Juan Jose Ledesma Poveda
2003-Jun-13 04:50 UTC
[Shorewall-users] Oracle SQL*Net through Shorewall
Hello all,

I am a newbie to Linux firewalls, and am trying to set up Shorewall to allow connections from an Oracle client to an Oracle server. The client tries to connect to the server via port 1521 (it works fine) and once the first connection has been successful, the server sends a redirect to the client to a random high port. So, when the client tries to connect again to the server on that port the connection is not allowed. The only way I've found (which I don't like) is to open all ports from the client to the server. I've googled for some days and found no way to do it.

Any advice please?

These are my rules and log file (IP addresses faked)

Rules:

ACCEPT loc:w.x.y.z net:a.b.c.d tcp 1024:65535

And this is the log file:

Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4040 DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0

Regards
On Fri, 2003-06-13 at 04:50, Juan Jose Ledesma Poveda wrote:
> Hello all,
> I am a newbie to Linux firewalls, and am trying to set up Shorewall to allow connections from an Oracle client to an Oracle server. The client tries to connect to the server via port 1521 (it works fine) and once the first connection has been successful, the server sends a redirect to the client to a random high port. So, when the client tries to connect again to the server on that port the connection is not allowed. The only way I've found (which I don't like) is to open all ports from the client to the server. I've googled for some days and found no way to do it.
> Any advice please?
>
> These are my rules and log file (IP addresses faked)
>
> Rules:
> ACCEPT loc:w.x.y.z net:a.b.c.d tcp 1024:65535
>
> And this is the log file:
>
> Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4040
> DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0
>

I assume that you are seeing that message when the rule is *not* present?

You are doing the only thing possible unless you establish a VPN of some sort between the client and server.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
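The dropped packet in the post is a fresh TCP SYN from the client to server port 1696, not 1521, so a rule keyed on the listener port cannot match it and connection tracking has no related session to attach it to. As an added example (editor's code, not from the thread and not part of Shorewall), the following Python parser reads Shorewall kernel log lines in the format quoted above, picks out dropped new-connection SYNs between a given client and server, and tallies the redirect ports it sees. The log lines, addresses and ports are constructed for the example (RFC 5737 documentation addresses standing in for the poster's faked w.x.y.z and a.b.c.d); the regular expressions are assumptions about the iptables LOG output format, not a Shorewall interface.

```python
import re
from collections import Counter

# Constructed sample input in the Shorewall/iptables LOG format quoted in the thread.
# 192.0.2.10 plays the Oracle client, 198.51.100.5 the Oracle server; 1696 and 1712
# stand in for the server's per-session redirect ports. None of this is real traffic.
SAMPLE_LOG = """\
Jun 13 10:29:20 firewall kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4038 DF PROTO=TCP SPT=1357 DPT=1521 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4040 DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 13 10:29:25 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4041 DF PROTO=TCP SPT=1359 DPT=1696 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 13 10:31:02 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=4100 DF PROTO=TCP SPT=1362 DPT=1712 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 13 10:31:10 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 10:32:00 firewall kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4200 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
"""

# Log prefix written by Shorewall's logging rules, "Shorewall:<chain>:<disposition>:",
# followed by the iptables LOG key=value fields. Assumed from the line in the thread.
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
INT_FIELDS = ("SPT", "DPT", "TTL", "ID")


def parse_line(line):
    """Parse one Shorewall kernel log line into a dict, or return None for other lines."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = m.group("fields")
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    rec.update(KV_RE.findall(fields))
    # Tokens without '=' are flags: DF on the IP header, SYN/ACK/FIN/... on TCP.
    rec["flags"] = {tok for tok in fields.split() if "=" not in tok}
    for key in INT_FIELDS:
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def dropped_syns(log_text, client, server, chain="loc2net"):
    """Count dropped TCP connection attempts (SYN without ACK) from client to server, per port."""
    ports = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP" or rec["chain"] != chain:
            continue
        if rec.get("SRC") != client or rec.get("DST") != server or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue  # not a new connection attempt
        ports[rec["DPT"]] += 1
    return ports


def observed_range(ports):
    """Lowest and highest redirect port seen so far; None if nothing was dropped."""
    return (min(ports), max(ports)) if ports else None


if __name__ == "__main__":
    ports = dropped_syns(SAMPLE_LOG, "192.0.2.10", "198.51.100.5")
    for port, n in sorted(ports.items()):
        print(f"dropped SYN to {port}: {n}x")
    print("observed redirect ports so far:", observed_range(ports))
```

The tally makes the problem visible rather than solving it: because the server picks the redirect port per session, the observed minimum and maximum are only what has been seen so far, not a bound that can safely go into a rule, which is why the answer in the thread is to open the ephemeral range or put the client and server behind a VPN.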
Hi Tom and the list,

is there any restriction on INCLUDE?

For easier and quicker upgrade to newer versions, I tried to use INCLUDE inside the files I need to change and then have my_files contain the actual data. E.g. I copy 'zones' to 'my_zones' and edit 'my_zones'; I also keep all original comments for reference.

However I got an error using INCLUDE and no error if I copied the data back into zones (see below). What am I doing wrong?

Thank you.

M Lu

---------- START zones ----------------
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
#ZONE	DISPLAY		COMMENTS
#
INCLUDE my_zones
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- END zones ------------

'my_zones' is

------------- START my_zones -----------
#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone (5 Characters or less in length).
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
#ZONE	DISPLAY		COMMENTS
#net	Net		Internet
#loc	Local		Local networks
#dmz	DMZ		Demilitarized zone
#
net	Net		Internet
loc	Local		Local Networks
dmz	DMZ		Demilitarized Zone
vpn	VPN		VPN loc
vpn2	VPN2		VPN DMZ
vpnRW	VPNRW		VPN RW
#
------------ END my_zones ---------------

# shorewall restart
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: INCLUDE
Validating interfaces file...
   Error: Invalid zone (net) in record "net eth0 detect dhcp,routefilter,norfc1918,blacklist"
Terminated

The following 'zones' is OK

-------- START good zones -------------
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
#ZONE	DISPLAY		COMMENTS
net	Net		Internet
loc	Local		Local Networks
dmz	DMZ		Demilitarized Zone
vpn	VPN		VPN loc
vpn2	VPN2		VPN DMZ
vpnRW	VPNRW		VPN RW
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
----------- END good zones -----------------
On Fri, 2003-06-13 at 09:20, M Lu wrote:
> Hi Tom and the list,
>
> is there any restriction on INCLUDE?
>
> For easier and quicker upgrade to newer versions, I tried to use INCLUDE
> inside the files I need
> to change and then have my_files contain the actual data. E.g. I copy
> 'zones' to 'my_zones'
> and edit 'my_zones'; I also keep all original comments for reference.
>
> However I got an error using INCLUDE and no error if I copied the data back
> into zones (see below). What am I doing wrong?

What version of Shorewall are you running ("/sbin/shorewall version")?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
1.4.4b on Bering router 1.2

Thank you Tom.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "M Lu" <mlu919@hotmail.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Friday, June 13, 2003 9:22 AM
Subject: Re: [Shorewall-users] INCLUDE directive

> On Fri, 2003-06-13 at 09:20, M Lu wrote:
> > Hi Tom and the list,
> >
> > is there any restriction on INCLUDE?
> >
> > For easier and quicker upgrade to newer versions, I tried to use INCLUDE
> > inside the files I need
> > to change and then have my_files contain the actual data. E.g. I copy
> > 'zones' to 'my_zones'
> > and edit 'my_zones'; I also keep all original comments for reference.
> >
> > However I got an error using INCLUDE and no error if I copied the data back
> > into zones (see below). What am I doing wrong?
>
> What version of Shorewall are you running ("/sbin/shorewall version")?
>
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
On Fri, 2003-06-13 at 09:22, Tom Eastep wrote:
> On Fri, 2003-06-13 at 09:20, M Lu wrote:
> > Hi Tom and the list,
> >
> > is there any restriction on INCLUDE?
> >
> > For easier and quicker upgrade to newer versions, I tried to use INCLUDE
> > inside the files I need
> > to change and then have my_files contain the actual data. E.g. I copy
> > 'zones' to 'my_zones'
> > and edit 'my_zones'; I also keep all original comments for reference.
> >
> > However I got an error using INCLUDE and no error if I copied the data back
> > into zones (see below). What am I doing wrong?
>
> What version of Shorewall are you running ("/sbin/shorewall version")?

Never mind -- I see that the code for handling the zones file doesn't invoke the logic necessary to handle INCLUDE. So there is a (temporary) restriction which I'll correct in the next release.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
OK, Tom. Thank you.

Just for your information, I prepared the following my_files:

my_blacklist
my_hosts
my_interfaces
my_masq
my_modules
my_params
my_policy
my_routestopped
my_rules
my_tunnels
my_zones

When my_zones did not work, I used the original 'zones'. Then I got 'shorewall restart' running OK, but I cannot do VPN anymore. 'tcpdump -i ipsec0' does not indicate any packets being sent/received and nothing in the log shows something stuck. But it was late so I went back to using all original files and VPN worked again. I will try to locate which of my_files caused that or whether I did something silly.

M Lu.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "M Lu" <mlu919@hotmail.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Friday, June 13, 2003 9:31 AM
Subject: Re: [Shorewall-users] INCLUDE directive

>
> Never mind -- I see that the code for handling the zones file doesn't
> invoke the logic necessary to handle INCLUDE. So there is a (temporary)
> restriction which I'll correct in the next release.
>
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
On Fri, 2003-06-13 at 09:31, Tom Eastep wrote:
>
> Never mind -- I see that the code for handling the zones file doesn't
> invoke the logic necessary to handle INCLUDE. So there is a (temporary)
> restriction which I'll correct in the next release.
>

ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions should correct this problem. Install it in /usr/share/shorewall/functions.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
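The restart output above shows the symptom of the missing expansion directly: "Zones: INCLUDE" means the literal word INCLUDE was read as a zone name, after which every real zone in the interfaces file is "invalid". As an added example (editor's code, not Shorewall's functions file and not anything posted in the thread), here is the expansion the poster expected, written in Python: each INCLUDE line is replaced by the contents of the named file, resolved relative to the configuration directory and itself expanded, with two checks that matter on a firewall configuration, that an include cannot point outside the configuration directory and that a loop of includes is rejected instead of recursing forever. The zones and my_zones contents are constructed to mirror the poster's files, and the nesting limit is an assumed value, not a Shorewall setting.

```python
import os
import tempfile

# Constructed files modelled on the poster's: a 'zones' stub that only carries the
# INCLUDE line, and a 'my_zones' that holds the real entries. Not the actual files.
ZONES_STUB = """\
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
#ZONE   DISPLAY     COMMENTS
#
INCLUDE my_zones
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

MY_ZONES = """\
#ZONE   DISPLAY     COMMENTS
#net    Net         Internet
net     Net         Internet
loc     Local       Local Networks
dmz     DMZ         Demilitarized Zone
vpn     VPN         VPN loc
vpn2    VPN2        VPN DMZ
vpnRW   VPNRW       VPN RW
#
"""

MAX_DEPTH = 10  # assumed guard against runaway nesting; not a Shorewall value


def expand_includes(path, config_dir, _depth=0, _seen=None):
    """Return the lines of a config file with every INCLUDE replaced by the named file's
    (recursively expanded) contents. Names resolve under config_dir and may not escape it."""
    seen = _seen if _seen is not None else set()
    real = os.path.realpath(path)
    if _depth > MAX_DEPTH or real in seen:
        raise ValueError(f"INCLUDE loop or nesting too deep at {path}")
    seen.add(real)
    base = os.path.realpath(config_dir)
    out = []
    with open(path) as fh:
        for line in fh:
            stripped = line.strip()
            if stripped.startswith("INCLUDE"):
                parts = stripped.split(None, 1)
                if len(parts) != 2:
                    raise ValueError(f"malformed INCLUDE in {path}: {stripped!r}")
                target = os.path.realpath(os.path.join(base, parts[1].strip()))
                if not target.startswith(base + os.sep):
                    raise ValueError(f"INCLUDE escapes {config_dir}: {parts[1]!r}")
                out.extend(expand_includes(target, config_dir, _depth + 1, seen))
            else:
                out.append(line.rstrip("\n"))
    seen.discard(real)
    return out


def zone_names(lines):
    """First column of every non-comment, non-blank line: what a zones parser would see."""
    names = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.append(stripped.split()[0])
    return names


def demo():
    """Write the constructed files to a temp dir; return zone names before and after expansion."""
    with tempfile.TemporaryDirectory() as cfg:
        with open(os.path.join(cfg, "zones"), "w") as fh:
            fh.write(ZONES_STUB)
        with open(os.path.join(cfg, "my_zones"), "w") as fh:
            fh.write(MY_ZONES)
        before = zone_names(ZONES_STUB.splitlines())
        after = zone_names(expand_includes(os.path.join(cfg, "zones"), cfg))
        return before, after


def loop_is_rejected():
    """Constructed a -> b -> a cycle; expansion must fail rather than recurse forever."""
    with tempfile.TemporaryDirectory() as cfg:
        with open(os.path.join(cfg, "a"), "w") as fh:
            fh.write("INCLUDE b\n")
        with open(os.path.join(cfg, "b"), "w") as fh:
            fh.write("INCLUDE a\n")
        try:
            expand_includes(os.path.join(cfg, "a"), cfg)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    before, after = demo()
    print("without expansion:", before)   # the 'Zones: INCLUDE' case from the thread
    print("with expansion:   ", after)
    print("include loop rejected:", loop_is_rejected())
```

Whichever tool does the expansion, the included files are part of the firewall policy and deserve the same ownership and permissions as the file that includes them.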
Juan Jose Ledesma Poveda
2003-Jun-16 06:27 UTC
[Shorewall-users] Oracle SQL*Net through Shorewall
Yes to your question. It is the message when the rule was not present. And thanks for the information.

By the way, I searched and found someone saying that he wanted to make that kind of proxy, but nothing else I could find. Do any of you know if there are any plans on doing this? According to what I read, Oracle released source code to the main firewall vendors for building that kind of proxy, but I suppose that none of this was done for Linux.

Regards

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, June 13, 2003 15:49
To: Juan Jose Ledesma Poveda
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Oracle SQL*Net through Shorewall

On Fri, 2003-06-13 at 04:50, Juan Jose Ledesma Poveda wrote:
> Hello all,
> I am a newbie to Linux firewalls, and am trying to set up Shorewall to allow connections from an Oracle client to an Oracle server. The client tries to connect to the server via port 1521 (it works fine) and once the first connection has been successful, the server sends a redirect to the client to a random high port. So, when the client tries to connect again to the server on that port the connection is not allowed. The only way I've found (which I don't like) is to open all ports from the client to the server. I've googled for some days and found no way to do it.
> Any advice please?
>
> These are my rules and log file (IP addresses faked)
>
> Rules:
> ACCEPT loc:w.x.y.z net:a.b.c.d tcp 1024:65535
>
> And this is the log file:
>
> Jun 13 10:29:22 firewall kernel: Shorewall:loc2net:DROP:IN=eth1
> OUT=eth0 SRC=w.x.y.z DST=a.b.c.d LEN=44 TOS=0x00 PREC=0x00 TTL=127
> ID=4040 DF PROTO=TCP SPT=1358 DPT=1696 WINDOW=8192 RES=0x00 SYN
> URGP=0
>

I assume that you are seeing that message when the rule is *not* present?

You are doing the only thing possible unless you establish a VPN of some sort between the client and server.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net