Hello list !

It may sound noobish but is there a way to filter traffic based on regular expression matching ? My OS is CentOS 5 and I'm currently using shorewall 3.4.2-6 installed from rpm.

The issue I have is that Yahoo Messenger keeps using nonstandard ports to connect. Lately I blocked Yahoo Messenger and it connects to port 25 to get outside the corporate network. I could block the SSL port but it will break SSL sites and I need to block only certain hosts that it connects to. Regular expression matching of hostnames that the application connects to will help me get this policy working whatever ports this application will use, I guess.

I use a local HTTP proxy but the messenger application gets around it because I allow mail ports (25, 143, 101) to access the internet from the LAN.

Any suggestions will be appreciated !

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
On 5/23/07, daniel@xma.ro <daniel@xma.ro> wrote:
> Hello list !
>
> It may sound noobish but is there a way to filter traffic based on regular
> expression matching ?

This is not a shorewall issue.

The only way to block any of these applications (IM/P2P) etc. is to run a transparent proxy on each of the open ports, and to block all other outgoing traffic. For instance, run squid, clamsmtp, et al. Disallow connections to raw IP's in squid, and so on. With squid allow outbound access only to a white-list of sites.

If possible, user education is a better choice. If you have control of the desktops, administrative policies to prevent installation would be useful.

On top of this you'd have to block Meebo and other sites which proxy IM. In short, it's a very tough war :-).. One in which you can win short battles, and never win the war, unless you're absolutely ruthless in what you block and allow.

Prasanna.
Prasanna Krishnamoorthy wrote:
> On 5/23/07, daniel@xma.ro <daniel@xma.ro> wrote:
>
>> Hello list !
>>
>> It may sound noobish but is there a way to filter traffic based on
>> regular expression matching ?
>>
>
> This is not a shorewall issue.
>
> The only way to block any of these applications (IM/P2P) etc. is to
> run a transparent proxy on each of the open ports, and to block all
> other outgoing traffic.
>

Not really, there's a much simpler solution, take a look at this:
http://l7-filter.sourceforge.net/

The only problem is that you can't use stock kernels and iptables, you need to compile your own.

Hope it helps.

Pablo.

P.S.: this message may appear twice since I've sent it with the wrong account at first.
On Wed, May 23, 2007 at 02:11:29PM +0300, daniel@xma.ro wrote:
> The issue i have is that yahoo messenger keeps using nonstandard ports to
> connect. Lately i blocked yahoo messenger and it connects to port 25 to
> get outside the corporate network.

> Any suggestions will be appreciated !

The problem of getting employees to use certain applications and not others cannot be solved by technical means, and attempting to do so will merely result in the users and admins working against each other, which is never productive. You need a different approach. Either (a) decide that this is a real problem, create a formal policy that these applications must not be used, and fire anybody caught using them, or (b) decide that it's not a real problem and stop worrying about it.
On Wed, 2007-05-23 at 14:03 +0100, Andrew Suffield wrote:
>
> The problem of getting employees to use certain applications and not
> others cannot be solved by technical means, and attempting to do so
> will merely result in the users and admins working against each other,
> which is never productive. You need a different approach. Either (a)
> decide that this is a real problem, create a formal policy that these
> applications must not be used, and fire anybody caught using them, or
> (b) decide that it's not a real problem and stop worrying about it.

Amen!

It never ceases to amaze me the way technology is contorted and twisted to try to solve non-technical problems. People are either productive or not and should be judged by their supervisors on their productivity, not whether they are conforming to silly rules invented purely to try to make non-productive people productive.

This sort of behaviour usually goes on in organizations where the management in place simply don't have the backbone to make these judgement calls on people and need the breaking of these silly rules as excuses to clear out dead wood.

~sigh~

Back to your regularly scheduled packet blocking.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
Thanks everybody for their input.

Company policy is a big way to destroy morale and make people unproductive. The people that I'm trying to restrict are web programmers and know many ways to circumvent squid and acls. I do redirect all http traffic to a squid box but I cannot make a whitelist of websites. Besides all of this some people do need to maintain messenger contacts because they deal with sales.

