thr3ads.net - Shorewall users - vpn-zone wide open [Dec 2004]

If this information is useful, please help other people find it:
Share via:

Northe, Juergen

2004-Dec-04 17:31 UTC

vpn-zone wide open

Hello!

I am using shorewall shorewall-2.0.11-1 on fedora core2 
(iptables-1.2.9-95.7). My box has 2 physical nic´s plus one virt. ipsec 
interface for a freeswan-vpn connection.

A few days ago, portsentry spit out a lot of connections from windows 
clients (port 135, 445). Ooops.

I review my shorewall settings but could not find a mistake. So I took a 
win-client and established a second connection to the internet and
used nmap to scan my linux-box. Wow ! My ipsec0 interface (vpn-zone) was 
wide open for everyone! If I shut down ipsec the ports accessible from 
the internet are closed.
I still can´t find the configuration error, so I need assistance.


Here are the relevant config-files:

------------------------------------------------------
* /etc/ipsec.conf
config setup
     interfaces=%defaultroute
...
------------------------------------------------------
* /etc/shorewall/interfaces
#ZONE    INTERFACE      BROADCAST       OPTIONS
loc      eth0           172.21.255.255
net      ppp0           -               norfc1918,tcpflags,routefilter
vpn      ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------
* /etc/shorewall/zones
net     Net             Internet
loc     Local           Local networks
vpn     VPN             VPN Users
------------------------------------------------------
* /etc/shorewall/policy
vpn             fw              ACCEPT
fw              vpn             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
loc             net             REJECT          info
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
------------------------------------------------------
* /etc/shorewall/rules
# No rule specified for vpn related connections because
# everything is declared in the policy-file
------------------------------------------------------
* /etc/shorewall/masq
#ppp0                   172.21.0.0/16
ipsec0          eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
------------------------------------------------------
* /etc/shorewall/start
# Stamp incoming vpn-clients the ip-address from the vpn-gateway:
run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j SNAT 
--to-source 172.21.6.6
------------------------------------------------------
* /etc/shorewall/tcrules
# Stamp incoming vpn-clients the ip-address from the vpn-gateway,part2:
1               ipsec0          172.21.0.0/16   all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------------------------------------------------------
* /etc/shorwall/shorewall.conf
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATELOGBURSTBLACKLIST_LOGLEVELLOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIRCONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILEFW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=no
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIXDISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
------------------------------------------------------




Where is the mistake ?



JN

Tom Eastep

2004-Dec-04 17:41 UTC

head link

Re: vpn-zone wide open

On Sat, 2004-12-04 at 18:31 +0100, Northe, Juergen
wrote:> Hello!
> 
> I am using shorewall shorewall-2.0.11-1 on fedora core2 
> (iptables-1.2.9-95.7). My box has 2 physical nic´s plus one virt. ipsec 
> interface for a freeswan-vpn connection.
> 
> A few days ago, portsentry spit out a lot of connections from windows 
> clients (port 135, 445). Ooops.
> 
> I review my shorewall settings but could not find a mistake. So I took a 
> win-client and established a second connection to the internet and
> used nmap to scan my linux-box. Wow ! My ipsec0 interface (vpn-zone) was 
> wide open for everyone!
I don''t understand what that means. Please explain what you are doing
with nmap and what you see.
> If I shut down ipsec the ports accessible from 
> the internet are closed.
> I still can´t find the configuration error, so I need assistance.
> 
> 
> Here are the relevant config-files:
Let''s see the output of "shorewall status". Since you
can''t find the
problem, it is likely that something you believe to be irrelevant is
causing it.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Northe, Juergen

