Ferguson, Alex
2003-Oct-27 08:22 UTC
[Shorewall-users] Configuration for simple ssh forwarding
Hello,

I am having difficulties configuring a firewall on a vnc server. Shorewall (1.3.14) has been configured as described in the single interface example, with an additional rule to permit ssh connections. I can ssh into the box normally, but the vnc server doesn't seem to respond when I try to forward vnc through ssh (ssh -L 5900:localhost:5900 xxx.xxx.xxx.xxx). I believe the problem lies in my shorewall configuration and not in sshd, since everything works as expected when I change Shorewall's default net->fw policy to accept.

Any insight would be greatly appreciated!

- Alex
Tom Eastep
2003-Oct-27 08:31 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Mon, 27 Oct 2003, Ferguson, Alex wrote:

> Hello,
>
> I am having difficulties configuring a firewall on a vnc server. Shorewall
> (1.3.14) has been configured as described in the single interface example,
> with an additional rule to permit ssh connections. I can ssh into the box
> normally, but the vnc server doesn't seem to respond when I try to forward
> vnc through ssh (ssh -L 5900:localhost:5900 xxx.xxx.xxx.xxx). I believe the
> problem lies in my shorewall configuration and not in sshd, since everything
> works as expected when I change Shorewall's default net->fw policy to
> accept.

"shorewall clear" is a much better way to temporarily disable Shorewall.

> Any insight would be greatly appreciated!

The port number is 5900 + "THE DISPLAY NUMBER". So for display number one, the port number is 5901.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Oct-27 08:44 UTC
[Shorewall-users] Configuration for simple ssh forwarding
> > The port number is 5900 + "THE DISPLAY NUMBER". So for display number
> > one, the port number is 5901.

And you too Alex would have been well-served to look at your log before posting; the answer would have been right there in front of you.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
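Tom's two points above (the VNC port is 5900 plus the display number, and the firewall log already tells you which connection was dropped) can be checked mechanically. The script below is an added example for this archive, not code from the thread or from the Shorewall project; it parses log lines in Shorewall's default "Shorewall:<chain>:<disposition>:" prefix format, counts dropped or rejected connections by chain, protocol and destination port, and maps any port in the 5900-5999 range back to its VNC display number. The hostname, addresses and log lines are constructed for the example, as are the function names.

```python
import re
from collections import Counter

# Constructed sample log: three Shorewall/netfilter kernel lines plus one
# unrelated sshd line, so the parser has something to skip. Hostname and
# addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Oct 27 08:15:02 vncbox kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40122 DPT=5901 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 27 08:15:05 vncbox kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40123 DPT=5901 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 27 08:16:10 vncbox kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=UDP SPT=1029 DPT=137 LEN=20
Oct 27 08:16:11 vncbox sshd[1234]: Accepted publickey for alex from 192.0.2.10 port 40100 ssh2
"""

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:" and the
# netfilter key=value fields follow it on the same line.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields[token] = True  # bare flags such as DF or SYN
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def vnc_port(display):
    """VNC listens on 5900 + display number: display :1 is port 5901."""
    return 5900 + display


def vnc_display(port):
    """Inverse of vnc_port; None if the port is outside the usual VNC range."""
    if port is not None and 5900 <= port <= 5999:
        return port - 5900
    return None


def summarize_drops(log_text):
    """Count DROP/REJECT entries keyed by (chain, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec and rec["disposition"] in ("DROP", "REJECT"):
            counts[(rec["chain"], rec["proto"], rec["dport"])] += 1
    return counts


def explain(log_text):
    """One line per dropped (chain, proto, port), busiest first, VNC ports annotated."""
    report = []
    items = sorted(summarize_drops(log_text).items(), key=lambda kv: -kv[1])
    for (chain, proto, dport), n in items:
        display = vnc_display(dport)
        note = f" (VNC display :{display})" if display is not None else ""
        report.append(f"{chain} {proto} dport {dport}{note}: {n} dropped")
    return report


if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
```

Run against a real /var/log/messages (or wherever your syslog sends kernel messages) the same functions work unchanged, because only the "Shorewall:" prefix and the netfilter fields are relied on; lines that do not carry the prefix are ignored rather than mis-parsed.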
Holger Brückner
2003-Oct-27 09:37 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Mon, 2003-10-27 at 17:44, Tom Eastep wrote:

> And you too Alex would have been well-served to look at your log before
> posting; the answer would have been right there in front of you.

Looking through logfiles and recognizing what goes wrong seems to be a difficult task. That's what separates wannabe admins from admins :) I realized this teaching a class of 20 people in linux security basics (including iptables/ipchains). Most of them were not able to recognize their mistakes, even when I showed them the log file entry which was generated by their faulty rule.

cya
Holger
Tom Eastep
2003-Oct-27 10:26 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Mon, 2003-10-27 at 09:36, Holger Brückner wrote:

> On Mon, 2003-10-27 at 17:44, Tom Eastep wrote:
> > And you too Alex would have been well-served to look at your log before
> > posting; the answer would have been right there in front of you.
>
> Looking through logfiles and recognizing what goes wrong seems to be a
> difficult task. That's what separates wannabe admins from admins :)

When I started writing Shorewall, it was my intention that it be a product for System Administrators only. I sometimes wish I would have stuck to that plan...

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Ed Greshko
2003-Oct-27 14:08 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 02:26, Tom Eastep wrote:

> When I started writing Shorewall, it was my intention that it be a
> product for System Administrators only. I sometimes wish I would have
> stuck to that plan...

And you really think that putting a label on the package that states, "For use by trained System Administrators Only" would stop mere mortals from attempting to use it? Not to mention those few run of the mill System Admins that couldn't recognize a log file if it rolled over them.

--
"An opinion is like an asshole - everybody has one." - Clint Eastwood as Harry Callahan, The Dead Pool - 1988.
Tom Eastep
2003-Oct-27 14:14 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Mon, 2003-10-27 at 14:07, Ed Greshko wrote:

> On Tue, 2003-10-28 at 02:26, Tom Eastep wrote:
>
> > When I started writing Shorewall, it was my intention that it be a
> > product for System Administrators only. I sometimes wish I would have
> > stuck to that plan...
>
> And you really think that putting a label on the package that states,
> "For use by trained System Administrators Only" would stop mere mortals
> from attempting to use it? Not to mention those few run of the mill
> System Admins that couldn't recognize a log file if it rolled over them.

If you:

a) Provide only minimal documentation; and
b) Tell everyone who asks a stupid question to get lost

then you generally weed out those who aren't serious.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Rodolfo J. Paiz
2003-Oct-27 14:51 UTC
[Shorewall-users] Configuration for simple ssh forwarding
At 16:14 10/27/2003, you wrote:

> If you:
>
> a) Provide only minimal documentation; and
> b) Tell everyone who asks a stupid question to get lost
>
> then you generally weed out those who aren't serious.

True, but you also (c) provide a much lower-quality product simply to create a fool filter. Bad approach, doing one bad thing to avoid another.

I respect people much more when they take your approach: do it right and do it thoroughly. You deserve a lot of credit for the work you've done. However, if the support job gets somewhat too heavy (part of the price of success), you should try to make the FAQ bigger and better, perhaps more detailed, and then simply answer fewer questions on the list. Let the shorewall community grow and distribute some of that load among its members.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
Tom Eastep
2003-Oct-27 15:09 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Mon, 2003-10-27 at 14:51, Rodolfo J. Paiz wrote:

> However, if the support job gets somewhat too heavy (part of the price of
> success), you should try to make the FAQ bigger and better, perhaps more
> detailed, and then simply answer fewer questions on the list. Let the
> shorewall community grow and distribute some of that load among its members.

I am absolutely convinced that more documentation is not the answer.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Scott Jibben
2003-Oct-27 15:42 UTC
[Shorewall-users] Configuration for simple ssh forwarding
> At 16:14 10/27/2003, you wrote:
> > If you:
> >
> > a) Provide only minimal documentation; and
> > b) Tell everyone who asks a stupid question to get lost
> >
> > then you generally weed out those who aren't serious.
>
> True, but you also (c) provide a much lower-quality product simply to
> create a fool filter. Bad approach, doing one bad thing to avoid another.
>
> I respect people much more when they take your approach: do it right and
> do it thoroughly. You deserve a lot of credit for the work you've done.
> However, if the support job gets somewhat too heavy (part of the price of
> success), you should try to make the FAQ bigger and better, perhaps more
> detailed, and then simply answer fewer questions on the list. Let the
> shorewall community grow and distribute some of that load among its
> members.

I agree with Rodolfo. Shorewall brings iptables within easier reach of the less qualified admins (that would be me...). IMHO, the Shorewall interface is what iptables should have been.

In any case, I would recommend identifying some qualified Shorewall users who can answer the easier problems that show up on the list. I would think that you could find some people out here that will help with the support load. Granted there will be problems that Tom will have to answer. My problem involved recompiling the net interface for the reject feature. I know that I couldn't figure that one out on my own. But having gotten past that, I now have a two-interface network firewall and three single-interface servers. Hopefully the difficult problems will not occur as often.

With Linux you almost have to expect some of your support will really fall into what could be considered education. It is an OS with so many features it would be hard to be a qualified admin in everything. I honestly don't know how Tom does the coding and support for Shorewall (seemingly 24x7) and has a job, too.

sj
Scott Jibben
2003-Oct-27 15:59 UTC
[Shorewall-users] Configuration for simple ssh forwarding
> On Mon, 2003-10-27 at 14:51, Rodolfo J. Paiz wrote:
>
> > However, if the support job gets somewhat too heavy (part of the price of
> > success), you should try to make the FAQ bigger and better, perhaps more
> > detailed, and then simply answer fewer questions on the list. Let the
> > shorewall community grow and distribute some of that load among its
> > members.
>
> I am absolutely convinced that more documentation is not the answer.

Yes, there is already a *lot* of good documentation out there on the site and in the etc/shorewall files.

Back when I was more in the business of writing & selling software, I would keep a log of the 'stupid' questions. For example, if I had three times as many questions about a feature I would then look at the feature to see if I could either (not in any particular order):

1. Document that feature better (this rarely helped).
2. Redesign the feature.
3. Review to see if there is a bug in the feature.

My goal was to eliminate questions... :) I usually ended up with either option #2 or #3, though. It's easier to send an email instead of read the docs.

sj
Holger Brückner
2003-Oct-28 03:40 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 00:09, Tom Eastep wrote:

> On Mon, 2003-10-27 at 14:51, Rodolfo J. Paiz wrote:
>
> > However, if the support job gets somewhat too heavy (part of the price of
> > success), you should try to make the FAQ bigger and better, perhaps more
> > detailed, and then simply answer fewer questions on the list. Let the
> > shorewall community grow and distribute some of that load among its members.
>
> I am absolutely convinced that more documentation is not the answer.

Yip, the documentation is excellent, although sometimes I am having a hard time finding the relevant parts. I help myself by grepping through the doc directory, but I don't expect everyone to do it like this. I don't know exactly why, but it's probably something about the structure of the web page. Maybe some expert in this field could help reorganising it, so that it's easier to find information. I think that's a common problem for open source projects. Most of the time the information is there but it's hard to find. (zope is a very good example of a nice system with a horrible documentation structure.)

I just realized that there is a search feature for documentation, although it is really hidden under "Getting help or answers to questions". Maybe it would be enough to have a simple search (documentation) box in the navigation of the shorewall site?

cya
Holger
Tom Eastep
2003-Oct-28 06:40 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 03:40, Holger Brückner wrote:

> I just realized that there is a search feature for documentation,
> although it is really hidden under "Getting help or answers to questions".
> Maybe it would be enough to have a simple search (documentation) box in
> the navigation of the shorewall site?

a) Go to http://shorewall.net.
b) Stare at the upper right-hand corner of the screen.

I'm sure something will occur to you.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Benny Pedersen
2003-Oct-28 07:20 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tuesday 28 October 2003 15:40, Tom Eastep wrote:

> a) Go to http://shorewall.net.
> b) Stare at the upper right-hand corner of the screen.
>
> I'm sure something will occur to you.

I did, I see a google clone :-)

Well, I would like to know if I am the only one who would like to find a webmin module for the latest shorewall?
Tom Eastep
2003-Oct-28 07:26 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 07:14, Benny Pedersen wrote:

> On Tuesday 28 October 2003 15:40, Tom Eastep wrote:
>
> > a) Go to http://shorewall.net.
> > b) Stare at the upper right-hand corner of the screen.
> >
> > I'm sure something will occur to you.
>
> I did, I see a google clone :-)
>
> Well, I would like to know if I am the only one who would like to find a
> webmin module for the latest shorewall?

You would look on the Webmin site for that. I have absolutely nothing to do with the development or support of the Webmin Shorewall module. The development of the Webmin Shorewall module does not track the development of Shorewall so it is very unlikely that you will ever find a Webmin module that supports the current Shorewall version completely.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Alexander Gretencord
2003-Oct-28 07:31 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tuesday 28 October 2003 15:40, Tom Eastep wrote:

> a) Go to http://shorewall.net.
> b) Stare at the upper right-hand corner of the screen.
>
> I'm sure something will occur to you.

Well all I see is _nothing_. I had to stare at the lower part of my browser's window to see that I had a scrollbar there. When I scrolled right, I saw the search function. Maybe you should redesign the page so that the whole of it fits into a normal browser window (I even have to scroll one full page to the right when the browser is maximized at 1280x1024).

Alex
Tom Eastep
2003-Oct-28 07:33 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 07:07, Alexander Gretencord wrote:

> On Tuesday 28 October 2003 15:40, Tom Eastep wrote:
> > a) Go to http://shorewall.net.
> > b) Stare at the upper right-hand corner of the screen.
> >
> > I'm sure something will occur to you.
>
> Well all I see is _nothing_. I had to stare at the lower part of my browser's
> window to see that I had a scrollbar there. When I scrolled right, I saw the
> search function. Maybe you should redesign the page so that the whole of it
> fits into a normal browser window (I even have to scroll one full page to the
> right when the browser is maximized at 1280x1024).

Which browser are you using?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Oct-28 07:53 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 07:07, Alexander Gretencord wrote:

> On Tuesday 28 October 2003 15:40, Tom Eastep wrote:
> > a) Go to http://shorewall.net.
> > b) Stare at the upper right-hand corner of the screen.
> >
> > I'm sure something will occur to you.
>
> Well all I see is _nothing_. I had to stare at the lower part of my browser's
> window to see that I had a scrollbar there. When I scrolled right, I saw the
> search function. Maybe you should redesign the page so that the whole of it
> fits into a normal browser window (I even have to scroll one full page to the
> right when the browser is maximized at 1280x1024).

"Redesign" complete (removed 1.4.7 release notes containing wide preformatted text from the home page).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Oct-28 08:47 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 2003-10-28 at 06:40, Tom Eastep wrote:

> On Tue, 2003-10-28 at 03:40, Holger Brückner wrote:
>
> > I just realized that there is a search feature for documentation,
> > although it is really hidden under "Getting help or answers to questions".
> > Maybe it would be enough to have a simple search (documentation) box in
> > the navigation of the shorewall site?
>
> a) Go to http://shorewall.net.
> b) Stare at the upper right-hand corner of the screen.
>
> I'm sure something will occur to you.

My apologies, Holger -- I didn't realize that the "Search" was scrolling off of the window on smaller displays. It has been corrected now.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Scott Jibben
2003-Oct-28 12:04 UTC
[Shorewall-users] Configuration for simple ssh forwarding
> On Tue, 2003-10-28 at 07:07, Alexander Gretencord wrote:
> > On Tuesday 28 October 2003 15:40, Tom Eastep wrote:
> > > a) Go to http://shorewall.net.
> > > b) Stare at the upper right-hand corner of the screen.
> > >
> > > I'm sure something will occur to you.
> >
> > Well all I see is _nothing_. I had to stare at the lower part of my
> > browser's window to see that I had a scrollbar there. When I scrolled
> > right, I saw the search function. Maybe you should redesign the page so
> > that the whole of it fits into a normal browser window (I even have to
> > scroll one full page to the right when the browser is maximized at
> > 1280x1024).
>
> "Redesign" complete (removed 1.4.7 release notes containing wide
> preformatted text from the home page).

Hi Tom,

You may consider using a three frame layout like this:

    +------------------------------+
    | Shorewall banner      search |
    +-----+------------------------+
    | M   | content                |
    | e   |                        |
    | n   |                        |
    | u   |                        |
    +------------------------------+

The search is part of the top frame. Then it will be available from any page that is selected from the menu on the menu frame instead of just the 'home' page.

Here's a code snippet if you want it:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
        "http://www.w3.org/TR/html4/frameset.dtd">
    <html>
    <head>
    <title>Shoreline Firewall</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>

    <frameset rows="90,*" cols="*" frameborder="yes" border="1" framespacing="0">
      <frame src="put_top_menu_source_file_here.htm" name="topFrame" scrolling="NO" noresize >
      <frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
        <frame src="Shorewall_index_frame.htm" name="contents" scrolling="no" noresize>
        <frame src="seattlefirewall_index.htm" name="main">
      </frameset>
    </frameset>
    <noframes><body>
    <p>This page uses frames, but your browser doesn't support them.</p>
    </body></noframes>
    </html>

You may have to change the search so that it targets the 'main' frame. Then you could move the images from Shorewall_index_frame.htm and seattlefirewall_index.htm to be in the source for topFrame along with the search code.
Tom Eastep
2003-Oct-28 17:17 UTC
[Shorewall-users] Configuration for simple ssh forwarding
On Tue, 28 Oct 2003, Scott Jibben wrote:

> You may consider using a three frame layout like this:
>
>     +------------------------------+
>     | Shorewall banner      search |
>     +-----+------------------------+
>     | M   | content                |
>     | e   |                        |
>     | n   |                        |
>     | u   |                        |
>     +------------------------------+
>
> The search is part of the top frame. Then it will be available from any
> page that is selected from the menu on the menu frame instead of just the
> 'home' page. Here's a code snippet if you want it:

Thanks, Scott -- checkout http://shorewall.net

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Daniel
2003-Oct-28 18:00 UTC
[Shorewall-users] Web page - formally Configuration for simple ssh forwarding
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Thanks, Scott -- checkout http://shorewall.net

Good improvement. Small bug - your main shorewall image is referring to a local file.

Thanks Tom,

- --
Proudly a Gentoo User.
GnuPG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x32A64DC8

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/nx/6TDSbtjKmTcgRAn2iAJ0TZdDp+IfRPMGRdVvT8Yj2DibJPACguKNe
VOQqf5tFNhkTLBvC57IULrk=
=1kA1
-----END PGP SIGNATURE-----
John S. Andersen
2003-Oct-28 18:38 UTC
[Shorewall-users] Web page - formally Configuration for simple ssh forwarding
On 29 Oct 2003 at 11:33, Daniel wrote:

> > Thanks, Scott -- checkout http://shorewall.net
>
> Good improvement. Small bug - your main shorewall image is referring
> to a local file.
>
> Thanks Tom,

Wish I had a nickel for every time Front Page did that to me...

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
Scott Jibben
2003-Oct-28 21:15 UTC
[Shorewall-users] Configuration for simple ssh forwarding
> On Tue, 28 Oct 2003, Scott Jibben wrote:
>
> > You may consider using a three frame layout like this:
> >
> >     +------------------------------+
> >     | Shorewall banner      search |
> >     +-----+------------------------+
> >     | M   | content                |
> >     | e   |                        |
> >     | n   |                        |
> >     | u   |                        |
> >     +------------------------------+
> >
> > The search is part of the top frame. Then it will be available from any
> > page that is selected from the menu on the menu frame instead of just
> > the 'home' page. Here's a code snippet if you want it:
>
> Thanks, Scott -- checkout http://shorewall.net

That looks nice. Making the background blue for the top frame really makes it stand out, too.

sj
Holger Brückner
2003-Oct-29 01:24 UTC
[Shorewall-users] Configuration for simple ssh forwarding
Great, now we will see if that little conversation will result in less email traffic on this list ;)

cya
Holger

On Wed, 2003-10-29 at 02:17, Tom Eastep wrote:

> On Tue, 28 Oct 2003, Scott Jibben wrote:
>
> > You may consider using a three frame layout like this:
> >
> >     +------------------------------+
> >     | Shorewall banner      search |
> >     +-----+------------------------+
> >     | M   | content                |
> >     | e   |                        |
> >     | n   |                        |
> >     | u   |                        |
> >     +------------------------------+
> >
> > The search is part of the top frame. Then it will be available from any
> > page that is selected from the menu on the menu frame instead of just the
> > 'home' page. Here's a code snippet if you want it:
>
> Thanks, Scott -- checkout http://shorewall.net
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm