thr3ads.net - Shorewall users - Shorewall prevents all traffic flow! [Nov 2005]

If this information is useful, please help other people find it:
Share via:

Stephen Warren

2005-Nov-12 23:03 UTC

Shorewall prevents all traffic flow!

I''m setting up shorewall for the very first time. I''ve read
pretty much
all the docs/FAQs etc., but something is stumping me!

I''m running shorewall 3.0.0 on kernel 2.4.29 under User Mode Linux as 
provided by linode.com. The distro is Fedora Core 2 (yes really, with a 
2.4 kernel). All iptables support is compiled directly into the UML 
guest kernel; no modules.

My (virtual) machine has eth0 with 3 public IPs, and tun0, which is 
managed by OpenVPN 2.0.2 in server mode.

I have a custom set of iptables rules that do pretty much what shorewall 
will do for me, but I want to migrate to shorewall so I can have simpler 
config files, and learn about shorewall before deploying it on a much 
more complex box at home.

The problem is, that whenever I "service shorewall start", *all*
traffic
gets blocked, even on ports that I''ve explicitly opened in the rules 
file. Luckily, I can recover by:
service shorewall stop;/root/nat-setup.sh

Anyway, any help would be greatly appreciated. Config files are shown 
below. All other files are empty (well, comment lines only.)

zones:
fw      firewall
net     ipv4
vpn     ipv4

interfaces:
net     eth0            detect          norfc1918,routefilter,tcpflags
vpn     tun0            -               routeback

policy:
fw              all             ACCEPT
# client-to-client is in openvpn.conf anyway right now
vpn             vpn             ACCEPT
all             all             REJECT

rules:
SECTION NEW
ACCEPT all fw tcp 25 - #70.85.31.133
ACCEPT all fw tcp 80 - #70.85.31.133
ACCEPT all fw tcp 8022 - #70.85.31.133
Ping/ACCEPT all fw

tunnels:
openvpnserver:udp:1194  net     0.0.0.0/0

masq:
eth0                    tun0            70.85.31.134

routestopped:
tun0            -                       routeback

shorewall.conf:
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATELOGBURSTLOGALLNEW=info
BLACKLIST_LOGLEVELMACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLESPATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIRCONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILEIPSECFILE=zones
FWIP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=Yes
TC_ENABLED=Internal
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIXDISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTLSAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

`shorewall dump`:
Shorewall-3.0.0 Dump at wye.wwwdotorg.org - Fri Nov 11 19:32:11 EST 2005

Counters reset Fri Nov 11 19:31:59 EST 2005

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:filter:INPUT:''
     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0 
0.0.0.0/0
     0     0 eth0_in    all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 tun0_in    all  --  tun0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:filter:FORWARD:''
     0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 tun0_fwd   all  --  tun0   *       0.0.0.0/0 
0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:filter:OUTPUT:''
     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0 
0.0.0.0/0
     2   162 fw2net     all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
     0     0 fw2all     all  --  *      tun0    0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain Drop (0 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:113
     0     0 dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 3 code 4
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 11
     0     0 dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           multiport dports 135,445
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:137 dpts:1024:65535
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           multiport dports 135,139,445
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:1900
     0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:53

Chain Reject (3 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:113
     0     0 dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 3 code 4
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 11
     0     0 dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           multiport dports 135,445
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
     0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:137 dpts:1024:65535
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           multiport dports 135,139,445
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:1900
     0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:53

Chain all2all (4 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain dropBcast (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (4 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain eth0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 norfc1918  all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW
     0     0 tcpflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 all2all    all  --  *      tun0    0.0.0.0/0 
0.0.0.0/0

Chain eth0_in (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 norfc1918  all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW
     0     0 tcpflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
     0     0 net2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2all (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2net (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     2   162 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:1194
     0     0 fw2all     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain logflags (5 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 4 level 6 prefix
`Shorewall:logflags:DROP:''
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain net2fw (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:25
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:80
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:8022
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 8
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:1194
     0     0 all2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain norfc1918 (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 rfc1918    all  --  *      *       172.16.0.0/12 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 172.16.0.0/12
     0     0 rfc1918    all  --  *      *       192.168.0.0/16 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 192.168.0.0/16
     0     0 rfc1918    all  --  *      *       10.0.0.0/8 
0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           ctorigdst 10.0.0.0/8

Chain reject (9 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast
     0     0 DROP       all  --  *      *       70.85.31.255 
0.0.0.0/0
     0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
     0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0
     0     0 REJECT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with tcp-reset
     0     0 REJECT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-port-unreachable
     0     0 REJECT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-unreachable
     0     0 REJECT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''
     0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain shorewall (0 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain smurfs (0 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       70.85.31.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       70.85.31.255 
0.0.0.0/0
     0     0 LOG        all  --  *      *       255.255.255.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
     0     0 LOG        all  --  *      *       224.0.0.0/4 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0

