My logs are getting bloated with:

Oct 15 08:43:24 ParanSCSI kernel: Shorewall:FORWARD:REJECT:IN=eth3 OUT=eth3 SRC=10.172.16.1 DST=172.17.0.60 LEN=56 TOS=0x00 PREC=0x00 TTL=62 ID=10038 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.17.0.60 DST=172.16.246.28 LEN=92 TOS=0x00 PREC=0x00 TTL=124 ID=8946 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=31352 ]
Oct 15 08:43:24 ParanSCSI kernel: Shorewall:FORWARD:REJECT:IN=eth3 OUT=eth3 SRC=10.172.16.1 DST=172.17.0.60 LEN=56 TOS=0x00 PREC=0x00 TTL=62 ID=10039 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.17.0.60 DST=172.16.246.27 LEN=92 TOS=0x00 PREC=0x00 TTL=124 ID=8945 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=31096 ]

This must be traffic that originated from Blaster and "friends". Where can I put a rule to just drop these without logging?

On my system, eth3 is multi hosted. From my hosts file:

# Cable modem subnets
cbl eth3:$CBL_LAN
# dialup and other private addrs
priv eth3:$PRIV_LAN
attun eth3:$MEYAD_IP
yext eth3:$YAIR_EXT
mext eth3:$MDMS_EXT
yair eth3:$YAIR_LAN

where (from params) CBL_LAN=172.16.0.0/12

The above two rows from the log show "host unreachable" packets from a router (10.172.16.1) back to the originator of the echo request 172.17.0.60. Obviously, I don't want to block all "Host unreachable" replies. Would a rule like:

DROP cbl cbl icmp 3

do it??

Thanks
--Micha
____________________________________________________
Quiet people aren't the only ones who don't say much. - R. Baalke
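As an added example (not part of Micha's message and not Shorewall's own code), here is a small Python parser for kernel log lines of the kind quoted above. It separates the Shorewall prefix, the outer header of the rejected packet and the bracketed original packet that an ICMP error carries, then uses that embedded packet to confirm that each type-3 error is addressed back to the host that sent the original probe, and lists which addresses that host was probing. That is the check a practitioner wants before silencing these entries: the errors themselves are harmless replies, but the probing host behind them (172.17.0.60 here) is the thing worth looking at. The sample log is constructed from the two lines in the message; field names follow the kernel's netfilter log format.

```python
import re
from collections import Counter

# Constructed sample: the two kernel log lines quoted in the message above.
SAMPLE_LOG = """\
Oct 15 08:43:24 ParanSCSI kernel: Shorewall:FORWARD:REJECT:IN=eth3 OUT=eth3 SRC=10.172.16.1 DST=172.17.0.60 LEN=56 TOS=0x00 PREC=0x00 TTL=62 ID=10038 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.17.0.60 DST=172.16.246.28 LEN=92 TOS=0x00 PREC=0x00 TTL=124 ID=8946 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=31352 ]
Oct 15 08:43:24 ParanSCSI kernel: Shorewall:FORWARD:REJECT:IN=eth3 OUT=eth3 SRC=10.172.16.1 DST=172.17.0.60 LEN=56 TOS=0x00 PREC=0x00 TTL=62 ID=10039 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.17.0.60 DST=172.16.246.27 LEN=92 TOS=0x00 PREC=0x00 TTL=124 ID=8945 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=31096 ]
"""

# Shorewall log prefix: "Shorewall:<chain>:<action>:" followed by the netfilter K=V fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_fields(text):
    """Turn 'K=V K=V ...' into a dict.

    A repeated key keeps its first value: inside the embedded packet the
    kernel prints the IP ID first and the ICMP echo ID second, both as ID=.
    """
    out = {}
    for key, value in KV_RE.findall(text):
        out.setdefault(key, value)
    return out


def parse_line(line):
    """Parse one syslog line; return None if it is not a Shorewall log entry.

    ICMP errors carry the header of the packet that triggered them in
    square brackets; it is returned under the 'inner' key.
    """
    match = PREFIX_RE.search(line)
    if not match:
        return None
    rest = match.group("rest")
    inner = None
    if "[" in rest:
        rest, inner_text = rest.split("[", 1)
        inner = parse_fields(inner_text.rstrip(" ]"))
    record = parse_fields(rest)
    record["chain"] = match.group("chain")
    record["action"] = match.group("action")
    record["inner"] = inner
    return record


def is_unreachable_reply(record):
    """True when the rejected packet is an ICMP destination-unreachable (type 3)
    whose embedded original packet was sent by the very host the error is
    addressed to, i.e. a legitimate error reply on its way back to the prober."""
    if record is None or record.get("PROTO") != "ICMP" or record.get("TYPE") != "3":
        return False
    inner = record.get("inner")
    if not inner:
        return False
    return inner.get("SRC") == record.get("DST")


def summarize(log_text):
    """Count rejected packets by chain, action, in/out interface, ICMP type/code
    and whether they are unreachable replies to the recipient's own probes."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        kind = "unreachable-reply" if is_unreachable_reply(record) else "other"
        key = (record["chain"], record["action"], record.get("IN"), record.get("OUT"),
               f"{record.get('PROTO')}/{record.get('TYPE')}/{record.get('CODE')}", kind)
        counts[key] += 1
    return counts


def probe_targets(log_text):
    """Map each host whose probes drew an unreachable error to the sorted list of
    addresses it was probing, taken from the embedded original packets."""
    targets = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_unreachable_reply(record):
            targets.setdefault(record["inner"]["SRC"], set()).add(record["inner"]["DST"])
    return {src: sorted(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, key)
    for src, dsts in probe_targets(SAMPLE_LOG).items():
        print(f"{src} probed: {', '.join(dsts)}")
```

Run over a real log file, `probe_targets` is the more useful output: a single internal host whose probes sweep consecutive addresses in a subnet it has no business in (here 172.16.246.27 and .28) is the pattern the message attributes to Blaster, and the host sending those echo requests is what needs attention, independently of whether the returning errors are logged.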
On Wed, 2003-10-15 at 00:21, Micha Silver wrote:
> Would a rule like:
>
> DROP cbl cbl icmp 3
>
> do it??
>

Only if you set the 'routeback' option on the 'cbl' entry in /etc/shorewall/hosts (or /etc/shorewall/interfaces if you have an entry for that zone there).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hello all:

I'm trying to work out the Shorewall details for running OpenVPN in "Ethernet Bridging" mode. (I've successfully connected a roadwarrior with openvpn and routing, following the shorewall guides, but this does not allow the remote user to browse the Windows LAN.)

First, regarding my interfaces file. In my setup, eth1 is the interface for two LANs. I currently have:

net eth0 212.29.226.63 norfc1918,blacklist,tcpflags,routefilter
dmz eth2 192.168.10.255
- eth1 192.168.1.255,192.168.2.255
- eth3 192.168.5.255 tcpflags,routefilter
vpn tun+

In my current hosts file, for eth1, I have:

loc1 eth1:$MOETSA_LAN #192.168.1.0/24
loc2 eth1:$SHITTIM_LAN #192.168.2.0/24

And in tunnels:

openvpn:5000 net 0.0.0.0/0
openvpn:5001 net 0.0.0.0/0
openvpn:5002 net 0.0.0.0/0
openvpn:5003 net 0.0.0.0/0
...

First question: Would the following be correct for ethernet bridging:

# interfaces
loc1 br0 192.168.1.255
loc2 eth1 192.168.2.255

And second: Would I be correct in thinking that I don't need a vpn zone at all?? (since the remote vpn connections are coming in with IP addresses from the LAN subnet, so they're part of the loc1 zone)

If anyone has other insight on allowing remote users to browse a windows (i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.

TIA,
--Micha
On Sat, 2003-10-18 at 08:10, Micha Silver wrote:
>
> If anyone has other insight on allowing remote users to browse a windows
> (i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.
>

Most people simply run a WINS server.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> On Sat, 2003-10-18 at 08:10, Micha Silver wrote:
>
>> If anyone has other insight on allowing remote users to browse a windows
>> (i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.
>>
>
> Most people simply run a WINS server.
>

Hi Tom:

We're drifting away from Shorewall here, and if this gets too far off, I'll go to the OpenVPN list.

I have a WINS server running in the Windows LAN, and I added its address manually to the "tap" device on the remote road warrior which connected using openvpn in a P to P (routed) mode, but that didn't help. I could ping the WINS server - and others - and use non browse-dependent apps (i.e. VNC). But no Network Neighborhood, and no "shares". Is there something else I missed?
Do I need any special rules to allow the smb ports out thru the tunnels?

Thanks,
Micha

> -Tom
>
On Sat, 2003-10-18 at 09:08, Micha Silver wrote:
> Tom Eastep wrote:
>
>> On Sat, 2003-10-18 at 08:10, Micha Silver wrote:
>>
>>> If anyone has other insight on allowing remote users to browse a windows
>>> (i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.
>>>
>>
>> Most people simply run a WINS server.
>>
>
> Hi Tom:
>
> We're drifting away from Shorewall here, and if this gets too far off,
> I'll go to the OpenVPN list.
>
> I have a WINS server running in the Windows LAN, and I added its
> address manually to the "tap" device on the remote road warrior which
> connected using openvpn in a P to P (routed) mode, but that didn't help.
> I could ping the WINS server - and others - and use non browse-dependent
> apps (i.e. VNC). But no Network Neighborhood, and no "shares". Is there
> something else I missed?
> Do I need any special rules to allow the smb ports out thru the tunnels?

---------------------------------------------------------------------------
Shorewall 101:

a) Policies define the default behavior of traffic between zones.
b) Rules are exceptions to policies.

The above applies to ALL PROTOCOLS and ALL PORTS (for those protocols that support the notion of ports). So if your policies through the tunnels are ACCEPT then you don't need rules. If your policies through the tunnels are other than ACCEPT then you need rules. The output of "shorewall [re]start" and "shorewall check" will show you the policy between each pair of zones.
---------------------------------------------------------------------------

By default, SMB traffic that is being dropped or rejected by policy is not logged by Shorewall (as a result of entries in /etc/shorewall/common.def). This is because people normally run Windoze systems and if Shorewall were to log this traffic, we would have 500 newbies a day frantically posting on the list about the "attack" that they were seeing.

The page http://shorewall.net/samba.htm shows the rules that are required -- you just need to adjust the zones in the rules to fit your situation.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sat Oct 10/18/03, 2003 at 05:10:23PM +0200, Micha Silver wrote:
> If anyone has other insight on allowing remote users to browse a windows
> (i.e. "network neighborhood") LAN thru vpn, I'd appreciate hearing.
>

What are the Windoze versions of both the DCs and the workstations? - it's important. NT4 DCs with any clients have a very different set of rules for what's needed for browsing to work properly than Win2K/2K3 DCs with Win2K/XP clients.... NT4 DCs of course depend on WINS and NetBIOS over TCP/IP. Win2K/2K3 DCs with 2K+ clients depend entirely on DNS - if the client is using outside DNS servers, he's blind as a bat to the internal domain structure.

--
Greg White