Shorewall users - Nov 2003 - Shorewall and 2.6.0-test9 kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Has anyone got Shorewall to work with the 2.6.0-test9 kernel?  If so, I would 
be curious to see your kernel configs so I can get my firewall working again.

- -- 
Kevin Miller, Jr.
Masters of Public Affairs,
Comparative and International Affairs, Information Systems, and Nonprofit 
Management,
School of Public and Environmental Affairs
Indiana University - Bloomington
http://www.amerasianworld.com
kevmille@e-civilsociety.org
mobile: 812-219-5047

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/p2hRP2TQUAjSykARAub2AJwMcZhZa9zLZspeYpzuQ3c4C29gwACgi/vQ
Sae7kto7thzKmU1WtWNhafQ=w80i
-----END PGP SIGNATURE-----

I have Shorewall 1.4.7 configured with ProxyARP. All of my IP addresses are
part of a public Class C network. Servers on the Internet see all
communication as originating from the IP address of my external interface on
the firewall. As a result of this behavior I have added an additional PTR
record to my DNS so that reverse lookups against my firewall''s IP
address
will return the hostname of my mailserver. Now I am having a problem with a
mailserver that doesn''t want receive email from my system because the
hostname of my mailserver doesn''t resolve to the same IP address as it
appears to be sent from. Is there a configuration parameter that will change
this behavior?

If more detailed configuration information is required to answer this
question let me know.


Steve Ledwith
San Jose Web

steve@sanjoseweb.com
www.sanjoseweb.com
408-226-5155

I think you want to use SNAT:
http://www.shorewall.net/shorewall_setup_guide.htm#SNAT

-Alex Martin
http://www.rettc.com


----- Original Message ----- 
From: "Steve Ledwith" <sanjoseweb@hotmail.com>
To: "Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 04, 2003 3:14 PM
Subject: [Shorewall-users] ProxyARP question

> I have Shorewall 1.4.7 configured with ProxyARP. All of my IP addresses
are
> part of a public Class C network. Servers on the Internet see all
> communication as originating from the IP address of my external interface
on
> the firewall. As a result of this behavior I have added an additional PTR
> record to my DNS so that reverse lookups against my firewall''s IP
address
> will return the hostname of my mailserver. Now I am having a problem with
a
> mailserver that doesn''t want receive email from my system because
the
> hostname of my mailserver doesn''t resolve to the same IP address
as it
> appears to be sent from. Is there a configuration parameter that will
change
> this behavior?
>
> If more detailed configuration information is required to answer this
> question let me know.
>
>
> Steve Ledwith
> San Jose Web
>
> steve@sanjoseweb.com
> www.sanjoseweb.com
> 408-226-5155
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

> I have Shorewall 1.4.7 configured with ProxyARP. All of my IP addresses
> are part of a public Class C network. Servers on the Internet see all
> communication as originating from the IP address of my external
> interface on the firewall.
If that is the case, you are misusing Proxy ARP. Proxy ARP is a trick to
get around the lack of proper routing and doesn''t rewrite IP headers in
any way.

It sounds like you are also doing SNAT on traffic outbound from your servers.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

If I''m doing SNAT on outbound traffic it''s not intentional. My
orginal
configuration was based on the 3-interface quick start.
I have included some of my configuration files as attachments.


Steve Ledwith
San Jose Web

steve@sanjoseweb.com
www.sanjoseweb.com
408-226-5155

----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 04, 2003 2:37 PM
Subject: Re: [Shorewall-users] ProxyARP question

