Hello All,

I know that this should be a trivial issue, but I'm stuck. I'm totally new to Shorewall and although I've read all about the zones, they're still a bit confusing for me.

What I'm attempting to do is run an FTP server on an internal machine. I've read the example guide and troubleshooting guide, but I can't figure it out.

My setup: net zone is on an external NIC with a routable IP. I can connect to other services on the box from the inside and outside so network connectivity is good. My FTP server is running on 10.0.50.10 inside. LAN clients can connect to the FTP server therefore the FTP server itself is set up correctly. When I run shorewall clear, I can connect to the FTP server from the outside so it seems to be a Shorewall configuration issue for sure.

My Rules: I feel pretty confident that I fall into example #3:

Example 3. Server running behind a Masquerading Gateway

Suppose that you run an FTP server on 192.168.1.5 in your local zone using the standard port (21). You need this rule:

#ACTION     SOURCE  DESTINATION         PROTO   PORT(S)  SOURCE   ORIGINAL
#                                                        PORT(S)  DESTINATION
FTP/DNAT    net     loc:192.168.1.5

However, after changing the IP to 10.0.50.10, no go. A typical log entry when trying to connect looks like this:

Dec 15 10:36:29 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208 DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

From this I can see that it is the net2all chain that's dropping the packet which seems to indicate an incoming issue, but I don't know how to fix it.

Links, tips, everything appreciated.

Thanks!

Jon
> When I run shorewall clear, I can connect to the FTP server from the
> outside so it seems to be a Shorewall configuration issue for sure.
>
> A typical log entry when trying to connect looks like this:
>
> Dec 15 10:36:29 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208
> DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP
> SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

Your report doesn't make a lot of sense. In particular, your statement that "When I run shorewall clear, I can connect to the FTP server from the outside" suggests that DNAT is not required.

Do you have another router in front of the Shorewall box?

-Tom
Hi Tom

Thanks for replying - especially given your current state of internet connectivity.

Maybe I'm misunderstanding the DNAT thing. I thought it would be required to translate from the external NIC to the internal but even as I write this I can see how little sense that makes.

I guess what I need to do is simply allow TCP 21 connections from both the net and loc zones. Can't believe that I can't figure it out but I inherited these boxes and we all probably know it's impossible to get up to speed fast enough.

J

Sent from the road...
+1.403.770.2837

-----Original Message-----
From: Tom Eastep <tom.eastep@hp.com>
Date: Saturday, Dec 16, 2006 3:45 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue
Jon wrote:
> Hi Tom
>
> Thanks for replying - especially given your current state of internet connectivity.
>
> Maybe I'm misunderstanding the DNAT thing. I thought it would be required to translate from the external NIC to the internal but even as I write this I can see how little sense that makes.
>
> I guess what I need to do is simply allow TCP 21 connections from both the net and loc zones. Can't believe that I can't figure it out but I inherited these boxes and we all probably know it's impossible to get up to speed fast enough.

Be sure that it is actually the internal server that you are connecting to when you "shorewall clear" and not an FTP server running on the Shorewall box itself.

-Tom
They're one and the same. There's only one box and it runs both Shorewall and the FTP server. Problem is that no one (internally or externally) can get at the FTP server with Shorewall running.

I didn't explain this very well, did I?

J

Sent from the road...
+1.403.770.2837

-----Original Message-----
From: Tom Eastep <tom.eastep@hp.com>
Date: Saturday, Dec 16, 2006 4:48 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue
Jon <me <at> jonwatson.ca> writes:
> They're one and the same. There's only one box and it runs both Shorewall and the FTP server. Problem is that
> no one (internally or externally) can get at the FTP server with Shorewall running.
>
> I didn't explain this very well, did I?

No. And I don't understand how you concluded that you fall into example 3. What you need is:

FTP/ACCEPT net $FW
FTP/ACCEPT loc $FW (assuming that you have a local interface).

-Tom
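The log entry in Jon's first message carries everything needed to work out which rule is missing: the chain name (net2all) gives the source zone, an empty OUT= shows the packet was addressed to the firewall box itself rather than being forwarded, and DPT=21 gives the service. Tom's answer above is exactly that reading. As an added example that is not part of the thread, the Python below parses Shorewall kernel log lines on that basis and maps each drop to the rules-file line that would have accepted it; the interface-to-zone mapping, the FTP macro table and the second and third sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed (constructed) mapping of interfaces to Shorewall zones for this box.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}

# Protocol/port pairs that Shorewall ships a macro for; only FTP is needed here.
MACROS = {("tcp", "21"): "FTP"}

# Shorewall log prefix is Shorewall:<chain>:<disposition>: followed by netfilter
# KEY=VALUE fields; bare flags such as DF and SYN carry no value and are skipped.
ENTRY_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# Zone-pair chains are named <srczone>2<dstzone>; "all" means no pair-specific
# chain accepted the packet and the policy for that source zone applied.
CHAIN_RE = re.compile(r"([a-z]+)2([a-z]+)")


@dataclass
class Drop:
    chain: str
    disposition: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: Optional[str]

    def suggested_rule(self) -> str:
        """/etc/shorewall/rules line that would have accepted this packet."""
        macro = MACROS.get((self.proto, self.dport))
        if macro:
            return f"{macro}/ACCEPT\t{self.src_zone}\t{self.dst_zone}"
        port = f"\t{self.dport}" if self.dport else ""
        return f"ACCEPT\t{self.src_zone}\t{self.dst_zone}\t{self.proto}{port}"


def parse_entry(line: str) -> Optional[Drop]:
    """Return a Drop for a Shorewall zone-pair log line, or None otherwise."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    zones = CHAIN_RE.fullmatch(m.group("chain"))
    if not zones:
        return None  # a named rule chain rather than a zone pair
    fields = dict(FIELD_RE.findall(m.group("rest")))
    out_if = fields.get("OUT", "")
    # An empty OUT= means the packet was addressed to the firewall itself, so
    # the destination zone is $FW; otherwise it was being forwarded to the
    # zone behind the outgoing interface.
    dst_zone = "$FW" if out_if == "" else IFACE_ZONE.get(out_if, zones.group(2))
    return Drop(
        chain=m.group("chain"),
        disposition=m.group("disp"),
        src_zone=zones.group(1),
        dst_zone=dst_zone,
        src=fields.get("SRC", "?"),
        dst=fields.get("DST", "?"),
        proto=fields.get("PROTO", "?").lower(),
        dport=fields.get("DPT"),
    )


def analyze(log_text: str) -> list[Drop]:
    """Parse every line of a syslog excerpt and keep the Shorewall drops."""
    drops = [parse_entry(ln) for ln in log_text.splitlines()]
    return [d for d in drops if d is not None]


# Constructed sample: the first line is the entry quoted in the thread; the
# other two are made up (a forwarded packet, and a kernel line Shorewall did not log).
SAMPLE_LOG = """\
Dec 15 10:36:29 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:95:c5:29:43:00:90:1a:40:df:45:08:00 SRC=209.5.161.208 DST=10.0.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=52574 DF PROTO=TCP SPT=34883 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 15 10:40:02 munged kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.50.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 15 10:41:11 munged kernel: eth0: link is up
"""
```

Running `analyze(SAMPLE_LOG)` yields two drops: the thread's own entry maps to `FTP/ACCEPT net $FW`, the rule Tom gives, while the constructed forwarded packet maps to `FTP/ACCEPT net loc`, which is the shape of the DNAT-free case from Jon's example 3.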
On Saturday 16 December 2006 15:06, Jon wrote:
> They're one and the same. There's only one box and it runs both Shorewall
> and the FTP server. Problem is that no one (internally or externally) can
> get at the FTP server with Shorewall running.
>
> I didn't explain this very well, did I?

You don't want a dnat rule then, you just want an ACCEPT rule.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Because I was confused about DNAT.

So...knowing what I know now...am I looking at a net to fw rule to do what I need? I'm not sure how to refer to the box itself.

Thanks for the help!

J

Sent from the road...
+1.403.770.2837

-----Original Message-----
From: Tom Eastep <tom.eastep@hp.com>
Date: Saturday, Dec 16, 2006 7:21 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue
Thanks. I feel kind of lame for not realizing what I was asking but sometimes you're just too close to the thing.

Thanks!

J

Sent from the road...
+1.403.770.2837

-----Original Message-----
From: John Andersen <jsa@norcomix.dyndns.org>
Date: Saturday, Dec 16, 2006 7:26 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue
Jon <me <at> jonwatson.ca> writes:
> Because I was confused about DNAT.
>
> So...knowing what I know now...am I looking at a net to fw rule to do what I need? I'm not sure how to refer to
> the box itself.

Then maybe you should consult the Shorewall introductory documentation.

-Tom
Well that certainly sets the tone. I'm happy to see that our decision to discontinue Shorewall in future builds wasn't in error. I think I've been quite civil even to the point of being apologetic. You are being just plain rude, Tom.

I believe the level of detail in my original post, although incorrect, did serve to show that I had read the docs. I was struggling with a conceptual issue which I have now resolved despite your apparent reluctance to be helpful. Thankfully another on the list isn't burdened by whatever ails you.

OSS has enough of a battle for acceptance and the lack of support from authors is one thing that always comes up. To date I have almost always been able to show that the author is usually more than willing to help and get OSS by the gatekeepers. You are not helping the battle.

J

Sent from the road...
+1.403.770.2837

-----Original Message-----
From: Tom Eastep <tom.eastep@hp.com>
Date: Saturday, Dec 16, 2006 8:12 pm
Subject: Re: [Shorewall-users] FTP/DNAT Issue
Good god! Of all the lists I'm a member of, Tom's shorewall support list is easily among the finest. His responses are sharp, pertinent, usually solve the problem immediately and are faster than a speeding bullet!

On 16 Dec 2006 20:32:00 -0700, Jon <me@jonwatson.ca> wrote:
> You are being just plain rude, Tom.
...
> Thankfully another on the list isn't burdened by whatever ails you.

Tom, please disregard this. All of us who read the list know how patient you are with everyone who comes here.

> -----Original Message-----
> From: Tom Eastep <tom.eastep@hp.com>
> > Then maybe you should consult the Shorewall introductory documentation.

Jon, on most other lists, *that* would have been "RTFM Noob". You sir, have no idea what's rude, and what's not. And if you didn't know how to refer to the firewall, you *do* need to read the *excellent* documentation.

Thanks for the great work Tom! If you're ever in Bangalore, India, dinner's on me!

Prasanna.
Prasanna Krishnamoorthy wrote:
>
> Tom, please disregard this. All of us who read the list know how
> patient you are with everyone who comes here.
>

Yes we do. I mean how many times can you answer the same question with a smile on your face? Tom does it admirably. I'd be swearing at people.

--
Michael Cozzi
cozzi@cozziconsulting.com
I'm happy to see that Tom has a great following that will come to his defence. Shorewall is a great product, no doubt, and I have the utmost respect for OSS authors. I just have no respect for people who are rude to their users. There's no call for that.

J

Prasanna Krishnamoorthy wrote:
> Good god! Of all the lists I'm a member of, Tom's shorewall support
> list is easily among the finest. His responses are sharp, pertinent,
> usually solve the problem immediately and are faster than a speeding
> bullet!
>
> Tom, please disregard this. All of us who read the list know how
> patient you are with everyone who comes here.

--
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837
"Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR
Shit. I am a total ass. I didn't see this response from Tom:

>> No. And I don't understand how you concluded that you fall into example
>> 3. What you need is:
>>
>> FTP/ACCEPT net $FW
>> FTP/ACCEPT loc $FW (assuming that you have a local interface).
>>
>> -Tom

I was on the road and taking email from a device that I've set to only download the first X number of bytes from the server. As this bit of Tom's email was at the end of the email I didn't see it. That's not an excuse, that's an explanation.

Tom, I'm sorry for flaming you. You gave me the answer I was looking for as soon as you understood what my problem was. I apologize profusely for the ass I've made of myself on your mailing list.

Jon
Jon wrote:
> I'm happy to see that our decision to discontinue Shorewall in future
> builds wasn't in error. I think I've been quite civil even to the point of
> being apologetic. You are being just plain rude, Tom.

This is quite an interesting statement.

First, Shorewall has some of the best documentation I have ever seen. There are somewhere around 100 well-written and organized FAQs. There is a huge mailing list archive where nearly every question has been asked and answered at least a dozen times. There are numerous links to other websites with vast amounts of networking information. Honestly, approximately 90% of what I know about networking was learnt by either reading Shorewall's documentation or reading articles that its documentation links to.

In addition to making great documentation, the Shorewall team has made asking for help extremely easy. They have an easy-to-follow flowchart that will tell you exactly what to do if you need help. There are simple commands for dumping all the information you will need to submit with any problem report, and when they receive a request for help, they are some of the most responsive people I have ever seen. Sadly, most problem reports are missing required information or have inaccurate descriptions.

I would like to point out that Tom answered Jon's question on a Saturday evening, approximately 36 hours after the original (incomplete/inaccurate) request for help was received:

> What you need is:
>
> FTP/ACCEPT net $FW
> FTP/ACCEPT loc $FW (assuming that you have a local interface).
>
> -Tom

I marvel at Tom's level of support. Most problem reports follow this pattern:

1. User submits vague description of problem.
2. Tom promptly replies with a few questions and/or a request for the information http://shorewall.net/support.htm#Guidelines.
3. The user provides follow-up (usually takes a day or so).
4. Tom has an answer.

I've seen bug fixes released within minutes on the weekend. Try and get that from anyone else.

Perhaps the most revealing insight into Tom's dedication to the good of humanity is found at http://shorewall.net/shorewall_index.htm#Donations. Tom doesn't even accept donations for Shorewall. If you use it and like it, donate to the Alzheimer's Association or the Starlight Children's Foundation.

From the bottom of my heart; thank you, Tom. If you are ever in the Boise, ID area, dinner is on me.
Russel wrote:
> This is quite an interesting statement.

Yes, in light of my most recent post to the mailing list I fully understand why you find that interesting. In this instance I have acted like those mailing list people that I despise.

J
> I'm happy to see that Tom has a great following that will come to his
> defence. Shorewall is a great product, no doubt, and I have the utmost
> respect for OSS authors. I just have no respect for people who are rude
> to their users. There's no call for that.
>

We can be rude sometimes. You probably have no idea how frustrating this work is sometimes. Look, Tom has used his job email to read this list, while the power was down in his town, just TO HELP YOU and others.

So, the next time, you may try to elaborate a better question or be constructive, telling us what is broken in the documentation or how it can be improved; otherwise you are not helping at all.

Thanks.