Hi All,

I've not long started using shorewall and I've got the basics and everything is working as it should, except my Playstation's connection to the outside world. It's very intermittent - sometimes it works, other times it doesn't. I've checked it's nothing to do with the PS2 by connecting directly to a mate's ADSL router - works perfectly every time.

Here's my setup (excuse the drawing ;p)...

                 WWW
                  |
                  | ppp0, dynamic IP
                  |
              FIREWALL
                  |
                  | eth0 192.168.1
                  |
               SWITCH 192.168.0.10
          -------------
          |     |     |
         PC1   PC2   Playstation 2
    192.168.0.2 192.168.0.5 192.168.0.4

In /etc/shorewall/rules I have forwarded the relevant ports to the PS2...

    DNAT net loc:192.168.0.4 tcp 10070:10080
    DNAT net loc:192.168.0.4 udp 10070
    DNAT net loc:192.168.0.4 udp 6000:6999
    DNAT net loc:192.168.0.4 tcp 1721:1722

These are all the ports required, according to Sony. I have checked the logs and it doesn't look like anything important is being dropped, but I can't be sure.

I have looked at setting up the PS2 as a DMZ but it looks a bit complicated, especially since my firewall box only has one NIC and no PCI/ISA slots left :(

Does anyone have a similar setup with a working PS2 connection? If so, can you post / mail me your config - I'd REALLY appreciate it.

Thanks in advance,
Jeff
On Tue, 2003-11-25 at 07:16, Jeff wrote:
> Hi All,
>
> I've not long started using shorewall and I've got the basics and
> everything is working as it should, except my Playstation's connection
> to the outside world. It's very intermittent - sometimes it works,
> other times it doesn't.

Do you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi,

I cannot understand why the following rule does not apply:

My friend is running Shorewall 1.4.5 on a Bering box. I would like to Remote-Desktop to a Windows XP in his local network. I would like to allow only my IP to do that, so I add the following to 'rules':

    DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226

    firewall# shorewall version
    1.4.5
    firewall# shorewall restart
    Processing /etc/shorewall/params ...
    ...
    Rule "DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226" added.
    ...
    Processing /etc/shorewall/start ...
    ...
    Shorewall Restarted

But I cannot remote-login from the IP '209.139.218.226', and the log shows:

    Nov 22 07:12:07 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:da:c5:4d:b8:00:03:42:6b:00:45:08:00 SRC=209.139.218.226 DST=216.232.xxx.yyy LEN=48 TOS=00 PREC=0x00 TTL=117 ID=56400 CE DF PROTO=TCP SPT=2038 DPT=3389 SEQ=4051133599 ACK=0 WINDOW=65535 SYN URGP=0

If I remove the remote IP from the 'rules', then I can connect; either:

    DNAT net loc:192.168.1.207 tcp 3389 -

or

    DNAT net loc:192.168.1.207 tcp 3389

are OK.

Thank you for the explanation.
> Hi,
>
> I cannot understand why the following rule does not apply:
>
> My friend is running Shorewall 1.4.5 on a Bering box. I would like to
> Remote-Desktop to a Windows XP in his local network. I would like to
> allow only my IP to do that, so I add the following to 'rules':
>
> DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226
>
> firewall# shorewall version
> 1.4.5
> firewall# shorewall restart
> Processing /etc/shorewall/params ...
> ...
> Rule "DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226" added.
> ...
> Processing /etc/shorewall/start ...
> ...
> Shorewall Restarted
>
> But I cannot remote-login from the IP '209.139.218.226', and the log shows:
>
> Nov 22 07:12:07 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
> MAC=00:50:da:c5:4d:b8:00:03:42:6b:00:45:08:00 SRC=209.139.218.226
> DST=216.232.xxx.yyy LEN=48 TOS=00 PREC=0x00 TTL=117 ID=56400 CE DF PROTO=TCP
> SPT=2038 DPT=3389 SEQ=4051133599 ACK=0 WINDOW=65535 SYN URGP=0
>
> If I remove the remote IP from the 'rules', then I can connect; either:
>
> DNAT net loc:192.168.1.207 tcp 3389 -
> or
> DNAT net loc:192.168.1.207 tcp 3389
>
> are OK.
>
> Thank you for the explanation.

209.139.218.226 is part of the 'net' zone, so that should be:

    DNAT net:209.139.218.226 loc:192.168.1.207 tcp 3389

Jerry Vonau
Thanks Jerry,

this makes sense and it works.

Anyway, what does the last item mean? The comments said:

    # Example: All http requests from the internet to address
    # 130.252.100.69 are to be forwarded to 192.168.1.3
    #
    # #ACTION SOURCE DEST            PROTO DEST  SOURCE  ORIGINAL
    # #                                    PORT  PORT(S) DEST
    # DNAT    net    loc:192.168.1.3 tcp   80    -       130.252.100.69

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 25, 2003 3:50 PM
Subject: Re: [Shorewall-users] DNAT rule does not work

> > Hi,
> >
> > I cannot understand why the following rule does not apply:
> >
> > My friend is running Shorewall 1.4.5 on a Bering box. I would like to
> > Remote-Desktop to a Windows XP in his local network. I would like to
> > allow only my IP to do that, so I add the following to 'rules':
> >
> > DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226
> >
> > firewall# shorewall version
> > 1.4.5
> > firewall# shorewall restart
> > Processing /etc/shorewall/params ...
> > ...
> > Rule "DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226" added.
> > ...
> > Processing /etc/shorewall/start ...
> > ...
> > Shorewall Restarted
> >
> > But I cannot remote-login from the IP '209.139.218.226', and the log shows:
> >
> > Nov 22 07:12:07 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
> > MAC=00:50:da:c5:4d:b8:00:03:42:6b:00:45:08:00 SRC=209.139.218.226
> > DST=216.232.xxx.yyy LEN=48 TOS=00 PREC=0x00 TTL=117 ID=56400 CE DF PROTO=TCP
> > SPT=2038 DPT=3389 SEQ=4051133599 ACK=0 WINDOW=65535 SYN URGP=0
> >
> > If I remove the remote IP from the 'rules', then I can connect; either:
> >
> > DNAT net loc:192.168.1.207 tcp 3389 -
> > or
> > DNAT net loc:192.168.1.207 tcp 3389
> >
> > are OK.
> >
> > Thank you for the explanation.
>
> 209.139.218.226 is part of the 'net' zone, so that should be:
>
> DNAT net:209.139.218.226 loc:192.168.1.207 tcp 3389
>
> Jerry Vonau
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
> Thanks Jerry,
>
> this makes sense and it works.
>
> Anyway, what does the last item mean? The comments said:
>
> # Example: All http requests from the internet to address
> # 130.252.100.69 are to be forwarded to 192.168.1.3
> #
> # #ACTION SOURCE DEST            PROTO DEST  SOURCE  ORIGINAL
> # #                                    PORT  PORT(S) DEST
> # DNAT    net    loc:192.168.1.3 tcp   80    -       130.252.100.69

You could have more than one IP on the external interface; it just states what external IP the rule applies to.

Jerry
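To make the two points in this exchange concrete (the remote address belongs in the SOURCE column as net:209.139.218.226, and the last column is the ORIGINAL DEST, i.e. the external address the client connected to), here is a small added Python model that is not part of the thread or of Shorewall itself. It parses rules in the column layout quoted above and a Shorewall/Netfilter log line, then reports which rules would have applied to the logged SYN. Assumptions: the interface-to-zone map is a constructed table standing in for /etc/shorewall/interfaces, 203.0.113.5 is a constructed stand-in for the masked 216.232.xxx.yyy, and the matching logic is a simplification of Shorewall's (no nested zones, no interface options).

```python
"""Which Shorewall DNAT rules would match a logged connection? (added example)

Models the rules-file columns ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT
ORIGINAL-DEST and a Shorewall log line.  Not Shorewall's own code; the zone
table and sample addresses below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface -> zone map (Shorewall reads this from the interfaces file).
ZONES = {"eth0": "net", "eth1": "loc"}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]   # SOURCE "zone:host" -> host part, None = any
    dst_zone: str
    dst_host: Optional[str]   # DEST "zone:host" -> where DNAT forwards to
    proto: str
    dport: Optional[str]      # "3389", "10070:10080" or None = any
    sport: Optional[str]
    orig_dest: Optional[str]  # ORIGINAL DEST: the external address connected to


def _zone_host(field: str) -> Tuple[str, Optional[str]]:
    zone, _, host = field.partition(":")
    return zone, (host or None)


def _opt(cols: List[str], i: int) -> Optional[str]:
    """Column i of the rule, or None when absent or '-' (Shorewall's 'any')."""
    return None if i >= len(cols) or cols[i] == "-" else cols[i]


def parse_rule(line: str) -> Rule:
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"rule needs at least ACTION SOURCE DEST: {line!r}")
    src_zone, src_host = _zone_host(cols[1])
    dst_zone, dst_host = _zone_host(cols[2])
    return Rule(cols[0], src_zone, src_host, dst_zone, dst_host,
                _opt(cols, 3) or "all", _opt(cols, 4), _opt(cols, 5), _opt(cols, 6))


LOG_KV = re.compile(r"(\w+)=(\S*)")


def parse_log(line: str) -> dict:
    """Extract chain, disposition and the key=value fields from a Shorewall log line."""
    fields = dict(LOG_KV.findall(line))
    m = re.search(r"Shorewall:(\S+):(\S+):", line)
    if m:
        fields["chain"], fields["disposition"] = m.group(1), m.group(2)
    return fields


def _port_match(spec: Optional[str], port: str) -> bool:
    if spec is None or spec == "all":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(port) <= int(hi or lo)


def _host_match(spec: Optional[str], ip: str) -> bool:
    if spec is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Does the rule apply to the pre-NAT packet described by the log fields?"""
    if rule.src_zone not in ("all", ZONES.get(pkt.get("IN", ""))):
        return False
    if not _host_match(rule.src_host, pkt["SRC"]):
        return False
    if rule.proto != "all" and rule.proto.lower() != pkt.get("PROTO", "").lower():
        return False
    if not _port_match(rule.dport, pkt.get("DPT", "0")):
        return False
    if not _port_match(rule.sport, pkt.get("SPT", "0")):
        return False
    # ORIGINAL DEST is compared with the packet's own DST (the external address
    # the client connected to), never with the client's SRC address.
    return _host_match(rule.orig_dest, pkt["DST"])


def matching_rules(rules_text: str, log_line: str) -> List[Rule]:
    rules = [parse_rule(l) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    pkt = parse_log(log_line)
    return [r for r in rules if rule_matches(r, pkt)]


# Constructed log line modelled on the one in the thread; 203.0.113.5 stands in
# for the firewall's masked external address 216.232.xxx.yyy.
SAMPLE_LOG = ("Nov 22 07:12:07 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
              "MAC=00:50:da:c5:4d:b8:00:03:42:6b:00:45:08:00 SRC=209.139.218.226 "
              "DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=117 ID=56400 CE DF "
              "PROTO=TCP SPT=2038 DPT=3389 SEQ=4051133599 ACK=0 WINDOW=65535 SYN URGP=0")

WRONG_RULE = "DNAT net loc:192.168.1.207 tcp 3389 - 209.139.218.226"  # IP in ORIGINAL DEST
RIGHT_RULE = "DNAT net:209.139.218.226 loc:192.168.1.207 tcp 3389"    # IP in SOURCE

if __name__ == "__main__":
    for text in (WRONG_RULE, RIGHT_RULE):
        hits = matching_rules(text, SAMPLE_LOG)
        print(f"{text}\n  -> {'forwards to ' + hits[0].dst_host if hits else 'no match, falls to net2all policy'}")
```

Run against the sample, the original rule never matches because its ORIGINAL DEST (209.139.218.226) is compared with the packet's DST, which is the firewall's external address, so the SYN falls through to the net2all DROP policy seen in the log; the corrected rule matches on SRC and forwards to 192.168.1.207. The same check shows what the last column is for: a rule with ORIGINAL DEST 130.252.100.69 only applies to connections that arrived at that external address.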
Yes, it's enabled - my ADSL connection is PPPoA. Is that correct?

On Tue, 2003-11-25 at 16:52, Tom Eastep wrote:
> On Tue, 2003-11-25 at 07:16, Jeff wrote:
> > Hi All,
> >
> > I've not long started using shorewall and I've got the basics and
> > everything is working as it should, except my Playstation's connection
> > to the outside world. It's very intermittent - sometimes it works,
> > other times it doesn't.
>
> Do you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf?
>
> -Tom
On Tue, 25 Nov 2003, M Lu wrote:
> Thanks Jerry,
>
> this makes sense and it works.
>
> Anyway, what does the last item mean? The comments said:
>
> # Example: All http requests from the internet to address
                                                  ----------
> # 130.252.100.69 are to be forwarded to 192.168.1.3
> #

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Any more ideas? I'm really stuck.

As mentioned in another post, I am in the UK, so my ADSL pipe is PPPoA - do I still need CLAMPMSS=Yes?

TIA
Jeff

On Wed, 2003-11-26 at 01:53, Jeff wrote:
> Yes, it's enabled - my ADSL connection is PPPoA. Is that correct?
>
> On Tue, 2003-11-25 at 16:52, Tom Eastep wrote:
> > On Tue, 2003-11-25 at 07:16, Jeff wrote:
> > > Hi All,
> > >
> > > I've not long started using shorewall and I've got the basics and
> > > everything is working as it should, except my Playstation's connection
> > > to the outside world. It's very intermittent - sometimes it works,
> > > other times it doesn't.
> >
> > Do you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf?
> >
> > -Tom
On Wed, 2003-11-26 at 08:47, Jeff wrote:
> Any more ideas? I'm really stuck.

A Shorewall-generated Netfilter configuration is static. It does the same thing for every connection request of a particular type. So the cases where it can produce "works sometimes -- doesn't work other times" behavior are fairly limited:

a) The "don't work" cases involve ports that you aren't handling. You should be seeing log messages when this happens, but as a test you can make your PS2 a "mini-DMZ" by simply adding this as the last entry in your rules file:

    DNAT net loc:<PS2 IP> all

   Note that the above rule will disable any internet-accessible applications on your firewall box.

b) The "don't work" cases involve a DNAT rule that does load balancing and some of the servers aren't up. This case presumably doesn't apply to you.

c) There are factors totally outside of the ruleset that are affecting the connections. The most common is a brain-dead router configuration along the way that drops fragmentation-needed ICMP packets and breaks the MSS discovery protocol. CLAMPMSS=Yes is the usual solution for that.

d) The application involved doesn't work with NAT or requires a NAT helper. If this is your case, it should be documented on the Sony site.

e) You are using rate-limiting rules/policies and the "don't work" cases are being dropped because your limits have been exceeded.

>
> As mentioned in another post, I am in the UK, so my ADSL pipe is PPPoA -
> do I still need CLAMPMSS=Yes?
>

Never hurts.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wed, 2003-11-26 at 09:19, Tom Eastep wrote:
> >
> > As mentioned in another post, I am in the UK, so my ADSL pipe is PPPoA -
> > do I still need CLAMPMSS=Yes?
> >
>
> Never hurts.
>

Actually, it is a requirement when the MTU of the firewall's Internet interface is smaller than the MTU of the interface to the local systems. And this is almost always the case when any form of PPP is involved.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
what ppp daemon are you using ?!?

sometimes clamping won't work right .. in my experience connections are more stable if you're manually clamping to a very conservative setting. for example in my roaring penguin pppd (pppoe) setup i use

    /usr/sbin/pppoe -I eth0 -T 80 -m 1412

cya
Holger

On Wed, 2003-11-26 at 17:47, Jeff wrote:
> Any more ideas? I'm really stuck.
>
> As mentioned in another post, I am in the UK, so my ADSL pipe is PPPoA -
> do I still need CLAMPMSS=Yes?
>
> TIA
> Jeff
>
> On Wed, 2003-11-26 at 01:53, Jeff wrote:
> > Yes, it's enabled - my ADSL connection is PPPoA. Is that correct?
> >
> > On Tue, 2003-11-25 at 16:52, Tom Eastep wrote:
> > > On Tue, 2003-11-25 at 07:16, Jeff wrote:
> > > > Hi All,
> > > >
> > > > I've not long started using shorewall and I've got the basics and
> > > > everything is working as it should, except my Playstation's connection
> > > > to the outside world. It's very intermittent - sometimes it works,
> > > > other times it doesn't.
> > >
> > > Do you have CLAMPMSS=Yes in /etc/shorewall/shorewall.conf?
> > >
> > > -Tom
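Tom's point about the MTU mismatch on PPP links, and Holger's manual clamp to 1412, both come down to what CLAMPMSS does on the wire: rewrite the MSS option in a TCP SYN so the peer never sends a segment larger than the PPP link can carry, even when path-MTU discovery is broken by a router that drops fragmentation-needed ICMP. The following added Python model is not Shorewall's or Netfilter's code (Shorewall implements CLAMPMSS with the Netfilter TCPMSS target); it builds a constructed SYN, parses the TCP options, and clamps the MSS to the largest value a given MTU can carry (MTU minus 20 bytes IPv4 header minus 20 bytes TCP header). It does not recompute the TCP checksum, which a real firewall must do after the rewrite.

```python
"""TCP MSS clamping, modelled in Python (added example, not Shorewall's code).

CLAMPMSS=Yes makes the firewall lower the MSS option in SYN segments so the
remote end sizes its segments for the smaller PPP MTU.  The SYN used here is
constructed; the checksum is deliberately not recomputed.
"""
import struct
from typing import Dict, Optional, Tuple

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def mss_for_mtu(mtu: int) -> int:
    """Largest IPv4 TCP segment that fits `mtu`: minus 20-byte IP and 20-byte TCP headers."""
    return mtu - 40


def parse_tcp_options(tcp: bytes) -> Dict[int, bytes]:
    """Return {kind: value} for the options in a TCP header (header only, no payload)."""
    data_offset = (tcp[12] >> 4) * 4          # header length in bytes
    opts = tcp[20:data_offset]
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:               # single-byte padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                        # malformed option, stop parsing
            break
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def syn_mss(tcp: bytes) -> Optional[int]:
    """The advertised MSS of a SYN, or None if the option is absent."""
    opt = parse_tcp_options(tcp).get(TCP_OPT_MSS)
    return int.from_bytes(opt, "big") if opt is not None and len(opt) == 2 else None


def clamp_mss(tcp: bytes, mtu: int) -> Tuple[bytes, bool]:
    """Rewrite the MSS option if it exceeds what `mtu` can carry.

    Returns (header, changed).  Only SYN segments carry an MSS option, so
    anything else is returned untouched.
    """
    if not tcp[13] & TCP_FLAG_SYN:
        return tcp, False
    limit = mss_for_mtu(mtu)
    data_offset = (tcp[12] >> 4) * 4
    buf = bytearray(tcp)
    i = 20
    while i + 1 < data_offset:
        kind = buf[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if length < 2:
            break
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", buf[i + 2:i + 4])[0]
            if mss > limit:
                buf[i + 2:i + 4] = struct.pack("!H", limit)   # checksum update omitted
                return bytes(buf), True
            return tcp, False
        i += length
    return tcp, False


def build_syn(sport: int, dport: int, mss: int) -> bytes:
    """Constructed 24-byte TCP SYN: 20-byte fixed header plus a 4-byte MSS option."""
    data_offset_flags = (6 << 12) | TCP_FLAG_SYN      # 6 words = 24 bytes, SYN set
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0,
                        data_offset_flags, 65535, 0, 0)
    return fixed + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


if __name__ == "__main__":
    # Ethernet-sized MSS (1460) arriving for a PPPoE link with MTU 1492.
    syn = build_syn(2038, 3389, 1460)
    clamped, changed = clamp_mss(syn, 1492)
    print(f"MSS {syn_mss(syn)} -> {syn_mss(clamped)} (changed={changed})")
    print(f"Holger's -m 1412 corresponds to an MTU of {1412 + 40}")
```

A host on Ethernet advertises MSS 1460; for a PPPoE link with MTU 1492 the clamp lowers it to 1452, and an MSS that already fits is left alone. Holger's -m 1412 is simply a more conservative clamp, equivalent to an MTU of 1452, which gives headroom for any extra encapsulation the path adds. Without the clamp, the remote end sends 1500-byte packets that the firewall cannot forward over the PPP link, and if the ICMP fragmentation-needed message is dropped along the way the connection stalls intermittently, exactly the symptom described in the thread.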