I'm trying to understand how the three-interface environment operates. The first thing I've done is set up a time server on the firewall which is questioning an atomic clock periodically. My two zones (loc & dmz) have their machines set up to get their time synchronisation from the firewall.

Policy

Source dest policy log
Loc net accept
Fw net accept
Dmz net accept
Net all drop info
All all reject info

Rules

Action source dest proto dest Port
Accept net fw tcp ntp
Accept fw net tcp ntp
I don't think I need this 2nd rule?

The firewall is reporting a continuous all2all error message from all ip numbers from both loc and dmz zones. I've googled and read everything I can find on shorewall/ntp (not a lot) and I'm confused.

Do I need to set up:

Accept loc fw tcp ntp
Accept dmz fw tcp ntp ?

Or is there a better way of ensuring all clients on loc and dmz are time synchronised with the fw time server? (Maybe the time server should be in the dmz!)

Thanks for any enlightenment.

John
On Wednesday 16 July 2003 14:09, John Hedge wrote:
> I'm trying to understand how the three-interface environment operates.

I am not an expert, but I think NTP runs on UDP, not TCP. If you look in your log you can see it.

Hope I could help.
Mikkel Mondrup Kristensen

Sorry, I sent this first to you, John; I just got out of bed :)

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
G'day Mikkel. Have a good one and thx for the assist.

John

On Wed, 2003-07-16 at 22:51, Mikkel Mondrup Kristensen wrote:
> I am not an expert, but I think NTP runs on UDP, not TCP. If you look in your log you can see it.
On Wed, 2003-07-16 at 05:09, John Hedge wrote:
> I'm trying to understand how the three-interface environment operates.
>
> Do I need to set up:
>
> Accept loc fw tcp ntp
> Accept dmz fw tcp ntp ?
>
> Or is there a better way of ensuring all clients on loc and dmz are time
> synchronised with the fw time server? (Maybe the time server should be
> in the dmz!)

Placing the ntp server on the firewall is fine (that's what I do -- see http://shorewall.net/myfiles.htm).

You need a rule *any time that the connection is not allowed by policy*. To see the effective policy between each ordered pair of zones, run "shorewall check". In the output, you will see where the Policy file is validated; there, for each ordered pair of zones, the applicable policy is printed. If the policy is DROP or REJECT then connections from the first zone listed will not be allowed to the second zone listed.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Wed, 16 Jul 2003 22:09:55 +1000, John Hedge <john@hedge.com.au> wrote:
> Policy
>
> Source dest policy log
> Loc net accept
> Fw net accept
> Dmz net accept
> Net all drop info
> All all reject info

That all looks fine, apart from the case of Loc, Fw etc (should be loc, fw and so on). I'd have thought this would have caused shorewall to fail to start though, instead of giving the problem you describe, so perhaps you've got things a bit mixed up when typing out your mail.

> Rules
>
> Action source dest proto dest Port
> Accept net fw tcp ntp
> Accept fw net tcp ntp
> I don't think I need this 2nd rule?

Again the case of Accept is wrong here. Should be ACCEPT, but again I'm assuming that's just a typing error.

NTP uses both tcp and udp. You need to have:

ACCEPT fw net tcp 123
ACCEPT fw net udp 123

I think the replies from the lower stratum servers will be classed as related traffic by netfilter (correct me Tom?) so you might not need to put in explicit rules to allow them. If you do need them, they'd be:

ACCEPT net fw tcp 123
ACCEPT net fw udp 123

> The firewall is reporting a continuous all2all error message from all ip
> numbers from both loc and dmz zones.

I hope you don't mind if I make a potentially grumpy-sounding comment. If you're asking for help in future, actual extracts of logs are much more helpful than making statements like that. It's also helpful if you can quote your config files exactly too - simple transcription errors like getting the case wrong often confuse the problem.

> Or is there a better way of ensuring all clients on loc and dmz are time
> synchronised with the fw time server? (Maybe the time server should be
> in the dmz!)

The server should go in the dmz if you intend to serve ntp to the net at large. Otherwise it's acting as a client and it doesn't really matter. My ntp server is in my local zone.

cheers
Julian
--
jc@ljchurch.co.uk
www.ljchurch.co.uk
On Wed, 2003-07-16 at 06:01, Julian Church wrote:
> NTP uses both tcp and udp.

NTP only uses UDP port 123. The Time service (rdate) uses TCP port 37.

> You need to have:
>
> ACCEPT fw net tcp 123
> ACCEPT fw net udp 123
>
> I think the replies from the lower stratum servers will be classed as
> related traffic by netfilter (correct me Tom?)

That's correct Julian. In general with Shorewall, you only need to have rules for the initial connection request (initial packet for connectionless protocols like UDP); all subsequent packets in the exchange are handled automatically. If the host at either end can "speak first" (initiate the connection) then you need the appropriate policy/rule in both directions.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
John Hedge wrote:
> Policy
>
> Source dest policy log
> Loc net accept
> Fw net accept
> Dmz net accept
> Net all drop info
> All all reject info
>
> Rules
>
> Action source dest proto dest Port
> Accept net fw tcp ntp
> Accept fw net tcp ntp
> I don't think I need this 2nd rule?

Hello John,

I just wanted to fill in with a note: if you don't run very many services from your firewall except for only a few, it would probably be safer in the long run to reject or drop all traffic from the firewall to the net. The default policy list that is installed with Shorewall looks like this:

SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc all ACCEPT
net all DROP info
all all REJECT info

Which is very tight. A suggestion from my end would be to:

fw net REJECT

and allow only those specific services you run from the firewall to the net in the rules list. It's also a way of protecting oneself from adding, mixing with too many rules that can get to be too confusing after a while, which most of us have encountered already. :) That second rule would have been ok if you dropped, rejected traffic from the fw to the net.

Regards,
--
Patrick Benson
Stockholm, Sweden
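To make the evaluation order discussed in this thread concrete, here is a small Python model, added as an illustration for this thread and not taken from Shorewall's own code, of three points made above: Tom's note that a rule is needed whenever the policy does not already allow the connection (and that the chain name in the log, such as all2all, tells you which policy entry fired), his later note that only the initial packet needs a rule because netfilter connection tracking handles the replies, and Patrick's suggestion of a REJECT policy from fw to net with explicit rules for the services the firewall itself uses. The `Firewall` class, its methods, the table-parsing helper, the local service-name map and the sample policy/rules tables are all constructed for this example; the evaluation order it assumes (rules before policy, first matching policy entry wins, replies to accepted connections passed by connection tracking) is a deliberate simplification of what Shorewall generates and omits macros, zone nesting, interface options and everything else.

```python
"""Simplified model of how Shorewall decides the fate of a new connection
(an illustration for this thread, not Shorewall's own code). Assumed order:
rules are consulted before policies; the first matching policy entry wins; a
policy verdict is logged from a chain named <src>2<dst>, so a connection that
falls through to 'all all REJECT' shows up as all2all; once a connection is
accepted, connection tracking passes its replies without a further lookup."""

SERVICES = {"ntp": 123, "time": 37}  # resolved locally so this runs offline

def port_number(value):
    """Accept a numeric port or a service name such as 'ntp'."""
    value = str(value)
    return int(value) if value.isdigit() else SERVICES[value.lower()]

def parse_table(text):
    """Rows of a whitespace-separated Shorewall-style table; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def effective_policy(policies, src, dst):
    """(action, chain) of the first policy entry matching src->dst."""
    for psrc, pdst, action, *_ in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action.upper(), f"{psrc}2{pdst}"
    raise LookupError(f"no policy entry covers {src}->{dst}")

class Firewall:
    def __init__(self, policy_text, rules_text):
        self.policies = parse_table(policy_text)
        self.rules = parse_table(rules_text)
        self.conntrack = set()  # accepted (src, dst, proto, port) tuples

    def new_connection(self, src, dst, proto, port):
        """Verdict on an initial packet: (verdict, 'rule' or policy chain)."""
        port = port_number(port)
        verdict, via = None, "rule"
        for action, rsrc, rdst, rproto, rport, *_ in self.rules:
            if (rsrc, rdst, rproto.lower(), port_number(rport)) == (src, dst, proto, port):
                verdict = action.upper()
                break
        if verdict is None:
            verdict, via = effective_policy(self.policies, src, dst)
        if verdict == "ACCEPT":
            self.conntrack.add((src, dst, proto, port))
        return verdict, via

    def reply(self, src, dst, proto, port):
        """Replies pass only for accepted connections (keyed on the original
        destination port here; real conntrack matches the whole tuple)."""
        return (dst, src, proto, port_number(port)) in self.conntrack

# Constructed tables mirroring the thread ('fw' is $FW in real Shorewall files).
JOHN_POLICY = """
#SOURCE DEST  POLICY  LOG
loc     net   ACCEPT
fw      net   ACCEPT
dmz     net   ACCEPT
net     all   DROP    info
all     all   REJECT  info
"""
JOHN_RULES = """
#ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT  net    fw   tcp   ntp
ACCEPT  fw     net  tcp   ntp
"""
FIXED_RULES = """
#ACTION SOURCE DEST PROTO DEST_PORT   (clients in loc/dmz, server on fw, NTP is UDP 123)
ACCEPT  loc    fw   udp   123
ACCEPT  dmz    fw   udp   123
"""
# Patrick's tighter variant: nothing leaves the firewall unless a rule allows it.
TIGHT_POLICY = JOHN_POLICY.replace("fw      net   ACCEPT", "fw      net   REJECT  info")
TIGHT_RULES = FIXED_RULES + "ACCEPT  fw     net  udp   123\n"

def walk_through():
    """Return {scenario: (verdict, via)} for the situations discussed in the thread."""
    original = Firewall(JOHN_POLICY, JOHN_RULES)
    fixed = Firewall(JOHN_POLICY, FIXED_RULES)
    tight = Firewall(TIGHT_POLICY, TIGHT_RULES)
    return {
        # No rule covers loc->fw udp/123 and no policy allows it, so the
        # connection falls through to 'all all REJECT': the all2all log entries.
        "loc->fw original": original.new_connection("loc", "fw", "udp", "ntp"),
        "loc->fw fixed": fixed.new_connection("loc", "fw", "udp", 123),
        # John's policy already allows fw->net, so his second rule is redundant.
        "fw->net original": original.new_connection("fw", "net", "udp", 123),
        # Once fw->net is rejected by policy, the explicit rule is what allows it.
        "fw->net tight": tight.new_connection("fw", "net", "udp", 123),
        # The upstream server's reply needs no 'net fw' rule: conntrack passes it.
        "net->fw reply": ("ACCEPT" if tight.reply("net", "fw", "udp", 123) else "DROP", "conntrack"),
    }

if __name__ == "__main__":
    for name, (verdict, via) in walk_through().items():
        print(f"{name:18} {verdict:7} via {via}")
```

Running the file prints one line per scenario; the first shows the loc->fw NTP request landing in all2all with REJECT, which is exactly the log pattern John reported, and the last shows why Julian's optional `ACCEPT net fw` rules are unnecessary for the replies.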
I'd like to thank:

Patrick
Tom (of course)
Rodolfo
Julian
Mikkel

for such prompt and accurate assistance. Keep up the good work fellows.

John