Updates are available at http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.5/

1) If a DNAT or REDIRECT rule was used where the effective policy between the source and final destination zones is ACCEPT, the ACCEPT part of the rule was not generated. This could lead to confusing results if there was a DROP or REJECT rule following.

2) If "all+" appeared in a rule then "all" appearing in following rules was treated like "all+".

For both problems, either:

a) Replace /usr/share/shorewall/compiler and /usr/share/shorewall/functions with the 'compiler' and 'functions' files from the errata/Shorewall/ sub-directory.

b) Patch /usr/share/shorewall/compiler and /usr/share/shorewall/functions with the patch-3.2.5-4.diff patch from the errata/patches directory.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
why don't you release 3.2.6?

Tom Eastep wrote:
> Updates are available at
> http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.5/
>
> 1) If a DNAT or REDIRECT rule was used where the effective policy
> between the source and final destination zones is ACCEPT, the ACCEPT
> part of the rule was not generated. This could lead to confusing
> results if there was a DROP or REJECT rule following.
>
> 2) If "all+" appeared in a rule then "all" appearing in following rules
> was treated like "all+".
>
> For both problems, either:
>
> a) Replace /usr/share/shorewall/compiler and
> /usr/share/shorewall/functions with the 'compiler' and
> 'functions' files from the errata/Shorewall/ sub-directory.
>
> b) Patch /usr/share/shorewall/compiler and
> /usr/share/shorewall/functions with the patch-3.2.5-4.diff patch
> from the errata/patches directory.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Levente
"Si vis pacem para bellum!"
Hopefully this hasn't been asked a number of times.. I did some searching, and didn't come up with anything initially.

I have a machine which is to act as a reverse proxy for ftp traffic. It sits in the dmz, and receives ftp traffic from the net. Its job is to pass along that traffic to the firewall (which leads to a ftp server inside) using just its ip address. (So the firewall rule can be opened to just the reverse proxy server, and not ANY.) It has a single interface.

The process is to work like this:

[net]
[firewall - allow ANY ftp]
[shorewall]
[firewall - allow ftp coming only from shorewall]
[internal ftp server]

Here is my info (modified slightly to make safe to broadcast):

Shorewall interface:
  inet addr:175.31.30.10 Bcast:175.31.30.255 Mask:255.255.255.0
  Gateway: 175.31.30.1

Interfaces:
  net eth0 175.31.30.255

Policy:
  fw net ACCEPT info
  all all REJECT info

Masq: (not sure if this is necessary..)
  eth0 0.0.0.0/0 175.31.30.10

Zones:
  fw firewall
  net ipv4

Rules:
  ACCEPT net fw icmp 8
  ACCEPT fw net icmp 8
  FTP/DNAT net net:10.111.46.4
  FTP/ACCEPT fw net
  ACCEPT net fw tcp 22

When I try to ftp to the box from the outside (72.36.210.44), the connection is refused, and the following is in the log:

Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=72.36.210.44 DST=10.111.46.4 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=61493 DF PROTO=TCP SPT=51483 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0A

Hopefully I was clear enough.. if clarification is needed, just say the word.

Thanks for your time, and thanks for shorewall.

-Bill
Tom Eastep wrote:
> Updates are available at
> http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.5/
>
> 1) If a DNAT or REDIRECT rule was used where the effective policy
> between the source and final destination zones is ACCEPT, the ACCEPT
> part of the rule was not generated. This could lead to confusing
> results if there was a DROP or REJECT rule following.
>
> 2) If "all+" appeared in a rule then "all" appearing in following rules
> was treated like "all+".

Please disregard this second item. While there was a bug involving "all+", the bug has no external effects. I saw the problem in a trace and jumped to conclusions about its impact.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
kog@subfusion.net wrote:
> Hopefully this hasn't been asked a number of times.. I did some searching,
> and didn't come up with anything initially.

This is actually Shorewall FAQ #2 but it is disguised enough that you probably didn't recognize it.

> Here is my info (modified slightly to make safe to broadcast):

So you believe in "security by obscurity"...

> Masq: (not sure if this is necessary..)
> eth0 0.0.0.0/0 175.31.30.10

It *is* necessary.

> When I try to ftp to the box from the outside (72.36.210.44), the
> connection is refused, and the following is in the log:
>
> Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
> SRC=72.36.210.44 DST=10.111.46.4 LEN=60 TOS=0x10 PREC=0x00 TTL=48
> ID=61493 DF PROTO=TCP SPT=51483 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0A

From the answer to Shorewall FAQ 17 (Why are these packets being Dropped/Rejected?/How do I decode Shorewall log messages?):

If the chain is FORWARD and the IN and OUT interfaces are the same, then you probably need the 'routeback' option on that interface in /etc/shorewall/interfaces or you need the 'routeback' option in the relevant entry in /etc/shorewall/hosts.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
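As an added example (not from the thread and not Shorewall's own code), a small Python parser for the Shorewall kernel log format quoted above that applies the FAQ 17 rule of thumb Tom gives: a FORWARD-chain message whose IN and OUT interfaces are the same is flagged as a candidate for the 'routeback' option. The sample log line is a constructed copy of Bill's message (trailing garble dropped); the second line in the test is constructed.

```python
import re

# Constructed sample, copied from the log line in the thread.
SAMPLE_LOG = (
    "Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
    "SRC=72.36.210.44 DST=10.111.46.4 LEN=60 TOS=0x10 PREC=0x00 TTL=48 "
    "ID=61493 DF PROTO=TCP SPT=51483 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Shorewall prefixes netfilter log messages with "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")


def parse_shorewall_log(line):
    """Parse one Shorewall kernel log message.

    Returns a dict with 'chain', 'disposition' and every KEY=VALUE field after
    the prefix; bare flags such as DF or SYN map to True.  Returns None when
    the line carries no Shorewall prefix.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for tok in line[m.end():].split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True
    return rec


def needs_routeback(rec):
    """FAQ 17 rule of thumb: FORWARD chain with IN == OUT means the packet is
    being sent back out the interface it arrived on, which Shorewall only
    allows when that interface (or hosts entry) carries the 'routeback' option."""
    return (rec["chain"] == "FORWARD"
            and bool(rec.get("IN"))
            and rec.get("IN") == rec.get("OUT"))


def summarize(rec):
    """One-line summary of the logged flow, with the routeback hint if it applies."""
    flow = "%s:%s -> %s:%s/%s" % (rec.get("SRC"), rec.get("SPT"),
                                  rec.get("DST"), rec.get("DPT"), rec.get("PROTO"))
    text = "%s in %s: %s (IN=%s OUT=%s)" % (rec["disposition"], rec["chain"],
                                           flow, rec.get("IN"), rec.get("OUT"))
    if needs_routeback(rec):
        text += ("; same IN/OUT in FORWARD: add 'routeback' to %s in "
                 "/etc/shorewall/interfaces" % rec["IN"])
    return text


if __name__ == "__main__":
    print(summarize(parse_shorewall_log(SAMPLE_LOG)))
```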
Farkas Levente wrote:
> why don't you release 3.2.6?

Note that the second problem listed turned out to be a non-issue. It's not that 3.2.5 is unusually buggy; I've just started announcing known problems when they are discovered.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
That did the trick! Many, many thanks.

FTP Doesn't work unless it's passive - but as I understand it the FTP macro should handle active ftp - so it's probable something to do with the firewall sandwich that the shorewall instance is in the middle of.

Again, many thanks..

Bill

On Fri, 10 Nov 2006, Tom Eastep wrote:
> From the answer to Shorewall FAQ 17 (Why are these packets being
> Dropped/Rejected?/How do I decode Shorewall log messages?):
>
> If the chain is FORWARD and the IN and OUT interfaces are the same, then
> you probably need the 'routeback' option on that interface in
> /etc/shorewall/interfaces or you need the 'routeback' option in the
> relevant entry in /etc/shorewall/hosts.
>
> -Tom
kog@subfusion.net wrote:
> That did the trick! Many, many thanks. FTP Doesn't work unless it's
> passive - but as I understand it the FTP macro should handle active ftp -
> so it's probable something to do with the firewall sandwich that the
> shorewall instance is in the middle of.

Both passive and active should work -- see http://www.shorewall.net/FTP.html

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Right, yeah.. It's probably a setting on one of the other firewalls.

Thanks!

On Fri, 10 Nov 2006, Tom Eastep wrote:
> Both passive and active should work -- see http://www.shorewall.net/FTP.html
>
> -Tom