Hello, I'm working on configuring a very restrictive firewall to stick between our techroom and our internal network. Basically nothing should be allowed into the techroom and only a limited amount of traffic is to leave the techroom. Below are a few log entries I'm looking to get explained. DHCP is handled by the firewall, DNS is handled by servers side our techroom.

my rules file

    AllowSSH    all     fw
    AllowDNS    all     net:10.1.1.159,10.1.1.160
    AllowFTP    loc     net
    AllowWeb    loc     net
    AllowPOP3   loc     net
    AllowSMTP   loc     net:172.16.35.10,172.16.35.33
    AllowSMB    loc     net:10.1.1.159,10.1.1.160

my policy file

    loc     all     DROP    info
    net     all     DROP    info
    all     all     REJECT  info

192.168.50.1 = Internal interface of shorewall firewall
192.168.50.199 = Workstation inside shorewall firewall

What is this traffic? The firewall is trying to talk to the workstation. Ports 67/68 are for the "Bootstrap Protocol". I was thinking that it's DHCP but DHCP is working so I'm not sure.

    Jun 11 09:14:24 techgw kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.50.1 DST=192.168.50.199 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
    Jun 11 09:14:26 techgw kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.50.1 DST=192.168.50.199 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308

10.1.1.18 = Virus definition update server on campus but outside shorewall firewall

I thought this just worked on FTP, but I guess not, since that should have been allowed with my rules file.

    Jun 11 10:53:02 techgw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.50.199 DST=10.1.1.18 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=61186 DF PROTO=TCP SPT=1117 DPT=34253 WINDOW=8192 RES=0x00 SYN URGP=0
    Jun 11 10:53:05 techgw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.50.199 DST=10.1.1.18 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=61698 DF PROTO=TCP SPT=1117 DPT=34253 WINDOW=8192 RES=0x00 SYN URGP=0

One last thing... should the AllowSMB rule let the machines inside the firewall logon to our Windows Domain? It doesn't seem to work, the machine can't see the domain. I don't have a log entry to show for that handy at the moment. I really want to sort out the inability to do virus definition updates first.

Thanks.

-- 
Edward Chase
Providence College Information Technology

Protect your PC http://www.microsoft.com/security/protect/
Edward Chase wrote:

> DHCP is handled by the firewall, DNS is handled by servers side our
> techroom.

Something is wrong with the syntax of that sentence (or your typing resembles my own :-) ). I'm guessing that you meant to say "...by servers outside our techroom.".

> my rules file
> AllowSSH all fw
> AllowDNS all net:10.1.1.159,10.1.1.160
> AllowFTP loc net
> AllowWeb loc net
> AllowPOP3 loc net
> AllowSMTP loc net:172.16.35.10,172.16.35.33
> AllowSMB loc net:10.1.1.159,10.1.1.160
>
> my policy file
> loc all DROP info
> net all DROP info
> all all REJECT info
>
> 192.168.50.1 = Internal interface of shorewall firewall
> 192.168.50.199 = Workstation inside shorewall firewall

Please include your /etc/shorewall/interfaces (and /etc/shorewall/hosts if you use it) when you include log messages in your problem reports. Terms like "internal interface" and "inside shorewall" are ambiguous since Shorewall itself has no concept of "inside" or "outside", "external" or "internal". Your rules and policies are expressed in terms of zones while log messages contain interface names -- without knowing the correspondence, we are forced to guess who is who. Using a more intuitive name for the tech room zone would have also helped us (since we're not 100% certain if it is 'net' or 'loc').

> What is this traffic? The firewall is trying to talk to the workstation.
> Ports 67/68 are for the "Bootstrap Protocol". I was thinking that it's DHCP
> but DHCP is working so I'm not sure.

Please consult the Shorewall DHCP documentation: http://shorewall.net/DHCP.html. I suspect that you don't have 'dhcp' specified on eth1 in /etc/shorewall/interfaces.

> I thought this just worked on FTP, but I guess not, since that should have
> been allowed with my rules file.

And you have of course verified that you have Shorewall/netfilter FTP support configured properly as described at http://shorewall.net/FTP.html (particularly the part about module loading). Have you tried testing FTP (both active and passive) from whichever side of the firewall you call "behind"?

> One last thing... should the AllowSMB rule let the machines inside the
> firewall logon to our Windows Domain. It doesn't seem to work, the machine
> can't see the domain. I don't have a log entry to show for that handy at
> the moment.

The default common actions (Drop and Reject) silently dispose of SMB traffic before it is logged. This stops 1000s of silly reports of firewalls being under attack by the very systems that they are trying to protect. In general for Microsoft networking to work, you need AllowSMB in both directions.

Also, the last time I tested it logon to a domain didn't work through NAT -- I wouldn't think that this configuration would be doing NAT but you haven't said.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
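The point Tom makes above, that rules speak in zones while log lines speak in interface names, is easy to mechanise. The following is an added example, not code from the thread or from the Shorewall project: a small Python parser for the two kernel log lines Edward posted, which maps IN=/OUT= to zones using an interfaces table and flags the rejected server-to-client DHCP traffic. The interfaces table is constructed for this example: it uses the layout from later in the thread (net on eth0, loc on eth1) but leaves the 'dhcp' option off eth1, which is the omission Tom suspects. An empty IN= means the packet originated on the firewall itself (zone fw); an empty OUT= would mean it is addressed to the firewall.

```python
"""Map Shorewall log lines back to zones and flag the DHCP misconfiguration.

Added example; not from the thread or the Shorewall project. The interfaces
table is constructed (dhcp option deliberately missing on eth1); the log
lines are the two entries from the first message.
"""
import re
from dataclasses import dataclass

INTERFACES_TEXT = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
"""

SAMPLE_LOG = """\
Jun 11 09:14:24 techgw kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.50.1 DST=192.168.50.199 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 11 10:53:02 techgw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.50.199 DST=10.1.1.18 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=61186 DF PROTO=TCP SPT=1117 DPT=34253 WINDOW=8192 RES=0x00 SYN URGP=0
"""


@dataclass
class Interface:
    zone: str
    name: str
    options: set


def parse_interfaces(text):
    """Return {interface name: Interface} from /etc/shorewall/interfaces text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        table[fields[1]] = Interface(fields[0], fields[1], options)
    return table


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_log_line(line):
    """Split a 'Shorewall:chain:ACTION:k=v ...' line into a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry.setdefault(key, value)  # keep the first LEN= (IP total length)
        else:
            entry["flags"].append(token)  # DF, SYN, ...
    return entry


def zone_for(entry, interfaces, key):
    """Zone behind IN= or OUT=. An empty value means the firewall itself."""
    iface = entry.get(key, "")
    if not iface:
        return "fw"
    return interfaces[iface].zone if iface in interfaces else "?"


def diagnose(entry, interfaces):
    src_zone = zone_for(entry, interfaces, "IN")
    dst_zone = zone_for(entry, interfaces, "OUT")
    notes = []
    # A DHCP server reply (UDP 67 -> 68) leaving the firewall on an interface
    # that lacks the 'dhcp' option falls through to the all->all policy.
    if (src_zone == "fw" and entry.get("PROTO") == "UDP"
            and entry.get("SPT") == "67" and entry.get("DPT") == "68"):
        out = entry.get("OUT", "")
        if out in interfaces and "dhcp" not in interfaces[out].options:
            notes.append(f"DHCP reply on {out}: add the 'dhcp' option to {out} "
                         "in /etc/shorewall/interfaces")
    return {"chain": entry["chain"], "action": entry["action"],
            "src_zone": src_zone, "dst_zone": dst_zone, "notes": notes}


def analyze(log_text, interfaces_text):
    interfaces = parse_interfaces(interfaces_text)
    results = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry:
            results.append(diagnose(entry, interfaces))
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, INTERFACES_TEXT):
        print(f"{r['src_zone']}->{r['dst_zone']} via {r['chain']} {r['action']}", r["notes"])
```

Running it turns the first line into "fw->loc via all2all REJECT" with the dhcp note, and the second into "loc->net via loc2all DROP" with no note; the second line is simply a SYN to a TCP port no rule allows, which the parser leaves for a human to match against the rules file.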
Edward Chase
2004-Jun-11 17:16 UTC
necessary config files? (was Re: help with rules / log entries)
Sorry about the incomplete info before. I guess I should not assume that you can read my mind or my configs...

I had started looking thru the FTP webpage you sent and noticed that when I did an lsmod, I was missing the "ftp" modules that it spoke of. I then loaded them up by hand using the modprobe command. And the ftp started to work. Further on down the page it spoke of the /etc/shorewall/modules file. Once again here was a file that I was missing.

It seems that I'm running into problems due to the way the debian package was put together. As your own FAQ notes, by default, the /etc/shorewall directory is empty. Your notes state, "Simply copy the files you need from that directory to /etc/shorewall and modify the copies." This is what I've been doing as I find that I need a file. So far my /etc/shorewall directory contains

    techgw:~# ls /etc/shorewall
    interfaces  masq  modules  policy  rules  shorewall.conf  zones

Should I just copy all from /usr/share/doc/shorewall/default-config to /etc/shorewall? (Obviously don't overwrite what I've already got.) Had I done this from the start, I wouldn't have asked the ftp question.

Thanks for your help so far. This has been much easier than dealing directly with iptables!!! I administer our Checkpoint firewall here and normally work at the Checkpoint object level. Going down to the iptables level for this techroom firewall was causing my brain to hurt.
Tom Eastep
2004-Jun-11 17:36 UTC
Re: necessary config files? (was Re: help with rules / log entries)
Edward Chase wrote:

> Should I just copy all from /usr/share/doc/shorewall/default-config to
> /etc/shorewall? (Obviously don't overwrite what I've already got.) Had I
> done this from the start, I wouldn't have asked the ftp question.

I should probably update my Debian docs to mention that both "shorewall.conf" and "modules" should be copied unconditionally to /etc/shorewall -- I currently only mention "shorewall.conf". There is no point in copying files that are empty (except for comments).

> Thanks for your help so far. This has been much easier than dealing
> directly with iptables!!!

You're welcome.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
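The lesson of the two messages above is that an AllowFTP rule is only half of FTP support: the connection-tracking helper has to be loaded too, and a missing /etc/shorewall/modules file means nothing loads it. As an added example (not code from the thread or from the Shorewall project), here is a Python check that derives the helper modules a rules file needs and compares them against lsmod output. The rule-to-module mapping is this example's own; the module names ip_conntrack_ftp and ip_nat_ftp are the 2.4-kernel helpers referred to by the Shorewall FTP page, and the NAT helper is included because the box in this thread masquerades. RULES_TEXT is the rules file from the thread; the lsmod sample is constructed and deliberately lacks the FTP helpers. The "loadmodule <name>" line format is assumed to match the Shorewall modules file syntax.

```python
"""Derive the netfilter helper modules a Shorewall rules file needs and check
them against lsmod output.

Added example; not from the thread or the Shorewall project. Module names are
the 2.4-kernel FTP helpers; the rule->module mapping and the lsmod sample are
constructed for this example.
"""

RULES_TEXT = """\
AllowSSH    all     fw
AllowDNS    all     net:10.1.1.159,10.1.1.160
AllowFTP    loc     net
AllowWeb    loc     net
AllowPOP3   loc     net
AllowSMTP   loc     net:172.16.35.10,172.16.35.33
AllowSMB    loc     net:10.1.1.159,10.1.1.160
"""

# Constructed lsmod output: conntrack core present, FTP helpers missing.
LSMOD_TEXT = """\
Module                  Size  Used by
ip_conntrack           26320   1
ip_tables              15776   3
iptable_filter          2412   1
"""

# Rule actions whose protocol opens secondary connections, with the
# conntrack helper they need and the extra NAT helper needed when the
# firewall masquerades (this example's mapping).
HELPERS = {"AllowFTP": ("ip_conntrack_ftp", "ip_nat_ftp")}


def required_modules(rules_text, doing_nat):
    """Ordered, de-duplicated list of modules implied by the rules file."""
    needed = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        helper = HELPERS.get(line.split()[0])
        if helper is None:
            continue
        for mod in helper[: 2 if doing_nat else 1]:
            if mod not in needed:
                needed.append(mod)
    return needed


def loaded_modules(lsmod_text):
    """Set of module names from lsmod output (first column, header dropped)."""
    lines = lsmod_text.splitlines()[1:]
    return {line.split()[0] for line in lines if line.strip()}


def missing_modules(rules_text, lsmod_text, doing_nat):
    loaded = loaded_modules(lsmod_text)
    return [m for m in required_modules(rules_text, doing_nat) if m not in loaded]


def modules_file_lines(rules_text, doing_nat):
    """Lines for /etc/shorewall/modules (assumed 'loadmodule <name>' syntax)."""
    return [f"loadmodule {m}" for m in required_modules(rules_text, doing_nat)]


if __name__ == "__main__":
    print("missing:", missing_modules(RULES_TEXT, LSMOD_TEXT, doing_nat=True))
    print("\n".join(modules_file_lines(RULES_TEXT, doing_nat=True)))
```

With the constructed lsmod sample the check reports both FTP helpers missing, which is the state Edward found before running modprobe by hand; once the modules file carries the two loadmodule lines, a restart loads them without manual intervention.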
snip

> > my rules file
> > AllowSSH all fw
> > AllowDNS all net:10.1.1.159,10.1.1.160
> > AllowFTP loc net
> > AllowWeb loc net
> > AllowPOP3 loc net
> > AllowSMTP loc net:172.16.35.10,172.16.35.33
> > AllowSMB loc net:10.1.1.159,10.1.1.160
> >
> > my policy file
> > loc all DROP info
> > net all DROP info
> > all all REJECT info

snip

> In general for Microsoft networking to work, you need AllowSMB in both
> directions.
>
> Also, the last time I tested it logon to a domain didn't work through
> NAT -- I wouldn't think that this configuration would be doing NAT but
> you haven't said.

yes, shorewall is doing nat

ignoring that NAT may be a problem since you appear to be unsure about that, I tried doing

    AllowSMB    loc                         net:10.1.1.159,10.1.1.160
    AllowSMB    net:10.1.1.159,10.1.1.160   loc

That didn't work...

However if nat is the only issue, let me continue to pick your brain here for another second. Our network is basically a 10.1.x.x class B addressing scheme. Way back when we were static addressing machines, the 3rd octet we used to specify a building and the last was the machine within the building. So in general our workstations are getting DHCP assigned IP addresses from a server on the outside (net) side of this shorewall box. If I have the shorewall box assign a different range, but still 10.1.x.x numbers, I wouldn't have to do nat and still have the shorewall protection? For some reason I see a problem here... I guess my interfaces file would be helpful now...

interfaces

    net     eth0    detect
    loc     eth1    detect    dhcp

ifconfig

    eth0    inet addr:10.1.50.27    Bcast:10.1.255.255    Mask:255.255.0.0
    eth1    inet addr:192.168.50.1  Bcast:192.168.50.255  Mask:255.255.255.0

I'm thinking of changing eth1 to something like 10.1.250.1/24, but my loc network would be part of my net network. That won't work, correct? I'd have to do some thinking about my net/eth0 netmask to get this to work, correct?

Assuming I get that straight... right now our workstations are in a Novell/Windows Domain transition. I've asked about the Windows Domain part... Should I be able to do Novell thru the shorewall box?
Edward Chase wrote:

> interfaces
> net eth0 detect
> loc eth1 detect dhcp
>
> ifconfig
> eth0 inet addr:10.1.50.27 Bcast:10.1.255.255 Mask:255.255.0.0
> eth1 inet addr:192.168.50.1 Bcast:192.168.50.255 Mask:255.255.255.0
>
> I'm thinking changing eth1 to something like 10.1.250.1/24, but my loc
> network would be part of my net network. That won't work, correct? I'd
> have to do some thinking about my net/eth0 netmask to get this to work,
> correct?

There's no problem with that as far as Shorewall is concerned but your other routers would need to know that 10.1.250.0/24 is gatewayed through 10.1.50.27. While you could use proxy arp (set the proxyarp option on both interfaces in /etc/shorewall/interfaces), you would probably have problems with MS networking since the Shorewall box would still behave as a router and wouldn't pass broadcasts.

Another approach is to configure the Shorewall box as a bridge (http://shorewall.net/bridge.html) so that the systems in the tech room are just part of the 10.1.0.0 network. That requires patching Debian 2.4 kernels.

> Assuming I get that straight... right now our workstations are in a
> Novell/Windows Domain transition. I've asked about the Windows Domain
> part... Should I be able to do Novell thru the shorewall box?

I haven't a clue what you need for Novell -- you'll have to ask someone who can spell Novell.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net