Dear all,

I have this strange case. In my notebook, I set the policy and rules like this:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
net       $FW    DROP     ULOG
$FW       net    ACCEPT   ULOG
loc       net    ACCEPT   ULOG
all       all    DROP     ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#ACTION       SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                              PORT    PORT(S)   DEST
ACCEPT:ULOG   loc      $FW    tcp     110       -
ACCEPT:ULOG   loc      $FW    tcp     25        -
ACCEPT:ULOG   loc      $FW    tcp     22,21     -
ACCEPT:ULOG   $FW      net    tcp     5050      -
ACCEPT:ULOG   $FW      all    all     -         -
DROP:ULOG     net      $FW    all     -         -
ACCEPT:ULOG   net      $FW    tcp     80        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And in my local server, very similar:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
net       fw     DROP     info
#net      all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#ACTION   SOURCE   DEST   PROTO   DEST                                             SOURCE    ORIGINAL
#                                 PORT                                             PORT(S)   DEST
ACCEPT    net      fw     udp     53                                               -
ACCEPT    net      fw     tcp     80,443,53,22,20,21,25,109,110,143,783,993,10000  -
ACCEPT    fw       net    all     -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

But the PROBLEM is: I can't connect to my server using FTP, nor from the server to my notebook. In /var/log/messages of the server, it drops a high port:

Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0

Can anyone give me direction here? Why doesn't the setting work? How do I open this "high port"? Is it safe to do so?
TIA
-- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
20:20:11 up 12:23, Mandrake Linux release 9.2 (FiveStar) for i586
public key: https://www.arinet.org/fajar-pub.key
Fajar Priyanto wrote:

> But the PROBLEM is:
> I can't connect to my server using FTP, nor from the server to my notebook. In
> /var/log/messages of the server, it drops a high port:
> Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234
> DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP
> SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Can anyone give me direction here? Why doesn't the setting work? How do I open
> this "high port"? Is it safe to do so?

Most people who have FTP problems with Shorewall manage to find Shorewall FAQ #29.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Tom Eastep wrote:
> Fajar Priyanto wrote:
>> Can anyone give me direction here? Why doesn't the setting work? How
>> do I open this "high port"? Is it safe to do so?
>
> Most people who have FTP problems with Shorewall manage to find
> Shorewall FAQ #29.

That FAQ may be found at http://shorewall.net/FAQ.htm#faq29.

If you follow the link in that FAQ and follow the instructions that you find there and are still having problems, let us know.

-Tom
On Thursday 01 April 2004 09:45 pm, Tom Eastep wrote:
>> Most people who have FTP problems with Shorewall manage to find
>> Shorewall FAQ #29.
>
> That FAQ may be found at http://shorewall.net/FAQ.htm#faq29.
>
> If you follow the link in that FAQ and follow the instructions that you
> find there and are still having problems, let us know.
>
> -Tom

Thanks Tom,
Yes I've read the FAQ #29 (it comes with the shorewall installation in my mdk9.2). Unfortunately, I'm not quite following what it says.

Does it mean that I have to set my proftpd to open a fixed range of ports for passive ftp? Then set shorewall in accordance with it?

What is most confusing me is that in my notebook, the shorewall works perfectly. I even "virtually" drop all traffic except those that I specifically open. And this resulted in a very good "score" from the Shields Up! scanning engine. What is the problem? It beats me.

I have opened high ports 1024-65535, and passive ftp is now working. But is it the right thing to do?

-- 
Fajar Priyanto
Fajar Priyanto wrote:
> Thanks Tom,
> Yes I've read the FAQ #29 (it comes with the shorewall installation in my mdk9.2).
> Unfortunately, I'm not quite following what it says.
>
> Does it mean that I have to set my proftpd to open a fixed range of ports for
> passive ftp? Then set shorewall in accordance with it?
>
> What is most confusing me is that in my notebook, the shorewall works
> perfectly. I even "virtually" drop all traffic except those that I
> specifically open. And this resulted in a very good "score" from the Shields Up!
> scanning engine. What is the problem? It beats me.
>
> I have opened high ports 1024-65535, and passive ftp is now working. But is
> it the right thing to do?

Stop!!

You continuously refer to your notebook and your server but you haven't given us a clue about the network topology. Now you've started another thread complaining about email on your notebook but in that thread you post an entirely different set of rules from what you have in this thread.

Please:

a) Send us a diagram of your network pointing out where the notebook, ftp server, pop3 server and smtp servers are.

b) If you are running Shorewall on more than one system (which seems to be the case), make that clear and be sure that you indicate in your posts which system you are referring to when you post configuration files.

c) Don't describe your symptoms as "I can't send or receive email" -- about all that will get you is a little sympathy. For example, what happens when you try to telnet to ports 25 or 110 on the respective servers? If that fails, say how it fails. If it fails using DNS names, does it succeed using IP addresses?

d) Regarding your FTP problem, please confirm that the ip_conntrack_ftp and ip_nat_ftp modules are being loaded correctly. Since you are running Mandrake, the Important Note at the top of the Shorewall FTP page probably applies to you. With a properly configured Shorewall firewall:

   a) You don't have to do anything special to configure your FTP server.
   b) The only Shorewall rules you need are those that allow/forward TCP port 21 to the server; you do *NOT* need to open any high ports.
   c) In rare cases, you may need to open TCP *SOURCE* port 20 from the server to the clients in order to work around ACTIVE mode FTP problems (you seem to be using passive mode). That is also described on the Shorewall FTP page.

-Tom
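Added example for this thread (not code from Shorewall or from either poster): Tom's item d) and the log line from the first post, turned into a small Python triage script. The dropped SYN has SPT=20 and a high DPT, which is the signature of an active-mode FTP data connection opened by the FTP *server* (192.168.0.234, the address Fajar later identifies as his notebook) back to the client (192.168.0.236, servA); the server's net2fw DROP policy hits it because nothing has told conntrack that this connection is RELATED to the port-21 session. The script parses the line, names the symptom, and checks a /proc/modules listing for the helper. The log line is copied from the post; the /proc/modules sample is constructed; the nf_conntrack_ftp/nf_nat_ftp names are an assumption about newer kernels that the thread does not cover.

```python
"""Triage a Shorewall/netfilter DROP line for the FTP data-channel symptom.

Added example for this thread, not Shorewall's own code. It parses the kernel
log line from the first post (copied below as a constructed sample), decides
whether the dropped SYN is an FTP control or data connection, and checks a
/proc/modules listing (also constructed) for the conntrack helper that lets
netfilter accept the data channel as RELATED traffic instead of an opened
high-port range.
"""
import re

# Constructed sample: the log line from the original post, rejoined on one line.
SAMPLE_LOG = (
    "Mar 31 21:14:20 server2 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 "
    "DST=192.168.0.236 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=29064 DF PROTO=TCP "
    "SPT=20 DPT=32802 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Constructed sample of /proc/modules on a 2.4-era box with no FTP helper loaded
# (module sizes and use counts are made up).
SAMPLE_MODULES_MISSING = """\
ipt_ULOG 7000 10
ipt_state 1200 8
iptable_nat 20000 1
ip_conntrack 33000 2 ipt_state,iptable_nat
iptable_filter 2900 1
ip_tables 16500 5 ipt_ULOG,ipt_state,iptable_nat,iptable_filter
"""

# Helper names on 2.4/2.6 kernels (ip_*), and, as an assumption about current
# kernels not covered by the thread, their nf_* successors.
CONNTRACK_HELPERS = ("ip_conntrack_ftp", "nf_conntrack_ftp")
NAT_HELPERS = ("ip_nat_ftp", "nf_nat_ftp")

_CHAIN_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line plus chain/verdict."""
    fields = {}
    m = _CHAIN_RE.search(line)
    if m:
        fields["chain"], fields["verdict"] = m.group("chain"), m.group("verdict")
        line = line[m.end():]
    fields.update(_KV_RE.findall(line))   # flags such as DF and SYN carry no '='
    return fields


def classify_ftp(fields):
    """Say what the dropped TCP SYN most likely belongs to."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if fields.get("DPT") == "21":
        return "ftp-control"
    if fields.get("SPT") == "20":
        # Active mode: the FTP *server* opens the data connection from its own
        # port 20 to the ephemeral port the client announced in its PORT command.
        return "ftp-active-data"
    return "other"


def helper_status(proc_modules, nat_box=False):
    """Which FTP helpers appear in a /proc/modules listing (first column)."""
    loaded = {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}
    status = {"conntrack": any(h in loaded for h in CONNTRACK_HELPERS)}
    if nat_box:  # only a gateway doing NAT for FTP needs the NAT helper too
        status["nat"] = any(h in loaded for h in NAT_HELPERS)
    return status


def triage(line, proc_modules, nat_box=False):
    """Combine the three checks into one diagnosis string."""
    f = parse_netfilter_line(line)
    kind = classify_ftp(f)
    helpers = helper_status(proc_modules, nat_box)
    where = f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')}"
    if kind == "ftp-control":
        return f"{where}: FTP control channel dropped in {f.get('chain')}; allow tcp 21"
    if kind != "ftp-active-data":
        return f"{where}: not an FTP symptom ({kind})"
    if not helpers["conntrack"]:
        return (f"{where}: active-mode FTP data channel dropped in {f.get('chain')}; "
                "load the FTP conntrack helper (RELATED) rather than opening 1024-65535")
    if nat_box and not helpers["nat"]:
        return f"{where}: conntrack helper loaded but NAT helper missing on the gateway"
    return f"{where}: helpers loaded; check that the port-21 control session is tracked"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_MODULES_MISSING))
```

On a real box, feed `triage` the offending line from /var/log/messages and the contents of /proc/modules; `nat_box=True` is for the gateway that NATs FTP for the LAN, which needs both helpers, while a plain host such as servA or the notebook needs only the conntrack helper. Once the helper is loaded, the 1024-65535 rule Fajar added can be removed: the data channel is then matched by the RELATED state rather than by a port range.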
On Friday 02 April 2004 09:56 pm, Tom Eastep wrote:
> Stop!!
>
> You continuously refer to your notebook and your server but you haven't
> given us a clue about the network topology. [...]
>
> a) Send us a diagram of your network pointing out where the notebook,
> ftp server, pop3 server and smtp servers are.
>
> b) If you are running Shorewall on more than one system (which seems to
> be the case), make that clear [...]
>
> c) Don't describe your symptoms as "I can't send or receive email" [...]
>
> d) Regarding your FTP problem, please confirm that the ip_conntrack_ftp
> and ip_nat_ftp modules are being loaded correctly. [...]
>
> -Tom

Hi Tom,
I'm so sorry for creating this chaos since I haven't given any clear description.

1. My network topology is:
internet --- gateway box (mdk9.0 with ppp0 and eth0) --- switch --- notebook (which I also use at home), some file servers and one server (mdk9.2, let's name it servA) which I plan to put in colocation later when I'm done setting it up (including shorewall).

2. The related services are located in:
- gateway (shorewall, ftp, squid) -- 192.168.0.250
- servA (shorewall, ftp, www) -- 192.168.0.236
- notebook (shorewall, ftp) -- 192.168.0.234

3. Now, this afternoon, I replaced gShield (turned it off to be exact), and brought up shorewall in the gateway box (mdk9.0, with shorewall version 1.3.7 if I'm correct). I set the shorewall with all the settings included in my previous email in the smtp-pop3 thread.

4. Regarding www, I succeeded in setting up the squid transparent proxy using shorewall, by following the Tutorial in the mdk installation of shorewall. When browsing, I could see that shorewall was accepting port 53 (dns).

5. Now, regarding emails. When I tried to download or send email using Kmail on my notebook, it just failed. There was no dropping or rejecting shown in the log of the gateway box. This absence of log events really confuses me and also makes it harder for me to see what I have done wrong. I'll try to telnet to my ISP mail server tomorrow (I'm at home now), and let you know the result.

6. I even set the policy:
ACCEPT all all
But with the same results. Cannot pop3 or smtp from inside the network to the internet.

I'm sorry if this gives you nothing, but I have the same feeling here. I don't see any rejecting or dropping in the log for me to diagnose. Tomorrow I plan to format the gateway box into mdk9.2 hoping that maybe after all this time some part of the system has corrupted and needs replacement.

TIA Tom, all.
-- 
Fajar Priyanto
Fajar Priyanto wrote:
> 1. My network topology is:
> internet --- gateway box (mdk9.0 with ppp0 and eth0) --- switch --- notebook
> (which I also use at home), some file servers and one server (mdk9.2,
> let's name it servA) which I plan to put in colocation later when I'm done
> setting it up (including shorewall).
>
> 2. The related services are located in:
> - gateway (shorewall, ftp, squid) -- 192.168.0.250
> - servA (shorewall, ftp, www) -- 192.168.0.236
> - notebook (shorewall, ftp) -- 192.168.0.234

So you say that there are FTP servers on all three boxes? And they all don't work or only some of them don't work? And *ONCE AGAIN* are the ip_conntrack_ftp and ip_conntrack_nat modules loaded on the gateway and is ip_conntrack_ftp loaded on servA and on the notebook? If not, then you must take whatever steps necessary to ensure that

> 3. Now, this afternoon, I replaced gShield (turned it off to be exact), and
> brought up shorewall in the gateway box (mdk9.0, with shorewall version 1.3.7
> if I'm correct). I set the shorewall with all the settings included in my
> previous email in the smtp-pop3 thread.

Shorewall 1.3.7 will not automatically load modules on recent Mandrake releases. *ONCE AGAIN* please see http://shorewall.net/FTP.html -- the IMPORTANT note at the top of the page covers this issue.

> 4. Regarding www, I succeeded in setting up the squid transparent proxy using
> shorewall, by following the Tutorial in the mdk installation of shorewall.
> When browsing, I could see that shorewall was accepting port 53 (dns).

So I take it that Squid is running on the gateway.

> 5. Now, regarding emails. When I tried to download or send email using Kmail
> on my notebook, it just failed. There was no dropping or rejecting shown
> in the log of the gateway box. This absence of log events really confuses me and
> also makes it harder for me to see what I have done wrong. I'll try to telnet
> to my ISP mail server tomorrow (I'm at home now), and let you know the
> result.
>
> 6. I even set the policy:
> ACCEPT all all
> But with the same results.

Yet you persist in the belief that your connection problems are due to Shorewall. NOT ALL CONNECTION PROBLEMS ARE SHOREWALL PROBLEMS.

> Cannot pop3 or smtp from inside the network to the
> internet. I'm sorry if this gives you nothing, but I have the same feeling
> here. I don't see any rejecting or dropping in the log for me to diagnose.
> Tomorrow I plan to format the gateway box into mdk9.2 hoping that maybe after
> all this time some part of the system has corrupted and needs replacement.

That almost never happens except when configuration files get "corrupted" by the system administrator not having a clear idea of what he/she is doing.

-Tom
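Added example, not part of the thread: Tom's earlier suggestion (try the port with telnet; if it fails by DNS name, retry by IP address) and his closing point that an "ACCEPT all all" policy with no log entries makes a firewall an unlikely culprit both come down to classifying *how* a connection fails. The Python below does that in one function: a resolver error, a refused connection (RST, as a REJECT policy or a closed port gives) and a silent timeout (what a DROP policy or a black-holed route gives) are reported as distinct outcomes. Host names and ports in it are placeholders; the loopback listener and the `dead_resolver` double exist only so the script can be exercised offline.

```python
"""Tell a resolver failure, a refused port and a silent drop apart.

Added example, not from the thread. It is the check Tom asked for (try the
port with telnet; if it fails by DNS name, retry by IP address) written as a
function that reports which step failed, so a DROP policy (timeout), a REJECT
policy or nothing listening (refused) and a broken resolver (dns) stop looking
alike from the mail client. Host names and ports used here are placeholders.
"""
import socket


def probe(host, port, timeout=3.0, resolver=socket.getaddrinfo):
    """Return 'dns', 'refused', 'timeout', 'unreachable' or 'ok' for host:port."""
    try:
        infos = resolver(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"                 # never got as far as the firewall
    family, socktype, proto, _, addr = infos[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(addr)
        return "ok"
    except ConnectionRefusedError:
        return "refused"             # RST came back: REJECT policy or closed port
    except socket.timeout:
        return "timeout"             # nothing came back: DROP policy or black hole
    except OSError:
        return "unreachable"         # ICMP unreachable, no route, and similar
    finally:
        s.close()


def compare_name_and_ip(name, ip, port, **kw):
    """Run the probe by name and by literal address, as in Tom's suggestion.

    A literal IP never touches DNS, so 'dns' by name plus 'ok' by IP points at
    the resolver; the same failure both ways points past the resolver.
    """
    return {"by_name": probe(name, port, **kw), "by_ip": probe(ip, port, **kw)}


def dead_resolver(*args, **kwargs):
    """Test double standing in for a resolver that cannot answer (offline use)."""
    raise socket.gaierror(-2, "Name or service not known")


def start_listener():
    """Bind a throwaway TCP listener on loopback; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    print("listening port  :", compare_name_and_ip("localhost", "127.0.0.1", port))
    srv.close()
    print("closed port     :", probe("127.0.0.1", port))
    print("resolver failure:", probe("pop.isp.example", 110, resolver=dead_resolver))
```

In Fajar's situation the interesting result is a `timeout` by name and by IP while the gateway logs nothing, which would mean the packets are not reaching a logging rule at all (wrong route, wrong proxy setting, an ISP block) rather than being dropped by Shorewall; a `dns` result by name with `ok` by IP points at the resolver configuration on the notebook or the gateway.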