>
> > I have Shorewall 1.4.7 configured with ProxyARP. All of my IP
addresses
> > are part of a public Class C network. Servers on the Internet see all
> > communication as originating from the IP address of my external
> > interface on the firewall.
>
> If that is the case, you are misusing Proxy ARP. Proxy ARP is a trick to
> get around the lack of proper routing and doesn''t rewrite IP
headers in
> any way.
>
> It sounds like you are also doing SNAT on traffic outbound from your
servers.
>
> -Tom
> -- 
> Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
> Shoreline       \ http://www.shorewall.net
> Washington, USA  \ teastep@shorewall.net
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall.conf
Type: application/octet-stream
Size: 16464 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/shorewall-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: common.def
Type: application/octet-stream
Size: 1913 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/common-0002.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hosts
Type: application/octet-stream
Size: 2458 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/hosts-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: interfaces
Type: application/octet-stream
Size: 4548 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/interfaces-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: params
Type: application/octet-stream
Size: 921 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/params-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy
Type: application/octet-stream
Size: 3145 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/policy-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proxyarp
Type: application/octet-stream
Size: 11167 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/proxyarp-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules
Type: application/octet-stream
Size: 11259 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/rules-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: common
Type: application/octet-stream
Size: 112 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/common-0003.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zones
Type: application/octet-stream
Size: 406 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031104/0a20beee/zones-0001.obj

On Tue, 4 Nov 2003, Steve Ledwith wrote:
> If I''m doing SNAT on outbound traffic it''s not
intentional. My orginal
> configuration was based on the 3-interface quick start.
> I have included some of my configuration files as attachments.
>
So it seems that:

a) You have multiple public IP addresses (needed for any sane Proxy ARP
   configuration).

b) The link to the three-interface quickstart guide is marked in large red
   bold font as being for users with only *one* public IP address.

c) You used that guide any way.

d) Now it is behaving uncorrectly.

*The three-interface sample configuration does SNAT on all outbound
forwarded traffic*.

See your /etc/shorewall/masq file (which you didn''t include in your
post).

And in your free time, you might take a look at
http://www.shorewall.net/shorewall_setup_guide.htm (the Guide for Users
that have more than one public IP address).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Ok. Whoa. Might need some help here.

After looking at your config files, I must ask some questions:

1) Apparently, you have a whole bunch of networks behind the firewall. Were
you planning on having the firewall (shorewall) route between these
networks, or do you have another router(s) in place already?

2) Is your /etc/shorewall/masq file empty?

3) Have you tried defining your dmz hosts in the "hosts" file all on
one
line? (try this first...)

4) When shorewall is started, what does the routing table look like?
(''ip
route show'')

5) Are you manually configuring this firewall, or possibly are you using
webmin for configuration?

Also, after looking at your complex config, I would suggest reposting ALL
(routes, addressing, etc) of the info as requested on
http://www.shorewall.net/support.htm, so that the gurus may ponder your
situation. I bet I can help figure it out though, just need to understand
what you are trying to do.

Assumuing the previously attached config files is a complete list of your
/etc/shorewall directory, (ie no /etc/shorewall/masq, no /etc/shorewall/nat,
etc) than I would guess that the large list of hosts is getting screwed up
some where (any luck with Q #3?).

I dont see that you are purposely running SNAT anywhere. Since you state
that your firewall is showing all outbound traffic as coming from one ip,
this indicates either funny routing or confused shorewall configuration
(Q#2?)

Knowing the answer to Q#1 would be helpful, for example, does everything
work without the firewall in place?

Last, are you aware of the stale arp cache issues with switching to proxy
arp (http://www.shorewall.net/Documentation.htm#ProxyArp).

And did you read this http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/how.html?

With a better understanding of your setup, I hope to be able to debug this
one.

Doing my best...

-Alex
http://www.rettc.com


----- Original Message ----- 
From: "Steve Ledwith" <sanjoseweb@hotmail.com>
To: "Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 04, 2003 5:45 PM
Subject: Re: [Shorewall-users] ProxyARP question

