I have a shorewall 2.0.14 running on a single interface machine (nwww in the log below) that is attempting to be well screwed down. The policy file reads:-

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    DROP     info
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

In the rules file I have:

AllowTrcrt   net   fw
AllowTrcrt   fw    net
ACCEPT       fw    net   icmp   11
ACCEPT       net   fw    icmp   11

Yet traceroute requests are not honoured coming into this box:-

Jan 10 11:37:00 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40996 PROTO=UDP SPT=40971 DPT=33459 LEN=18
Jan 10 11:37:05 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40997 PROTO=UDP SPT=40971 DPT=33460 LEN=18

where 212.x.x.x is the box whose rules are as above and 82.x.x.x is the box doing the traceroute query.

What have I missed?

Dirk
Dirk Koopman
2005-Jan-10 12:01 UTC
Re: Traceroute unblocking, single interface, policy drop
On Mon, 2005-01-10 at 11:42 +0000, Dirk Koopman wrote:
> In the rules file I have:
>
> AllowTrcrt   net   fw
> AllowTrcrt   fw    net
> ACCEPT       fw    net   icmp   11
> ACCEPT       net   fw    icmp   11
>
> Yet traceroute requests are not honoured coming into this box:-
>
> Jan 10 11:37:00 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40996 PROTO=UDP SPT=40971 DPT=33459 LEN=18
> Jan 10 11:37:05 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40997 PROTO=UDP SPT=40971 DPT=33460 LEN=18

Changing the rules to:-

AllowTrcrt   all   all
ACCEPT       all   all   icmp   11

Fixes the problem. As this is a single interface box, this then begs the question as to why? Is there a downside that I have not recognised?

Dirk
Dirk Koopman
2005-Jan-10 13:23 UTC
Re: Traceroute unblocking, single interface, policy drop
On Mon, 2005-01-10 at 12:01 +0000, Dirk Koopman wrote:
> On Mon, 2005-01-10 at 11:42 +0000, Dirk Koopman wrote:
> > In the rules file I have:
> >
> > AllowTrcrt   net   fw
> > AllowTrcrt   fw    net
> > ACCEPT       fw    net   icmp   11
> > ACCEPT       net   fw    icmp   11
> >
> > Yet traceroute requests are not honoured coming into this box:-
> >
> > Jan 10 11:37:00 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40996 PROTO=UDP SPT=40971 DPT=33459 LEN=18
> > Jan 10 11:37:05 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40997 PROTO=UDP SPT=40971 DPT=33460 LEN=18
>
> Changing the rules to:-
>
> AllowTrcrt   all   all
> ACCEPT       all   all   icmp   11
>
> Fixes the problem. As this is a single interface box, this then begs the
> question as to why? Is there a downside that I have not recognised?

Oops, sorry, it doesn't: finger / eye / brain malfunction

ACCEPT   all   all

does though, but then that isn't surprising :-(

I see you use:-

Processing /usr/share/shorewall/action.AllowTrcrt...
   Rule "ACCEPT - - udp 33434:33454" added.
   Rule "ACCEPT - - icmp 8" added.

But I am only 9 hops away. In the modern internet, it is not unusual to have 15+ hops and traceroute defaults to a maximum of 30. As each hop consumes three UDP ports then the range in AllowTrcrt is not enough. It will fail on the last test of the 6th hop. On the basis of allowing 30 full hop probes from a standard traceroute 33434:33524 would be better.

Where can I change this definition of AllowTrcrt (rather than do it with explicit ACCEPTs)?
Dirk Koopman wrote:
> On Mon, 2005-01-10 at 12:01 +0000, Dirk Koopman wrote:
>
>> On Mon, 2005-01-10 at 11:42 +0000, Dirk Koopman wrote:
>>
>>> In the rules file I have:
>>>
>>> AllowTrcrt   net   fw
>>> AllowTrcrt   fw    net
>>> ACCEPT       fw    net   icmp   11
>>> ACCEPT       net   fw    icmp   11
>>>
>>> Yet traceroute requests are not honoured coming into this box:-
>>>
>>> Jan 10 11:37:00 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40996 PROTO=UDP SPT=40971 DPT=33459 LEN=18
>>> Jan 10 11:37:05 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40997 PROTO=UDP SPT=40971 DPT=33460 LEN=18
>>
>> Changing the rules to:-
>>
>> AllowTrcrt   all   all
>> ACCEPT       all   all   icmp   11
>>
>> Fixes the problem. As this is a single interface box, this then begs the
>> question as to why? Is there a downside that I have not recognised?
>
>
> Oops, sorry, it doesn't: finger / eye / brain malfunction
>
> ACCEPT   all   all
>
> does though, but then that isn't surprising :-(
>
> I see you use:-
>
> Processing /usr/share/shorewall/action.AllowTrcrt...
>    Rule "ACCEPT - - udp 33434:33454" added.
>    Rule "ACCEPT - - icmp 8" added.
>
> But I am only 9 hops away. In the modern internet, it is not unusual to
> have 15+ hops and traceroute defaults to a maximum of 30. As each hop
> consumes three UDP ports then the range in AllowTrcrt is not enough. It
> will fail on the last test of the 6th hop. On the basis of allowing 30
> full hop probes from a standard traceroute 33434:33524 would be better.
>
> Where can I change this definition of AllowTrcrt (rather than do it with
> explicit ACCEPTs)?

Copy /usr/share/shorewall/action.AllowTrcrt to /etc/shorewall and change the copy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Dirk Koopman
2005-Jan-10 16:29 UTC
Re: Traceroute unblocking, single interface, policy drop
On Mon, 2005-01-10 at 07:30 -0800, Tom Eastep wrote:
> > Processing /usr/share/shorewall/action.AllowTrcrt...
> >    Rule "ACCEPT - - udp 33434:33454" added.
> >    Rule "ACCEPT - - icmp 8" added.
> >
> > But I am only 9 hops away. In the modern internet, it is not unusual to
> > have 15+ hops and traceroute defaults to a maximum of 30. As each hop
> > consumes three UDP ports then the range in AllowTrcrt is not enough. It
> > will fail on the last test of the 6th hop. On the basis of allowing 30
> > full hop probes from a standard traceroute 33434:33524 would be better.
> >
> > Where can I change this definition of AllowTrcrt (rather than do it with
> > explicit ACCEPTs)?
>
> Copy /usr/share/shorewall/action.AllowTrcrt to /etc/shorewall and change
> the copy.
>

Thank you. Done.

As the original, issued, version says that it is good for 20 hops, should you actually have:

ACCEPT - - udp 33434:33494

rather than 33434:33454? Every probe in a traceroute will use one port, ie:

[djk@dirk3 djk]$ traceroute www.shorewall.net
traceroute to www.rettc.com (216.211.130.20), 30 hops max, 38 byte packets
 1  gate (192.168.1.254)  0.660 ms  0.123 ms  0.131 ms
      uses udp port: 33434 33435 33436
 2  gauss-dsl.zen.net.uk (62.3.82.18)  16.300 ms  48.941 ms  15.972 ms
      uses udp port: 33437 33438 33439

etc. Each traceroute "hop" actually uses three udp ports because it does three udp TTL probes (as default) and not one, which I think is the assumption.

Dirk
Dirk Koopman wrote:
> On Mon, 2005-01-10 at 07:30 -0800, Tom Eastep wrote:
>
>>> Processing /usr/share/shorewall/action.AllowTrcrt...
>>>    Rule "ACCEPT - - udp 33434:33454" added.
>>>    Rule "ACCEPT - - icmp 8" added.
>>>
>>> But I am only 9 hops away. In the modern internet, it is not unusual to
>>> have 15+ hops and traceroute defaults to a maximum of 30. As each hop
>>> consumes three UDP ports then the range in AllowTrcrt is not enough. It
>>> will fail on the last test of the 6th hop. On the basis of allowing 30
>>> full hop probes from a standard traceroute 33434:33524 would be better.
>>>
>>> Where can I change this definition of AllowTrcrt (rather than do it with
>>> explicit ACCEPTs)?
>>
>> Copy /usr/share/shorewall/action.AllowTrcrt to /etc/shorewall and change
>> the copy.
>>
>
> Thank you. Done.
>
> As the original, issued, version says that it is good for 20 hops,
> should you actually have:
>
> ACCEPT - - udp 33434:33494
>
> rather than 33434:33454? Every probe in a traceroute will use one port,
> ie:
>
> [djk@dirk3 djk]$ traceroute www.shorewall.net
> traceroute to www.rettc.com (216.211.130.20), 30 hops max, 38 byte packets
>  1  gate (192.168.1.254)  0.660 ms  0.123 ms  0.131 ms
>       uses udp port: 33434 33435 33436
>  2  gauss-dsl.zen.net.uk (62.3.82.18)  16.300 ms  48.941 ms  15.972 ms
>       uses udp port: 33437 33438 33439
>
> etc. Each traceroute "hop" actually uses three udp ports because it does
> three udp TTL probes (as default) and not one, which I think is the
> assumption.

I've expanded to 30 hops and 33434:33524 in both 2.0 and 2.2

Thanks,
-Tom
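An added example, not code from the thread or from Shorewall, that works through the port arithmetic behind the AllowTrcrt range discussed above and checks the two DROP lines from the first message against the shipped 33434:33454 rule and the widened 33434:33524 one. It assumes the classic UDP traceroute behaviour described in the thread (first probe to port 33434, one port per probe, three probes per hop) and the netfilter LOG line layout quoted there.

```python
import re

# Constructed example, not from the thread or Shorewall. Assumes the classic UDP traceroute
# behaviour the thread describes: first probe to port 33434, one port per probe, 3 probes per hop.
BASE_PORT = 33434

def traceroute_port_range(max_hops, probes_per_hop=3):
    """(first, last) UDP destination port a traceroute limited to max_hops needs."""
    return BASE_PORT, BASE_PORT + max_hops * probes_per_hop - 1

def hops_covered(last_port, probes_per_hop=3):
    """Complete hops that 'ACCEPT - - udp 33434:last_port' lets through."""
    return (last_port - BASE_PORT + 1) // probes_per_hop

def hop_and_probe(dport, probes_per_hop=3):
    """Map a probe's destination port back to a 1-based (hop, probe) pair."""
    offset = dport - BASE_PORT
    return offset // probes_per_hop + 1, offset % probes_per_hop + 1

_LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):.*?\bPROTO=(?P<proto>\w+)\b"
                     r".*?\bDPT=(?P<dpt>\d+)\b")  # only the fields of a LOG line this check needs

def parse_log(line):
    m = _LOG_RE.search(line)
    if m is None:
        return None
    return {"chain": m["chain"], "disposition": m["disp"], "proto": m["proto"], "dpt": int(m["dpt"])}

def allowtrcrt_matches(entry, last_port):
    """Would the AllowTrcrt rule 'ACCEPT - - udp 33434:last_port' have matched this entry?"""
    return entry is not None and entry["proto"] == "UDP" and BASE_PORT <= entry["dpt"] <= last_port

# The two DROP lines quoted in the first message (MAC and addresses redacted as they are there).
LOG_LINES = [
    "Jan 10 11:37:00 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x "
    "DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40996 PROTO=UDP SPT=40971 DPT=33459 LEN=18",
    "Jan 10 11:37:05 nwww kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<macaddr> SRC=82.x.x.x "
    "DST=212.x.x.x LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=40997 PROTO=UDP SPT=40971 DPT=33460 LEN=18",
]

def explain(lines, shipped_last=33454, widened_last=33524):
    """Per DROP line: (dpt, hop, probe, admitted by shipped range, admitted by widened range)."""
    report = []
    for entry in map(parse_log, lines):
        if entry is None or entry["disposition"] != "DROP":
            continue
        hop, probe = hop_and_probe(entry["dpt"])
        old, new = allowtrcrt_matches(entry, shipped_last), allowtrcrt_matches(entry, widened_last)
        report.append((entry["dpt"], hop, probe, old, new))
    return report
```

Calling explain(LOG_LINES) classifies both dropped probes as the second and third probes of hop 9, outside 33434:33454 and inside 33434:33524. hops_covered() shows the shipped range admits seven complete hops and the widened one thirty.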