First off, I am not subscribed to the list, so please be sure that I am CC'd
in any reply (gearry_judkins@mtvalleyhs.sad43.k12.me.us).
I am running 1.4.7-beta1 from the debian unstable distribution.
Previously I had this working (not sure if it was exactly the same
version) but after I rebuilt my system I have not been able to get it
working (wish I had saved those config files).
I installed from the package and then copied in the sample files from the
one-interface quick start guide.
With shorewall off everything works fine. When I issue a shorewall start
I can no longer make connections in the net zone. I am on a single
interface (eth0) laptop that functions as a standalone system. The only
change I have made from the sample files is that I removed the norfc1918
option from my net interface, as this machine is sometimes (and currently)
on an rfc1918 subnet.
Anyhow, here is the information I was instructed to include:
shorewall version
1.4.7-Beta1
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:e2:57:7c:e1 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.4/24 brd 255.255.255.255 scope global eth0
ip route show
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.4
default via 10.0.1.1 dev eth0
I wanted to mention that when I start shorewall I see the line:
Determining Host Zones
Net Zone: eth0:0.0.0.0/0
That does not seem right to me.
When I issue a shorewall reset I get this:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Giving up on lock file /var/lib/shorewall/lock
Shorewall Not Started
It should be noted that this is immediately following a shorewall start
that seems to succeed. The only error I see during start is:
/usr/share/shorewall/firewall: line 3902: /etc/shorewall/common.def: No such file or directory
Unfortunately I am using a linux beta of a proprietary mail client, and
attachments do not currently work, so here is the output of a shorewall
status:
Shorewall-1.4.7-Beta1 Status at viator - Sat Sep 27 05:45:02 EDT 2003
Chain INPUT (policy DROP 9 packets, 1183 bytes)
pkts bytes target prot opt in out source destination
54 3404 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy DROP 6 packets, 360 bytes)
pkts bytes target prot opt in out source destination
77 5463 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain common (0 references)
pkts bytes target prot opt in out source destination
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain newnotsyn (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
NAT Table
Chain PREROUTING (policy ACCEPT 547 packets, 61920 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 56 packets, 3670 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 128 packets, 8614 bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 3076 packets, 2224K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3047 packets, 2220K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1992 packets, 139K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1920 packets, 134K bytes)
pkts bytes target prot opt in out source destination
tcp 6 431995 ESTABLISHED src=10.0.1.4 dst=169.244.181.37 sport=1071 dport=510 src=169.244.181.37 dst=10.0.1.4 sport=510 dport=1071 [ASSURED] use=1
That last connection to 169.244.181.37 is my connection to the mail server
that was up when I started shorewall. It appears to have remained active
after shorewall started, which I think is correct. That was kind of an
accident. I had forgotten that I was logged in when I started shorewall.
This is the output I get when I ping my gateway:
PING 10.0.1.1 (10.0.1.1): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 10.0.1.1 64 chars, ret=-1
I do not see any messages other than the startup banner when I issue a
shorewall show log.
I did not include my config files, as I mentioned above the only change I
made from the sample config.
Gearry R. Judkins
IT Department Maine School Administrative District #43
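The following is an added example, not part of this message or of Shorewall: a Python script that parses `iptables -L -v -n` style output such as the status dump above (the filter-table OUTPUT chain is embedded as a constructed sample, with the e-mail line wrapping undone) and reports which rule, or the chain policy, a given new packet would hit. It models only the match types present in the dump (protocol with `!` negation, output interface, conntrack `state`, and `dpt:`). Run on that OUTPUT chain, a new ICMP echo out eth0 matches none of the ACCEPT rules and falls to the DROP policy, which is what ping reports as "Operation not permitted".

```python
import re
# Constructed sample: OUTPUT chain from the status dump above, e-mail wrapping undone.
SAMPLE = """\
Chain OUTPUT (policy DROP 6 packets, 360 bytes)
 pkts bytes target prot opt in out source    destination
   77  5463 ACCEPT all   -- *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT all   -- *  lo 0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT udp   -- *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:53
    0     0 DROP   !icmp -- *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
"""

def parse_chains(text):
    """Map chain name -> {"policy": str or None, "rules": [...]} from iptables -L -v -n text."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":  # blank or column-header line
            continue
        cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                             "extra": " ".join(f[9:])})  # match text after destination
    return chains

def rule_matches(rule, proto, out_if, state, dport):
    """Approximate matching for prot (with '!'), out interface, 'state' and 'dpt:' only."""
    neg, prot = rule["prot"].startswith("!"), rule["prot"].lstrip("!")
    if (proto == prot) == neg and prot != "all":  # negated match hit, or plain mismatch
        return False
    if rule["out"] not in ("*", out_if):
        return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and state not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", rule["extra"])
    if m and int(m.group(1)) != dport:
        return False
    return True

def verdict(chains, chain, proto, out_if, state="NEW", dport=None):
    """Return (target, rule) of the first matching rule, or (policy, None) if none matches."""
    for rule in chains[chain]["rules"]:
        if rule_matches(rule, proto, out_if, state, dport):
            return rule["target"], rule
    return chains[chain]["policy"], None
```

`verdict(parse_chains(SAMPLE), "OUTPUT", "icmp", "eth0")` returns `("DROP", None)`, i.e. the packet reaches the chain policy, while the same call with `state="ESTABLISHED"` is accepted by the first rule, matching the surviving mail-server session in the conntrack line.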