> If I''m doing SNAT on outbound traffic it''s not
intentional. My orginal
> configuration was based on the 3-interface quick start.
> I have included some of my configuration files as attachments.
>
>
> Steve Ledwith
> San Jose Web
>
> steve@sanjoseweb.com
> www.sanjoseweb.com
> 408-226-5155
>
> ----- Original Message ----- 
> From: "Tom Eastep" <teastep@shorewall.net>
> To: <shorewall-users@lists.shorewall.net>
> Sent: Tuesday, November 04, 2003 2:37 PM
> Subject: Re: [Shorewall-users] ProxyARP question
>
>
> >
> > > I have Shorewall 1.4.7 configured with ProxyARP. All of my IP
addresses
> > > are part of a public Class C network. Servers on the Internet see
all
> > > communication as originating from the IP address of my external
> > > interface on the firewall.
> >
> > If that is the case, you are misusing Proxy ARP. Proxy ARP is a trick
to
> > get around the lack of proper routing and doesn''t rewrite IP
headers in
> > any way.
> >
> > It sounds like you are also doing SNAT on traffic outbound from your
> servers.
> >
> > -Tom
> > -- 
> > Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline       \ http://www.shorewall.net
> > Washington, USA  \ teastep@shorewall.net
> >
> >
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
> >
>

----------------------------------------------------------------------------
----

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

After poking around your network, I would venture to guess that you have not
subnetted your class c network as your /etc/shorewall/hosts indicates. If I
am correct, what (who) made this hosts configuration?

-Alex
http://www.rettc.com


----- Original Message ----- 
From: "Steve Ledwith" <sanjoseweb@hotmail.com>
To: "Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 04, 2003 5:45 PM
Subject: Re: [Shorewall-users] ProxyARP question

> If I''m doing SNAT on outbound traffic it''s not
intentional. My orginal
> configuration was based on the 3-interface quick start.
> I have included some of my configuration files as attachments.
>
>
> Steve Ledwith
> San Jose Web
>
> steve@sanjoseweb.com
> www.sanjoseweb.com
> 408-226-5155
>
> ----- Original Message ----- 
> From: "Tom Eastep" <teastep@shorewall.net>
> To: <shorewall-users@lists.shorewall.net>
> Sent: Tuesday, November 04, 2003 2:37 PM
> Subject: Re: [Shorewall-users] ProxyARP question
>
>
> >
> > > I have Shorewall 1.4.7 configured with ProxyARP. All of my IP
addresses
> > > are part of a public Class C network. Servers on the Internet see
all
> > > communication as originating from the IP address of my external
> > > interface on the firewall.
> >
> > If that is the case, you are misusing Proxy ARP. Proxy ARP is a trick
to
> > get around the lack of proper routing and doesn''t rewrite IP
headers in
> > any way.
> >
> > It sounds like you are also doing SNAT on traffic outbound from your
> servers.
> >
> > -Tom
> > -- 
> > Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline       \ http://www.shorewall.net
> > Washington, USA  \ teastep@shorewall.net
> >
> >
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
> >
>

----------------------------------------------------------------------------
----

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net 
> [mailto:shorewall-users-bounces@lists.shorewall.net] On 
> Behalf Of Alex Martin
> Sent: Tuesday, November 04, 2003 5:56 PM
> To: Shorewall Users Mailing List
> Subject: Re: [Shorewall-users] ProxyARP question
> 
> 
> Ok. Whoa. Might need some help here.
> 
> After looking at your config files, I must ask some questions:
> 
> 1) Apparently, you have a whole bunch of networks behind the 
> firewall. Were
> you planning on having the firewall (shorewall) route between these
> networks, or do you have another router(s) in place already?
Actually I have 2 networks. 209.237.24.0/24 and 209.237.2.128/25.
> 
> 2) Is your /etc/shorewall/masq file empty?
It turns out this was the problem. My masq file was not empty. 
It was from the 3-interface quick start. I removed the masq file
And it looks like everything is working fine.

Thanks for your help.

--- Steve Ledwith <sanjoseweb@hotmail.com> wrote:
As a result of this behavior I have added an additional
> PTR
> record to my DNS so that reverse lookups against my firewall''s IP
> address
> will return the hostname of my mailserver. Now I am having a problem
> with a
> mailserver that doesn''t want receive email from my system because
the
> hostname of my mailserver doesn''t resolve to the same IP address
as
> it
> appears to be sent from. 
Pretty straight forward to isolate. What is your mail name in DNS and
what does your PTR record look like? What is the actual source ip in
the smtp packet after being natted either via DNAT, SNAT or Static NAT?

