Hi, I am a beginner with Shorewall and I would like to master this program. Please point out my problems.

I installed Shorewall 3.2 from the rpm package on Fedora Core 5 and I could start shorewall daemon.

Basically, I would like to make my setting as all-free-pass then add-policy--bit-by-bit type of firewall. I am totally blind to Shorewall's settings; could somebody please show me some good examples?

<Now the problem is (when shorewall starts)>

1) I can not log-in "shorewall router" from eth0 (I can log in from node 1 or 2 )
2) rules (config file) or policy (config file) do not seem to work correctly. (It is probably my poor understanding.)

## MY NETWORK is like followings ####

                 internet
            210.166.212.13 (GW)
                    |
                    |
         |eth0: 210.166.212.14  255.255.255.252
   Router (Server) with shorewall-3.2
         |eth1: 210.166.212.41  255.255.255.248
                    |
                    |
              HUB-----------
               |           |
             node1       node2

node1 (Server)  210.166.212.42  255.255.255.248  210.166.212.41 (GW)
node2 (Server)  210.166.212.43  255.255.255.248  210.166.212.41 (GW)

<<SHOREWALL BOX>>
210.166.212.14   FOR NET
255.255.255.252  SUBNET MASK
210.166.212.13   GATEWAY

<<FOR NODE SERVERS NETWORK>>
210.166.212.40   NETWORK ADDRESS
210.166.212.41   GATEWAY
42-46 can be used for node servers
210.166.212.47   BROADCAST ADDRESS
255.255.255.248  NETMASK

## MY CONFIG is like followings ####

######################
# /etc/shorewall/zone#
######################
#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
prox    ipv4
node1   ipv4
node2   ipv4

#############################
# /etc/shorewall/interfaces #
#############################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc     eth1        detect      tcpflags,detectnets,nosmurfs

########################
# /etc/shorewall/policy#
########################
prox    $FW     ACCEPT
loc     net     ACCEPT
loc     $FW     REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
loc     all     REJECT  info
prox    node1   ACCEPT  info
$FW     net     REJECT  info
$FW     loc     REJECT  info
$FW     all     REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

########################
# /etc/shorewall/hosts #
########################
#ZONE   HOST(S)               OPTIONS
prox    eth0:210.143.96.70
node1   eth1:210.166.212.42
node2   eth1:210.166.212.43

###############################
# /etc/shorewall/routestopped #
###############################
#INTERFACE   HOST(S)             OPTIONS
eth1         210.166.212.40/29   routeback

Thanks for reading.

Takuya Sada
sada@prox.ad.jp

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
sada wrote:

> I could start shorewall daemon.

Please note that Shorewall is not a daemon. From the Shorewall home page:
"Shorewall is not a daemon. Once Shorewall has configured Netfilter, its
job is complete and there is no Shorewall code left running in the system".

> Basically,
> I would like to make my setting as all-free-pass then
> add-policy--bit-by-bit type of firewall.

I recommend the other approach -- make shorewall restrictive then gradually
relax the rules. You are less likely to end up with "holes" in your firewall.

> ## MY CONFIG is like followings ####
>
> ######################
> # /etc/shorewall/zone#
> ######################
>
> #ZONE   TYPE      OPTIONS   IN        OUT
> #                           OPTIONS   OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
> prox    ipv4
> node1   ipv4
>
> 1) I can not log-in "shorewall router" from eth0 (I can log in from node 1 or 2 )

Since you did not include your rules, we can't comment on that. How are you
trying to "log in"? SSH?

> node2   ipv4
>
> #############################
> # /etc/shorewall/interfaces #
> #############################
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> loc     eth1        detect      tcpflags,detectnets,nosmurfs
>
> ########################
> # /etc/shorewall/hosts #
> ########################
> #ZONE   HOST(S)               OPTIONS
> prox    eth0:210.143.96.70
> node1   eth1:210.166.212.42
> node2   eth1:210.166.212.43

The 'prox' zone is a sub-zone of the 'net' zone yet you have 'net' defined
before 'prox' in /etc/shorewall/zones. You should have:

######################
# /etc/shorewall/zone#
######################
#ZONE     TYPE      OPTIONS   IN        OUT
#                             OPTIONS   OPTIONS
fw        firewall
net       ipv4
loc       ipv4
prox:net  ipv4      # <==========================
node1     ipv4
node2     ipv4

If you have further problems, please submit the information requested at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
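The rule Tom applies above (a zone whose hosts sit on an interface that already belongs to another zone is a sub-zone of that zone and should be declared with the child:parent syntax, and a parent zone must be defined before any zone that names it) can be checked mechanically before running "shorewall check". The script below is an added example written for this thread, not Shorewall's own code; Shorewall's compiler does its own validation. The sample zones, interfaces and hosts files are constructed from the poster's configuration. Note that it goes a step further than Tom's reply by applying the same rule to eth1, so it also reports node1 and node2 as undeclared sub-zones of loc (the "fixed" sample declares them as node1:loc and node2:loc); that extension is my assumption, not something stated in the thread.

```python
"""Consistency check for Shorewall 3.x zones/interfaces/hosts files.

Added example, not Shorewall's own code. It makes two rules mechanical:
a zone whose hosts are on an interface owned by another zone is a sub-zone
and should be declared child:parent, and a parent must be defined before
any zone that refers to it.
"""

# --- Constructed samples (from the thread, whitespace normalised) ---------
ZONES_ORIGINAL = """\
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
prox    ipv4
node1   ipv4
node2   ipv4
"""

# Assumption: node1/node2 are nested under loc for the same reason prox is
# nested under net (they live on eth1, which the interfaces file gives to loc).
ZONES_FIXED = """\
#ZONE     TYPE
fw        firewall
net       ipv4
loc       ipv4
prox:net  ipv4
node1:loc ipv4
node2:loc ipv4
"""

# Child listed before its parent: Shorewall requires the parent first.
ZONES_BAD_ORDER = """\
#ZONE     TYPE
fw        firewall
prox:net  ipv4
net       ipv4
loc       ipv4
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc     eth1        detect      tcpflags,detectnets,nosmurfs
"""

HOSTS = """\
#ZONE   HOST(S)
prox    eth0:210.143.96.70
node1   eth1:210.166.212.42
node2   eth1:210.166.212.43
"""


def records(text):
    """Fields of each non-blank, non-comment line (inline '#' comments dropped)."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            yield body.split()


def parse_zones(text):
    """Ordered list of (zone, [parents], type) from a zones file."""
    zones = []
    for fields in records(text):
        name, _, parent_spec = fields[0].partition(":")
        parents = [p for p in parent_spec.split(",") if p]
        zones.append((name, parents, fields[1] if len(fields) > 1 else ""))
    return zones


def check_config(zones_text, interfaces_text, hosts_text):
    """Return a list of problem strings; an empty list means nothing was found."""
    problems = []
    defined = []          # zone names in file order, so 'before' is checkable
    parents_of = {}
    for name, parents, _ in parse_zones(zones_text):
        for parent in parents:
            if parent not in defined:
                problems.append(f"zones: {name}:{parent} lists parent '{parent}' before it is defined")
        if name in defined:
            problems.append(f"zones: '{name}' defined twice")
        defined.append(name)
        parents_of[name] = parents

    owner_of = {}         # interface -> zone that owns the whole interface
    for fields in records(interfaces_text):
        zone, iface = fields[0], fields[1]
        if zone not in defined:
            problems.append(f"interfaces: unknown zone '{zone}'")
        owner_of[iface] = zone

    for fields in records(hosts_text):
        zone, hostspec = fields[0], fields[1]
        iface = hostspec.split(":", 1)[0]
        if zone not in defined:
            problems.append(f"hosts: unknown zone '{zone}'")
            continue
        owner = owner_of.get(iface)
        if owner and owner != zone and owner not in parents_of.get(zone, []):
            problems.append(f"hosts: '{zone}' is a sub-zone of '{owner}' on {iface} "
                            f"but is not declared as {zone}:{owner}")
    return problems


if __name__ == "__main__":
    for label, text in (("original", ZONES_ORIGINAL), ("fixed", ZONES_FIXED),
                        ("bad order", ZONES_BAD_ORDER)):
        print(f"== {label} ==")
        for problem in check_config(text, INTERFACES, HOSTS) or ["ok"]:
            print("  " + problem)
```

Run against the original files it reports prox (and, under the eth1 assumption, node1 and node2) as undeclared sub-zones; the fixed set reports nothing, and the bad-order set reports prox:net naming net before net is defined.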
Tom Eastep wrote:

> sada wrote:
>> 1) I can not log-in "shorewall router" from eth0 (I can log in from node 1 or 2 )
>
> Since you did not include your rules, we can't comment on that. How are you
> trying to "log in"? SSH?
>

Sorry -- I meant to delete that. I assume that you are trying to log in from
the 'prox' zone (host 210.143.96.70)? If so, the change that I recommended in
my previous post should fix the problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key