Chain tcpflags (2 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x3F/0x29
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x3F/0x00
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x06/0x06
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:0x03/0x03
     0     0 logflags   tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp spt:0 flags:0x16/0x02

Chain tun0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 all2all    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
     0     0 vpn2vpn    all  --  *      tun0    0.0.0.0/0 
0.0.0.0/0

Chain tun0_in (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
     0     0 vpn2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain vpn2fw (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:25
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:80
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:8022
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 8
     0     0 all2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain vpn2vpn (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Nov 11 19:24:06 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=14 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:08 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=15 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:09 filter:OUTPUT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 
LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1152 DF PROTO=UDP SPT=1857 DPT=53 
LEN=53
Nov 11 19:24:09 mangle:POSTROUTING:IN= OUT=lo SRC=127.0.0.1 
DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1152 DF PROTO=UDP 
SPT=1857 DPT=53 LEN=53
Nov 11 19:24:09 mangle:PREROUTING:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 
LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1152 DF PROTO=UDP SPT=1857 DPT=53 
LEN=53
Nov 11 19:24:09 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=15 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:10 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=37752 DF PROTO=TCP 
SPT=34797 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 19:24:11 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=16 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:11 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=16 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:12 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=17 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:13 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=17 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:14 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=18 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:16 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=18 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:17 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=19 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:18 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=19 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:24:19 mangle:PREROUTING:IN=eth0 OUT= SRC=68.2.78.214 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=20 DF PROTO=UDP 
SPT=32916 DPT=1194 LEN=22
Nov 11 19:24:20 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=42 TOS=0x00 PREC=0x00 TTL=49 ID=20 DF PROTO=UDP 
SPT=32816 DPT=1194 LEN=22
Nov 11 19:32:01 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27856 DF PROTO=TCP 
SPT=44669 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 19:32:04 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27858 DF PROTO=TCP 
SPT=44669 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 11 19:32:10 mangle:PREROUTING:IN=eth0 OUT= SRC=63.147.78.76 
DST=70.85.31.133 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27860 DF PROTO=TCP 
SPT=44669 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 10 packets, 552 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:nat:PREROUTING:''

Chain POSTROUTING (policy ACCEPT 40 packets, 3488 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:nat:POSTROUTING:''
     0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 40 packets, 3488 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:nat:OUTPUT:''

Chain eth0_masq (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 SNAT       all  --  *      *       192.168.65.2 
0.0.0.0/0           to:70.85.31.134
     0     0 SNAT       all  --  *      *       192.168.65.0/24 
0.0.0.0/0           to:70.85.31.134
     0     0 SNAT       all  --  *      *       192.168.0.0/16 
0.0.0.0/0           to:70.85.31.134

Mangle Table

Chain PREROUTING (policy DROP 11 packets, 786 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     3   180 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:mangle:PREROUTING:''
     6   423 tcpre      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain INPUT (policy ACCEPT 485 packets, 58280 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:mangle:INPUT:''

Chain FORWARD (policy ACCEPT 89 packets, 12313 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:mangle:FORWARD:''
     0     0 tcfor      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 552 packets, 51569 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     4   324 tcout      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 641 packets, 63882 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state NEW LOG flags 0 level 6 prefix 
`Shorewall:mangle:POSTROUTING:''
     4   324 tcpost     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain tcfor (1 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain tcout (1 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain tcpost (1 references)
  pkts bytes target     prot opt in     out     source 
destination

Chain tcpre (1 references)
  pkts bytes target     prot opt in     out     source 
destination