This usually points to acouple of obvious things and that is you didn''t
 map your in-addr.arpa name correctly on you dns server or Shorewall is
misconfigured and packets are leaving shorewalls external interface
being masq''ed improperly using an ip other than what you thought.

It seems obvious now after reading further that mail is leaving the
external interface with an address that doesn''t match with
what''s
mapped in DNS. 

Hope you get this straightened out soon. I know how fire and brimestone
rain down when CEO''s and Exec''s cant get their mail. :D

JBanks



__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

On Tue, 4 Nov 2003, Kevin Miller, Jr. wrote:
> Has anyone got Shorewall to work with the 2.6.0-test9 kernel?  If so, I
would
> be curious to see your kernel configs so I can get my firewall working
again.
 Yes, I have it (2.6.0-test9-bk1). My config file is in attachment.

I would like to ask about related thing. Is here any recommendation or
plans how to use Shorewall together with native IPsec in 2.6 kernel?
This new kernel code does not create "ipsec" device and so (I think)
we cannot use traditional shorewall technique for "ipsec rules".

 Regards,
                 Milos Wimmer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Milos Wimmer
 Internet Services Specialist      e-mail: wimmer@zcu.cz
 Laboratory for Computer Science
 University of West Bohemia        phone : +420 377 632 843
 Univerzitni 8, 306 14 Plzen       fax   : +420 377 421 419
 Czech Republic, Europe            WWW   : http://www.zcu.cz/~wimmer/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------- next part --------------
A non-text attachment was scrubbed...
Name: .config.gz
Type: application/octet-stream
Size: 5727 bytes
Desc: .config
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031105/1522a596/config.obj

> > I would like to ask about related thing. Is here any recommendation or
> plans how to use Shorewall together with native IPsec in 2.6 kernel?
> This new kernel code does not create "ipsec" device and so (I
think) we
> cannot use traditional shorewall technique for "ipsec rules".
I don''t intend to unstall 2.6 until 2.6.0 final is released. At that
time,
I will start to experiment with 2.6 features and will begin implementing
Shorewall support for them.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

Milos Wimmer wrote:
>On Tue, 4 Nov 2003, Kevin Miller, Jr. wrote:
>
>  
>
>>Has anyone got Shorewall to work with the 2.6.0-test9 kernel?  If so, I
would
>>be curious to see your kernel configs so I can get my firewall working
again.
>>    
>>
>
> Yes, I have it (2.6.0-test9-bk1). My config file is in attachment.
>
>I would like to ask about related thing. Is here any recommendation or
>plans how to use Shorewall together with native IPsec in 2.6 kernel?
>This new kernel code does not create "ipsec" device and so (I
think)
>we cannot use traditional shorewall technique for "ipsec rules".
>
> Regards,
>                 Milos Wimmer
>
>
>  
>
I''ve been running Shorewall with 2.6 for some time and it works fine. 
I
originally had one problem with module loading in that 2.6 doesn''t seem
to automagically load the netfilter modules like 2.4 will.  I wound up 
adding:
    loadmodule iptable_mangle
    loadmodule ipt_conntrack
    loadmodule ipt_state
    loadmodule ipt_LOG
    loadmodule ipt_REJECT
    loadmodule ipt_MASQUERADE
    loadmodule ipt_TOS
    loadmodule ipt_TCPMSS

to /etc/shorewall/modules so that it would start cleanly.

IPSEC is a very good question however.  I just setup a tunnel between 
two systems and with Shorewall cleared, it works.  With Shorewall up, 
it''s giving me truncated-ip problems.  It seems that when the packet is
decrypted, it gets botched - not sure if it''s hosed on the sender side 
or receiver - and things just go haywire.  I''m not too sure where to 
look just yet to get this resolved.

