Shorewall users - Apr 2002 - Policy Rules not working as expected (fwd)

Tom,

Thanks for the reply, and sorry for not being 100% clear about my setup. 
 Your guess is right...I have one interface (eth0) on each machine. 
 You''re right, it''s not a smart idea since anyone can get to
my computer
through SMB over TCP/IP, but the reason I did was because someone in my 
local LUG lied to me, and told me that my ADSL router/modem would not 
pass these packets out onto the Internet.  I guess the guy was probably 
a Windows user and was confused with NetBEUI or something.  My best 
option now is to just get a new network card for each computer and 
connect them with one cable.  Very secure.  But I''m making the best of 
it.  At any given time I either have no shares, or I put a complicated 
password on the share.

Anyways, about this problem, it''s kind of boggling me as to why
I''m
getting these packets blocked.  Here''s what I see in my syslog file: 
 (I''ve disgused my IP for security reasons):

syslog file:

Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0 
OUT= MAC=<MAC address> SRC=<IP of the computer downstairs>
DST=<IP of my
computer> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137 
DPT=1038 LEN=70

interfaces file:

net     eth0            detect          routefilter,dhcp

policy file:

fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

rules file:

DROP            net       fw            tcp     113
ACCEPT          net     fw              tcp     80      #HTTP server
ACCEPT          net     fw              tcp     22      #SSH server
ACCEPT          fw      net             udp     137:139 #SAMBA
ACCEPT          fw      net             tcp     137,139    #SAMBA
ACCEPT          net     fw              udp     137:139    #SAMBA
ACCEPT          net     fw              tcp     137,139    #SAMBA
ACCEPT          net     fw              tcp     6346    #Gnutella

zones file:

net     Net             Internet

All other config files are empty.

I basically set up my system by downloading the example files from the 
shorewall website for a single interface network setup.  I did cp -f * 
/etc/shorewall/ to all the files, I then edied the rules file, and I 
think that''s it.  If I stop shorewall I can see the shares on the other
computer, and as soon as I start it, I can''t see the other computers 
shares (although I can see the computer) and I start to see dropped 
packets.  Oh yeah, the "other" computer is a Windows 98 PC by the way.

If you can give me any advice about this that would be great.  I hope I 
have explained everything more clearly this time.  Thanks,

David Grant


Tom Eastep wrote:
>Subject: Re: [Shorewall-users] Policy Rules not working as expected
>
>On Thu, 25 Apr 2002, Tom Eastep wrote:
>
>  
>
>>Sorry Patrick -- I didn''t pay attention to which post you were
replying
>>to. Yes, I agree totally that there is no reason to switch the meaning
of
>>''net'' and ''loc'' and I replied to
that effect to the original poster.
>>    
>>
>
>Ok -- hope that I haven''t made everyone else as confused as I am
:-)
>
>We had two posts this morning with similar traits:
>
>a) David Grant -- he reported that his local net was actually the internet 
>because of something that I didn''t understand.
>
>b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was his
>network interface and eth1 was his local yet his configuration looked to
>be the other way around. I thought that his opening paragraph was a typo
>given that the subnets on eth1 (with the exception of
''token'') use RFC1918
>addresses and that''s why I reacted to Patrick''s post. To
me, it still
>looks like a typo;  maybe Bernd can clear that up for us.
>
>It was David''s post that I responded to given that I
didn''t understand
>that part about why his local net being on the internet. I think
I''ve now
>muddled that one out. David has a single NIC in each of two systems, both
>of which get IP''s dynamically from his ISP. So he is using one lan
segment
>for both internet and local traffic. Not the world''s best idea
given that
>the rules that he posted will give all of his neighbors free SMB access to
>his SAMBA box.
>
>I have a similar configuration here currently but I use a PPTP VPN from my
>laptop to my firewall. The reason that the laptop moved out from behind my
>firewall is that any time that I need tech support from my employer,
>that''s the first thing that the help desk wants me to do :-/ I just
>decided to leave it outside the firewall permanently. Makes a good PoPToP 
>test bed :-)
>
>-Tom
>  
>

Hi David:

could this be the problem:

ACCEPT          net     fw              udp     137:139   
#SAMBA

shouldn''t that be 137,139??

To everybody:

to limit access, can''t you do something like:

ACCEPT          net     fw              udp     137,139  
-    <ip of allowed comp>

Just a couple of thoughts.....

