Shorewall users - Nov 2004 - How do I control shorewall when src and dst ports are different? [Or, sunrpc problems]

Hello.

Trying to get shorewall to do what I want it to do and also not to do 
what I don''t, I have the following example which I''d like to
ask about.

I get this log message:

Nov  9 11:06:36 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= 
MAC=00:c0:4f:60:b3:e5:08:00:20:b0:92:c1:08:00 SRC=192.168.1.59 
DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP 
SPT=942 DPT=111 LEN=64

Now, what rule should I put into rules in order to not have this 
happening? I do have this in right now, maybe a bit to risky, do you 
think?

ACCEPT          net             all     tcp     111
ACCEPT          net             all     udp     111


BTW, I''m using shorewall 2.0.10, the rpm one :)


TIA,

/ChJ

Hey Christian;

 In order to use this (or any other) packet filtering system efficiently you
are going to need to learn how to read the logs. (Insert documentation plug
here) ;-)

Seriously I think Tom has a good page on how to read them but let''s use
your
example for the moment.

First off we see a REJECT message received on the eth1 interface.
Secondly we see the SRC as 192.168.1.59  so that tells those of us with
experience reading shorewall logs that you have a machine on the second NIC
in your firewall that was trying to send a packet to the firewall at
192.168.1.1 and it was NOT allowed because of the last REJECT policy (the
last part I am assuming).

Now the rule that you have created (below) would allow both TCP and UDP
packets going to destination port 111 coming from any IP on the Internet to
all zones. I don''t believe this is what you want.

Assuming you are trying to connect to your firewall using port 111 (are you
running NFS/NIS services on your firewall?) you would need to change your
rule like so...

ACCEPT    loc    fw    tcp    111
ACCEPT    loc    fw   udp    111

Assuming you have a machine on your local network that is trying to connect
using NIS services to a machine (or machines) running in another zone
protected by your firewall then the rule(s) get a bit more complicated.

If you can share what you are trying to accomplish with us further I know
someone on this list can probably help. (If you''re lucky it might even
be
Tom)

HTH

Jeff

----- Original Message ----- 
From: "Christian Joensson" <c.christian.joensson@comhem.se>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, November 09, 2004 5:10 AM
Subject: [Shorewall-users] How do I control shorewall when src and dst
portsare different? [Or, sunrpc problems]

> Hello.
>
> Trying to get shorewall to do what I want it to do and also not to do
> what I don''t, I have the following example which I''d like
to ask about.
>
> I get this log message:
>
> Nov  9 11:06:36 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT>
MAC=00:c0:4f:60:b3:e5:08:00:20:b0:92:c1:08:00 SRC=192.168.1.59
> DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=942 DPT=111 LEN=64
>
> Now, what rule should I put into rules in order to not have this
> happening? I do have this in right now, maybe a bit to risky, do you
> think?
>
> ACCEPT          net             all     tcp     111
> ACCEPT          net             all     udp     111
>
>
> BTW, I''m using shorewall 2.0.10, the rpm one :)
>
>
> TIA,
>
> /ChJ
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Tue, Nov 09, 2004 at 06:13:36AM -0500, Jeff wrote:
> Hey Christian;
> 
>  In order to use this (or any other) packet filtering system efficiently
you
> are going to need to learn how to read the logs. (Insert documentation plug
> here) ;-)
> 
> Seriously I think Tom has a good page on how to read them but
let''s use your
> example for the moment.
> 
> First off we see a REJECT message received on the eth1 interface.
> Secondly we see the SRC as 192.168.1.59  so that tells those of us with
> experience reading shorewall logs that you have a machine on the second NIC
> in your firewall that was trying to send a packet to the firewall at
> 192.168.1.1 and it was NOT allowed because of the last REJECT policy (the
> last part I am assuming).
right, I assume.
> 
> Now the rule that you have created (below) would allow both TCP and UDP
> packets going to destination port 111 coming from any IP on the Internet to
> all zones. I don''t believe this is what you want.
correct.
 
> Assuming you are trying to connect to your firewall using port 111 (are you
> running NFS/NIS services on your firewall?) you would need to change your
> rule like so...
> 
> ACCEPT    loc    fw    tcp    111
> ACCEPT    loc    fw   udp    111
yes.
 
> Assuming you have a machine on your local network that is trying to connect
> using NIS services to a machine (or machines) running in another zone
> protected by your firewall then the rule(s) get a bit more complicated.
yes.
 
> If you can share what you are trying to accomplish with us further I know
> someone on this list can probably help. (If you''re lucky it might
even be
> Tom)
ok, will take that separate then.

Cheers,

/ChJ