Tom Eastep wrote:
>>>I would like to ask about related thing. Is here any recommendation
or
>>>      
>>>
>>plans how to use Shorewall together with native IPsec in 2.6 kernel?
>>This new kernel code does not create "ipsec" device and so (I
think) we
>>cannot use traditional shorewall technique for "ipsec rules".
>>    
>>
>
>I don''t intend to unstall 2.6 until 2.6.0 final is released. At
that time,
>I will start to experiment with 2.6 features and will begin implementing
>Shorewall support for them.
>
>-Tom
>  
>
In the meantime, any suggestions as to how to resolve this problem with 
an IPSEC tunnel?  The topology is:

192.168.1.0/24 - gw1 (69.22.77.196) - Internet - gw2 (4.63.121.42) - 
172.16.100.0/24


12:26:27.844456 4.63.121.42 > 69.22.77.196: ESP(spi=0x00000301,seq=0x67) 
(DF) [tos 0x10]
12:26:27.844456 truncated-ip - 16 bytes missing! 4.63.121.42 > 
69.16.0.60: truncated-ip - 16292 bytes missing! 69.22.77.196 > 
69.16.0.60: ip-proto-63 (frag 12804:16336@56992+) [tos 0x34]  (ipip-proto-4)
12:26:30.842893 4.63.121.42 > 69.22.77.196: ESP(spi=0x00000301,seq=0x68) 
(DF) [tos 0x10]
12:26:30.842893 truncated-ip - 16 bytes missing! 4.63.121.42 > 
69.16.0.60: truncated-ip - 16292 bytes missing! 69.22.77.196 > 
69.16.0.60: ip-proto-63 (frag 12804:16336@56992+) [tos 0x34]  (ipip-proto-4)


If I drop Shorewall on both ends, IPSEC works fine.  With Shorewall up, 
I get the above.   Looking at the packets with Ethereal, the decrypted 
traffic is totally hosed up.  There are IPv3 (yes 3) headers and such 
and the destination address is obviously dorked up. 

Any thoughts?

> >>
> In the meantime, any suggestions as to how to resolve this problem with
> an IPSEC tunnel?  The topology is:
>
> 192.168.1.0/24 - gw1 (69.22.77.196) - Internet - gw2 (4.63.121.42) -
> 172.16.100.0/24
>
>
> 12:26:27.844456 4.63.121.42 > 69.22.77.196: ESP(spi=0x00000301,seq=0x67)
>  (DF) [tos 0x10]
> 12:26:27.844456 truncated-ip - 16 bytes missing! 4.63.121.42 >
> 69.16.0.60: truncated-ip - 16292 bytes missing! 69.22.77.196 >
> 69.16.0.60: ip-proto-63 (frag 12804:16336@56992+) [tos 0x34]
> (ipip-proto-4) 12:26:30.842893 4.63.121.42 > 69.22.77.196:
> ESP(spi=0x00000301,seq=0x68)  (DF) [tos 0x10]
> 12:26:30.842893 truncated-ip - 16 bytes missing! 4.63.121.42 >
> 69.16.0.60: truncated-ip - 16292 bytes missing! 69.22.77.196 >
> 69.16.0.60: ip-proto-63 (frag 12804:16336@56992+) [tos 0x34]
> (ipip-proto-4)
>
>
> If I drop Shorewall on both ends, IPSEC works fine.  With Shorewall up,
> I get the above.   Looking at the packets with Ethereal, the decrypted
> traffic is totally hosed up.  There are IPv3 (yes 3) headers and such
> and the destination address is obviously dorked up.
>
> Any thoughts?
>
I suggest the Netfilter list -- Start at www.netfilter.org. This sounds
like a kernel networking bug.

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks a lot.  I will try to compile my kernel later today and see if I can 
get Shorewall running again.

Kevin

On Wednesday 05 November 2003 1:56 am, Milos Wimmer
wrote:
> On Tue, 4 Nov 2003, Kevin Miller, Jr. wrote:
> > Has anyone got Shorewall to work with the 2.6.0-test9 kernel?  If so,
I
> > would be curious to see your kernel configs so I can get my firewall
> > working again.
>
>  Yes, I have it (2.6.0-test9-bk1). My config file is in attachment.
>
> I would like to ask about related thing. Is here any recommendation or
> plans how to use Shorewall together with native IPsec in 2.6 kernel?
> This new kernel code does not create "ipsec" device and so (I
think)
> we cannot use traditional shorewall technique for "ipsec rules".
>
>  Regards,
>                  Milos Wimmer
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Milos Wimmer
>  Internet Services Specialist      e-mail: wimmer@zcu.cz
>  Laboratory for Computer Science
>  University of West Bohemia        phone : +420 377 632 843
>  Univerzitni 8, 306 14 Plzen       fax   : +420 377 421 419
>  Czech Republic, Europe            WWW   : http://www.zcu.cz/~wimmer/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- -- 
Kevin Miller, Jr.
Masters of Public Affairs,
Comparative and International Affairs, Information Systems, and Nonprofit 
Management,
School of Public and Environmental Affairs
Indiana University - Bloomington
http://www.amerasianworld.com
kevmille@e-civilsociety.org
mobile: 812-219-5047

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/qVTJP2TQUAjSykARAuqOAJ9wgBm7JlzpZEFXgamQt2l4oa7iYwCgh464
iyH+g8rt2xoOSHi6Rj8EhJA=Rskm
-----END PGP SIGNATURE-----

On Wed, 5 Nov 2003, David T Hollis wrote:
> If I drop Shorewall on both ends, IPSEC works fine.  With Shorewall up,
> I get the above.   Looking at the packets with Ethereal, the decrypted
> traffic is totally hosed up.  There are IPv3 (yes 3) headers and such
> and the destination address is obviously dorked up.
 I tried to connect single host in Internet to firewall with Shorewall and
IPSec gateway (with PSK, racoon and tunnel mode). It works nice and fine.

But I have problem to set appropriate shorewall rules for accepting of
traffic going through IPsec tunnel into private network. Kernel 2.6 has no
virtual ipsec interface. Data of remote single host are decrypted on IPsec
end point on the firewall and Shorewall sees them as data coming from IP
address of single host in Internet to external interface (Net zone) of
firewall (Shorewall writes it into the log so).
But how to determine that these data are coming through IPsec tunnel
and not directly?
Maybe some "iptables -A POSTROUTING" rules could help...

I agree - kernel 2.6 is future technology today and "global" solution
of this problem will be much better than some partial steps.

 Regards,
             Milos

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Milos Wimmer
 Internet Services Specialist      e-mail: wimmer@zcu.cz
 Laboratory for Computer Science
 University of West Bohemia        phone : +420 377 632 843
 Univerzitni 8, 306 14 Plzen       fax   : +420 377 421 419
 Czech Republic, Europe            WWW   : http://www.zcu.cz/~wimmer/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Wed, 2003-11-05 at 16:26, Milos Wimmer wrote:
> On Wed, 5 Nov 2003, David T Hollis wrote:
> 
> > If I drop Shorewall on both ends, IPSEC works fine.  With Shorewall
up,
> > I get the above.   Looking at the packets with Ethereal, the decrypted
> > traffic is totally hosed up.  There are IPv3 (yes 3) headers and such
> > and the destination address is obviously dorked up.
> 
>  I tried to connect single host in Internet to firewall with Shorewall and
> IPSec gateway (with PSK, racoon and tunnel mode). It works nice and fine.
> 
> But I have problem to set appropriate shorewall rules for accepting of
> traffic going through IPsec tunnel into private network. Kernel 2.6 has no
> virtual ipsec interface. Data of remote single host are decrypted on IPsec
> end point on the firewall and Shorewall sees them as data coming from IP
> address of single host in Internet to external interface (Net zone) of
> firewall (Shorewall writes it into the log so).
> But how to determine that these data are coming through IPsec tunnel
> and not directly?
> Maybe some "iptables -A POSTROUTING" rules could help...
> 
> I agree - kernel 2.6 is future technology today and "global"
solution
> of this problem will be much better than some partial steps.
> 
>  Regards,
>              Milos
> 
I''m finally making some progress with this.  The big snag seems to be
the lack of a defined interface for the IPSEC traffic.  I found that if
I did something kludgy like:

ACCEPT   net:192.168.1.0/24  loc   icmp 8

in my rules file, I could ping from the 192.168.1.0/24 subnet on one
side of the VPN to local hosts on the other side.  I''m now in the
process of trying to figure out if using the multi-networks/zone
approach can work.  The hard part is that I don''t have one or two
specific networks on my ''net'' zone, I have the VPN networks
and also
0.0.0.0/0.  

Here''s my configs that almost get me there:

Gateway #1 Configs --

interfaces:
-       eth0           detect          dhcp,blacklist
loc     eth1           detect          dhcp

hosts:
rastampa        eth0:172.16.100.0/24
net             eth0:0.0.0.0/0

policy:
loc             net             ACCEPT
rastampa        loc             ACCEPT
loc             rastampa        ACCEPT
net             all             DROP            info

Gateway #2 Configs --

interfaces:
-        eth0           detect
loc      eth1           detect          dhcp

hosts:
dhollis         eth0:192.168.1.0/24
net             eth0:0.0.0.0/0

policy:
loc             net             ACCEPT
dhollis         loc             ACCEPT
loc             dhollis         ACCEPT
net             all             DROP            info

Pinging from gw1''s internal net to gw2s net gives me these logs on gw2:

Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=192.168.1.164
DST=172.16.100.100 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=42531 SEQ=601

I''ve noticed that eth0_fwd gets created like this:

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  0.0.0.0/0            0.0.0.0/0
net2all    all  --  0.0.0.0/0            0.0.0.0/0
net2all    all  --  0.0.0.0/0            192.168.1.0/24
dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0


If eth0_fwd is tweaked to be like this:

Chain eth0_fwd (1 references)
target     prot opt source               destination
dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0
dynamic    all  --  0.0.0.0/0            0.0.0.0/0
net2all    all  --  0.0.0.0/0            0.0.0.0/0


than it works.  

Reordering entries in hosts didn''t make a difference in how the chain
created.  Any other tricks to influence the ordering?

> On Wed, 2003-11-05 at 16:26, Milos Wimmer wrote:
>> _fwd gets created like this:
>
> Chain eth0_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  0.0.0.0/0            0.0.0.0/0
> net2all    all  --  0.0.0.0/0            0.0.0.0/0
> net2all    all  --  0.0.0.0/0            192.168.1.0/24
> dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0
>
>
> If eth0_fwd is tweaked to be like this:
>
> Chain eth0_fwd (1 references)
> target     prot opt source               destination
> dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0
> dynamic    all  --  0.0.0.0/0            0.0.0.0/0
> net2all    all  --  0.0.0.0/0            0.0.0.0/0
>
>
> than it works.
>
> Reordering entries in hosts didn''t make a difference in how the
chain
> created.  Any other tricks to influence the ordering?
>
Rules are always created in zone order so you need to reorder the zone file.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net

On Thu, 2003-11-06 at 16:11, Tom Eastep wrote:
> > On Wed, 2003-11-05 at 16:26, Milos Wimmer wrote:
> >> _fwd gets created like this:
> >
> > Chain eth0_fwd (1 references)
> > target     prot opt source               destination
> > dynamic    all  --  0.0.0.0/0            0.0.0.0/0
> > net2all    all  --  0.0.0.0/0            0.0.0.0/0
> > net2all    all  --  0.0.0.0/0            192.168.1.0/24
> > dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0
> >
> >
> > If eth0_fwd is tweaked to be like this:
> >
> > Chain eth0_fwd (1 references)
> > target     prot opt source               destination
> > dhollis_frwd  all  --  192.168.1.0/24       0.0.0.0/0
> > dynamic    all  --  0.0.0.0/0            0.0.0.0/0
> > net2all    all  --  0.0.0.0/0            0.0.0.0/0
> >
> >
> > than it works.
> >
> > Reordering entries in hosts didn''t make a difference in how
the chain
> > created.  Any other tricks to influence the ordering?
> >
> 
> Rules are always created in zone order so you need to reorder the zone
file.
> 
> -Tom
Sweet!  That worked.  Moving my VPN zones to the top of the list made
the ethX_fwd chains come up correctly and things seem to be rolling.