Jerry Vonau





David Grant wrote:
> 
> Tom,
> 
> Thanks for the reply, and sorry for not being 100% clear about my setup.
>  Your guess is right...I have one interface (eth0) on each machine.
>  You''re right, it''s not a smart idea since anyone can get
to my computer
> through SMB over TCP/IP, but the reason I did was because someone in my
> local LUG lied to me, and told me that my ADSL router/modem would not
> pass these packets out onto the Internet.  I guess the guy was probably
> a Windows user and was confused with NetBEUI or something.  My best
> option now is to just get a new network card for each computer and
> connect them with one cable.  Very secure.  But I''m making the
best of
> it.  At any given time I either have no shares, or I put a complicated
> password on the share.
> 
> Anyways, about this problem, it''s kind of boggling me as to why
I''m
> getting these packets blocked.  Here''s what I see in my syslog
file:
>  (I''ve disgused my IP for security reasons):
> 
> syslog file:
> 
> Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0
> OUT= MAC=<MAC address> SRC=<IP of the computer downstairs>
DST=<IP of my
> computer> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137
> DPT=1038 LEN=70
> 
> interfaces file:
> 
> net     eth0            detect          routefilter,dhcp
> 
> policy file:
> 
> fw              net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
> 
> rules file:
> 
> DROP            net       fw            tcp     113
> ACCEPT          net     fw              tcp     80      #HTTP server
> ACCEPT          net     fw              tcp     22      #SSH server
> ACCEPT          fw      net             udp     137:139 #SAMBA
> ACCEPT          fw      net             tcp     137,139    #SAMBA
> ACCEPT          net     fw              udp     137:139    #SAMBA
> ACCEPT          net     fw              tcp     137,139    #SAMBA
> ACCEPT          net     fw              tcp     6346    #Gnutella
> 
> zones file:
> 
> net     Net             Internet
> 
> All other config files are empty.
> 
> I basically set up my system by downloading the example files from the
> shorewall website for a single interface network setup.  I did cp -f *
> /etc/shorewall/ to all the files, I then edied the rules file, and I
> think that''s it.  If I stop shorewall I can see the shares on the
other
> computer, and as soon as I start it, I can''t see the other
computers
> shares (although I can see the computer) and I start to see dropped
> packets.  Oh yeah, the "other" computer is a Windows 98 PC by the
way.
> 
> If you can give me any advice about this that would be great.  I hope I
> have explained everything more clearly this time.  Thanks,
> 
> David Grant
> 
> Tom Eastep wrote:
> 
> >Subject: Re: [Shorewall-users] Policy Rules not working as expected
> >
> >On Thu, 25 Apr 2002, Tom Eastep wrote:
> >
> >
> >
> >>Sorry Patrick -- I didn''t pay attention to which post you
were replying
> >>to. Yes, I agree totally that there is no reason to switch the
meaning of
> >>''net'' and ''loc'' and I replied
to that effect to the original poster.
> >>
> >>
> >
> >Ok -- hope that I haven''t made everyone else as confused as I
am :-)
> >
> >We had two posts this morning with similar traits:
> >
> >a) David Grant -- he reported that his local net was actually the
internet
> >because of something that I didn''t understand.
> >
> >b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was
his
> >network interface and eth1 was his local yet his configuration looked
to
> >be the other way around. I thought that his opening paragraph was a
typo
> >given that the subnets on eth1 (with the exception of
''token'') use RFC1918
> >addresses and that''s why I reacted to Patrick''s post.
To me, it still
> >looks like a typo;  maybe Bernd can clear that up for us.
> >
> >It was David''s post that I responded to given that I
didn''t understand
> >that part about why his local net being on the internet. I think
I''ve now
> >muddled that one out. David has a single NIC in each of two systems,
both
> >of which get IP''s dynamically from his ISP. So he is using one
lan segment
> >for both internet and local traffic. Not the world''s best idea
given that
> >the rules that he posted will give all of his neighbors free SMB access
to
> >his SAMBA box.
> >
> >I have a similar configuration here currently but I use a PPTP VPN from
my
> >laptop to my firewall. The reason that the laptop moved out from behind
my
> >firewall is that any time that I need tech support from my employer,
> >that''s the first thing that the help desk wants me to do :-/ I
just
> >decided to leave it outside the firewall permanently. Makes a good
PoPToP
> >test bed :-)
> >
> >-Tom
> >
> >
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

On Thu, 25 Apr 2002, Jerry Vonau wrote:
> Hi David:
>
> could this be the problem:
>
> ACCEPT          net     fw              udp     137:139
> #SAMBA
>
> shouldn''t that be 137,139??
No -- UDP 138 is the netbios datagram service which you need to allow.
>
> To everybody:
>
> to limit access, can''t you do something like:
>
> ACCEPT          net     fw              udp     137,139
> -    <ip of allowed comp>
>
No -- that is an invalid rule. The correct way to do that would be:

ACCEPT	net:<ip of allowed comp>	fw	udp	137:139

Alas, David has dynamic IPs.

I''ve been working privately with David and his situation is very odd.
The
packets that are getting rejected have SOURCE port 137 so they look like
replies but there is NO entry in the connection tracking table that
matches these packets. This means that the RELATED, ESTABLISHED rule at
the head of the ''net2fw'' chain is not passing the packets as
it normally
would.