In a way this relates to shorewall because I'm also having some issues if I break the whole LAN into multiple subnets. I did not think of controlling the destination of the packets that go out on port 25 and this will be a start in refining the access control.

I stumbled on layer 7 looking for a fix to this problem but I'm using an openvz kernel (see www.openvz.org) and I thought of using their userspace tools. I think I will give them a shot.

Discussions with the management left me in charge to block messenger access and it will take longer until I reinstall all the workstations since they need some maintenance work and I thought it would be easier to control access from a firewall point of view, boy I was wrong.
On Wed, May 23, 2007 at 02:03:06PM +0100, Andrew Suffield wrote:
> On Wed, May 23, 2007 at 02:11:29PM +0300, daniel@xma.ro wrote:
> > The issue i have is that yahoo messenger keeps using nonstandard ports to
> > connect. Lately i blocked yahoo messenger and it connects to port 25 to
> > get outside the corporate network.
>

Umm, if your network allows outbound port 25 connections to any random host, then you have bigger problems. Your network should only allow port 25 connections to your own network's registered mail exchangers.

> > Any suggestions will be appreciated !
>
> The problem of getting employees to use certain applications and not
> others cannot be solved by technical means, and attempting to do so
> will merely result in the users and admins working against each other,
> which is never productive. You need a different approach. Either (a)
> decide that this is a real problem, create a formal policy that these
> applications must not be used, and fire anybody caught using them, or
> (b) decide that it's not a real problem and stop worrying about it.
>

There is another component as well. It might be worthwhile to look at the "type" of employees that are causing the problems. By the type, I mean are they supposed to be creative for their jobs or not? For example, if your employee answers calls in a call center, you could probably argue that the employee should not be browsing the public Internet or anything like that. Of course, you could also argue that restricting your network in that fashion will lower morale. Same as if you did not allow any personal phone calls, even on breaks.

However, if you are talking about software developers, they need to be creative and need lots more flexibility.

In any case, if you *really* want to restrict that sort of thing, I recommend that you get one of those network filter appliances to block that sort of traffic from the parts of the network that you don't want to be able to access those services.

But, also consider setting up an Internet cafe or at least set aside a few machines so that people can do "recreational" browsing and such.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
daniel@xma.ro wrote:
> Hello list !
>
> It may sound noobish but is there a way to filter traffic based on regular
> expression matching ?

No, shorewall is the wrong tool for that, and I'm not sure there is any tool for that; sure, squid proxy has this capability. Unfortunately we tend to try to solve non technical problems with software..

This problem falls IMHO in the "company policy and rules" section.
Christian Rodriguez wrote on 23/05/2007 11:39:34:
> daniel@xma.ro wrote:
> > Hello list !
> >
> > It may sound noobish but is there a way to filter traffic based on regular
> > expression matching ?
>
> No, shorewall is the wrong tool for that, and Im not sure there is any
> tool for that , sure, squid prox has this capability. unfortuantely we
> tend to try to solve non technical problems with software..
>
> This is problem falls IMHO in the "company policy and rules" section.
>

Sorry, "company policy and rules" are not enough - sometimes you need to take steps to enforce those policies.

I would recommend REDIRECTing all tcp/80 traffic to a squid server and use dansguardian to filter your browser usage. You could even use acls in squid and dansguardian to tell who can browse what.

my 2c,

--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606
On Wed, 2007-05-23 at 11:51 -0300, Eduardo Ferreira wrote:
>
> Sorry, "company policy and rules" are not enough - sometimes you need
> to take steps to enforce those policies.

Are these adults you are dealing with or children?

I guess the general question is why do you care what people are doing on the Internet (assuming the activity is not illegal or immoral to humanity or the company policies) if they are doing their jobs and meeting their targets?

When you treat people like they are children they are going to resent that and that damage is probably far worse than a few idle moments chatting or surfing.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
On Wed, May 23, 2007 at 11:19:14AM -0400, Brian J. Murrell wrote:
> When you treat people like they are children they are going to resent
> that and that damage is probably far worse than a few idle moments
> chatting or surfing.