2004-Dec-04 18:03 UTC

head link

Re: vpn-zone wide open

> Copy of post sent to the mailing list:
> 
> On Sat, 2004-12-04 at 18:31 +0100, Northe, Juergen wrote:
> 
>>Hello!
>>
>>I am using shorewall shorewall-2.0.11-1 on fedora core2 
>>(iptables-1.2.9-95.7). My box has 2 physical nic´s plus one virt. ipsec 
>>interface for a freeswan-vpn connection.
>>
>>A few days ago, portsentry spit out a lot of connections from windows 
>>clients (port 135, 445). Ooops.
>>
>>I review my shorewall settings but could not find a mistake. So I took a
>>win-client and established a second connection to the internet and
>>used nmap to scan my linux-box. Wow ! My ipsec0 interface (vpn-zone) was
>>wide open for everyone!
> 
> 
> I don''t understand what that means. Please explain what you are
doing
> with nmap and what you see.
> 
> 
>>If I shut down ipsec the ports accessible from 
>>the internet are closed.
>>I still can´t find the configuration error, so I need assistance.
>>
>>
>>Here are the relevant config-files:
> 
> 
> Let''s see the output of "shorewall status". Since you
can''t find the
> problem, it is likely that something you believe to be irrelevant is
> causing it.
> 
> -Tom
-- 
ok.
''shorewall status'' with vpn:

Counters reset Sat Dec  4 19:03:42 CET 2004

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0 
0.0.0.0/0
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID
   461 39111 eth0_in    all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
   815 33603 ppp0_in    all  --  ppp0   *       0.0.0.0/0 
0.0.0.0/0
     5   420 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0 
0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID
     0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 ipsec0_fwd  all  --  ipsec0 *       0.0.0.0/0 
0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0 
0.0.0.0/0
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID
     8   835 fw2net     all  --  *      ppp0    0.0.0.0/0 
0.0.0.0/0
   569  244K fw2loc     all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
     5   420 fw2vpn     all  --  *      ipsec0  0.0.0.0/0 
0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain Drop (1 references)
  pkts bytes target     prot opt in     out     source 
destination
   809 32832 RejectAuth  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   807 32752 dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   807 32752 dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   807 32752 DropSMB    all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   800 32408 DropUPnP   all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   800 32408 dropNotSyn  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   800 32408 DropDNSrep  all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain DropDNSrep (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:135
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:445
     1    48 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:135
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:139
     6   296 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:1900

Chain Reject (5 references)
  pkts bytes target     prot opt in     out     source 
destination
     4   916 RejectAuth  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     4   916 dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 RejectSMB  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 DropUPnP   all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 dropNotSyn  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 DropDNSrep  all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain RejectAuth (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     2    80 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:135
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:445
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:135
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:139
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:445

Chain all2all (4 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     4   916 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain dropBcast (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     4   916 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (6 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       80.238.212.245 
0.0.0.0/0
     0     0 DROP       all  --  *      *       210.139.171.135 
0.0.0.0/0
     0     0 DROP       all  --  *      *       81.41.198.188 
0.0.0.0/0
     0     0 DROP       all  --  *      *       80.133.102.140 
0.0.0.0/0

Chain eth0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 loc2net    all  --  *      ppp0    0.0.0.0/0 
0.0.0.0/0
     0     0 loc2vpn    all  --  *      ipsec0  0.0.0.0/0 
0.0.0.0/0

Chain eth0_in (1 references)
  pkts bytes target     prot opt in     out     source 
destination
    13  1587 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
   461 39111 loc2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2loc (1 references)
  pkts bytes target     prot opt in     out     source 
destination
   569  244K ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:22
     0     0 all2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2net (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     7   760 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     esp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:500 dpt:500 state NEW
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:21
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:25
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:37
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:53
     1    75 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:80
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:110
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:123
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:123
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:222
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:443
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:500
     0     0 all2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2vpn (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     5   420 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:500 dpt:500 state NEW
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain icmpdef (0 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain ipsec0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 all2all    all  --  *      ppp0    0.0.0.0/0 
0.0.0.0/0
     0     0 vpn2loc    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0

Chain ipsec0_in (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     5   420 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     5   420 vpn2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain loc2fw (1 references)
  pkts bytes target     prot opt in     out     source 
destination
   448 37524 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:21
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:22
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:25
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:37
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:53
     6   527 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:53
     3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:110
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:123
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:123
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:515
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:4559
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:8000
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:10000
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpts:10240:64000
     4   916 all2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain loc2net (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
212.227.119.84      tcp dpt:21
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
212.227.119.84      tcp dpt:20
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
212.227.119.84      udp dpt:20
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
212.227.119.84      udp dpt:21
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:loc2net:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain loc2vpn (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain logflags (5 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 4 level 6 prefix
`Shorewall:logflags:DROP:''
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain net2all (3 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
   809 32832 Drop       all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   800 32408 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
   800 32408 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain net2fw (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     6   771 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     esp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:500 dpt:500 state NEW
   809 32832 net2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain norfc1918 (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 rfc1918    all  --  *      *       172.16.0.0/12 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 172.16.0.0/12
     0     0 rfc1918    all  --  *      *       192.168.0.0/16 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 192.168.0.0/16
     0     0 rfc1918    all  --  *      *       10.0.0.0/8 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 10.0.0.0/8

