thr3ads.net - Shorewall users - Newbie going through a probably stupid thing [May 2005]

If this information is useful, please help other people find it:
Share via:

Bob Alexander

2005-May-25 16:24 UTC

Newbie going through a probably stupid thing

Believe me:

Read the FAQ
Checked over and over

This might be toooooo stupid to be documented.

Please bear with me. Any help ?

Situation: single card standalone "firewall" (used like a
"personal
firewall"). Have sshd running on the FW. Want the sshd daemon to be 
accessible only from 2 LANs:

1) My other home LAN machine
2) IBM intranet machines (9.0.0.0)

Whatever I have tried if the rule is written like Any2FW or Net2FW it 
works but IBM2FW does not (the net2all chain is hit with it''s DROP
action).


Here follows my FW status.

Thank you very much for any  help,
Bob Alexander
> Shorewall-2.2.3 Status at t40 - Wed May 25 18:10:00 CEST 2005
> 
> Counters reset Wed May 25 18:04:14 CEST 2005
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
>  1748  279K ACCEPT     all  --  lo     *       0.0.0.0/0           
0.0.0.0/0
>   251  168K eth0_in    all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 ppp0_in    all  --  ppp0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 ath0_in    all  --  ath0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:''
>     0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 ath0_fwd   all  --  ath0   *       0.0.0.0/0           
0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:''
>     0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>     0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>     0     0 ACCEPT     udp  --  *      ath0    0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>     0     0 fw2home    all  --  *      eth0    0.0.0.0/0           
192.168.174.242
>   254 27951 fw2net     all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0
>     0     0 fw2net     all  --  *      ppp0    0.0.0.0/0           
0.0.0.0/0
>     0     0 fw2net     all  --  *      ath0    0.0.0.0/0           
0.0.0.0/0
>     0     0 all2all    all  --  *      eth0    0.0.0.0/0           
9.132.183.77
>  1748  279K fw2fw      all  --  *      lo      0.0.0.0/0           
0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:''
>     0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain AllowICMPs (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0           icmp type 3 code 4
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0           icmp type 11
> 
> Chain Drop (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>    13  2382 RejectAuth  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>    13  2382 dropBcast  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 AllowICMPs  icmp --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 dropInvalid  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 DropSMB    all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 DropUPnP   all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 dropNotSyn  tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 DropDNSrep  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain DropDNSrep (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp spt:53
> 
> Chain DropPing (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       icmp --  *      *       0.0.0.0/0           
0.0.0.0/0           icmp type 8
> 
> Chain DropSMB (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:135
>     0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpts:137:139
>     0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:445
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:135
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:139
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:445
> 
> Chain DropUPnP (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:1900
> 
> Chain IBM2fw (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:22
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:22
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain Reject (4 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 RejectAuth  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 dropBcast  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 AllowICMPs  icmp --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 dropInvalid  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 RejectSMB  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 DropUPnP   all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 DropDNSrep  all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain RejectAuth (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:113
> 
> Chain RejectSMB (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:135
>     0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpts:137:139
>     0     0 reject     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:445
>     0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:135
>     0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:139
>     0     0 reject     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:445
> 
> Chain all2all (10 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:''
>     0     0 reject     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain ath0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
192.168.174.242
