.0/0            0.0.0.0/0          
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg
10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 
reject     all  --  0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP)
target     prot opt source               destination         
rfc1918    all  --  0.0.0.0/0            0.0.0.0/0          
net2loc    all  --  0.0.0.0/0            10.0.0.0           
net2dmz    all  --  0.0.0.0/0            212.19.75.0/24     
loc2net    all  --  10.0.0.0             0.0.0.0/0          
loc2dmz    all  --  10.0.0.0             212.19.75.0/24     
dmz2net    all  --  212.19.75.0/24       0.0.0.0/0          
dmz2loc    all  --  212.19.75.0/24       10.0.0.0           
common     all  --  0.0.0.0/0            0.0.0.0/0          
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg
10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 
reject     all  --  0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
fw2net     all  --  0.0.0.0/0            0.0.0.0/0          
fw2loc     all  --  0.0.0.0/0            10.0.0.0           
fw2dmz     all  --  0.0.0.0/0            212.19.75.0/24     
common     all  --  0.0.0.0/0            0.0.0.0/0          
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg
10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 
reject     all  --  0.0.0.0/0            0.0.0.0/0          

Chain all2all (7 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
common     all  --  0.0.0.0/0            0.0.0.0/0          
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg
10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 
reject     all  --  0.0.0.0/0            0.0.0.0/0          

Chain common (5 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
flags:0x10/0x10 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
flags:0x04/0x04 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:137:139

REJECT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:445
reject-with icmp-port-unreachable 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:135
reject-with icmp-port-unreachable 
DROP       all  --  0.0.0.0/0            255.255.255.255    
DROP       all  --  0.0.0.0/0            224.0.0.0/4        
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:53 state
NEW 
DROP       all  --  0.0.0.0/0            212.19.72.255      
DROP       all  --  0.0.0.0/0            10.0.0.255         
DROP       all  --  0.0.0.0/0            212.19.75.255      

Chain dmz2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain dmz2loc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain dmz2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:123 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain fw2dmz (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:21 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpts:137:139 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain fw2loc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain fw2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:123 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:1723 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:43 
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0          state NEW 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain icmpdef (0 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12 

Chain loc2dmz (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:110 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain loc2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:901 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:135 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpts:137:139 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:445 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:37 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpts:137:139 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:161 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
all2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain loc2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:6667 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix
`Shorewall:loc2net:REJECT:'' 
reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:6667 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain logdrop (7 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0
level 6 prefix `Shorewall:rfc1918:DROP:'' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0          

Chain net2all (3 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
common     all  --  0.0.0.0/0            0.0.0.0/0          
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg
10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0          

Chain net2dmz (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:25 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          state NEW udp
dpt:53 
ACCEPT     tcp  --  212.19.64.2          0.0.0.0/0          state NEW tcp
dpt:53 
reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
net2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain net2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:1723 
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0          state NEW 
reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 
net2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain net2loc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.50          state NEW tcp
dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
dpt:113 
net2all    all  --  0.0.0.0/0            0.0.0.0/0          

Chain reject (8 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          reject-with
tcp-reset 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with
icmp-port-unreachable 

Chain rfc1918 (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            255.255.255.255    
DROP       all  --  169.254.0.0/16       0.0.0.0/0          
logdrop    all  --  0.0.0.0/8            0.0.0.0/0          
logdrop    all  --  10.0.0.0/8           0.0.0.0/0          
logdrop    all  --  127.0.0.0/8          0.0.0.0/0          
logdrop    all  --  192.0.2.0/24         0.0.0.0/0          
logdrop    all  --  192.168.0.0/16       0.0.0.0/0          
logdrop    all  --  172.16.0.0/12        0.0.0.0/0          
logdrop    all  --  240.0.0.0/4          0.0.0.0/0          

Chain shorewall (0 references)
target     prot opt source               destination         

