Francesco Cabigliera - F.Imm. S.r.l. - wrote:

> Hi all!
> I have a VPN connection with FreeS/WAN and I use Shorewall (Mandrake MNF). The VPN works fine,
> but if the external client tries to connect using Oracle Client, it doesn't work.
> My Shorewall situation is:
>
> *ZONES
> lan     LAN     local_area_network
> dmz     DMZ     demilitarized_zone
> wan     NET     internet
> vpn     VPN     vpn-tunnel
>
> *POLICY
> wan     lan     ACCEPT
> lan     wan     ACCEPT
> all     vpn     ACCEPT  info
> vpn     all     ACCEPT  info
> lan     all     REJECT  info
> dmz     all     REJECT  info
> wan     all     DROP    info
> all     all     REJECT  info
> lan     lan     ACCEPT
>
> *RULES
> I've inserted the ports for the VPN connection and also these rules for Oracle Client (I think they're right):
> ACCEPT  lan:1.0.0.9   vpn           tcp   1024:65535
> ACCEPT  vpn:          lan:1.0.0.9   tcp   1024:65535
> DNAT    vpn           lan:1.0.0.9   tcp   1024:65535
> DNAT    vpn           lan:1.0.0.9   udp
> (note that 1.0.0.9 is my server in my LAN)
> but I don't get any results!
>
> The problem is: when the client tries to connect to my server, there's a first request from
> a high port to tcp 1521, and the response is from 1521 to the high port! If I monitor ipsec0
> with tcpdump I see the traffic for the request and response, but all the requests are in (DF).
>
> Could anyone give me some tips about this? Sorry for my English! :)

Does someone have the time today to help this fellow? It looks like he is adding more and more policies and rules when the problem is very likely not in Shorewall at all.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi all!
I have a VPN connection with FreeS/WAN and I use Shorewall (Mandrake MNF). The VPN works fine,
but if the external client tries to connect using Oracle Client, it doesn't work.
My Shorewall situation is:

*ZONES
lan     LAN     local_area_network
dmz     DMZ     demilitarized_zone
wan     NET     internet
vpn     VPN     vpn-tunnel

*POLICY
wan     lan     ACCEPT
lan     wan     ACCEPT
all     vpn     ACCEPT  info
vpn     all     ACCEPT  info
lan     all     REJECT  info
dmz     all     REJECT  info
wan     all     DROP    info
all     all     REJECT  info
lan     lan     ACCEPT

*RULES
I've inserted the ports for the VPN connection and also these rules for Oracle Client (I think they're right):
ACCEPT  lan:1.0.0.9   vpn           tcp   1024:65535
ACCEPT  vpn:          lan:1.0.0.9   tcp   1024:65535
DNAT    vpn           lan:1.0.0.9   tcp   1024:65535
DNAT    vpn           lan:1.0.0.9   udp
(note that 1.0.0.9 is my server in my LAN)
but I don't get any results!

The problem is: when the client tries to connect to my server, there's a first request from
a high port to tcp 1521, and the response is from 1521 to the high port! If I monitor ipsec0
with tcpdump I see the traffic for the request and response, but all the requests are in (DF).

Could anyone give me some tips about this? Sorry for my English! :)

Many thanks,
Francesco Cabigliera
On Tue, 2004-07-13 at 19:20 +0200, Francesco Cabigliera - F.Imm. S.r.l. - wrote:

> The problem is: when the client tries to connect to my server, there's a first request from
> a high port to tcp 1521, and the response is from 1521 to the high port! If I monitor ipsec0
> with tcpdump I see the traffic for the request and response, but all the requests are in (DF).

Don't worry about the high ports that you are seeing. That is standard TCP behavior: the client uses a random high port (also called an ephemeral port) from the 1024:65535 range and connects to the specified service port, 1521/tcp in your case.

If I'm understanding your setup correctly, the Oracle server is in the LAN zone and your 'external' client is in the VPN zone (external could also easily be taken to mean the Internet zone). Assuming that you do not need to perform NAT between the VPN and the internal network (not really a typical scenario in my experience), you should just need a rule like:

ACCEPT  vpn  lan:1.0.0.9  tcp  1521

in your rules file. You really don't want your policy for vpn->loc and loc->vpn to be ACCEPT. Otherwise, if your VPN is compromised, everything is fully exposed - definitely not best practice.

With the above rule, someone in the vpn zone can hit host 1.0.0.9 (are you really using this address space??) on port 1521/tcp. The high-port business is taken care of by iptables/netfilter.

--
David T Hollis <dhollis@davehollis.com>
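Putting David's advice into the two Shorewall files Francesco posted, as an added example that is not part of the thread: the zone names and the 1.0.0.9 server address are the ones from the original message; the rest is an editor's suggestion, not something either poster wrote. The policy file drops the blanket `all vpn ACCEPT` and `vpn all ACCEPT` entries so that nothing crosses the tunnel unless a rule names it, and the rules file replaces the four high-port ACCEPT/DNAT entries with the single 1521/tcp rule. The original `wan lan ACCEPT` policy deserves the same scrutiny, since it accepts any Internet-initiated connection into the LAN that no rule happens to reject; it is not carried over here.

```text
# /etc/shorewall/policy   (Shorewall 1.x/2.x columns; example, not from the thread)
#SOURCE   DEST    POLICY   LOG LEVEL
lan       wan     ACCEPT
lan       lan     ACCEPT
# No blanket ACCEPT in either direction across the tunnel: traffic to or from
# the vpn zone passes only when an entry in the rules file allows it.
vpn       all     REJECT   info
lan       all     REJECT   info
dmz       all     REJECT   info
wan       all     DROP     info
# Catch-all stays last; Shorewall applies the first policy entry that matches,
# so anything placed after "all all" is never reached.
all       all     REJECT   info

# /etc/shorewall/rules    (columns: ACTION SOURCE DEST PROTO DEST PORT(S))
#ACTION   SOURCE   DEST          PROTO   DEST PORT(S)
# Oracle listener on the LAN server, reachable from any VPN client.
# The client's source port is ephemeral (1024:65535). Netfilter connection
# tracking recognises the reply from 1521 back to that port as part of the
# same connection, so no 1024:65535 rule and no DNAT entry is required.
ACCEPT    vpn      lan:1.0.0.9   tcp     1521
```

Two things to check while testing this. The "(DF)" Francesco saw in tcpdump is only the IP Don't Fragment flag, which Linux sets on TCP segments for path-MTU discovery; it says nothing about whether the packet was allowed. Watching `tcpdump -ni ipsec0 tcp port 1521` while a client connects should show the SYN from the client's high port and, with the rule above in place, the SYN/ACK from 1521 going back out the same interface. If the listener handshake succeeds but the session still fails, confirm the database is not running in shared-server mode, where the listener redirects the client to a second, dynamically chosen port that a rule for 1521 alone will not cover.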