I have been successfully running shorewall 1.2.3 for several months. The firewall machine connects to a cable modem on eth0 and routes to several other subnets on other NICs.

Recently, internet access through the firewall failed and I began to investigate. I was able to SSH into the firewall. The /var/lib/dhcp/dhclient.lease file appeared to have current, unexpired leases. Pinging the gateway and name servers given in the dhclient.lease file resulted in "network destination unreachable" messages. I displayed "ip route" and did not see anything obviously wrong (although I am a novice at this).

I rebooted the firewall machine and internet access is now restored. I should have gathered more info before rebooting - sorry :(

I did notice that /var/log/messages had the following message repeated twice each day:

  May 3 20:43:04 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=30966 PROTO=UDP SPT=67 DPT=68 LEN=345
  May 4 07:17:02 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=31532 PROTO=UDP SPT=67 DPT=68 LEN=345

I also noted that IP=10.116.16.1 is the IP address that is listed during the reboot as the server that issued my new DHCP license ! My naive guess is that the DHCP server machine has been trying to tell me something that is getting dropped in the firewall - but I could be all wrong on this.

My interfaces file reads as follows:

  #ZONE   INTERFACE   BROADCAST         OPTIONS
  cbl     eth0        detect            routefilter,norfc1918,dhcp,dropunclean
  -       eth1        192.168.155.255
  fam     eth2        192.168.185.255   routestopped
  khr     eth3        192.168.195.255
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Any suggestions appreciated !

Thanks,
Scott.
On Sun, 5 May 2002, J.Scott Merritt wrote:

> I also noted that IP=10.116.16.1 is the IP address that is listed during
> the reboot as the server that issued my new DHCP license ! My naive
> guess is that the DHCP server machine has been trying to tell me
> something that is getting dropped in the firewall - but I could be all
> wrong on this.
>
> Any suggestions appreciated !

Sounds like the solution in FAQ 14 (http://www.shorewall.net/FAQ.htm#faq14) would work for you. Just substitute the address of the DHCP server where the solution has 192.168.100.1. Also, I would upgrade to a newer version of Shorewall; 1.2.3 is 3 1/2 months old.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
"J.Scott Merritt" wrote:
> ...
> Recently, internet access through the firewall failed and I began to investigate. I was able to SSH into the firewall. The /var/lib/dhcp/dhclient.lease file appeared to have current, unexpired leases.
> ...
> May 3 20:43:04 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=30966 PROTO=UDP SPT=67 DPT=68 LEN=345
> May 4 07:17:02 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=31532 PROTO=UDP SPT=67 DPT=68 LEN=345
>
> I also noted that IP=10.116.16.1 is the IP address that is listed during the reboot as the server that issued my new DHCP license ! My naive guess is that the DHCP server machine has been trying to tell me something that is getting dropped in the firewall - but I could be all wrong on this.
>
> My interfaces file reads as follows:
>
> #ZONE INTERFACE BROADCAST OPTIONS
> cbl eth0 detect routefilter,norfc1918,dhcp,dropunclean
> - eth1 192.168.155.255
> fam eth2 192.168.185.255 routestopped
> khr eth3 192.168.195.255
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Any suggestions appreciated !

10.116.16.1 is an RFC1918 IP address. You can't run the interface in norfc1918 mode and use this as your DHCP server without an additional workaround. See http://shorewall.net/FAQ.htm#faq14 for the workaround.

Paul
http://paulgear.webhop.net
Paul,

In an obvious statement of ignorance, I will admit that I had no clue the 10.116.16.1 was an RFC1918 address nor that it would be "reasonable" for the cable modem ISP to use one for their DHCP server.

Thanks for the help,
Scott.
Hi Scott,

>-----Original Message-----
>From: J.Scott Merritt [mailto:Scott@PragmaSoft.com]
>Posted At: 5 May 2002 22:21
>Posted To: shorewall
>Conversation: [Shorewall-users] dhcp problem
>Subject: Re: [Shorewall-users] dhcp problem
>
>Paul,
>
>In an obvious statement of ignorance, I will admit that I had no clue the 10.116.16.1 was an RFC1918 address nor
>that it would be "reasonable" for the cable modem ISP to use one for their DHCP server.
>
>Thanks for the help, Scott.

I don't think it's ignorant at all. The fact that some ISP's use RFC1918 addresses for their DNS and DHCP servers undermines security. Unfortunately, a lot of us are stuck with their stubborn unwillingness to care about anything but making money... Of course we should all be able to run our firewalls in non-RFC1918-mode to protect ourselves but alas... You're not the first to get caught by this!

Cheers,
Orjan

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Örjan Johansson wrote:
> ...
> >In an obvious statement of ignorance, I will admit that I had no clue
> the 10.116.16.1 was an RFC1918 address nor >that it would be
> "reasonable" for the cable modem ISP to use one for their DHCP server.
> >
> >Thanks for the help, Scott.
>
> I don't think it's ignorant at all. The fact that some ISP's use RFC1918
> addresses for their DNS and DHCP servers undermines security.
> Unfortunately, a lot of us are stuck with their stubborn unwillingness
> to care about anything but making money... Of course we should all be
> able to run our firewalls in non-RFC1918-mode to protect ourselves but
> alas... You're not the first to get caught by this!

I agree - nearly all cable and ADSL providers that I've seen use RFC 1918 addresses for their own infrastructure, so that they don't have to use up their public IPs for anything except customers or critical servers. I think if it weren't for RFC 1918, the world would stop turning. :-)

The fact that Scott didn't know what an RFC 1918 address was is forgivable. (But don't let it happen again! ;-)

In /etc/shorewall/firewall, the following address ranges are put on the rfc1918 chain:

  0.0.0.0/8
  10.0.0.0/8
  127.0.0.0/8
  169.254.0.0/16
  172.16.0.0/12
  192.0.2.0/24
  192.168.0.0/16
  240.0.0.0/4

Of these, only 10/8, 172.16/12, and 192.168/16 are included in RFC 1918. The rest are other reserved addresses (see http://www.isi.edu/~bmanning/dsua.html for a discussion of them). Tom, perhaps we should think about renaming the chain to 'reserved'?

Paul
http://paulgear.webhop.net
Thanks Tom,

Thinking further ... it appears that the *initial* DHCP protocol exchange *is* working and assigning IP addresses, DNS servers, etc. For this to work from 10.116.16.1, I would assume that the DHCP option on my eth0 interfaces configuration file is "superseding" the norfc1918 option on that same line. Is this a good guess ?

I don't know enough about the DHCP protocol to determine whether the dropped messages logged by shorewall are part of that protocol (i.e. UDP SPT=67 DPT=68). Are these DHCP messages ? And if so, shouldn't they be passed in the same fashion as the initial setup messages ?

Thanks again,
Scott.

On Sun, 5 May 2002 12:12:58 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:

> On Sun, 5 May 2002, J.Scott Merritt wrote:
>
> > I also noted that IP=10.116.16.1 is the IP address that is listed during
> > the reboot as the server that issued my new DHCP license ! My naive
> > guess is that the DHCP server machine has been trying to tell me
> > something that is getting dropped in the firewall - but I could be all
> > wrong on this.
> >
> > Any suggestions appreciated !
>
> Sounds like the solution in FAQ 14
> (http://www.shorewall.net/FAQ.htm#faq14) would work for you. Just
> substitute the address of the DHCP server where the solution has
> 192.168.100.1. Also, I would upgrade to a newer version of Shorewall;
> 1.2.3 is 3 1/2 months old.
>
> -Tom
> --
> Tom Eastep     \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Sun, 5 May 2002, J.Scott Merritt wrote:

> Thinking further ... it appears that the *initial* DHCP protocol
> exchange *is* working and assigning IP addresses, DNS servers, etc.
> For this to work from 10.116.16.1, I would assume that the DHCP option
> on my eth0 interfaces configuration file is "superseding" the norfc1918
> option on that same line. Is this a good guess ?

I think that a better guess is that you are bringing up the interface before you are starting Shorewall. As I recall, you had "detect" in the BROADCAST column in the entry for your external interface (/etc/shorewall/interfaces) which requires that the interface be up and have an address assigned before Shorewall can start.

> I don't know enough about the DHCP protocol to determine whether the
> dropped messages logged by shorewall are part of that protocol (i.e. UDP
> SPT=67 DPT=68). Are these DHCP messages ?

Yep.

> And if so, shouldn't they be passed in the same fashion as the initial
> setup messages ?

Shorewall can't stop anything if it hasn't yet been started so the initial setup messages are passed -- once Shorewall is started, it is doing exactly what you are asking it to do.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
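The two facts established in the thread so far (Paul's list of the ranges the rfc1918 chain matches, of which only three are really RFC 1918, and Tom's confirmation that UDP source port 67 to destination port 68 is DHCP server-to-client traffic) can be checked mechanically against the log lines Scott posted. The script below is an added example written for this page; it is not code from Shorewall or from anyone in the thread. The range list is the one Paul quotes, the first two sample lines are Scott's own, the third sample line is constructed, and the function names are assumptions of mine.

```python
import ipaddress
import re

# Address ranges Paul quotes from /etc/shorewall/firewall for the rfc1918 chain,
# with the reason each is reserved; only three of them actually come from RFC 1918.
RFC1918_CHAIN = [
    ("0.0.0.0/8",      "this network (reserved)"),
    ("10.0.0.0/8",     "RFC 1918 private"),
    ("127.0.0.0/8",    "loopback (reserved)"),
    ("169.254.0.0/16", "link-local (reserved)"),
    ("172.16.0.0/12",  "RFC 1918 private"),
    ("192.0.2.0/24",   "TEST-NET (reserved)"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("240.0.0.0/4",    "class E (reserved)"),
]
NETWORKS = [(ipaddress.ip_network(cidr), why) for cidr, why in RFC1918_CHAIN]

# Shorewall's log prefix ("Shorewall:<chain>:<disposition>:") followed by the
# kernel's KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)")

# Scott's two log lines, plus one constructed line (assumed, not from the thread)
# showing an ordinary drop that the rfc1918 chain has nothing to do with.
SAMPLE_LINES = [
    "May 3 20:43:04 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= "
    "MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 "
    "LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=30966 PROTO=UDP SPT=67 DPT=68 LEN=345",
    "May 4 07:17:02 RRFW kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= "
    "MAC=00:80:c8:b9:ae:75:00:07:0d:ac:5c:8c:08:00 SRC=10.116.16.1 DST=66.66.200.253 "
    "LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=31532 PROTO=UDP SPT=67 DPT=68 LEN=345",
    # constructed: a TCP packet from a public source dropped by a different chain
    "May 4 09:00:00 RRFW kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.7 DST=66.66.200.253 LEN=60 PROTO=TCP SPT=4444 DPT=22",
]


def classify(addr):
    """Reason the rfc1918 chain would match addr, or None if it would pass it."""
    ip = ipaddress.ip_address(addr)
    for net, why in NETWORKS:
        if ip in net:
            return why
    return None


def parse_log_line(line):
    """Split one Shorewall log line into its fields; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        # LEN appears twice (IP total length, then UDP length): keep the first.
        fields.setdefault(key, value)
    return fields


def diagnose(line):
    """Apply the thread's two checks to one log line."""
    f = parse_log_line(line)
    if f is None:
        return None
    src = f.get("SRC", "")
    reserved_as = classify(src) if src else None
    # DHCP server -> client traffic is UDP from port 67 to port 68 (Tom's "Yep").
    dhcp_reply = f.get("PROTO") == "UDP" and f.get("SPT") == "67" and f.get("DPT") == "68"
    return {
        "chain": f["chain"],
        "action": f["action"],
        "iface": f.get("IN"),
        "src": src,
        "src_reserved_as": reserved_as,
        "dhcp_server_to_client": dhcp_reply,
        # Scott's situation: a DHCP server on a reserved address whose renewals
        # hit the rfc1918 chain once Shorewall is running.
        "dhcp_server_blocked_by_rfc1918": f["chain"] == "rfc1918" and dhcp_reply and reserved_as is not None,
    }


def report(lines):
    """One human-readable verdict per recognised log line."""
    out = []
    for line in lines:
        d = diagnose(line)
        if d is None:
            continue
        if d["dhcp_server_blocked_by_rfc1918"]:
            out.append(f"{d['src']} ({d['src_reserved_as']}) is a DHCP server whose replies "
                       f"on {d['iface']} are dropped by the {d['chain']} chain")
        else:
            out.append(f"{d['src']}: {d['action']} by {d['chain']}, not a DHCP reply from a reserved range")
    return out


if __name__ == "__main__":
    for text in report(SAMPLE_LINES):
        print(text)
```

Run against Scott's two lines, `diagnose` reports the source as "RFC 1918 private" and flags the packet as DHCP server-to-client traffic dropped by the rfc1918 chain, which is exactly the combination Paul and Tom describe; the constructed third line shows that a drop from a public source by another chain is not confused with it. `classify` can also be pointed at any address to see which of the eight ranges, if any, would catch it.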
On Mon, 6 May 2002, Paul Gear wrote:

> of these, only 10/8, 172.16/12, and 192.168/16 are included in RFC 1918.
> The rest are other reserved addresses (see
> http://www.isi.edu/~bmanning/dsua.html for a discussion of them). Tom,

Or enhance the documentation of the 'rfc1918' option - I like the chain name to be similar to the name of the option and since we have users setting the option without knowing what addresses it is blocking, it seems like a good idea to list the ip address ranges in the docs.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> I think that a better guess is that you are bringing up the interface
> before you are starting Shorewall.

Yes, I agree that is a much better guess :) I checked the startup log and indeed the RFC1918 filtering is enabled *after* the DHCP IP address is bound to eth0 !

Many thanks for the additional insight ... and for creating and supporting Shorewall in the first place !

All the best,
Scott.