####

rules file ####
# Local network to Internet - Reject attempts by trojans to call home using
IRC
#
REJECT:info loc	net			tcp	6667
#
# Local network to Firewall 
#
ACCEPT	loc	fw			tcp
ssh,swat,135,137:139,445,time
ACCEPT	loc	fw			udp	137:139,snmp
#
# Local network to DMZ 
#
ACCEPT	loc	dmz			udp	domain	
ACCEPT	loc	dmz			tcp	domain,smtp,ssh,auth	
ACCEPT	loc	dmz			tcp	www,ftp,pop3	
ACCEPT	loc	dmz			icmp	echo-request
#
# Internet to DMZ
#
ACCEPT	net	dmz			tcp	www,ftp,smtp
ACCEPT	net	dmz			udp	domain
ACCEPT	net:212.19.64.2	dmz		tcp	domain
REJECT	net	dmz			tcp	auth
#
# Net to Local
#
ACCEPT	net	loc:10.0.0.50		tcp	www
ACCEPT	net	loc			tcp	auth
#
# DMZ to Internet
#
ACCEPT	dmz	net			icmp	echo-request
ACCEPT	dmz	net			tcp	smtp,auth,domain
ACCEPT	dmz	net			udp	domain
ACCEPT	dmz	net			udp	ntp
#
# DMZ to Firewall
#
REJECT	dmz	fw			tcp	auth
#
# DMZ to Local
#
ACCEPT	dmz	loc			tcp	smtp,auth
ACCEPT	dmz	loc			icmp	echo-request
#
# Internet to Firewall
#
ACCEPT 	net	fw			tcp	ssh,1723
ACCEPT	net	fw			gre
REJECT	net	fw			tcp	auth
#
# Firewall to Internet
#
ACCEPT	fw	net			udp	ntp
ACCEPT	fw	net			udp	domain
ACCEPT	fw	net			tcp	domain,www,ssh,1723,whois
ACCEPT	fw	net			gre
ACCEPT	fw	net			icmp	echo-request
#
# Firewall to DMZ
#
ACCEPT	fw	dmz			tcp	ftp
ACCEPT	fw	dmz			udp	domain
ACCEPT	fw	dmz			udp	137:139
#
# People whine if ping doesn''t work
#
ACCEPT		fw	  loc		icmp	8
ACCEPT		loc	  fw		icmp	8
ACCEPT		loc	  dmz           icmp    8
ACCEPT		dmz	  loc		icmp	8
ACCEPT		dmz	  fw		icmp	8
ACCEPT		fw	  dmz		icmp	8

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

####

interfaces file ###

#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth1		212.19.72.255	routefilter,norfc1918	
loc	eth0		10.0.0.255		
dmz	eth2		212.19.75.255	routestopped	
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE





John Lodge
> John Lodge
> Software Engineer
> Redwood Technologies Limited
> T +[44] (0)1344 304 344
> F +[44] (0)1344 304 345
> M +[44] (0)794 122 1422
> E jml@redwoodtech.com
> W www.redwoodtech.com
> 
Email Disclaimer

The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorised. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it is prohibited and may be unlawful. When addressed to our clients any
opinions or advice contained in this email are subject to the limitations of
Redwood Technologies Limited''s standard terms and conditions of
contract.

John Lodge wrote:
> ...
> After starting Shorewall I have no www connection from loc to net, which,
as
> this is a live system, I have to back out of immediately.
> ...
> I have included the output from iptables -L in the hope that it will help
> someone give me a pointer.
Try ''shorewall status'' next time.  It shows the interfaces as
well as the IP
addresses.
>  iptables o/p ####
> ...
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ...
> loc2net    all  --  10.0.0.0             0.0.0.0/0
I suspect this is the problem.  I''m not 100% sure, but i think if the
address
mask is not specified, it defaults to 32, which means only that address.  (Tom,
can you confirm?)  What i don''t know is how you got this here.  On my
system,
the forward chain has this for the loc2net rule:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

