Hello,

I believe there may be a bug in shorewall version 2.0.8. I've been using shorewall for years without problems (last installed version was 1.4.6b-1). I've posted previously with the subject line "After upgrade people can no longer connect" dated on Sunday, September 19, 2004 which contains all the information for the upgrade.

Today I uninstalled shorewall 2.0.8:

    rpm -e shorewall-2.0.8-1

I deleted the directory and all contents in this directory:
/etc/shorewall

Reinstalled shorewall:

    rpm -ivh shorewall-2.0.8-1.noarch.rpm

Then set up a basic firewall with the following:

/etc/shorewall/interfaces
    net eth0 detect routefilter,blacklist
    net eth1 detect routefilter,blacklist
    net eth2 detect routefilter,blacklist

/etc/shorewall/policy
    fw  net  ACCEPT
    net all  DROP    info
    all all  REJECT  info

/etc/shorewall/routestopped
    eth0 64.140.165.128/27
    eth1 64.140.165.128/27
    eth2 64.140.165.128/27

/etc/shorewall/rules
    ACCEPT net fw tcp 80   # HTTP
    ACCEPT net fw tcp 443  # HTTPS
    ACCEPT net fw tcp 22   # SSH
    ACCEPT net fw tcp 25   # SMTP
    ACCEPT net fw tcp 465  # SMTP over SSL

/etc/shorewall/zones
    net Net Internet

Then deleted "startup_disabled" and everything else was left at their default settings.

Then I started shorewall:

    /etc/rc.d/init.d/shorewall start

And I'll be darn, the outside world is not able to connect to any services which I enabled via "rules" (can't connect to anything).

I've read everything in http://www.shorewall.net/upgrade_issues.htm for Version >= 1.4.6 to current release and I see nothing there that would cause this problem. When shorewall is disabled everything works fine so I can't see it is a network problem. Also everything worked fine in previous versions. So I can only assume there is something with this new version that is different, but I cannot pinpoint the problem.

Any help would be appreciated,

John
J and T wrote:
| Hello,
|
| I believe there may be a bug in shorewall version 2.0.8. I've been using
| shorewall for years without problems (last installed version was
| 1.4.6b-1).
[...]
| /etc/shorewall/interfaces
| net eth0 detect routefilter,blacklist
| net eth1 detect routefilter,blacklist
| net eth2 detect routefilter,blacklist
[...]
| And I'll be darn, the outside world is not able to connect to any
| services which I enabled via "rules" (can't connect to anything).
|

Try removing the 'routefilter' on each interface. That option was broken in the 1.4 version of Shorewall so it didn't do anything. Now it works and with your odd-ball setup, you don't want route filtering.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
That FIXED IT! I thought this was just an anti-spoofing measure, but I guess it does more than that.

Thanks a million,

John

> Try removing the 'routefilter' on each interface. That option was broken
> in the 1.4 version of Shorewall so it didn't do anything. Now it works
> and with your odd-ball setup, you don't want route filtering.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
J and T wrote:
| That FIXED IT! I thought this was just an anti-spoofing measure, but I
| guess it does more than that.
|

It is an anti-spoofing measure -- it rejects packets received on an interface when responses to those packets would not be routed back out of that same interface. How else could you try to detect source address spoofing???

From an earlier post, here's your routing table:

    192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
    64.140.165.128/27 dev eth2 scope link
    64.140.165.128/27 dev eth1 proto kernel scope link src 64.140.165.133
    64.140.165.128/27 dev eth2 proto kernel scope link src 64.140.165.134
    127.0.0.0/8 dev lo scope link
    default via 64.140.165.129 dev eth0

So any traffic received on eth1 and eth2 that isn't from 64.140.165.128/27 will be dropped. And if 'log_martians' isn't set on those interfaces, then dropping will be silent. And it occurs before netfilter ever sees the packets which is why I couldn't see anything wrong from looking at the included documentation.

As a final note, now that you are on Shorewall 2.0, you can replace your /etc/shorewall/start file with entries in /etc/shorewall/masq.

-Tom
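The check Tom describes is the kernel's strict reverse-path filter (rp_filter, which Shorewall's 'routefilter' option turns on): a packet is kept only if the route back to its source address leaves through the interface it arrived on. The following is an added example, not code from the thread or from Shorewall, that replays that decision over the routing table quoted above. The sample packets, the 203.0.113.10 client address (a documentation-range address) and the function names are constructed for the illustration; the tie-handling for the three identical /27 routes is a simplification noted in the code.

```python
import ipaddress

# Routing table quoted in the thread (output of `ip route` on John's firewall),
# embedded here as the sample input.
ROUTING_TABLE = """\
192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
64.140.165.128/27 dev eth2 scope link
64.140.165.128/27 dev eth1 proto kernel scope link src 64.140.165.133
64.140.165.128/27 dev eth2 proto kernel scope link src 64.140.165.134
127.0.0.0/8 dev lo scope link
default via 64.140.165.129 dev eth0
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare address such as 192.168.234.236 is a /32 host route.
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def reverse_path_devs(routes, src):
    """Interfaces a reply to `src` would leave through (longest-prefix match).

    Equal-length duplicate routes, like the three /27 entries above, are
    treated as a tie and all their devices are returned. A real kernel
    picks one of them by FIB order/metric, so this is a simplification.
    """
    addr = ipaddress.ip_address(src)
    best_len, devs = -1, set()
    for net, dev in routes:
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, devs = net.prefixlen, {dev}
        elif net.prefixlen == best_len:
            devs.add(dev)
    return devs


def rpf_verdict(routes, in_dev, src):
    """Strict reverse-path filter (rp_filter=1, Shorewall's 'routefilter').

    The packet passes only if the route back to its source address leaves
    through the interface it arrived on; otherwise the kernel discards it
    before netfilter ever sees it (silently unless log_martians is set).
    """
    return "ACCEPT" if in_dev in reverse_path_devs(routes, src) else "DROP"


ROUTES = parse_routes(ROUTING_TABLE)

# Constructed sample packets: (arrival interface, source address).
# 203.0.113.10 is a documentation-range address standing in for any Internet client.
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.10"),     # Internet client via the default route
    ("eth1", "203.0.113.10"),     # same client arriving on eth1
    ("eth2", "203.0.113.10"),     # same client arriving on eth2
    ("eth1", "64.140.165.130"),   # a host in the directly connected /27
    ("ppp0", "192.168.234.236"),  # the ppp peer
    ("eth1", "127.0.0.1"),        # loopback source on a real interface
]


def simulate(routes=ROUTES, packets=SAMPLE_PACKETS):
    """Return {(in_dev, src): verdict} for each sample packet."""
    return {(dev, src): rpf_verdict(routes, dev, src) for dev, src in packets}


if __name__ == "__main__":
    for (dev, src), verdict in simulate().items():
        print(f"{src:>16} in on {dev:<5} -> {verdict}")
```

Run as-is, the simulation reproduces the symptom John reported: any Internet client arriving on eth1 or eth2 is dropped, because the only route back to it is the default via eth0, while the same client on eth0 and hosts inside 64.140.165.128/27 pass. On a live box the equivalent settings are visible with `sysctl net.ipv4.conf.eth1.rp_filter` and `sysctl net.ipv4.conf.eth1.log_martians`; setting log_martians to 1 makes these silent drops show up in the kernel log, which is the first thing to turn on when a firewall appears to discard traffic that never reaches the netfilter rules. Later kernels also offer a loose mode (rp_filter=2) that only requires some route to the source to exist, which is the usual answer for multi-homed setups like this one.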