thr3ads.net - Shorewall users - [Shorewall-users] redundant rules ? [Oct 2003]

If this information is useful, please help other people find it:
Share via:

Holger Brückner

2003-Oct-15 07:18 UTC

[Shorewall-users] redundant rules ?

Hello,

i''m new to shorewall, but i really like it a lot. it''s quite
similar to
the firewall concept i did on my own. i also created zones in my own
script, although not as simple to configure as shorewall. great work.

what i am trying to accomplish:


dsl dialup (pppoe)	       dsl leased line
 dynamic ip                     fixed ip range
     |                                 |
     |             transport net       |
shorewall router 2  ---------  shorewall router 1 --- dmz
     |
     |
  local net(s)
 (3 subnets)

router 2 is currently running my own setup and does all of the work
involved in router2 and 1 in one configuration. because of this setup we
are using source ip routing on that box to determine on which dsl line
will get used for external traffic.

now i want to split this one box into two boxes to get better
possiblility of management and most important, to have a vpn endpoint
(on router 1).

im currently setting up router one and noticed some redundant rules in
some chains created by shorewall (complete status attached). for example
chain dmz_frwd looks like this:

Chain dmz_frwd (2 references)
 target     prot opt in     out     source             destination
 dmz2net    all  --  *      eth1    0.0.0.0/0          0.0.0.0/0
 dmz2net    all  --  *      eth1    0.0.0.0/0          0.0.0.0/0
 dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.0.0/24
 dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.1.0/24
 dmz2loc    all  --  *      eth3    0.0.0.0/0          192.168.3.0/24
 dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.0.0/24
 dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.1.0/24
 dmz2loc    all  --  *      eth3    0.0.0.0/0          192.168.3.0/24
 ACCEPT     all  --  *      eth0    0.0.0.0/0          217.89.141.24/29
 ACCEPT     all  --  *      eth0    0.0.0.0/0          217.5.177.76/30

as you can see, line 1,2 ; 3,6 ; 4,7 ; 5,8 are exactly the same. is this
a bug or a feature ?!? it won''t do any harm although these lines are
not
really neccesary.

thanks for your help

Holger Brueckner
net-labs Systemhaus GmbH


-------------- next part --------------
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:e9:3e:c4:0c brd ff:ff:ff:ff:ff:ff
    inet 217.5.177.77/30 brd 217.5.177.79 scope global eth0
    inet 217.89.141.30/29 brd 217.89.141.31 scope global eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:22:fd:ec:74 brd ff:ff:ff:ff:ff:ff
    inet 217.5.177.74/30 brd 217.5.177.75 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:5f:a6:13:99 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.124/24 brd 10.0.1.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:45:a8:5a brd ff:ff:ff:ff:ff:ff
    inet 10.0.5.1/30 brd 10.0.5.3 scope global eth3
-------------- next part --------------
10.0.5.0/30 dev eth3  proto kernel  scope link  src 10.0.5.1 
217.5.177.72/30 dev eth1  proto kernel  scope link  src 217.5.177.74 
217.5.177.76/30 dev eth0  proto kernel  scope link  src 217.5.177.77 
217.89.141.24/29 dev eth0  proto kernel  scope link  src 217.89.141.30 
10.0.1.0/24 dev eth2  proto kernel  scope link  src 10.0.1.124 
default via 10.0.1.254 dev eth2 
-------------- next part --------------
[H[JShorewall-1.4.7-Beta1 Status at router1 - Wed Oct 15 13:42:08 CEST 2003

Counters reset Wed Oct 15 13:41:46 CEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   576 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth3_in    all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth3_fwd   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   576 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2loc     all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 fw2loc     all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 fw2loc     all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 fw2dmz     all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30
    0     0 fw2dmz     all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29
  114  7962 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  114  7962 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
  114  7962 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (12 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            217.5.177.79
    0     0 DROP       all  --  *      *       0.0.0.0/0           
217.89.141.31
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.5.3
    0     0 DROP       all  --  *      *       0.0.0.0/0            217.5.177.75

Chain dmz2loc (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 22,119 state NEW
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       217.5.177.78         0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       217.5.177.78         0.0.0.0/0   
multiport dports 25,7,2703 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz_frwd (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 dmz2loc    all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz_frwd   all  --  *      *       217.5.177.76/30      0.0.0.0/0
    0     0 dmz_frwd   all  --  *      *       217.89.141.24/29     0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      *       217.5.177.76/30      0.0.0.0/0
    0     0 all2all    all  --  *      *       217.89.141.24/29     0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 net2all    all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 net2all    all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 net2dmz    all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30
    0     0 net2dmz    all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth3_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc_frwd   all  --  *      *       10.0.0.0/24          0.0.0.0/0
    0     0 loc_frwd   all  --  *      *       10.0.1.0/24          0.0.0.0/0
    0     0 loc_frwd   all  --  *      *       192.168.3.0/24       0.0.0.0/0

Chain eth3_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2fw     all  --  *      *       10.0.0.0/24          0.0.0.0/0
    0     0 loc2fw     all  --  *      *       10.0.1.0/24          0.0.0.0/0
    0     0 loc2fw     all  --  *      *       192.168.3.0/24       0.0.0.0/0

Chain fw2dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.2    
state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2dmz (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
217.89.141.26      state NEW tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            217.5.177.78
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 80,443 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.5.177.78
multiport dports 143,993 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
217.89.141.28      multiport dports 389,636 state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc_frwd (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0           
192.168.3.0/24
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0            10.0.0.0/24
    0     0 ACCEPT     all  --  *      eth3    0.0.0.0/0            10.0.1.0/24
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.5.177.76/30
    0     0 loc2dmz    all  --  *      eth0    0.0.0.0/0           
217.89.141.24/29

