On Tuesday 10 February 2004 03:05 pm, FredN wrote:
> Hey,
>
> Running Shorewall 1.4.7.c on a Gentoo Linux.
> Using the WEBMIN GUI I added/edited my own rules and I made a mistake:
> I defined a range of ip-addresses by 10.0.0.151-10.0.0.153 note the -
> Okay it's wrong syntax, but valid for port definitions, so a typo.

On the contrary -- it is VALID syntax in the DEST column of the rules file and has been since Shorewall version 1.4.6. It is NOT valid port syntax (the syntax for a port range uses ":" rather than "-").

> Note that the Shorewall configuration file and Shorewall do not give any
> warning, it's accepted!!
> What happens is:
> - the supposed range is interpreted and a weird calculation gives a
>   valid but unmeant address, so an unmeant rule
> - secondly the startup/restart takes a veryyyy long time

I would be interested in seeing a trace -- again, this is valid Shorewall syntax and may mean that you have a broken shell.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tuesday 10 February 2004 02:22 pm, Tom Eastep wrote:
> I would be interested in seeing a trace -- again, this is valid Shorewall
> syntax and may mean that you have a broken shell.

Or you could start with:

/sbin/shorewall iprange 10.0.0.151-10.0.0.153

It should look like:

gateway:~# shorewall iprange 10.0.0.151-10.0.0.153
10.0.0.151
10.0.0.152/31
gateway:~#

That is the "weird calculation" that Shorewall *should* do (and it shouldn't take very long).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tuesday 10 February 2004 03:30 pm, FredN wrote:
>
> I'm sorry but I don't know about a trace, besides over here it's bedtime.
> But you see it's very easy to reproduce!!!!

Not so --

Processing /etc/test/rules...
iptables v1.2.9: host/network `10.0.0.151-10.0.0.153' not found
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop ...

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tuesday 10 February 2004 02:48 pm, Tom Eastep wrote:
> On Tuesday 10 February 2004 03:30 pm, FredN wrote:
> > I'm sorry but I don't know about a trace, besides over here it's bedtime.
> > But you see it's very easy to reproduce!!!!
>
> Not so --
>
> Processing /etc/test/rules...
> iptables v1.2.9: host/network `10.0.0.151-10.0.0.153' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Processing /etc/shorewall/stop ...

So the ip range was included in the SOURCE column -- that IS illegal. Note that Shorewall isn't doing any calculation on the IP range but is simply passing it to iptables expecting iptables to generate an error if it finds an error.

Try this:

iptables -N foo
iptables -A foo -p tcp -m state --state NEW -s 10.0.0.151-10.0.0.153 \
    --dport 12345 -j ACCEPT
iptables -L foo -n -v

What happens?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hey,

Running Shorewall 1.4.7.c on a Gentoo Linux.
Using the WEBMIN GUI I added/edited my own rules and I made a mistake:
I defined a range of ip-addresses by 10.0.0.151-10.0.0.153 note the -
Okay it's wrong syntax, but valid for port definitions, so a typo.
Note that the Shorewall configuration file and Shorewall do not give any warning, it's accepted!!
What happens is:
- the supposed range is interpreted and a weird calculation gives a valid but unmeant address, so an unmeant rule
- secondly the startup/restart takes a veryyyy long time

For your information, I'm not on the subscription list, yet.

Fred Nijdam
Here is the input configuration

GNU nano 1.2.2                         File: /etc/shorewall/rules

ACCEPT  net:10.0.0.151-10.0.0.153  all  tcp  -  12345   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And here the iptables:

Chain net2dmz (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW LOG flags 0 level 5 prefix `Shorewall:net2dmz:REJECT:'
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW LOG flags 0 level 5 prefix `Shorewall:net2dmz:REJECT:'
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW
    0     0 ACCEPT     tcp  --  *      *       64.49.213.239        0.0.0.0/0           state NEW tcp spt:12345   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Of course in more chains, but this will do.

I'm sorry but I don't know about a trace, besides over here it's bedtime.
But you see it's very easy to reproduce!!!!
On Tuesday 10 February 2004 03:30 pm, FredN wrote:
> Here is the input configuration
>
> GNU nano 1.2.2                         File: /etc/shorewall/rules
>
> ACCEPT  net:10.0.0.151-10.0.0.153  all  tcp  -  12345   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> And here the iptables:
>
> Chain net2dmz (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW LOG flags 0 level 5 prefix `Shorewall:net2dmz:REJECT:'
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW
>     0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW LOG flags 0 level 5 prefix `Shorewall:net2dmz:REJECT:'
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 2049,10000,20000 state NEW
>     0     0 ACCEPT     tcp  --  *      *       64.49.213.239        0.0.0.0/0           state NEW tcp spt:12345   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>     0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

To wrap up this thread. Fred had a domain in his DNS search list that did wild-carding; the "DNS Name" 10.0.0.151-10.0.0.153 was resolving to 64.49.213.239 (and taking a long time to do so -- hence the slow startup that Fred was complaining about).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
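Two technical points run through this thread: the range-to-CIDR arithmetic that `shorewall iprange` performs (Tom's second message), and the fact that whatever is not a literal address in a rule's host qualifier is handed to iptables as a name and resolved through DNS, search list included, at start time (the wrap-up). The following Python is an added example that is not part of the thread and not Shorewall's or iptables' code. It implements the same block decomposition, cross-checks it against the standard library, and audits a constructed rules fragment (Shorewall 1.4 column order ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT; the first entry is Fred's, the `dmz` and `mailhost` entries are invented) for host qualifiers that would either be rejected in SOURCE or silently resolved by DNS. `_DOTTED` is a loose syntactic match, not full address validation.

```python
import ipaddress
import re

# Constructed rules-file fragment (Shorewall 1.4 column order:
# ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S)). The first line is
# the entry from the thread; the other two are invented for illustration.
SAMPLE_RULES = """\
ACCEPT  net:10.0.0.151-10.0.0.153  all  tcp  -   12345
ACCEPT  net:10.0.0.0/24            dmz  tcp  22
ACCEPT  net:mailhost               fw   tcp  25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

_DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"  # loose dotted-quad match, not validation


def iprange_to_cidrs(spec):
    """Decompose 'first-last' into the minimal list of CIDR blocks, which is the
    arithmetic behind 'shorewall iprange': at each step take the largest block
    that starts exactly at the current address and does not overshoot 'last'."""
    first_s, last_s = spec.split("-", 1)
    first = int(ipaddress.IPv4Address(first_s))
    last = int(ipaddress.IPv4Address(last_s))
    if last < first:
        raise ValueError(f"range {spec!r} runs backwards")
    blocks = []
    while first <= last:
        prefix = 32
        # Widen the block while it stays aligned and inside the range.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if first % size != 0 or first + size - 1 > last:
                break
            prefix -= 1
        addr = ipaddress.IPv4Address(first)
        blocks.append(str(addr) if prefix == 32 else f"{addr}/{prefix}")
        first += 1 << (32 - prefix)
    return blocks


def matches_stdlib(spec):
    """Cross-check iprange_to_cidrs against the standard library's summariser."""
    first_s, last_s = spec.split("-", 1)
    expected = [
        str(n.network_address) if n.prefixlen == 32 else str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first_s), ipaddress.IPv4Address(last_s))
    ]
    return iprange_to_cidrs(spec) == expected


def classify_host(host):
    """Say how iptables will treat the host part of a 'zone:host' qualifier."""
    if re.fullmatch(_DOTTED, host):
        return "address"
    if re.fullmatch(_DOTTED + r"/\d{1,2}", host):
        return "cidr"
    if re.fullmatch(_DOTTED + "-" + _DOTTED, host):
        return "range"
    # Anything else is passed to iptables as a name and resolved through DNS,
    # including the resolver's search list, when the firewall starts.
    return "name"


def audit_rules(text):
    """Return (line number, column, host, reason) for entries that would be
    rejected in SOURCE or silently resolved through DNS."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        for column, field in (("SOURCE", fields[1]), ("DEST", fields[2])):
            if ":" not in field:
                continue  # bare zone name, no host qualifier
            host = field.split(":", 1)[1]
            kind = classify_host(host)
            if kind == "range" and column == "SOURCE":
                # Per the thread, a range is accepted only in DEST on 1.4.x;
                # the equivalent CIDR list works in either column.
                findings.append((lineno, column, host,
                                 "range in SOURCE; use " + ", ".join(iprange_to_cidrs(host))))
            elif kind == "name":
                findings.append((lineno, column, host,
                                 "resolved through DNS (and the search list) at start time"))
    return findings


if __name__ == "__main__":
    print(iprange_to_cidrs("10.0.0.151-10.0.0.153"))
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run stand-alone it prints `['10.0.0.151', '10.0.0.152/31']`, the same two blocks Tom's `shorewall iprange` output shows, and then flags Fred's SOURCE range and the `mailhost` name. The audit does not resolve anything itself, which is the point: a name-looking host in a firewall rule is a dependency on the resolver configuration of the box at start time, and the wrap-up shows how a wildcard search domain turns a typo into an ACCEPT for an unrelated address.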