>     0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0
>     0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0           
0.0.0.0/0
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
9.132.183.77
> 
> Chain ath0_in (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>     0     0 net2fw     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain dropBcast (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>    12  2322 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0           PKTTYPE = broadcast
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0           PKTTYPE = multicast
> 
> Chain dropInvalid (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID
> 
> Chain dropNotSyn (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp flags:!0x16/0x02
> 
> Chain dynamic (6 references)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain eth0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 norfc1918  all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state NEW
>     0     0 tcpflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 all2all    all  --  *      eth0    192.168.174.242     
0.0.0.0/0
>     0     0 all2all    all  --  *      ppp0    192.168.174.242     
0.0.0.0/0
>     0     0 all2all    all  --  *      ath0    192.168.174.242     
0.0.0.0/0
>     0     0 all2all    all  --  *      eth0    192.168.174.242     
9.132.183.77
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
192.168.174.242
>     0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0           
0.0.0.0/0
>     0     0 ACCEPT     all  --  *      ath0    0.0.0.0/0           
0.0.0.0/0
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
9.132.183.77
>     0     0 all2all    all  --  *      eth0    9.132.183.77        
192.168.174.242
>     0     0 all2all    all  --  *      eth0    9.132.183.77        
0.0.0.0/0
>     0     0 all2all    all  --  *      ppp0    9.132.183.77        
0.0.0.0/0
>     0     0 all2all    all  --  *      ath0    9.132.183.77        
0.0.0.0/0
> 
> Chain eth0_in (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>    13  2382 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>    13  2382 norfc1918  all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state NEW
>   235  165K tcpflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 home2fw    all  --  *      *       192.168.174.242     
0.0.0.0/0
>   251  168K net2fw     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 IBM2fw     all  --  *      *       9.132.183.77        
0.0.0.0/0
> 
> Chain fw2fw (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>  1739  279K ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     9   545 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 all2all    all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain fw2home (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain fw2net (3 references)
>  pkts bytes target     prot opt in     out     source              
destination
>   237 26925 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0
>    17  1026 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain home2fw (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain icmpdef (0 references)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain logflags (5 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 4 level 6 prefix
`Shorewall:logflags:DROP:''
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain net2all (7 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>    13  2382 Drop       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     1    60 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
>     1    60 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain net2fw (3 references)
>  pkts bytes target     prot opt in     out     source              
destination
>   238  166K ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     254  --  *      *       0.0.0.0/0           
0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:5900
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpt:63572
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp dpt:63572
>    13  2382 DropPing   all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>    13  2382 net2all    all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain norfc1918 (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 RETURN     all  --  *      *       192.168.174.240/29  
0.0.0.0/0
>     0     0 RETURN     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           ctorigdst 192.168.174.240/29
>     0     0 rfc1918    all  --  *      *       172.16.0.0/12       
0.0.0.0/0
>     0     0 rfc1918    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           ctorigdst 172.16.0.0/12
>     0     0 rfc1918    all  --  *      *       192.168.0.0/16      
0.0.0.0/0
>     0     0 rfc1918    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           ctorigdst 192.168.0.0/16
>     0     0 rfc1918    all  --  *      *       10.0.0.0/8          
0.0.0.0/0
>     0     0 rfc1918    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           ctorigdst 10.0.0.0/8
> 
> Chain ppp0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
192.168.174.242
>     0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0           
0.0.0.0/0
>     0     0 ACCEPT     all  --  *      ath0    0.0.0.0/0           
0.0.0.0/0
