Hi Tom and All,

I have been quietly watching the list for the last year (no new issues for me that weren't covered in the docs or promptly "bug-fixed" by Tom). Boy, has this grown exponentially!

Anyway, back to the point (the proverbial rearranging the furniture)... I have been evaluating Mandrake's MNF as an upgrade for my Firewall box. If I do this (and even if I don't), I would like to move Postfix into the DMZ like the rest of the services (this will leave the FW to just routing and firewall duties). Since I know there are others (Tom included) that are currently doing just that, my questions are:

1) What is the best way to handle Postfix in the DMZ? MASQ, SNAT/DNAT, ProxyARP? Postfix relay at the FW? I would rather leave the FW to its main purpose, and forgo the proxy/relay. This just adds another Postfix and forces me to use much bigger equipment than router/firewall alone. I'd rather not, but I could "cough-up" the extra IP if need be (as it appears from Tom's files, he has). At the same time I don't want to make a contorted mess just to avoid the extra IP either. (Postfix ideas welcome offlist too.)

2) Aside from the GUI making it harder to read what used to be apparent to me in the usual config files, anyone notice anything that isn't quite right in MNF? I'd defer to Tom on this, but the POLICY order seems not quite right...

Thanks for any input, on or off list...

Wayne
admin@kiteflyer.com

()  Join the ASCII ribbon campaign against HTML email
/\  and Microsoft specific attachments.
If I wanted to read HTML, I would have visited your website!
Support open standards.
--On Friday, January 03, 2003 08:03:08 PM +0000 admin@kiteflyer.com wrote:

> 1) What is the best way to handle Postfix in the DMZ? MASQ, SNAT/DNAT,
> ProxyARP? Postfix relay at the FW?
> I would rather leave the FW to its main purpose, and forgo the
> proxy/relay. This just adds another Postfix and forces me to use much
> bigger equipment than router/firewall alone. I'd rather not, but I
> could "cough-up" the extra IP if need be (as it appears from Tom's files,
> he has). At the same time I don't want to make a contorted mess just to
> avoid the extra IP either. (Postfix ideas welcome offlist too.)

It's my impression that Postfix will run ok using DNAT/SNAT provided that you set 'proxy_interfaces' to the external IP used by other MTAs to send you mail. This is necessary to avoid false mail loops.

It is still my preference though to handle a DMZ using ProxyARP provided that you have enough IP addresses to give each DMZ system its own address. It avoids all the hassles associated with the DMZ systems being known by two different IP addresses although as I point out in the Shorewall Setup Guide and elsewhere, Bind 9 "views" can help in that regard.

I run a single instance of Postfix for both input and output. While that results in Virus and Spam scanning of outbound email, I could easily avoid such scanning by port mapping tcp 25 from my local network to 10027 on the mail server. TCP 10027 is the Postfix smtpd process that accepts mail from amavisd-new after Spam Scanning. Given the small volume of mail that Tarry & I send, it's really not a problem either way.

I don't see any value in using a gateway copy of Postfix on the firewall -- I think I would simply use DNAT and Bind 9 views if I were trying to conserve my public IP addresses.

> 2) Aside from the GUI making it harder to read what used to be apparent to
> me in the usual config files, anyone notice anything that isn't quite
> right in MNF? I'd defer to Tom on this, but the POLICY order seems not
> quite right...

I'm making it a point to remain ignorant about MNF -- that way, I can't be accused of providing free MNF support and thus undermining MandrakeSoft's two-tier licensing strategy.

It goes without saying that I won't allow this list to become a free MNF support forum either.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
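An added illustration of the 'proxy_interfaces' point above, not code from the thread or from Postfix itself: a small Python model of what happens to a message when a DMZ mail host sits behind a DNAT rule on the firewall. The parameter names (inet_interfaces, proxy_interfaces, mydestination, hopcount_limit) are real Postfix settings, but the routing logic is a simplified sketch of Postfix's behaviour; the addresses, MX records and DNAT mapping are all constructed for the example.

```python
# Added example: a simplified model of why a Postfix host behind DNAT needs
# proxy_interfaces. Not code from the thread or from Postfix; all addresses,
# MX data and the DNAT mapping below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed DNS data: the domain's best MX resolves to the firewall's
# public address, which the firewall DNATs to the DMZ mail host.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.org": [(10, "mail.example.org")],
}
A_RECORDS: Dict[str, str] = {"mail.example.org": "203.0.113.25"}
DNAT_MAP: Dict[str, str] = {"203.0.113.25": "10.0.1.25"}  # public -> DMZ host

HOPCOUNT_LIMIT = 50  # Postfix's default hopcount_limit


@dataclass
class PostfixHost:
    inet_interfaces: Set[str]                                # addresses it listens on
    proxy_interfaces: Set[str] = field(default_factory=set)  # addresses reached via NAT
    mydestination: Set[str] = field(default_factory=set)     # domains delivered locally

    def own_addresses(self) -> Set[str]:
        """Postfix treats both sets as 'me' when checking for mail loops."""
        return self.inet_interfaces | self.proxy_interfaces

    def route(self, domain: str) -> str:
        """Decide what to do with mail for `domain` (sketch of Postfix's logic):
        'local', 'loop' (best MX is one of our own addresses), 'undeliverable',
        or 'relay:<ip>'."""
        if domain in self.mydestination:
            return "local"
        mxs = sorted(MX_RECORDS.get(domain, []))
        if not mxs:
            return "undeliverable"
        best_ip = A_RECORDS[mxs[0][1]]
        if best_ip in self.own_addresses():
            return "loop"  # Postfix: "mail for <domain> loops back to myself"
        return f"relay:{best_ip}"


def deliver(host: PostfixHost, domain: str) -> Tuple[str, int]:
    """Follow one message through relaying and the firewall's DNAT until it is
    delivered, bounced as a loop, or hits the hop limit. Returns (outcome, hops)."""
    hops = 0
    while True:
        decision = host.route(domain)
        if not decision.startswith("relay:"):
            return decision, hops
        target = decision.split(":", 1)[1]
        hops += 1
        if hops > HOPCOUNT_LIMIT:
            return "hopcount-exceeded", hops
        # If the relay target DNATs back to this very host, the message lands
        # in our own queue again and the loop continues.
        if DNAT_MAP.get(target, target) not in host.inet_interfaces:
            return f"relayed-to:{target}", hops


def demo() -> Dict[str, Tuple[str, int]]:
    """Three configurations for the same DMZ host (10.0.1.25 behind 203.0.113.25)."""
    return {
        "no proxy_interfaces": deliver(PostfixHost({"10.0.1.25"}), "example.org"),
        "proxy_interfaces set": deliver(
            PostfixHost({"10.0.1.25"}, proxy_interfaces={"203.0.113.25"}), "example.org"),
        "listed in mydestination": deliver(
            PostfixHost({"10.0.1.25"}, {"203.0.113.25"}, {"example.org"}), "example.org"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:26s} -> {outcome}")
```

The three runs show the failure mode Tom is warning about. Without proxy_interfaces, a domain that is missing from mydestination is relayed to the host's own public address, the firewall DNATs the message straight back, and it circulates until hopcount_limit is reached. With proxy_interfaces set to the public address, Postfix recognises the best MX as itself and refuses the message immediately with a "loops back to myself" error, which is the loud failure you want. Listing the domain in mydestination is the correct configuration, and proxy_interfaces is what keeps the other two cases honest.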
>> 1) What is the best way to handle Postfix in the DMZ? MASQ, SNAT/DNAT,
>> ProxyARP? Postfix relay at the FW?
>> I would rather leave the FW to its main purpose, and forgo the
>> proxy/relay. This just adds another Postfix and forces me to use much
>> bigger equipment than router/firewall alone. I'd rather not, but I
>> could "cough-up" the extra IP if need be (as it appears from Tom's files,
>> he has). At the same time I don't want to make a contorted mess just to
>> avoid the extra IP either. (Postfix ideas welcome offlist too.)
>
> It's my impression that Postfix will run ok using DNAT/SNAT provided that
> you set 'proxy_interfaces' to the external IP used by other MTAs to send
> you mail. This is necessary to avoid false mail loops. It is still my
> preference though to handle a DMZ using ProxyARP provided that you have
> enough IP addresses to give each DMZ system its own address. It avoids
> all the hassles associated with the DMZ systems being known by two
> different IP addresses although as I point out in the Shorewall Setup
> Guide and elsewhere, Bind 9 "views" can help in that regard.

Thanks for the input. From what I was reading in the Shorewall archives and the Postfix archives, I got the impression that would be the cleanest. However, I am often surprised by the ingenuity of fellow "problem solvers"... thus the post.

> I run a single instance of Postfix for both input and output. While that
> results in Virus and Spam scanning of outbound email, I could easily avoid
> such scanning by port mapping tcp 25 from my local network to 10027 on the
> mail server. TCP 10027 is the Postfix smtpd process that accepts mail
> from amavisd-new after Spam Scanning. Given the small volume of mail
> that Tarry & I send, it's really not a problem either way.

Amavis here, not yet at -new. I don't worry about scanning either, but the load is increasing...

> I don't see any value in using a gateway copy of Postfix on the firewall

It was suggested as a Postfix solution to move the load and keep the naming correct without issues.

> -- I think I would simply use DNAT and Bind 9 views if I were trying to
> conserve my public IP addresses.

I think you made enough valid arguments for ProxyARP.

>> 2) Aside from the GUI making it harder to read what used to be apparent
>> to me in the usual config files, anyone notice anything that isn't quite
>> right in MNF? I'd defer to Tom on this, but the POLICY order seems not
>> quite right...
>
> I'm making it a point to remain ignorant about MNF -- that way, I can't
> be accused of providing free MNF support and thus undermining
> MandrakeSoft's two-tier licensing strategy.
>
> It goes without saying that I won't allow this list to become a free
> MNF support forum either.

I can understand and respect that. Mandrake has had to make some tough choices with MNF. I had also looked into Bering, but felt it was too stripped down to do what I was looking for. I may end up with a "roll-your-own", but don't like to re-invent the wheel.

As has been said lots of times before - Tom, thank you for your tireless hours of effort with Shorewall and the user community. (My favorite repeat question remains - MAC filtering...)

Wayne
admin@kiteflyer.com
--On Saturday, January 04, 2003 2:20 AM +0000 admin@kiteflyer.com wrote:

> (My favorite repeat question remains - MAC filtering...)

What question is that?

-Tom
>> (My favorite repeat question remains - MAC filtering...)
>
> What question is that?
>
> -Tom

Sorry, that was an allusion to the question that seems to hit the list every few months. "Can I blacklist by MAC" or "Can I block a spammer by MAC", etc., which usually turns out to be the Cablemodem.

Attempt at subtle humor > /dev/null

Wayne
Christopher A. Nielsen
2003-Jan-04 01:02 UTC
[Shorewall-users] caching nameserver on 'loc' net will not work
I'm hoping some kind soul can ease my frustrating experience with this :-). The ipchains fw I hand wrote has been working for years, but trying to move up to RH8/Shorewall has been hard...

I'm under the impression that using "three-interfaces" out of the box should allow a caching name server on network 'loc' to work via MASQ, but I have never gotten that to work. I try "host chrysler.com" (something likely not in the cache), from a machine on the "loc" net and... timeout. I can ssh and lynx from my private side to a machine on an outside network using an IP, so MASQ seems to be working.

These appeared in messages as a result of the "host" command...

Jan 3 23:11:45 anode kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:c0:bd:bf:ed:00:02:3b:02:01:18:08:00 SRC=207.155.183.73 DST=216.254.34.6 LEN=62 TOS=0x00 PREC=0x00 TTL=241 ID=38147 DF PROTO=UDP SPT=1053 DPT=53 LEN=42

.. So, I added the rule "ACCEPT net fw udp 53" and now I see no messages relating to port 53, but my private nameserver still can't query. 'shorewall status' shows no messages relating to port 53 either. (Plenty about port 123 and 161, but nothing to do with this problem - just NTP & MRTG which I can solve with rules.)

Yes, I went through the quick start guide, but experiments as a result provided no relief. I plug in my old firewall, and everything is working normally again. Well, except for the disk errors ;-)

Thanks for whatever help you can offer!

-C
--
Christopher Nielsen   chris@ZORINco.com   http://ZORINco.com
______________________________________________________________
Makers of fine microcontroller products - C O N T R O L  Y O U R  W O R L D
Tom Eastep
2003-Jan-04 08:13 UTC
[Shorewall-users] caching nameserver on 'loc' net will not work
--On Saturday, January 04, 2003 1:01 AM -0800 "Christopher A. Nielsen" <chris@zorinco.com> wrote:

> These appeared in messages as a result of the "host" command...
> Jan 3 23:11:45 anode kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:00:c0:bd:bf:ed:00:02:3b:02:01:18:08:00 SRC=207.155.183.73
> DST=216.254.34.6 LEN=62 TOS=0x00 PREC=0x00 TTL=241 ID=38147 DF PROTO=UDP
> SPT=1053 DPT=53 LEN=42
>
> .. So, I added the rule "ACCEPT net fw udp 53" and now I see no messages
> relating to port 53, but my private nameserver still can't query.

Now stop and ask yourself "Why would a 'host' command from inside my network generate a DNS query from the net?" (note that I have to GUESS where you ran 'host' because you apparently think that's irrelevant).

Something is very wrong with your setup if that's what is happening:

a) Internal/external NICs reversed?
b) Two or more NICs connected to the same hub/switch?

-Tom
Christopher A. Nielsen
2003-Jan-04 10:59 UTC
[Shorewall-users] caching nameserver on 'loc' net will not work
Thanks, Tom for your reply.

I think I err'd in paying attention to (and posting) that log line. It's likely that that was an unrelated INCOMING DNS query to my public name server that just happened at the same time, so sorry about confusing the issue with that.

The ones I should have posted look like this:

udp 17 29 src=192.168.0.111 dst=192.33.14.30 sport=1286 dport=53 [UNREPLIED] src=192.33.14.30 dst=216.254.34.6 sport=53 dport=1286 use=2

It appears the reply isn't getting back through the firewall? But if 'three-interfaces' should work without modification, I'm confused, and thinking I'm barking up the wrong tree by assuming I need to add rules for those unreplied packets.

I figured that being able to ssh into a remote host would prove the problem isn't reversed NICs or something really wacky like that. I have separate hubs for 'loc' and 'dmz', and eth0 is to a dsl box and I am using 'host' from a 'loc' machine that is also the caching name server.

It seems that something may be dropping the packets, but I haven't seen any easy way to "log everything dropped or rejected" in the troubleshooting/support type pages. I noticed a debug option to the shorewall command, but I'm trying to remember what that does. There doesn't seem to be a 'man' or 'info' page, and the documentation index and reference manual don't seem to have command line details (that I can find right now). I've been staring at all this firewall stuff for far too long so I'm probably just missing it.

Thanks for any tips you can provide! Sorry if I missed anything important. I'm just going crosseyed from all the research and trying many things :-)

Cheers,
C

> > These appeared in messages as a result of the "host" command...
> > Jan 3 23:11:45 anode kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:00:c0:bd:bf:ed:00:02:3b:02:01:18:08:00 SRC=207.155.183.73
> > DST=216.254.34.6 LEN=62 TOS=0x00 PREC=0x00 TTL=241 ID=38147 DF PROTO=UDP
> > SPT=1053 DPT=53 LEN=42
> >
> > .. So, I added the rule "ACCEPT net fw udp 53" and now I see no messages
> > relating to port 53, but my private nameserver still can't query.
>
> Now stop and ask yourself "Why would a 'host' command from inside my
> network generate a DNS query from the net?" (note that I have to GUESS
> where you ran 'host' because you apparently think that's irrelevant).
>
> Something is very wrong with your setup if that's what is happening:
>
> a) Internal/external NICs reversed?
> b) Two or more NICs connected to the same hub/switch?

--
Christopher Nielsen   chris@ZORINco.com   http://ZORINco.com
Tom Eastep
2003-Jan-05 16:21 UTC
[Shorewall-users] caching nameserver on 'loc' net will not work
--On Saturday, January 04, 2003 10:59:19 AM -0800 "Christopher A. Nielsen" <chris@zorinco.com> wrote:

> Thanks, Tom for your reply.
>
> I think I err'd in paying attention to (and posting) that log line. It's
> likely that that was an unrelated INCOMING DNS query to my public name
> server that just happened at the same time, so sorry about confusing the
> issue with that.
>
> The ones I should have posted look like this:
> udp 17 29 src=192.168.0.111 dst=192.33.14.30 sport=1286 dport=53
> [UNREPLIED] src=192.33.14.30 dst=216.254.34.6 sport=53 dport=1286 use=2
>
> It appears the reply isn't getting back through the firewall?

Entries like that in the connection tracking table usually mean that the replies _aren't getting back to_ the firewall. Have you looked at this with ethereal or tcpdump?

> But if 'three-interfaces' should work without modification, I'm confused,
> and thinking I'm barking up the wrong tree by assuming I need to add rules
> for those unreplied packets.

_If you have installed the three-interface sample properly_, then you don't have to add anything for DNS to work from the local zone, be it a caching name server or not.

> I figured that being able to ssh into a remote host would
> prove the problem isn't reversed NICs or something really wacky like that.
> I have separate hubs for 'loc' and 'dmz', and eth0 is to a dsl box and I
> am using 'host' from a 'loc' machine that is also the caching name server.
>
> It seems that something may be dropping the packets, but I haven't seen
> any easy way to "log everything dropped or rejected" in the
> troubleshooting/support type pages.

Sigh -- Shorewall does that by default except for the silent drop/rejects that you see in the 'common' chain (shorewall show common).

> I noticed a debug option to the shorewall command, but I'm trying to
> remember what that does. There doesn't seem to be a 'man' or 'info' page,
> and the documentation index and reference manual don't seem to have
> command line details (that I can find right now). I've been staring at all
> this firewall stuff for far too long so I'm probably just missing it.

--
Tom Eastep
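An added example, not code from the thread or from Shorewall, covering the two pieces of evidence posted in this exchange. It parses a Shorewall kernel log line and an ip_conntrack entry and applies the two checks Tom's replies rest on: whether a logged packet was addressed to the firewall itself (IN set, OUT empty, as netfilter's LOG target prints for the INPUT path) rather than forwarded (both set), and whether a NATed flow stays [UNREPLIED] with its expected reply addressed to the firewall's public IP, which means the answer never came back to the firewall at all. The first log line and the first conntrack line are the ones quoted in the thread; the remaining sample lines and the 198.51.100.x addresses are constructed.

```python
# Added example, not from the thread: parsers for the two kinds of evidence
# posted here (a Shorewall kernel log line and an ip_conntrack entry) plus the
# two checks Tom's replies rest on: whether a logged packet was addressed to
# the firewall itself or forwarded, and whether a NATed flow ever saw a reply.
# The sample lines mix values quoted in the thread with constructed ones.
import re
from typing import Dict, List, Tuple

KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens; value may be empty (OUT=)

# Constructed sample log: the line Chris posted, plus a forwarded DROP.
SAMPLE_LOG = """\
Jan 3 23:11:45 anode kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:c0:bd:bf:ed:00:02:3b:02:01:18:08:00 SRC=207.155.183.73 DST=216.254.34.6 LEN=62 TOS=0x00 PREC=0x00 TTL=241 ID=38147 DF PROTO=UDP SPT=1053 DPT=53 LEN=42
Jan 3 23:12:02 anode kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.111 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed sample ip_conntrack table: Chris's UNREPLIED DNS flow, a DNS
# flow that did get an answer, and an unrelated SSH session.
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.0.111 dst=192.33.14.30 sport=1286 dport=53 [UNREPLIED] src=192.33.14.30 dst=216.254.34.6 sport=53 dport=1286 use=2
udp      17 27 src=192.168.0.111 dst=198.51.100.53 sport=1290 dport=53 src=198.51.100.53 dst=216.254.34.6 sport=53 dport=1290 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.111 dst=198.51.100.7 sport=40001 dport=22 src=198.51.100.7 dst=216.254.34.6 sport=22 dport=40001 [ASSURED] use=1
"""


def parse_shorewall_log(line: str) -> Dict[str, str]:
    """Split 'Shorewall:<chain>:<disposition>:' and the netfilter key=value fields."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in KV_RE.findall(m.group("rest")):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-level one
    return fields


def direction(entry: Dict[str, str]) -> str:
    """netfilter logs IN= and OUT=; only forwarded packets carry both."""
    if entry.get("IN") and entry.get("OUT"):
        return "forwarded"
    if entry.get("IN"):
        return "to-firewall"
    return "from-firewall"


def parse_conntrack(line: str) -> Dict:
    """Parse one ip_conntrack line into original and expected-reply tuples."""
    tokens = line.split()
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "flags": [], "orig": {}, "reply": {}}
    side = entry["orig"]
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])          # [UNREPLIED], [ASSURED]
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "use":
                continue
            if key in side:                           # key repeats: reply tuple starts
                side = entry["reply"]
            side[key] = value
        else:
            entry["flags"].append(tok)                # TCP state, e.g. ESTABLISHED
    return entry


def unreplied_flows(table: str, fw_public_ip: str, dport: int = 53) -> List[Tuple[str, str]]:
    """Flows to `dport` whose reply would come back to the firewall's public
    address but never did: the NAT rewrite worked on the way out, so the
    answer was lost upstream or never sent, which is Tom's reading of the entry."""
    found = []
    for line in table.splitlines():
        if not line.strip():
            continue
        e = parse_conntrack(line)
        if ("UNREPLIED" in e["flags"] and e["orig"].get("dport") == str(dport)
                and e["reply"].get("dst") == fw_public_ip):
            found.append((e["orig"]["src"], e["orig"]["dst"]))
    return found


def dropped_to_port(log: str, port: int) -> List[Tuple[str, str, str, str]]:
    """(chain, direction, SRC, DST) of every DROP/REJECT log line for `port`."""
    out = []
    for line in log.splitlines():
        if "Shorewall:" not in line:
            continue
        e = parse_shorewall_log(line)
        if e["disposition"] in ("DROP", "REJECT") and e.get("DPT") == str(port):
            out.append((e["chain"], direction(e), e["SRC"], e["DST"]))
    return out


if __name__ == "__main__":
    print(dropped_to_port(SAMPLE_LOG, 53))
    print(unreplied_flows(SAMPLE_CONNTRACK, "216.254.34.6"))
```

Run against the samples, the log check reports the net2all drop as "to-firewall" (an inbound query to the public name server, exactly the unrelated event Chris later recognised), and the conntrack check singles out the one DNS flow that was NATed out to the firewall's public address and never answered. An unreplied entry of that shape says nothing was dropped on the firewall on the way back; the next step is a capture on the external interface, as Tom suggests.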
Tom Eastep
2003-Jan-05 16:25 UTC
[Shorewall-users] caching nameserver on 'loc' net will not work
--On Sunday, January 05, 2003 04:21:10 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>> I noticed a debug option to the shorewall command, but I'm trying to
>> remember what that does. There doesn't seem to be a 'man' or 'info' page,
>> and the documentation index and reference manual don't seem to have
>> command line details (that I can find right now). I've been staring at
>> all this firewall stuff for far too long so I'm probably just missing it.

The 'debug' command is for getting a trace in the event that Shorewall won't start. See http://shorewall.sf.net/troubleshoot.htm.

-Tom