Hi
I have a bit of a problem in that all broadcast packets from my firewall
to my local network are being blocked. This has the effect of causing
Samba and things like zebra (routing daemon) to report constant errors.
The blocking seems to be being done by the common chain, which looks like
this:
Chain common (5 references)
 pkts bytes target  prot opt in  out source     destination
    6   336 icmpdef icmp --  *   *   0.0.0.0/0  0.0.0.0/0
 1491 68338 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp flags:0x10/0x10
    3  1580 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp flags:0x04/0x04
    0     0 DROP    udp  --  *   *   0.0.0.0/0  0.0.0.0/0        udp dpt:1900
    0     0 DROP    all  --  *   *   0.0.0.0/0  255.255.255.255
    0     0 DROP    all  --  *   *   0.0.0.0/0  224.0.0.0/4
    0     0 DROP    all  --  *   *   0.0.0.0/0  255.255.255.255
    0     0 DROP    all  --  *   *   0.0.0.0/0  192.168.0.255
However, the common file only contains:
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
I can't see where the last 2 entries as reported by shorewall status are
coming from, or how to stop it blocking the 192.168.0.255 address from the
firewall out to the eth1 interface.
Thanks
--
Drew Alexander Reed
http://www.c-hacker.co.uk
ICQ: 47205581
Drew Alexander Reed wrote:
> ...
> I have a bit of a problem in that all broadcast packets from my firewall
> to my local network are being blocked. This has the effect of causing
> Samba and things like zebra (routing daemon) to report constant errors.
>
> The blocking seems to be being done by the common chain, which looks like
> this:
>
> Chain common (5 references)
> pkts bytes target prot opt in out source destination
> ...
> 0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
> 0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
> ...
> I can't see where the last 2 entries as reported by shorewall status are
> coming from?

They're definitely not coming from the common file. My common chain looks
exactly like the common.def file. Presumably there is something else at work
here. What other files have you changed from the defaults?

> or how to stop it blocking the 192.168.0.255 address from the
> firewall out to the eth1 interface.

Keep in mind that common/common.def is only used when both rules and
policies have already been processed. So, for example, if you have a policy
of accept on loc2fw, then common will not be used. Thus, regardless of what
exists in common, adding an appropriate rule should override it.

Paul
http://paulgear.webhop.net
On Tue, 30 Apr 2002, Paul Gear wrote:

> Drew Alexander Reed wrote:
> > ...
> > I have a bit of a problem in that all broadcast packets from my firewall
> > to my local network are being blocked. This has the effect of causing
> > Samba and things like zebra (routing daemon) to report constant errors.
> >
> > The blocking seems to be being done by the common chain, which looks like
> > this:
> >
> > Chain common (5 references)
> > pkts bytes target prot opt in out source destination
> > ...
> > 0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
> > 0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
> > ...
> > I can't see where the last 2 entries as reported by shorewall status are
> > coming from?
>
> They're definitely not coming from the common file. My common chain looks
> exactly like the common.def file. Presumably there is something else at work
> here. What other files have you changed from the defaults?
>

Shorewall adds the subnet broadcast address (if any) of each interface.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
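Where the 192.168.0.255 entry comes from, shown as an added example (this is not Shorewall's own code): the "detect" step that derives an interface's subnet broadcast address and the broadcast DROP rules it produces in the common chain. It assumes eth1 is 192.168.0.1/24, which the thread never states; any /24 on 192.168.0.0 yields the same 192.168.0.255 rule.

```shell
#!/usr/bin/env bash
# Added example, not Shorewall's code: reproduce how an interface's subnet
# broadcast address ends up as a DROP rule in the common chain.
# Assumption: eth1 is 192.168.0.1/24 (not stated in the thread).

# ip_to_int 192.168.0.1 -> 3232235521 (dotted quad to 32-bit integer)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235775 -> 192.168.0.255
int_to_ip() {
  local n=$1
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# subnet_broadcast ADDR/PREFIX -> the subnet broadcast address, or "-" when
# the prefix has none (/31 and /32, e.g. point-to-point links), which is the
# "(if any)" case Tom mentions.
subnet_broadcast() {
  local addr=${1%/*} prefix=${1#*/}
  if [ "$prefix" -ge 31 ]; then echo "-"; return; fi
  local mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  local net=$(( $(ip_to_int "$addr") & mask ))
  int_to_ip $(( net | (~mask & 0xFFFFFFFF) ))
}

# common_chain_rules ADDR/PREFIX... -> the broadcast/multicast DROP rules at
# the tail of the common chain: the two from common.def, then one per
# interface that has a subnet broadcast (as seen in the status listing).
common_chain_rules() {
  echo "-A common -d 255.255.255.255 -j DROP"
  echo "-A common -d 224.0.0.0/4 -j DROP"
  local cidr bc
  for cidr in "$@"; do
    bc=$(subnet_broadcast "$cidr")
    if [ "$bc" != "-" ]; then
      echo "-A common -d $bc -j DROP"
    fi
  done
}

# eth1 on 192.168.0.0/24 produces the 192.168.0.255 rule from the thread;
# a /30 point-to-point link on eth0 would add its own /30 broadcast.
common_chain_rules 192.168.0.1/24
```

Remember Tom's other point: these rules only matter when the governing policy is not ACCEPT, because traffic accepted by policy never reaches the common chain.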
> Shorewall adds the subnet broadcast address (if any) of each interface.

Any chance of an override option in interfaces (like we can specify noping,
routestopped, etc) that would say 'permit broadcast on this interface'?

Simon
On Tue, 30 Apr 2002, Simon Turvey wrote:

> > Shorewall adds the subnet broadcast address (if any) of each interface.
>
> Any chance of an override option in interfaces (like we can specify noping,
> routestopped, etc) that would say 'permit broadcast on this interface'?
>

Packets only traverse the 'common' chain when the policy is other than
ACCEPT. So if you simply put "-" in the BROADCAST column for an interface
then broadcasts will be accepted if the applicable policy is ACCEPT.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Tue, 30 Apr 2002, Tom Eastep wrote:

> On Tue, 30 Apr 2002, Simon Turvey wrote:
>
> > > Shorewall adds the subnet broadcast address (if any) of each interface.
> >
> > Any chance of an override option in interfaces (like we can specify noping,
> > routestopped, etc) that would say 'permit broadcast on this interface'?
> >
>
> Packets only traverse the 'common' chain when the policy is other than
> ACCEPT. So if you simply put "-" in the BROADCAST column for an interface
> then broadcasts will be accepted if the applicable policy is ACCEPT.
>

Actually, it doesn't matter what you put in the BROADCAST column, but
omitting that column results in one less useless rule in the common chain.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thanks Tom. That's given me the info I needed to have a rethink of my
policies and slim down my rules file. It all seems to be working just dandy
now.
Cheers,
Simon
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Simon Turvey" <turveysp@ntlworld.com>
Cc: <shorewall-users@shorewall.net>
Sent: Tuesday, April 30, 2002 4:46 PM
Subject: Re: [Shorewall-users] Blocking local broadcasts

> On Tue, 30 Apr 2002, Tom Eastep wrote:
>
> > On Tue, 30 Apr 2002, Simon Turvey wrote:
> >
> > > > Shorewall adds the subnet broadcast address (if any) of each interface.
> > >
> > > Any chance of an override option in interfaces (like we can specify
> > > noping, routestopped, etc) that would say 'permit broadcast on this
> > > interface'?
> > >
> >
> > Packets only traverse the 'common' chain when the policy is other than
> > ACCEPT. So if you simply put "-" in the BROADCAST column for an
> > interface then broadcasts will be accepted if the applicable policy is ACCEPT.
> >
>
> Actually, it doesn't matter what you put in the BROADCAST column but
> omitting that column results in one less useless rule in the common chain.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
Tom Eastep wrote:
> ...
> > > ...
> > > I can't see where the last 2 entries as reported by shorewall status are
> > > coming from?
> >
> > They're definitely not coming from the common file. My common chain looks
> > exactly like the common.def file. Presumably there is something else at work
> > here. What other files have you changed from the defaults?
> >
>
> Shorewall adds the subnet broadcast address (if any) of each interface.

I must be going blind - there they are right on the end of the list.

Paul
http://paulgear.webhop.net