udp      17 109 src=127.0.0.1 dst=127.0.0.1 sport=1857 dport=53 
src=127.0.0.1 dst=127.0.0.1 sport=53 dport=1857 [ASSURED] use=1
tcp      6 431731 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=25585 dport=993 src=192.168.65.5 dst=209.213.198.25 sport=993 
dport=25585 [ASSURED] use=1
udp      17 175 src=63.147.78.76 dst=70.85.31.133 sport=32816 dport=1194 
src=70.85.31.133 dst=63.147.78.76 sport=1194 dport=32816 [ASSURED] use=1
tcp      6 49 TIME_WAIT src=63.147.78.76 dst=70.85.31.133 sport=44659 
dport=25 src=70.85.31.133 dst=63.147.78.76 sport=25 dport=44659 
[ASSURED] use=1
tcp      6 149398 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=64960 dport=8022 src=192.168.64.1 dst=209.213.198.25 sport=8022 
dport=64960 [ASSURED] use=1
tcp      6 431731 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=25579 dport=993 src=192.168.65.5 dst=209.213.198.25 sport=993 
dport=25579 [ASSURED] use=1
tcp      6 431731 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=25583 dport=993 src=192.168.65.5 dst=209.213.198.25 sport=993 
dport=25583 [ASSURED] use=1
tcp      6 431733 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=25577 dport=993 src=192.168.65.5 dst=209.213.198.25 sport=993 
dport=25577 [ASSURED] use=1
udp      17 175 src=68.2.78.214 dst=70.85.31.133 sport=32916 dport=1194 
src=70.85.31.133 dst=68.2.78.214 sport=1194 dport=32916 [ASSURED] use=1
tcp      6 431731 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=25584 dport=993 src=192.168.65.5 dst=209.213.198.25 sport=993 
dport=25584 [ASSURED] use=1
tcp      6 149378 ESTABLISHED src=209.213.198.25 dst=70.85.31.134 
sport=48008 dport=8022 src=192.168.64.1 dst=209.213.198.25 sport=8022 
dport=48008 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
     inet6 ::1/128 scope host
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
     link/void
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
     link/ether fe:fd:46:55:1f:85 brd ff:ff:ff:ff:ff:ff
     inet 70.85.31.133/24 brd 70.85.31.255 scope global eth0
     inet 70.85.31.134/24 brd 70.85.31.255 scope global secondary eth0:0
     inet 70.85.31.135/24 brd 70.85.31.255 scope global secondary eth0:1
     inet6 fe80::fcfd:46ff:fe55:1f85/64 scope link
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
6: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
     link/ipip 0.0.0.0 brd 0.0.0.0
7: gre0@NONE: <NOARP> mtu 1476 qdisc noop
     link/gre 0.0.0.0 brd 0.0.0.0
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast 
qlen 100
     link/[65534]
     inet 192.168.65.1 peer 192.168.65.2/32 scope global tun0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     RX: bytes  packets  errors  dropped overrun mcast
     592050     5812     0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     592050     5812     0       0       0       0
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
     link/void
     RX: bytes  packets  errors  dropped overrun mcast
     0          0        0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     0          0        0       0       0       0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
     RX: bytes  packets  errors  dropped overrun mcast
     0          0        0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     0          0        0       0       0       0
4: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
     link/ether fe:fd:46:55:1f:85 brd ff:ff:ff:ff:ff:ff
     RX: bytes  packets  errors  dropped overrun mcast
     111212172  860983   0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     93903553   328910   0       0       0       0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
     RX: bytes  packets  errors  dropped overrun mcast
     0          0        0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     0          0        0       0       0       0
6: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
     link/ipip 0.0.0.0 brd 0.0.0.0
     RX: bytes  packets  errors  dropped overrun mcast
     0          0        0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     0          0        0       0       0       0
7: gre0@NONE: <NOARP> mtu 1476 qdisc noop
     link/gre 0.0.0.0 brd 0.0.0.0
     RX: bytes  packets  errors  dropped overrun mcast
     0          0        0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     0          0        0       0       0       0
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast 
qlen 100
     link/[65534]
     RX: bytes  packets  errors  dropped overrun mcast
     7905       38       0       0       0       0
     TX: bytes  packets  errors  dropped carrier collsns
     4408       51       0       0       0       0

/proc

    /proc/version = Linux version 2.4.29-linode39-1um 
(root@nova1.theshore.net) (gcc version 3.3.3 20040412 (Red Hat Linux 
3.3.3-7)) #1 Wed Jan 19 12:22:14 EST 2005
    /proc/sys/net/ipv4/ip_forward = 1
    /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
    /proc/sys/net/ipv4/conf/all/proxy_arp = 0
    /proc/sys/net/ipv4/conf/all/arp_filter = 0
    /proc/sys/net/ipv4/conf/all/arp_ignore = 0
    /proc/sys/net/ipv4/conf/all/rp_filter = 1
    /proc/sys/net/ipv4/conf/all/log_martians = 0
    /proc/sys/net/ipv4/conf/default/proxy_arp = 0
    /proc/sys/net/ipv4/conf/default/arp_filter = 0
    /proc/sys/net/ipv4/conf/default/arp_ignore = 0
    /proc/sys/net/ipv4/conf/default/rp_filter = 0
    /proc/sys/net/ipv4/conf/default/log_martians = 0
    /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
    /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
    /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
    /proc/sys/net/ipv4/conf/eth0/log_martians = 0
    /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
    /proc/sys/net/ipv4/conf/lo/arp_filter = 0
    /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
    /proc/sys/net/ipv4/conf/lo/rp_filter = 0
    /proc/sys/net/ipv4/conf/lo/log_martians = 0
    /proc/sys/net/ipv4/conf/tun0/proxy_arp = 0
    /proc/sys/net/ipv4/conf/tun0/arp_filter = 0
    /proc/sys/net/ipv4/conf/tun0/arp_ignore = 0
    /proc/sys/net/ipv4/conf/tun0/rp_filter = 0
    /proc/sys/net/ipv4/conf/tun0/log_martians = 0

