Bulgrien, Kevin
2006-Dec-15 20:41 UTC
Connection fails with fw to net rule in 3.0.4 (zones/hosts setup)
I am stymied by this scenario under Mandriva Corporate Server 4.0 and Shorewall 3.0.4. This is my first run at Shorewall 3.x, so perhaps the note about mishandling things applies and I just don't see what it is I didn't do correctly.

I want a user with a primary group membership of "root" to be able to contact the net zone (one-armed firewall setup) to obtain security updates. Under 2.x I simply used the ACCEPT $FW net tcp 443 - - - :root rule below. Under 3.x, for some reason, I cannot connect to the net zone without having also ACCEPT net $FW tcp 443, which is NOT what I want. I do not want anyone from the net to be able to get access. I want the return traffic allowed because it is related to the outgoing access, but it is not.

Even though all my policies are DROP or REJECT and are all set up to log, the Shorewall log contains no record of the dropped https connection attempt. Running shorewall clear allows the https connection to succeed. I have a zones/hosts setup and that configuration changed in 3.x, and I think I did it correctly (shorewall.conf with IPSECFILE=zones).

Why are the drops/rejects not logged, how can I get them logged, and what on earth is borken in the configuration? Any suggestions would be very nice. I don't really want to have to drop the firewall to apply security updates and I don't want open ports on the net side.

BTW, even taking off :root does not work, so that is not the piece that is messed up. My zones setup is a bit more complicated than the example in the zones file, but I have tried different variations on the theme there too.

The attached status.txt is taken after attempting to contact 212.85.147.126 from 192.168.128.7 via https. Hopefully I'm not missing something obvious so that I'm pinging the list unnecessarily. I've been using Shorewall 2.x for ages with an almost identical configuration. Is there some data that I should have included that I missed?
Rule set for https:

    #ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP
    ACCEPT   $FW     dnd   tcp    443           -               -              -
    ACCEPT   $FW     srv   tcp    443           -               -              -
    ACCEPT   $FW     net   tcp    443           -               -              -           :root
    ACCEPT   cte     $FW   tcp    443           -               -              -
    ACCEPT   dnd     $FW   tcp    443           -               -              -
    ACCEPT   kil     $FW   tcp    443           -               -              -
    ACCEPT   loc     $FW   tcp    443           -               -              -
    ACCEPT   srv     $FW   tcp    443           -               -              -
    ACCEPT   vpn     $FW   tcp    443           -               -              -

Zones:

    #ZONE         TYPE      OPTIONS  IN OPTIONS  OUT OPTIONS
    fw            firewall  -        -           -
    net           ipv4      -        -           -
    cte:net       ipv4      -        -           -
    kil:net       ipv4      -        -           -
    vpn:net       ipv4      -        -           -
    loc:net       ipv4      -        -           -
    bak:loc,net   ipv4      -        -           -
    dom:loc,net   ipv4      -        -           -
    srv:loc,net   ipv4      -        -           -
    dnd           ipv4      -        -           -

Hosts:

    #ZONE  HOST(S)                                                                                           OPTIONS
    net    eth0:0.0.0.0/0                                                                                    -
    cte    eth0:192.168.44.204,192.168.44.206,192.168.44.215,192.168.44.218,192.168.44.219,192.168.44.220,192.168.44.221  -
    kil    eth0:192.168.4.0/24,192.168.5.0/24,192.168.7.0/24,192.168.8.0/24                                 -
    vpn    eth0:192.168.133.0/24                                                                             -
    loc    eth0:192.168.128.0/24                                                                             -
    bak    eth0:192.168.128.107                                                                              -
    dom    eth0:192.168.128.9,192.168.9.30,192.168.9.31
    srv    eth0:192.168.128.5,192.168.128.7,192.168.128.8,192.168.128.28                                    -
    dnd    eth1:192.168.127.0/24                                                                             -

Interfaces:

    #ZONE  INTERFACE  BROADCAST  OPTIONS
    -      eth0       detect
    -      eth1       detect

Policy:

    #SOURCE  DEST  POLICY    LOG LEVEL
    loc      all   CONTINUE
    net      all   CONTINUE
    bak      all   REJECT    $LOG
    cte      all   REJECT    $LOG
    dnd      all   REJECT    $LOG
    dom      all   DROP      $LOG
    kil      all   DROP      $LOG
    srv      all   REJECT    $LOG
    vpn      all   DROP      $LOG
    $FW      all   REJECT    $LOG
    all      all   REJECT    $LOG

--- 
Kevin R. Bulgrien
VertexRSI

(Attachment: status.txt.bz2)