thr3ads.net - Shorewall users - [Shorewall-users] shorewall problem [Jul 2002]

If this information is useful, please help other people find it:
Share via:

Tom Eastep

2002-Jul-09 15:08 UTC

[Shorewall-users] shorewall problem

On Tue, 9 Jul 2002, Abdul Karim wrote:
>  
> ACCEPT          fw        net           tcp     53
> ACCEPT          fw        net           udp     53
> 
> ACCEPT          loc       fw            tcp     22
> 
> The question I have is about the ssh line.  It seems when I try to connect
> to fw  I can still connect on the public ip (net)address, even though on
the
> rules it is say''s only on the loc (private interface), or I am
reading this
> theory incorrectly?  In the log file the message appears as its been
dropped
> but the connection is still established.  
The last rule above allows SSH connections from any system in the loc zone 
to the firewall REGARDLESS OF WHICH FIREWALL ADDRESS YOU USE. If you want 
to restrict it to only the private address:

ACCEPT	loc	fw:<private address>	tcp	22

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Abdul Karim

2002-Jul-09 15:10 UTC

head link

[Shorewall-users] shorewall problem

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C2275A.B6C52AF0
Content-Type: text/plain;
	charset="iso-8859-1"

Hi there,
I have installed redhat 7.2 updated the kernal to 2.4.9-34 , shorewall
1.3.3. As far as I can recall I have installed all the necessary package.  
 
The machine has two NIC''s eth0 has public IP address and eth1 has
internal
ip. I am just testing with the basic configuration for two interfaces.  I
have followed http://www.shorewall.net/shorewall_quickstart_guide.htm
<http://www.shorewall.net/shorewall_quickstart_guide.htm> 
 
and completed all the necessary steps. I haven''t done the masq. yet.
all I
am trying test at this stage is the ssh connection to the fw.  now the rules
only has the following lines
 
ACCEPT          fw        net           tcp     53
ACCEPT          fw        net           udp     53

ACCEPT          loc       fw            tcp     22

The question I have is about the ssh line.  It seems when I try to connect
to fw  I can still connect on the public ip (net)address, even though on the
rules it is say''s only on the loc (private interface), or I am reading
this
theory incorrectly?  In the log file the message appears as its been dropped
but the connection is still established.  
 
I am not to sure whether I missed something but I went through the config
files thoroughly.  I haven''t tried anything else yet. just wanted to
know
why its doing this first. 
 
Please do let me know if you need anymore information.  Hope its clear.
 
Thanks.

Karim 



------_=_NextPart_001_01C2275A.B6C52AF0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
charset=3Diso-8859-1">


<META content=3D"MSHTML 5.50.4913.1100"
name=3DGENERATOR></HEAD>
<BODY>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>Hi=20
there,</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>I have installed=20
redhat 7.2 updated the kernal to 2.4.9-34&nbsp;, shorewall 1.3.3. As far as
I=20
can recall I have installed all the necessary package.&nbsp;=20
</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>The machine has two=20
NIC''s eth0 has public IP address and eth1 has&nbsp;internal ip. I
am just=20
testing with the basic configuration for two interfaces.&nbsp; I have
followed=20
<A=20
href=3D"http://www.shorewall.net/shorewall_quickstart_guide.htm">http://www.shorewall.net/shorewall_quickstart_guide.htm</A></FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>and completed all=20
the necessary steps. I haven''t done the masq. yet. all I am trying test
at this=20
stage is the ssh connection to the fw.&nbsp;
</FONT></SPAN><SPAN=20
class=3D031374214-09072002><FONT face=3DArial size=3D2>now the rules
only has the=20
following lines</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2>ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
fw&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
tcp&nbsp;&nbsp;&nbsp;&nbsp;=20
53<BR>ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
fw&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
udp&nbsp;&nbsp;&nbsp;&nbsp;=20
53<BR><BR>ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
loc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
fw&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
tcp&nbsp;&nbsp;&nbsp;&nbsp;
22<BR></FONT></SPAN><SPAN=20
class=3D031374214-09072002><FONT face=3DArial
size=3D2></DIV></FONT></SPAN>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>The question I have=20
is about the ssh line.&nbsp; It seems when I try to connect to fw&nbsp;
I can=20
still&nbsp;connect on the public ip (net)address, even though on the rules
it is=20
say''s only on the loc (private interface), or I am reading this
theory=20
incorrectly?&nbsp; In the log file&nbsp;the message appears as its been
dropped=20
but the connection is still established.&nbsp;
</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>I am not to sure=20
whether I missed something but I went through the config files
thoroughly.&nbsp;=20
I haven''t tried anything else yet. just wanted to know why its doing
this=20
first.&nbsp;</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial
size=3D2>Please do let me=20
know if you need anymore information.&nbsp; Hope its
clear.</FONT></SPAN></DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D031374214-09072002><FONT face=3DArial=20
size=3D2>Thanks.</DIV></FONT></SPAN>
<P><FONT face=3DArial size=3D2>Karim</FONT>
<BR></P></BODY></HTML>

------_=_NextPart_001_01C2275A.B6C52AF0--

Abdul Karim

2002-Jul-09 16:00 UTC

head link

[Shorewall-users] shorewall problem

Hi Tom,
Thanks for your prompt reply.  My local zone is eth1 which has private ip
address.  The machine I am connecting from has a public ip address (same
subnet as the external ip (etho). So I don''t understand what makes it
think
its a local zone. but yeh if I do what you suggested does work.

Thanks.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, July 09, 2002 4:09 PM
To: Abdul Karim
Cc: ''Shorewall-users@shorewall.net''
Subject: Re: [Shorewall-users] shorewall problem


On Tue, 9 Jul 2002, Abdul Karim wrote:
>  
> ACCEPT          fw        net           tcp     53
> ACCEPT          fw        net           udp     53
> 
> ACCEPT          loc       fw            tcp     22
> 
> The question I have is about the ssh line.  It seems when I try to connect
> to fw  I can still connect on the public ip (net)address, even though on
the> rules it is say''s only on the loc (private interface), or I am
reading
this> theory incorrectly?  In the log file the message appears as its been
dropped> but the connection is still established.  
The last rule above allows SSH connections from any system in the loc zone 
to the firewall REGARDLESS OF WHICH FIREWALL ADDRESS YOU USE. If you want 
to restrict it to only the private address:

ACCEPT	loc	fw:<private address>	tcp	22

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

Tom Eastep

2002-Jul-09 16:46 UTC

head link

[Shorewall-users] shorewall problem

On Tue, 9 Jul 2002, Abdul Karim wrote:
> Hi Tom,
> Thanks for your prompt reply.  My local zone is eth1 which has private ip
> address.  The machine I am connecting from has a public ip address (same
> subnet as the external ip (etho). So I don''t understand what makes
it think
> its a local zone. but yeh if I do what you suggested does work.
> 
You had better let me see all of your configuration files -- there is 
something very wrong or I''m really missing something.

You don''t have both interfaces connected to the same hub or switch do
you?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Shorewall users - Jul 2002 - shorewall problem

[Shorewall-users] shorewall problem

[Shorewall-users] shorewall problem

[Shorewall-users] shorewall problem

[Shorewall-users] shorewall problem