Routing Rules

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Table default:


Table local:

local 192.168.65.1 dev tun0  proto kernel  scope host  src 192.168.65.1
local 70.85.31.134 dev eth0  proto kernel  scope host  src 70.85.31.133
local 70.85.31.135 dev eth0  proto kernel  scope host  src 70.85.31.133
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 70.85.31.133 dev eth0  proto kernel  scope host  src 70.85.31.133
broadcast 70.85.31.255 dev eth0  proto kernel  scope link  src 70.85.31.133
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

192.168.65.2 dev tun0  proto kernel  scope link  src 192.168.65.1
192.168.65.0/24 via 192.168.65.2 dev tun0
70.85.31.0/24 dev eth0  proto kernel  scope link  src 70.85.31.133
169.254.0.0/16 dev eth0  scope link
192.168.0.0/16 via 192.168.65.2 dev tun0
default via 70.85.31.1 dev eth0

ARP

? (70.85.31.3) at 00:D0:BA:1F:B5:CF [ether] on eth0
? (70.85.31.2) at 00:02:FC:64:D8:AF [ether] on eth0
? (70.85.31.1) at 00:00:0C:07:AC:01 [ether] on eth0

Modules


Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Not available
    Connection Tracking Match: Available
    Packet Type Match: Available
    Policy Match: Not available
    Physdev Match: Not available
    IP range Match: Not available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Not available
    CONNMARK Target: Not available
    Connmark Match: Not available
    Raw Table: Not available
    CLASSIFY Target: Not available

-- 
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org     http://www.wwwdotorg.org/pgp.html

Tom Eastep

2005-Nov-12 23:45 UTC

head link

Re: Shorewall prevents all traffic flow!

On Saturday 12 November 2005 15:03, Stephen Warren wrote:
>
> The problem is, that whenever I "service shorewall start", *all*
traffic
> gets blocked, even on ports that I''ve explicitly opened in the
rules
> file. Luckily, I can recover by:
> service shorewall stop;/root/nat-setup.sh
Please read http://www.shorewall.net/starting_and_stopping_shorewall.htm and 
note the ''clear'' command. It could help you in the future.
>
> Anyway, any help would be greatly appreciated. Config files are shown
> below. All other files are empty (well, comment lines only.)
Please:

a) Do NOT set LOGALLNEW in shorewall.conf. It logs so much that
''shorewall
dump'' is almost useless.
b) Start shorewall
c) Try to pass some traffic that you believe that the Shorewall-generated 
ruleset is blocking.
d) Capture the output of ''shorewall dump'' as you did before.
e) Compress the output of ''shorewall dump'' using bzip2 or
gzip.
f) Forward the compressed dump as an attachment.

This will allow me to see how traffic is traversing the ruleset and why it 
isn''t being passed. By including the output as a compressed attachment,
your
mailer won''t fold it into an unreadable pretzel as it did with this
copy.

Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Stephen Warren

2005-Nov-13 00:03 UTC

head link

Re: Shorewall prevents all traffic flow!

Tom Eastep wrote:> On Saturday 12 November 2005 15:03, Stephen Warren wrote:
> 
>>The problem is, that whenever I "service shorewall start",
*all* traffic
>>gets blocked, even on ports that I''ve explicitly opened in the
rules
>>file. Luckily, I can recover by:
>>service shorewall stop;/root/nat-setup.sh
> 
> Please read http://www.shorewall.net/starting_and_stopping_shorewall.htm
and
> note the ''clear'' command. It could help you in the
future.
Hmm. Note sure I want to do that - my nat-setup.sh script sets up a ton 
of SNAT/DNAT stuff I want too...
> Please:
> 
> a) Do NOT set LOGALLNEW in shorewall.conf. It logs so much that
''shorewall
> dump'' is almost useless.
> b) Start shorewall
> c) Try to pass some traffic that you believe that the Shorewall-generated 
> ruleset is blocking.
> d) Capture the output of ''shorewall dump'' as you did
before.
> e) Compress the output of ''shorewall dump'' using bzip2 or
gzip.
> f) Forward the compressed dump as an attachment.
Here it is. I attempted to connect via both port 25, then port 8022, 
both TCP. I let each connect attempt run 10 seconds before CTRL-C''ing
them.

