Frantzcy Paisible
2002-Oct-10 15:53 UTC
[Shorewall-users] shorewall, not respecting the rules
Hi,

I've had this issue before but managed to get around it; this time I can't.

What would cause this:

3 zones
net
zone_a
zone_b

2 interfaces
eth0: zone_a zone_b
eth1: net

policies:
zone_a zone_b ACCEPT
zone_b zone_a ACCEPT

interfaces (I know, I know, routestopped in shorewall/routestopped, but it can't hurt)
eth0 multi,routestopped
eth1 noping,routefilter,routestopped,norfc1918,dropunclean,filterping

I even added in the rules

ACCEPT zone_a:IP_a zone_b:IP_b tcp 80

I still get:

Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 SRC=IP_a DST=IP_b LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1508 DF PROTO=TCP SPT=1171 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

I don't get it!

Plus:

shorewall # iptables -v -L eth0_in
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  579 88621 dynamic    all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
  574 87578 zone_a2fw  all  --  any    any     IP_A_net/26          anywhere
    5  1043 zone_a2fw  all  --  any    any     anywhere             anywhere
    0     0 zone22fw   all  --  any    any     IP_B_net/26          anywhere

shorewall # iptables -v -L qsweb2fw
Chain qsweb2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination
   65  4247 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  any    any     anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
    4   263 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:domain
   61 12483 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:netbios-ns:netbios-ssn
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:netbios-ns:netbios-ssn
   12  1100 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:snmp
  478 76720 all2all    all  --  any    any     anywhere             anywhere

Shouldn't there be a chain called

zone_a2zone_b
and a
zone_b2zone_a
??

Frantzcy
--
Unreachability is bliss

Frantzcy Paisible wrote:
> I've had this issue before but managed to get around it; this time I can't.
>
> What would cause this:
> [...]
> Shouldn't there be a chain called
>
> zone_a2zone_b
> and a
> zone_b2zone_a
> ??

You've edited the description of your configuration to the point where your problem report is useless. Please email me privately and give me the real information.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Frantzcy Paisible wrote:
> [...]
> Shouldn't there be a chain called
>
> zone_a2zone_b
> and a
> zone_b2zone_a
> ??

There are -- and they are jumped to from the eth0_fwd chain -- the eth0_in chain only handles traffic directed to the firewall itself.

-Tom

Tom Eastep wrote:
> Frantzcy Paisible wrote:
>> I've had this issue before but managed to get around it; this time I can't.
>>
>> What would cause this:
>> [...]
>> I still get:
>>
>> Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 SRC=IP_a DST=IP_b LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1508 DF PROTO=TCP SPT=1171 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>>
>> I don't get it!

As is usual in these cases, the problem turned out to be incorrectly defined zones.

-Tom
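An added example, not code from the thread or from Shorewall, that turns the two answers above into a small POSIX shell triage helper for Shorewall log lines: IN= and OUT= both set means the packet was forwarded and went through eth0_fwd rather than eth0_in, and a forwarded packet landing in all2all instead of zone_a2zone_b means Shorewall never classified its source and destination as that zone pair, which points at the zone definitions rather than the rules file. The addresses in the sample line are constructed placeholders standing in for the thread's IP_a and IP_b.

```shell
#!/bin/sh
# Added triage helper for Shorewall log lines; not code from the thread or from Shorewall.
# SAMPLE_LOG is constructed from the REJECT line in the post, with the anonymised
# IP_a/IP_b replaced by made-up RFC 1918 addresses.
SAMPLE_LOG='Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.10 DST=192.168.1.70 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1508 DF PROTO=TCP SPT=1171 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# log_field LINE KEY: value of KEY= in a netfilter log line; empty when the
# key is absent or present but empty (as "OUT=" is for packets to the firewall).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# log_chain LINE: the chain in the "Shorewall:<chain>:<disposition>:" prefix.
log_chain() {
    printf '%s\n' "$1" | sed -n 's/.*Shorewall:\([^:]*\):[^:]*:.*/\1/p'
}

# packet_path LINE: which per-interface chain saw the packet.
#   IN and OUT both set -> forwarded, handled by <IN>_fwd (where zone_a2zone_b is reached)
#   only IN set         -> addressed to the firewall itself, handled by <IN>_in
#   no IN               -> generated by the firewall
packet_path() {
    in_if=$(log_field "$1" IN)
    out_if=$(log_field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo "${in_if}_fwd"
    elif [ -n "$in_if" ]; then
        echo "${in_if}_in"
    else
        echo "fw-originated"
    fi
}

# diagnose LINE: one-line verdict. A forwarded packet that reaches the catch-all
# policy chain all2all did not take the zone_a2zone_b path that the explicit
# ACCEPT policy creates, so Shorewall did not map SRC/DST to that zone pair;
# the fix belongs in the zone definitions, not in the rules file.
diagnose() {
    chain=$(log_chain "$1")
    case "$chain" in
        all2all) echo "zone-mismatch: $(log_field "$1" SRC) -> $(log_field "$1" DST) reached catch-all all2all via $(packet_path "$1"); check zone definitions" ;;
        '')      echo "not-shorewall: no Shorewall: prefix in line" ;;
        *)       echo "zone-pair: decided in $chain; inspect 'iptables -v -L $chain'" ;;
    esac
}

diagnose "$SAMPLE_LOG"
```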