Hi Folks!

I'm new to shorewall (in the process of switching from Bastille), and I have a question as to how to address using Bluetooth enabled Palms with a BT dongle on a linux box protected by shorewall.

Basically I followed the directions located at http://www.metacon.ca/bcs/view.php?page=bluetooth to get things working strictly with iptables, specifically:

    echo '1' > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i ppp0 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Now, what happens is when you connect from the Palm to the linux box, a ppp0 DUN session is started, and then the routing happens to eth0, which is behind a hardware firewall (SMC Barricade). Here is my dun file.

/etc/ppp/peers/dun

    # debug
    57600
    noipdefault
    proxyarp
    # IP address of PC : IP address to be assigned to Palm
    192.168.0.1:192.168.0.2
    # My DNS server
    ms-dns 127.0.0.1
    ktune
    noauth
    local
    nodefaultroute
    noipx

How would those iptables commands be represented in Shorewall? I haven't found anything like this, since most of the wireless docs are based on WiFi, and I'm not using that. My Shorewall files are the stock Debian, since this is the first thing I want to get working as I learn about Shorewall. This might be something to add to the FAQ also.

Thanks for your time!

/Mike
Michael Brown wrote:
> [...]
> How would those iptables commands be represented in Shorewall? I
> haven't found anything like this, since most of the wireless docs are
> based on WiFi, and I'm not using that. My Shorewall files are the stock
> Debian, since this is the first thing I want to get working as I learn
> about Shorewall. This might be something to add to the FAQ also.

I don't think it needs any special treatment since it is just a two-interface firewall where the local interface is ppp+; see http://shorewall.net/two-interface.htm.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I don't think it needs any special treatment since it is just a
> two-interface firewall where the local interface is ppp+; see
> http://shorewall.net/two-interface.htm.

The only 'gotcha' that I can think of is that you will need to specify the local subnet (which appears to be 192.168.0.0/24) in the SUBNET column of your /etc/shorewall/masq entry rather than ppp+ (or ppp0 if there is only ever one ppp device active at a time) because it is likely that the ppp connection will not be active when you start Shorewall.

-Tom
Hi Tom!

Yep, it wouldn't work with ppp0 in the masq file. It just barfed when trying to start up, since the BT adapter wasn't in use. I put

    eth0 192.168.0.1
    eth0 192.168.0.2

into the masq file, just so I masq'd only the addresses I needed.

The switch to shorewall went a lot easier than I expected. I do have one little problem though... Because I'm behind a SMC Barricade (like a Linksys cable router) I'm on 192.168.2 address space (but the linux box is hard coded). Now my problem is that it's treating loc as net, and I need to have identical rules on both. Is there a way to treat certain local hosts differently than my SMC router (192.168.2.1)? I'm running shorewall on a small home server, and I don't want some services to be visible to the router.

Thanks for your time, and a great firewall solution!

/Mike

Tom Eastep wrote:
> The only 'gotcha' that I can think of is that you will need to specify
> the local subnet (which appears to be 192.168.0.0/24) in the SUBNET
> column of your /etc/shorewall/masq entry rather than ppp+ (or ppp0 if
> there is only ever one ppp device active at a time) because it is likely
> that the ppp connection will not be active when you start Shorewall.
Michael Brown wrote:
> [...] Now my problem is that it's treating loc as net, and I
> need to have identical rules on both. Is there a way to treat certain
> local hosts differently than my SMC router (192.168.2.1)? I'm running
> shorewall on a small home server, and I don't want some services to be
> visible to the router.

You can nest the 'net' and 'loc' zones in a way similar to what is shown at http://shorewall.net/Multiple_Zones.html#OneArmed. In that case, the Shorewall box needed two IP addresses on its external interface -- in your case, it needs only one.

Another approach would be to turn your Shorewall box into a bridge/router but that would require two ethernet adapters in the box. It could act as a bridge between the SMC router and the local network and as a router for the Bluetooth Palm devices.

-Tom
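As an added example (not from the thread and not Shorewall's own documentation), here is one way the two-interface layout from Tom's first replies and the nested loc/net zones from this one could be laid out in Shorewall 2.x-era configuration files. The addresses come from the thread (192.168.0.0/24 on the Palm's PPP link, 192.168.2.0/24 behind the SMC router at 192.168.2.1); the trusted LAN hosts 192.168.2.10 and 192.168.2.11 are placeholders, and the column layouts are those of the Shorewall 2.x files, so check them against the documentation for the installed version before use.

```text
# /etc/shorewall/shorewall.conf (one setting; replaces "echo 1 > ip_forward")
IP_FORWARDING=On

# /etc/shorewall/zones
# "loc" is nested inside "net" on eth0, so it is listed first: Shorewall
# applies zone-to-zone rules in the order zones appear here (assumed from
# the nested-zone documentation; verify for your version).
#ZONE   DISPLAY   COMMENTS
loc     Local     Palm over Bluetooth DUN plus trusted LAN hosts
net     Net       SMC router (192.168.2.1) and everything beyond it

# /etc/shorewall/interfaces
# eth0 as a whole is "net"; ppp+ (any ppp device, so it need not exist at
# start time) is "loc".
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     ppp+        -

# /etc/shorewall/hosts
# Only these eth0 hosts are promoted into "loc"; the router stays in "net".
# 192.168.2.10 and 192.168.2.11 are placeholder addresses.
#ZONE   HOST(S)              OPTIONS
loc     eth0:192.168.2.10
loc     eth0:192.168.2.11

# /etc/shorewall/masq
# Subnet in the SUBNET column, not ppp+, because the ppp link is usually
# down when Shorewall starts (the "gotcha" above).
#INTERFACE   SUBNET           ADDRESS
eth0         192.168.0.0/24

# /etc/shorewall/policy
# net -> anything is dropped, so services on the firewall are invisible to
# the router; loc gets explicit rules below.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        all    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# The Palm is handed ms-dns 127.0.0.1, so DNS to the firewall must be open
# from loc; ssh is likewise reachable from loc only.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      fw     udp     53
ACCEPT    loc      fw     tcp     53
ACCEPT    loc      fw     tcp     22
```

The hosts file is where the separation Mike asked for happens: any eth0 address not listed there, including the SMC router, is matched only by the broader "net" zone and therefore hits the net DROP policy, while the listed hosts and the ppp+ side are matched by "loc" first. After editing, `shorewall check` will report column or zone-ordering mistakes before `shorewall restart` applies them.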
Thanks Tom! That worked nicely! You might want to add that to the FAQ's "Running shorewall behind a broadband firewall/router appliance".

Much appreciated! I'll be playing some more with this in the near future. Bastille was great while I was learning, but shorewall is much more flexible and "controllable".

Have a great weekend!

/Mike

Tom Eastep wrote:
> You can nest the 'net' and 'loc' zones in a way similar to what is shown
> at http://shorewall.net/Multiple_Zones.html#OneArmed. In that case, the
> Shorewall box needed two IP addresses on its external interface -- in
> your case, it needs only one.
>
> Another approach would be to turn your Shorewall box into a
> bridge/router but that would require two ethernet adapters in the box.
> It could act as a bridge between the SMC router and the local network
> and as a router for the Bluetooth Palm devices.
Michael Brown wrote:
> Thanks Tom! That worked nicely! You might want to add that to the
> FAQ's "Running shorewall behind a broadband firewall/router appliance".

The QuickStart Guides Introduction page (http://shorewall.net/shorewall_quickstart_guide.htm) advocates a bridge for such cases and provides a link to the appropriate documentation (which unfortunately has been broken :-( ). I think that a bridge behind a NAT router is a much more sensible solution than a NAT router/firewall behind a NAT router (which is what you have), although I have yet to find the time to write a cookbook for bridges on the same level as the other quickstart guides.

-Tom