I'm running Shorewall 1.37b with iptables 1.2.5 under RH 7.2. It appears that my firewall is rejecting this connection even though my configuration should accept all traffic directed outward:

Nov 15 14:10:04 main kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=my.ip.address DST=208.246.35.55 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=34874 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

This is a standalone server with only one interface, eth0. Can anyone tell me why Shorewall is rejecting these connections? These connections are being initiated by a Postfix server running on the firewall. Interestingly, the connections later succeed. I had recently upgraded the kernel to 2.4.18 and the iptables came with it. I do not know if this problem existed with the old kernel/iptables.

hosts:
--------------------
#ZONE   HOST(S)                  OPTIONS
office  eth0:208.246.35.242/24
net     eth0:0.0.0.0/0
--------------------

zones:
-------------------
2.4.18
office  Office  Office Proxy
net     Net     Internet
------------------------

interfaces:
---------------------------
-  eth0  detect  norfc1918,filterping,routestopped,routefilter,dropunclean,blacklist
---------------------------

policy:
---------------------
fw      net     ACCEPT
office  fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info
----------------------------------------------

shorewall.conf
------------------------------
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR
LOGRATE=1/minute
LOGBURST=5
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=no
MANGLE_ENABLED=Yes
IP_FORWARDING=Off
ADD_IP_ALIASES=no
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=Yes
MULTIPORT=No
DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
LOGNEWNOTSYN
FORWARDPING=no
--------------------------------

ALL other files have default values.
Hi Links,

On Sat, 2002-11-16 at 04:04, Links at Momsview wrote:
> I'm running Shorewall 1.37b with iptables 1.2.5 under RH 7.2
> It appears that my firewall is rejecting this connection even though
> my configuration should accept all traffic directed outward:
> Nov 15 14:10:04 main kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=my.ip.address DST=208.246.35.55 LEN=52 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=TCP SPT=34874 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>
> This is a standalone server with only one interface eth0:
> Can anyone tell me why shorewall is rejecting these connections?
> These connections are being initiated by a Postfix server running on
> the firewall.
> Interestingly, the connections later succeed.
> I had recently upgraded the kernel to 2.4.18 and the iptables came
> with it. I do not know if this problem existed with the old
> kernel/iptables.
>
> hosts:
> --------------------
> #ZONE   HOST(S)                  OPTIONS
> office  eth0:208.246.35.242/24
> net     eth0:0.0.0.0/0
> --------------------
>
> zones:
> -------------------
> 2.4.18
> office  Office  Office Proxy
> net     Net     Internet
> ------------------------
>
> interfaces:
> ---------------------------
> -  eth0  detect
> norfc1918,filterping,routestopped,routefilter,dropunclean,blacklist
> ---------------------------
>
> policy:
> ---------------------
> fw      net     ACCEPT
> office  fw      ACCEPT
> net     all     DROP    info
> all     all     REJECT  info
> ----------------------------------------------
<snip>

According to your policy, you reject all connections from all2all, like the one above. So this is okay.

Greets
Dennis
--
Dennis Borngraeber <h@wking.de>
While I do have the all-to-all REJECT, this connection is outbound (which should be passed by my "fw net ACCEPT" policy) and is to an address that is part of the office zone, which also has a default ACCEPT policy. That is why I don't understand the REJECT of this connection.

----- Original Message -----
From: Links at Momsview
To: shorewall-users@shorewall.net
Sent: Friday, November 15, 2002 10:04 PM
Subject: Strange reject
Thanks for the reply.

While I do have the all-to-all REJECT, this connection is outbound (which should be passed by my "fw net ACCEPT" policy) and is to an address that is part of the office zone, which also has a default ACCEPT policy. That is why I don't understand the REJECT of this connection.

----- Original Message -----
From: Links at Momsview
To: shorewall-users@shorewall.net
Sent: Friday, November 15, 2002 10:04 PM
Subject: Strange reject
--On Saturday, November 16, 2002 08:30:04 AM -0500 Links at Momsview <links@momsview.com> wrote:

> While I do have the all to all reject, this connection is outbound (which
> should be passed by my fw to net ACCEPT policy) and is to an address that
> is part of the office zone that also has a default ACCEPT policy. That
> is why I don't understand the REJECT of this connection.

But this isn't a fw->net connection - it's a fw->office connection.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
--On Sunday, November 17, 2002 02:06:53 PM -0500 Links at Momsview <links@momsview.com> wrote:

> Thanks for the reply.
> While I do have the all to all reject, this connection is outbound (which
> should be passed by my fw to net ACCEPT policy) and is to an address that
> is part of the office zone that also has a default ACCEPT policy. That
> is why I don't understand the REJECT of this connection.

The office->fw policy is ACCEPT -- the connection request that is being rejected is fw->office!!!!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
Whoa! I guess what has gotten me really confused is that I had thought of the Shorewall policy line:

fw      net     ACCEPT

as equivalent to the line

iptables --policy OUTPUT ACCEPT

on a standalone box with only one interface.

Obviously that is not the case. Are you saying I need a line like this?

fw      office  ACCEPT

Thanks in advance.

> --On Saturday, November 16, 2002 08:30:04 AM -0500 Links at Momsview
> <links@momsview.com> wrote:
>
> > While I do have the all to all reject, this connection is outbound (which
> > should be passed by my fw to net ACCEPT policy) and is to an address that
> > is part of the office zone that also has a default ACCEPT policy. That
> > is why I don't understand the REJECT of this connection.
>
> But this isn't a fw->net connection - it's a fw->office connection.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924  \ teastep@shorewall.net
--On Sunday, November 17, 2002 09:03:44 PM -0500 Links at Momsview <links@momsview.com> wrote:

> whoa!:
> I guess what's has gotten me really confused is that I had thought of the
> shorewall policy line:
> fw net ACCEPT
>
> equivalent to the line
>
> iptables --policy OUTPUT ACCEPT
>
> on a standalone box with only one interface.
>
> Obviously that is not the case. Are you saying I need a line like ?:
>
> fw office ACCEPT
>

That's what I'm saying -- be sure to put it in the proper place (before the 'all2all' rule).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
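The zone lookup Tom describes, worked through in code. This is an added example for this thread, not code from the thread or from Shorewall itself. It parses the posted hosts and policy files, reads the logged packet, and shows that because IN= is empty and OUT=eth0 the source zone is the firewall itself, while DST=208.246.35.55 falls inside the office /24 and so is classified as office rather than net; with no fw->office row, the first policy row that matches is all->all REJECT. It also shows the ordering caveat from Tom's last reply: the same "fw office ACCEPT" row appended after all->all is shadowed and never reached. Assumptions, labelled in the comments: the sample log line is a constructed copy of the posted one with the redacted SRC replaced by the host address from the hosts file, and overlapping zones are resolved by longest prefix, which is a simplification of Shorewall's real ordering (the zones file order decides for nested zones; here office is both listed first and the narrower network, so the result is the same).

```python
import ipaddress
import re

# Constructed sample input modelled on the log line posted in the thread; the
# poster redacted SRC, so the host address from the hosts file is used instead.
LOG_LINE = (
    "Nov 15 14:10:04 main kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=208.246.35.242 DST=208.246.35.55 LEN=52 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=0 DF PROTO=TCP SPT=34874 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# /etc/shorewall/hosts as posted: ZONE  INTERFACE:NETWORK
HOSTS_FILE = """\
#ZONE   HOST(S)                  OPTIONS
office  eth0:208.246.35.242/24
net     eth0:0.0.0.0/0
"""

# /etc/shorewall/policy as posted: there is no fw->office row.
POLICY_ORIGINAL = """\
#SOURCE DEST    POLICY  LOG
fw      net     ACCEPT
office  fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

# The fix from the thread, placed before the all->all row.
POLICY_FIXED = """\
fw      net     ACCEPT
fw      office  ACCEPT
office  fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

# The same row placed after all->all: first match wins, so it is never reached.
POLICY_MISPLACED = POLICY_ORIGINAL + "fw      office  ACCEPT\n"


def parse_hosts(text):
    """Parse hosts lines into (zone, interface, network) tuples, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, spec = line.split()[:2]
        iface, net = spec.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def parse_policy(text):
    """Parse policy lines into (source, dest, action) tuples, keeping file order."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(tuple(line.split()[:3]))
    return rows


def zone_of(addr, hosts, iface):
    """Most specific zone (longest prefix) containing addr on iface.

    Assumed simplification: Shorewall orders overlapping zones by their position
    in /etc/shorewall/zones; in this thread 'office' is listed first and is also
    the narrower network, so longest-prefix matching gives the same answer.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for zone, zif, net in hosts:
        if zif == iface and ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (zone, net)
    return best[0] if best else None


def parse_log(line):
    """Extract the Shorewall chain and disposition plus every KEY=VALUE field."""
    m = re.search(r"Shorewall:(\w+):(\w+):", line)
    fields = dict(re.findall(r"(\w+)=(\S*)", line))  # IN= yields an empty string
    return {"chain": m.group(1), "disposition": m.group(2), **fields}


def lookup_policy(src_zone, dst_zone, policy):
    """First matching policy row wins; 'all' is a wildcard. Returns (action, row)."""
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, (src, dst)
    return None, None


def classify(line, hosts, policy, fw="fw"):
    """Return (src_zone, dst_zone, action, matched_row) for a logged packet.

    An empty IN= with OUT= set means the packet was generated on the firewall
    itself, so the source zone is the firewall zone whatever SRC says.
    """
    log = parse_log(line)
    src_zone = zone_of(log["SRC"], hosts, log["IN"]) if log["IN"] else fw
    dst_zone = zone_of(log["DST"], hosts, log["OUT"]) if log["OUT"] else fw
    action, row = lookup_policy(src_zone, dst_zone, policy)
    return src_zone, dst_zone, action, row


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for name, text in (("original", POLICY_ORIGINAL), ("fixed", POLICY_FIXED),
                       ("misplaced", POLICY_MISPLACED)):
        print(name, classify(LOG_LINE, hosts, parse_policy(text)))
```

Running it prints fw->office REJECT via the all->all row for the posted policy, ACCEPT via the fw->office row for the corrected one, and REJECT again when the new row sits below all->all. A destination outside the /24 (for instance a constructed 198.51.100.10) classifies as net and is accepted by the existing fw->net row, which is the only case the poster's "OUTPUT ACCEPT" mental model actually covered.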