Bruce S. Skinner
2007-Mar-22 22:08 UTC
IPSEC NAT-T IKE fails when policy is $FW 2 net REJECT.
Hello Tom et al,

When running Shorewall 3.0.7 with OpenSwan 2.4.5 (Netkey) on an Ubuntu Edgy system, IKE was failing with the following error:

    "earth-moon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    ERROR: "earth-moon" #1: sendto on eth0 to 172.31.2.11:4500 failed in STATE_MAIN_I2. Errno 1: Operation not permitted

The error is generated after NAT discovery has determined that there is a NAT in place and IKE attempts to switch from port 500 to 4500. I noted an entry in the output fw2net chain that allowed isakmp (port 500) but didn't see a companion entry for port 4500 (there are entries for both port 500 and 4500 in the input net2fw chain). This led me to the following code snippet in setup_one_ipsec():

    run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
    if [ $kind = ipsec ]; then
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    else
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi

To get a successful IKE on port 4500 I replaced the above snippet with:

    if [ $kind = ipsec ]; then
        run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    else
        run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 4500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi

Is this reasonable or am I way out in left field?

regards :-)
BruceS
--
Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
Tel: 902-538-1765 Cell: 902-670-6456 Fax: 902-538-1794
<mailto:bruce.skinner@norsteadfarm.ca>

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep
2007-Mar-22 22:14 UTC
Re: IPSEC NAT-T IKE fails when policy is $FW 2 net REJECT.
On Thu, 2007-03-22 at 19:08 -0300, Bruce S. Skinner wrote:

> To get a successful IKE on port 4500 I replaced the above snippet
> with:
>
>     if [ $kind = ipsec ]; then
>         run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
>     else
>         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 500 $options
>         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 4500 $options

The above rule should read:

    run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 4500 $options

>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
>     fi
>
> Is this reasonable or am I way out in left field?

Except for the incorrect range selection, it looks correct.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
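The rule generation discussed in the report and the correction above, as an added dry-run example that is not Shorewall's own code: the 3.0.7 snippet and the corrected one side by side, with a check for the outbound UDP 4500 rule that the original never emits. The source_ip_range/dest_ip_range helpers are simplified stand-ins, run_iptables only records the rules it would issue, and the chain names, $kind value and peer address are constructed from the report.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a dry-run model of the
# setup_one_ipsec() snippet from this thread, as shipped and as fixed,
# so the missing outbound NAT-T rule can be checked without root.
# source_ip_range/dest_ip_range are simplified stand-ins for Shorewall's
# helpers (assumption: the real ones treat 0.0.0.0/0 specially).

RULES=""
source_ip_range() { printf '%s\n' "-s $1"; }
dest_ip_range()   { printf '%s\n' "-d $1"; }

# Record the rule instead of invoking iptables (the string ends in a
# literal newline so one rule occupies one line).
run_iptables() {
    RULES="${RULES}iptables $*
"
}

# Snippet as quoted from 3.0.7: for a NAT-T peer ($kind != ipsec) UDP 4500
# is opened inbound only, so the IKE switch from 500 to 4500 is caught by
# the $FW->net REJECT policy ("Operation not permitted" on sendto).
setup_one_ipsec_before() {
    RULES=""
    run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
    if [ "$kind" = ipsec ]; then
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    else
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi
}

# Fixed snippet with the range correction from the reply: the outbound
# chain matches the peer as DESTINATION, the inbound chain as SOURCE.
setup_one_ipsec_after() {
    RULES=""
    run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
    run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    if [ "$kind" != ipsec ]; then
        run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 4500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi
}

# True when the recorded rules let the firewall send IKE to peer $1 on
# UDP 4500, i.e. an $outchain rule carrying the peer as destination.
allows_out_4500() {
    printf '%s' "$RULES" | grep -q -- "-A $outchain .* -d $1 --dport 4500"
}

# Constructed parameters mirroring the report: fw2net/net2fw chains and
# the NAT-T peer 172.31.2.11 from the Openswan error; any $kind other
# than "ipsec" selects the NAT-T branch.
outchain=fw2net; inchain=net2fw; options="-j ACCEPT"; kind=ipsecnat

setup_one_ipsec_before 172.31.2.11
allows_out_4500 172.31.2.11 || echo "before fix: no outbound UDP 4500 rule"
setup_one_ipsec_after 172.31.2.11
allows_out_4500 172.31.2.11 && printf 'after fix:\n%s' "$RULES"
```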
Tom Eastep
2007-Mar-22 22:32 UTC
Re: IPSEC NAT-T IKE fails when policy is $FW 2 net REJECT.
On Thu, 2007-03-22 at 15:14 -0700, Tom Eastep wrote:

> On Thu, 2007-03-22 at 19:08 -0300, Bruce S. Skinner wrote:
>
> > To get a successful IKE on port 4500 I replaced the above snippet
> > with:
> >
> >     if [ $kind = ipsec ]; then
> >         run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
> >         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
> >     else
> >         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 500 $options
> >         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 4500 $options
>
> The above rule should read:
>
>     run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 4500 $options
>
> >         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
> >         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
> >     fi
> >
> > Is this reasonable or am I way out in left field?
>
> Except for the incorrect range selection, it looks correct.

I've also uploaded fixes for this problem for Shorewall 3.2 and 3.4.

Thanks again, Bruce
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Bruce S. Skinner
2007-Mar-23 00:24 UTC
Re: IPSEC NAT-T IKE fails when policy is $FW 2 net REJECT.
Tom Eastep <teastep@shorewall.net> writes:

> On Thu, 2007-03-22 at 19:08 -0300, Bruce S. Skinner wrote:
>
>> To get a successful IKE on port 4500 I replaced the above snippet
>> with:
>>
>>     if [ $kind = ipsec ]; then
>>         run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
>>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
>>     else
>>         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 500 $options
>>         run_iptables -A $outchain -p udp $(source_ip_range $1) --dport 4500 $options
>
> The above rule should read:
>
>     run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 4500 $options
>
>>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
>>         run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
>>     fi
>>
>> Is this reasonable or am I way out in left field?
>
> Except for the incorrect range selection, it looks correct.

Oops, my typo in the email.

> Thanks,
> -Tom

--
Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
Tel: 902-538-1765 Cell: 902-670-6456 Fax: 902-538-1794
<mailto:bruce.skinner@norsteadfarm.ca>
Bruce S. Skinner
2007-Mar-23 00:55 UTC
Re: IPSEC NAT-T IKE fails when policy is $FW 2 net REJECT.
My thanks to you Tom. Shorewall is a great tool.

I've read your ruminations in the shorewall-devel list about the adoption rate of Shorewall. I wouldn't be so sure that shorewall isn't getting lots of use. It's part of lots of distros and "it just works". I use it on about a dozen machines (and I wouldn't care to say how many machines are behind those dozen...), because of its reliability, flexibility, and it's easy to understand.

regards :-)
BruceS
--
Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
Tel: 902-538-1765 Cell: 902-670-6456 Fax: 902-538-1794
<mailto:bruce.skinner@norsteadfarm.ca>
Simon Hobson
2007-Mar-23 08:04 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE fails when policy is $FW2net REJECT.)
Bruce S. Skinner wrote:

> I've read your ruminations in the shorewall-devel list about the
> adoption rate of Shorewall. I wouldn't be so sure that shorewall
> isn't getting lots of use. It's part of lots of distros and "it just
> works". I use it on about a dozen machines (and I wouldn't care to
> say how many machines are behind those dozen...), because of its
> reliability, flexibility, and it's easy to understand.

It's installed on every Linux box I set up now irrespective of its role. Now I've done a few in different configs, it's almost trivial to set up to control access to a server or whatever - and an important factor, I know it will be simple enough for someone to follow should I not be around (the rules file is quite easy to follow).

As for Debian, they have the popularity contest which I believe is supposed to gather stats on what people are running. I don't know how it works, does anyone know if it would pick up something like Shorewall which is only actually executed occasionally but is effectively 'in use' just about the whole time a machine is running?
Andrew Suffield
2007-Mar-23 10:07 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE fails when policy is $FW2net REJECT.)
On Fri, Mar 23, 2007 at 08:04:42AM +0000, Simon Hobson wrote:

> As for Debian, they have the popularity contest which I believe is
> supposed to gather stats on what people are running. I don't know how
> it works, does anyone know if it would pick up something like
> Shorewall which is only actually executed occasionally but is
> effectively 'in use' just about the whole time a machine is running?

Yes. It looks at the atime stamps for stuff that's been run in the past 30 days; frequency doesn't matter. Also it reports on stuff that's installed, regardless of usage.

Current results: of approximately 30000 installations currently sending popularity-contest results, about 1000 have shorewall installed and about 600 are using it regularly. A few well-known packages with similar popularity (in the 500-700 bracket): valgrind, lprng, timidity, fvwm, dovecot.

The Debian popcon results are usually a moderately good predictor of what sysadmins are running on all linux-based platforms, excluding large corporate server farms (and ignoring desktop users who don't have a proper sysadmin). Shorewall is likely to be used on a similar fraction of the linux hosts run by real sysadmins - that's a pretty large number.

Users are like ants. There's always lots more hiding under the ground (and if you start digging, they get everywhere and ruin a perfectly good lunch; leave them alone).
Roberto C. Sánchez
2007-Mar-23 13:53 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE fails when policy is $FW2net REJECT.)
On Fri, Mar 23, 2007 at 08:04:42AM +0000, Simon Hobson wrote:

> It's installed on every Linux box I set up now irrespective of its
> role. Now I've done a few in different configs, it's almost trivial
> to set up to control access to a server or whatever - and an
> important factor, I know it will be simple enough for someone to
> follow should I not be around (the rules file is quite easy to
> follow).

I have to agree here. I install shorewall on every single Linux machine I set up. Even on machines which are themselves already behind another machine running shorewall. About the only problem I have run into is forgetting that I need to open a port both on the boundary machine and on the DMZ or internal machine. But that is OK by me.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez
2007-Mar-23 13:55 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE fails when policy is $FW2net REJECT.)
On Fri, Mar 23, 2007 at 10:07:39AM +0000, Andrew Suffield wrote:

> Yes. It looks at the atime stamps for stuff that's been run in the
> past 30 days; frequency doesn't matter. Also it reports on stuff
> that's installed, regardless of usage.
>
> Current results: of approximately 30000 installations currently
> sending popularity-contest results, about 1000 have shorewall
> installed and about 600 are using it regularly. A few well-known
> packages with similar popularity (in the 500-700 bracket): valgrind,
> lprng, timidity, fvwm, dovecot.

I think that the shorewall numbers (in terms of recently used vs. total installed) can be a bit deceiving. I would wager that shorewall is more often installed on servers, which are more likely to be on 24/7. If they get to uptimes of 30+ days (which I would wager happens often), then shorewall starts showing up as installed but not recently used. I would consider that a good thing :-)

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Peter Wagner
2007-Mar-23 15:13 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE failswhen policy is $FW2net REJECT.)
Hi,

Thank you shorewall developers .... your scripts are runnable in embedded linux devices .... saves me a lot of config time ..... Really nice .....

Have a nice day
greets
ktneely@astroturfgarden.com
2007-Mar-24 15:19 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE fails when policy is $FW2net REJECT.)
On Fri, Mar 23, 2007 at 10:07:39AM +0000, Andrew Suffield wrote:

> On Fri, Mar 23, 2007 at 08:04:42AM +0000, Simon Hobson wrote:
> > As for Debian, they have the popularity contest which I believe is
> > supposed to gather stats on what people are running.
>
> Yes. It looks at the atime stamps for stuff that's been run in the
> past 30 days; frequency doesn't matter. Also it reports on stuff
> that's installed, regardless of usage.

I have shorewall only installed on my firewall/gateway protecting my home network and not on the other linux machines just because I felt that I was "safe enough" and the tradeoff in headaches and over-administration would not be worth it. That firewall is at 112 days' uptime and that is because of a power outage that lasted longer than my UPS batteries. I think I've run shorewall once in that timeframe (other than at boot time) to change a DNAT record. Otherwise, it just works.

I don't know if I'm a typical Shorewall user or not. I discovered it in June when I moved and set up my network. It was exactly what I wanted (command-line, no/low overhead) and I haven't looked back since. I will probably get it up and running on my newly-migrated laptop, mostly because the recent Linux Journal article (which mentioned Shorewall) made the argument many on this list make: that "all hosts should have it". I still probably will not install on my RFC1918 desktop, but my laptop, which will head to hotspots and such, probably ought to have a bit better measure of protection.

Thanks Tom for a great program, and thank you Shorewall-users for insightful and helpful comments.

K
--
In Vino Veritas
http://astroturfgarden.com
ktneely@astroturfgarden.com
2007-Mar-24 15:27 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE failswhen policy is $FW2net REJECT.)
On Fri, Mar 23, 2007 at 04:13:20PM +0100, Peter Wagner wrote:

> Thank you shorewall developers .... your scripts are runnable in embedded
> linux devices .... saves me a lot of config time .....

This doesn't surprise me, since it's basically just some scripts manipulating the IPTables for you, which is what makes it so good. This reminds me, however, is there anyone that provides "shrink-wrap" solutions with Shorewall/IPtables in an embedded device? I have noticed products like routerboard.com and gumstix.com, which look interesting, especially the latter as a modular, tailor-made solution, and it would be great to be able to plug one of these in, configure the appropriate IPs and what-not and have it just work.

Might save me some on my power bill, rather than running a full-on computer.

K
--
In Vino Veritas
http://astroturfgarden.com
Roberto C. Sánchez
2007-Mar-24 15:39 UTC
Re: Adoption rate (Was: IPSEC NAT-T IKE failswhen policy is $FW2net REJECT.)
On Sat, Mar 24, 2007 at 11:27:47AM -0400, ktneely@astroturfgarden.com wrote:

> This doesn't surprise me, since it's basically just some scripts
> manipulating the IPTables for you, which is what makes it so good.
> This reminds me, however, is there anyone that provides "shrink-wrap"
> solutions with Shorewall/IPtables in an embedded device? I have
> noticed products like routerboard.com and gumstix.com, which look
> interesting, especially the latter as a modular, tailor-made solution,
> and it would be great to be able to plug one of these in, configure
> the appropriate IPs and what-not and have it just work.
>
> Might save me some on my power bill, rather than running a full-on computer.

I rolled my own (I know, not pre-packaged) with a Mini-ITX machine. It uses an embedded Via CPU (600 MHz) with no fans that draws 11 Watts at a full load. Even counting the hard drive power, I am certain it is not over 20 Watts. The bonus is that I can use it to also be a backup MX, serve up a few web pages and be a shell server for me, so that I can login and check mail while I'm away. But its primary function remains that of firewall.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com