Hello,

I am stumped on a problem I am having with Shorewall 2.0.1 on Mandrake 10. My setup is as follows. I have a /28 and have assigned all IP addresses to my firewall using aliases. I am able to set up rules to allow specific traffic to specific IP addresses on the firewall like so:

ACCEPT net:w.x.y.z $FW:w.x.y.z tcp 22

This works great for TCP and UDP traffic. I can also open the same port on all IP addresses by doing this:

ACCEPT net fw tcp 22

In this case every IP address assigned to the firewall will have port 22 open.

Here's my problem: if I create a similar rule for ICMP like this:

ACCEPT net $FW:w.x.y.z icmp
or
ACCEPT net fw icmp

Neither works. In the logs the packets just get denied. I do not have any of the ping blocking options set on the interface, and I have tried disabling all the interface options on my external interface, but this didn't make any difference either. I have also analyzed my rules and policy file and there is nothing that would be blocking ICMP.

If anyone has any ideas I would appreciate hearing them.

Si.
Bob Smith wrote on 09/12/2004 14:36:40:

> Here's my problem, if I create a similar rule for icmp like this:
>
> ACCEPT net $FW:w.x.y.z icmp
> or
> ACCEPT net fw icmp

Without your configuration it is really hard to help you, but...

- the order in which you put your zones in the zones file makes a difference
- the order in which you enter your policies in the policy file too
- the order in which you enter your rules also
- finally, there is a standard action just for the ping:

AllowPING net fw

should do the trick. Maybe the problem on your above line is the lack of which icmp-type you are talking about...

cheers,

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Thu, 2004-12-09 at 14:55 -0200, Eduardo Ferreira wrote:

> - finally, there is a standard action just for the ping:
> AllowPING net fw
> should do the trick. Maybe the problem on your above line is the lack of

Also be sure that you don't have ping disabled in sysctl -- I believe that Drake 10.0 does that by default.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
The rule for ICMP:

ACCEPT net $FW icmp 8 -

Regards,
Miguel Espejo

Eduardo Ferreira wrote:

> - finally, there is a standard action just for the ping:
> AllowPING net fw
> should do the trick. Maybe the problem on your above line is the lack of
> which icmp-type are you talking about...
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Check your msec settings. Levels 4 & 5 in Mandrake do not allow ICMP. You can tweak these levels in /usr/share/msec/level.*

See here for more info:

http://mandrakeuser.org/docs/mdoc/ref/prog-msec.html

On 9 Dec 2004 at 11:36, Bob Smith wrote:

> Here's my problem, if I create a similar rule for icmp like this:
>
> ACCEPT net $FW:w.x.y.z icmp
> or
> ACCEPT net fw icmp
>
> Neither work. In the logs the packets just get denied. I do not have any
> of the ping blocking options set on the interface, and I have tried
> disabling all the interface options on my external interface but this didn't
> make any difference either. I have also analyzed my rules and policy file
> and there is nothing that would be blocking icmp.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
You're bang on as always, Tom. It wasn't a Shorewall problem at all; rather, it was the fact my Mandrake box was running in level 4, which blocks ICMP. Thanks for your response.

Bob.

> From: Tom Eastep <teastep@shorewall.net>
> Reply-To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> To: Shorewall Users <shorewall-users@lists.shorewall.net>
> Subject: Re: [Shorewall-users] Can't allow ICMP to firewall?
> Date: Thu, 09 Dec 2004 09:01:33 -0800
>
> Also be sure that you don't have ping disabled in sysctl -- I believe
> that Drake 10.0 does that by default.
>
> -Tom
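The thread's resolution is that the kernel, not Shorewall, was dropping the echo requests (Tom's sysctl hint and Shawn's msec-level hint both point at the same layer). The script below is an added diagnostic, not code from the thread or from the Shorewall project: it reads net.ipv4.icmp_echo_ignore_all and net.ipv4.icmp_echo_ignore_broadcasts from /proc/sys on a Linux host (falling back to constructed sample values elsewhere so it still runs) and says whether a firewall ACCEPT rule can even matter. The function name icmp_echo_verdict and the verdict strings are my own.

```shell
#!/bin/sh
# Added example: decide whether ICMP echo is being dropped by the kernel's
# sysctl settings before looking for a firewall rule problem.
# Assumes a Linux host for the live read; otherwise constructed fallbacks
# are used so the script runs anywhere.

# icmp_echo_verdict ALL BCAST
#   ALL   = value of net.ipv4.icmp_echo_ignore_all (0 or 1)
#   BCAST = value of net.ipv4.icmp_echo_ignore_broadcasts (0 or 1)
# Prints one of: kernel-ignores-all, kernel-ignores-broadcast, firewall-decides
icmp_echo_verdict() {
    all="$1"
    bcast="$2"
    if [ "$all" = "1" ]; then
        echo "kernel-ignores-all"
    elif [ "$bcast" = "1" ]; then
        echo "kernel-ignores-broadcast"
    else
        echo "firewall-decides"
    fi
}

# read_sysctl KEYPATH FALLBACK
# KEYPATH is relative to /proc/sys, e.g. net/ipv4/icmp_echo_ignore_all.
# FALLBACK is a constructed sample value used when /proc/sys is unavailable.
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo "$2"   # constructed fallback, not a real reading
    fi
}

main() {
    all=$(read_sysctl net/ipv4/icmp_echo_ignore_all 1)
    bcast=$(read_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1)
    verdict=$(icmp_echo_verdict "$all" "$bcast")
    echo "icmp_echo_ignore_all=$all icmp_echo_ignore_broadcasts=$bcast -> $verdict"
    case "$verdict" in
        kernel-ignores-all)
            echo "Unicast echo requests are dropped by the kernel; no Shorewall ACCEPT rule can override this."
            echo "On Mandrake, check the msec level (levels 4 and 5 set this) before editing sysctl by hand." ;;
        kernel-ignores-broadcast)
            echo "Only broadcast echo is ignored (a sensible default); unicast ping is up to the firewall rules." ;;
        *)
            echo "Kernel answers echo requests; check the Shorewall policy, rule order and logs next." ;;
    esac
}

main
```

Run it as root or any user on the firewall itself: /proc/sys is world-readable, so no privileges are needed to read the two values. A verdict of kernel-ignores-all explains "rules look right but the packets are logged as denied" without touching the Shorewall configuration at all.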
Hi Shawn,

Tom mentioned this as well, and this was indeed my problem. Thanks for the link, however, as I was having a hard time finding much in the way of documentation for the msec utility in Mandrake.

Bob.

> From: "Shawn Wright" <swright@sls.bc.ca>
> Reply-To: swright@sls.bc.ca, Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> Subject: Re: [Shorewall-users] Can't allow ICMP to firewall?
> Date: Thu, 09 Dec 2004 13:43:21 -0800
>
> Check your msec settings. Levels 4 & 5 in Mandrake do not allow icmp.
> You can tweak these levels in /usr/share/msec/level.*
>
> See here for more info:
>
> http://mandrakeuser.org/docs/mdoc/ref/prog-msec.html