Reuben D. Budiardja
2003-Oct-01 07:03 UTC
[Shorewall-users] Opening all access from local network for beowulf cluster
Hello,

I am using Shorewall for masquerading and NAT for a Linux Beowulf cluster. The master node, the only one who sees the world, has 2 interfaces: eth0 external, eth1 internal connecting to a switch. I followed the User Guide for 2 interfaces and all seems to work fine.

But then I realized I am getting a *lot* of this from the internal network:

Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:06:5b:0e:bd:73:00:06:5b:0e:d4:2b:08:00 SRC=10.0.0.247 DST=10.0.0.250 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=14651 PROTO=ICMP TYPE=0 CODE=0 ID=8966 SEQ=17461

Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.0.0.250 DST=10.0.0.247 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=39029 PROTO=ICMP TYPE=3 CODE=1 [SRC=10.0.0.247 DST=10.0.0.250 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=14651 PROTO=ICMP TYPE=0 CODE=0 ID=8966 SEQ=17461 ]

And in my logwatch mail to root, something like:

Rejected 1207291 packets on interface eth1
   From 10.0.0.241 - 86233 packets
      To 10.0.0.250 - 86233 packets
         Service: 0 (icmp/0) (Shorewall:all2all:REJECT:,eth1,none) - 86206 packets
         Service: syslog (udp/514) (Shorewall:all2all:REJECT:,eth1,none) - 27 packets
   From 10.0.0.242 - 86236 packets
      To 10.0.0.250 - 86236 packets
         Service: 0 (icmp/0) (Shorewall:all2all:REJECT:,eth1,none) - 86212 packets
         Service: syslog (udp/514) (Shorewall:all2all:REJECT:,eth1,none) - 24 packets
   From 10.0.0.243 - 86238 packets
      To 10.0.0.250 - 86238 packets
         Service: 0 (icmp/0) (Shorewall:all2all:REJECT:,eth1,none) - 86214 packets
         Service: syslog (udp/514) (Shorewall:all2all:REJECT:,eth1,none) - 24 packets

I'm using MPI for parallel programming, and not sure if that's the cause of all this.
But then I also noticed that my parallel program would fail with something like the following when Shorewall runs:

[reubendb@geat my_document]$ mpirun -np 4 send_val.exe
rm_13951:  p4_error: rm_start: net_conn_to_listener failed: 51371
p0_20375:  p4_error: Child process exited while making connection to remote process on geat2.phys.utk.edu: 0
/opt/mpich/bin/mpirun: line 1: 20375 Broken pipe  /summerhome/reubendb/my_document/send_val.exe -p4pg /summerhome/reubendb/my_document/PI20249 -p4wd /summerhome/reubendb/my_document

In any case, I am thinking of just opening everything for the internal network (eth1). Being a newbie in this, can I just add the following in my policy file:

loc fw accept

?

Currently, here is my policy file (it just looks like the sample for 2 interfaces):

loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
net all DROP info
all all REJECT info

If I do that (opening the eth1 interface), is there any security risk? Let's just say I fully trust the local network. So I'm more worried about exploits from outside. Right now the local network can see the external world using masquerading.

Thanks for any help
Reuben D. Budiardja

--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
-------------------------------------------------
/"\  ASCII Ribbon Campaign against HTML
\ /  email and proprietary format
 X   attachments.
/ \
-------------------------------------------------
Have you been used by Microsoft today?
Choose your life. Choose freedom.
Choose LINUX.
-------------------------------------------------
Tom Eastep
2003-Oct-01 07:26 UTC
[Shorewall-users] Opening all access from local network for beowulf cluster
On Wed, 2003-10-01 at 07:04, Reuben D. Budiardja wrote:

> In any case, I am thinking of just opening everything for the internal network
> (eth1). Being a newbie in this, can I just add the following in my policy
> file:
> loc fw accept
> ?
>
> Currently, here is my policy file (it just looks like the sample for 2
> interfaces):
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> If I do that (opening the eth1 interface), is there any security risk? Let's
> just say I fully trust the local network. So I'm more worried about exploits
> from outside. Right now the local network can see the external world using
> masquerading.

Then such a policy is fine -- just be sure you add it before the "all all" policy at the bottom.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Peter Eis
2003-Oct-01 07:34 UTC
[Shorewall-users] Opening all access from local network for beowulf cluster
Reuben D. Budiardja wrote:

> Hello,
> I am using Shorewall for masquerading and NAT for a Linux Beowulf cluster. The
> master node, the only one who sees the world, has 2 interfaces, eth0 external,
> eth1 internal connecting to a switch.
> I followed the User Guide for 2 interfaces and all seems to work fine.
>
> But then I realized I am getting a *lot* of this from the internal network:
>
> Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:06:5b:0e:bd:73:00:06:5b:0e:d4:2b:08:00 SRC=10.0.0.247 DST=10.0.0.250
> LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=14651 PROTO=ICMP TYPE=0 CODE=0 ID=8966
> SEQ=17461
>
> Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=10.0.0.250 DST=10.0.0.247 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=39029
> PROTO=ICMP TYPE=3 CODE=1 [SRC=10.0.0.247 DST=10.0.0.250 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=14651 PROTO=ICMP TYPE=0 CODE=0 ID=8966 SEQ=17461 ]
>
> In any case, I am thinking of just opening everything for the internal network
> (eth1). Being a newbie in this, can I just add the following in my policy
> file:
> loc fw accept
> ?
>
> Currently, here is my policy file (it just looks like the sample for 2
> interfaces):
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>

I guess you have to add the following rule in your policy file:

loc loc ACCEPT

(or change 'loc net ACCEPT' to 'loc all ACCEPT')

Peter

> If I do that (opening the eth1 interface), is there any security risk? Let's
> just say I fully trust the local network. So I'm more worried about exploits
> from outside. Right now the local network can see the external world using
> masquerading.
>
> Thanks for any help
> Reuben D. Budiardja
>
>

--
_______________________________
Dr. Hagen & Partner GmbH
Am Weichselgarten 7
91058 Erlangen
Tel: (0049)9131/691-330
Fax: (0049)9131/691-248
_______________________________
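The three things the thread turns on can be checked offline: which zone pair a logged packet belongs to (Reuben's all2all lines), why a "loc fw ACCEPT" line only works if it sits above "all all REJECT" (Tom's ordering advice), and what "loc all ACCEPT" changes (Peter's variant). The script below is an added example, not code from the thread or from Shorewall itself. It assumes the interface-to-zone mapping described in the first post (eth0 = net, eth1 = loc, and a blank IN= or OUT= meaning the packet came from or was headed to the firewall itself, zone "fw"), and it models only the first-match lookup of the policy file, not Shorewall's rules file or connection tracking. The log lines and policy variants are constructed inputs modelled on the ones quoted in the thread.

```python
# Added example (not code from the thread or from Shorewall). It maps a
# Shorewall log line to a (source zone, destination zone) pair and then looks
# that pair up in a /etc/shorewall/policy-style file in first-match order.
# Assumption taken from the post: eth0 is the "net" zone, eth1 the "loc" zone,
# and an empty IN= or OUT= means the firewall itself ("fw").
import re

IFACE_ZONE = {"eth0": "net", "eth1": "loc", "": "fw"}

# Constructed log lines, modelled on the ones quoted in the thread (fields trimmed).
LOG_LINES = [
    "Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "SRC=10.0.0.247 DST=10.0.0.250 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=8966 SEQ=17461",
    # ICMP host-unreachable leaving the firewall, carrying a copy of the rejected packet
    "Sep 28 04:16:13 geat kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=10.0.0.250 DST=10.0.0.247 LEN=112 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=10.0.0.247 DST=10.0.0.250 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=8966 SEQ=17461 ]",
    "Sep 28 04:16:20 geat kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "SRC=10.0.0.241 DST=10.0.0.250 LEN=200 PROTO=UDP SPT=514 DPT=514",
]

# Policy files under discussion: the poster's original and the three variants
# raised in the thread, written out here as constructed inputs.
ORIGINAL = """
loc   net   ACCEPT
fw    net   ACCEPT
net   all   DROP    info
all   all   REJECT  info
"""
APPENDED = ORIGINAL + "loc   fw    ACCEPT\n"   # placed after "all all": never reached
BEFORE_ALL_ALL = """
loc   net   ACCEPT
fw    net   ACCEPT
net   all   DROP    info
loc   fw    ACCEPT
all   all   REJECT  info
"""
LOC_ALL = ORIGINAL.replace("loc   net   ACCEPT", "loc   all   ACCEPT")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_log(line):
    """Return chain, disposition and the outer packet's KEY=VALUE fields of one
    Shorewall log line. The [...] part of an ICMP error is the embedded copy of
    the offending packet; it is dropped so its SRC/DST do not shadow the outer ones."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    outer = re.sub(r"\[.*?\]", "", m.group("rest"))
    fields = {"chain": m.group("chain"), "disp": m.group("disp")}
    for token in outer.split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)   # keep the IP-level LEN/ID, not the later protocol-level one
    return fields


def parse_policy(text):
    """Parse SOURCE DEST POLICY [LOGLEVEL] lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            f = line.split()
            entries.append((f[0], f[1], f[2].upper()))
    return entries


def resolve(entries, src, dst):
    """First matching entry wins; 'all' matches any zone. None: no entry covers the pair."""
    for s, d, action in entries:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None


def classify(lines, policy_text):
    """For each log line: the zone pair it represents, its protocol, and the policy it hits."""
    entries = parse_policy(policy_text)
    result = []
    for line in lines:
        p = parse_log(line)
        if p is None:
            continue
        src, dst = IFACE_ZONE[p["IN"]], IFACE_ZONE[p["OUT"]]
        result.append((src, dst, p["PROTO"], resolve(entries, src, dst)))
    return result


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("appended", APPENDED),
                       ("before all all", BEFORE_ALL_ALL), ("loc all", LOC_ALL)]:
        print(name)
        for src, dst, proto, action in classify(LOG_LINES, text):
            print(f"  {src:>3} -> {dst:<3} {proto:<4} {action}")
```

Running it shows the point of Tom's remark directly: with "loc fw ACCEPT" appended after "all all REJECT" every loc-to-fw line still resolves to REJECT, exactly as in the original file, while placing it before "all all" (or using "loc all ACCEPT") turns the echo-reply and syslog lines into ACCEPT. The second log line, the ICMP host-unreachable that the firewall sends back to the node with the rejected packet in brackets, maps to the fw-to-loc pair, and under every variant in the thread that pair still falls through to "all all REJECT"; a master node that must open connections to the compute nodes itself needs a fw-to-loc entry as well.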