    # shorewall version
    3.2.1

SNAT is enabled. Setting up DNAT to do port forwarding -- this example looked exactly like what I wanted:

(FAQ 1c) From the internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that?

In /etc/shorewall/rules:

    #ACTION   SOURCE   DEST                 PROTO   DEST PORT
    DNAT      net      loc:192.168.1.3:22   tcp     1022

However, I am testing this before putting the firewall in place on the internet, so my zones are configured as follows:

    Zone   Interface   Address
    ====   =========   =======
    net    public      10.10.1.1
    loc    private     192.168.1.1

My test PC in the net zone has address 10.10.1.2, and I have configured a route on the private host at 192.168.1.3 so it can find the 10.10.1.0 network. Now, from 10.10.1.2...

    When I Access     Shorewall
    =============     =========
    10.10.1.1:1022    Forwards the packet (as expected)
    192.168.1.3       Forwards the packet (NOT expected)

And if I specify DNAT:info, the first attempt is logged, but nothing appears for the second attempt, even though it was apparently passed through.

If I change the rule to...

    #ACTION   SOURCE   DEST                 PROTO   DEST PORT   SRC PRT   ORIG DEST
    DNAT      net      loc:192.168.1.3:22   tcp     1022        -         10.10.1.1

...then requests to 192.168.1.3 are NOT forwarded (as expected).

Now I understand that in a "real" situation, it's quite unlikely that a host on the internet could address a packet to a private IP address and route it thru the public address of a particular shorewall firewall, but I suspect it could be done. So this feels like a security hole. Or maybe it's WAD and I just can't see why. Your thoughts?
YNG wrote:

>     # shorewall version
>     3.2.1
>
> SNAT is enabled. Setting up DNAT to do port forwarding -- this example looked exactly like what I wanted:
>
> (FAQ 1c) From the internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that?
>
> In /etc/shorewall/rules:
>
>     #ACTION   SOURCE   DEST                 PROTO   DEST PORT
>     DNAT      net      loc:192.168.1.3:22   tcp     1022
>
> However, I am testing this before putting the firewall in place on the internet, so my zones are configured as follows:
>
>     Zone   Interface   Address
>     ====   =========   =======
>     net    public      10.10.1.1
>     loc    private     192.168.1.1
>
> My test PC in the net zone has address 10.10.1.2, and I have configured a route on the private host at 192.168.1.3 so it can find the 10.10.1.0 network. Now, from 10.10.1.2...
>
>     When I Access     Shorewall
>     =============     =========
>     10.10.1.1:1022    Forwards the packet (as expected)
>     192.168.1.3       Forwards the packet (NOT expected)
>
> And if I specify DNAT:info, the first attempt is logged, but nothing appears for the second attempt, even though it was apparently passed through.
>
> If I change the rule to...
>
>     #ACTION   SOURCE   DEST                 PROTO   DEST PORT   SRC PRT   ORIG DEST
>     DNAT      net      loc:192.168.1.3:22   tcp     1022        -         10.10.1.1
>
> ...then requests to 192.168.1.3 are NOT forwarded (as expected).
>
> Now I understand that in a "real" situation, it's quite unlikely that a host on the internet could address a packet to a private IP address and route it thru the public address of a particular shorewall firewall, but I suspect it could be done. So this feels like a security hole. Or maybe it's WAD and I just can't see why. Your thoughts?

It works as expected. In any production environment, you would hopefully do one or more of the following:

a) Code the rule as you show above.

b) Specify 'norfc1918' on the Firewall's External Interface (you can't do that now because your external interface has an RFC1918 address -- ok, you could if you copied /usr/share/shorewall/rfc1918 to /etc/shorewall and modified it as described in the FAQs).

c) Specify DETECT_DNAT_ADDRS=Yes in shorewall.conf

Any of the three will close this "security hole".

Also, regarding what gets logged for DNAT (and REDIRECT) rules, there is an element of Shorewall FAQ 52 in your questions.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> c) Specify DETECT_DNAT_ADDRS=Yes in shorewall.conf

And before someone replies complaining that they can't find that option in their shorewall.conf, the option is DETECT_DNAT_IPADDRS

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
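As an added illustration (not code from the thread, and not Shorewall's own code), the following Python models why the direct packet to 192.168.1.3:22 was forwarded without a DNAT:info log line and why a filled-in ORIGINAL DEST or DETECT_DNAT_IPADDRS=Yes stops it: the DNAT entry only fires for the forwarded port, while the ACCEPT that admits the forwarded connection into loc is written for the post-NAT destination, which a packet addressed straight to the host already matches. The shape of those two generated rules, and a DROP net->loc policy, are assumptions of the model; the addresses and ports are the thread's own test setup.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed from the thread's test setup: the net-zone interface holds 10.10.1.1.
NET_IFACE_ADDR = "10.10.1.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class DnatRule:
    """One DNAT line from /etc/shorewall/rules, columns as in the thread."""
    dest_ip: str                      # DEST: host the connection is forwarded to
    dest_port: int                    # DEST: port on that host
    proto: str                        # PROTO
    match_port: int                   # DEST PORT
    orig_dest: Optional[str] = None   # ORIGINAL DEST, None when the column is blank

def effective_orig_dest(rule: DnatRule, detect_dnat_ipaddrs: bool) -> Optional[str]:
    """DETECT_DNAT_IPADDRS=Yes supplies the interface address when ORIGINAL DEST is blank."""
    if rule.orig_dest:
        return rule.orig_dest
    return NET_IFACE_ADDR if detect_dnat_ipaddrs else None

def evaluate(pkt: Packet, rule: DnatRule, detect_dnat_ipaddrs: bool = False) -> Tuple[bool, bool]:
    """Model one net->loc packet; returns (dnat_entry_fired, accepted_into_loc).
    Assumed model of the generated iptables rules: a nat PREROUTING DNAT entry on
    PROTO/DEST PORT plus a filter ACCEPT written for the post-NAT destination, both
    also matching the original destination when one is known; net->loc policy is DROP.
    """
    orig = effective_orig_dest(rule, detect_dnat_ipaddrs)
    # nat PREROUTING: the entry a DNAT:info log level reports on.
    fired = (pkt.proto == rule.proto and pkt.dport == rule.match_port
             and (orig is None or pkt.dst == orig))
    post = Packet(pkt.src, rule.dest_ip, rule.dest_port, pkt.proto) if fired else pkt
    # filter net2loc: a packet sent straight to 192.168.1.3:22 already looks post-NAT.
    accepted = (post.proto == rule.proto and post.dst == rule.dest_ip
                and post.dport == rule.dest_port
                and (orig is None or pkt.dst == orig))
    return fired, accepted

LOOSE = DnatRule("192.168.1.3", 22, "tcp", 1022)                          # rule as first written
STRICT = DnatRule("192.168.1.3", 22, "tcp", 1022, orig_dest="10.10.1.1")  # with ORIG DEST filled in
VIA_FIREWALL = Packet("10.10.1.2", "10.10.1.1", 1022)  # constructed: the intended path
DIRECT = Packet("10.10.1.2", "192.168.1.3", 22)        # constructed: addressed to the host itself
```

With LOOSE, evaluate(DIRECT, LOOSE) accepts the packet although the DNAT entry never fired, which is the unlogged forward in the first post; STRICT, or LOOSE with detect_dnat_ipaddrs=True, rejects it.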
Thanks for the clear explanation, Tom. This has made for an interesting first experience with the product. I'm glad I was mistaken about the security hole.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, August 17, 2006 7:11 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Security Hole?