Sorry about the munging - the first time I attempted to post to the 
list, I had attached the file, but on the resend, just cut/paste it:-(

-- 
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org     http://www.wwwdotorg.org/pgp.html

--------------070404090609090906040807
Content-Type: application/octet-stream;
 name="swdump.txt.bz2"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="swdump.txt.bz2"

QlpoOTFBWSZTWRrtV8MAIgHfgH/4aPf/9///3+r////gYBMcHugHX3fXO9AYPtgrWW2VVKlK
e2l00CgoLYNJEKiVVFVFsaVDSTRqntU0fqnpHppqbR6iYIekGQYTBA0YATAQGSMiJ6mhqaAA
BoGgAAAAAAAA1U9T/VQGgAAAAAAAAAAAAAEhFRD0U9QPSD1NDagAAADQAGgDQACJQQTQI0aB
MRJ5PU1PIJo00aNomTZQaNGJkyAqSIE0AQ0JPRDT0KbUHqajNEeo9CZPU09Q0Bp+qeoZUkkg
DSvw/Xjqn9e/j3WVmlqPbLI1UbRBxtskVzjNupv6bwx4qIkyDBQY3BhJAZBjhGxqNRiiI5Go
4xpwkGnG2QbYlIyGJ+6DkygOVDc0wsYwGEaBsE8MNXIBkaWwkgsyausqVRNvI47klgDVQhhG
gyBIoigV/Qfh8Pm8/103+5ljXEUMHCkQEz8cTBAiMBbrBWnMeegVRINbdUaAkHtRZ3J1jJCb
/6H3jyENPt3cv3d2d+TaZMKRCFGZBSDsBEUDMCKhxAVuMeSKmhzPeEaGxsqdtsNDJVH4D163
8qaVrWjFkrANFQqqhSEGQkmAB7yoPU9eznXj+OWK5AD2FAUfKujFbCdHqTaqG1rYTaxAeaCg
mxUIHOC8Omm0IAdZ4l+EVHsDoBOIRGBIRGAMUaCuc1QNkAOczNp+NjQANGAHSZhCOgyJmdrI
R5jJJsT0J5JDYdTAFOA4aSY50uMrQyzYafVNglGMDGDDG10EC/fEQ5hiSCqfIAw+N2h5HgPH
dlSlKni8GGsrqmb8CPVusx7/Aqzb7OXI/ALY69a8HDCQk74FM2SARHLeabSWQ369krsKVVCo
Eb2sQ4UVyHskIQgN0y4JLULKIAC941SWEhQSSSQSSCU4Ws84FomohAH8TImgUoLtoZDzmZy3
7YMWZmZlILlQIXimgdjcykkkkkgbb17JY13N9nUgVOVLl7o4gmbmnR3Q5p49VDv3eO2zZKHF
DE8+tA1m9zpcin3EXLmiUWVMN9p4EaaVUFwTC089zkCQBGIwBDoVDh1OceUBYEC4ilqOtFEg
+QHVMTf+Pz4wwG/WW4K8XpDzkh2ueM6Xnj9HzDuWHHx168MuK23ljvw+ReuOWjSYZM7aW6G6
RxUu7aVSuobzabd03OxoaaBXs87qTF5ssqqq07XcdnvjlM6dbNNKuat9h+E7ZIefnI7NTKTH
p0NW/HKN26YYceFd3dfv2YcLL38MPDRuH3B5Nl/eSy39HbJDxHcGM8ta5XteuOp9UkMozkZr
KSlGx2qe7nhsOlS9t1NN2WUYW7bXvDl8tBpg359o1mkToMOkltekNZWFaZG8c1K30PfMPcLX
qTcqG7XrmpDusVtNJtOO/xGZCxlhJQ3j0r5urds6c85KZ6RIom9UPLbj23FR+IUhPkiUIohi
pxOwh1HWMCBA8R9Z4HpUF1Ai5dfd1lfzKcsg8QS8UOWKiPSwogNJCFwjZVugQkt9wHEm02KO
MskKbQjOD5ZCjAyFbixKtMSqlQ2NMiqg44isAugZKD5fbzpVUR97WapSpeDbTSpqjSF575+9
OXfbzytaVmaDcTAaELqNUthWmFzsBfDiC4444ylKVmJ7Sjmkoe14Z+txK+Wg2VLNvP1F3GrL
Rh8oqN/UAPt/MmqhSQpD5xMBPYqI5mZxpRkcgHxdZQU3RMIOJFjMpLGRRFXuYpgbpbDHGJvh
cImXUUauTvCD7GwpqUbg/SAb4vo88UlUI9GfXpF48dIBXVUIpa7BtJtNoJFlqArtNSAK+VQY
qC83PIQhOBdzU9j4RIwL+sU6nVgJ2yVMMmCWWXaeFSmmGFW+i+Ko2GDT17n1vncV9gKy9rF5
tvHDIhJId/jBSN5PXKR4NufIiUHXUEqPs2xKo5pQms6QLyYUzDQw1GbFmihIhoZMyxWxwYQd
7kzyY0mKVRU8DG2xj4m4GFBAlR+Y3Z4DaSY68UDIcCAWdkNTY4YySSSSSVmdMjsMzKqBur2u
oyryQ5poJcvGpWWXntkXyaYrWuWpamshg7Np59GRGbNrPe2HAtEZnHnDRGrYt0DpUnjORA2Y
objZUWLk3LRKMeUy3Ou3uSprjBopsTVrSyKmpw3bgHaYNKLbnxqBykdeHcHqZ398lSGti5aX
lGjWyS8o7Tete9jPusYYZdfdBmVMjVlxsoNqnGchwV4uaSKNCYReyum0LDt6TElTCHJWhpDy
