Colin Viebrock
2003-Aug-29 10:21 UTC
[Shorewall-users] problem getting ulogd and shorewall working on debian
I'm trying to get Shorewall to use ulogd for logging, but I'm not seeing any logging in either the file I set up for logs, nor in /var/log/messages (where the logs used to be).

I'm running a stock Debian 3.0 woody system, with a custom 2.4.21 kernel. I used all the settings as described on shorewall.net when configuring the kernel. ulogd (0.97-1) and shorewall (1.4.5-1) were installed via apt, and shorewall is set up with the 3-interface example. All the /etc/shorewall/* files have "ULOG" where they used to have "info".

/etc/ulogd.conf has:

    nlgroup 1
    logfile /var/log/ulogd.log
    loglevel 5
    plugin /usr/lib/ulogd/ulogd_BASE.so
    syslogfile /var/log/shorewall
    syslogsync 1
    plugin /usr/lib/ulogd/ulogd_LOGEMU.so
    dumpfile /var/log/ulogd.pktlog

And lsmod shows:

    Module                  Size  Used by    Not tainted
    ipt_ULOG                3456   8
    ipt_TOS                 1088  12  (autoclean)
    ipt_MASQUERADE          1248   2  (autoclean)
    ipt_LOG                 3168   0  (autoclean)
    ipt_REJECT              3040   4  (autoclean)
    ipt_state                608  41  (autoclean)
    iptable_mangle          2208   1  (autoclean)
    ip_nat_irc              2240   0  (unused)
    ip_nat_ftp              2848   0  (unused)
    iptable_nat            15380   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
    ip_conntrack_irc        2976   1
    ip_conntrack_ftp        3744   1
    ip_conntrack           16628   4  [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
    iptable_filter          1728   1  (autoclean)
    ip_tables              10400  11  [ipt_ULOG ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]

I'm not even sure this is a Shorewall issue, but I'm stumped. Where are my logs going, and how do I get them into /var/log/shorewall?

- Colin
Jason Maas
2003-Aug-29 20:00 UTC
[Shorewall-users] problem getting ulogd and shorewall working on debian
Hi Colin,

On Fri, 29 Aug 2003, Colin Viebrock wrote:
> I'm trying to get Shorewall to use ulogd for logging, but I'm not
> seeing any logging in either the file I set up for logs, nor in
> /var/log/messages (where the logs used to be).
>
> I'm running a stock Debian 3.0 woody system, with a custom 2.4.21
> kernel.

I saw the same problem a while back when setting up a Debian "testing" system. The fix at the time was to get a newer version of ulogd by installing the "unstable" distro's ulogd. The cause of the problem had to do with something that changed around kernel 2.4.18 and that you need a newer ulogd which can handle that change.

Try installing ulogd from "unstable" and if you have everything configured correctly I bet that it will just start working for you.

I hope this helps.

-Jason
David Kempe
2003-Aug-29 20:10 UTC
[Shorewall-users] problem getting ulogd and shorewall working on debian
There might also be a less official but nonetheless useful backport on http://www.apt-get.org

dave

----- Original Message -----
From: "Jason Maas" <maasj@dm.org>
> Try installing ulogd from "unstable" and if you have everything configured
> correctly I bet that it will just start working for you.
Colin Viebrock
2003-Sep-02 08:56 UTC
[Shorewall-users] problem getting ulogd and shorewall working on debian
> ----- Original Message -----
> From: "Jason Maas" <maasj@dm.org>
>
>> Try installing ulogd from "unstable" and if you have everything
>> configured
>> correctly I bet that it will just start working for you.
>>

Well, that did it. Thanks.

I tried installing the unstable version originally, but got lots of error messages from apt, so I went back to stable. Anyway, unstable works perfectly now.

- Colin
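The thread above is about getting the netfilter log records into /var/log/shorewall; once they arrive there, something has to read them. The following is an added example (not from the thread, and not code from Shorewall or ulogd) that parses the syslog-style record format which ipt_LOG writes to /var/log/messages and which ulogd's LOGEMU plugin emulates, then counts dropped connection attempts by source and destination port. The sample records are constructed for the example; the hostname `fw`, the interface names and the addresses are assumptions, and the prefix layout assumed is Shorewall's default `Shorewall:<chain>:<disposition>:`. The parser accepts both the `kernel:` form and the LOGEMU form, which has no `kernel:` token.

```python
"""Parse netfilter LOG / ulogd LOGEMU records and summarise drops.

Added example; the SAMPLE lines below are constructed, not real traffic.
Assumed record shape (Shorewall's default prefix):
    <Mon DD hh:mm:ss> <host> [kernel: ]Shorewall:<chain>:<disposition>:[ ]IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=... [flags]
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Timestamp, host, optional "kernel:", optional Shorewall prefix, then the IN=... payload.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?:kernel: )?"
    r"(?:Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):)?\s*(?P<rest>IN=.*)$"
)
# KEY=VALUE tokens; VALUE may be empty (OUT=, MAC= on ppp links).
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict of the record's fields, or None if the line is not a record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare tokens such as DF, SYN, ACK are TCP/IP flags, not key=value pairs.
    flags = [tok for tok in rest.split() if "=" not in tok]
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "chain": m.group("chain"),          # None when no Shorewall prefix
        "disposition": m.group("disp"),     # DROP / REJECT / ACCEPT ...
        "flags": flags,
        **fields,                           # IN, OUT, MAC, SRC, DST, PROTO, SPT, DPT, ...
    }


def summarize(lines: Iterable[str], disposition: str = "DROP") -> Counter:
    """Count records with the given disposition, keyed by (SRC, PROTO, DPT)."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["disposition"] != disposition:
            continue
        dpt = int(rec["DPT"]) if "DPT" in rec else None   # ICMP records carry no port
        hits[(rec.get("SRC"), rec.get("PROTO"), dpt)] += 1
    return hits


# Constructed sample: two LOGEMU-style lines, one kernel-style line, one accept, one stray line.
SAMPLE = """\
Aug 29 10:21:43 fw Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=23456 DF PROTO=TCP SPT=3451 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 29 10:21:44 fw Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=23457 DF PROTO=TCP SPT=3452 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 29 10:22:01 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 29 10:22:30 fw Shorewall:loc2fw:ACCEPT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=50123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
this line is not a firewall record
"""


def top_drops(lines: Iterable[str], n: int = 10) -> List[tuple]:
    """The n most frequent (SRC, PROTO, DPT) drop targets, most frequent first."""
    return summarize(lines).most_common(n)


if __name__ == "__main__":
    for (src, proto, dpt), count in top_drops(SAMPLE.splitlines()):
        print(f"{count:5d}  {src:15s} {proto} dpt={dpt}")
```

Reading the file is left to the caller (`open('/var/log/shorewall')` in place of `SAMPLE.splitlines()`); keeping the parser free of I/O is what makes it testable on constructed lines.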
I'm trying to "secure" access to a few services that run on the firewall machine: specifically web (apache), IMAP (courier) and SMTP (postfix).

I'd like all these services available on their standard ports from inside the local network, but through different ports from the outside world. Taking the web server as an example, I thought these rules would work:

    ACCEPT   loc  fw  tcp  80
    REDIRECT net  80  tcp  50080

This doesn't seem to work; I can access the web server through both ports from the outside world (whereas I would like only port 50080 open).

I even tried binding apache to only listen on the internal IP address (192.160.0.1), and added an "original dest" field to the REDIRECT rule, without success. I'm on a DSL connection (PPPoE), so my external IP does change occasionally, if that makes a difference.

Any pointers?

- Colin
Mark D. Montgomery II
2004-Oct-15 16:04 UTC
Re: Listen on one port internally and another externally
On Fri, 15 Oct 2004 11:46:20 -0400 Colin Viebrock <colin@easydns.com> wrote:
> I'm trying to "secure" access to a few services that run on the firewall
> machine: specifically web (apache), IMAP (courier) and SMTP (postfix).
>
> I'd like all these services available on their standard ports from
> inside the local network, but through different ports from the outside
> world. Taking the web server as an example, I thought these rules
> would work:
>
>     ACCEPT   loc  fw  tcp  80
>     REDIRECT net  80  tcp  50080
>
> This doesn't seem to work; I can access the web server through both
> ports from the outside world (whereas I would like only port 50080
> open).
>
> I even tried binding apache to only listen on the internal IP address
> (192.160.0.1), and added an "original dest" field to the REDIRECT rule,
> without success. I'm on a DSL connection (PPPoE), so my external IP
> does change occasionally, if that makes a difference.
>
> Any pointers?

You need to use DNAT rules.
For example, here's the rule for my IRC server:

    DNAT net loc:192.168.100.10:6667 tcp 8076

It will take tcp connections from the net on port 8076 and connect them to port 6667 on my local machine with IP 192.168.100.10.

>
> - Colin

Mark II
-- END -----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colin Viebrock wrote:
> I'm trying to "secure" access to a few services that run on the firewall
> machine: specifically web (apache), IMAP (courier) and SMTP (postfix).
>
> I'd like all these services available on their standard ports from
> inside the local network, but through different ports from the outside
> world. Taking the web server as an example, I thought these rules would
> work:
>
>     ACCEPT   loc  fw  tcp  80
>     REDIRECT net  80  tcp  50080
>
> This doesn't seem to work; I can access the web server through both
> ports from the outside world (whereas I would like only port 50080 open).
>
> I even tried binding apache to only listen on the internal IP address
> (192.160.0.1), and added an "original dest" field to the REDIRECT rule,
> without success. I'm on a DSL connection (PPPoE), so my external IP
> does change occasionally, if that makes a difference.
>
> Any pointers?
>

There is no current way in Shorewall to avoid this problem (unless you add your own DROP rule in the 'nat' table in an extension script). Netfilter/iptables lacks the means to do this cleanly in Shorewall.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBcAIwO/MAbZfjDLIRApzxAKCDu2aA2q9zU9k/OlumZltXyIMFgACfaD70
7E3WS67QaQFJzFQ1vDyY3kQ=
=EZsm
-----END PGP SIGNATURE-----
Colin Viebrock
2004-Oct-15 17:13 UTC
Re: Listen on one port internally and another externally
> You need to use DNAT rules.
> For example, here's the rule for my IRC server:
>
>     DNAT net loc:192.168.100.10:6667 tcp 8076
>
> It will take tcp connections from the net on port 8076 and connect
> them to port 6667 on my local machine with IP 192.168.100.10.

But I'm not redirecting to another machine; I'm redirecting to the firewall machine itself (i.e. the web server also runs on the firewall).

I'm guessing that you can't use a DNAT rule with a destination of "fw" or "loc:<ip_of_fw>".

Tom's response seems to answer my question, although not the way I was hoping.

- Colin
Colin Viebrock
2004-Oct-15 18:12 UTC
Re: Listen on one port internally and another externally
On 15-Oct-04, at 1:00 PM, Tom Eastep wrote:
> There is no current way in Shorewall to avoid this problem (unless you
> add your own DROP rule in the 'nat' table in an extension script.
> Netfilter/iptables lacks the means to do this cleanly in Shorewall.
>

I found a way around this: run all my services on the non-standard ports, and use REDIRECT for the internal network. So instead of this:

    ACCEPT   loc  fw  tcp  80
    REDIRECT net  80  tcp  50080

I have this:

    ACCEPT   loc  fw     tcp  50080
    REDIRECT net  50080  tcp  80

And, of course, apache now listens on port 50080 instead of 80.

Not the most elegant solution, for sure, but at least the ports that are open to the outside world are the non-standard ones, which should add some obfuscation.

- Colin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colin Viebrock wrote:
> On 15-Oct-04, at 1:00 PM, Tom Eastep wrote:
>
>> There is no current way in Shorewall to avoid this problem (unless you
>> add your own DROP rule in the 'nat' table in an extension script.
>> Netfilter/iptables lacks the means to do this cleanly in Shorewall.
>>
>
> I found a way around this: run all my services on the non-standard
> ports, and use REDIRECT for the internal network. So instead of this:
>
>     ACCEPT   loc  fw  tcp  80
>     REDIRECT net  80  tcp  50080
>
> I have this:
>
>     ACCEPT   loc  fw     tcp  50080
>     REDIRECT net  50080  tcp  80
>

I rather think that you rather should have:

    ACCEPT   net  fw     tcp  50080
    REDIRECT loc  50080  tcp  80     -  <internal ip>

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBcBycO/MAbZfjDLIRAiNoAKCnX8cirbYm14Ea0LJi4+mYGavnXwCeN7eb
A6xzTTKnOKXq2b9tydhaCy4=
=M/8C
-----END PGP SIGNATURE-----
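To make the port behaviour in this thread concrete, here is an added Python model (example code, not Shorewall's own rule compiler) of how Netfilter evaluates the three ACCEPT/REDIRECT rule sets above: Colin's first attempt, his workaround, and Tom's correction. It assumes that a Shorewall REDIRECT rule becomes one nat/PREROUTING REDIRECT entry plus the filter-table ACCEPT that Shorewall adds for the redirected-to port, that the filter table matches the destination port after nat has rewritten it, that unmatched traffic hits a DROP policy, and that only zone and port are matched (the ORIGINAL DEST column in Tom's rule is not modelled, so that column is simply ignored). The rule strings and port numbers are the ones from the thread; everything else is the model's assumption.

```python
"""Model of Netfilter's handling of a Shorewall ACCEPT/REDIRECT pair on the
firewall host itself.  Added example, not Shorewall code.

Assumptions:
  * REDIRECT <zone> <local port> tcp <dport> becomes one nat/PREROUTING entry
    (zone, dport -> local port) plus the filter/INPUT ACCEPT that Shorewall
    adds for the redirected-to local port;
  * the filter table matches the destination port AFTER nat rewrote it;
  * only zone and port are matched (ORIGINAL DEST and further columns ignored);
  * unmatched traffic hits a DROP policy.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    zone: str   # zone the SYN arrives from: "net" or "loc"
    dport: int  # destination port as the client sent it


@dataclass
class Tables:
    # nat PREROUTING: (source zone, matched dport, port to redirect to)
    nat: List[Tuple[str, int, int]] = field(default_factory=list)
    # filter INPUT: (source zone, accepted dport), matched on the post-NAT port
    filter: List[Tuple[str, int]] = field(default_factory=list)


def compile_rules(rules: List[str]) -> Tables:
    """Translate the two /etc/shorewall/rules forms used in the thread:
       ACCEPT   <zone> fw <proto> <dport>
       REDIRECT <zone> <local port> <proto> <dport> [further columns ignored]
    """
    t = Tables()
    for line in rules:
        f = line.split()
        if f[0] == "ACCEPT" and f[2] == "fw":
            t.filter.append((f[1], int(f[4])))
        elif f[0] == "REDIRECT":
            zone, local_port, dport = f[1], int(f[2]), int(f[4])
            t.nat.append((zone, dport, local_port))
            t.filter.append((zone, local_port))  # the ACCEPT Shorewall adds (post-NAT port)
        else:
            raise ValueError("unsupported rule: " + line)
    return t


def verdict(pkt: Packet, t: Tables) -> Tuple[str, int]:
    """Return (disposition, port the daemon would actually see)."""
    dport = pkt.dport
    for zone, match, to_port in t.nat:          # nat PREROUTING, first match wins
        if zone == pkt.zone and dport == match:
            dport = to_port
            break
    for zone, accepted in t.filter:             # filter INPUT sees the rewritten port
        if zone == pkt.zone and dport == accepted:
            return ("ACCEPT", dport)
    return ("DROP", dport)


def reachable_from(zone: str, t: Tables, client_ports=(80, 50080)) -> List[int]:
    """Client-visible ports on which a connection from `zone` reaches the daemon."""
    return [p for p in client_ports if verdict(Packet(zone, p), t)[0] == "ACCEPT"]


# The three rule sets from the thread (ORIGINAL DEST column omitted; see module docstring).
COLIN_FIRST = ["ACCEPT loc fw tcp 80", "REDIRECT net 80 tcp 50080"]          # apache on 80
COLIN_WORKAROUND = ["ACCEPT loc fw tcp 50080", "REDIRECT net 50080 tcp 80"]  # apache on 50080
TOM_CORRECTION = ["ACCEPT net fw tcp 50080", "REDIRECT loc 50080 tcp 80"]    # apache on 50080

if __name__ == "__main__":
    for name, rules in [("Colin's first attempt", COLIN_FIRST),
                        ("Colin's workaround", COLIN_WORKAROUND),
                        ("Tom's correction", TOM_CORRECTION)]:
        t = compile_rules(rules)
        print(f"{name:22s} reachable from net: {reachable_from('net', t)}  "
              f"from loc: {reachable_from('loc', t)}")
```

Run stand-alone it prints, for each rule set, which client-visible ports reach the daemon from net and from loc. Under these assumptions the first two rule sets leave both 80 and 50080 reachable from net (the second because a connection to 80 is rewritten to 50080, which the added ACCEPT then admits), while Tom's set accepts only 50080 from net and rewrites loc's port 80 to it. The model is the reason the filter table alone cannot tell a redirected connection from a direct one: by the time INPUT runs, both carry the same destination port.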
Mark D. Montgomery II
2004-Oct-15 18:59 UTC
Re: Listen on one port internally and another externally
On Fri, 15 Oct 2004 13:13:13 -0400 Colin Viebrock <colin@viebrock.ca> wrote:
> > You need to use DNAT rules.
> > For example, here's the rule for my IRC server:
> >
> >     DNAT net loc:192.168.100.10:6667 tcp 8076
> >
> > It will take tcp connections from the net on port 8076 and connect
> > them to port 6667 on my local machine with IP 192.168.100.10.
>
> But I'm not redirecting to another machine; I'm redirecting to the
> firewall machine itself (i.e. the web server also runs on the
> firewall).
>
> I'm guessing that you can't use a DNAT rule with a destination of "fw"
> or "loc:<ip_of_fw>".
>
> Tom's response seems to answer my question, although not the way I was
> hoping.

ah. Oops. Didn't catch that. :)

>
> - Colin

Mark II
-- END -----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
WHO sees a BEACH BUNNY sobbing on a SHAG RUG?!
-----------------------------------