Hi all,

How has Webmin been working with newer versions of Shorewall (1.4 and up)? Anyone notice any issues or problems?

--
Joe

*** I can only please one person a day. Today is not your day and tomorrow doesn't look good either. ***
I am running 1.4.5, and I haven't had any problems with Webmin.

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
Want reliable web hosting at affordable prices? www.modevia.com
Web Dev/Design Community/Zine www.developercube.com

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Joe Gofton
Sent: Friday, July 18, 2003 12:10 PM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Webmin Question
Hello.

I recently installed shorewall-1.4.5-1.noarch.rpm on Redhat 8.0 to set up a firewall with two interfaces. After configuring Shorewall using the two-interface sample file, the firewall isn't working as I expected. There are also a couple of things in the command-line output that make me wonder what I am doing wrong. Here's a piece of it:

Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0 [ISN'T IT SUPPOSED TO SHOW THE ACTUAL IP ADDRESS RANGE SET UP FOR eth0 AND eth1?]
Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP [MY LINUX BOX ISN'T CONFIGURED AS A DHCP SERVER, NOR HAVE I CONFIGURED DHCP IN THE SHOREWALL CONFIG FILES]
Enabling RFC1918 Filtering
Setting up Blacklisting...
Blacklisting enabled on eth1
[LIST OF BLACKLISTED IP ADDRESSES]
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT net fw icmp 8" added.
Rule "ACCEPT fw loc icmp 8" added.
Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net using chain loc2net
Policy ACCEPT for loc to loc using chain loc2loc
Masqueraded Subnets and Hosts:
Warning: default route ignored on interface eth1
To 0.0.0.0/0 from 148.202.86.0/24 through eth0 [THIS IS DEFINITELY WRONG, ISN'T IT?]
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted

Thank you very much.

Regards,
Carlos Cajina
On Fri, 2003-07-18 at 11:51, Carlos Cajina wrote:

> Determining Hosts in Zones...
> Net Zone: eth0:0.0.0.0/0 [ISN'T IT SUPPOSED TO SHOW THE ACTUAL IP
> ADDRESS RANGE SET UP FOR eth0 AND eth1?]

NO! (I can yell too).

> Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP [MY LINUX BOX ISN'T CONFIGURED AS A DHCP
> SERVER, NOR HAVE I CONFIGURED DHCP IN THE SHOREWALL CONFIG FILES]

So Shorewall didn't do anything during that step.

> Enabling RFC1918 Filtering
> Setting up Blacklisting...
> Blacklisting enabled on eth1
> [LIST OF BLACKLISTED IP ADDRESSES]
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Rule "ACCEPT fw net tcp 53" added.
> Rule "ACCEPT fw net udp 53" added.
> Rule "ACCEPT loc fw tcp 22" added.
> Rule "ACCEPT loc fw icmp 8" added.
> Rule "ACCEPT net fw icmp 8" added.
> Rule "ACCEPT fw loc icmp 8" added.
> Rule "ACCEPT fw net icmp 8" added.
> Processing /etc/shorewall/policy...
> Policy ACCEPT for fw to net using chain fw2net
> Policy ACCEPT for fw to loc using chain fw2loc
> Policy DROP for net to fw using chain net2all
> Policy ACCEPT for loc to fw using chain loc2fw
> Policy ACCEPT for loc to net using chain loc2net
> Policy ACCEPT for loc to loc using chain loc2loc
> Masqueraded Subnets and Hosts:
> Warning: default route ignored on interface eth1
> To 0.0.0.0/0 from 148.202.86.0/24 through eth0 [THIS IS DEFINITELY
> WRONG, ISN'T IT?]

Yes -- you probably have eth0 and eth1 reversed in your /etc/shorewall/masq record. Are you sure that you don't also have them reversed in /etc/shorewall/interfaces as well?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 11:00, Tom Eastep wrote:

> On Fri, 2003-07-18 at 11:51, Carlos Cajina wrote:
>
> > Determining Hosts in Zones...
> > Net Zone: eth0:0.0.0.0/0 [ISN'T IT SUPPOSED TO SHOW THE ACTUAL IP
> > ADDRESS RANGE SET UP FOR eth0 AND eth1?]
>
> NO! (I can yell too).

This is also a FAQ -- see http://shorewall.net/FAQ.htm#faq9

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 11:00, Tom Eastep wrote:

> > Masqueraded Subnets and Hosts:
> > Warning: default route ignored on interface eth1
> > To 0.0.0.0/0 from 148.202.86.0/24 through eth0 [THIS IS DEFINITELY
> > WRONG, ISN'T IT?]
>
> Yes -- you probably have eth0 and eth1 reversed in your
> /etc/shorewall/masq record. Are you sure that you don't also have them
> reversed in /etc/shorewall/interfaces as well?

You should probably go back and double-check each item flagged with a red arrow in the QuickStart Guide (http://shorewall.net/two-interface.htm).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 13:02, Carlos Cajina wrote:

> Hello again.
> The UPPERCASE from my first mail wasn't yelling, I was just trying to make
> my comments visible :) I apologize if it seemed rude.

No problem.

> Anyway, I think it was my mistake about Shorewall not working. I am using
> version 1.4.0 and decided to try 1.4.5 before upgrading. The problem might be
> hiding in my local network configuration "not being compatible" with
> Shorewall v1.4.5 and here is the possible why: my firewall internal and
> external interfaces are connected to the same switch because in my network
> segment two different sub-nets can be used almost transparently.

This shouldn't have worked with 1.4.0 either (or not very well anyway). It *might* work better if you included these two statements in /etc/shorewall/start:

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter

> I decided
> that I would use one segment to be "loc" and the other to be the "net" and
> would filter by blacklisting IP addresses from "loc" even though I would be
> "wasting" practically the whole IP address range from the "net" segment. I
> followed the two-interface how-to and everything has been working fine since
> I installed the firewall 4 months ago. Now, it seems to me that newer
> versions of Shorewall don't allow eth0 and eth1 to be connected to the same
> hub/switch (as stated in the docs), and I certainly ended up confused and
> believing that Shorewall didn't work at all.

The output that you posted showed that you were trying to masquerade out of eth0 when your default route was out of eth1; that *definitely* indicates a configuration problem and would have been a problem with 1.4.0 as well.

How did you upgrade from 1.4.0->1.4.5?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 12:14, Tom Eastep wrote:

> This shouldn't have worked with 1.4.0 either (or not very well anyway).
> It *might* work better if you included these two statements in
> /etc/shorewall/start:
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
> echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter

Doh -- cut and paste error; the second line should refer to eth1 of course.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
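The two problems Tom points at above (a masq record naming the interface that does not carry the default route, and arp_filter needed when both interfaces sit on one switch) can be checked before restarting Shorewall. This is an added example, not code from the thread or from Shorewall itself; the `ip route` line and the masq record are constructed samples, and the functions are hypothetical helpers.

```shell
#!/bin/sh
# Added example: sanity-check an /etc/shorewall/masq record against the
# default route, and emit the arp_filter lines for /etc/shorewall/start
# (one per interface, avoiding the eth0/eth0 cut-and-paste slip above).

# Constructed sample of `ip route show default` output: default route via eth1.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth1'

# Constructed sample masq record (INTERFACE SUBNET) repeating the mistake in
# the thread: masquerading the local subnet out of eth0 instead of eth1.
SAMPLE_MASQ='eth0 148.202.86.0/24'

# default_iface ROUTE_LINE -> prints the interface named after "dev".
default_iface() {
    echo "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# masq_iface MASQ_RECORD -> first column, with any ":alias" or ":subnet"
# qualifier that Shorewall allows in that column stripped off.
masq_iface() {
    echo "$1" | awk '{ print $1 }' | cut -d: -f1
}

# check_masq ROUTE_LINE MASQ_RECORD -> exit 0 when the masq interface is the
# default-route interface, 1 otherwise.
check_masq() {
    [ "$(default_iface "$1")" = "$(masq_iface "$2")" ]
}

# arp_filter_lines IF1 IF2 -> the two /etc/shorewall/start statements.
arp_filter_lines() {
    for i in "$1" "$2"; do
        echo "echo 1 > /proc/sys/net/ipv4/conf/$i/arp_filter"
    done
}

if check_masq "$SAMPLE_ROUTE" "$SAMPLE_MASQ"; then
    echo "masq record agrees with the default route"
else
    echo "masq record uses $(masq_iface "$SAMPLE_MASQ") but the default route is via $(default_iface "$SAMPLE_ROUTE")"
fi
arp_filter_lines eth0 eth1
```

On a live box, feed `check_masq` the real `ip route show default` line and the masq record instead of the constructed samples.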
On Fri, 2003-07-18 at 11:00, Tom Eastep wrote:

> > Adding Common Rules
> > Adding rules for DHCP [MY LINUX BOX ISN'T CONFIGURED AS A DHCP
> > SERVER, NOR HAVE I CONFIGURED DHCP IN THE SHOREWALL CONFIG FILES]
>
> So Shorewall didn't do anything during that step.
>
> > Enabling RFC1918 Filtering

I've changed the code in 1.4.6 so that the DHCP message is suppressed when there are no DHCP rules to add.

Thanks for pointing out that little wart,

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net