Marta Jara
2003-Jan-16 08:54 UTC
[Shorewall-users] Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2
I have the problem when my local network does telnet to the net:
Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2

my files are the following:

policy
#SOURCE  DEST  POLICY    LOG LEVEL  LIMIT:BURST
loc      net   CONTINUE  info
loc      fw    ACCEPT    info
loc      loc   ACCEPT
loc      dmz   ACCEPT    info
fw       loc   ACCEPT    info
fw       fw    ACCEPT    info
fw       net   ACCEPT    info
fw       dmz   ACCEPT    info
dmz      net   ACCEPT    info
dmz      fw    ACCEPT
net      loc   DROP      info
net      fw    DROP      info
all      all   REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces
net  eth2  detect  filterping
loc  eth0  detect  filterping
dmz  eth1  detect

and when I tried to go to the net the messages are:
Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6877 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 16 17:49:33 murowall kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6877 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 16 17:49:34 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6889 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 16 17:49:34 murowall kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6889 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 16 17:49:34 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6900 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 16 17:49:34 murowall kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2 SRC=192.168.2.96 DST=80.25.233.57 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6900 DF PROTO=TCP SPT=1813 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0

can you help me? thanks a lot!
Alan Sparks
2003-Jan-16 09:02 UTC
[Shorewall-users] Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2
You should probably have shown the rules file also... but I see the loc->net policy is CONTINUE, but don't see where the policy subsequently allows this outbound traffic. Do you really mean for that to be CONTINUE, or ACCEPT?

And without seeing the rules, it's difficult to say more, I think...
-Alan

Marta Jara said:
> I have the problem when my local network does telnet to the net:
> Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2
> [...]
> can you help me? thanks a lot!
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users

==========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
Marta Jara
2003-Jan-16 09:06 UTC
[Shorewall-users] Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2
excuse me, here are my rules:

#ACTION  SOURCE                DEST               PROTO  DEST     SOURCE   ORIGINAL
#                                                        PORT     PORT(S)  DEST
ACCEPT   loc                   fw                 tcp    23
ACCEPT   loc                   fw                 udp    23
ACCEPT   loc                   fw                 tcp    22
ACCEPT   loc                   fw                 udp    22
ACCEPT   fw                    net                tcp    53
ACCEPT   fw                    net                udp    53
ACCEPT   dmz                   loc                tcp    53
ACCEPT   dmz                   loc                udp    53
ACCEPT   fw                    dmz                tcp    23
ACCEPT   fw                    dmz                udp    23
ACCEPT   fw                    dmz                tcp    22
ACCEPT   loc                   net                icmp
ACCEPT   loc                   net                tcp    149
ACCEPT   dmz:192.168.235.2     loc:192.168.2.4    tcp    143
ACCEPT   dmz:192.168.235.2     loc:192.168.2.4    tcp    25
ACCEPT   dmz:192.168.235.2     net                tcp    smtp
ACCEPT   net                   loc                tcp    1494
ACCEPT   loc                   net                tcp    1494
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Alan Sparks wrote:
> You should probably have shown the rules file also... but
> I see the loc->net policy is CONTINUE, but don't see where the policy
> subsequently allows this outbound traffic. Do you really mean for that to
> be CONTINUE, or ACCEPT?
>
> And without seeing the rules, it's difficult to say more, I think...
> -Alan
> [...]
Alan Sparks
2003-Jan-16 10:14 UTC
[Shorewall-users] Jan 16 17:49:33 murowall kernel: Shorewall:loc2net:CONTINUE:IN=eth0 OUT=eth2 SRC Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2
There is no rule to go loc->net with telnet (port 23), if that's what you're doing... the rules are not transitive. Could be the problem.
-Alan

Marta Jara said:
> excuse me, here are my rules:
> [...]

==========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
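Alan's two points (the loc->net policy is CONTINUE, and rules are not transitive) as an added example that is not part of the thread: a small Python model of the zone-pair decision, fed with the policy and rules Marta posted. The evaluation order it assumes (rules for the zone pair first, then the policy file in order, with CONTINUE falling through to the next matching policy) is a simplified model, not Shorewall's own code.

```python
# Added example, not from the thread: a small model of how Shorewall decides a
# zone-to-zone connection, using the policy and rules Marta posted. Assumed
# (simplified) order: rules for the zone pair first; if none matches, walk the
# policy file in order; CONTINUE falls through to the next matching policy.
POLICY = [  # (SOURCE, DEST, POLICY) in file order, as posted
    ("loc", "net", "CONTINUE"), ("loc", "fw", "ACCEPT"), ("loc", "loc", "ACCEPT"),
    ("loc", "dmz", "ACCEPT"), ("fw", "loc", "ACCEPT"), ("fw", "fw", "ACCEPT"),
    ("fw", "net", "ACCEPT"), ("fw", "dmz", "ACCEPT"), ("dmz", "net", "ACCEPT"),
    ("dmz", "fw", "ACCEPT"), ("net", "loc", "DROP"), ("net", "fw", "DROP"),
    ("all", "all", "REJECT"),
]
RULES = [  # (ACTION, SOURCE, DEST, PROTO, DEST PORT); None = any port.
    # Whole-zone rules only; the host-qualified dmz rules are left out.
    ("ACCEPT", "loc", "fw", "tcp", 23), ("ACCEPT", "loc", "fw", "tcp", 22),
    ("ACCEPT", "fw", "net", "tcp", 53), ("ACCEPT", "fw", "net", "udp", 53),
    ("ACCEPT", "loc", "net", "icmp", None), ("ACCEPT", "loc", "net", "tcp", 149),
    ("ACCEPT", "loc", "net", "tcp", 1494), ("ACCEPT", "net", "loc", "tcp", 1494),
]

def zone_match(pattern, zone):
    return pattern == "all" or pattern == zone

def evaluate(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return the chain of decisions taken; the last entry is the verdict."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (rsrc, rdst, rproto) == (src, dst, proto) and rport in (None, port):
            return [f"rule:{action}"]
    trail = []
    for psrc, pdst, paction in policy:
        if zone_match(psrc, src) and zone_match(pdst, dst):
            trail.append(f"{psrc}2{pdst}:{paction}")
            if paction != "CONTINUE":  # CONTINUE keeps looking at later policies
                break
    return trail

def verdict(src, dst, proto, port, **kw):
    return evaluate(src, dst, proto, port, **kw)[-1].split(":")[1]

def with_loc_net_accept(policy=POLICY):
    """The alternative Alan asks about: a loc->net policy of ACCEPT."""
    return [(s, d, "ACCEPT") if (s, d) == ("loc", "net") else (s, d, p)
            for s, d, p in policy]

if __name__ == "__main__":
    # Mirrors the log pair loc2net:CONTINUE followed by FORWARD:REJECT for telnet.
    print(evaluate("loc", "net", "tcp", 23))
    # loc->fw:23 and fw->net are both allowed, yet loc->net:23 is still rejected.
    print(verdict("loc", "fw", "tcp", 23), verdict("fw", "net", "tcp", 23),
          verdict("loc", "net", "tcp", 23))
    print(verdict("loc", "net", "tcp", 23, policy=with_loc_net_accept()))
```

Running it shows why the log pairs a loc2net:CONTINUE line with a REJECT: nothing in the rules file matches loc->net tcp/23, the CONTINUE policy decides nothing, and the catch-all "all all REJECT" policy is what finally answers.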