Hi,

I installed shorewall 3.0.7-1 on my Debian box and pretty much ran it out of the box after adding a few macros. I'm running it on a gateway between the net and my local lan.

The other day, without thinking, I logged into my work network using a VPN client and it worked. However, I never opened up any of the VPN ports. In particular, as a secure connection using a token, it turns out that ISAKMP port 500 is wide open.

Is that the default behavior of shorewall? (I would have assumed that I need to open this port manually).

Thanks,
Chad

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
C. Albers wrote:

Please configure your mailer to break lines at some reasonable width. Your whole post is one long line!

> I installed shorewall 3.0.7-1 on my Debian box and pretty much ran it out of the box

> Is that the default behavior of shorewall? (I would have assumed that
> I need to open this port manually).

There is no "out of the box" Shorewall configuration. As released by shorewall.net, Shorewall won't even start until you configure it.

If you install Shorewall using the QuickStart Guides at http://www.shorewall.net/shorewall_quickstart_guide.htm, it will accept no connections from the net. If you didn't do that, then there is no way for us to know what your configuration looks like. Please see http://www.shorewall.net/support.htm#Guidelines if you want us to evaluate your situation further.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Post your configuration files (perhaps with IP addresses removed/obfuscated) and we'll see where the hole lies! Feel free to contact me off-list.

Regards,
Jan Mulders

On 24/09/06, Tom Eastep <teastep@shorewall.net> wrote:
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Sorry about the linefeeds or lack thereof. I guess yahoo's new beta mail isn't quite up to par.

You are right, Tom. I didn't actually start shorewall out of the box. I also didn't follow #4 of the Support guides. Sorry about that. Following those guidelines, here we go:

shorewall version => 3.0.7

ip addr show
<begin>
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 576 qdisc pfifo_fast qlen 1000
    link/ether 00:11:2f:71:fe:87 brd ff:ff:ff:ff:ff:ff
    inet 69.86.213.18/22 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 576 qdisc pfifo_fast qlen 1000
    link/ether 00:60:97:96:af:3d brd ff:ff:ff:ff:ff:ff
4: wifi0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 199
    link/ieee802.11 00:0f:cb:b1:bd:eb brd ff:ff:ff:ff:ff:ff
5: eth2_temp: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ieee1394 00:e0:18:00:00:95:90:29 brd ff:ff:ff:ff:ff:ff:ff:ff
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7: ath0: <BROADCAST,MULTICAST,UP> mtu 2290 qdisc noqueue
    link/ether 00:0f:cb:b1:bd:eb brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ath0
    inet6 fe80::20f:cbff:feb1:bdeb/64 scope link
       valid_lft forever preferred_lft forever
<end ip route show>

ip route show
<begin>
192.168.2.0/24 dev ath0 proto kernel scope link src 192.168.2.1
69.86.XXX.0/22 dev eth0 proto kernel scope link src XX.XX.XX.XX
default via 69.86.XXX.1 dev eth0
</end ip route show>
(I XX'd out my actual ip address)

Anyway, here's how I installed shorewall.

1) I actually followed your two-interfaces guide.
   http://www.shorewall.net/two-interface.htm
   In my case, eth0 connects to the internet, and ath0 connects to my wireless lan network
2) To set this up I copied the config files from /usr/share/doc/shorewall/examples/two-interfaces
3) For added security, I added my external ip address to the masq config file, which, as I understand it, effectively enables SNAT
4) I added a few macros (SVN, SSH) to allow both internal and external clients to connect to my gateway.
5) I adjusted the policy file to allow my firewall to access the internet too.
6) I didn't touch any other config files, unless instructed by your two-interface guide.

Curiously, when I do a shorewall dump, I see a lot of messages that show information about udp connections from and to port 500 to my company's authentication server.

I'll send the dump file as requested, since I don't exactly fall inside the #3 flowchart position on the support guide.

Your help is greatly appreciated, Tom.

Thanks,
Chad

----- Original Message ----
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Sunday, September 24, 2006 5:17:53 PM
Subject: Re: [Shorewall-users] Shorewall and UDP port 500
C. Albers wrote:
> I'll send the dump file as requested, since I don't exactly fall inside
> the #3 flowchart position on the support guide.

I guess that I need to change the flowchart to say that "connection problems" include the case where a connection is accepted when the user doesn't think that it should be...

-Tom
Okay.

Attached is the gzip shorewall dump file.

Thanks,
Chad
C. Albers wrote:
> Okay.
>
> Attached is the gzip shorewall dump file.

Chad,

Could you please make some VPN attempts and take a dump without restarting Shorewall in between? I can't see any evidence of the problem you mentioned in your original post.

Regards,
Paul
Hi Paul,

Sorry about that. This dump has the udp log messages in it that relate to the ipsec connections over port 500 and port 10000 - which, theoretically, should be closed until I open them in the rules config file.

The log messages occur after the "Chain tcpre" section.

Thanks for your help,
Chad
C. Albers wrote:
> Hi Paul,
>
> Sorry about that. This dump has the udp log messages in it that relate
> to the ipsec connections over port 500 and port 10000 - which,
> theoretically, should be closed until I open them in the rules config file.
>
> The log messages occur after the "Chain tcpre" section.

Chad, those are not log messages, they are connection tracking table entries. Connections which show up in the conntrack table *are* passing successfully through your rules. The entries *before* tcpre are your logs, and there are no UDP packet log entries there (although that's not entirely surprising if they are accepted).

If you are running your VPN termination point on your firewall, we would expect to see some accepted UDP packets in the net2fw chain, which we don't. In fact, you've basically got nothing much happening there.

Try this:
1. run 'shorewall clear' (to reset your counters)
2. save your 'shorewall dump' output in a file
3. make a VPN connection through your firewall
4. save your 'shorewall dump' output to a different file
5. diff the files

That should give you at least some indication as to where the packets are being seen. If you can't solve it that way, send us both files and we'll see what we can see.

My gut leads me to guess that there is another path through your network and the traffic is not touching this firewall at all.

Paul
Paul Gear wrote:
>
> Try this:
> 1. run 'shorewall clear' (to reset your counters)

Please make that "shorewall reset" -- "shorewall clear" opens your firewall to the world.

> 2. save your 'shorewall dump' output in a file
> 3. make a VPN connection through your firewall
> 4. save your 'shorewall dump' output to a different file
> 5. diff the files
>
> That should give you at least some indication as to where the packets
> are being seen. If you can't solve it that way, send us both files and
> we'll see what we can see.

-Tom
Tom Eastep wrote:
> Paul Gear wrote:
>
>> Try this:
>> 1. run 'shorewall clear' (to reset your counters)
>
> Please make that "shorewall reset" -- "shorewall clear" opens your
> firewall to the world.

Whoops! :-)

Paul
I have attached both dump files. I don't find diff'ing the files very informative. Maybe you can see something that I can't.

As far as your gut feeling goes, I have no idea how my VPN traffic could not touch my firewall and get out on the internet. There's only one way out of my internal lan: forwarding through my linux router's eth0 interface, which shorewall is protecting.

Let me know what you see. Thanks for your help,
Chad

--- Paul Gear <pgear@redlands.qld.edu.au> wrote:
>
> My gut leads me to guess that there is another path through your network
> and the traffic is not touching this firewall at all.
>
> Paul
C. Albers wrote:
> I have attached both dump files. I don't find diff'ing the files very
> informative. Maybe you can see something that I can't.
>
> As far as your gut feeling goes, I have no idea how my VPN traffic could
> not touch my firewall and get out on the internet. There's only one way
> out of my internal lan: forwarding through my linux router's eth0
> interface, which shorewall is protecting.
>
> Let me know what you see. Thanks for your help,

Chad -- I've been following this thread and I must confess that I don't understand what problem you are reporting. When you "made some VPN attempts", what was the SOURCE IP and what was the DESTINATION IP? (I assume that the protocol was UDP and the DPT was 500?).

-Tom
Tom Eastep wrote:
> Chad -- I've been following this thread and I must confess that I don't
> understand what problem you are reporting. When you "made some VPN
> attempts", what was the SOURCE IP and what was the DESTINATION IP? (I
> assume that the protocol was UDP and the DPT was 500?).

The reason that I ask is that the only UDP port 500 connection that is active in the "AfterVPN" dump originated from inside your firewall (192.168.2.254) with a destination on the net (204.26.5.165). Since you ACCEPT loc->net traffic by policy, I hope it isn't surprising that such a connection would be accepted.

-Tom
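Paul's reset/dump/diff procedure and Tom's reading of the AfterVPN dump, as an added example that is not part of the thread and not Shorewall tooling: a small Python script that parses the conntrack section of two dumps, lists the connections that appeared in between, and says which side originated each. The two dumps are constructed in /proc/net/ip_conntrack format (assumed to be what the dump's conntrack section holds on a 2.6 kernel); addresses are from the thread except 198.51.100.7, which is made up.

```python
import re
from typing import Dict, List

# The loc zone network from the thread; anything else is treated as "net".
LOCAL_PREFIXES = ("192.168.2.",)

# Constructed: conntrack section of a dump taken right after 'shorewall reset'.
# The line layout follows /proc/net/ip_conntrack (an assumption about the dump).
BEFORE = """\
tcp      6 431999 ESTABLISHED src=192.168.2.254 dst=69.86.213.18 sport=41220 dport=22 src=69.86.213.18 dst=192.168.2.254 sport=22 dport=41220 [ASSURED] use=1
"""

# Constructed: the same section after the VPN client connected. The reply
# tuples point at the gateway's eth0 address because of the masq entry.
AFTER = BEFORE + """\
udp      17 29 src=192.168.2.254 dst=204.26.5.165 sport=500 dport=500 src=204.26.5.165 dst=69.86.213.18 sport=500 dport=500 [ASSURED] use=1
udp      17 170 src=192.168.2.254 dst=204.26.5.165 sport=10000 dport=10000 src=204.26.5.165 dst=69.86.213.18 sport=10000 dport=10000 [ASSURED] use=1
udp      17 25 src=192.168.2.254 dst=198.51.100.7 sport=53 dport=53 [UNREPLIED] src=198.51.100.7 dst=69.86.213.18 sport=53 dport=53 use=1
"""

# One conntrack line: proto, numbers, optional TCP state, original tuple,
# optional [UNREPLIED] marker, reply tuple. ICMP entries are not handled.
ENTRY = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<tcpstate>[A-Z_]+)\s+)?"
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+)\s+"
    r"(?P<unreplied>\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)


def parse_conntrack(text: str) -> Dict[tuple, dict]:
    """Map each entry's original-direction 5-tuple to the facts we care about."""
    entries: Dict[tuple, dict] = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a conntrack line (chain listings, log lines, ...)
        d = m.groupdict()
        key = (d["proto"], d["osrc"], int(d["osport"]), d["odst"], int(d["odport"]))
        entries[key] = {
            "replied": d["unreplied"] is None,
            "reply_dst": d["rdst"],
            "originator": "loc" if d["osrc"].startswith(LOCAL_PREFIXES) else "net",
        }
    return entries


def new_connections(before: str, after: str) -> List[dict]:
    """Connections present in 'after' but not in 'before', with who started them."""
    old, new = parse_conntrack(before), parse_conntrack(after)
    report = []
    for key, info in new.items():
        if key in old:
            continue
        proto, src, sport, dst, dport = key
        report.append({
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "originator": info["originator"],
            "replied": info["replied"],
            # replies addressed to something other than the originator: SNAT in play
            "snat": info["reply_dst"] != src,
        })
    return report


if __name__ == "__main__":
    for c in new_connections(BEFORE, AFTER):
        print(f"{c['proto']} {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} "
              f"started by {c['originator']}, replied={c['replied']}, snat={c['snat']}")
```

Run against real dumps, every entry the diff turns up with originator "loc" is a connection your loc->net policy accepted; only an entry starting from the net side would point at a hole.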
Hi Tom,

The problem isn't so much that I have made a connection from loc->net on UDP port 500 (and 10000), but the other way around, net->loc. If I understand your firewall correctly, the rules in the rules config file are exceptions to a net->loc DROP policy. For example, as an exception, I have opened port 22 to allow incoming ssh connections. However, I have not opened UDP port 500 (and 10000) for returning VPN traffic. In theory, then, I shouldn't be able to connect to my VPN at all, because a response from my VPN server would be blocked by the firewall and never reach my VPN client.

The mystery then is why am I able to connect to my VPN server when I have not opened UDP port 500 for incoming traffic. Why hasn't my firewall blocked this traffic, when, by default (and without a rule exception), it should be blocked?

Let me know if I'm making sense,
Chad
C. Albers wrote:
> The mystery then is why am I able to connect to my VPN
> server when I have not opened UDP port 500 for
> incoming traffic. Why hasn't my firewall blocked this
> traffic, when, by default (and without a rule
> exception), it should be blocked?
>
> Let me know if I'm making sense,

You are misunderstanding the concept of a stateful firewall.

In a stateful firewall (like the one configured by Shorewall), any packet that is part of an ESTABLISHED connection is automatically passed by the firewall. A connection becomes ESTABLISHED when a response packet is received (reaching ESTABLISHED state has nothing to do with the underlying protocol's idea of a connection).

Your rules and policies govern connections, not packets. So when you say that you have a loc->net ACCEPT policy that means that you are allowing connections to be established from the loc->net zones. And responses to ACCEPTed connection requests are always accepted as are each successive response packet.

HTH,
-Tom
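Tom's explanation above, as an added example that is neither part of the thread nor Shorewall/iptables code: a toy stateful filter in Python with the zones, policies and rules assumed to match the two-interface example plus Chad's changes (addresses from the thread, 198.51.100.7 constructed, no NAT modelled). It shows the loc->net ISAKMP request being accepted by policy, its replies passing as ESTABLISHED although no net->loc rule exists, and an unsolicited UDP 500 packet from the net being dropped.

```python
"""Toy stateful packet filter: policies and rules decide NEW connections,
the connection tracking table passes the replies. Added example, not
Shorewall or iptables code; no NAT is modelled."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Zone membership, assumed from the thread's two-interface layout.
ZONES = {
    "192.168.2.254": "loc",   # VPN client on the wireless LAN (from the dump)
    "69.86.213.18": "fw",     # gateway's external address (from 'ip addr')
    "204.26.5.165": "net",    # the VPN concentrator on the net (from the dump)
    "198.51.100.7": "net",    # constructed: an unrelated internet host
}

# Policies as in the two-interface example, plus Chad's fw->net ACCEPT.
POLICIES = {
    ("loc", "net"): "ACCEPT", ("loc", "fw"): "ACCEPT", ("fw", "net"): "ACCEPT",
    ("fw", "loc"): "ACCEPT", ("net", "loc"): "DROP", ("net", "fw"): "DROP",
}

# Rules are exceptions consulted before the policy: (src zone, dst zone, proto, dport).
RULES = {("net", "fw", "tcp", 22)}   # the SSH macro; nothing opens UDP 500 or 10000


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple[str, str, int, str, int]:
        """Connection identity in the direction this packet travels."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self) -> Tuple[str, str, int, str, int]:
        """Identity of the connection this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self) -> None:
        # conntrack: original-direction key -> "NEW" (unreplied) or "ESTABLISHED"
        self.conntrack: Dict[tuple, str] = {}

    def _new_connection_verdict(self, p: Packet) -> str:
        src_zone, dst_zone = ZONES.get(p.src), ZONES.get(p.dst)
        if src_zone is None or dst_zone is None:
            return "DROP"
        if (src_zone, dst_zone, p.proto, p.dport) in RULES:
            return "ACCEPT"
        return POLICIES.get((src_zone, dst_zone), "DROP")

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, conntrack state) for one packet."""
        if p.reply_key() in self.conntrack:
            # A response to a tracked connection: ESTABLISHED, passed without
            # consulting zone policies or rules, whichever direction it crosses.
            self.conntrack[p.reply_key()] = "ESTABLISHED"
            return "ACCEPT", "ESTABLISHED"
        if self.conntrack.get(p.key()) == "ESTABLISHED":
            return "ACCEPT", "ESTABLISHED"
        # First packet (or a retransmission before any reply): rules, then policy.
        verdict = self._new_connection_verdict(p)
        if verdict == "ACCEPT":
            self.conntrack.setdefault(p.key(), "NEW")
        return verdict, "NEW"


def vpn_scenario() -> List[Tuple[str, str, str]]:
    """Replay the thread's traffic; returns (label, verdict, state) per packet."""
    fw = StatefulFirewall()
    client, vpn, other, gw = "192.168.2.254", "204.26.5.165", "198.51.100.7", "69.86.213.18"
    steps = [
        ("isakmp request loc->net", Packet("udp", client, 500, vpn, 500)),
        ("isakmp reply net->loc", Packet("udp", vpn, 500, client, 500)),
        ("next reply net->loc", Packet("udp", vpn, 500, client, 500)),
        ("unsolicited udp 500 net->loc", Packet("udp", other, 500, client, 500)),
        ("unsolicited udp 10000 net->loc", Packet("udp", other, 10000, client, 10000)),
        ("ssh net->fw", Packet("tcp", other, 40000, gw, 22)),
    ]
    return [(label, *fw.filter(pkt)) for label, pkt in steps]


if __name__ == "__main__":
    for label, verdict, state in vpn_scenario():
        print(f"{label:32} {verdict:7} ctstate={state}")
```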
Tom Eastep wrote:
> You are misunderstanding the concept of a stateful firewall.
>
> In a stateful firewall (like the one configured by Shorewall), any packet that
> is part of an ESTABLISHED connection is automatically passed by the firewall. A
> connection becomes ESTABLISHED when a response packet is received (reaching
> ESTABLISHED state has nothing to do with the underlying protocol's idea of a
> connection).

BTW -- I was not yelling "established" in the above text -- it's capitalized in the iptables syntax and there is an ESTABLISHED section in the Shorewall rules file.

-Tom
Thanks, Tom, for taking the time to clear this up for me. I really appreciate the help.

Chad