Shorewall users - Jun 2003 - Oracle SQL*Net through Shorewall

Hello all,
	I am a newbie to Linux firewalls, and am trying to setup shorewall to allow
connections from an Oracle client to an Oracle Server. The client tries to
connect to the server via port 1521 (it works fine) and once the first
connection has been successful, the server sends a redirect to the client to a
random high port. So, when the client tries to connect again to the sevrer on
that port the connection is not allowed. The only way I''ve found (which
I don?t like) is to open all ports from the client to the server. I''ve
googled for some days and found no way to do it.
	Any advice please?

	This is my rules and log file (IP addresses faked)

	Rules:
	ACCEPT  loc:w.x.y.z    net:a.b.c.d                    tcp     1024:65535

	And this is the log file:

Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0
SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4040
 DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0

	Regards

On Fri, 2003-06-13 at 04:50, Juan Jose Ledesma Poveda
wrote:
> 	Hello all,
> 	I am a newbie to Linux firewalls, and am trying to setup shorewall to
allow connections from an Oracle client to an Oracle Server. The client tries to
connect to the server via port 1521 (it works fine) and once the first
connection has been successful, the server sends a redirect to the client to a
random high port. So, when the client tries to connect again to the sevrer on
that port the connection is not allowed. The only way I''ve found (which
I don?t like) is to open all ports from the client to the server. I''ve
googled for some days and found no way to do it.
> 	Any advice please?
> 
> 	This is my rules and log file (IP addresses faked)
> 
> 	Rules:
> 	ACCEPT  loc:w.x.y.z    net:a.b.c.d                    tcp     1024:65535
> 
> 	And this is the log file:
> 
> Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0
SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4040
>  DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0
> 
I assume that you are seeing that message when the rule is *not*
present?


You are doing the only thing possible unless you establish a VPN of some
sort between the client and server.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom and the list,

is there any restriction on INCLUDE?

For easier and quicker upgrade to newer versions, I tried to use INCLUDE
inside the files I need
to change and then have my_files to contain the actual data. E.g. I copy
''zones'' to ''my_zones''
and edit ''my_zones'', I also keep all original comments for
reference.

However I got error using INCLUDE and no error if I copied back the data
into zones (see below). What wrong do I do?

Thank you.

M Lu


---------- START zones ----------------
#       Shorewall 1.4 -- Sample Zone File For Two Interfaces
#       /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
#ZONE   DISPLAY         COMMENTS
#
INCLUDE my_zones
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--------------  END zones ------------


''my_zones'' is

-------------  START my_zones -----------
#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone (5 Characters or less in
length).
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
#ZONE   DISPLAY         COMMENTS
#net    Net             Internet
#loc    Local           Local networks
#dmz    DMZ             Demilitarized zone
#
net     Net             Internet
loc     Local           Local Networks
dmz     DMZ             Demilitarized Zone
vpn     VPN             VPN loc
vpn2    VPN2            VPN DMZ
vpnRW   VPNRW           VPN RW
#
------------ END my_zones ---------------




# shorewall restart

Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: INCLUDE
Validating interfaces file...
   Error: Invalid zone (net) in record "net eth0 detect
dhcp,routefilter,norfc1918,blacklist"
Terminated

The following ''zones'' is OK

--------  START good zones  -------------
#
#       Shorewall 1.4 -- Sample Zone File For Two Interfaces
#       /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local Networks
dmz     DMZ             Demilitarized Zone
vpn     VPN             VPN loc
vpn2    VPN2            VPN DMZ
vpnRW   VPNRW           VPN RW
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-----------  END good zones  -----------------

On Fri, 2003-06-13 at 09:20, M Lu wrote:
> Hi Tom and the list,
> 
> is there any restriction on INCLUDE?
> 
> For easier and quicker upgrade to newer versions, I tried to use INCLUDE
> inside the files I need
> to change and then have my_files to contain the actual data. E.g. I copy
> ''zones'' to ''my_zones''
> and edit ''my_zones'', I also keep all original comments
for reference.
> 
> However I got error using INCLUDE and no error if I copied back the data
> into zones (see below). What wrong do I do?
What version of Shorewall are you running ("/sbin/shorewall version")?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

1.4.4b on Bering router 1.2

Thank you Tom.



