IPSEC and Internet are now working together. I simply put
interfaces="ipsec0=ppp0"
in the config setup part of the ipsec.conf file (i.e. in place of
%defaultroute).
Thanks for the help.
On Sunday 05 October 2003 10:19, shorewall-users-request@lists.shorewall.net wrote:
> Send Shorewall-users mailing list submissions to
> shorewall-users@lists.shorewall.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> or, via email, send a message with subject or body 'help' to
> shorewall-users-request@lists.shorewall.net
>
> You can reach the person managing the list at
> shorewall-users-owner@lists.shorewall.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Shorewall-users digest..."
>
>
> Today's Topics:
>
> 1. Re: vpn (very) basic question (cmisip)
> 2. Re: An odd application (Richard Bown)
> 3. Firewall config (Arjun Kaul)
> 4. Firewall config (Arjun Kaul)
> 5. Problems with pptp clients (Stephen Pritchard)
> 6. Re: Problems with pptp clients (Tom Eastep)
> 7. SMTP+POP problem with MNF (Philippe PERLES - DIS-PRO Sarl)
> 8. Re: SMTP+POP problem with MNF (Jean-Pierre Denis)
> 9. Bad loopback traffic not logged (Guy Marcenac)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 04 Oct 2003 14:31:35 -0500
> From: cmisip <cmisip@insightbb.com>
> Subject: Re: [Shorewall-users] vpn (very) basic question
> To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Message-ID: <1065295895.3063.6.camel@mylaptop>
> Content-Type: text/plain; charset=iso-8859-1
>
> You can use vpn and masquerade at the same time. This is my current
> setup. Only I am connecting a remote host to a local subnet (not subnet
> to subnet which you want). I think by default freeswan will attach
> ipsec0 to the default route which is ppp0 in your case.
>
> http://cmisip.home.insightbb.com/freeswan.htm
>
> On Sat, 2003-10-04 at 09:25, Tom Eastep wrote:
> > On Sat, 2003-10-04 at 07:03, No?l Nachtegael wrote:
> > > hi,
> > > my local net is connected via eth0
> > > my internet adsl link is connected via eth1
> > >
> > > shorewall is working fine
> > >
> > > I would try VPN connections with outside local nets
> > >
> > > when I start freeswan 2.02 ipsec (service ipsec start) I can't access
> > > internet anymore from my local zone or from my firewall (shorewall
> > > 1.4.4b)
> > >
> > > ipsec0 and ppp0 are listed in ifconfig with the same dynamic external
> > > IP address.
> >
> > That's normal.
> >
> > > following your IPSEC.html document,
> > >
> > > in my policy file I have:
> > > loc net ACCEPT
> > > fw net ACCEPT
> > > net all DROP info
> > > vpn loc ACCEPT -
> > > loc vpn ACCEPT -
> > > all all REJECT info
> > >
> > > in the tunnels file:
> > > ipsec net 0.0.0.0/0
> > >
> > > in the zones file:
> > > net Net Internet
> > > loc Local Local networks
> > > vpn VPN Remote subnet
> > >
> > > and in the interfaces:
> > > net ppp0 - dhcp,noping
> > > loc eth0 - filterping
> > > vpn ipsec0 -
> > >
> > > I put also a rule in the rules file:
> > > ACCEPT all all udp - 500
> >
> > Unnecessary.
> >
> > > my VPN is not yet configured (generic ipsec.conf), I am in the very
> > > first step of my testing...
> >
> > Don't start IPSEC until you have configured it.
> >
> > > My question is: can I utilize VPNs at the same time as continuing
> > > local internet access? Do I miss something?
> >
> > Don't start IPSEC until you have configured it.
> >
> > -Tom
>
> ------------------------------
>
> Message: 2
> Date: 04 Oct 2003 21:35:51 +0100
> From: Richard Bown <richard.bown@blueyonder.co.uk>
> Subject: Re: [Shorewall-users] An odd application
> To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Message-ID: <1065299751.3809.65.camel@gb7tf.org.uk>
> Content-Type: text/plain
>
> Thanks for the clarification Tom,
> I was looking at the upgrade issues section of the manual.
>
> Richard
>
> On Sat, 2003-10-04 at 19:30, Tom Eastep wrote:
> > On Sat, 4 Oct 2003, Richard Bown wrote:
> > > On Sat, 2003-10-04 at 18:19, Tom Eastep wrote:
> > > > On
> > > >
> > > > > Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9
> > > > > DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00
> > > > >
> > > > > TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00
> > > > > ACK URGP=0
> > > >
> > > > Then set the 'routeback' option on eth0.
> > >
> > > Thanks Tom
> > >
> > > Just a minor problem, at the moment I run ver. 1.3.14 on Mandrake 9.1,
> > > and "routeback" was put in on a later version.
> > > There are rpms for 1.4.6c on sourceforge, I assume from the release
> > > notes these are for Redhat, which in most cases are compatible with
> > > Mandrake distros.
> >
> > Possibly you should read the documentation:
> >
> > http://shorewall.net/download.htm
> >
> > "If you run a RedHat, SuSE, Mandrake, Linux PPC, Trustix or
> > TurboLinux distribution with a 2.4 kernel, you can use the RPM
> > version"
> >
> > > Is the iproute package still needed to be "ip utility", as in MDK it's
> > > iproute2
> > >
> > >
> > From http://shorewall.net/Install.htm:
> >
> > "Note2: Beginning with Shorewall 1.4.0, Shorewall is dependent on
> > the iproute package. Unfortunately, some distributions call this
> > package iproute2 which will cause the installation of Shorewall
> > to fail with the diagnostic:
> >
> > error: failed dependencies:iproute is needed by shorewall-1.4.x-1
> >
> > This may be worked around by using the --nodeps option of rpm
> > (rpm -ivh --nodeps <shorewall rpm>)."
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
> > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support:
> > http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
>
> --
> Richard Bown <richard.bown@blueyonder.co.uk>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 4 Oct 2003 19:20:50 -0600
> From: "Arjun Kaul" <arjun_kaul007@hotmail.com>
> Subject: [Shorewall-users] Firewall config
> To: <shorewall-users@lists.shorewall.net>
> Message-ID: <LAW12-OE29LEdyt3cew000029f7@hotmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi! I have recently implemented a 3 interface shorewall firewall in my web
> application. It was a breeze to setup thanks to Tom and the extensive
> documentation. I am using ProxyARP since it was easy to setup and preferred
> by Tom. So far there have not been any performance problems. I have 2
> servers in the DMZ with public IPs and which are win2k servers, one of
> them running the application server which opens a lot of software ports to
> the world besides 80,443 and 25. The application server needs to be
> communicating with a SQL 2000 DB constantly via ODBC which is in the LOC
> zone.
>
> Thanks to the various options available, I have managed to keep the
> accesses really tight in terms of terminal services etc.
>
> But, I was wondering if there was an inherent flaw in my design by keeping
> the Application server in the DMZ, since if it gets compromised there is a
> direct connection from it to the LOC zone.
>
> Secondly, I am wondering if it would be better to use DNAT rather than
> direct connections between zones e.g.
>
> DNAT dmz loc:192.168.0.5:1433 tcp 6500
>
> or
>
> ACCEPT dmz loc tcp 1433
>
> The advantage with the former is that I can deny all incoming connections
> from DMZ to LOC zone and Only allow connections through the firewall. But
> would there be any performance considerations with the former.
>
> OR
>
> Is it in the best interest to put the application server from the DMZ to
> the LOC zone and use DNAT for all incoming requests on the firewall to go
> to the application server, but would performance be hindered by doing that.
> I have applied all the patches/fixes on the Windows boxes but am not sure
> about the application specific ports as the software is a third party's.
>
> The firewall runs Redhat 9.0 and a custom compiled monolithic kernel 2.4.22
> and shorewall 1.4.6c. Hardware is 512MB RAM on a P4 1.7Ghz
>
> Thanks in advance for any suggestions/comments
>
> Regards,
> Arjun
>
> ------------------------------
>
> Message: 4
> Date: Sat, 4 Oct 2003 19:22:40 -0600
> From: "Arjun Kaul" <arjun_kaul007@hotmail.com>
> Subject: [Shorewall-users] Firewall config
> To: <shorewall-users@lists.shorewall.net>
> Message-ID: <Law12-OE194EnAv1Og700002a01@hotmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi! I have recently implemented a 3 interface shorewall firewall in my web
> application. It was a breeze to setup thanks to Tom and the extensive
> documentation. I am using ProxyARP since it was easy to setup and preferred
> by Tom. So far there have not been any performance problems. I have 2
> servers in the DMZ with public IPs and which are win2k servers, one of
> them running the application server which opens a lot of software ports to
> the world besides 80,443 and 25. The application server needs to be
> communicating with a SQL 2000 DB constantly via ODBC which is in the LOC
> zone.
>
> Thanks to the various options available, I have managed to keep the
> accesses really tight in terms of terminal services etc.
>
> But, I was wondering if there was an inherent flaw in my design by keeping
> the Application server in the DMZ, since if it gets compromised there is a
> direct connection from it to the LOC zone.
>
> Secondly, I am wondering if it would be better to use DNAT rather than
> direct connections between zones e.g.
>
> DNAT dmz loc:192.168.0.5:1433 tcp 6500
>
> or
>
> ACCEPT dmz loc tcp 1433
>
> The advantage with the former is that I can deny all incoming connections
> from DMZ to LOC zone and Only allow connections through the firewall. But
> would there be any performance considerations with the former.
>
> OR
>
> Is it in the best interest to put the application server from the DMZ to
> the LOC zone and use DNAT for all incoming requests on the firewall to go
> to the application server, but would performance be hindered by doing that.
> I have applied all the patches/fixes on the Windows boxes but am not sure
> about the application specific ports as the software is a third party's.
>
> The firewall runs Redhat 9.0 and a custom compiled monolithic kernel 2.4.22
> and shorewall 1.4.6c. Hardware is 512MB RAM on a P4 1.7Ghz
>
> Thanks in advance for any suggestions/comments
>
> Regards,
> Arjun
>
> ------------------------------
>
> Message: 5
> Date: Sun, 5 Oct 2003 16:37:59 +1300
> From: "Stephen Pritchard" <stephenp@aspdirect.co.nz>
> Subject: [Shorewall-users] Problems with pptp clients
> To: shorewall-users@lists.shorewall.net
> Message-ID: <3f7f9217.19e1.0@aspdirect.co.nz>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I have a Bering leaf 1.2 firewall. I'm trying to allow PCs in the internal
> network to connect to an external pptp server.
>
> I have the following kernel modules loaded
>
> ip_nat_proto_gre 1012 0 (unused)
> ip_nat_h323 2656 0 (unused)
> ip_nat_irc 2176 0 (unused)
> ip_nat_ftp 2784 0 (unused)
> ip_conntrack_pptp 2124 1
> ip_conntrack_proto_gre 1728 0 [ip_conntrack_pptp]
> ip_conntrack_h323 2336 3
> ip_conntrack_irc 2880 0 (unused)
> ip_conntrack_ftp 3648 0 (unused)
>
> I have ip_nat_pptp set to load on boot as well but when it loads it comes
> up with Input/output error. I don't know if this is significant.
>
> and I have also added
>
> ip_conntrack_proto_gre
> ip_conntrack_pptp
> ip_nat_proto_gre
> ip_nat_pptp
>
> to the shorewall modules file but I have not added any rules to shorewall
> for the pptp connections.
>
> When they try to connect to the pptp server with a client it authenticates
> on the server but I then get the following errors in shorewall and the
> client fails to connect.
>
> Oct 3 18:42:03 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=65 TOS=00 PREC=0x00 TTL=55 ID=55841 DF PROTO=47
> Oct 3 18:42:04 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=74 TOS=00 PREC=0x00 TTL=55 ID=55842 DF PROTO=47
>
> Where 203.113.155.73 is the external IP address of the firewall and
> 203.88.65.186 is the pptp server.
>
> It looks to me like the firewall is not masquerading the proto 47 pptp
> connections correctly. Is there something I'm missing? Do I have to add any
> rules to shorewall for the clients or is there a module I'm not loading
> correctly?
>
> -Stephen
>
> ------------------------------
>
> Message: 6
> Date: Sat, 4 Oct 2003 19:29:26 -0700 (Pacific Daylight Time)
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Problems with pptp clients
> To: stephenp@aspdirect.co.nz, Shorewall Users Mailing List
> <shorewall-users@lists.shorewall.net>
> Message-ID: <Pine.WNT.4.55.0310041922160.2140@TIPPER.shorewall.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Sun, 5 Oct 2003, Stephen Pritchard wrote:
> > I have ip_nat_pptp set to load on boot as well but when it loads it comes
> > up with Input/output error. I don't know if this is significant.
> >
> > and I have also added
> >
> > ip_conntrack_proto_gre
> > ip_conntrack_pptp
> > ip_nat_proto_gre
> > ip_nat_pptp
> >
> > to the shorewall modules file but I have not added any rules to shorewall
> > for the pptp connections.
>
> The standard loc->net ACCEPT policy is all you should need.
>
> > When they try to connect to the pptp server with a client it
> > authenticates on the server but I then get the following errors in
> > shorewall and the client fails to connect.
>
> You had better post on the LEAF list. Those modules are from Patch-O-Matic
> and are not in the standard kernels. I don't use them and I can't help you
> with problems involving their use.
>
> That having been said, I use PPTP every day in my work and the only
> relevant configuration parameter is the loc->net ACCEPT policy mentioned
> above (and I don't build or load any of the modules listed above).
>
> -Tom
>
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
> ------------------------------
>
> Message: 7
> Date: Sun, 5 Oct 2003 07:42:48 +0300
> From: "Philippe PERLES - DIS-PRO Sarl" <philippe.perles@dis-pro.net>
> Subject: [Shorewall-users] SMTP+POP problem with MNF
> To: <shorewall-users@lists.shorewall.net>
> Message-ID: <018601c38afb$210eac60$3cfaa8c0@DISPRO.DJ>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I am using MNF 8.2. From my local network I can access the Internet with
> success. But I am unable to get smtp and pop working from my mail server
> (or Outlook client) in my local network. I don't understand why. Any ideas?
>
> In my configuration I have the following rules :
> ACCEPT lan wan tcp smtp
> ACCEPT lan wan tcp pop
>
>
> Best regards,
> Philippe Perles
>
>
> ------------------------------
>
> Message: 8
> Date: Sun, 5 Oct 2003 03:00:25 -0400 (EDT)
> From: "Jean-Pierre Denis" <jp@msfree.ca>
> Subject: Re: [Shorewall-users] SMTP+POP problem with MNF
> To: "Philippe PERLES - DIS-PRO Sarl" <philippe.perles@dis-pro.net>,
> "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> Cc: shorewall-users@lists.shorewall.net
> Message-ID:
> <59782.198.103.167.50.1065337225.webmail@webmaildev.msfree.ca>
> Content-Type: text/plain;charset=iso-8859-1
>
> Hi,
>
> Philippe PERLES - DIS-PRO Sarl wrote:
> > Hello,
> >
> > I am using MNF 8.2. From my local network I can access the Internet with
> > success. But I am unable to get smtp and pop working from my mail server
> > (or Outlook client) in my local network. I don't understand why. Any ideas?
> >
> > In my configuration I have the following rules :
> > ACCEPT lan wan tcp smtp
> > ACCEPT lan wan tcp pop
>
> Try:
> ACCEPT wan lan tcp smtp
> ACCEPT wan lan tcp pop
>
> --
> Thanks,
>
> Jean-Pierre Denis
> jp at msfree dot ca
>
>
> ------------------------------
>
> Message: 9
> Date: Sun, 5 Oct 2003 10:18:21 +0200
> From: "Guy Marcenac" <marcguy@ifrance.com>
> Subject: [Shorewall-users] Bad loopback traffic not logged
> To: "Shorewall Users Mailing List"
> <shorewall-users@lists.shorewall.net>
> Message-ID: <000d01c38b19$3df62290$0800a8c0@i7k>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I set up a snort sensor on my external interface.
> I got lots of loopback alerts like the following
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> [**] BAD TRAFFIC loopback traffic [**]
> 10/05-00:20:28.933495 127.0.0.1:80 -> xxx.xxx.xxx.xxx:1009
> TCP TTL:126 TOS:0x0 ID:18604 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x434D0001 Win: 0x0 TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The source port is always 80, the destination port changes with each
> packet.
>
> I think I've enabled the rfc1918 filtering and logging but I can't see any
> of these packets in my log
> my settings are:
>
> shorewall.conf
> RFC1918_LOG_LEVEL=ULOG
> ROUTE_FILTER=No
>
> file interfaces:
> net ppp0 - routefilter,norfc1918,tcpflags,blacklist
>
>
> Thank you very much for shorewall, which makes the use of netfilter much
> easier and more efficient.
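Three of the digest's threads turn on reading Shorewall's netfilter log lines: the same-interface FORWARD drop that called for `routeback` (message 2), the `PROTO=47` drops that showed the PPTP/GRE data channel being blocked (message 5), and the loopback-sourced packets on the external interface that should have appeared in the rfc1918 log (message 9). The parser and classifier below is an added example, not code from the list, from any of the posters or from the Shorewall project. The sample lines are constructed after the formats quoted above (addresses from the thread plus a documentation address); the `EXTERNAL_IFACES` set, the `BOGON_NETS` list and the tag names are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in the Shorewall/netfilter format quoted in the digest:
# the GRE drops of message 5, the hairpin FORWARD drop of message 2, and a loopback-sourced
# packet like the one snort reported in message 9, logged here on the ppp0 'net' interface.
SAMPLE_LOG = """\
Oct  3 18:42:03 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=65 TOS=00 PREC=0x00 TTL=55 ID=55841 DF PROTO=47
Oct  3 18:42:04 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=74 TOS=00 PREC=0x00 TTL=55 ID=55842 DF PROTO=47
Oct  4 12:00:01 firewall Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0
Oct  5 00:20:28 firewall Shorewall:rfc1918:DROP: IN=ppp0 OUT= SRC=127.0.0.1 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=18604 PROTO=TCP SPT=80 DPT=1009 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Assumption: ppp0 is the interface facing the Internet, as in message 9's interfaces file.
EXTERNAL_IFACES = {"ppp0"}

# Address ranges that should never arrive as a source on the external interface
# (loopback plus the RFC 1918 private ranges that Shorewall's norfc1918 option filters).
BOGON_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Shorewall:<chain>:<action>:" followed by netfilter's KEY=VALUE fields
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):\s*(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the Shorewall log fields in `line`, or None for non-Shorewall lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    fields = m.group("fields")
    rec.update(KV_RE.findall(fields))                            # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    rec["flags"] = {t for t in fields.split() if "=" not in t}  # bare tokens such as DF, ACK, RST
    return rec


def classify(rec):
    """Tag a parsed record with the conditions the digest's threads are about (tag names are ours)."""
    tags = []
    if rec["action"] == "DROP" and rec.get("PROTO") in ("47", "GRE"):
        tags.append("gre-dropped")       # PPTP data channel blocked: check the GRE NAT helper and policy
    if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
        tags.append("hairpin")           # forwarded back out the same interface: the 'routeback' case
    src = rec.get("SRC")
    if src and rec.get("IN") in EXTERNAL_IFACES:
        addr = ip_address(src)
        if any(addr in net for net in BOGON_NETS):
            tags.append("bogon-source")  # loopback/private source on the Internet side: spoofed or misrouted
    return tags


def summarize(log_text):
    """Parse every Shorewall line in `log_text`; return (records, counts of each tag)."""
    records, counts = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["tags"] = classify(rec)
        records.append(rec)
        for tag in rec["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return records, counts


if __name__ == "__main__":
    recs, totals = summarize(SAMPLE_LOG)
    for r in recs:
        print(r["chain"], r["action"], r.get("SRC"), "->", r.get("DST"), r.get("PROTO"), r["tags"])
    print(totals)
```

Run it as-is to see the four constructed lines tagged, or feed `summarize()` the output of a ULOG/syslog file on a real firewall. The `bogon-source` check is only applied to packets arriving on `EXTERNAL_IFACES`, because a 192.168.x.x source on the local interface (message 2's FORWARD drop) is perfectly normal and would otherwise drown the interesting hits.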