Y6zoLY4ZkOoruaXXlm1qjqymdWux0zt2tLaKyaHHF0y/VImfQ0a7ZVdIl2ZXTuC7wDSPM6KF
YFjEIgZ5nA1KGLo2W1lVxTVgb2OC8Zc8eeJiwpkayMImUhL1oMGTcVebODAaGxEzMu3Js042
lXWxzDVq2kbZR5w7g688Lq5KUkpyQq3vlbfsTAo52mTGMrbzoqDOp16s11pGr4ujHPhN3bWB
sFRMcC1djKbl8EtznczYeNyM4NN/So0QJAJsZQj2sDMq5FGGlNZtm9ThHYRzcbQlpfDlxa5q
w6b25Oy9jGmN1WrXYTeN5aJaDkvvSzia9+7YLmLZykJ+PbvlbSrEKHWHQL5JKqpiZyAIqlcs
kWsuM6gTQE1SEAAoFrG0UO8mZka+o2XCstBSlNOnt7/duHunzjQ9z89fXT0U1or4h1dHFyc3
VZ0cv1Rx21JJ/LHOaqxLYpO29rEMQhChiWsljRpXsQLEb/xams6zE4tg7Txbc9mUePqUPm6V
DlhqROxNBI/c0QsdT+YneRpJ9syiczCWnwXYQUmUUQhDWQrCBaiFAcpCio3EAy8vLP8S5nIz
mEylLpe2UFiyYyj/oiyGDaHv6plgOfEH+7Yb3xj6ln89uJN/6l5AN6VHRd59wH2h9LTh6AT8
AT2HSQhcDcCmrqZnKSF5Wd00ULCZGJHA+IWSR3xRGUlOJimhHxPiNyXg6EOALCaTvSmidVuZ
H5VnPvjIqKkND1DHcm6LEXu5keJaSMGhUdysx3O+X7itvu/Jy8a7ngcCLbE2ENsekU3rx90e
TyS7r3snoO3ElU/1MW4hSHU3vUOgcWpKqmdqmgwh+I3UwQ6XIEo6EeBqTgjtLJ23YSSb2T71
EZzAjQipIqfJ5Fr5om/ANSzBhH4iyO5Lu46lnY1baSKQojqDdE6yioKnHpSqxMCO9zI3yYIs
RRYv4GkkmJGzRVUhjE3PrGx+ujvrAjI7RvwkRkBZgGgJQDButxxPySntux6ILCDIazlFmkqL
7lzmovjIYxLypEqCyh9hgnoTVjJHQjgRsYEYGksR/odgzLuUqNoeafKmkmBwTdJI3R2JY/B5
Mo3Cw9WwufaxHsfD0SbX5f4x5/oKkfiKi1j+yKax/Kfwy4P6Q+1Y+jc/9eLOROfCNkRqAfdo
qE/auYSz6h+g9ZJA+ryyhScGM+wsFq5AsoUVItjY7u2xyRzb1DZlJ8VERaPuj7Oz285CvRHP
Pxkh6GW6NyMheP3utl0P2HH+3zW4SN0TjzkhbMYw9vpek+/tqExQ/JKQMMI1kfuDjgSayMEl
hlDLormPrl57M5IefMk15xOLCgawbUXdYTjIZQS5H9UyJanoUpW2JeRRUNXQ0Te018uxKfmq
E2xX8QDZ+AjUReRgutSe4jBx6yQqd53KWjui2ywzeWEhZj76Z9rAinGTCej1Xf/IbetY/v13
BhVhsIXYMiYKedNY1Bcd8Nx10ExnYBYpN4L96nOAaAXjoUQXVIJCAwgSRploZ75Ic93bJCk3
XVYF2Ft098ofpg8osij+/SRPFoHCN46G2E/ylojxO4YyP2zurhMCSx99Bc8TXRHfhnGLtiqv
IrvFNRj/51h6Qulgroyd6fRm1sglloiYBYegoeZEruEHWj/JUL1XK3iPQtwPsPixPIxPJ6Uo
fCvpHJ39wO0jwAx7Qo8RpzAHxUBpUzVCFAEwVD9a/op6NSD85UBOLO83NBttInmGJw2GzhHz
oemT5HSwbZF0k3xQ4PLmAJkpGjRI0kCMH3TIolYncDbEbyPXRUhmntX3xtJsmV5OoerXERMo
Yvpo+mdYs2FfBKvFJ7qlnKHAbSVDWYxHPyksN8Yu6SqRdD0nifK2a9MQSioe8VqU6h0u2RkS
QdAIrETAKYJFQwBbk2danZ4GCfZwUd5UpmI0G9IqSN7XBfInVKn8cnMaRwvm/hOqPnkRY+MP
NwSwRFgHSb/2VBt4HK9KnuaswMHYSOy8ie+azcimWoqlQpjIWDKSC5kRNkgEejcGABsVDDCk
GR+dCyoa2lpHu39ZIe+SHB9WaRw4jlrG0bZoipFYJTvXlLpTowMGDCJQwKVSyFKoUuJhE6s1
G53rFDlAKpk4lFQ6B91TwLBOBsYxkkkkhCMHEzAIZJ3ouHMsLyLx5ZSQ00lSilGyipEsyD0q
Nwoo/HXhdBiofpB5YHIeQzGE6DIFsqR5m0k53yFJUr27S7bCO8Wls5G6GoV7nj8vBBzALqjk
vPCSMRzAdQBRUgtFGIqy75uY6SZBcMA3YJcrGLSQyyySQvI9EiWZJcrOdQ6SGXOSzPfS2yb1
p0nkPGSFyOCoSjlQJCLOSEJSBCgvFHUqGaj0ZxrEOtNqAIzJIIJ0A3To3hhRbTByZs8lFm6F
zlJDK8kKNcsrsthiwkSpsWLU0gxMlKUFSlSUaF+EkMInws1kU+ko+zoirRzSUMYm3fw/2xcS
cu5AzzCCpeJ5sDlSF96ocNYCa7hwU2sq21A2H1SQtI7T1hwn5pR3xSTyDvnXvlSlVTijV+d6
PbyHvcE/Ri+fsHCSPN17p67SQzDgtBE7iCm8A6FGm4PqkSSN26WBk76lPzLHmZ1GQ42PhpxP
7r+vZ83riv2CT9uxPaB1nMe2mng9idY+jwUfg9IgH/xdyRThQkBrtV8M
--------------070404090609090906040807--

