Hi people,

I am running the latest version of Debian 'Sarge'. I have installed, hopefully, the latest version of Shorewall, as described on the website. The firewall has been installed with no problems and runs OK, but I have found a strange problem; maybe it's me *shrug*

My setup:

Internet<-->cablemodem<-->Debianfirewall<-->hub<-->windowspc

I am on cable, and get my IP from DHCP. eth0 on the firewall gets a public IP and has a private IP of 192.168.10.45. eth1 has the IP 192.168.20.1 and the Windows PC has 192.168.20.2.

The problem:

The firewall starts fine; I have set up masq so I can use my Windows computer. I can ssh into Debian with no problems, I can ping and traceroute to other computers on the internet, I can connect to various IRC servers around the world, but I can't access any of my email accounts, not sure why. Also, I can't access any remote website unless I use a proxy server, enabled in IE; then it works fine, remove the proxy, and it's dead.

These are my settings:

Interfaces:

##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,tcpflags
loc     eth1        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq:

#############################################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy:

###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw        net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

rules:

##############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                 PORT      PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
ACCEPT    fw       loc    icmp
ACCEPT    fw       net    icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Zones:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

As you can see, I have not altered many of the default settings. I was under the impression that anything from loc --> net was accepted without any problems.

Am I missing anything or have I messed up?

Thanks

Kevin
Any messages in dmesg? traceroute works through the firewall but TCP packets to port 25 don't? That's strange.

Jan

Tech-Mind wrote:
> The firewall starts fine; I have set up masq so I can use my Windows
> computer. I can ssh into Debian with no problems, I can ping and
> traceroute to other computers on the internet, I can connect to various
> IRC servers around the world, but I can't access any of my email accounts,
> not sure why. Also, I can't access any remote website unless I use
> a proxy server, enabled in IE; then it works fine, remove the proxy, and
> it's dead.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tech-Mind wrote:
> As you can see, I have not altered many of the default settings. I was
> under the impression, that anything from loc --> net was accepted
> without any problems.
>
> Am I missing anything or have I messed up?
>

Please look at http://shorewall.net/support.htm for instructions for creating a proper problem report. In particular, please pay attention to the bullet that begins "THIS IS IMPORTANT!".

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
AllowDNS loc fw in /etc/shorewall/rules (assuming you have BIND or dnsmasq already up).

On Fri, 11 Feb 2005 19:44:06 -0000, Tech-Mind <techmind@kitsonik.com> wrote:
> I can ssh into Debian with no problems, I can ping and traceroute to other computers on the
> internet, I can connect to various IRC servers around the world, but I can't access any of my
> email accounts, not sure why. Also, I can't access any remote website unless I use a proxy
> server, enabled in IE; then it works fine, remove the proxy, and it's dead.
Robert K Coffman Jr - Info From Data Corporation
2005-Feb-11 19:54 UTC
RE: Odd proxy problems
What is the purpose of the private IP on eth0? I don't think you want that. If you have an additional network at 192.168.10 I think it would be best to install another NIC in your firewall.

- Bob Coffman

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tech-Mind
Sent: Friday, February 11, 2005 2:44 PM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Odd proxy problems

I am on cable, and get my IP from DHCP. eth0 on the firewall gets a public IP and has a private IP of 192.168.10.45. eth1 has the IP 192.168.20.1 and the Windows PC has 192.168.20.2.
Hi,

Sorry about that. Here's the info:

debian:~# shorewall version
2.2.0

debian:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:84:77:66:c2 brd ff:ff:ff:ff:ff:ff
    inet 81.103.12.184/24 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:84:77:66:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.1/24 brd 192.168.20.255 scope global eth1

debian:~# ip route show
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.1
81.103.12.0/24 dev eth0  proto kernel  scope link  src 81.103.12.184
default via 81.103.12.254 dev eth0

For /sbin/shorewall status please see attached file.

Installed following --> two-interfaces quickguide

Now, I can't access any remote service/server from my Windows computer, but can still ssh.

Any help would be greatly appreciated.

Thanks

Kevin
Tech-Mind wrote:
> Hi,
>
> Sorry about that. Here's the info:
>

In the Two-interface quickstart guide, one of the steps flagged with a red arrow is:

"If you are using the Debian package, please check your shorewall.conf file to ensure that the following are set correctly; if they are not, change them appropriately:

    * NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)
    * IP_FORWARDING=On"

You didn't do that -- as a consequence, your firewall is not forwarding.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
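Bob's question about the private address on eth0 and Tom's IP_FORWARDING diagnosis both come down to checks that can be run on the firewall itself before anyone touches the rules file. The script below is an added example, not something posted in this thread and not part of Shorewall: it parses shorewall.conf, /etc/shorewall/interfaces and the output of `ip addr show` / `ip route show` and reports whether the box can actually forward for the loc zone. The IP_FORWARDING setting, the norfc1918 interface option and the file paths are real Shorewall 2.x items; the function names, the failing IP_FORWARDING=Off sample and the sample command output (constructed here, modelled on what Kevin posted, with the 192.168.10.45 address from his first message added to eth0) are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a Shorewall two-interface masquerading gateway.
# Added example, not part of the thread or of Shorewall itself. Every parser
# reads text from stdin, so it works on live output (ip addr show | rfc1918_addrs eth0)
# as well as on the captured samples at the bottom.

# IP_FORWARDING value from shorewall.conf, lowercased ("on", "off", "keep"),
# or "unset" if the variable is absent. Shorewall 2.x writes this setting to
# /proc/sys/net/ipv4/ip_forward when it starts; without "on", masq cannot work.
forwarding_setting() {
    awk -F= '/^[ \t]*IP_FORWARDING[ \t]*=/ { v = $2; gsub("[ \t\"]", "", v)
                                              print tolower(v); found = 1 }
             END { if (!found) print "unset" }'
}

# Interfaces that carry the norfc1918 option in /etc/shorewall/interfaces.
norfc1918_ifaces() {
    awk '!/^[ \t]*#/ && NF >= 4 && ("," $4 ",") ~ /,norfc1918,/ { print $2 }'
}

# RFC 1918 addresses in "ip -4 addr show" output, optionally limited to the
# interface named in $1. Prints "iface addr/prefix" per match.
rfc1918_addrs() {
    awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        $1 == "inet" && (want == "" || iface == want) {
            split($2, a, "/"); split(a[1], o, ".")
            if (o[1] + 0 == 10 || (o[1] + 0 == 192 && o[2] + 0 == 168) ||
                (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31))
                print iface, $2
        }'
}

# Interface the default route leaves by, from "ip route show" output.
default_via() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# preflight CONF INTERFACES IPADDR ROUTES NET_IFACE
# Returns 0 when the box can forward for loc, 1 when a hard failure is found.
# A private address on a norfc1918 interface is only a warning: Shorewall uses
# that option to filter RFC 1918 source addresses on the interface, so the
# address is worth questioning but is not by itself what stops forwarding.
preflight() {
    pf_fw=$(printf '%s\n' "$1" | forwarding_setting)
    pf_dev=$(printf '%s\n' "$4" | default_via)
    pf_rc=0
    if [ "$pf_fw" != "on" ]; then
        echo "FAIL: IP_FORWARDING=$pf_fw in shorewall.conf; set IP_FORWARDING=On and restart"
        pf_rc=1
    fi
    if [ "$pf_dev" != "$5" ]; then
        echo "FAIL: default route leaves via '${pf_dev:-none}', expected net interface $5"
        pf_rc=1
    fi
    for pf_if in $(printf '%s\n' "$2" | norfc1918_ifaces); do
        printf '%s\n' "$3" | rfc1918_addrs "$pf_if" | while read -r pf_wdev pf_waddr; do
            echo "WARN: $pf_wdev is marked norfc1918 but carries RFC 1918 address $pf_waddr"
        done
    done
    return $pf_rc
}

# --- constructed sample input, modelled on the thread (not real captures) ---
CONF_OFF='STARTUP_ENABLED=Yes
IP_FORWARDING=Off'
CONF_ON='STARTUP_ENABLED=Yes
IP_FORWARDING=On'
INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,tcpflags
loc     eth1        detect      tcpflags'
IPADDR='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 81.103.12.184/24 brd 255.255.255.255 scope global eth0
    inet 192.168.10.45/24 brd 192.168.10.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global eth1'
ROUTES='192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.1
81.103.12.0/24 dev eth0  proto kernel  scope link  src 81.103.12.184
default via 81.103.12.254 dev eth0'

echo "-- with IP_FORWARDING=Off (the state the thread describes):"
if preflight "$CONF_OFF" "$INTERFACES" "$IPADDR" "$ROUTES" eth0; then
    echo "== forwarding prerequisites met"
else
    echo "== fix the FAIL lines above, then: shorewall restart"
fi
echo "-- after setting IP_FORWARDING=On:"
if preflight "$CONF_ON" "$INTERFACES" "$IPADDR" "$ROUTES" eth0; then
    echo "== forwarding prerequisites met"
fi
```

On a live Debian box the same functions take the real files and command output: `preflight "$(cat /etc/shorewall/shorewall.conf)" "$(cat /etc/shorewall/interfaces)" "$(ip -4 addr show)" "$(ip route show)" eth0`. The default-route check catches the other common cause of "ssh works, nothing is forwarded": a net interface that is not actually the one the box routes out of. The client-side half of Tom's advice (the Windows box's default gateway must be 192.168.20.1) has to be checked on the client and is deliberately not covered here.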
Hi,

>     * NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)
>     *
>

Was unable to find the above setting in the shorewall.conf

> IP_FORWARDING=On"

Found this one, and set it 'On'

Still unable to forward from Windows

Any ideas?

Thanks

Kev
Tech-Mind wrote:
> Hi,
>
>>     * NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)
>>     *
>
> Was unable to find the above setting in the shorewall.conf

Exactly what do you think that "Shorewall versions earlier than 1.4.6" means? Hint: You are running Shorewall version 2.2.0.

>> IP_FORWARDING=On"
>
> Found this one, and set it 'On'
>
> Still unable to forward from Windows
>
> Any ideas?

Well, given that you missed the above red-arrow step, it is likely that you missed more (for example, have you set the Windows box's default gateway to the internal IP address of the firewall (192.168.20.1)?).

I suggest that you go back through them and check them again.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tech-Mind wrote:
>> Any ideas?
>
> Well, given that you missed the above red-arrow step, it is likely that
> you missed more (for example, have you set the Windows box's default
> gateway to the internal IP address of the firewall (192.168.20.1)?).
>
> I suggest that you go back through them and check them again.

FWIW, from looking at the status output that you posted, I don't see anything else wrong with your Shorewall configuration.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Hi folks,

Well, the problem has been all sorted; everything works great now. I got a bit annoyed on Sunday and decided to do a complete re-install of Sarge. Drastic, I know. Set everything up as per the instructions, and now it works. No idea why it did not work before *shrug*; I guess I missed a setting or something.

Just want to say a BIG thank you to everyone who sent me an email, both on the list and in private, for all the invaluable help.

Thank you

Kev