Tom,

I am NOT subscribed (yet). I dropped SuSEfirewall2 in favor of Shorewall to get past the configuration hurdles I was experiencing. At the moment, when my SuSE 9.1 starts up, I can see Shorewall processing the rules, policies, etc. I see no errors, and then it moves on with the rest of the SuSE boot process. However, no traffic passes through using the rules. I run an "iptables -L" and I can see that the rules and policies are not in place, as if it didn't run the rules I have but some other rules. Yet I saw the rules running during the boot process. I have to manually execute shorewall a second time from the shell in order for the rules/policies to take effect. Rerunning iptables after executing shorewall again reveals the proper iptables results, and my rules/policies have taken effect.

What am I overlooking?

Nice product BTW. You spent a lot of time on it.

Thanks,
Greg
On Sat, 2004-12-18 at 03:27 -0500, Greg Shepherd wrote:
> Rerunning iptables after executing shorewall again reveals the proper
> iptables results and my rules/policies have taken effect.
>
> What am I overlooking?

Two possibilities:

a) You have changed your Shorewall configuration since you last did a 'shorewall save' and you are getting your old rules restored.

b) You haven't disabled startup of SuSEfirewall2 and it is starting after Shorewall.

> Nice product BTW. You spent a lot of time on it.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Sat, 2004-12-18 at 07:53 -0800, Tom Eastep wrote:
> On Sat, 2004-12-18 at 03:27 -0500, Greg Shepherd wrote:
>
> Two possibilities:
>
> a) You have changed your Shorewall configuration since you last did a
> 'shorewall save' and you are getting your old rules restored.
> b) You haven't disabled startup of SuSEfirewall2 and it is starting
> after Shorewall.

There's a third possibility -- 'shorewall start' is failing during boot because something required by your configuration isn't available at boot time (a DHCP-managed interface isn't up and configured yet, possibly). This can also be overcome by using 'shorewall save'.

-Tom
Please keep your replies on the list -- I'm not your personal SuSE support tech!

On Sat, 2004-12-18 at 12:08 -0500, Greg Shepherd wrote:
> Well, nertz.
>
> I performed the shorewall save command with my current working and running
> configuration (I misunderstood how to use it last time and supplied a
> filename instead of just issuing shorewall save).
>
> SuSEfirewall2 was not installed.
>
> I rebooted and got the same result.
>
> I reinstalled SuSEfirewall2 and disabled the
> SuSEfirewall2_setup, SuSEfirewall2_init and SuSEfirewall2_final services in
> YaST RunLevel Editor, but they still are starting up (what good is the
> disable service function if it doesn't work? That's a rhetorical question.)
>
> I restart shorewall and it works, but not at boot time.
>
> Do you have any other suggestions?

No -- I've run SuSE on my firewalls off and on for almost a year and I've never seen the problem you report. Of course, I've never used the YaST RunLevel Editor either; I use insserv or chkconfig.

-Tom
On Sat, 2004-12-18 at 14:16 -0500, Greg Shepherd wrote:
> > > I restart shorewall and it works, but not at boot time.
> > >
> > > Do you have any other suggestions?
>
> No -- I've run SuSE on my firewalls off and on for almost a year and
> I've never seen the problem you report. Of course, I've never used the
> YaST RunLevel Editor either; I use insserv or chkconfig.

What does the output of "chkconfig --list" look like?

-Tom
On Saturday, 18 December 2004 20:34, Tom Eastep wrote:
> On Sat, 2004-12-18 at 14:16 -0500, Greg Shepherd wrote:
> > > I restart shorewall and it works, but not at boot time.
> > >
> > > Do you have any other suggestions?
> >
> > No -- I've run SuSE on my firewalls off and on for almost a year and
> > I've never seen the problem you report. Of course, I've never used the
> > YaST RunLevel Editor either; I use insserv or chkconfig.

Include this section in your /etc/init.d/shorewall:

    ### BEGIN INIT INFO
    # Provides:       shorewall
    # Required-Start: $network
    # Required-Stop:
    # Default-Start:  2 3 5
    # Default-Stop:   0 1 6
    # Description:    starts and stops the shorewall firewall
    ### END INIT INFO

Then run "insserv shorewall" and the shorewall service should be started on booting your machine.

Read "man insserv" and read "man init".
Tom,

I punted by the time I got your message on the startup issue. I re-imaged my system to a base configuration and resolved my problem with the startup issue. Thanks for your help.

To All!

I am on my last portion of my configuration and I must confess to being stumped. I read the documentation about interfaces, zones, hosts, etc. and read some googled postings on groups of hosts in the same subnet and managing those hosts by zones. I have been attempting to accomplish the following:

- Two interface system. (works)
- Redirecting users transparently to squid port 3128 except for the web server on the local system. (works)
- DNAT of a different port to an internal system. (works)
- Create an adm zone with a short list of specific hosts with unrestricted access. (HELP!)
- Use the adm zone to bypass the squid port. (Help) Access to 3128 is for an admin system acting as a content-filtering server, and I am attempting to force users to use that internal server on a different port for http access.
- Use the loc zone for denying access to 3128 on the firewall and port 80 to the Internet, but not port 80 on the firewall. (I believe I can do this if I can get the zone/hosts piece working.)

Here is what I have at the moment.

Interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      routefilter,tcpflags
    -       eth1        detect      tcpflags

Zones:

    #ZONE   DISPLAY   COMMENTS
    net     net       The Internet
    ADM     ADM       Administrative stations
    loc     Local     Local Network

This is how it is spaced in the file.

Policy:

    #SOURCE   DEST   POLICY     LOG LEVEL
    ADM       net    CONTINUE
    loc       net    ACCEPT
    net       all    DROP       info
    all       all    REJECT     info

Hosts:

    #ZONE   HOST(S)           OPTIONS
    loc     eth1:0.0.0.0/0
    ADM     eth1:10.0.0.103

Rules:

    ACCEPT    fw     net             tcp    53
    ACCEPT    fw     net             udp    53
    ACCEPT    loc    fw              tcp    22
    ACCEPT    loc    fw              icmp   8
    ACCEPT    net    fw              icmp   8
    ACCEPT    fw     loc             icmp
    ACCEPT    fw     net             icmp
    ACCEPT    loc    $FW             tcp    5801,5901
    ACCEPT    net    $FW             tcp    5801,5901
    DNAT      net    loc:10.0.0.100  tcp    3389
    REDIRECT  loc    3128            tcp    www    -    10.0.0.102
    ACCEPT    $FW    net             tcp    www
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Can anyone guide me?

Thanks!
Greg
On Sun, 2004-12-19 at 13:42 -0500, Greg Shepherd wrote:
> Can anyone guide me?

Add this BEFORE your REDIRECT rule:

    ACCEPT+   adm   net   tcp   80

Note the "+".

-Tom
One more thing:

On Sun, 2004-12-19 at 13:42 -0500, Greg Shepherd wrote:
> REDIRECT  loc  3128  tcp  www  -  10.0.0.102

I also don't understand why you have 10.0.0.102 in the ORIGINAL DEST column; that will only redirect connections to that IP address.

-Tom
As I understand the "Squid (transparent) Running on the Firewall" section:

    Squid (transparent) Running on the Firewall

    You want to redirect all local www connection requests EXCEPT those to your own http server (10.0.0.102) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers.

    In /etc/shorewall/rules:

    #ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
    REDIRECT  loc      3128   tcp     www            -                !10.0.0.102
    ACCEPT    fw       net    tcp     www

The firewall is running Apache. 10.0.0.102 is on the internal NIC. I wanted to redirect all www connection requests to 3128 except my own http server on 10.0.0.102.

Did I understand that right? Is the ! required?

How is the rest of the configuration?

I am getting "Destination host unreachable" when I ping 10.0.0.102 or a public IP from 10.0.0.103 (in the ADM zone).

No DNS resolving either from that IP.

Does anyone have a working config of what I am attempting to do that I can learn from?

Thanks
Greg
On Sun, 2004-12-19 at 14:30 -0500, Greg Shepherd wrote:
> As I understand the "Squid (transparent) Running on the Firewall" section:
>
>     Squid (transparent) Running on the Firewall
>     You want to redirect all local www connection requests EXCEPT those to your
>     own http server (10.0.0.102) to a Squid transparent proxy running on the
>     firewall and listening on port 3128. Squid will of course require access to
>     remote web servers.
>
>     In /etc/shorewall/rules:
>
>     #ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
>     REDIRECT  loc      3128   tcp     www            -                !10.0.0.102
>     ACCEPT    fw       net    tcp     www
>
> The firewall is running Apache. 10.0.0.102 is on the internal NIC. I wanted
> to redirect all www connection requests to 3128 except my own http server on
> 10.0.0.102.
>
> Did I understand that right? Is the ! required?

You understand correctly and yes, the "!" is required.

> How is the rest of the configuration?
>
> I am getting "Destination host unreachable" when I ping 10.0.0.102 or a public
> IP from 10.0.0.103 (in the ADM zone).
>
> No DNS resolving either from that IP.
>
> Does anyone have a working config of what I am attempting to do that I can
> learn from?

Please post the output of "shorewall status" as an attachment.

-Tom
I modified the address to include the !. I missed that detail.

Here is the shorewall status file you requested.

The public interface is currently 192.168.1.80. Later, this will change to a public address when it is deployed.

Thanks Tom!
Greg
On Sun, 2004-12-19 at 14:54 -0500, Greg Shepherd wrote:
> I modified the address to include the !. I missed that detail.
>
> Here is the shorewall status file you requested.
>
> The public interface is currently 192.168.1.80. Later, this will change to a
> public address when it is deployed.

You have no adm->fw policy and you have no adm->loc rules, so I don't know how you expect to allow any adm->fw traffic given that the applicable policy for adm->fw is all2all, which appears to be REJECT.

-Tom
On Sun, 2004-12-19 at 12:02 -0800, Tom Eastep wrote:
> On Sun, 2004-12-19 at 14:54 -0500, Greg Shepherd wrote:
> > I modified the address to include the !. I missed that detail.
> >
> > Here is the shorewall status file you requested.
> >
> > The public interface is currently 192.168.1.80. Later, this will change to a
> > public address when it is deployed.
>
> You have no adm->fw policy and you have no adm->loc rules so I don't

I of course meant "...no adm->fw rules...". What I think you want is to replace your 'adm->net CONTINUE' policy with:

    ADM   all   ACCEPT

-Tom
On Sun, 2004-12-19 at 12:10 -0800, Tom Eastep wrote:
> On Sun, 2004-12-19 at 12:02 -0800, Tom Eastep wrote:
> > On Sun, 2004-12-19 at 14:54 -0500, Greg Shepherd wrote:
> > > I modified the address to include the !. I missed that detail.
> > >
> > > Here is the shorewall status file you requested.
> > >
> > > The public interface is currently 192.168.1.80. Later, this will change to a
> > > public address when it is deployed.
> >
> > You have no adm->fw policy and you have no adm->loc rules so I don't
>
> I of course meant "...no adm->fw rules...". What I think you want is to
> replace your 'adm->net CONTINUE' policy with:
>
>     ADM   all   ACCEPT

BTW -- all of this is covered at http://shorewall.net/whitelisting_under_shorewall.htm

-Tom
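Pulling Tom's three corrections together (ACCEPT+ ahead of the REDIRECT so whitelisted hosts skip the proxy, "!" on the ORIGINAL DEST column, and an adm->all ACCEPT policy in place of CONTINUE), here is an assembled set of Shorewall configuration files as an added example; it is not something posted in the thread. The lowercase zone name adm, the firewall zone written as $FW throughout, and the extra loc->$FW www rule (needed because the all2all policy is REJECT and Greg wants port 80 on the firewall reachable) are assumptions.

```conf
# /etc/shorewall/zones -- adm MUST be listed before loc: both zones live on
# eth1, and Shorewall matches the hosts entries in zone order (assumption: adm in lowercase)
#ZONE   DISPLAY   COMMENTS
adm     Admin     Administrative stations (whitelisted)
loc     Local     Local network
net     Net       The Internet

# /etc/shorewall/interfaces -- "-" means eth1's zones come from the hosts file
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
-       eth1        detect      tcpflags

# /etc/shorewall/hosts -- 10.0.0.103 is also inside 0.0.0.0/0, so it is
# in BOTH zones; zone order above makes adm win for it
#ZONE   HOST(S)           OPTIONS
adm     eth1:10.0.0.103
loc     eth1:0.0.0.0/0

# /etc/shorewall/policy -- adm->all ACCEPT replaces the former ADM net CONTINUE
#SOURCE   DEST   POLICY   LOG LEVEL
adm       all    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION    SOURCE   DEST             PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
ACCEPT     $FW      net              tcp     53
ACCEPT     $FW      net              udp     53
ACCEPT     loc      $FW              tcp     22
ACCEPT     loc      $FW              tcp     www             # assumption: firewall's own Apache
ACCEPT     loc      $FW              icmp    8
ACCEPT     net      $FW              icmp    8
ACCEPT     $FW      loc              icmp
ACCEPT     $FW      net              icmp
ACCEPT     loc      $FW              tcp     5801,5901
ACCEPT     net      $FW              tcp     5801,5901
DNAT       net      loc:10.0.0.100   tcp     3389
# ACCEPT+ accepts in the filter table AND adds a nat-table exemption, so adm
# hosts are not caught by the REDIRECT below; it must come before the REDIRECT
ACCEPT+    adm      net              tcp     www
# "!" excludes the firewall's internal address (10.0.0.102) from proxying;
# without it only connections TO 10.0.0.102 would be redirected
REDIRECT   loc      3128             tcp     www            -                !10.0.0.102
ACCEPT     $FW      net              tcp     www             # Squid needs outbound http
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

After editing, "shorewall check" followed by "shorewall restart" applies the change, and "shorewall save" afterwards keeps the boot-time restore file in step with the edited configuration (the mismatch Tom flagged as possibility (a) earlier in the thread).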