Chain ppp0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 norfc1918  all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW
     0     0 tcpflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 net2all    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
     0     0 net2all    all  --  *      ipsec0  0.0.0.0/0 
0.0.0.0/0

Chain ppp0_in (1 references)
  pkts bytes target     prot opt in     out     source 
destination
   809 32832 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
   809 32832 norfc1918  all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW
   807 32344 tcpflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
   815 33603 net2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain reject (12 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast
     0     0 DROP       all  --  *      *       172.21.255.255 
0.0.0.0/0
     0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
     0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0
     2    80 REJECT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with tcp-reset
     0     0 REJECT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-port-unreachable
     0     0 REJECT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-unreachable
     0     0 REJECT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain shorewall (0 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain smurfs (0 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       172.21.255.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       172.21.255.255 
0.0.0.0/0
     0     0 LOG        all  --  *      *       255.255.255.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
     0     0 LOG        all  --  *      *       224.0.0.0/4 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0

Chain tcpflags (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x3F/0x29
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x3F/0x00
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x06/0x06
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x03/0x03
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:0 flags:0x16/0x02

Chain vpn2fw (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:500 dpt:500 state NEW
     5   420 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain vpn2loc (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=44411 PROTO=TCP 
SPT=42450 DPT=996 WINDOW=2048 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=34846 PROTO=TCP 
SPT=42450 DPT=672 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=34 ID=2321 PROTO=TCP 
SPT=42450 DPT=1532 WINDOW=2048 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28423 PROTO=TCP 
SPT=42450 DPT=532 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=32632 PROTO=TCP 
SPT=42450 DPT=2430 WINDOW=2048 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=12890 PROTO=TCP 
SPT=42450 DPT=170 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=33 ID=43798 PROTO=TCP 
SPT=42450 DPT=552 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=27469 PROTO=TCP 
SPT=42450 DPT=3064 WINDOW=2048 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=51252 PROTO=TCP 
SPT=42450 DPT=1530 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:28 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=39727 PROTO=TCP 
SPT=42450 DPT=5977 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=35 ID=14955 PROTO=TCP 
SPT=42449 DPT=387 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=42521 PROTO=TCP 
SPT=42449 DPT=769 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=1308 PROTO=TCP 
SPT=42449 DPT=1395 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=21041 PROTO=TCP 
SPT=42449 DPT=982 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=21373 PROTO=TCP 
SPT=42449 DPT=198 WINDOW=4096 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=52091 PROTO=TCP 
SPT=42449 DPT=5432 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=62003 PROTO=TCP 
SPT=42449 DPT=1416 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=8768 PROTO=TCP 
SPT=42449 DPT=245 WINDOW=2048 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54141 PROTO=TCP 
SPT=42449 DPT=1422 WINDOW=3072 RES=0x00 SYN URGP=0
Dec  4 19:05:29 net2all:DROP:IN=ppp0 OUT= SRC=212.144.172.233 
DST=80.133.199.60 LEN=40 TOS=0x00 PREC=0x00 TTL=32 ID=51577 PROTO=TCP 
SPT=42449 DPT=329 WINDOW=4096 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 8612 packets, 424K bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain POSTROUTING (policy ACCEPT 469 packets, 25706 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ipsec0_masq  all  --  *      ipsec0  0.0.0.0/0 
0.0.0.0/0
     0     0 SNAT       all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0           MARK match 0x1 to:172.21.6.6

