Problem:

"Firewall" machine cannot get DNS but is allowing DNS through internally.
Something changed with the configuration but we're not sure what. Here is
the pertinent info:

Shorewall Status Entries

Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=65.175.131.201 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP SPT=32973 DPT=53 LEN=35
Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=65.175.128.181 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP SPT=32973 DPT=53 LEN=35
Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=65.175.128.240 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP SPT=32973 DPT=53 LEN=35
Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=65.175.131.181 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=43
Oct 5 09:24:51 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=198.41.0.4 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=30
Oct 5 09:24:52 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=65.175.131.240 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=43

I'd like the above requests to be allowed but I've tried several different
rules and none of them work.

> shorewall version
1.4.9

> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:e9:1a:7a:03 brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.55/24 brd 10.1.10.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 08:00:09:fc:e4:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:b7:1a:f8:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.55/24 brd 192.168.7.255 scope global eth2

> ip route show
192.168.7.0/24 dev eth2 scope link
10.1.8.0/24 via 10.1.1.139 dev eth1
192.168.1.0/24 via 10.1.1.145 dev eth1
10.1.10.0/24 dev eth0 scope link
10.1.5.0/24 via 10.1.1.145 dev eth1
10.1.1.0/24 dev eth1 scope link
10.1.3.0/24 via 10.1.1.145 dev eth1
169.254.0.0/16 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.7.1 dev eth2

Rules

#ACTION      SOURCE               DEST   PROTO  DEST   SOURCE   ORIGINAL  RATE   USER
#                                               PORT   PORT(S)  DEST      LIMIT
ACCEPT       $FW                  net    udp    53     53
ACCEPT       $FW                  net    tcp    53     53
ACCEPT:info  net                  $FW    tcp    22     -
ACCEPT       net:66.63.101.52     $FW    TCP    5901
ACCEPT       net:65.175.131.197   $FW    tcp    5901   -
ACCEPT       net:65.175.182.37    $FW    TCP    3389
ACCEPT       loc                  $FW    all    -      -
ACCEPT       loc                  loc    tcp    -      -
ACCEPT       $FW                  loc    all    -      -
ACCEPT       loc                  all    icmp   -      -

Thanks for your help.

Garrett
Garrett Johnson wrote:
> Problem:
>
> "Firewall" machine cannot get DNS but is allowing DNS through internally.
> Something changed with the configuration but we're not sure what. Here is
> the pertinent info:
>
> Shorewall Status Entries
> Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55
> DST=65.175.131.201 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP
> SPT=32973 DPT=53 LEN=35
> Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55
> DST=65.175.128.181 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP
> SPT=32973 DPT=53 LEN=35
> Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55
> DST=65.175.128.240 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF PROTO=UDP
> SPT=32973 DPT=53 LEN=35
> Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55
> DST=65.175.131.181 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=32768 DPT=53 LEN=43
> Oct 5 09:24:51 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 DST=198.41.0.4
> LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=30
> Oct 5 09:24:52 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55
> DST=65.175.131.240 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=32768 DPT=53 LEN=43
>
> Rules
>
> #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER
> #                                 PORT   PORT(S)   DEST       LIMIT
> ACCEPT    $FW      net    udp     53     53
> ACCEPT    $FW      net    tcp     53     53

The above rules only admit DNS traffic *WITH SOURCE PORT = 53*. Remove the
entries in the SOURCE PORT(S) column.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Garrett Johnson wrote:
> Tom,
>
> Thanks for the response. That worked however I don't understand why it was
> working previously. This only started happening yesterday after a co-worker
> added a temporary port forward for remote control from home. We've been
> doing it in the past and everything worked fine. It's possible that
> something else changed but it looks just like it did before to my memory.
> Now I "have to" add a rule for every port that runs through the Squid proxy.
> Do I "have to" or can I tell shorewall that Squid is an ok application.

From your description, I have no idea what has happened.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Garrett Johnson" <garrettj@annalee.com>; "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, October 05, 2004 10:52 AM
Subject: Re: [Shorewall-users] Something Changed?

> Garrett Johnson wrote:
>> Tom,
>>
>> Thanks for the response. That worked however I don't understand why it was
>> working previously. This only started happening yesterday after a co-worker
>> added a temporary port forward for remote control from home. We've been
>> doing it in the past and everything worked fine. It's possible that
>> something else changed but it looks just like it did before to my memory.
>> Now I "have to" add a rule for every port that runs through the Squid proxy.
>> Do I "have to" or can I tell shorewall that Squid is an ok application.
>
> From your description, I have no idea what has happened.
>
> -Tom

Here is a guess at what happened: it was set up right at one time, you
changed it long ago and did not restart shorewall. Then when it was changed
the other day and restarted to cause the changes to take effect, the other
changes made long ago to break DNS also took effect. I have had something
similar happen to one of the boxes that I babysit (or computer-sit). Just a
thought about what happened. Take it for what it is worth.

--
 _
/-\ ndrew
Andrew Niemantsverdriet wrote:
> Here is a guess at what happened: it was set up right at one time, you
> changed it long ago and did not restart shorewall. Then when it was
> changed the other day and restarted to cause the changes to take effect,
> the other changes made long ago to break DNS also took effect. I have
> had something similar happen to one of the boxes that I babysit (or
> computer-sit). Just a thought about what happened. Take it for what it
> is worth.

Perhaps in the process, an ACCEPT fw->new policy got deleted?

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
>
>>> Here is a guess at what happened: it was set up right at one time, you
>>> changed it long ago and did not restart shorewall. Then when it was
>>> changed the other day and restarted to cause the changes to take effect,
>>> the other changes made long ago to break DNS also took effect. I have
>>> had something similar happen to one of the boxes that I babysit (or
>>> computer-sit). Just a thought about what happened. Take it for what it
>>> is worth.
>
> Perhaps in the process, an ACCEPT fw->new policy got deleted?

Grrr -- make that fw->net

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
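The two explanations in this thread (Tom's first reply, that a filled-in SOURCE PORT(S) column only matches queries sent from port 53, and his later guess that an ACCEPT fw->net policy used to catch those packets before they fell through to all2all) can both be checked by replaying the logged packets against a small model of the rules. The script below is an added example, not code from the Shorewall project or from anyone in the thread. The log lines, rule table and firewall addresses are copied from Garrett's post; the interface-to-zone mapping (eth2 = net, eth0/eth1 = loc) and the evaluation order (rules in file order, then the first matching zone-pair policy, then the all->all catch-all) are assumptions that simplify Shorewall's real compiler.

```python
"""Replay the rejected DNS packets from the thread against a simplified
model of Shorewall rule and policy evaluation. Added example; the
matching logic is a simplification, not Shorewall's own compiler."""
import re
from dataclasses import dataclass
from typing import Optional

# Two of the six REJECT entries from the original post (constructed list).
LOG_LINES = [
    "Oct 5 09:24:50 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 "
    "DST=65.175.131.201 LEN=55 TOS=0x00 PREC=0x00 TTL=64 ID=50982 DF "
    "PROTO=UDP SPT=32973 DPT=53 LEN=35",
    "Oct 5 09:24:51 all2all:REJECT:IN= OUT=eth2 SRC=192.168.7.55 "
    "DST=198.41.0.4 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=32768 DPT=53 LEN=30",
]

# The firewall's own addresses, from the `ip addr show` output in the post.
FW_ADDRESSES = {"10.1.10.55", "10.1.1.1", "192.168.7.55"}
# Assumption: eth2 (the default route) is the "net" zone, eth0/eth1 are "loc".
IFACE_ZONE = {"eth0": "loc", "eth1": "loc", "eth2": "net"}


@dataclass
class Rule:
    """One line of the rules file; $FW is spelled "fw" here, None means 'any'."""
    action: str
    src: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None   # DEST PORT column
    sport: Optional[int] = None   # SOURCE PORT(S) column


def parse_netfilter_log(line):
    """Extract the KEY=VALUE fields of a netfilter/Shorewall log entry."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].lower(),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def zone_of(addr, iface):
    """Assumption: the firewall's own addresses are zone fw; anything else
    belongs to the zone of the interface it enters or leaves on."""
    if addr in FW_ADDRESSES:
        return "fw"
    return IFACE_ZONE.get(iface, "unknown")


def rule_matches(rule, pkt, src_zone, dst_zone):
    if (rule.src, rule.dst) != (src_zone, dst_zone):
        return False
    if rule.proto not in (None, "all") and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    # The check that bit Garrett: a filled-in SOURCE PORT(S) column only
    # matches queries that happen to be *sent from* port 53.
    if rule.sport is not None and rule.sport != pkt["sport"]:
        return False
    return True


def evaluate(pkt, rules, policies):
    """Return (verdict, reason) for one parsed packet."""
    src_zone = zone_of(pkt["src"], pkt["in"])
    dst_zone = zone_of(pkt["dst"], pkt["out"])
    for rule in rules:
        if rule_matches(rule, pkt, src_zone, dst_zone):
            return rule.action, f"rule {rule}"
    for (src, dst), action in policies:  # first match wins, as in the policy file
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, f"policy {src}->{dst}"
    return "DROP", "no policy matched"


def verdicts(rules, policies, lines=LOG_LINES):
    return [evaluate(parse_netfilter_log(line), rules, policies)[0] for line in lines]


# The two DNS rules exactly as posted (SOURCE PORT(S) column filled in).
POSTED_RULES = [Rule("ACCEPT", "fw", "net", "udp", 53, 53),
                Rule("ACCEPT", "fw", "net", "tcp", 53, 53)]
# Tom's fix: drop the SOURCE PORT(S) entries.
FIXED_RULES = [Rule("ACCEPT", "fw", "net", "udp", 53),
               Rule("ACCEPT", "fw", "net", "tcp", 53)]
# "all2all" in the log means only the catch-all policy saw these packets.
CATCH_ALL_ONLY = [(("all", "all"), "REJECT")]
# Tom's later guess: an fw->net ACCEPT policy that used to sit above it.
WITH_FW_NET_POLICY = [(("fw", "net"), "ACCEPT"), (("all", "all"), "REJECT")]

if __name__ == "__main__":
    for name, rules, pol in [("posted", POSTED_RULES, CATCH_ALL_ONLY),
                             ("fixed", FIXED_RULES, CATCH_ALL_ONLY),
                             ("posted + fw->net policy", POSTED_RULES, WITH_FW_NET_POLICY)]:
        print(name, verdicts(rules, pol))
```

Run as-is it prints REJECT for both packets under the posted rules, ACCEPT under the fixed rules, and ACCEPT under the posted rules once an fw->net ACCEPT policy is present, which is why the same rules file could have worked before a policy line disappeared.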
On Tue, 2004-10-05 at 09:52 -0700, Tom Eastep wrote:
> Garrett Johnson wrote:
> > Tom,
> >
> > Thanks for the response. That worked however I don't understand why it was
> > working previously. This only started happening yesterday after a co-worker
> > added a temporary port forward for remote control from home. We've been
> > doing it in the past and everything worked fine. It's possible that
> > something else changed but it looks just like it did before to my memory.
> > Now I "have to" add a rule for every port that runs through the Squid proxy.
> > Do I "have to" or can I tell shorewall that Squid is an ok application.

If you happen to use version control (cvs, subversion) software for your
Shorewall configs, you'd be able to tell when those entries were added and
by whom.

--
David Hollis <dhollis@davehollis.com>