nowak@ebi-service.de
2002-Apr-25 08:29 UTC
[Shorewall-users] Policy Rules not working as expected
Hi,

I have a linux router with 2 nics eth0 and eth1. eth0 is connected to the internet and behind eth1 are several subnets.

My hosts file looks like this:

#ZONE      HOST(S)                 OPTIONS
dinslaken  eth0:10.95.0.0/16       routestopped
moers      eth0:10.96.0.0/16       routestopped
dortmund   eth0:10.97.0.0/16       routestopped
pdv        eth0:192.168.100.0/24   routestopped
token      eth0:149.202.30.0/16    routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

My interface file:

#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth1       detect     routestopped,noping
-      eth0       detect     multi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And my policy file looks like this:

net        all  DROP    info
all        all  REJECT  info
dinslaken  all  DROP    info
moers      net  DROP
dortmund   net  DROP
pdv        net  DROP
token      net  DROP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The strange thing is that when I start shorewall this message is generated:

Processing /etc/shorewall/policy...
Policy REJECT for fw to net.
Policy DROP for net to fw.
Policy DROP for net to dinslaken.
Policy REJECT for dinslaken to fw.
Policy REJECT for dinslaken to net.
Policy REJECT for moers to net.
Policy REJECT for dortmund to net.
Policy REJECT for pdv to net.
Policy REJECT for token to net.

Why is the Policy REJECT ??? and why is it logged ?

Apr 25 10:09:25 intra kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth1 SRC=10.95.30.20 DST=207.46.226.34 LEN=76 TOS=0x00 PREC=0x00 TTL=126 ID=11 PROTO=UDP SPT=123 DPT=123 LEN=56

Any help would be nice.

Thanks
Bernd

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
nowak@ebi-service.de wrote:
> ...
> And my policy file looks like this:
> ...
> all all REJECT info
> ....
> The strange thing is that when I start shorewall this message is generated:
>
> Processing /etc/shorewall/policy...
> Policy REJECT for fw to net.
> Policy DROP for net to fw.
> Policy DROP for net to dinslaken.
> Policy REJECT for dinslaken to fw.
> Policy REJECT for dinslaken to net.
> Policy REJECT for moers to net.
> Policy REJECT for dortmund to net.
> Policy REJECT for pdv to net.
> Policy REJECT for token to net.
>
> Why is the Policy REJECT ??? and why is it logged ?

The answer to this is in *big red letters* in the shorewall documentation:

WARNING: The firewall script processes the /etc/shorewall/policy file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies REJECT.

So your answer is: Because of the all -> all rule. Put it *below* the other policies and it should work.

Paul
http://paulgear.webhop.net
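An added example, not Paul's or Shorewall's own code: a small Python first-match resolver run over the policy file quoted in this thread. It shows why "moers to net" (and the dinslaken-to-net packet logged by the all2all chain) comes out as REJECT from the catch-all entry, and how the same entries resolve once the all/all line is moved last. The zone pairs passed to effective_policies are those from the startup messages.

```python
# Added example (not Shorewall's own code): a first-match resolver that walks a
# /etc/shorewall/policy file top to bottom, using the policy lines quoted above.
# Each entry is SOURCE DEST POLICY [LOGLEVEL]; comments and blank lines are skipped.
ORIGINAL_POLICY = """\
net       all  DROP    info
all       all  REJECT  info
dinslaken all  DROP    info
moers     net  DROP
dortmund  net  DROP
pdv       net  DROP
token     net  DROP
"""

# Same entries with the catch-all moved to the bottom, as Paul suggests.
FIXED_POLICY = """\
net       all  DROP    info
dinslaken all  DROP    info
moers     net  DROP
dortmund  net  DROP
pdv       net  DROP
token     net  DROP
all       all  REJECT  info
"""

def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        loglevel = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2], loglevel))
    return entries

def lookup(entries, src, dst):
    """First applicable entry wins; 'all' matches any zone, including fw."""
    for esrc, edst, policy, loglevel in entries:
        if esrc in (src, "all") and edst in (dst, "all"):
            return policy, loglevel
    return None  # no entry matched this zone pair

def effective_policies(text, pairs):
    """Map 'src to dst' -> (policy, loglevel), like the startup messages."""
    entries = parse_policy(text)
    return {f"{s} to {d}": lookup(entries, s, d) for s, d in pairs}
```

With ORIGINAL_POLICY every zone-to-net pair other than net itself resolves to the second entry, which is exactly the list of "Policy REJECT" lines Shorewall printed; with FIXED_POLICY the per-zone DROP entries are reached first.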
nowak@ebi-service.de
2002-Apr-25 10:05 UTC
[Shorewall-users] Policy Rules not working as expected
Thanks Paul, that was the clue. I changed it and now it is working. I read it in the documentation but could not see that it was the missing key ;).
Patrick Benson
2002-Apr-25 10:48 UTC
[Shorewall-users] Policy Rules not working as expected
nowak@ebi-service.de wrote:
>
> Hi, I have a linux router with 2 nics eth0 and eth1. eth0 is connected to the
> internet and behind eth1 are several subnets.

Hello,

I'm just a little curious. You have defined that eth0 is connected to the internet yet you bind your local subnets with eth0 instead of eth1 below:

> My hosts file looks like this:
>
> #ZONE      HOST(S)                 OPTIONS
> dinslaken  eth0:10.95.0.0/16       routestopped
> moers      eth0:10.96.0.0/16       routestopped
> dortmund   eth0:10.97.0.0/16       routestopped
> pdv        eth0:192.168.100.0/24   routestopped
> token      eth0:149.202.30.0/16    routestopped
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Tom's documentation usually looks like this, copied from his site:

ZONE  INTERFACE  BROADCAST  OPTIONS
net   eth0       detect     dhcp,noping,norfc1918,blacklist
loc   eth1       detect     routestopped

> My interface file:
>
> #ZONE  INTERFACE  BROADCAST  OPTIONS
> net    eth1       detect     routestopped,noping
> -      eth0       detect     multi

..yet you have it switched the other way around. Shouldn't your net interface be eth0? I just mention this because you may get more problems later on without realizing what may be causing the errors...

Regards,
--
Patrick Benson
Stockholm, Sweden
On Thu, 25 Apr 2002, Patrick Benson wrote:
> nowak@ebi-service.de wrote:
> >
> > Hi, I have a linux router with 2 nics eth0 and eth1. eth0 is connected to the
> > internet and behind eth1 are several subnets.
>
> Hello,
>
> I'm just a little curious. You have defined that eth0 is connected to
> the internet yet you bind your local subnets with eth0 instead of eth1
> below:
>
> > My hosts file looks like this:
> >
> > #ZONE      HOST(S)                 OPTIONS
> > dinslaken  eth0:10.95.0.0/16       routestopped
> > moers      eth0:10.96.0.0/16       routestopped
> > dortmund   eth0:10.97.0.0/16       routestopped
> > pdv        eth0:192.168.100.0/24   routestopped
> > token      eth0:149.202.30.0/16    routestopped
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> Tom's documentation usually looks like this, copied from his site:
>
> ZONE  INTERFACE  BROADCAST  OPTIONS
> net   eth0       detect     dhcp,noping,norfc1918,blacklist
> loc   eth1       detect     routestopped
>
> > My interface file:
> >
> > #ZONE  INTERFACE  BROADCAST  OPTIONS
> > net    eth1       detect     routestopped,noping
> > -      eth0       detect     multi
>
> ..yet you have it switched the other way around. Shouldn't your net
> interface be eth0? I just mention this because you may get more problems
> later on without realizing what may be causing the errors...
>

Shorewall doesn't care which interface is which -- there are only two names that Shorewall attaches any meaning to:

a) The contents of the FW variable (normally 'fw') -- that is the zone of the firewall itself.
b) 'multi' which is the pseudo-zone that Shorewall creates to be able to report on the 'multi2fw' chain.

The reason that my documentation and the samples use eth0 for the external interface is because many of them are taken from my setup which is configured that way. No other reason.

So if you want to call your internet zone 'foo' and your local zone 'bar', go for it :-)

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Patrick Benson
2002-Apr-25 13:37 UTC
[Shorewall-users] Policy Rules not working as expected
Tom Eastep wrote:
> Shorewall doesn't care which interface is which -- there are only two
> names that Shorewall attaches any meaning to:
>
> a) The contents of the FW variable (normally 'fw') -- that is the zone of
> the firewall itself.
> b) 'multi' which is the pseudo-zone that Shorewall creates to be able to
> report on the 'multi2fw' chain.
>
> The reason that my documentation and the samples use eth0 for the external
> interface is because many of them are taken from my setup which is
> configured that way. No other reason.
>
> So if you want to call your internet zone 'foo' and your local zone 'bar',
> go for it :-)

Sure, Tom, that's quite understandable.... :) ...but it's not the point I'm trying to offer.

The problem is that he may *think* he has it configured one way but it actually is configured totally the opposite. He mentioned, in the beginning, that eth0 is connected to the net and eth1 is used for his subnets, but his configuration was actually switched the other way round. What happens if he starts modifying the policies and rules and thinks he's doing one thing but will be doing something quite the opposite?.. Security should be primarily about knowing exactly what one is doing, not just being satisfied that it works ok for the moment..

--
Patrick Benson
Stockholm, Sweden
On Thu, 25 Apr 2002, Patrick Benson wrote:
> Tom Eastep wrote:
>
> Sure, Tom, that's quite understandable.... :) ...but it's not the
> point I'm trying to offer.
>
> The problem is that he may *think* he has it configured one way but it
> actually is configured totally the opposite. He mentioned, in the
> beginning, that eth0 is connected to the net and eth1 is used for his
> subnets, but his configuration was actually switched the other way
> round. What happens if he starts modifying the policies and rules and
> thinks he's doing one thing but will be doing something quite the
> opposite?.. Security should be primarily about knowing exactly what one
> is doing, not just being satisfied that it works ok for the moment..
>

Sorry Patrick -- I didn't pay attention to which post you were replying to. Yes, I agree totally that there is no reason to switch the meaning of 'net' and 'loc' and I replied to that effect to the original poster.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Thu, 25 Apr 2002, Tom Eastep wrote:
>
> Sorry Patrick -- I didn't pay attention to which post you were replying
> to. Yes, I agree totally that there is no reason to switch the meaning of
> 'net' and 'loc' and I replied to that effect to the original poster.

Ok -- hope that I haven't made everyone else as confused as I am :-)

We had two posts this morning with similar traits:

a) David Grant -- he reported that his local net was actually the internet because of something that I didn't understand.
b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was his network interface and eth1 was his local yet his configuration looked to be the other way around. I thought that his opening paragraph was a typo given that the subnets on eth1 (with the exception of 'token') use RFC1918 addresses and that's why I reacted to Patrick's post. To me, it still looks like a typo; maybe Bernd can clear that up for us.

It was David's post that I responded to given that I didn't understand that part about why his local net was on the internet. I think I've now muddled that one out. David has a single NIC in each of two systems, both of which get IPs dynamically from his ISP. So he is using one lan segment for both internet and local traffic. Not the world's best idea given that the rules that he posted will give all of his neighbors free SMB access to his SAMBA box.

I have a similar configuration here currently but I use a PPTP VPN from my laptop to my firewall. The reason that the laptop moved out from behind my firewall is that any time that I need tech support from my employer, that's the first thing that the help desk wants me to do :-/ I just decided to leave it outside the firewall permanently. Makes a good PoPToP test bed :-)

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Patrick Benson
2002-Apr-25 14:41 UTC
[Shorewall-users] Policy Rules not working as expected
Tom Eastep wrote:
> > Sorry Patrick -- I didn't pay attention to which post you were replying
> > to. Yes, I agree totally that there is no reason to switch the meaning of
> > 'net' and 'loc' and I replied to that effect to the original poster.
>
> Ok -- hope that I haven't made everyone else as confused as I am :-)
>
> We had two posts this morning with similar traits:

Hey Tom,

Maybe it's time for you to ask us users for some help in helping you out with answering all these questions? Don't burn yourself out! :)

--
Patrick Benson
Stockholm, Sweden