Christian Joensson
2004-Nov-09 10:10 UTC
How do I control shorewall when src and dst ports are different? [Or, sunrpc problems]
Hello.

Trying to get shorewall to do what I want it to do and also not to do what I don't, I have the following example which I'd like to ask about.

I get this log message:

Nov 9 11:06:36 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:c0:4f:60:b3:e5:08:00:20:b0:92:c1:08:00 SRC=192.168.1.59 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=942 DPT=111 LEN=64

Now, what rule should I put into rules in order to not have this happening? I do have this in right now, maybe a bit too risky, do you think?

ACCEPT net all tcp 111
ACCEPT net all udp 111

BTW, I'm using shorewall 2.0.10, the rpm one :)

TIA,

/ChJ
Jeff
2004-Nov-09 11:13 UTC
Re: How do I control shorewall when src and dst ports are different? [Or, sunrpc problems]
Hey Christian;

In order to use this (or any other) packet filtering system efficiently you are going to need to learn how to read the logs. (Insert documentation plug here) ;-)

Seriously, I think Tom has a good page on how to read them, but let's use your example for the moment.

First off we see a REJECT message received on the eth1 interface. Secondly we see the SRC as 192.168.1.59, so that tells those of us with experience reading shorewall logs that you have a machine on the second NIC in your firewall that was trying to send a packet to the firewall at 192.168.1.1 and it was NOT allowed because of the last REJECT policy (the last part I am assuming).

Now the rule that you have created (below) would allow both TCP and UDP packets going to destination port 111 coming from any IP on the Internet to all zones. I don't believe this is what you want.

Assuming you are trying to connect to your firewall using port 111 (are you running NFS/NIS services on your firewall?) you would need to change your rule like so...

ACCEPT loc fw tcp 111
ACCEPT loc fw udp 111

Assuming you have a machine on your local network that is trying to connect using NIS services to a machine (or machines) running in another zone protected by your firewall, then the rule(s) get a bit more complicated.

If you can share what you are trying to accomplish with us further, I know someone on this list can probably help. (If you're lucky it might even be Tom)

HTH
Jeff

----- Original Message -----
From: "Christian Joensson" <c.christian.joensson@comhem.se>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 09, 2004 5:10 AM
Subject: [Shorewall-users] How do I control shorewall when src and dst ports are different? [Or, sunrpc problems]

> Hello.
>
> Trying to get shorewall to do what I want it to do and also not to do
> what I don't, I have the following example which I'd like to ask about.
>
> I get this log message:
>
> Nov 9 11:06:36 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:c0:4f:60:b3:e5:08:00:20:b0:92:c1:08:00 SRC=192.168.1.59
> DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=942 DPT=111 LEN=64
>
> Now, what rule should I put into rules in order to not have this
> happening? I do have this in right now, maybe a bit too risky, do you
> think?
>
> ACCEPT net all tcp 111
> ACCEPT net all udp 111
>
> BTW, I'm using shorewall 2.0.10, the rpm one :)
>
> TIA,
>
> /ChJ
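A small helper that reads a Shorewall log line the way Jeff walks through it above: it splits off the chain and disposition from the "Shorewall:chain:disposition:" prefix, picks up the netfilter KEY=VALUE fields, and infers the zone pair from IN/OUT (an empty OUT means the packet was addressed to the firewall itself). This is an added example, not code from the thread or from Shorewall; the IFACE_ZONE mapping is an assumption, and the sample input is the log line from the original post.

```python
import re

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by
# netfilter KEY=VALUE fields (and bare flags such as DF, which carry no "=").
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Assumed interface-to-zone mapping for this example; the thread only tells
# us that eth1 carries the 192.168.1.0/24 'loc' network.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}

def parse_shorewall_log(line):
    """Return a dict describing what the firewall did with the packet."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(FIELD_RE.findall(line[m.end():]))
    # IN set and OUT empty: packet was for the firewall ('fw' zone).
    # Both set: packet was being forwarded between two zones.
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src_zone": IFACE_ZONE.get(in_if, "?") if in_if else "fw",
        "dst_zone": IFACE_ZONE.get(out_if, "?") if out_if else "fw",
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }

def suggest_rule(info):
    """Narrowest rules-file line that would have matched this packet:
    source zone, destination zone, protocol and destination port only.
    The ephemeral source port (SPT=942 here) is not something to match on."""
    return "ACCEPT %s %s %s %s" % (info["src_zone"], info["dst_zone"],
                                   info["proto"], info["dport"])

# Constructed sample: the log line quoted in the original post.
SAMPLE = ("Nov 9 11:06:36 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
          "MAC=00:c0:4f:60:b3:e5:08:00:20:b0:92:c1:08:00 SRC=192.168.1.59 "
          "DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
          "PROTO=UDP SPT=942 DPT=111 LEN=64")

if __name__ == "__main__":
    info = parse_shorewall_log(SAMPLE)
    print(info)
    print(suggest_rule(info))
```

For the sample line the suggested rule comes out as "ACCEPT loc fw udp 111", the loc-to-firewall form Jeff proposes rather than the net-to-all version in the original post.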
Christian Joensson
2004-Nov-09 11:41 UTC
Re: How do I control shorewall when src and dst ports are different? [Or, sunrpc problems]
On Tue, Nov 09, 2004 at 06:13:36AM -0500, Jeff wrote:
> Hey Christian;
>
> In order to use this (or any other) packet filtering system efficiently you
> are going to need to learn how to read the logs. (Insert documentation plug
> here) ;-)
>
> Seriously I think Tom has a good page on how to read them but let's use your
> example for the moment.
>
> First off we see a REJECT message received on the eth1 interface.
> Secondly we see the SRC as 192.168.1.59 so that tells those of us with
> experience reading shorewall logs that you have a machine on the second NIC
> in your firewall that was trying to send a packet to the firewall at
> 192.168.1.1 and it was NOT allowed because of the last REJECT policy (the
> last part I am assuming).

right, I assume.

> Now the rule that you have created (below) would allow both TCP and UDP
> packets going to destination port 111 coming from any IP on the Internet to
> all zones. I don't believe this is what you want.

correct.

> Assuming you are trying to connect to your firewall using port 111 (are you
> running NFS/NIS services on your firewall?) you would need to change your
> rule like so...
>
> ACCEPT loc fw tcp 111
> ACCEPT loc fw udp 111

yes.

> Assuming you have a machine on your local network that is trying to connect
> using NIS services to a machine (or machines) running in another zone
> protected by your firewall then the rule(s) get a bit more complicated.

yes.

> If you can share what you are trying to accomplish with us further I know
> someone on this list can probably help. (If you're lucky it might even be
> Tom)

ok, will take that separate then.

Cheers,

/ChJ