Hi,

Summary of problem: Local mail on the firewall stopped working after installing shorewall.

Background: yesterday I installed shorewall, based on the debian package from www.backports.org (which seems to be a 2.0.3 package), on an otherwise virgin debian woody set up. Configuration was done based on the two-interface setup. Kernel is 2.6.8.1 unpatched. A 2.4.23 kernel, with an ipchains config, works.

After a while, I started missing the regular logcheck messages. It turned out that any mail originating on the firewall and directed to a local-to-the-firewall address was rejected with a "Connection refused" message.

The relevant rules for SMTP:

    #
    # SMTP
    ACCEPT   loc   fw    tcp   25
    ACCEPT   loc   fw    tcp   465
    ACCEPT   loc   net   tcp   25
    ACCEPT   loc   net   tcp   465
    ACCEPT   net   fw    tcp   25
    ACCEPT   net   fw    tcp   465
    ACCEPT   fw    fw    tcp   25
    ACCEPT   fw    fw    tcp   465
    ACCEPT   all   all   tcp   25
    ACCEPT   all   all   tcp   465

(Yes.. probably overdid it there.. suggestions for a good trim are welcome)

Possibly relevant sendmail message:

    Oct 5 22:02:05 dibbler sendmail[13122]: i95K25xA013122: to=timt, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30057, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

And the section of the syslog:

    Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=32819 DPT=587 WINDOW=32767 RES=0x00 SYN URGP=0
    Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=32819 DPT=587 WINDOW=32767 RES=0x00 SYN URGP=0
    Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00

Other relevant log entries:

    Oct 5 22:02:06 dibbler tcplogd: smtp connection attempt from localhost [127.0.0.1]

Since dibbler is the firewall, something is listening:

    Oct 5 22:02:23 dibbler sm-mta[13127]: i95K26EM013127: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

But it is not getting what it expects. What am I missing here?

(and a possibly related question: Does shorewall block all ident/auth access by default?)

Thanks for any tips and pointers,

Tim T.
claas@rootdir.de wrote:
> ...
>> And the section of the syslog
>>
>> Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo
>> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF
>> PROTO=TCP SPT=32819 DPT=587 WINDOW=32767 RES=0x00 SYN URGP=0
>> Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo
>> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF
>> PROTO=TCP SPT=32819 DPT=587 WINDOW=32767 RES=0x00 SYN URGP=0
>
> DPT = destination port = 587
> tcp port 587 has nothing to do with your mail rules.
>
> choose if you want to open port 587 or if you want to block it.
> that's what you have the firewall for :)
> Besides I don't know what that port is for.

From my /etc/services:

    submission      587/tcp         msa             # mail message submission
    submission      587/udp         msa             # mail message submission

This should always be allowed on the loopback interface for local mail submission. Something's funny with your configuration if you're blocking traffic on lo. Have you specified it in your interfaces file? I don't think that is recommended. There shouldn't be any good reason to firewall lo.

> ...
>> What am I missing here ?
>> (and a possibly related question: Does shorewall block all ident/auth
>> access by default ? )

That is not the problem here as far as I can tell from the info you've provided.

> i don't know, auth is tcp port 113, just open it.

Conventional wisdom is to REJECT, not ACCEPT, ident traffic. It is useless except in a trusted environment, so there's no point responding to it.

-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
Tom Eastep
2004-Oct-06 23:08 UTC
Re: Re: Problem with local email after shorewall installation
Paul Gear wrote:
> From my /etc/services:
>
> submission      587/tcp         msa             # mail message submission
> submission      587/udp         msa             # mail message submission
>
> This should always be allowed on the loopback interface for local mail
> submission. Something's funny with your configuration if you're
> blocking traffic on lo. Have you specified it in your interfaces
> file? I don't think that is recommended. There shouldn't be any good
> reason to firewall lo.

Agreed -- 99% of people who try to firewall fw->fw traffic manage to shoot themselves in the foot. We can add this OP to the list...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tim T.
2004-Oct-07 05:16 UTC
Re: Re: Problem with local email after shorewall installation
On Wed, 06 Oct 2004 16:08:40 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Paul Gear wrote:
>
>> From my /etc/services:
>>
>> submission      587/tcp         msa             # mail message submission
>> submission      587/udp         msa             # mail message submission
>>
>> This should always be allowed on the loopback interface for local mail
>> submission. Something's funny with your configuration if you're
>> blocking traffic on lo. Have you specified it in your interfaces
>> file? I don't think that is recommended. There shouldn't be any good
>> reason to firewall lo.
>
> Agreed -- 99% of people who try to firewall fw->fw traffic manage to
> shoot themselves in the foot. We can add this OP to the list...

I'm certain (can't check, I'm 100 km away from the box) that I
- Don't have lo in the interface list
- Am not filtering any traffic on the firewall itself..

Hmm.. I'll try and explicitly open port 587. If that doesn't work, it's back to a clean install I guess..

Are there any known issues with the 2.6.8.1 kernel that might affect this problem?

TimT

> -Tom
Alex Martin
2004-Oct-07 05:48 UTC
Re: Re: Problem with local email after shorewall installation
<snip hack cut>
> I'm certain (can't check, I'm 100 km away from the box) that I
> - Don't have lo in the interface list
> - Am not filtering any traffic on the firewall itself..
>
> Hmm.. I'll try and explicitly open port 587. If that doesn't work,
> it's back to a clean install I guess..
>

Ummm.. if you can change rules and restart the firewall, you CAN check if lo is in the interface list.

I think you should post your config as in http://www.shorewall.net/support.htm; I bet a trained eye can spot your misconfiguration.

Also, it is not the best method to 'just try stuff', like opening random ports that are not understood, at least in the realm of security....

Again, post your config as in http://www.shorewall.net/support.htm and I bet it can be cleared up without a clean install.

Alex Martin
http://www.rettc.com
Tom Eastep
2004-Oct-07 15:06 UTC
Re: Re: Problem with local email after shorewall installation
Tim T. wrote:
> On Wed, 06 Oct 2004 16:08:40 -0700, Tom Eastep <teastep@shorewall.net> wrote:
>> Paul Gear wrote:
>>
>>> From my /etc/services:
>>>
>>> submission      587/tcp         msa             # mail message submission
>>> submission      587/udp         msa             # mail message submission
>>>
>>> This should always be allowed on the loopback interface for local mail
>>> submission. Something's funny with your configuration if you're
>>> blocking traffic on lo. Have you specified it in your interfaces
>>> file? I don't think that is recommended. There shouldn't be any good
>>> reason to firewall lo.
>>
>> Agreed -- 99% of people who try to firewall fw->fw traffic manage to
>> shoot themselves in the foot. We can add this OP to the list...
>
> I'm certain (can't check, I'm 100 km away from the box) that I
> - Don't have lo in the interface list
> - Am not filtering any traffic on the firewall itself..

You have fw->fw Rules!!!!

From your original post:

> ACCEPT fw fw tcp 25
> ACCEPT fw fw tcp 465

So the ONLY traffic that will go from localhost->localhost is tcp 25 and 465 (I assume that you don't have a fw->fw policy so the default all->all applies).

Remove those rules and all will be well.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Guilsson
2004-Oct-07 15:15 UTC
Re: Re: Problem with local email after shorewall installation
>>> I'm certain (can't check, I'm 100 km away from the box) that I
>>> - Don't have lo in the interface list
>>> - Am not filtering any traffic on the firewall itself..
>
> You have fw->fw Rules!!!!
>
> From your original post:
>
>> ACCEPT fw fw tcp 25
>> ACCEPT fw fw tcp 465
>
> So the ONLY traffic that will go from localhost->localhost is tcp 25 and
> 465 (I assume that you don't have a fw->fw policy so the default
> all->all applies).
>
> Remove those rules and all will be well.
>
> -Tom

In which situations do I need to have rules like fw <-> fw, net <-> net, etc.? Any links?

Thanks
[Guilsson]
Tom Eastep
2004-Oct-07 15:43 UTC
Re: Re: Problem with local email after shorewall installation
Guilsson wrote:
>>>> I'm certain (can't check, I'm 100 km away from the box) that I
>>>> - Don't have lo in the interface list
>>>> - Am not filtering any traffic on the firewall itself..
>>
>> You have fw->fw Rules!!!!
>>
>> From your original post:
>>
>>> ACCEPT fw fw tcp 25
>>> ACCEPT fw fw tcp 465
>>
>> So the ONLY traffic that will go from localhost->localhost is tcp 25 and
>> 465 (I assume that you don't have a fw->fw policy so the default
>> all->all applies).
>>
>> Remove those rules and all will be well.
>>
>> -Tom
>
> In which situations do I need to have rules like fw <-> fw, net <-> net, etc.?
> Any links?

The *ONLY* case that I can think of for fw->fw is if you want to redirect certain local users' browsers to a Proxy -- that is why I implemented the ability for fw->fw rules. A user wanted to police his children's browsing so had something like:

    REDIRECT   fw    3128   tcp   80   -   -   :kids
    ACCEPT     fw    net    tcp   80

Note that it is NOT necessary to define the 'lo' interface in /etc/shorewall/interfaces in order to have fw->fw rules; you simply need Shorewall 2.0.0 or later.

Remember that like all intra-zone traffic, fw->fw is automatically ACCEPTED until you add your first intra-zone rule; then traffic that doesn't match the rule(s) is governed by the applicable policy, just like any other traffic.

For all other cases, see http://shorewall.net/Multiple_Zones.html ("Routing on One Interface").

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
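As an added example (not from the thread and not Shorewall's own code), the following Python models the intra-zone behaviour Tom describes in this reply and the previous one, and checks it against the kernel log lines from the original post: it pulls the REJECTed loopback destination ports out of the Shorewall log entries, then evaluates fw->fw traffic to those ports once with the poster's rules table and once with the two fw->fw rules removed. The policy table, and the treatment of a plain `all` in a rule as not covering intra-zone pairs, are assumptions, since the post shows neither.

```python
import re
from collections import Counter
# Rules table from the original post, as (action, source, dest, proto, dport).
ORIGINAL_RULES = [
    ("ACCEPT", "loc", "fw", "tcp", 25), ("ACCEPT", "loc", "fw", "tcp", 465),
    ("ACCEPT", "loc", "net", "tcp", 25), ("ACCEPT", "loc", "net", "tcp", 465),
    ("ACCEPT", "net", "fw", "tcp", 25), ("ACCEPT", "net", "fw", "tcp", 465),
    ("ACCEPT", "fw", "fw", "tcp", 25), ("ACCEPT", "fw", "fw", "tcp", 465),
    ("ACCEPT", "all", "all", "tcp", 25), ("ACCEPT", "all", "all", "tcp", 465),
]
# Assumed policy file (the post does not show it); all->all REJECT backs the all2all chain.
POLICIES = [("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]
# Kernel log lines copied from the post; the third one is truncated exactly as posted.
_FULL = ("Oct 5 22:02:05 dibbler kernel: Shorewall:all2all:REJECT:IN= OUT=lo "
         "SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF "
         "PROTO=TCP SPT=32819 DPT=587 WINDOW=32767 RES=0x00 SYN URGP=0")
SAMPLE_LOG = [_FULL, _FULL, _FULL.split(" PREC=")[0]]
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>\w+):IN=\S* OUT=(?P<out>\S*)"
                    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

def rejected_lo_ports(log_lines):
    """Count REJECTed connections leaving via lo, keyed by (chain, proto, dport)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)  # truncated lines without PROTO/DPT are skipped
        if m and m["out"] == "lo" and m["disp"] == "REJECT":
            hits[(m["chain"], m["proto"].lower(), int(m["dpt"]))] += 1
    return hits

def decide(src, dst, proto, dport, rules=ORIGINAL_RULES, policies=POLICIES):
    """Intra-zone semantics as described in the thread: src->src traffic is ACCEPTed
    implicitly only while no rule names that zone pair; after that, traffic matching no
    rule falls to the policy. Assumption: a plain 'all' does not cover intra-zone pairs."""
    def z(col, zone):
        return col == zone or (col == "all" and src != dst)
    if src == dst and not any(r[1] == src and r[2] == dst for r in rules):
        return "ACCEPT (implicit intra-zone)"
    for action, rs, rd, rp, rport in rules:
        if z(rs, src) and z(rd, dst) and rp == proto and rport == dport:
            return action
    for ps, pd, action in policies:
        if ps in ("all", src) and pd in ("all", dst):
            return f"{action} (policy {ps}->{pd})"
    return "DROP (no matching policy)"

def diagnose(log_lines, rules=ORIGINAL_RULES):
    """Per rejected loopback port: verdict as configured vs. with the fw->fw rules removed."""
    trimmed = [r for r in rules if not (r[1] == r[2] == "fw")]
    return {dport: (decide("fw", "fw", proto, dport, rules), decide("fw", "fw", proto, dport, trimmed))
            for (_, proto, dport) in rejected_lo_ports(log_lines)}
```

Running `diagnose(SAMPLE_LOG)` reports port 587 as rejected by the all->all policy with the rules as posted, and implicitly accepted once the two fw->fw rules are gone, which is the fix Tom gives.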
Tim T.
2004-Oct-07 17:08 UTC
Re: Re: Problem with local email after shorewall installation
First off, thanks everyone for all the input so far..

If I understand it, having an explicit accept route on the firewall will turn on filtering for all fw->fw traffic. That's something I'll have to look into. Unfortunately, I don't have physical access to the box right now, so any exploration and further experimentation will have to wait till the weekend.

Thanks !

TimT.
Tom Eastep
2004-Oct-07 17:18 UTC
Re: Re: Problem with local email after shorewall installation
Tim T. wrote:
> First off, thanks everyone for all the input so far.. If I understand
> it, having an explicit
> accept route on the firewall will turn on filtering for all fw->fw
> traffic.

It's a *rule*, not a *route*. Note that this is the case with *ANY* zone -- not just $FW (fw).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key