Stephen Warren

2005-Nov-13 00:07 UTC

head link

Re: Shorewall prevents all traffic flow!

Stephen Warren wrote:> Here it is. I attempted to connect via both port 25, then port 8022, 
> both TCP. I let each connect attempt run 10 seconds before
CTRL-C''ing them.
Sigh. I keep forgetting about the bad interaction between PGP-signing 
and attachements.

At least, my mail client (which generated the mail) won''t validate the 
GPG signature, although I can typically view the attachment OK, although 
not in this case... Anyone know how to fix Firefox/Engimail so that it 
works correctly?

Anyway, here it is again, unsigned.

-- 
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org     http://www.wwwdotorg.org/pgp.html

Tom Eastep

2005-Nov-13 00:21 UTC

head link

Re: Shorewall prevents all traffic flow!

On Saturday 12 November 2005 16:07, Stephen Warren
wrote:> Stephen Warren wrote:
> > Here it is. I attempted to connect via both port 25, then port 8022, 
> > both TCP. I let each connect attempt run 10 seconds before
CTRL-C''ing them.
> 
> Sigh. I keep forgetting about the bad interaction between PGP-signing 
> and attachements.
> 
> At least, my mail client (which generated the mail) won''t validate
the
> GPG signature, although I can typically view the attachment OK, although 
> not in this case... Anyone know how to fix Firefox/Engimail so that it 
> works correctly?
> 
> Anyway, here it is again, unsigned.
> 
From your swdump:

Chain PREROUTING (policy DROP 575 packets, 40527 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1332 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Your script is setting the PREROUTING Mangle table policy to DROP! (why?????)
And Shorewall isn''t setting it back to ACCEPT.

In your /etc/shorewall/init, add:

	run_iptables -t mangle -P PREROUTING ACCEPT

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Stephen Warren

2005-Nov-13 00:32 UTC

head link

Re: Shorewall prevents all traffic flow!