It's worse than that. When your network admins are spending their time trying to find new and better ways to limit what the users can do, and the users are spending their time finding new and better ways to bypass the limits that the admins set, then you are all wasting your time *and* creating a culture where the admins do not exist to help the users get their jobs done. This never ends well.
Brian J. Murrell wrote:
>> Sorry, "company policy and rules" are not enough - sometimes you need
>> to take steps to enforce those policies.
>
> Are these adults you are dealing with or children?
>
> I guess the general question is why do you care what people are doing on
> the Internet (assuming the activity is not illegal or immoral to
> humanity or the company policies) if they are doing their jobs and
> meeting their targets?
>
> When you treat people like they are children they are going to resent
> that and that damage is probably far worse than a few idle moments
> chatting or surfing.

I agree 100% with that, but ... there are situations where traffic does need to be controlled. Three reasons come to mind :

1) There are big security questions. Whilst this still comes down to "do you trust your users, and if not then why are they allowed on the network", when it comes to things like military or nuclear information (I've had dealings with both) then people get 'rather sensitive' about what the network allows. However, once you get past a fairly low level then this sort of stuff tends to be on 'non connected' networks. Oh yes, and in the past I've had 'interesting' dealings with old fashioned 'security' people who cannot get out of the old mindset of 'steel mesh cages and big locks' !

2) There are regulatory controls. For example, in financial services industries in several countries there is a legal requirement to log all communications with clients - so if a user goes off and chats with a customer (or potential customer) via IM then it can land the company in the brown stuff. Another example would be privacy legislation which in some cases effectively requires the company to log what it has done with someone's personal data.

3) Because the auditors said so and management are too clueless to query them ! At my last job we came under Sarbanes Oxley because we were a subsidiary of a US group. The auditors used to come up with various things they 'expect' to see on the computer systems - some of them really didn't make sense for us, but the management just said "yes we'll do it". We then got the job of implementing it - except where we could turn around and say that the system doesn't support it (and I could have told you that if you'd asked) or it really isn't a good idea because it <insert reason, usually it breaks something else> (and I could have told you that if you'd asked) !

The problem with IM is simply that it's adapted to get through firewalls that have tried to block it, but some people really do need to block it.
On Wed, May 23, 2007 at 05:23:37PM +0300, daniel@xma.ro wrote:
> Company policy is a big way to destroy morale and make people
> unproductive.

Perhaps it's time to find a new company, then? :P

> The people that i'm trying to restrict are web programmers
> and know many ways to circumvent squid and acls.

Then it's completely impossible to block them. They'll just tunnel through anything you can set up. Any kind of http, dns, or even mail or ping access to the internet can be used by widely available applications to construct a tunnel, and these people will be quite capable of finding and using them.

Furthermore, the entire exercise will waste impressive amounts of time on the part of everybody, and the final result will be slightly less secure and controlled than whatever you have at present. To round that off, the staff who were previously using this software to take a break (which tends to improve their creative efforts once they get back to work) will instead be expending their energy on working around the blocks. Nothing in this outcome is good.

> Discussions with the management left me in charge to block messenger
> access and it will take longer until i reinstall all the workstations
> since they need some maintenance working and i thought it will be easier
> to control access from a firewall point of view, boy i was wrong.

You need to go back to the management and tell them that this is the wrong approach. In no way will pursuing this course of action increase the profitability of the business, even in the short term, and it's quite likely to decrease productivity - tell them that explicitly. Either the staff using these applications are a real threat to the bottom line by not doing what they are told in this respect, in which case you have both grounds and an urgent need to fire them, or they aren't, in which case it's a waste of time and money to try and stop them. It's up to management to figure out which category each employee is in.

There are no recorded instances in history where physically chaining staff to their desks has improved the company's profit. This is the same thing.
Well, I didn't grow up with messenger at my fingertips and that didn't kill me. I think it's wrong to consider that someone will lose productivity if they're cut off from modern ways of communicating.

I for one do not use messenger anymore at my workplace since the general manager requested that I block IM access. And normal mail like Yahoo Mail and others is still functional. The worst thing that IM brings is exactly the interruption of workflow. If you have an idea and someone buzzes you, most of the time you lose it if you stop what you were thinking and start chatting with that person.

