Bob Alexander
2004-Dec-21 17:57 UTC
Defining "trusted" hosts/nets on a single interface system
Ok, I give up. I tried, really hard, before asking but I must be the most stupid shorewall user on the planet :(

My laptop runs a single eth0 interface and knows Net and Firewall as zones, and the default "inbound" policies are Net->Any DROP and Any->Any REJECT.

Now at home I have my trusted 192.168.174.240/29 subnet which hosts my very trusted 192.168.174.242 host, and I would like to accept quite a few protocols coming from that node/subnet (ftp clients and windows printer sharing amongst others).

I therefore tried defining a new ZONE called HomeLan and then a new "Zone Hosts" entry for zone HomeLan on eth0 with 192.168.174.240/29. I then defined a new default policy with source HomeLan, dest Firewall, Policy ACCEPT and placed it right under the first entry (FW->Net Accept).

Now if I try an ftp from 192.168.174.242 to my firewall I get:

Dec 21 18:48:06 localhost Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.168.174.242 DST=192.168.174.244 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=45825 DF PROTO=TCP SPT=1050 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0

What is it that I am not understanding ??

A second related question: did I interpret correctly the fact that if I want to reinstate the norfc1918 option on my eth0 network and still be able to accept packets from my home LAN, I need to list all the lines as computed by the wonderful shorewall iprange in the /etc/shorewall/norfc1918 file ?

Thank you very much
Bob

t40:/etc/shorewall# shorewall iprange 192.168.0.0-192.168.174.239
192.168.0.0/17
192.168.128.0/19
192.168.160.0/21
192.168.168.0/22
192.168.172.0/23
192.168.174.0/25
192.168.174.128/26
192.168.174.192/27
192.168.174.224/28
t40:/etc/shorewall# shorewall iprange 192.168.174.248-192.168.255.255
192.168.174.248/29
192.168.175.0/24
192.168.176.0/20
192.168.192.0/18
Tom Eastep
2004-Dec-21 18:29 UTC
Re: Defining "trusted" hosts/nets on a single interface system
On Tue, 2004-12-21 at 18:57 +0100, Bob Alexander wrote:

> Now if I try an ftp from 192.168.174.242 to my firewall I get:
>
> Dec 21 18:48:06 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
> SRC=192.168.174.242 DST=192.168.174.244 LEN=48 TOS=0x00 PREC=0x00
> TTL=128 ID=45825 DF PROTO=TCP SPT=1050 DPT=21 WINDOW=65535 RES=0x00 SYN
> URGP=0
>
> What is it that I am not understanding ??

Display your /etc/shorewall/zones file and read:

# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested

Go to http://www.shorewall.net/Documentation.htm#Nested and read this:

Such overlapping/nested zones are allowed and Shorewall processes zones in the order that they appear in the /etc/shorewall/zones file. So if you have nested zones, you want the sub-zone to appear before the super-zone...

Now consider your new zone. It is a sub-zone of the 'net' zone, right? -- does it appear in /etc/shorewall/zones before 'net'? I'm betting that it does not.

> A second related question: did I interpret correctly the fact that if I
> want to reinstate the norfc1918 option on my eth0 network and still be
> able to accept packets from my home LAN I need to list all the lines as
> computed by the wonderful shorewall iprange in the
> /etc/shorewall/norfc1918 file ?

Well, I would:

a) copy /usr/share/shorewall/rfc1918 to /etc
b) Add this AT THE FRONT of /etc/shorewall/rfc1918:

192.168.174.240/29 RETURN

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
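Both of Tom's points are about first-match ordering: the zone a packet lands in is the first entry in /etc/shorewall/zones whose definition covers it, and the rfc1918 file is walked top to bottom, so a RETURN line only exempts a subnet if it comes before the broader logdrop line. The following is an added example, not part of the thread and not Shorewall's own code. It is a small Python model of those two lookups using the thread's addresses; the zone names, the policy table and the rfc1918 subset are constructed from what Bob and Tom describe, and the real rfc1918 file of that era contained many more entries.

```python
"""Model of the two first-match orderings discussed in the thread.

Constructed example: mimics how Shorewall walks /etc/shorewall/zones
(sub-zones must precede super-zones) and /etc/shorewall/rfc1918 (a RETURN
entry at the front exempts a subnet). Simplified model, not Shorewall code.
"""
import ipaddress

IFACE = "eth0"

# /etc/shorewall/interfaces: the 'net' zone is everything arriving on eth0.
INTERFACE_ZONES = {"net": IFACE}

# /etc/shorewall/hosts: HomeLan is the /29 carved out of eth0 (constructed).
HOST_ZONES = {"HomeLan": [(IFACE, ipaddress.ip_network("192.168.174.240/29"))]}

# /etc/shorewall/policy, in file order, as Bob described it (constructed).
POLICY = [
    ("fw", "net", "ACCEPT"),
    ("HomeLan", "fw", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# Two candidate /etc/shorewall/zones orderings.
BROKEN_ORDER = ["fw", "net", "HomeLan"]   # super-zone listed first
FIXED_ORDER = ["fw", "HomeLan", "net"]    # sub-zone listed first


def zone_for(src, iface, zone_order):
    """Return the first zone in zone_order whose definition covers (iface, src)."""
    ip = ipaddress.ip_address(src)
    for zone in zone_order:
        if any(h_iface == iface and ip in net
               for h_iface, net in HOST_ZONES.get(zone, [])):
            return zone
        if INTERFACE_ZONES.get(zone) == iface:
            return zone
    return None


def policy_for(src_zone, dst_zone):
    """First matching policy line wins; 'all' is the wildcard."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"


def inbound_decision(src, zone_order):
    """Zone the packet lands in and the policy applied to src -> firewall."""
    zone = zone_for(src, IFACE, zone_order)
    return zone, policy_for(zone, "fw")


# /etc/shorewall/rfc1918 model: (subnet, target), first match wins.
# Constructed subset of the real file; RETURN means "not bogus, keep going".
RFC1918_FIXED = [
    (ipaddress.ip_network("192.168.174.240/29"), "RETURN"),  # Tom's front entry
    (ipaddress.ip_network("10.0.0.0/8"), "logdrop"),
    (ipaddress.ip_network("172.16.0.0/12"), "logdrop"),
    (ipaddress.ip_network("192.168.0.0/16"), "logdrop"),
]
# Same entries, but with the RETURN appended instead of prepended.
RFC1918_WRONG = RFC1918_FIXED[1:] + RFC1918_FIXED[:1]


def rfc1918_target(src, table):
    """Target of the first rfc1918 line covering src ('RETURN' if none)."""
    ip = ipaddress.ip_address(src)
    for net, target in table:
        if ip in net:
            return target
    return "RETURN"


def iprange(first, last):
    """What 'shorewall iprange' prints: the CIDR blocks that cover first..last."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    for order in (BROKEN_ORDER, FIXED_ORDER):
        print(order, inbound_decision("192.168.174.242", order))
    print("RETURN at front:", rfc1918_target("192.168.174.242", RFC1918_FIXED))
    print("RETURN at back: ", rfc1918_target("192.168.174.242", RFC1918_WRONG))
    gaps = (iprange("192.168.0.0", "192.168.174.239")
            + iprange("192.168.174.248", "192.168.255.255"))
    print(len(gaps), "norfc1918 lines needed vs. 1 RETURN line")
```

With net listed before HomeLan the 192.168.174.242 packet is classified as net and hits the net2all DROP policy seen in the log; with HomeLan first it gets the HomeLan->fw ACCEPT. The rfc1918 part shows why Tom says AT THE FRONT: moved to the end, the same RETURN line is shadowed by the 192.168.0.0/16 logdrop entry. The iprange helper reproduces the thirteen gap networks Bob computed, which a single RETURN line replaces.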
Bob Alexander
2004-Dec-21 19:37 UTC
Re: Defining "trusted" hosts/nets on a single interface system
Tom Eastep wrote:
> On Tue, 2004-12-21 at 18:57 +0100, Bob Alexander wrote:
>
>> Now if I try an ftp from 192.168.174.242 to my firewall I get:
>>
>> Dec 21 18:48:06 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
>> SRC=192.168.174.242 DST=192.168.174.244 LEN=48 TOS=0x00 PREC=0x00
>> TTL=128 ID=45825 DF PROTO=TCP SPT=1050 DPT=21 WINDOW=65535 RES=0x00 SYN
>> URGP=0
>>
>> What is it that I am not understanding ??
>
> Display your /etc/shorewall/zones file and read:
>
> # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
> # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
> #
> # See http://www.shorewall.net/Documentation.htm#Nested
>
> Go to http://www.shorewall.net/Documentation.htm#Nested and read this:
>
> Such overlapping/nested zones are allowed and Shorewall
> processes zones in the order that they appear in
> the /etc/shorewall/zones file. So if you have nested zones, you
> want the sub-zone to appear before the super-zone...
>
> Now consider your new zone. It is a sub-zone of the 'net' zone, right?
> -- does it appear in /etc/shorewall/zones before 'net'? I'm betting that
> it does not.
>
>> A second related question: did I interpret correctly the fact that if I
>> want to reinstate the norfc1918 option on my eth0 network and still be
>> able to accept packets from my home LAN I need to list all the lines as
>> computed by the wonderful shorewall iprange in the
>> /etc/shorewall/norfc1918 file ?
>
> Well, I would:
>
> a) copy /usr/share/shorewall/rfc1918 to /etc
> b) Add this AT THE FRONT of /etc/shorewall/rfc1918:
>
> 192.168.174.240/29 RETURN
>
> -Tom

Well Tom, my admiration keeps on growing. Really thank you.

So the order of zones is relevant. Got that now.

Good night.
Bob