>     0     0 net2all    all  --  *      eth0    0.0.0.0/0           
9.132.183.77
> 
> Chain ppp0_in (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0           
0.0.0.0/0           state INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           udp dpts:67:68
>     0     0 net2fw     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain reject (11 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0           PKTTYPE = broadcast
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0           PKTTYPE = multicast
>     0     0 DROP       all  --  *      *       9.132.182.255       
0.0.0.0/0
>     0     0 DROP       all  --  *      *       255.255.255.255     
0.0.0.0/0
>     0     0 DROP       all  --  *      *       224.0.0.0/4         
0.0.0.0/0
>     0     0 REJECT     tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           reject-with tcp-reset
>     0     0 REJECT     udp  --  *      *       0.0.0.0/0           
0.0.0.0/0           reject-with icmp-port-unreachable
>     0     0 REJECT     icmp --  *      *       0.0.0.0/0           
0.0.0.0/0           reject-with icmp-host-unreachable
>     0     0 REJECT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0           reject-with icmp-host-prohibited
> 
> Chain rfc1918 (6 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''
>     0     0 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Chain shorewall (0 references)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain smurfs (0 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 LOG        all  --  *      *       9.132.182.255       
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
>     0     0 DROP       all  --  *      *       9.132.182.255       
0.0.0.0/0
>     0     0 LOG        all  --  *      *       255.255.255.255     
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
>     0     0 DROP       all  --  *      *       255.255.255.255     
0.0.0.0/0
>     0     0 LOG        all  --  *      *       224.0.0.0/4         
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
>     0     0 DROP       all  --  *      *       224.0.0.0/4         
0.0.0.0/0
> 
> Chain tcpflags (2 references)
>  pkts bytes target     prot opt in     out     source              
destination
>     0     0 logflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp flags:0x3F/0x29
>     0     0 logflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp flags:0x3F/0x00
>     0     0 logflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp flags:0x06/0x06
>     0     0 logflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp flags:0x03/0x03
>     0     0 logflags   tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0           tcp spt:0 flags:0x16/0x02
> 
> May 25 17:37:57 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44517 DF
PROTO=TCP SPT=32810 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:42:06 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17373 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:42:09 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17374 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:42:15 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17375 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:42:27 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17376 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:42:51 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17377 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:43:39 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17378 DF
PROTO=TCP SPT=32812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:46:29 localhost Shorewall:net2fw:ACCEPT:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49273 DF
PROTO=TCP SPT=32813 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:50:19 localhost Shorewall:net2fw:ACCEPT:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8953 DF
PROTO=TCP SPT=32814 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:50:44 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57680 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:50:47 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57681 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:50:53 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57682 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:51:05 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57683 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:51:29 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57684 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:52:17 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57685 DF
PROTO=TCP SPT=32815 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 17:53:22 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9860 DF
PROTO=TCP SPT=32816 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 18:00:19 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11175 DF
PROTO=TCP SPT=32817 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 18:00:22 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11176 DF
PROTO=TCP SPT=32817 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 18:00:28 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11177 DF
PROTO=TCP SPT=32817 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> May 25 18:04:15 localhost Shorewall:net2all:DROP:IN=eth0 OUT=