David and I welcome other ideas. If David hasn''t made any more
progress,
we have to start looking at tcpdump traces.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom:

Tom Eastep wrote:
> 
> On Thu, 25 Apr 2002, Jerry Vonau wrote:
> 
> > Hi David:
> >
> > could this be the problem:
> >
> > ACCEPT          net     fw              udp     137:139
> > #SAMBA
> >
> > shouldn''t that be 137,139??
> 
> No -- UDP 138 is the netbios datagram service which you need to allow.
I was referring to the syntax of the port range, not the
ports involved.
Which is correct 137:139 137,139 or both?
> >
> > To everybody:
> >
> > to limit access, can''t you do something like:
> >
> > ACCEPT          net     fw              udp     137,139
> > -    <ip of allowed comp>
> >
> 
> No -- that is an invalid rule. The correct way to do that would be:
> 
> ACCEPT  net:<ip of allowed comp>        fw      udp     137:139
> 
OK, I blew that one..... Must think before speaking or at
least look at
my own rules. ;-)

> Alas, David has dynamic IPs.
> 
> I''ve been working privately with David and his situation is very
odd. The
> packets that are getting rejected have SOURCE port 137 so they look like
> replies but there is NO entry in the connection tracking table that
> matches these packets. This means that the RELATED, ESTABLISHED rule at
> the head of the ''net2fw'' chain is not passing the packets
as it normally
> would.
That is a little weird, problems with ip_conntrack? That is
not very reassuring.
Just curious, what kernel version is this puppy running?
 
> David and I welcome other ideas. If David hasn''t made any more
progress,
> we have to start looking at tcpdump traces.
Going on the assumption that there is a hub/switch between
the 2 computers
and the adsl modem, could you not use MAC addresses to
filter on?
 

Jerry

On Thu, 25 Apr 2002, Jerry Vonau wrote:
>
> I was referring to the syntax of the port range, not the
> ports involved.
> Which is correct 137:139 137,139 or both?
>
Both -- "137:139" is a range including 138. "137,139" is a
list that
doesn''t include 138.
> > the head of the ''net2fw'' chain is not passing the
packets as it normally
> > would.
>
> That is a little weird, problems with ip_conntrack? That is
> not very reassuring.
> Just curious, what kernel version is this puppy running?
Drake 8.2 (2.4.18-xxxmdk).
>
> Going on the assumption that there is a hub/switch between
> the 2 computers
> and the adsl modem, could you not use MAC addresses to
> filter on?
On input, yes.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

At 25/4/2002 20:17, you wrote:
 > policy file:
 >
 > fw              net             ACCEPT
 > net             all             DROP            info
 > all             all             REJECT          info
 >
 > rules file:
 >
 > DROP            net       fw            tcp     113
 > ACCEPT          net     fw              tcp     80      #HTTP server
 > ACCEPT          net     fw              tcp     22      #SSH server

 > ACCEPT          fw      net             udp     137:139 #SAMBA
 > ACCEPT          fw      net             tcp     137,139    #SAMBA

These two are useless because the POLICY from fw to net is ACCEPT.

 > ACCEPT          net     fw              udp     137:139    #SAMBA
 > ACCEPT          net     fw              tcp     137,139    #SAMBA
 > ACCEPT          net     fw              tcp     6346    #Gnutella

-Gilson

At 25/4/2002 20:17, you wrote:
 > policy file:
 >
 > fw              net             ACCEPT
 > net             all             DROP            info
 > all             all             REJECT          info
 >
 > rules file:
 >
 > DROP            net       fw            tcp     113
 > ACCEPT          net     fw              tcp     80      #HTTP server
 > ACCEPT          net     fw              tcp     22      #SSH server

 > ACCEPT          fw      net             udp     137:139 #SAMBA
 > ACCEPT          fw      net             tcp     137,139    #SAMBA

These two are useless because the POLICY from fw to net is ACCEPT.

 > ACCEPT          net     fw              udp     137:139    #SAMBA
 > ACCEPT          net     fw              tcp     137,139    #SAMBA
 > ACCEPT          net     fw              tcp     6346    #Gnutella

-Gilson

Tom Eastep wrote
>No -- that is an invalid rule. The correct way to do that would be:
>
>ACCEPT	net:<ip of allowed comp>	fw	udp	137:139
>
>Alas, David has dynamic IPs.
>  
>
Would it be possible to put a dynamic host name here?  Is it able to 
look it up?  I have dynamic host names for each computer.  I won''t 
bother trying it now as I haven''t gotten Samba working at all yet.

On Fri, 26 Apr 2002, David Grant wrote:
> >
> Would it be possible to put a dynamic host name here?  Is it able to
> look it up?  I have dynamic host names for each computer.  I won''t
> bother trying it now as I haven''t gotten Samba working at all yet.
>
No -- as explained in the FAQ, I don''t support that.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net