Tom Eastep wrote:> From your swdump:
> 
> Chain PREROUTING (policy DROP 575 packets, 40527 bytes)
>  pkts bytes target     prot opt in     out     source              
destination
>    17  1332 tcpre      all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> 
> Your script is setting the PREROUTING Mangle table policy to DROP!
(why?????) And Shorewall isn''t setting it back to ACCEPT.
> 
> In your /etc/shorewall/init, add:
> 
> 	run_iptables -t mangle -P PREROUTING ACCEPT
Thanks. That fixed it.

I was under the impression that starting shorewall would zap and 
reprogram all aspects of iptables, thus undoing anything I''d setup 
manually in my equivalent script.

In my script (which I wrote a long time ago as an alternative to using 
something like shorewall), I have everything dropped, so that I can then 
add some rules to allow specific ports.

-- 
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org     http://www.wwwdotorg.org/pgp.html

Tom Eastep

2005-Nov-13 05:18 UTC

head link

Re: Shorewall prevents all traffic flow!

On Saturday 12 November 2005 16:32, Stephen Warren
wrote:> Tom Eastep wrote:
> > From your swdump:
> > 
> > Chain PREROUTING (policy DROP 575 packets, 40527 bytes)
> >  pkts bytes target     prot opt in     out     source              
destination
> >    17  1332 tcpre      all  --  *      *       0.0.0.0/0           
0.0.0.0/0
> > 
> > Your script is setting the PREROUTING Mangle table policy to DROP!
(why?????) And Shorewall isn''t setting it back to ACCEPT.
> > 
> > In your /etc/shorewall/init, add:
> > 
> > 	run_iptables -t mangle -P PREROUTING ACCEPT
> 
> Thanks. That fixed it.
> 
> I was under the impression that starting shorewall would zap and 
> reprogram all aspects of iptables, thus undoing anything I''d setup
> manually in my equivalent script.
I agree that Shorewall should undo silly things like that -- I''ll
include
that in the next release.
> 
> In my script (which I wrote a long time ago as an alternative to using 
> something like shorewall), I have everything dropped, so that I can then 
> add some rules to allow specific ports.
> 
It is pretty well agreed among experienced Netfilter users that there is no good
reason to use any policy except ACCEPT in the mangle, nat and raw tables. A
policy
of DROP or REJECT in the filter table is considered prudent (Shorewall uses
DROP).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep

2005-Nov-13 05:40 UTC

head link

Re: Shorewall prevents all traffic flow!

On Saturday 12 November 2005 21:18, Tom Eastep wrote:> On Saturday 12 November 2005 16:32, Stephen Warren wrote:
> > 
> > I was under the impression that starting shorewall would zap and 
> > reprogram all aspects of iptables, thus undoing anything I''d
setup
> > manually in my equivalent script.
> 
> I agree that Shorewall should undo silly things like that -- I''ll
include
> that in the next release.
> 
> > 
> > In my script (which I wrote a long time ago as an alternative to using
> > something like shorewall), I have everything dropped, so that I can
then
> > add some rules to allow specific ports.
There is an updated ''firewall'' script in the errata directory
at
http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.0/errata/

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Paul Gear

2005-Nov-14 01:47 UTC

head link

Re: Shorewall prevents all traffic flow!

Stephen Warren wrote:> ...
> Sigh. I keep forgetting about the bad interaction between PGP-signing
> and attachements.
>
> At least, my mail client (which generated the mail) won''t validate
the
> GPG signature, although I can typically view the attachment OK, although
> not in this case... Anyone know how to fix Firefox/Engimail so that it
> works correctly?
Upgrade your copy of Enigmail - signing & attachments work fine for me
on SuSE 9.3, MozillaThunderbird-1.0-5, Enigmail 0.92.0.0.  See attached
for an example.

Paul

Cristian Rodriguez

2005-Nov-14 02:39 UTC

head link

Re: Re: Shorewall prevents all traffic flow!

Paul Gear wrote:> Stephen Warren wrote:
>> ...
>> Sigh. I keep forgetting about the bad interaction between PGP-signing
>> and attachements.
>>
>> At least, my mail client (which generated the mail) won''t
validate the
>> GPG signature, although I can typically view the attachment OK,
although
>> not in this case... Anyone know how to fix Firefox/Engimail so that it
>> works correctly?
> 
> Upgrade your copy of Enigmail - signing & attachments work fine for me
> on SuSE 9.3, MozillaThunderbird-1.0-5, Enigmail 0.92.0.0.  See attached
> for an example.
> 
> Paul
> 
Working fine here too... SUSE 10.0 Thunderbird version 1.0.6 (20050715)
enigmail 0.93.0.0

Shorewall users - Nov 2005 - Shorewall prevents all traffic flow!

Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Shorewall prevents all traffic flow!

Re: Re: Shorewall prevents all traffic flow!