Getting back to the original problem, the best approach that I could come up with is splitting the LAN into multiple subnets with different access rights.

Say, the developers' subnet does not have access to IM and some sites (IM proxying sites and others) and the sales people's subnet has full access to the internet.

We have a fileserver on the corporate network which runs a samba domain controller but I stumbled on some problems regarding subnets.

I have only one NIC which connects all the workstations to the internet.

I run the samba domain controller in a virtual machine using openvz. The problem is that I cannot have many subnets connecting to the shorewall box because shorewall does not accept the routeback parameter if an interface sits on more subnets.

I was thinking of (as the documentation states) using multiple subnets on the same interface.

I create the aliases and the zones but I need some of the subnets to talk to each other, hence I need to use the routeback option for the LAN interface.

The error message goes like this :

    Validating interfaces file...
       ERROR: The routeback option may not be specified on a multi-zone interface

Has someone made a similar setup and can give a few tips ?
> I run the samba domain controller in a virtual machine using openvz. The
> problem is that i cannot have many subnets connecting to the shorewall box
> because shorewall does not accepts the routeback parameter if an interface
> sits on more subnets.
>
> I was thinking at (as the documentation states) using multiple subnets on
> the same interface.
>
> I create the aliases and the zones but i need that some of the subnets to
> talk to each other hence i need to use the routeback option for the lan
> interface.
>
> the error messaage goes like this :
>
> Validating interfaces file...
>    ERROR: The routeback option may not be specified on a multi-zone
> interface
>
> Does someone made a similar setup and can give a few tips ?

I hit the send button too soon :)

The samba domain controller is connecting to the shorewall box through a virtual ppp interface that is on one subnet.

    Virtual network = 192.168.100.0
    local subnet1   = 192.168.0.0
    local subnet2   = 192.168.1.0

The problem is that both the local subnets are able to talk with the virtual subnet but not with each other. (I presume because of the routeback option)
Brian wrote on 23/05/2007 12:19:14:
> On Wed, 2007-05-23 at 11:51 -0300, Eduardo Ferreira wrote:
> >
> > Sorry, "company policy and rules" are not enough - sometimes you need
> > to take steps to enforce those policies.
>
> Are these adults you are dealing with or children?
>

No, they are not children. Actually, my company does not enforce any policy regarding which web sites people can go to or not. None - you can go to any site, xxx, hatred, politics, anywhere. But I do use dansguardian to filter malicious websites out.

> I guess the general question is why do you care what people are doing on
> the Internet (assuming the activity is not illegal or immoral to
> humanity or the company policies) if they are doing their jobs and
> meeting their targets?

As I said above, I don't care. I think this is a problem of management. Every year I am audited by an independent firm - every year I am harassed about filtering at least p0rn. My answer is always "if someone is not working or is losing time on the internet, this is a problem of his/her manager".

>
> b.
>

another 2c,

--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606
daniel@xma.ro wrote:
>> Validating interfaces file...
>>    ERROR: The routeback option may not be specified on a multi-zone
>> interface
>>
> Does someone made a similar setup and can give a few tips ?

You can setup routeback yourself, 'echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter' is the way to do it I think. You can also control most of the other settings in the shorewall interfaces file.

It's also referenced in /etc/sysctl.conf but I don't actually know exactly when/how that file is used.

http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-12.html has some info on the control files.
> daniel@xma.ro wrote:
>>> Validating interfaces file...
>>>    ERROR: The routeback option may not be specified on a multi-zone
>>> interface
>>>
>> Does someone made a similar setup and can give a few tips ?
>
> You can setup routeback yourself, 'echo 1 >
> /proc/sys/net/ipv4/conf/<interface>/rp_filter' is the way to do it I
> think. You can also control most of the other settings in the
> shorewall interfaces file.
>
> It's also referenced in /etc/sysctl.conf but I don't actually know
> exactly when/how that file is used.
>
> http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-12.html has some
> info on the control files.
>

Thanks for pointing this out ! I will try this tomorrow when I return to work. Maybe this will be included in shorewall also since I'm using multiple subnets on the same interface and it will be used more with the virtualization thing taking off.
daniel@xma.ro wrote:
> The people that i'm trying to restrict are web programmers
> and know many ways to circumvent squid and acls.