Chain OUTPUT (policy ACCEPT 465 packets, 25546 bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain ipsec0_masq (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 MASQUERADE  all  --  *      *       172.21.0.0/16 
0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 31415 packets, 3765K bytes)
  pkts bytes target     prot opt in     out     source 
destination
  1314 74722 pretos     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
  1312 74538 tcpre      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain INPUT (policy ACCEPT 31413 packets, 3765K bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 tcfor      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 35962 packets, 22M bytes)
  pkts bytes target     prot opt in     out     source 
destination
   593  250K outtos     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   589  250K tcout      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 35962 packets, 22M bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain outtos (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:22 TOS set 0x10
   542  246K TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:22 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:20 TOS set 0x08
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
  pkts bytes target     prot opt in     out     source 
destination
   430 36856 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:22 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:22 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:20 TOS set 0x08
     2    80 TOS        tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:20 TOS set 0x08

Chain tcfor (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 MARK       all  --  ipsec0 *       0.0.0.0/0 
172.21.0.0/16       MARK set 0x1

Chain tcout (1 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain tcpre (1 references)
  pkts bytes target     prot opt in     out     source 
destination

unknown  50 582 src=217.91.99.214 dst=80.133.199.60 src=80.133.199.60 
dst=217.91.99.214 use=1
tcp      6 48 TIME_WAIT src=172.21.3.1 dst=172.21.6.6 sport=2193 
dport=110 src=172.21.6.6 dst=172.21.3.1 sport=110 dport=2193 [ASSURED] 
use=1
tcp      6 47 TIME_WAIT src=172.21.3.1 dst=172.21.6.6 sport=2191 
dport=110 src=172.21.6.6 dst=172.21.3.1 sport=110 dport=2191 [ASSURED] 
use=1
tcp      6 47 TIME_WAIT src=172.21.3.1 dst=172.21.6.6 sport=2192 
dport=110 src=172.21.6.6 dst=172.21.3.1 sport=110 dport=2192 [ASSURED] 
use=1
udp      17 137 src=172.21.10.2 dst=172.21.6.6 sport=1030 dport=53 
src=172.21.6.6 dst=172.21.10.2 sport=53 dport=1030 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.21.3.1 dst=172.21.6.6 sport=2021 
dport=22 src=172.21.6.6 dst=172.21.3.1 sport=22 dport=2021 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=172.21.3.1 dst=172.21.6.6 sport=2009 
dport=22 src=172.21.6.6 dst=172.21.3.1 sport=22 dport=2009 [ASSURED] use=1
udp      17 71 src=80.133.199.60 dst=217.91.99.214 sport=500 dport=500 
src=217.91.99.214 dst=80.133.199.60 sport=500 dport=500 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:80:ad:91:3b:4f brd ff:ff:ff:ff:ff:ff
     inet 172.21.6.6/16 brd 172.21.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:05:5d:4d:7e:c0 brd ff:ff:ff:ff:ff:ff
     inet 1.1.1.1/32 brd 1.1.1.1 scope global eth1
5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
     link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0@NONE: <NOARP> mtu 1476 qdisc noop
     link/gre 0.0.0.0 brd 0.0.0.0
7: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
     link/ppp
     inet 80.133.199.60 peer 217.5.98.55/32 scope global ipsec0
8: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
     link/ipip
9: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
     link/ipip
10: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
     link/ipip
11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen
3
     link/ppp
     inet 80.133.199.60 peer 217.5.98.55/32 scope global ppp0

/proc

    /proc/sys/net/ipv4/ip_forward = 1
    /proc/sys/net/ipv4/conf/all/proxy_arp = 0
    /proc/sys/net/ipv4/conf/all/arp_filter = 0
    /proc/sys/net/ipv4/conf/all/rp_filter = 1
    /proc/sys/net/ipv4/conf/default/proxy_arp = 0
    /proc/sys/net/ipv4/conf/default/arp_filter = 0
    /proc/sys/net/ipv4/conf/default/rp_filter = 0
    /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
    /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
    /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
    /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
    /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
    /proc/sys/net/ipv4/conf/ipsec0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/ipsec0/arp_filter = 0
    /proc/sys/net/ipv4/conf/ipsec0/rp_filter = 0
    /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
    /proc/sys/net/ipv4/conf/lo/arp_filter = 0
    /proc/sys/net/ipv4/conf/lo/rp_filter = 0
    /proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
    /proc/sys/net/ipv4/conf/ppp0/rp_filter = 1