----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "M Lu" <mlu919@hotmail.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Friday, June 13, 2003 9:22 AM
Subject: Re: [Shorewall-users] INCLUDE directive

> On Fri, 2003-06-13 at 09:20, M Lu wrote:
> > Hi Tom and the list,
> >
> > is there any restriction on INCLUDE?
> >
> > For easier and quicker upgrade to newer versions, I tried to use
INCLUDE
> > inside the files I need
> > to change and then have my_files to contain the actual data. E.g. I
copy
> > ''zones'' to ''my_zones''
> > and edit ''my_zones'', I also keep all original
comments for reference.
> >
> > However I got error using INCLUDE and no error if I copied back the
data
> > into zones (see below). What wrong do I do?
>
> What version of Shorewall are you running ("/sbin/shorewall
version")?
>
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>

On Fri, 2003-06-13 at 09:22, Tom Eastep wrote:
> On Fri, 2003-06-13 at 09:20, M Lu wrote:
> > Hi Tom and the list,
> > 
> > is there any restriction on INCLUDE?
> > 
> > For easier and quicker upgrade to newer versions, I tried to use
INCLUDE
> > inside the files I need
> > to change and then have my_files to contain the actual data. E.g. I
copy
> > ''zones'' to ''my_zones''
> > and edit ''my_zones'', I also keep all original
comments for reference.
> > 
> > However I got error using INCLUDE and no error if I copied back the
data
> > into zones (see below). What wrong do I do?
> 
> What version of Shorewall are you running ("/sbin/shorewall
version")?
Never mind -- I see that the code for handling the zones file doesn''t
invoke the logic necessary to handle include. So there is a (temporary)
restriction which I''ll correct in the next release.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

OK, Tom. Thank you. Just for your information, I prepared the following
my_files:

my_blacklist
my_hosts
my_interfaces
my_masq
my_modules
my_params
my_policy
my_routestopped
my_rules
my_tunnels
my_zones

when my_zones did not work, I used original ''zones''. Then I
got
''shorewall restart'' running OK, but I cannot do VPN anymore.
''tcpdump -i ipsec0'' does not indicate any packets being
sent/receive
and nothing in log showing something stuck.

But it was late so I went back to using all original files and VPN
worked again. I will try to locate which of my_files caused that or
if I did something silly.

M Lu.


----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "M Lu" <mlu919@hotmail.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Friday, June 13, 2003 9:31 AM
Subject: Re: [Shorewall-users] INCLUDE directive

>
> Never mind -- I see that the code for handling the zones file
doesn''t
> invoke the logic necessary to handle include. So there is a (temporary)
> restriction which I''ll correct in the next release.
>
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>

On Fri, 2003-06-13 at 09:31, Tom Eastep wrote:
> 
> Never mind -- I see that the code for handling the zones file
doesn''t
> invoke the logic necessary to handle include. So there is a (temporary)
> restriction which I''ll correct in the next release.
> 
ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions should
corect this problem. Install it in /usr/share/shorewall/functions.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Yes to your question. It is the message when the rule was not present. And
thanks for the information.
By the way, I searched and found about someone saying that he wanted to make
that kind of proxy, but nothing else I could find. Do any of you know if there
are any plans on doing this? According to what I read, Oracle released source
code to main firewall vendors for building that kind of proxy, but I suppose
that nothing of this was done for Linux.
Regards

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: viernes, 13 de junio de 2003 15:49
To: Juan Jose Ledesma Poveda
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Oracle SQL*Net through Shorewall


On Fri, 2003-06-13 at 04:50, Juan Jose Ledesma Poveda
wrote:
> 	Hello all,
> 	I am a newbie to Linux firewalls, and am trying to setup shorewall to
allow connections from an Oracle client to an Oracle Server. The client tries to
connect to the server via port 1521 (it works fine) and once the first
connection has been successful, the server sends a redirect to the client to a
random high port. So, when the client tries to connect again to the sevrer on
that port the connection is not allowed. The only way I''ve found (which
I don?t like) is to open all ports from the client to the server. I''ve
googled for some days and found no way to do it.
> 	Any advice please?
> 
> 	This is my rules and log file (IP addresses faked)
> 
> 	Rules:
> 	ACCEPT  loc:w.x.y.z    net:a.b.c.d                    tcp     1024:65535
> 
> 	And this is the log file:
> 
> Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 
> OUT=eth0 SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127 
> ID=4040  DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN 
> URGP=0
> 
I assume that you are seeing that message when the rule is *not* present?


You are doing the only thing possible unless you establish a VPN of some sort
between the client and server.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net