Paolo Nesti Poggi
2007-Jan-21 20:10 UTC
can you see something wrong in this dump file? (gzipped)
Hi,

I've inherited a gibraltar installation acting as router. It's using shorewall 1.3.12! Now I'm trying to accomplish the same result with a new Debian Etch installation that comes with shorewall 3.2.6. I've reviewed the whole Shorewall documentation using the setup guide as primary reference. I've compared the existing configuration with the necessary changes written in "Upgrade Issues". We use the new 'shorewall.conf' with a new 'zones' file. The rest happens to be the same as we had in gibraltar because we don't use IPSEC or other particular settings. I only needed to change IP_FORWARD=On in shorewall.conf.

Ok, what's the problem then? Well, I'm really confused; actually in the last test I did (the dump file is from that one), it seems to me that shorewall is working as expected, because in the log I don't see messages that are not supposed to be there. The fact remains that I'm not able to connect to the net. I can ssh from fw to loc and dmz (our web server and caching dns server: 192.168.101.9), and from loc to dmz (although both very slowly); however I can't get any connection to the internet (ssh 69.50.193.108 from 192.168.102.7), nor do I get any answer from the dns server in the dmz to my dns queries (dig @192.168.101.9 www.tolkesekretariatet.dk, still from 192.168.102.7).

I'm wondering if masquerading might be the problem and I hope that some of you guys can see from the dump if shorewall is really working correctly as I suppose now. If this is true I will have to look elsewhere to find the cause of the problem. And that might be still a bigger trouble for me, so actually I'm hoping I've missed something in Shorewall configuration or that you are able to point me in the right direction.

Thanks for any help
/pnp

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep
2007-Jan-21 21:20 UTC
Re: can you see something wrong in this dump file? (gzipped)
Paolo Nesti Poggi wrote:
> I'm wondering if masquerading might be the problem and I hope that some of
> you guys can see from the dump if shorewall is really working correctly as I
> suppose now. If this is true I will have to look elsewhere to find the cause
> of the problem. And that might be still a bigger trouble for me, so actually
> I'm hoping I've missed something in Shorewall configuration or that you are
> able to point me in the right direction.

The IP address that you have in the ADDRESS column of /etc/shorewall/masq (84.63.114.214) is not an address of any interface on your firewall.

Also:

a) You appear to need the 'dhcp' option on eth2.

b) Why are you using outgoing SNAT on the Proxy ARPed public IP addresses in your DMZ?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Paolo Nesti Poggi
2007-Jan-22 00:21 UTC
Re: can you see something wrong in this dump file? (gzipped)
> -----Original message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom
> Eastep
>
> The IP address that you have in the ADDRESS column of
> /etc/shorewall/masq (84.63.114.214) is not an address of any interface
> on your firewall.

Actually I saw the 2) note about this on FAQ #15, and on a second check, I don't know how, I concluded that my configuration of the file was correct!

So I understand I should use example 1 or 2 from the masq file

    eth0 eth1
    eth0 eth2

or

    eth0 192.168.101.0/24
    eth0 192.168.102.0/24

that in our setup should be interchangeable. Probably I was fooled by the fact that so it was in the old file we currently use (gibraltar based, shorewall 1.3.2, and who knows why it works), and I thought it was following example 5 (as a "special case" of it actually, only the second half).

> Also:
>
> a) You appear to need the 'dhcp' option on eth2.

Yes, that's correct!

> b) Why are you using outgoing SNAT on the Proxy ARPed public IP
> addresses in your DMZ?

Hmmm. Now I see it mentioned in the dump file. I guess it comes from the wrong configuration of the /etc/shorewall/masq file you pointed out. Maybe it's on purpose but I don't know. The 3 boxes on proxyarp are a private experiment done by some guy, with thin clients and more, and it is out of my reach what he's doing with them.

I thank you a lot for your very prompt reply. I'll leave my neighbours internetting alone a couple of days, then I'll test this in practice again and I'll let you know how it's sorting out.

/Paolo

> -Tom
Tom Eastep
2007-Jan-22 01:00 UTC
Re: can you see something wrong in this dump file? (gzipped)
Paolo Nesti Poggi wrote:
>
>> -----Original message-----
>> From: shorewall-users-bounces@lists.sourceforge.net
>> [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom
>> Eastep
>
>> The IP address that you have in the ADDRESS column of
>> /etc/shorewall/masq (84.63.114.214) is not an address of any interface
>> on your firewall.
>
> Actually I saw the 2) note about this on FAQ #15, and on a second check, I
> don't know how, I concluded that my configuration of the file was correct!
>
> So I understand I should use example 1 or 2 from the masq file
>
> eth0 eth1
> eth0 eth2
>
> or
>
> eth0 192.168.101.0/24
> eth0 192.168.102.0/24
>
> that in our setup should be interchangeable.

With the proxy ARP that is going on, they are NOT interchangeable; that's what I pointed out in my b) note below.

> Probably I was fooled by the fact that so it was in the old file we
> currently use (gibraltar based, shorewall 1.3.2, and who knows why it
> works),

It will work if you:

1) Change the ADDRESS to 84.63.114.115 (the address of eth0); or
2) Add 84.63.114.214 as an address on eth0; or
c) Set ADD_SNAT_ALIASES=Yes in shorewall.conf so Shorewall will add the address for you.

> and I thought it was following example 5 (as a "special case" of it
> actually, only the second half).
>
>> Also:
>>
>> a) You appear to need the 'dhcp' option on eth2.
>
> Yes, that's correct!
>
>> b) Why are you using outgoing SNAT on the Proxy ARPed public IP
>> addresses in your DMZ?
>
> Hmmm. Now I see it mentioned in the dump file. I guess it comes from the
> wrong configuration of the /etc/shorewall/masq file you pointed out.

You need to use the private network address in the SUBNET column rather than the interface name.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Paolo Nesti Poggi
2007-Jan-23 17:27 UTC
Re: can you see something wrong in this dump file? (gzipped) [SOLVED]
Tom, you really can't imagine how happy I am, it worked at last and it works like a charm! Now I have a step by step documentation of how to set up a router based on Debian Etch. I think I'll be able to find a wiki where to publish it, for other noobs like me. For now it's in Danish; when translated I'll post a link to it here, if it's appropriate? Some more comments follow among the lines below

> >
> > So I understand I should use example 1 or 2 from the masq file
> >
> > eth0 eth1
> > eth0 eth2
> >
> > or
> >
> > eth0 192.168.101.0/24
> > eth0 192.168.102.0/24
> >
> > that in our setup should be interchangeable.
>
> With the proxy ARP that is going on, they are NOT interchangable; that's
> what I pointed out in my b) note below.
>
> > Probably I was fooled by the fact that so it was in the old file we
> > currently use (gibraltar based, shorewall 1.3.2, and who knows why it
> > works),
>
> It will work if you:
>
> 1) Change the ADDRESS to 84.63.114.115 (the address of eth0); or

I actually didn't understand this. Where do you get that address from (84.63.114.115)? Or is it a typo? Our external address is 84.63.114.214, the gateway is 84.63.114.213, broadcast is 80.63.114.215

> 2) Add 84.63.114.214 as an address on eth0; or

Sorry, I don't understand when you say "add an address": do you mean in some shorewall configuration file or in the box as basic configuration? Being on Debian we have already

    iface eth0 inet static
        address 80.63.114.214
        network 80.63.114.212
        broadcast 80.63.114.215
        netmask 255.255.255.252
        gateway 80.63.114.213

in /etc/network/interfaces

> c) Set ADD_SNAT_ALIASES=Yes in shorewall.conf so Shorewall will add the
> address for you.
>
> You need to use the private network address in the SUBNET column rather
> than the interface name.

So being in doubt about the first 2 options I followed the third one, setting:

    ADD_SNAT_ALIASES=Yes

in /etc/shorewall/shorewall.conf and the settings below in /etc/shorewall/masq :

    #INTERFACE  SUBNET            ADDRESS        PROTO  PORT(S)  IPSEC
    eth0        192.168.101.0/24  80.63.114.214
    eth0        192.168.102.0/24  80.63.114.214

Adding ADD_SNAT_ALIASES=Yes and using the network address instead of the interface was enough to make it work for me - without the external IP address under the ADDRESS column (I'm almost sure). However I left that address in place in case it was needed by the guy using proxyarp (I'm still considering all this a kind of voodoo but I'm on the mend). I'll surely hear something from him if it's not okay ;)

Thank you so much again for having taken the time to look at the dump, and for providing such a great tool.

/Paolo

> -Tom
>
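An added check, not part of this thread or of Shorewall itself, that catches the two misconfigurations Tom points out: a masq ADDRESS that is not actually configured on the firewall interface (which only works once ADD_SNAT_ALIASES=Yes), and a SUBNET column holding an interface name rather than the private network (which also SNATs the proxy-ARPed DMZ hosts). The masq file and the `ip -4 -o addr` output are constructed samples modelled on the thread; the address layout on eth0/eth1/eth2 is an assumption.

```python
import re

# Constructed sample of /etc/shorewall/masq, modelled on the thread: the
# ADDRESS column carries an IP that is not configured on eth0.
SAMPLE_MASQ = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.101.0/24 84.63.114.214
eth0 192.168.102.0/24 84.63.114.214
"""

# Constructed sample of `ip -4 -o addr` output (assumed layout: eth0 carries
# the /30 from the interfaces stanza, eth1/eth2 the two private networks).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 80.63.114.214/30 brd 80.63.114.215 scope global eth0
3: eth1    inet 192.168.101.1/24 brd 192.168.101.255 scope global eth1
4: eth2    inet 192.168.102.1/24 brd 192.168.102.255 scope global eth2
"""

def parse_masq(text):
    """Yield (interface, subnet, address) from masq lines, ignoring comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        yield fields[0], fields[1], address

def parse_ip_addr(text):
    """Return {interface: set of IPv4 addresses} from `ip -4 -o addr` output."""
    addrs = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/", text, re.M):
        addrs.setdefault(m.group(1), set()).add(m.group(2))
    return addrs

def check_masq(masq_text, ip_addr_text, add_snat_aliases=False):
    """Return a list of findings. A SUBNET that does not start with a digit is
    treated as an interface name (simple heuristic); an ADDRESS missing from its
    interface is only acceptable when Shorewall will add it itself."""
    findings = []
    on_box = parse_ip_addr(ip_addr_text)
    for iface, subnet, address in parse_masq(masq_text):
        if not re.match(r"\d", subnet):
            findings.append(f"{iface}: SUBNET '{subnet}' is an interface name; "
                            "use the private network address instead")
        if address and not add_snat_aliases and address not in on_box.get(iface, set()):
            findings.append(f"{iface}: ADDRESS {address} is not configured on {iface}; "
                            "add it or set ADD_SNAT_ALIASES=Yes")
    return findings
```

On a real firewall, feed check_masq the contents of /etc/shorewall/masq and the output of `ip -4 -o addr`, with add_snat_aliases taken from shorewall.conf.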