Hello all,

Whilst looking for information in regards to dynamic zones in shorewall 2.X I only found a reference in the ipsec section. This doesn't tell me enough; I was wondering if dyn zones could be used for the following:

The idea is that somebody from outside the network (internet) wants access to some internal services such as imap/pop3/ssh etc. The idea is they go to a part of the public website where they authenticate. Their source IP (or entered IP) is added to a dynamic zone that is allowed to access these services.

Therefore the dynamic zone would have dnat rules for the imap/pop3/ssh services. The source IP is then automatically added with the command:

/sbin/shorewall add ppp0:1.1.1.1 enet

Where ppp0 is my adsl interface, 1.1.1.1 the source IP and enet the zone for the extranet.

Would dynamic zones work in this case?

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
> Hello all,
>
> Whilst looking for information in regards to dynamic zones in shorewall
> 2.X I only found a reference in the ipsec section. This doesn't tell me
> enough; I was wondering if dyn zones could be used for the following:
>
> The idea is that somebody from outside the network (internet) wants
> access to some internal services such as imap/pop3/ssh etc. The idea is
> they go to a part of the public website where they authenticate. Their
> source IP (or entered IP) is added to a dynamic zone that is allowed to
> access these services.
>
> Therefore the dynamic zone would have dnat rules for the imap/pop3/ssh
> services. The source IP is then automatically added with the command:
> /sbin/shorewall add ppp0:1.1.1.1 enet
>
> Where ppp0 is my adsl interface, 1.1.1.1 the source IP and enet the zone
> for the extranet.
>
> Would dynamic zones work in this case?
>

Within the limitations of Dynamic Zones, yes.

In addition to the limitation listed in the documentation:

a) Remember that "shorewall restart" does not retain the contents of dynamic zones so you have to restore them in your /etc/shorewall/start script.

b) The ruleset generated for dynamic zones is really ugly. It is a little better in the Shorewall-2.0.2 Betas but the facility still doesn't scale well.

Also, you need to devise a means for hosts to be removed from the dynamic zone at some point -- it isn't clear to me how you do that.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom,

First of all while testing the dynamic zones I could get shorewall add ppp0:<ip> rcs working. The fix I found is a small patch/addition:

Version is 2.0.2Beta-1

--- firewall.orig 2004-05-09 17:00:12.000000000 +0200
+++ firewall 2004-05-09 17:00:27.000000000 +0200
@@ -5614,7 +5614,7 @@
     chain=${zone}_dnat
     if nat_chain_exists $chain; then
-        do_iptables -t nat -A $(dynamic_in) -s $host -j $chain
+        do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain
     fi
     #
     # Insert new rules into the filter table for the passed interface

Remaining comments inline:

Tom Eastep said the following on 09-05-04 16:49:
> Stijn Jonker wrote:
>
>> Therefore the dynamic zone would have dnat rules for the imap/pop3/ssh
>> services. The source IP is then automatically added with the command:
>> /sbin/shorewall add ppp0:1.1.1.1 enet
>>
>> Where ppp0 is my adsl interface, 1.1.1.1 the source IP and enet the
>> zone for the extranet.
>>
>> Would dynamic zones work in this case?
>>
>
> Within the limitations of Dynamic Zones, yes.
>
> In addition to the limitation listed in the documentation:
>
> a) Remember that "shorewall restart" does not retain the contents of
> dynamic zones so you have to restore them in your /etc/shorewall/start
> script.

Yes I know, this is not a problem, shorewall "uptime" here is weeks.

> b) The ruleset generated for dynamic zones is really ugly. It is a
> little better in the Shorewall-2.0.2 Betas but the facility still
> doesn't scale well.

I'm running 2.0.2beta for the actions directories ;-)

> Also, you need to devise a means for hosts to be removed from the
> dynamic zone at some point -- it isn't clear to me how you do that.

Thinking about 2 options: fixed time OR "idle" timeout. By enabling logging (or watching the conntrack table) I could see whether they are idle for X minutes and remove them. Not sure yet.

Thanks for the response.

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
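Review bot: the change at the `do_iptables -t nat -A $(dynamic_in) ...` line looks right and is consistent with its surroundings: the comment directly below the hunk refers to "the passed interface", so $interface is in scope there, and the debug trace later in this thread shows the dynamic input chain is named per interface (ppp0_dyni), which a bare $(dynamic_in) cannot select. Two things worth adding: a one-line description of the symptom in the patch itself (the nat rule for a freshly added dynamic host being appended to a chain that does not exist for the interface), and a check that the filter-table insertion the trailing comment introduces does not have the same missing argument.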
Stijn Jonker wrote:
> Tom,
>
> First of all while testing the dynamic zones I could get shorewall add
> ppp0:<ip> rcs working. The fix I found is a small patch/addition:

Thanks!

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
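Tom's two points above (dynamic zone members are lost on "shorewall restart" and have to be restored from /etc/shorewall/start, and some means of removing them is needed) together with Stijn's "fixed time" option, as an added example that is not code from the thread or from Shorewall: a small POSIX sh helper that records each "shorewall add" in a membership file, re-adds the members at start, and deletes them once a lifetime has passed. The variable names SHOREWALL, MEMBERS and TTL, the file path and the default lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: keep the members of a dynamic zone
# in a file so they can be restored from /etc/shorewall/start after a restart
# and removed again after a fixed lifetime (the "fixed time" option).
# File format, one member per line:  <interface>:<ip> <zone> <added-epoch>
# SHOREWALL, MEMBERS and TTL are assumed names with constructed defaults.
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"
MEMBERS="${MEMBERS:-/var/lib/shorewall/dynmembers}"
TTL="${TTL:-3600}"

# Record a member and add it to its zone, e.g. after the web authentication.
add_member() {   # add_member ppp0:1.1.1.1 enet
    printf '%s %s %s\n' "$1" "$2" "$(date +%s)" >> "$MEMBERS"
    "$SHOREWALL" add "$1" "$2"
}

# Re-add every recorded member; call this from /etc/shorewall/start.
restore_members() {
    while read -r host zone added; do
        if [ -n "$host" ]; then "$SHOREWALL" add "$host" "$zone"; fi
    done < "$MEMBERS"
}

# Print "<host> <zone>" for each member older than TTL at epoch time $1.
expired_members() {   # expired_members <now>
    while read -r host zone added; do
        if [ -n "$host" ] && [ $(($1 - added)) -ge "$TTL" ]; then
            printf '%s %s\n' "$host" "$zone"
        fi
    done < "$MEMBERS"
}

# Delete expired members from their zone and drop them from the file.
# Run from cron; the optional argument is the epoch time to evaluate against.
expire_members() {   # expire_members [<now>]
    now="${1:-$(date +%s)}"
    expired_members "$now" | while read -r host zone; do
        "$SHOREWALL" delete "$host" "$zone"
    done
    tmp="$MEMBERS.$$"
    while read -r host zone added; do
        if [ -n "$host" ] && [ $((now - added)) -lt "$TTL" ]; then
            printf '%s %s %s\n' "$host" "$zone" "$added"
        fi
    done < "$MEMBERS" > "$tmp"
    mv -f "$tmp" "$MEMBERS"
}
```

An "idle" timeout instead of a fixed one would replace the age test in expired_members with a check of the last activity seen for the host, which the file format does not record.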
Tom,

While further testing, either I'm doing something wrong, or there is another issue.

First of all the adding of a host doesn't seem to catch the defined rules (but I think this is a problem between keyboard and chair). The other is that shorewall delete gives a warning about the host not being in the zone. See explanation below:

In the function add_to_zone the dynamic host should be added to /var/lib/shorewall/zones by the loops at /usr/share/shorewall at line 5590. Somehow the command shorewall add ppp0:<ip> rcs works, but the /var/lib/shorewall/zones remains empty. Looking at the shorewall debug add ... command:

+ chain_exists ppp0_dyni
+ qt iptables -L ppp0_dyni -n
+ iptables -L ppp0_dyni -n
+ newhost=ppp0:194.109.21.2
+ terminator=fatal_error
<<Starts here?>>
+ read z hosts
+ mv -f /var/lib/shorewall/zones_31685 /var/lib/shorewall/zones
+ chain=rcs_dnat
+ nat_chain_exists rcs_dnat
+ qt iptables -t nat -L rcs_dnat -n
+ iptables -t nat -L rcs_dnat -n

Due to the zones file being empty (as there aren't any dynamic hosts after starting) the following loop (line 5590) will never be executed:

    while read z hosts; do
        if [ "$z" = "$zone" ]; then
            for h in $hosts; do
                if [ "$h" = "$newhost" ]; then
                    rm -f ${STATEDIR}/zones_$$
                    startup_error "$1 already in zone $zone"
                fi
            done
            [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost"
        fi
        eval ${z}_hosts=\"$hosts\"
        echo "$z $hosts" >> ${STATEDIR}/zones_$$
    done < ${STATEDIR}/zones

As a result the foremost last line "echo "$z $hosts" >> ${STATEDIR}/zones_$$" will never be executed. As a result the shorewall delete command will issue the warning:

" Warning: ppp0:194.109.21.2 does not appear to be in zone rcs"

I don't know how to fix or work around this...

Tom Eastep said the following on 09-05-04 17:14:
> Stijn Jonker wrote:
>
>> Tom,
>>
>> First of all while testing the dynamic zones I could get shorewall add
>> ppp0:<ip> rcs working. The fix I found is a small patch/addition:
>
>
> Thanks!
>
> -Tom

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
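The failure Stijn describes above (a while-read loop over an empty zones file never runs, so the new host is never written and a later "shorewall delete" cannot find it) as an added example, not Shorewall's own code or its fix: a rewrite of the quoted add_to_zone loop that tracks whether the zone's line was seen and creates it when it was not. The function name and its zones-file argument are assumptions; the eval that sets ${z}_hosts is left out.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: add a dynamic host to a zones file
# of "<zone> <host> <host> ..." lines, creating the zone's line when the file
# has none for it yet (including the empty file right after a fresh start).
# Returns 1 without touching the file if the host is already a member.
add_host_to_zones_file() {   # add_host_to_zones_file <zonesfile> <zone> <newhost>
    zones="$1" zone="$2" newhost="$3"
    tmp="$zones.$$"
    found=0
    : > "$tmp"
    while read -r z hosts; do
        if [ "$z" = "$zone" ]; then
            found=1
            for h in $hosts; do
                if [ "$h" = "$newhost" ]; then
                    rm -f "$tmp"
                    echo "$newhost already in zone $zone" >&2
                    return 1
                fi
            done
            if [ -z "$hosts" ]; then hosts=$newhost; else hosts="$hosts $newhost"; fi
        fi
        echo "$z $hosts" >> "$tmp"
    done < "$zones"
    # The quoted loop never runs on an empty file, so the zone's line has to
    # be written here whenever the loop did not see it.
    if [ "$found" -eq 0 ]; then
        echo "$zone $newhost" >> "$tmp"
    fi
    mv -f "$tmp" "$zones"
}
```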
Stijn Jonker wrote:
>
> Somehow the command shorewall add ppp0:<ip> rcs works, but the
> /var/lib/shorewall/zones remains empty.
>

The 'firewall' script in CVS corrects this problem.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom,

Thanks, it looks like it fixed my other problem as well ;-)

Again, wonderfully quick response, much as my other loved open-source project mailscanner (shameless plug). Keep up the good work!

Tom Eastep said the following on 09-05-04 22:21:
> Stijn Jonker wrote:
>
>>
>> Somehow the command shorewall add ppp0:<ip> rcs works, but the
>> /var/lib/shorewall/zones remains empty.
>>
>
> The 'firewall' script in CVS corrects this problem.
>
> -Tom

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>