SRC=9.132.183.77 DST=9.132.182.82 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48930 DF
PROTO=TCP SPT=32819 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> NAT Table
> 
> Chain PREROUTING (policy ACCEPT 404 packets, 53981 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain POSTROUTING (policy ACCEPT 318 packets, 19195 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain OUTPUT (policy ACCEPT 318 packets, 19195 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Mangle Table
> 
> Chain PREROUTING (policy ACCEPT 43168 packets, 14M bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain INPUT (policy ACCEPT 43164 packets, 14M bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain OUTPUT (policy ACCEPT 40074 packets, 6259K bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> Chain POSTROUTING (policy ACCEPT 40074 packets, 6259K bytes)
>  pkts bytes target     prot opt in     out     source              
destination
> 
> tcp      6 429651 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=49539
dport=631 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=49539 use=1
> tcp      6 431894 ESTABLISHED src=9.132.182.82 dst=206.124.146.177
sport=54222 dport=80 src=206.124.146.177 dst=9.132.182.82 sport=80 dport=54222
[ASSURED] use=1
> tcp      6 431883 ESTABLISHED src=9.132.182.82 dst=206.124.146.177
sport=54223 dport=80 src=206.124.146.177 dst=9.132.182.82 sport=80 dport=54223
[ASSURED] use=1
> tcp      6 431829 ESTABLISHED src=9.132.182.82 dst=216.239.59.103
sport=58764 dport=80 src=216.239.59.103 dst=9.132.182.82 sport=80 dport=58764
[ASSURED] use=1
> udp      17 54 src=9.132.182.82 dst=9.64.163.21 sport=32769 dport=53
src=9.64.163.21 dst=9.132.182.82 sport=53 dport=32769 [ASSURED] use=1
> tcp      6 6 CLOSE src=127.0.0.1 dst=127.0.0.1 sport=38687 dport=10000
src=127.0.0.1 dst=127.0.0.1 sport=10000 dport=38687 [ASSURED] use=1
> tcp      6 431806 ESTABLISHED src=9.132.182.82 dst=206.124.146.177
sport=35073 dport=80 src=206.124.146.177 dst=9.132.182.82 sport=80 dport=35073
[ASSURED] use=1
> tcp      6 431806 ESTABLISHED src=9.132.182.82 dst=206.124.146.177
sport=35071 dport=80 src=206.124.146.177 dst=9.132.182.82 sport=80 dport=35071
[ASSURED] use=1
> tcp      6 431829 ESTABLISHED src=9.132.182.82 dst=216.239.59.103
sport=58763 dport=80 src=216.239.59.103 dst=9.132.182.82 sport=80 dport=58763
[ASSURED] use=1
> udp      17 54 src=127.0.0.1 dst=127.0.0.1 sport=32771 dport=53
src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32771 [ASSURED] use=1
> tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=38688
dport=10000 src=127.0.0.1 dst=127.0.0.1 sport=10000 dport=38688 [ASSURED] use=1
> 
> IP Configuration
> 
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:09:6b:53:12:f1 brd ff:ff:ff:ff:ff:ff
>     inet 9.132.182.82/24 brd 9.132.182.255 scope global eth0
> 
> IP Stats
> 
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     RX: bytes  packets  errors  dropped overrun mcast   
>     5958637    36424    0       0       0       0      
>     TX: bytes  packets  errors  dropped carrier collsns 
>     5958637    36424    0       0       0       0      
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:09:6b:53:12:f1 brd ff:ff:ff:ff:ff:ff
>     RX: bytes  packets  errors  dropped overrun mcast   
>     8655889    6994     0       0       0       0      
>     TX: bytes  packets  errors  dropped carrier collsns 
>     381569     3735     0       0       0       0      
> 
> /proc
> 
>    /proc/sys/net/ipv4/ip_forward = 1
>    /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
>    /proc/sys/net/ipv4/conf/all/proxy_arp = 0
>    /proc/sys/net/ipv4/conf/all/arp_filter = 0
>    /proc/sys/net/ipv4/conf/all/rp_filter = 1
>    /proc/sys/net/ipv4/conf/all/log_martians = 0
>    /proc/sys/net/ipv4/conf/default/proxy_arp = 0
>    /proc/sys/net/ipv4/conf/default/arp_filter = 0
>    /proc/sys/net/ipv4/conf/default/rp_filter = 1
>    /proc/sys/net/ipv4/conf/default/log_martians = 0
>    /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
>    /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
>    /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
>    /proc/sys/net/ipv4/conf/eth0/log_martians = 0
>    /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
>    /proc/sys/net/ipv4/conf/lo/arp_filter = 0
>    /proc/sys/net/ipv4/conf/lo/rp_filter = 0
>    /proc/sys/net/ipv4/conf/lo/log_martians = 0
> RTNETLINK answers: Invalid argument
> Dump terminated
> 
> Routing Table
> 
> 9.132.182.0/24 dev eth0  proto kernel  scope link  src 9.132.182.82 
> default via 9.132.182.1 dev eth0 
> 
> ARP
> 
> ? (9.132.182.1) at 00:00:0C:07:AC:00 [ether] on eth0
> 
> Modules
> 
> ipt_REJECT              6912  4 
> ipt_LOG                 7232  10 
> ipt_state               1920  17 
> ipt_pkttype             1664  4 
> ipt_recent             11276  0 
> ipt_iprange             1792  0 
> ipt_multiport           2496  0 
> ipt_conntrack           2560  4 
> ip_nat_irc              2432  0 
> ip_nat_ftp              3136  0 
> ip_conntrack_irc       72080  1 ip_nat_irc
> ip_conntrack_ftp       73040  1 ip_nat_ftp
> ip_conntrack           45208  7
ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp
> ip_tables              22336  11
ipt_REJECT,ipt_LOG,ipt_state,ipt_pkttype,ipt_recent,ipt_iprange,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter

Jerry Vonau

2005-May-25 16:49 UTC

head link

Re: Newbie going through a probably stupid thing

----- Original Message -----
From: "Bob Alexander" <bob@ngi.it>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, May 25, 2005 11:24
Subject: [Shorewall-users] Newbie going through a probably stupid
thing

> Believe me:
>
> Read the FAQ
> Checked over and over
>
> This might be toooooo stupid to be documented.
>
> Please bear with me. Any help ?
>
> Situation: single card standalone "firewall" (used like a
"personal
> firewall"). Have sshd running on the FW. Want the sshd daemon to be
> accessible only from 2 LANs:
>
> 1) My other home LAN machine
> 2) IBM intranet machines (9.0.0.0)
>
> Whatever I have tried if the rule is written like Any2FW or Net2FW
it> works but IBM2FW does not (the net2all chain is hit with it''s DROP
action).>
>
> Here follows my FW status.
>
> Thank you very much for any  help,
> Bob Alexander
>Bob:

Mind posting the config files?
Sometimes it just the ordering of enteries in the files.
Have a look at:
http://www.shorewall.net/Multiple_Zones.html

Note the part in nested zones area about the ordering of the subzone
enteried
in the zones file.

Jerry Vonau

Keith Edmunds

2005-May-25 16:49 UTC

head link

Re: Newbie going through a probably stupid thing

Bob Alexander wrote:> Situation: single card standalone "firewall" (used like a
"personal
> firewall"). Have sshd running on the FW. Want the sshd daemon to be 
> accessible only from 2 LANs:
> 
> 
> 
> 1) My other home LAN machine
> 
> 2) IBM intranet machines (9.0.0.0)
In /etc/shorewall/rules:

AllowSSH	net:1.2.3.4	fw
AllowSSH	net:9.0.0.0/8	fw

(assuming your LAN machine is 1.2.3.4)

I would actually put the following in /etc/shorewall/params:

LANPC=net:1.2.3.4
IBM=net:9.0.0.0/8

and then /etc/shorewall/rules becomes:

AllowSSH	$LANPC	fw
AllowSSH	$IBM	fw

Now, when you read the one interface quickstart document, what part of 
it didn''t make sense?

-- 
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |    http://www.TheLinuxConsultancy.co.uk    
|
+---------------------------------------------------------------------+

Eduardo Ferreira

2005-May-25 16:52 UTC

head link

Re: Newbie going through a probably stupid thing

Bob Alexander wrote on 25/05/2005 13:24:30:> Situation: single card standalone "firewall" (used like a
"personal
> firewall"). Have sshd running on the FW. Want the sshd daemon to be 
> accessible only from 2 LANs:
> 
> 1) My other home LAN machine
> 2) IBM intranet machines (9.0.0.0)
> 
> Whatever I have tried if the rule is written like Any2FW or Net2FW it 
> works but IBM2FW does not (the net2all chain is hit with it''s DROP
action).> 
> > Chain eth0_in (1 references)
> >  pkts bytes target     prot opt in     out     source 
> destination 
> >    13  2382 dynamic    all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state INVALID,NEW 
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           udp dpts:67:68 
> >    13  2382 norfc1918  all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state NEW 
> >   235  165K tcpflags   tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> >     0     0 home2fw    all  --  *      *       192.168.174.242 
> 0.0.0.0/0 
> >   251  168K net2fw     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> >     0     0 IBM2fw     all  --  *      *       9.132.183.77 
> 0.0.0.0/0 
> > The rule in eth0_in chain that calls IBM2fw chain is misplaced.  Probably, 
it is appended after shorewall processes the rules file. 
net2fw calls net2all that drops every packet.  IBM2fw is never
inspected.> > Chain net2all (7 references)
> >  pkts bytes target     prot opt in     out     source 
> destination 
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state RELATED,ESTABLISHED 
> >    13  2382 Drop       all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> >     1    60 LOG        all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
> >     1    60 DROP       all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> > 
> > Chain net2fw (3 references)
> >  pkts bytes target     prot opt in     out     source 
> destination 
> >   238  166K ACCEPT     all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           state RELATED,ESTABLISHED 
> >     0     0 ACCEPT     254  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           tcp dpt:5900 
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           udp dpt:63572 
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
> 0.0.0.0/0           tcp dpt:63572 
> >    13  2382 DropPing   all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> >    13  2382 net2all    all  --  *      *       0.0.0.0/0 
> 0.0.0.0/0 
> > 

hope it helps,

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Alexander Wilms

2005-May-25 16:58 UTC

head link

Re: Newbie going through a probably stupid thing

On Wednesday 25 May 2005 18:24, Bob Alexander wrote:

Hi Bob,

you defined ''net'' before ''IBM'' in
/etc/shorewall/zones
But your ''home'' zone is correctly before
''net''

So just define ''IBM'' before ''net'' .