Routing Rules

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Table local:

broadcast 172.21.255.255 dev eth0  proto kernel  scope link  src 172.21.6.6
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 172.21.6.6 dev eth0  proto kernel  scope host  src 172.21.6.6
local 1.1.1.1 dev eth1  proto kernel  scope host  src 1.1.1.1
broadcast 1.1.1.1 dev eth1  proto kernel  scope link  src 1.1.1.1
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 80.133.199.60 dev ppp0  proto kernel  scope host  src 80.133.199.60
local 80.133.199.60 dev ipsec0  proto kernel  scope host  src 80.133.199.60
broadcast 172.21.0.0 dev eth0  proto kernel  scope link  src 172.21.6.6
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

217.5.98.55 dev ppp0  proto kernel  scope link  src 80.133.199.60
217.5.98.55 dev ipsec0  proto kernel  scope link  src 80.133.199.60
172.26.0.0/16 via 217.5.98.55 dev ipsec0
169.254.0.0/16 dev eth1  scope link
172.21.0.0/16 dev eth0  proto kernel  scope link  src 172.21.6.6
default via 217.5.98.55 dev ppp0

Table default:



JN

Tom Eastep

2004-Dec-04 18:21 UTC

head link

Re: vpn-zone wide open

On Sat, 2004-12-04 at 19:03 +0100, Northe, Juergen
wrote:> >
> ok.
> ''shorewall status'' with vpn:
Would you be so kind as to re-send the status as an attachment? Inline,
your mailer has folded it into a pretzel and it''s very hard to read.

Also, please answer the other question I asked in my previous post -- I
want to know what you did with nmap and what you saw.

Thanks!
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Northe, Juergen

2004-Dec-04 18:46 UTC

head link

Re: vpn-zone wide open

- new status and nmap-report is attached.
- with nmap I want to see *which* ports are open from the internet.


Tom Eastep schrieb:> On Sat, 2004-12-04 at 19:03 +0100, Northe, Juergen wrote:
> 
>>ok.
>>''shorewall status'' with vpn:
> 
> 
> Would you be so kind as to re-send the status as an attachment? Inline,
> your mailer has folded it into a pretzel and it''s very hard to
read.
> 
> Also, please answer the other question I asked in my previous post -- I
> want to know what you did with nmap and what you saw.
> 
> Thanks!
> -Tom
--

Tom Eastep

2004-Dec-04 18:56 UTC

head link

Re: vpn-zone wide open

On Sat, 2004-12-04 at 19:46 +0100, Northe, Juergen
wrote:> - new status and nmap-report is attached.
> - with nmap I want to see *which* ports are open from the internet.
Unfortunately, the shorewall status was obtained shorewall cleared!! 

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2004-Dec-04 19:20 UTC

head link

Re: vpn-zone wide open

On Sat, 2004-12-04 at 10:56 -0800, Tom Eastep wrote:> On Sat, 2004-12-04 at 19:46 +0100, Northe, Juergen wrote:
> > - new status and nmap-report is attached.
> > - with nmap I want to see *which* ports are open from the internet.
> 
> Unfortunately, the shorewall status was obtained shorewall cleared!! 
I of course meant ".. with shorewall cleared". In other words, there
are
no Netfilter rules whatsoever.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Northe, Juergen

2004-Dec-04 20:23 UTC

head link

Re: vpn-zone wide open

>>>On Sat, 2004-12-04 at 19:46 +0100, Northe, Juergen wrote:
>>>
>>>
>>>>- new status and nmap-report is attached.
>>>>- with nmap I want to see *which* ports are open from the
internet.
>>>
>>>
>>>Unfortunately, the shorewall status was obtained shorewall cleared!!
>>>
>>>-Tom
>>
>>I rebootet the system and rescanned it with nmap.
>>
>>the logs are attached.
> 
> 
> Sorry -- Shorewall is still not running!!!
> 
> -Tom
-- 

i forgot to restart shorewall after obtaining a new dynamic ip.
Now it looks good !
Thank you for your high-speed answers !!

Juergen.

Seemingly Similar Threads

Search for more reasonably related threads

Shorewall users - Dec 2004 - vpn-zone wide open

vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Re: vpn-zone wide open

Seemingly Similar Threads