Chain net2all (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.5.177.78
state NEW tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            217.5.177.78
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
217.89.141.28      multiport dports 2401,80,443 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.5.177.78
multiport dports 143,993 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
217.89.141.28      multiport dports 80,443 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
217.89.141.29      multiport dports 80,443 state NEW
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
  114  7962 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58069 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58069 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58069 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58069 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=58069 DF PROTO=UDP SPT=1035 DPT=53 LEN=47
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=58070 DF PROTO=UDP SPT=1035 DPT=53 LEN=47
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=47
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=47
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58071 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58072 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=58072 DF PROTO=UDP SPT=1035 DPT=53 LEN=51
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58072 DF PROTO=UDP SPT=1035 DPT=53 LEN=52
Oct 14 16:00:21 OUTPUT:REJECT:IN= OUT=eth2 SRC=10.0.1.124 DST=217.5.177.78
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58072 DF PROTO=UDP SPT=1035 DPT=53 LEN=52

NAT Table

Chain PREROUTING (policy ACCEPT 824 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 67 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 409 packets, 95639 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 2184 packets, 322K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   576 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 2184 packets, 322K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2018 packets, 390K bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  8538 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1496 packets, 287K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

udp      17 162 src=10.0.1.124 dst=217.5.177.78 sport=1035 dport=53
src=217.5.177.78 dst=10.0.1.124 sport=53 dport=1035 [ASSURED] use=1

Tom Eastep

2003-Oct-15 07:53 UTC

head link

[Shorewall-users] redundant rules ?

On Wed, 2003-10-15 at 07:18, Holger Br?ckner wrote:
> 
> im currently setting up router one and noticed some redundant rules in
> some chains created by shorewall (complete status attached). for example
> chain dmz_frwd looks like this:
> 
> Chain dmz_frwd (2 references)
>  target     prot opt in     out     source             destination
>  dmz2net    all  --  *      eth1    0.0.0.0/0          0.0.0.0/0
>  dmz2net    all  --  *      eth1    0.0.0.0/0          0.0.0.0/0
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.0.0/24
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.1.0/24
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          192.168.3.0/24
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.0.0/24
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          10.0.1.0/24
>  dmz2loc    all  --  *      eth3    0.0.0.0/0          192.168.3.0/24
>  ACCEPT     all  --  *      eth0    0.0.0.0/0          217.89.141.24/29
>  ACCEPT     all  --  *      eth0    0.0.0.0/0          217.5.177.76/30
> 
> as you can see, line 1,2 ; 3,6 ; 4,7 ; 5,8 are exactly the same. is this
> a bug or a feature ?!? it won''t do any harm although these lines
are not
> really neccesary.
If you will show us your ''interfaces'' and
''hosts'' files, we will be able
to see why these duplications are occurring. Also, you might consider
looking at the output produced by "shorewall [re]start" or
"shorewall
check"; it will show you how you have defined each of the zones.
>From the above, it looks like your ''loc'' zone has
duplicate entries init.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Holger Brückner

2003-Oct-15 08:18 UTC

head link

[Shorewall-users] redundant rules ?

On Wed, 2003-10-15 at 16:53, Tom Eastep wrote:> If you will show us your ''interfaces'' and
''hosts'' files, we will be able
> to see why these duplications are occurring. Also, you might consider
> looking at the output produced by "shorewall [re]start" or
"shorewall
> check"; it will show you how you have defined each of the zones.
> 
> >From the above, it looks like your ''loc'' zone has
duplicate entries in
> it.
interfaces:

#ZONE    INTERFACE      BROADCAST       OPTIONS
-       eth0    217.5.177.79,217.89.141.31      #dmz see hosts
-       eth3    10.0.5.3                        #loc see hosts
#-      eth2    10.0.1.254                      #loc see hosts
net     eth1    217.5.177.75
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

(eth2 is just for testing)

hosts:
#ZONE           HOST(S)                         OPTIONS
loc             eth3:10.0.0.0/24
loc             eth3:10.0.1.0/24
loc             eth3:192.168.3.0/24
dmz             eth0:217.5.177.76/30
dmz             eth0:217.89.141.24/29
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

from init-log:

Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth1:0.0.0.0/0
   Local Zone: eth3:10.0.0.0/24 eth3:10.0.1.0/24 eth3:192.168.3.0/24
   DMZ Zone: eth0:217.5.177.76/30 eth0:217.89.141.24/29
Processing /etc/shorewall/init ...

which looks correct to me

Holger Brueckner
net-labs Systemhaus GmbH

Tom Eastep

2003-Oct-15 08:23 UTC

head link

[Shorewall-users] redundant rules ?

On Wed, 2003-10-15 at 08:18, Holger Br?ckner wrote:
> from init-log:
> 
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
> Determining Zones...
>    Zones: net loc dmz
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>    Net Zone: eth1:0.0.0.0/0
>    Local Zone: eth3:10.0.0.0/24 eth3:10.0.1.0/24 eth3:192.168.3.0/24
>    DMZ Zone: eth0:217.5.177.76/30 eth0:217.89.141.24/29
> Processing /etc/shorewall/init ...
> 
> which looks correct to me
> 
Me too. I would like to see a debugging trace of "shorewall [re]start"
(see http://shorewall.net/troubleshooting.htm under "If the firewall
fails to start" for instructions).

Please send the trace to me privately so we don''t spam the list with a
large trace file.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Oct 2003 - redundant rules ?

[Shorewall-users] redundant rules ?

[Shorewall-users] redundant rules ?

[Shorewall-users] redundant rules ?

[Shorewall-users] redundant rules ?