Hello list,
I wish to report a problem with openvpn tunnels.
Synopsis: Despite adding policies to the shorewall policy file, I have
to add extra rules to allow the UDP port 5000 packets to get through.
I have used no particular setup guide.
I believe this problem goes away with shorewall 2.0.9, as I have
implemented openvpn with that version on a different machine, and I see
no UDP:5000 packet drops so far. I have included the openvpn
configurations and shorewall logs in addition to the material requested
by the "how to post a problem report", below.
firewall: -root-
# ip addr sho
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
inet 216.12.22.89/26 brd 216.12.22.127 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:e3:12:7d:94 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 10
link/ppp
inet 10.1.1.1 peer 10.1.1.2/32 scope global tun0
6: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
inet 216.12.22.89/26 brd 216.12.22.127 scope global ipsec0
7: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
8: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
9: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
firewall: -root-
# ip route sho
216.12.22.89 via 10.1.1.2 dev tun0
10.1.1.2 dev tun0 proto kernel scope link src 10.1.1.1
216.12.22.64/26 dev eth0 proto kernel scope link src 216.12.22.89
216.12.22.64/26 dev ipsec0 proto kernel scope link src 216.12.22.89
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
default via 216.12.22.65 dev eth0
Dear list:
I am having a weird problem with shorewall rejecting openvpn packets
unless I include some redundant rules, that shorewall complains about
(but that make things work). Below are the shorewall files and the
resulting logs.
Unless I uncomment the last 8 ACCEPTS in the rules file, I get Rejects
of openvpn traffic from shorewall. Uncommenting those lines makes
shorewall complain during bootup as it is working through the rules file
before prompting for login.
Any ideas?? TIA, Rick
The shorewall zones file is
net NET Internet
loc Local Local Networks
vpn1 VPN-ipsec RoadWarrior
vpn3 WLAN-openvpn openvpn
The interfaces file is
net eth0 detect norfc1918
loc eth1 detect dhcp
vpn1 ipsec0
vpn3 tun0
The tunnels file is
ipsec net 0.0.0.0/0 vpn1
generic:udp:5000 loc 192.168.1.0/24 vpn3
firewall: -root-
# more policy
#
# Shorewall 1.4 -- Sample Policy File For Two Interfaces
###
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
loc vpn1 ACCEPT
#loc vpn2 ACCEPT
loc vpn3 ACCEPT
fw vpn3 ACCEPT
net vpn3 ACCEPT
vpn1 loc ACCEPT
#vpn2 loc ACCEPT
vpn3 loc ACCEPT
vpn3 fw ACCEPT
vpn3 net ACCEPT
fw loc ACCEPT
net all DROP ULOG
all all REJECT ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
firewall: -root-
# more rules
#
# Shorewall version 1.4 - Sample Rules File For Two Interfaces
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
ACCEPT net:137.45.192.73 fw tcp 22
ACCEPT net:137.45.34.77 fw tcp 22
ACCEPT net:137.45.192.86 fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
# Rules for openvpn (despite policies being set)
#ACCEPT loc fw all
#ACCEPT fw loc all
#ACCEPT loc net all
#ACCEPT net loc all
#ACCEPT vpn3 fw all
#ACCEPT fw vpn3 all
#ACCEPT vpn3 net all
#ACCEPT net vpn3 all
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
# .... deleted for brevity....
firewall: -root-
#
The logs that result from the 8 ACCEPT lines being commented out are:
f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21018 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:48 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21079 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:58 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21154 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:09 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21207 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:18 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21256 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:30 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21329 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:40 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21381 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:19:50 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21433 PROTO=UDP SPT=5000 DPT=5000 LEN=68
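A small parser for the Shorewall ULOG records quoted above, added here as an example (not part of the report or of Shorewall), to show which chain is rejecting what and whether the packet was aimed at the firewall itself. It takes the firewall's own addresses from the `ip addr sho` output above; the third sample record is constructed.

```python
import re
from collections import Counter

# Constructed sample in the ULOG format of the report above. The "OUTMAC="
# in the posted lines is "OUT= MAC=" in a real record; both are accepted.
# The third record is made up so the summary has more than one key.
SAMPLE_LOG = """\
Dec 9 11:18:48 firewall Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21079 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:18:58 firewall Shorewall:all2all:REJECT: IN=eth1 OUTMAC=00:02:e3:12:7d:94:00:0e:35:15:24:f3:08:00 SRC=192.168.1.3 DST=192.168.1.254 LEN=88 TOS=00 PREC=0x00 TTL=128 ID=21154 PROTO=UDP SPT=5000 DPT=5000 LEN=68
Dec 9 11:20:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:02:e3:13:02:78:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=216.12.22.89 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44321 DPT=22
"""

# Addresses the firewall itself owns, taken from the "ip addr sho" output above.
FW_ADDRS = {"216.12.22.89", "192.168.1.254", "10.1.1.1"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_record(line):
    """Return {'chain', 'disp', plus every KEY=VALUE field}, or None if not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("rest")))  # second LEN= (UDP) overwrites the first (IP)
    rec["chain"], rec["disp"] = m.group("chain"), m.group("disp")
    return rec

def summarize(log_text, fw_addrs=FW_ADDRS):
    """Count records by (chain, disposition, in-iface, proto, dport, destined to firewall?).

    A REJECT in the all2all chain with DST equal to one of the firewall's own
    addresses means loc->fw traffic matched no rule or zone policy and fell
    through to the catch-all "all all REJECT" policy shown above.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disp"], rec.get("IN", ""), rec.get("PROTO", ""),
               rec.get("DPT", ""), rec.get("DST") in fw_addrs)
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (chain, disp, iface, proto, dport, to_fw), n in summarize(SAMPLE_LOG).most_common():
        where = "to the firewall itself" if to_fw else "forwarded"
        print(f"{n:3d}x {disp:6s} chain={chain:8s} in={iface} {proto}/{dport} ({where})")
```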
On Sat, 2004-12-11 at 12:06 -0500, Tibbs, Richard wrote:
> The tunnels file is
> ipsec net 0.0.0.0/0 vpn1
> generic:udp:5000 loc 192.168.1.0/24 vpn3

You are running Shorewall 1.4.2 -- Generic tunnels were added in 1.4.7!!! When you start Shorewall it is giving you a warning saying that the record above is ignored.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Ah! Were openvpn tunnels supported in 1.4.2? I was having trouble getting things going and was switching back and forth between openvpn and generic.

Rick.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Saturday, December 11, 2004 12:15 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem report -- shorewall 1.4

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Sat, 2004-12-11 at 12:18 -0500, Tibbs, Richard wrote:
> Ah! Were openvpn tunnels supported in 1.4.2?
> I was having trouble getting things going and was switching back and
> forth between openvpn and generic.

OpenVPN tunnel support was added in 1.3.14. You can answer these questions yourself by searching http://shorewall.net/News.htm -- that page gives you the release highlights from all Shorewall releases from 1.0.3 up through 2.0.9.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
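An added check, written for this page and not part of the thread or of Shorewall, that applies the two release facts Tom cites to a tunnels file: it flags entries the running version would ignore (generic needs 1.4.7, openvpn needs 1.3.14) and gateway zones that the zones file never defines. The ipsec version floor is a placeholder; the sample files are the ones posted above.

```python
# Constructed sample: the zones and tunnels files posted in the report above.
ZONES_FILE = """\
net NET Internet
loc Local Local Networks
vpn1 VPN-ipsec RoadWarrior
vpn3 WLAN-openvpn openvpn
"""
TUNNELS_FILE = """\
ipsec net 0.0.0.0/0 vpn1
generic:udp:5000 loc 192.168.1.0/24 vpn3
"""

# First release supporting each tunnel TYPE, per Tom's replies: openvpn in
# 1.3.14, generic in 1.4.7. The ipsec floor is a placeholder (older than both).
MIN_VERSION = {"ipsec": (0, 0, 0), "openvpn": (1, 3, 14), "generic": (1, 4, 7)}

def parse_version(s):
    """'1.4.2' -> (1, 4, 2), so tuple comparison orders releases correctly."""
    return tuple(int(p) for p in s.split("."))

def zone_names(zones_text):
    """First column of every non-comment, non-blank line of the zones file."""
    return {line.split()[0] for line in zones_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def check_tunnels(tunnels_text, zones_text, version):
    """Return [(line_no, problem)] for entries that `version` would ignore or misread.
    Columns: TYPE[:proto[:port]] GATEWAY_ZONE GATEWAY [GATEWAY_ZONES]."""
    ver, zones, problems = parse_version(version), zone_names(zones_text), []
    for n, line in enumerate(tunnels_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = line.split()
        if len(f) < 3:
            problems.append((n, "too few columns"))
            continue
        ttype = f[0].split(":")[0].lower()
        if ttype not in MIN_VERSION:
            problems.append((n, f"unknown tunnel type {f[0]!r}"))
        elif ver < MIN_VERSION[ttype]:
            need = ".".join(map(str, MIN_VERSION[ttype]))
            problems.append((n, f"{ttype} tunnels need Shorewall {need}; {version} ignores this entry"))
        # Column 2 and the optional comma-separated column 4 must name defined zones.
        for z in [f[1]] + (f[3].split(",") if len(f) > 3 else []):
            if z not in zones:
                problems.append((n, f"zone {z!r} is not defined in the zones file"))
    return problems

if __name__ == "__main__":
    for n, msg in check_tunnels(TUNNELS_FILE, ZONES_FILE, "1.4.2"):
        print(f"tunnels line {n}: {msg}")
```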
Thanks, Tom! I will switch back to openvpn tunnels and wipe out the rules. Having now learned that shorewall restart will reproduce the error remarks, that will help. (On bootup, it goes by too fast. Seems like the pause key is not supported by bering.)

I would like to ask an additional question: In wrestling with openvpn, I added the policies

loc vpn3 ACCEPT
fw vpn3 ACCEPT
net vpn3 ACCEPT
vpn3 loc ACCEPT
vpn3 fw ACCEPT
vpn3 net ACCEPT

The other end of the VPN3 tunnel is an openvpn running on my wireless laptop. If I am trying to use openvpn to secure my WLAN, but still want my wireless laptop to be able to pull up web pages, etc., do I need the

vpn3 net
net vpn3

policies?

TIA Rick.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Saturday, December 11, 2004 12:22 PM
To: Shorewall Users
Subject: RE: [Shorewall-users] Problem report -- shorewall 1.4
On Sat, 2004-12-11 at 12:31 -0500, Tibbs, Richard wrote:
> If I am trying to use openvpn to secure my WLAN, but still want my
> wireless laptop to be able to pull up web pages, etc., do I need the
> vpn3 net
> net vpn3
> policies?

You need the first one.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key