HTH
Alex
> Believe me:
>
> Read the FAQ
> Checked over and over
>
> This might be toooooo stupid to be documented.
>
> Please bear with me. Any help ?
>
> Situation: single card standalone "firewall" (used like a
"personal
> firewall"). Have sshd running on the FW. Want the sshd daemon to be
> accessible only from 2 LANs:
>
> 1) My other home LAN machine
> 2) IBM intranet machines (9.0.0.0)
>
> Whatever I have tried if the rule is written like Any2FW or Net2FW it
> works but IBM2FW does not (the net2all chain is hit with it''s DROP
action).
>
>
> Here follows my FW status.
>
> Thank you very much for any  help,
> Bob Alexander

David Hoffman

2005-May-25 20:13 UTC

head link

Re: Newbie going through a probably stupid thing

At 5:49 PM +0100 5/25/05, Keith Edmunds wrote:>Bob Alexander wrote:
>>Situation: single card standalone "firewall" (used like a
"personal
>>firewall"). Have sshd running on the FW. Want the sshd daemon to be
>>accessible only from 2 LANs:
>>
>>
>>
>>1) My other home LAN machine
>>
>>2) IBM intranet machines (9.0.0.0)
>
>In /etc/shorewall/rules:
>
>AllowSSH	net:1.2.3.4	fw
>AllowSSH	net:9.0.0.0/8	fw
>
>(assuming your LAN machine is 1.2.3.4)
>
>I would actually put the following in /etc/shorewall/params:
>
>LANPC=net:1.2.3.4
>IBM=net:9.0.0.0/8
>
>and then /etc/shorewall/rules becomes:
>
>AllowSSH	$LANPC	fw
>AllowSSH	$IBM	fw
>
>Now, when you read the one interface quickstart document, what part 
>of it didn''t make sense?
>
>--
>Keith Edmunds
What''s the point of the question at the end? Is that a jab, or are 
you really interested in seeing if the documentation could use some 
useful tweaking?

--
DAvid

Keith Edmunds

2005-May-25 22:22 UTC

head link

Re: Newbie going through a probably stupid thing

David Hoffman wrote:> What''s the point of the question at the end? Is that a jab, or are
> you really interested in seeing if the documentation could use some 
> useful tweaking?
The latter. The OP said he had read all the docs (I''m paraphrasing as I
don''t have the original message in front of me so apologies if I
don''t
recall it correctly). I think the quickstart guides are very clear when 
configuring a basic setup, which the OP wanted.

If I''d wanted to "jab" I''d have just pointed him at
the quickstart guide
and told him to read it but, as it was, I gave him detailed instructions 
on how to fix the problem (well, I assumed he had interfaces defined 
correctly, I confess), and I also hinted of a way of making the 
configuration easier by defining symbols in the params file. Either he 
didn''t read the quickstart guide, which is contrary to what he implied,
or he didn''t understand it, hence my question.

Or maybe I have missed the point completely?

-- 
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |    http://www.TheLinuxConsultancy.co.uk    
|
+---------------------------------------------------------------------+

Bob Alexander

2005-May-26 07:47 UTC

head link

Re: Newbie going through a probably stupid thing

Alexander Wilms wrote:> On Wednesday 25 May 2005 18:24, Bob Alexander wrote:
> 
> Hi Bob,
> 
> you defined ''net'' before ''IBM'' in
/etc/shorewall/zones
> But your ''home'' zone is correctly before
''net''
> 
> So just define ''IBM'' before ''net'' .
> 
> HTH
> Alex
Thank you to all and particularly to Alex. Your hint is just what I needed.

Now some replies to other thread''s questions.

I am used to employ the Webmin interface to Shorewall and that might 
"abstract" a little too much.

I find the basic setup guide to be perfect and in fact the basic setup 
just worked fine for me.

The concept of having a " subnet" to be treated differently does not 
seem evident in that documentation.

I was not even finding the required syntax to define host ranges or 
subnets. Is 9.0.0.0/8 correct ?

The "FW" I have is just my personal laptop and gets a dynamic address 
from DHCP.

