j6m@cvni.net
2003-Jun-25 15:40 UTC
[Shorewall-users] Trouble with fw->dmz net->dmz traffic
Hello,

I installed a 3 leg firewall using Shorewall 1.4.5 on a box running SuSE 8.2 (kernel 2.4.20 patched with Yast Online Update).

My NICs are configured that way:

eth0 10.0.0.1 (255.0.0.0) (connected to a DSL modem)
eth1 192.168.1.1 (255.255.255.0) (local zone)
eth2 192.168.2.1 (255.255.255.0) (dmz)

My dmz main server is at 192.168.2.5; it offers DNS (bind9), HTTP and SMTP services.

As I use PPPoE (fixed IP assigned by ISP) to connect, I took the three-interface template and replaced eth0 with ppp0 in the interfaces, masq and routestopped examples.

Then I edited the rules file and added:

ACCEPT fw net tcp 53
ACCEPT fw net udp 53
(works)
ACCEPT fw dmz tcp 53
ACCEPT fw dmz udp 53
(does not work)
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
(works)
DNAT net dmz:192.168.2.5 tcp 53
DNAT net dmz:192.168.2.5 udp 53
(does not work)

Although I allowed fw access to the DNS service in the DMZ, when doing host <whatever domain> 192.168.2.5 I got busted. Inspecting /var/log/messages shows that Shorewall rejects such connections:

Jun 26 00:02:59 hotel kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44100 DF PROTO=UDP SPT=32776 DPT=53 LEN=42

I must have missed something somewhere. Maybe it is related to the fact that DNAT does not occur either.

Jun 25 16:41:39 hotel kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth1 SRC=80.67.173.196 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45136 DF PROTO=TCP SPT=1225 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0

It is just as if these four rules did not exist, causing Shorewall to follow what is defined in policy.
----
My interfaces file is

net ppp0 detect routefilter,norfc1918,dropunclean
(Yes, I know I am a bit paranoid but they are all out after me ;))
loc eth1 detect
dmz eth2 detect

(Of course I take care to stop and start shorewall in ip-up so that ppp0 is always up when Shorewall restarts, should a disconnect occur, which actually happens every 24 hours by the telco.)

An oddity in my system is that, at present, there is no physical computer in my local zone.
On Thu, 26 Jun 2003 00:19:34 +0200, <j6m@cvni.net> wrote:

> Hello,
>
> I installed a 3 leg firewall using Shorewall 1.4.5 on a box running SuSE 8.2 (kernel 2.4.20 patched with Yast Online Update).
>
> My NICs are configured that way:
>
> eth0 10.0.0.1 (255.0.0.0) (connected to a DSL modem)
> eth1 192.168.1.1 (255.255.255.0) (local zone)
> eth2 192.168.2.1 (255.255.255.0) (dmz)
>
> My dmz main server is at 192.168.2.5; it offers DNS (bind9), HTTP and SMTP services.
>
> As I use PPPoE (fixed IP assigned by ISP) to connect, I took the three-interface template and replaced eth0 with ppp0 in the interfaces, masq and routestopped examples.
>
> Then I edited the rules file and added:
>
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> (works)
> ACCEPT fw dmz tcp 53
> ACCEPT fw dmz udp 53
> (does not work)
> ACCEPT dmz net tcp 53
> ACCEPT dmz net udp 53
> (works)
> DNAT net dmz:192.168.2.5 tcp 53
> DNAT net dmz:192.168.2.5 udp 53
> (does not work)
>
> Although I allowed fw access to the DNS service in the DMZ, when doing host <whatever domain> 192.168.2.5 I got busted. Inspecting /var/log/messages shows that Shorewall rejects such connections:
>
> Jun 26 00:02:59 hotel kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44100 DF PROTO=UDP SPT=32776 DPT=53 LEN=42
>
> I must have missed something somewhere. Maybe it is related to the fact that DNAT does not occur either.
>
> Jun 25 16:41:39 hotel kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth1 SRC=80.67.173.196 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45136 DF PROTO=TCP SPT=1225 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
>
> It is just as if these four rules did not exist, causing Shorewall to follow what is defined in policy.
>
> ----
> My interfaces file is
>
> net ppp0 detect routefilter,norfc1918,dropunclean
> (Yes, I know I am a bit paranoid but they are all out after me ;))
> loc eth1 detect
> dmz eth2 detect

While you claim that eth1 goes to the local net and eth2 to the DMZ, the log messages above indicate that eth1 goes to the DMZ.

-tOM
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
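Tom's diagnosis can be checked mechanically. The script below is an added example, not code from the thread or from Shorewall: it takes the zone/interface map from the poster's interfaces file and the subnet/zone map from the NIC addressing he listed, then compares the zone pair Shorewall actually evaluated for each quoted log line (from IN=/OUT=) with the pair the destination address implies. The two log lines are the ones quoted in the post.

```python
"""Cross-check Shorewall log lines against the zone layout described in the post."""
import ipaddress
import re

# zone -> interface, from the poster's /etc/shorewall/interfaces
ZONE_IFACE = {"net": "ppp0", "loc": "eth1", "dmz": "eth2"}
IFACE_ZONE = {iface: zone for zone, iface in ZONE_IFACE.items()}

# subnet -> zone, from the addressing plan in the post (eth1 = loc, eth2 = dmz)
SUBNET_ZONE = {
    ipaddress.ip_network("192.168.1.0/24"): "loc",
    ipaddress.ip_network("192.168.2.0/24"): "dmz",
}

# The two log lines quoted in the thread (constructed sample input for this example).
LOG_LINES = [
    "Jun 26 00:02:59 hotel kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44100 DF "
    "PROTO=UDP SPT=32776 DPT=53 LEN=42",
    "Jun 25 16:41:39 hotel kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth1 "
    "SRC=80.67.173.196 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45136 DF "
    "PROTO=TCP SPT=1225 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0",
]

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>\w+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def zone_for_address(addr: str) -> str:
    """Zone an address belongs to under the addressing plan; anything else is 'net'."""
    ip = ipaddress.ip_address(addr)
    return next((z for net, z in SUBNET_ZONE.items() if ip in net), "net")


def zone_for_iface(iface: str) -> str:
    """Zone Shorewall attaches to an interface; an empty IN=/OUT= is the firewall itself."""
    return "fw" if not iface else IFACE_ZONE.get(iface, "unknown")


def check_log_line(line: str) -> dict:
    """Report the zone pair Shorewall evaluated versus the pair the poster's rule targets."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    src_zone = zone_for_iface(m["in"])      # source zone comes from the ingress interface
    out_zone = zone_for_iface(m["out"])     # zone Shorewall really used for the destination
    dst_zone = zone_for_address(m["dst"])   # zone the destination address *should* be in
    return {
        "chain": m["chain"], "action": m["action"],
        "evaluated_pair": "%s2%s" % (src_zone, out_zone),
        "intended_pair": "%s2%s" % (src_zone, dst_zone),
        "mismatch": out_zone != dst_zone,   # True => rule for intended pair is never consulted
    }


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(check_log_line(entry))
```

A mismatch row (OUT=eth1 while the destination sits on the dmz subnet) shows the packet being judged as fw2loc or net2loc, so the fw2dmz and net2dmz rules are never reached and the all2all/net2all policy fires, exactly as the logs show.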