I've been running shorewall 1.4.7 with the following setup and configs with no problem. After I updated to 1.4.7a my dial-in no longer can access my local network, but can still access the net. The following was in my log:
Oct 23 16:39:07 xxxx kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.1.40 DST=192.168.1.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9348 DF PROTO=TCP SPT=4605 DPT=110 WINDOW=8760 RES=0x00 SYN URGP=0
Below you will find chains from working version 1.4.7 and non-working version 1.4.7a. It appears chain loc_frwd is incomplete, or did the configuration requirements change with 1.4.7a? I downgraded to 1.4.7 and everything is once again working. Your help is appreciated.
Network setup -->

net --- Firewall --- loc (192.168.1.0/24)
        w/ pppd
          |
          |
       Dial-In
    (192.168.1.40)
interfaces -->

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,blacklist,newnotsyn
-       ppp+        -           newnotsyn
loc     eth1        detect      dhcp,newnotsyn
hosts -->

#ZONE   HOST(S)               OPTIONS
loc     ppp+:192.168.1.0/24
policy -->

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       loc    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
Shorewall version 1.4.7

Chain FORWARD (policy DROP 9 packets, 452 bytes)
 pkts bytes target     prot  opt in     out    source            destination
   48  3196 accounting all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 DROP       !icmp --  *      *      0.0.0.0/0         0.0.0.0/0        state INVALID
   18  1713 eth0_fwd   all   --  eth0   *      0.0.0.0/0         0.0.0.0/0
    0     0 ppp_fwd    all   --  ppp+   *      0.0.0.0/0         0.0.0.0/0
   23  1119 eth1_fwd   all   --  eth1   *      0.0.0.0/0         0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0         0.0.0.0/0        LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0         0.0.0.0/0

Chain ppp_fwd (1 references)
 pkts bytes target     prot  opt in     out    source            destination
    0     0 dynamic    all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 loc_frwd   all   --  *      *      192.168.1.0/24    0.0.0.0/0

Chain loc_frwd (2 references)
 pkts bytes target     prot  opt in     out    source            destination
   58  3247 loc2net    all   --  *      eth0   0.0.0.0/0         0.0.0.0/0
    0     0 loc2net    all   --  *      eth0   0.0.0.0/0         0.0.0.0/0
    0     0 loc2loc    all   --  *      eth1   0.0.0.0/0         0.0.0.0/0
    0     0 loc2loc    all   --  *      ppp+   0.0.0.0/0         192.168.1.0/24
===========================================================================================
Shorewall version 1.4.7a

Chain FORWARD (policy DROP 6 packets, 312 bytes)
 pkts bytes target     prot  opt in     out    source            destination
   15   775 accounting all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 DROP       !icmp --  *      *      0.0.0.0/0         0.0.0.0/0        state INVALID
    4   211 eth0_fwd   all   --  eth0   *      0.0.0.0/0         0.0.0.0/0
    0     0 ppp_fwd    all   --  ppp+   *      0.0.0.0/0         0.0.0.0/0
    5   252 eth1_fwd   all   --  eth1   *      0.0.0.0/0         0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0         0.0.0.0/0        LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0         0.0.0.0/0

Chain ppp_fwd (1 references)
 pkts bytes target     prot  opt in     out    source            destination
    0     0 dynamic    all   --  *      *      0.0.0.0/0         0.0.0.0/0
    0     0 loc_frwd   all   --  *      *      192.168.1.0/24    0.0.0.0/0

Chain loc_frwd (2 references)
 pkts bytes target     prot  opt in     out    source            destination
   99  5147 loc2net    all   --  *      eth0   0.0.0.0/0         0.0.0.0/0
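Added example, not code from the post or from Shorewall: a Python check that parses an `iptables -L -v -n` listing and reports which loc interfaces have no loc2loc rule in loc_frwd (the regression described above), then maps the logged REJECT's OUT= interface onto that check. The two listings embedded below are constructed from the post's 1.4.7 and 1.4.7a output; the function names and the interface list are my own assumptions.

```python
"""Audit an `iptables -L -v -n` listing for the intra-zone forwarding rules
that Shorewall's loc_frwd chain should carry: one loc2loc rule per loc
interface (eth1 and ppp+ in the poster's setup)."""
import re

# Constructed from the post: loc_frwd as listed under 1.4.7 (working).
WORKING = """\
Chain loc_frwd (2 references)
 pkts bytes target prot opt in out source destination
   58  3247 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
    0     0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
    0     0 loc2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
    0     0 loc2loc all -- * ppp+ 0.0.0.0/0 192.168.1.0/24
"""
# Constructed from the post: loc_frwd as listed under 1.4.7a (broken).
BROKEN = """\
Chain loc_frwd (2 references)
 pkts bytes target prot opt in out source destination
   99  5147 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
"""
LOGLINE = ("Shorewall:FORWARD:REJECT:IN=ppp0 OUT=eth1 "
           "SRC=192.168.1.40 DST=192.168.1.15 PROTO=TCP DPT=110")

CHAIN_RE = re.compile(r"^Chain (\S+)")
LOG_RE = re.compile(r"IN=(\S+) OUT=(\S+) SRC=(\S+) DST=(\S+)")

def parse_chains(listing):
    """Return {chain_name: [rule dict]} from `iptables -L -v -n` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:                      # "Chain NAME (...)" header starts a chain
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue               # blank line or column header
        _pkts, _bytes, target, _prot, _opt, inif, outif, src, dst = cols[:9]
        chains[current].append({"target": target, "in": inif,
                                "out": outif, "src": src, "dst": dst})
    return chains

def missing_intrazone(chains, chain="loc_frwd", target="loc2loc",
                      ifaces=("eth1", "ppp+")):
    """loc interfaces that have no `target` rule selecting them as out-interface."""
    present = {r["out"] for r in chains.get(chain, []) if r["target"] == target}
    return [i for i in ifaces if i not in present]

def logged_reject_explained(logline, chains):
    """True if the OUT= interface of a logged FORWARD REJECT lacks its loc2loc rule."""
    _inif, outif, _src, _dst = LOG_RE.search(logline).groups()
    return outif in missing_intrazone(chains, ifaces=(outif,))
```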