Hi there,

I've read the Routing on One Interface, and Shorewall and Aliased Interfaces docs but I'm a little confused, and all my test attempts have mostly failed. Here is my setup:

CentOS 4.2
ShoreWall 3.0.2

My server has a subnet 192.168.50.0/29 routed to it via 192.168.1.2. Currently 192.168.1.2 is set up on eth0. With no ShoreWall involved, routing seems to work if I just set up each of the IPs in the subnet as eth0:1, etc...

What is the proper way to set up shorewall to protect this box? I want the default behavior of allow all outgoing traffic to the Internet, deny all incoming traffic from the Internet. Then I can selectively open ports for my web server, etc.

(IPs have been changed to protect the innocent)

Any help would be greatly appreciated.

- Justin
On Wednesday 07 December 2005 18:01, Justin wrote:
> Hi there,
>
> I've read the Routing on One Interface, and Shorewall and Aliased
> Interfaces docs but I'm a little confused, and all my test attempts
> have mostly failed. Here is my setup:
>
> CentOS 4.2
> ShoreWall 3.0.2
>
> My server has a subnet 192.168.50.0/29 routed to it via 192.168.1.2.
> Currently 192.168.1.2 is set up on eth0. With no ShoreWall involved,
> routing seems to work if I just set up each of the IPs in the subnet
> as eth0:1, etc...
>
> What is the proper way to set up shorewall to protect this box? I want
> the default behavior of allow all outgoing traffic to the Internet,
> deny all incoming traffic from the Internet. Then I can selectively
> open ports for my web server, etc.
>
> (IPs have been changed to protect the innocent)
>
> Any help would be greatly appreciated.
>
> - Justin

I've spent my evenings, weekends and vacations writing Shorewall and its documentation. So if you can't follow my instructions then it's up to you to tell me what you've done and to describe how it doesn't work (see http://www.shorewall.net/support.htm).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks for your great work with Shorewall and the documentation. I've set up a few installations and up to this point the documentation has guided me through each one with ease. I am extremely grateful for ShoreWall; it makes security accessible to users like me who have some idea about networking but are miles away from being an expert, and confused by iptables.

Sorry for not better laying out the issue I am having. I've tried many of the configurations in the document "Shorewall and Aliased Interfaces" and was somewhat lost about which configuration caused what result. I'm trying to use example 5 on this page: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

My configs are as follows:

/etc/shorewall/interfaces___________________________
loc     eth0    192.168.50.7,192.168.1.255    routeback

/etc/shorewall/zones___________________________
fw      firewall
loc     ipv4

/etc/shorewall/zones___________________________
fw      firewall
loc     ipv4

/etc/shorewall/policy___________________________
loc     all     ACCEPT
fw      loc     DROP    info
all     all     REJECT  info

/etc/shorewall/rules___________________________
SECTION NEW
ACCEPT  fw      loc     tcp     ssh
ACCEPT  fw      loc     tcp     smtp

The problem is that the firewall doesn't seem to block anything with this setup. I hope this helps explain where I'm coming from. Let me know if I should add more detail to any part.

Thanks for your help!

- Justin

On 12/7/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Wednesday 07 December 2005 18:01, Justin wrote:
> > Hi there,
> >
> > I've read the Routing on One Interface, and Shorewall and Aliased
> > Interfaces docs but I'm a little confused, and all my test attempts
> > have mostly failed. Here is my setup:
> >
> > CentOS 4.2
> > ShoreWall 3.0.2
> >
> > My server has a subnet 192.168.50.0/29 routed to it via 192.168.1.2.
> > Currently 192.168.1.2 is set up on eth0. With no ShoreWall involved,
> > routing seems to work if I just set up each of the IPs in the subnet
> > as eth0:1, etc...
> >
> > What is the proper way to set up shorewall to protect this box? I want
> > the default behavior of allow all outgoing traffic to the Internet,
> > deny all incoming traffic from the Internet. Then I can selectively
> > open ports for my web server, etc.
> >
> > (IPs have been changed to protect the innocent)
> >
> > Any help would be greatly appreciated.
> >
> > - Justin
>
> I've spent my evenings, weekends and vacations writing Shorewall and
> its documentation. So if you can't follow my instructions then it's up to
> you to tell me what you've done and to describe how it doesn't work (see
> http://www.shorewall.net/support.htm).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 07 December 2005 20:09, Justin wrote:
> Hi Tom,
>
> Thanks for your great work with Shorewall and the documentation. I've
> set up a few installations and up to this point the documentation has
> guided me through each one with ease. I am extremely grateful for
> ShoreWall; it makes security accessible to users like me who have some
> idea about networking but are miles away from being an expert, and
> confused by iptables.
>
> Sorry for not better laying out the issue I am having. I've tried many
> of the configurations in the document "Shorewall and Aliased Interfaces"
> and was somewhat lost about which configuration caused what result.
> I'm trying to use example 5 on this page:
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
>
> My configs are as follows:
>
> /etc/shorewall/interfaces___________________________
> loc     eth0    192.168.50.7,192.168.1.255    routeback
>
> /etc/shorewall/zones___________________________
> fw      firewall
> loc     ipv4
>
> /etc/shorewall/zones___________________________
> fw      firewall
> loc     ipv4
>
> /etc/shorewall/policy___________________________
> loc     all     ACCEPT
> fw      loc     DROP    info
> all     all     REJECT  info
>
> /etc/shorewall/rules___________________________
> SECTION NEW
> ACCEPT  fw      loc     tcp     ssh
> ACCEPT  fw      loc     tcp     smtp
>
> The problem is that the firewall doesn't seem to block anything with
> this setup. I hope this helps explain where I'm coming from. Let me
> know if I should add more detail to any part.
>
> Thanks for your help!

Justin,

You are giving me bits and pieces of your config. If you understood which parts of your configuration were relevant to your problem, you would fix them, right?

Please

a) /sbin/shorewall start (if Shorewall isn't currently running) or /sbin/shorewall reset (if Shorewall is currently running); and
b) Try what isn't working the way that you expected; and
c) collect and post the output of "shorewall dump" (as an attachment); and
d) tell me exactly what you tried, what you expected to happen, and what really happened.

These are the same instructions as are given in the URL I referred you to.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I've attached the dump file. I have not changed the IP addresses in the dump file; this is just a different machine I'm using for testing.

The server has the subnet 192.168.40.0/24 routed to it via 192.168.30.244. Currently 192.168.30.244 is set up on eth0, 192.168.40.1 is on eth0:1 and 192.168.40.3 is on eth0:2.

[root@tower shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:25:aa:27:e4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.30.244/24 brd 192.168.30.255 scope global eth0
    inet 192.168.40.1/24 brd 192.168.40.255 scope global eth0:1
    inet 192.168.40.3/24 brd 192.168.40.255 scope global secondary eth0:2
    inet6 fe80::211:25ff:feaa:27e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:11:25:aa:27:e5 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

[root@tower shorewall]# ip route show
192.168.30.0/24 dev eth0  proto kernel  scope link  src 192.168.30.244
192.168.40.0/24 dev eth0  proto kernel  scope link  src 192.168.40.1
169.254.0.0/16 dev eth0  scope link
default via 192.168.30.1 dev eth0

Here are the two things I tried that did not work as expected:

1) telnet 192.168.40.3 80 from 192.168.30.250. I expected this to be rejected, but it was let through.
2) ping www.yahoo.com from the shorewall box. I expected a ping response, but got "ping: unknown host yahoo.com"

Thanks,
Justin

On 12/7/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Wednesday 07 December 2005 20:09, Justin wrote:
> > Hi Tom,
> >
> > Thanks for your great work with Shorewall and the documentation. I've
> > set up a few installations and up to this point the documentation has
> > guided me through each one with ease. I am extremely grateful for
> > ShoreWall; it makes security accessible to users like me who have some
> > idea about networking but are miles away from being an expert, and
> > confused by iptables.
> >
> > Sorry for not better laying out the issue I am having. I've tried many
> > of the configurations in the document "Shorewall and Aliased Interfaces"
> > and was somewhat lost about which configuration caused what result.
> > I'm trying to use example 5 on this page:
> > http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
> >
> > My configs are as follows:
> >
> > /etc/shorewall/interfaces___________________________
> > loc     eth0    192.168.50.7,192.168.1.255    routeback
> >
> > /etc/shorewall/zones___________________________
> > fw      firewall
> > loc     ipv4
> >
> > /etc/shorewall/zones___________________________
> > fw      firewall
> > loc     ipv4
> >
> > /etc/shorewall/policy___________________________
> > loc     all     ACCEPT
> > fw      loc     DROP    info
> > all     all     REJECT  info
> >
> > /etc/shorewall/rules___________________________
> > SECTION NEW
> > ACCEPT  fw      loc     tcp     ssh
> > ACCEPT  fw      loc     tcp     smtp
> >
> > The problem is that the firewall doesn't seem to block anything with
> > this setup. I hope this helps explain where I'm coming from. Let me
> > know if I should add more detail to any part.
> >
> > Thanks for your help!
>
> Justin,
>
> You are giving me bits and pieces of your config. If you understood which
> parts of your configuration were relevant to your problem, you would fix
> them, right?
>
> Please
>
> a) /sbin/shorewall start (if Shorewall isn't currently running)
> or /sbin/shorewall reset (if Shorewall is currently running); and
> b) Try what isn't working the way that you expected; and
> c) collect and post the output of "shorewall dump" (as an attachment); and
> d) tell me exactly what you tried, what you expected to happen, and what
> really happened.
>
> These are the same instructions as are given in the URL I referred you to.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 07 December 2005 20:58, Justin wrote:
> Here are the two things I tried that did not work as expected:
> 1) telnet 192.168.40.3 80 from 192.168.30.250. I expected this to be
> rejected, but it was let through.
> 2) ping www.yahoo.com from the shorewall box. I expected a ping
> response, but got "ping: unknown host yahoo.com"

Thanks -- it's after 9pm here so I'll look at your report in the morning.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 07 December 2005 20:58, Justin wrote:
> 2) ping www.yahoo.com from the shorewall box. I expected a ping
> response, but got "ping: unknown host yahoo.com"

Here is the *first* record that I see in the log part of the "shorewall dump" output:

Dec 7 19:58:07 fw2loc:DROP:IN= OUT=eth0 SRC=192.168.30.244 DST=192.168.30.250 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=62879 DF PROTO=UDP SPT=33078 DPT=53 LEN=51

Please use this information along with Shorewall FAQ 17 to determine the rule(s) that you are missing.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
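The log record Tom points to carries everything FAQ 17 asks the reader to work out: the zone pair in the prefix (fw2loc), the disposition (DROP), the interface, and the protocol and port. The Python script below is an added example, not part of this thread and not Shorewall's own code. It parses Shorewall-prefixed netfilter log lines (the record above plus constructed companions; the port-name table, the 203.0.113.9 address and the net2fw line are constructed for the demonstration) and prints, per distinct blocked flow, the rules-file line that would permit it, in the column layout of the rules file posted earlier in the thread. Whether to add such a line is the administrator's decision; the script only shows which zone pair and service each drop belongs to. For the thread's record, the query is the firewall's own DNS lookup to 192.168.30.250 being dropped by the fw->loc DROP policy, which is why ping reports an unknown host.

```python
import re
from collections import Counter

# Log line quoted from the "shorewall dump" excerpt earlier in this thread.
PAGE_LOG_LINE = ("Dec 7 19:58:07 fw2loc:DROP:IN= OUT=eth0 SRC=192.168.30.244 "
                 "DST=192.168.30.250 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=62879 DF "
                 "PROTO=UDP SPT=33078 DPT=53 LEN=51")

# Constructed companions (not from the thread): a retry of the same DNS query,
# an inbound TCP/80 attempt logged by a net->fw DROP, and an unrelated kernel line.
SAMPLE_LINES = [
    PAGE_LOG_LINE,
    "Dec 7 19:58:12 fw2loc:DROP:IN= OUT=eth0 SRC=192.168.30.244 DST=192.168.30.250 "
    "LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=62880 DF PROTO=UDP SPT=33078 DPT=53 LEN=51",
    "Dec 7 20:03:44 net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.30.244 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=80 SYN URGP=0",
    "Dec 7 20:03:45 tower kernel: eth1: link is not ready",
]

# Shorewall's log prefix is [Shorewall:]<zone1>2<zone2>:<disposition>: and the
# kernel prints IN= immediately after it, which anchors the match.
PREFIX_RE = re.compile(r"(?:Shorewall:)?(\w+?)2(\w+):([A-Z]+):(?=IN=)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed port-to-name table, used only for the human-readable summary.
SERVICE_NAMES = {22: "ssh", 25: "smtp", 53: "domain (DNS)", 80: "http", 443: "https"}


def parse_shorewall_log(line):
    """Return a dict for a Shorewall-prefixed netfilter log line, else None.
    LEN= appears twice (IP header, then transport header); the last one wins."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    return {
        "src_zone": m.group(1),
        "dst_zone": m.group(2),
        "disposition": m.group(3),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def describe(rec):
    """One line in the terms FAQ 17 has the reader work out: zone pair,
    disposition, endpoints, service and the interface involved."""
    svc = SERVICE_NAMES.get(rec["dport"], str(rec["dport"]))
    where = f"in {rec['in']}" if rec["in"] else f"out {rec['out']}"
    return (f"{rec['disposition']} by {rec['src_zone']}->{rec['dst_zone']}: "
            f"{rec['src']} -> {rec['dst']} {rec['proto']}/{svc} ({where})")


def missing_rule(rec):
    """The rules-file line that would permit this flow, in the column order of
    the thread's rules file (ACTION SOURCE DEST PROTO DEST PORT).  Numeric
    ports are emitted so the line does not depend on /etc/services names."""
    if rec["disposition"] == "ACCEPT" or rec["dport"] is None:
        return None
    return (f"ACCEPT\t{rec['src_zone']}\t{rec['dst_zone']}\t"
            f"{rec['proto'].lower()}\t{rec['dport']}")


def missing_rules(lines):
    """Distinct candidate rules over a log sample with hit counts, so the admin
    sees what was blocked before deciding which of it is actually wanted."""
    counts = Counter()
    for line in lines:
        rec = parse_shorewall_log(line)
        rule = missing_rule(rec) if rec else None
        if rule:
            counts[rule] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_shorewall_log(line)
        print(describe(rec) if rec else f"(no Shorewall prefix) {line}")
    for rule, n in missing_rules(SAMPLE_LINES).most_common():
        print(f"{n:3d}x  {rule}")
```

Run it against a real `shorewall dump` by feeding the log section's lines to `missing_rules`; lines without a zone-pair prefix (other kernel messages) are skipped rather than misparsed.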
On Wednesday 07 December 2005 20:58, Justin wrote:
> Here are the two things I tried that did not work as expected:
> 1) telnet 192.168.40.3 80 from 192.168.30.250. I expected this to be
> rejected, but it was let through.

Here's what happens to packets from eth0 that are to be forwarded by the firewall:

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

I don't see anything there but an ACCEPT rule. So I'm assuming that both 192.168.40.3 and 192.168.30.250 are in the 'loc' zone. Is this not correct? (Hint: Under Shorewall 3, intra-zone traffic is ALWAYS accepted by Shorewall unless there is an explicit rule or policy to the contrary).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
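To see how zone membership decides the outcome of Justin's two tests, the Python model below is an added example; it is not Shorewall code and not part of the thread. It applies the policy and rules Justin posted, takes the firewall's own addresses from his `ip addr show`, and follows Tom's hint that intra-zone traffic is accepted unless a rule or policy names that zone pair explicitly, so a catch-all `all all REJECT` never governs it. Two things in it are assumptions constructed for the demonstration: a second configuration that leaves eth0 unzoned and splits the two subnets into `loc` and a hypothetical `dmz` zone with hosts-file-style entries, and the addresses 192.168.40.5 (a host behind the firewall in the routed subnet) and 203.0.113.9 (an address reached through the default route). Rule and policy matching is simplified (rules first, then the first matching policy); it is enough to reproduce the thread's results.

```python
import ipaddress

# Constructed model of the configuration posted in this thread: the firewall's
# own addresses from Justin's `ip addr show`, and his policy and rules files
# (service names ssh/smtp written as port numbers).
FW_ADDRS = {"192.168.30.244", "192.168.40.1", "192.168.40.3"}
POLICY = [("loc", "all", "ACCEPT"), ("fw", "loc", "DROP"), ("all", "all", "REJECT")]
RULES = [("ACCEPT", "fw", "loc", "tcp", 22), ("ACCEPT", "fw", "loc", "tcp", 25)]


def make_config(default_zone, hosts, policy=POLICY, rules=RULES, fw_addrs=FW_ADDRS):
    """default_zone: the zone the interfaces file gives eth0 (None when the
    interface line has '-' and zones come only from hosts-file entries).
    hosts: [(zone, cidr)] in hosts-file style; the most specific entry wins."""
    nets = sorted(((z, ipaddress.ip_network(c)) for z, c in hosts),
                  key=lambda e: e[1].prefixlen, reverse=True)
    return {"fw": set(fw_addrs), "hosts": nets, "default": default_zone,
            "policy": list(policy), "rules": list(rules)}


def zone_of(cfg, ip):
    """The firewall's own addresses are zone 'fw'; everything else gets the
    zone of the most specific hosts entry, else the interface's zone."""
    if ip in cfg["fw"]:
        return "fw"
    addr = ipaddress.ip_address(ip)
    for zone, net in cfg["hosts"]:
        if addr in net:
            return zone
    return cfg["default"]


def decide(cfg, src_ip, dst_ip, proto, dport):
    """(action, src_zone, dst_zone, reason) for a NEW connection.
    Simplifications: rules are checked before policies, and for an intra-zone
    pair only a policy naming that zone in both columns applies, so a catch-all
    like 'all all REJECT' never governs intra-zone traffic (Tom's hint)."""
    sz, dz = zone_of(cfg, src_ip), zone_of(cfg, dst_ip)
    if sz is None or dz is None:
        raise ValueError("address outside every zone; not covered by this model")
    intra = sz == dz
    for action, s, d, p, port in cfg["rules"]:
        if s in (sz, "all") and d in (dz, "all") and p == proto and port == dport:
            return action, sz, dz, f"rule {action} {s} {d} {p} {port}"
    for s, d, action in cfg["policy"]:
        if intra and not (s == sz and d == dz):
            continue
        if s in (sz, "all") and d in (dz, "all"):
            return action, sz, dz, f"policy {s} {d} {action}"
    if intra:
        return "ACCEPT", sz, dz, "intra-zone default ACCEPT"
    raise ValueError(f"no policy for {sz}->{dz}")


# Justin's configuration: the whole of eth0 is 'loc'.
JUSTIN = make_config("loc", [])
# Assumed alternative: eth0 unzoned, hosts-file entries splitting the subnets.
SPLIT = make_config(None, [("loc", "192.168.30.0/24"), ("dmz", "192.168.40.0/24")])

# The thread's two tests, plus constructed cases (192.168.40.5 is a hypothetical
# host behind the firewall, 203.0.113.9 an address beyond the default route).
CASES = [
    (JUSTIN, "192.168.30.250", "192.168.40.3", "tcp", 80),   # Justin's telnet test
    (JUSTIN, "192.168.30.244", "192.168.30.250", "udp", 53),  # the logged DNS query
    (JUSTIN, "192.168.30.244", "192.168.30.250", "tcp", 22),
    (JUSTIN, "192.168.30.250", "192.168.40.5", "tcp", 80),
    (JUSTIN, "203.0.113.9", "192.168.40.3", "tcp", 80),
    (SPLIT, "192.168.40.5", "192.168.30.250", "tcp", 80),
    (SPLIT, "192.168.30.250", "192.168.40.5", "tcp", 80),
]

if __name__ == "__main__":
    for cfg, src, dst, proto, port in CASES:
        action, sz, dz, why = decide(cfg, src, dst, proto, port)
        name = "justin" if cfg is JUSTIN else "split"
        print(f"[{name}] {src} -> {dst} {proto}/{port}: {action} ({sz}->{dz}, {why})")
```

Under Justin's configuration the telnet target 192.168.40.3 is one of the firewall's own aliases, so that connection is loc->fw and is accepted by the `loc all ACCEPT` policy; a host behind the firewall in 192.168.40.0/24 would instead be loc->loc and accepted by the intra-zone default, exactly as Tom's hint says. Because eth0 also carries the default route, an address beyond it is classified as `loc` too and gets the same ACCEPT, which is why nothing appears to be blocked. In the split model only the dmz->loc direction, with no ACCEPT policy of its own, falls through to `all all REJECT`; the firewall's DNS query still hits `fw loc DROP` in both models.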