Now the more important question:

I wrongly believed that the ordering of the zones file was irrelevant. 
The solution Alex gave me indicates that this is not true.

How does the ordering of the zones reflect into the ordering of the rules ?

I am really grateful to Tom for this great product and above all his and 
this community''s GREAT OUTSTANDING WORLD CLASS support !!!!

Love you all ! :)

Bob

Alexander Wilms

2005-May-26 08:25 UTC

head link

Re: Newbie going through a probably stupid thing

>
> I am used to employ the Webmin interface to Shorewall and that might
> "abstract" a little too much.Yes, I think so too. As far as I know, the webmin interface is far behind 
shorewall development.
There was a discussion here on the list a couple of weeks (month?) ago about 
this issue and how to get them into sync. I don''t know the progress of
this
module, but I heard nothing about it anymore, so I think it''s still too
much
behind.
>
> I find the basic setup guide to be perfect and in fact the basic setup
> just worked fine for me.
>
> The concept of having a " subnet" to be treated differently does
not
> seem evident in that documentation.The isssue is, that you have multiple subnets in your net zone. In this case 
the order IS relevant. 
Taken from Tom''s context sensitive :-) online help in
/etc/shorewall/zones:

# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.

IMHO, another reason not to use any other frontend than plain vi/joe/et al.
His comments in the files where always good to see quickly if I''m on
the right
way.
>
> I was not even finding the required syntax to define host ranges or
> subnets. Is 9.0.0.0/8 correct ?Again, if you were editing the files directly, you would find examples IN the 
file. e.g. in /etc/shorewall/hosts. Take a look.

I''m not Tom, so I would have to search now in the Documentation to show
you
the syntax examples, but I''m sure there are.
>
> The "FW" I have is just my personal laptop and gets a dynamic
address
> from DHCP.
>
> Now the more important question:
>
> I wrongly believed that the ordering of the zones file was irrelevant.
> The solution Alex gave me indicates that this is not true.
>
> How does the ordering of the zones reflect into the ordering of the rules ?Just take a look at your "shorewall status" output that you sent.
Since SSHd is running on the firewall you''ll take a look first at the
INPUT
chain. There you see the target ''eth0_in''. Since your relevant
interface is
eth0 the packet''s are jumping to this target. So scroll down to find
this
''eth0_in'' chain. 

Chain eth0_in (1 references)
pkts bytes target     prot opt in     out     source               destination  
     
<snip>

     0     0 home2fw    all  --  *      *       192.168.174.242      0.0.0.0/0  
       
   251  168K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0  
       
     0     0 IBM2fw     all  --  *      *       9.132.183.77         0.0.0.0/0

Above are (only) the relevant lines of your shorewall status output. And here 
we go: Do you see now the ordering and how I knew your zone order?



>
> I am really grateful to Tom for this great product and above all his and
> this community''s GREAT OUTSTANDING WORLD CLASS support !!!!
>
> Love you all ! :)Eh, don''t ask me to be your valentine. ;-)

HTH,
Alex
>
> Bob
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users Support:
> http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Bob Alexander

2005-May-26 08:49 UTC

head link

Re: Newbie going through a probably stupid thing

Alexander Wilms wrote:> 
>      0     0 home2fw    all  --  *      *       192.168.174.242     
0.0.0.0/0
>    251  168K net2fw     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>      0     0 IBM2fw     all  --  *      *       9.132.183.77        
0.0.0.0/0
> 
> Above are (only) the relevant lines of your shorewall status output. And
here
> we go: Do you see now the ordering and how I knew your zone order?
> 
Very interesting ... yes I definitely believe I have to get weaned from 
Webmin-Shorewall !!

I will study through the files. Is the Shorewall status the right place 
where the "compiled" chains/rules are all collected ?
> Eh, don''t ask me to be your valentine. ;-)
> 
I would never dare since my wife and children would get quite upset :)

Bob Alexander

Apparently Analagous Threads

Search for more reasonably related threads

Shorewall users - May 2005 - Newbie going through a probably stupid thing

Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Re: Newbie going through a probably stupid thing

Apparently Analagous Threads