Hi, folks.

I'm experiencing a problem with direct SSH access to my shorewall (on debian sarge) based firewall. The version of shorewall is 3.0.5_1 (from debian unstable).

The firewall is bridge based, then configured according to the two-interface setup, as recommended in the documentation.

All seems to work well (thanks Tom et al.), apart from SSH access from the net side of things (I've only tested this protocol, as it's the only one I need. I assume others will share the same fate).

DNATs work just fine (from port "xyz22" to port 22 on another machine).

The relevant policy line is:

net all DROP info

Only certain IP addresses need to have access to the SSH port, subsequently, I'm using the following exceptions to the net2all rule in the rules file:

SSH/ACCEPT net:a.b.c.d $FW
SSH/ACCEPT net:e.f.g.h $FW

However, this doesn't seem to work, as is illustrated below:

Apr 10 11:09:13 localhost kernel: Shorewall:net2all:DROP:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=w.x.y.z DST=192.168.0.254 LEN=64 TOS=0x00 PREC=0x00 TTL=59 ID=11584 DF PROTO=TCP SPT=52511 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Inevitably, I've missed something somewhere, but I really can't figure out what that something might be...

Thanks, in advance.

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Monday 10 April 2006 03:24, John Kirkland wrote:
> Hi, folks.
>
> I'm experiencing a problem with direct SSH access to my shorewall (on
> debian sarge) based firewall. The version of shorewall is 3.0.5_1 (from
> debian unstable).
>
> The firewall is bridge based, then configured according to the
> two-interface setup, as recommended in the documentation.
>
> All seems to work well (thanks Tom et al.), apart from SSH access from
> the net side of things (I've only tested this protocol, as it's the only
> one I need. I assume others will share the same fate).
>
> DNATs work just fine (from port "xyz22" to port 22 on another machine).
>
> The relevant policy line is:
>
> net all DROP info
>
> Only certain IP addresses need to have access to the SSH port,
> subsequently, I'm using the following exceptions to the net2all rule in
> the rules file:
>
> SSH/ACCEPT net:a.b.c.d $FW
> SSH/ACCEPT net:e.f.g.h $FW
>
> However, this doesn't seem to work, as is illustrated below:
>
> Apr 10 11:09:13 localhost kernel: Shorewall:net2all:DROP:IN=br0 OUT=br0
> PHYSIN=eth0 PHYSOUT=eth1 SRC=w.x.y.z DST=192.168.0.254 LEN=64 TOS=0x00
> PREC=0x00 TTL=59 ID=11584 DF PROTO=TCP SPT=52511 DPT=22 WINDOW=65535
> RES=0x00 SYN URGP=0
>
> Inevitably, I've missed something somewhere, but I really can't figure
> out what that something might be...

Please see http://www.shorewall.net/support.htm for instructions about reporting these sorts of connection problems. We need to see more than just your obfuscated rules and the obfuscated event. I can tell you however that the above logged packet isn't addressed to your firewall -- it is being forwarded by your firewall to 192.168.0.254 (because OUT=br0 PHYSOUT=eth1).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
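Tom's diagnosis rests on reading the IN/OUT/PHYSIN/PHYSOUT fields of the logged event: a packet addressed to the firewall itself is logged with an empty OUT, while one that is being forwarded through the bridge has both IN and OUT set. The Python below is an added example, not code from the thread or from the Shorewall project, that parses such a line, works out which netfilter path the packet took, and explains why John's "SSH/ACCEPT net:... $FW" rule could not have matched it. It assumes a zone layout of eth0 = net and eth1 = loc for the bridged two-interface setup, treats the SSH macro as tcp/22, substitutes the documentation address 203.0.113.10 for the obfuscated source in a constructed copy of the event, and constructs a second INPUT-path line for contrast.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The event John posted, verbatim (SRC is obfuscated as w.x.y.z in the thread).
THREAD_LOG = (
    "Apr 10 11:09:13 localhost kernel: Shorewall:net2all:DROP:IN=br0 OUT=br0 "
    "PHYSIN=eth0 PHYSOUT=eth1 SRC=w.x.y.z DST=192.168.0.254 LEN=64 TOS=0x00 "
    "PREC=0x00 TTL=59 ID=11584 DF PROTO=TCP SPT=52511 DPT=22 WINDOW=65535 "
    "RES=0x00 SYN URGP=0"
)
# Constructed variant with a documentation-range source so address matching can run.
SAMPLE_LOG = THREAD_LOG.replace("SRC=w.x.y.z", "SRC=203.0.113.10")
# Constructed: how a packet addressed to the firewall itself is logged (OUT is empty).
INPUT_LOG = (
    "Apr 10 11:10:00 localhost kernel: Shorewall:net2fw:DROP:IN=br0 OUT= "
    "PHYSIN=eth0 SRC=203.0.113.10 DST=192.168.0.254 LEN=64 TOS=0x00 PREC=0x00 "
    "TTL=59 ID=11585 DF PROTO=TCP SPT=52512 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0"
)
# Assumed zone layout for the bridged two-interface setup (not given in the thread).
ZONE_OF_PORT = {"eth0": "net", "eth1": "loc"}
SSH_MACRO = ("tcp", 22)  # what the SSH/ACCEPT macro matches


@dataclass
class Event:
    chain: str                 # Shorewall chain that logged (net2all, net2fw, ...)
    disposition: str           # DROP, REJECT, ACCEPT, ...
    fields: Dict[str, object]  # key=value tokens; bare flags (DF, SYN) map to True


def parse_shorewall_log(line: str) -> Event:
    """Split 'Shorewall:<chain>:<disposition>:' and the netfilter key=value tail."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields: Dict[str, object] = {}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True   # 'OUT=' yields an empty string
    return Event(m.group("chain"), m.group("disp"), fields)


def traversal(ev: Event) -> str:
    """Netfilter path from IN/OUT: both set means the firewall was forwarding the packet."""
    has_in, has_out = bool(ev.fields.get("IN")), bool(ev.fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"


@dataclass
class Rule:
    action: str             # e.g. SSH/ACCEPT
    src_zone: str           # e.g. net
    src_net: Optional[str]  # host or network after 'zone:', None for the whole zone
    dest: str               # '$FW' or a zone name


def parse_rule(text: str) -> Rule:
    """Parse the ACTION SOURCE DEST columns of a rules-file line."""
    action, src, dest = text.split()[:3]
    zone, _, net = src.partition(":")
    return Rule(action, zone, net or None, dest)


def rule_mismatches(rule: Rule, ev: Event, zone_of_port: Dict[str, str]) -> List[str]:
    """Reasons the rule could not have matched this event; an empty list means it should have."""
    reasons: List[str] = []
    path = traversal(ev)
    # A $FW destination only covers packets delivered to the firewall itself (INPUT path).
    if rule.dest == "$FW" and path != "INPUT":
        reasons.append(f"DEST is $FW but the packet is on the {path} path "
                       f"(OUT={ev.fields.get('OUT')} PHYSOUT={ev.fields.get('PHYSOUT')})")
    # On a bridge the zone is decided by the physical ingress port, not by br0.
    ingress = ev.fields.get("PHYSIN") or ev.fields.get("IN")
    if zone_of_port.get(str(ingress)) != rule.src_zone:
        reasons.append(f"ingress port {ingress} is not in zone {rule.src_zone}")
    if rule.src_net:
        try:
            src = ipaddress.ip_address(str(ev.fields["SRC"]))
            if src not in ipaddress.ip_network(rule.src_net, strict=False):
                reasons.append(f"SRC {src} is outside {rule.src_net}")
        except ValueError:
            reasons.append(f"SRC {ev.fields.get('SRC')!r} is not a parseable address")
    if rule.action.upper().startswith("SSH/"):
        proto, port = SSH_MACRO
        if str(ev.fields.get("PROTO", "")).lower() != proto or str(ev.fields.get("DPT")) != str(port):
            reasons.append(f"packet is not {proto}/{port}")
    return reasons


if __name__ == "__main__":
    ev = parse_shorewall_log(SAMPLE_LOG)
    print(ev.chain, ev.disposition, traversal(ev))
    for reason in rule_mismatches(parse_rule("SSH/ACCEPT net:203.0.113.10 $FW"), ev, ZONE_OF_PORT):
        print(" -", reason)
```

Run against the posted event, the only mismatch reported is the destination: source zone, source address and tcp/22 all agree with the rule, but the packet is on the FORWARD path, which is exactly what Tom read off OUT=br0 PHYSOUT=eth1. The same rule checked against the constructed INPUT-path line returns no mismatches.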
I've just had a very similar problem.

Does your server only have one IP?

What I did, was forward traffic to an IP it was meant to be listening and ACCEPT'ing on, but when I shorewall restart'ed, it didn't come up in ifconfig.

Have a poke around in ifconfig to double-check the IP you're connecting to, is actually there.

Regards,
Jan

On 10/04/06, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Monday 10 April 2006 03:24, John Kirkland wrote:
> > Hi, folks.
> >
> > I'm experiencing a problem with direct SSH access to my shorewall (on
> > debian sarge) based firewall. The version of shorewall is 3.0.5_1 (from
> > debian unstable).
> >
> > The firewall is bridge based, then configured according to the
> > two-interface setup, as recommended in the documentation.
> >
> > All seems to work well (thanks Tom et al.), apart from SSH access from
> > the net side of things (I've only tested this protocol, as it's the only
> > one I need. I assume others will share the same fate).
> >
> > DNATs work just fine (from port "xyz22" to port 22 on another machine).
> >
> > The relevant policy line is:
> >
> > net all DROP info
> >
> > Only certain IP addresses need to have access to the SSH port,
> > subsequently, I'm using the following exceptions to the net2all rule in
> > the rules file:
> >
> > SSH/ACCEPT net:a.b.c.d $FW
> > SSH/ACCEPT net:e.f.g.h $FW
> >
> > However, this doesn't seem to work, as is illustrated below:
> >
> > Apr 10 11:09:13 localhost kernel: Shorewall:net2all:DROP:IN=br0 OUT=br0
> > PHYSIN=eth0 PHYSOUT=eth1 SRC=w.x.y.z DST=192.168.0.254 LEN=64 TOS=0x00
> > PREC=0x00 TTL=59 ID=11584 DF PROTO=TCP SPT=52511 DPT=22 WINDOW=65535
> > RES=0x00 SYN URGP=0
> >
> > Inevitably, I've missed something somewhere, but I really can't figure
> > out what that something might be...
> >
>
> Please see http://www.shorewall.net/support.htm for instructions about
> reporting these sorts of connection problems. We need to see more than
> just your obfuscated rules and the obfuscated event. I can tell you however
> that the above logged packet isn't addressed to your firewall -- it is being
> forwarded by your firewall to 192.168.0.254 (because OUT=br0
> PHYSOUT=eth1).
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>
>
Jan Mulders wrote:
> I've just had a very similar problem.
>
> Does your server only have one IP?
>
> What I did, was forward traffic to an IP it was meant to be listening
> and ACCEPT'ing on, but when I shorewall restart'ed, it didn't come up in
> ifconfig.
>
> Have a poke around in ifconfig to double-check the IP you're connecting
> to, is actually there.
>
> Regards,
>
<snip>

Hi, again.

Thanks, BTW, Tom for the hint. It pointed me in the correct direction.

NOTE: I've since changed the way things work, but I'll describe things in the present tense.

To expand on the setup being used:

The router is a Vigor 2600. This seems to have many facilities, almost all of which aren't used. Its IP address is 192.168.0.66. I have an ADSL connection, with a fixed I/P address.

The bridge on the firewall has the address 192.168.0.254. The Vigor has this address placed in its DMZ, ensuring that incoming requests are passed on immediately to the bridged firewall. This is why the destination described by the original log entry was targeted at 192.168.0.254, as the Vigor had made this so. The net2all policy was catching this, and in my setup, dropping it. This is, of course, the same for all services, trying to access the firewall directly.

...

Anyway, I couldn't see a way of fixing this on the Vigor, or on the firewall, after doing much reading of the documentation. I ended up reconfiguring the firewall to operate in non-bridged mode, using a standard two-interface setup, with the Vigor having an I/P address of 192.168.1.1, eth0 (net side) having an address of 192.168.1.254 and eth1 (loc side) having 192.168.0.254. With this setup all seems to work well.

I'd very much like to use a bridged setup (because it is, I believe the "proper way"), but right now, I can't figure out how to get it to work properly, and the new setup works as desired. Having said that, if anyone does have any ideas on using the Vigor/Shorewall/Bridge method, then I'd be most happy to hear about it.

Thanks.

--
John Kirkland
Hi John

> [...]
> Anyway, I couldn't see a way of fixing this on the Vigor, or on the
> firewall, after doing much reading of the documentation. I ended up
> reconfiguring the firewall to operate in non-bridged mode, using a
> standard two-interface setup, with the Vigor having an I/P address of
> 192.168.1.1, eth0 (net side) having an address of 192.168.1.254 and
> eth1 (loc side) having 192.168.0.254. With this setup all seems to work
> well.
>
> I'd very much like to use a bridged setup (because it is, I believe the
> "proper way"), but right now, I can't figure out how to get it to work
> properly, and the new setup works as desired. Having said that, if
> anyone does have any ideas on using the Vigor/Shorewall/Bridge method,
> then I'd be most happy to hear about it.

I share your dislike of this double-nat setup, though it probably works fine.

For some types of ADSL, you should be able to setup the Vigor to just be a modem, not a router, and then let your linux-machine be the only router. (PPPoE/bridged-ethernet types of ADSL usually fall into this category).

For other types of ADSL, you can get a small subnet of public IP-addresses (at least 4), and setup the Vigor as a plain, non-nat router. (This is typical for PPPoA types of ADSL).

Another option -- if you are feeling really adventurous -- is to get an ADSL-modem for your linux-machine, and drop the Vigor entirely.

I don't know anything about the bridged mode that you tried at first.

Rune