...
    0     0 loc2net    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

As you can see, the address is not specified.  Maybe it has something to do
with the broadcast addresses in your interfaces file?  (Again, Tom is the best
person to answer this.)  I suggest using ''detect'' as the
broadcast address on
all your interfaces.
> ...
> Chain loc2net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
> RELATED,ESTABLISHED
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
> dpt:6667 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix
> `Shorewall:loc2net:REJECT:''
> reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
> dpt:6667
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ...
> rules file ####
> # Local network to Internet - Reject attempts by trojans to call home using
> IRC
> # REJECT:info loc net                     tcp     6667
> #
You can see in the loc2net chain above how it this rule is being added
correctly.  Your accept policy is also getting set up correctly (the ACCEPT at
the end).  It all looks pretty good to me (as far as i can tell without the
interfaces).  If the interfaces change i suggested doesn''t work, why
not try
logging in your loc->net policy so that you can see the packets going out.
Capture for a few seconds while attempting a web access and then turn it off
again.
> ...
> # Local network to Firewall
> #
> ACCEPT  loc     fw                      tcp    
ssh,swat,135,137:139,445,time
Good grief!  Why would you be using time protocol?  :-)
> ...
> interfaces file ###
>
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth1            212.19.72.255   routefilter,norfc1918
> loc     eth0            10.0.0.255
> dmz     eth2            212.19.75.255   routestopped
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
All looks well here, although i would recommend routefilter and log/dropunclean
(if your kernel supports it) being on for all interfaces (and
''detect'' as
mentioned above).  You don''t want people on your internal or DMZ LANs
spoofing
IPs to the rest of the world (although it''s pretty unlikely the
internal LAN
could do it).

Paul
http://paulgear.webhop.net

Paul,

Thankyou for your quick reply. You were spot on with the analysis. There was
an incorrect
mask specified in the hosts file.

I am now running the new Shorewall software and this mail will go out
through that firewall.

Regards

John Lodge

-----Original Message-----
From: Paul Gear [mailto:paulgear@bigfoot.com]
Sent: Monday, March 04, 2002 11:36 AM
To: ''shorewall-users@shorewall.net''
Subject: Re: [Shorewall-users] Configuration woes


John Lodge wrote:
> ...
> After starting Shorewall I have no www connection from loc to net, which,
as
> this is a live system, I have to back out of immediately.
> ...
> I have included the output from iptables -L in the hope that it will help
> someone give me a pointer.
Try ''shorewall status'' next time.  It shows the interfaces as
well as the IP
addresses.
>  iptables o/p ####
> ...
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ...
> loc2net    all  --  10.0.0.0             0.0.0.0/0
I suspect this is the problem.  I''m not 100% sure, but i think if the
address
mask is not specified, it defaults to 32, which means only that address.
(Tom,
can you confirm?)  What i don''t know is how you got this here.  On my
system,
the forward chain has this for the loc2net rule:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

...
    0     0 loc2net    all  --  eth0   eth1    0.0.0.0/0
0.0.0.0/0

As you can see, the address is not specified.  Maybe it has something to do
with the broadcast addresses in your interfaces file?  (Again, Tom is the
best
person to answer this.)  I suggest using ''detect'' as the
broadcast address
on
all your interfaces.
> ...
> Chain loc2net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
> RELATED,ESTABLISHED
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
> dpt:6667 limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix
> `Shorewall:loc2net:REJECT:''
> reject     tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp
> dpt:6667
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ...
> rules file ####
> # Local network to Internet - Reject attempts by trojans to call home
using
> IRC
> # REJECT:info loc net                     tcp     6667
> #
You can see in the loc2net chain above how it this rule is being added
correctly.  Your accept policy is also getting set up correctly (the ACCEPT
at
the end).  It all looks pretty good to me (as far as i can tell without the
interfaces).  If the interfaces change i suggested doesn''t work, why
not try
logging in your loc->net policy so that you can see the packets going out.
Capture for a few seconds while attempting a web access and then turn it off
again.
> ...
> # Local network to Firewall
> #
> ACCEPT  loc     fw                      tcp
ssh,swat,135,137:139,445,time

Good grief!  Why would you be using time protocol?  :-)
> ...
> interfaces file ###
>
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     eth1            212.19.72.255   routefilter,norfc1918
> loc     eth0            10.0.0.255
> dmz     eth2            212.19.75.255   routestopped
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
All looks well here, although i would recommend routefilter and
log/dropunclean
(if your kernel supports it) being on for all interfaces (and
''detect'' as
mentioned above).  You don''t want people on your internal or DMZ LANs
spoofing
IPs to the rest of the world (although it''s pretty unlikely the
internal LAN
could do it).

Paul
http://paulgear.webhop.net


_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users