Then it's worse, web developers know how this stuff works, every single thing you try can be bypassed.
>> daniel@xma.ro wrote:
>>>> Validating interfaces file...
>>>>    ERROR: The routeback option may not be specified on a multi-zone
>>>> interface
>>>>
>>> Does someone made a similar setup and can give a few tips ?
>>
>> You can setup routeback yourself, 'echo 1 >
>> /proc/sys/net/ipv4/conf/<interface>/rp_filter' is the way to do it I
>> think. You can also control most of the other settings in the
>> shorewall interfaces file.
>>
>> It's also referenced in /etc/sysctl.conf but I don't actually know
>> exactly when/how that file is used.
>>
>> http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-12.html has some
>> info on the control files.
>>

I checked in sysctl.conf and this is what I've found:

    sysctl.conf(5) for more details.

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

    net.ipv4.conf.default.proxy_arp = 0
    # Enables source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 1

    # Controls whether core dumps will append the PID to the core filename
    # Useful for debugging multi-threaded applications
    kernel.core_uses_pid = 1

    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1

    # Controls the maximum size of a message, in bytes
    kernel.msgmnb = 65536

    # Controls the default maxmimum size of a mesage queue
    kernel.msgmax = 65536

    # Controls the maximum shared segment size, in bytes
    kernel.shmmax = 4294967295

    # Controls the maximum number of shared memory segments, in pages
    kernel.shmall = 268435456

It seems that rp_filter is already set and I checked it in the proc file also :

    cat /proc/sys/net/ipv4/conf/eth1/rp_filter
    1
    [root@corporate etc]#

Any hints on what could be wrong ?

My shorewall files are configured like so:

interfaces:

    #ZONE   INTERFACE   BROADCAST                                   OPTIONS
    net     eth0        82.76.51.255
    -       eth1        192.168.0.255,192.168.1.255,192.168.2.255
    loc_v   venet0      192.168.100.255                             routeback

hosts:

    #ZONE   HOST(S)                 OPTIONS
    loc     eth1:192.168.0.0/24
    wox     eth1:192.168.1.0/24
    prg     eth1:192.168.2.0/24

zones:

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4
    loc_v   ipv4
    wox     ipv4
    prg     ipv4

masq:

    #INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S)     IPSEC
    eth0        eth1
    eth0        venet0
    eth0        eth1:1
    eth0        eth1:2

policy:

    #SOURCE     DEST        POLICY      LOG         LIMIT:BURST
    #                                   LEVEL
    fw          net         ACCEPT
    loc_v       net         ACCEPT

    loc         fw          ACCEPT
    loc_v       fw          ACCEPT

    loc         loc_v       ACCEPT
    loc_v       loc         ACCEPT

    fw          loc         ACCEPT
    fw          loc_v       ACCEPT

    # other networks (aliases)
    wox         net         ACCEPT
    wox         loc_v       ACCEPT
    wox         loc         ACCEPT
    wox         fw          ACCEPT

    prg         loc_v       ACCEPT
    prg         loc         ACCEPT
    prg         net         ACCEPT
    prg         fw          ACCEPT

    loc         wox         ACCEPT
    loc_v       wox         ACCEPT

    loc         prg         ACCEPT
    loc_v       prg         ACCEPT

    fw          wox         ACCEPT
    fw          prg         ACCEPT
    # end of other networks

    net         all         REJECT
    all         all         REJECT

rules:

    #ACTION SOURCE              DEST                        PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
    #                                                               PORT(S) PORT(S) DEST        LIMIT   GROUP
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW

    # redirect all requests received on port 80 to the proxy
    DNAT    loc                 loc_v:192.168.100.7:3128    tcp     www     -

    # accept ssh connections from the internet only from my IP
    ACCEPT  net:86.124.248.188  fw                          tcp     22

    # allow access to mail
    ACCEPT  loc                 net:85.9.58.105             tcp     25
    ACCEPT  loc                 net:85.9.58.105             tcp     110
    ACCEPT  loc                 net:85.9.58.105             tcp     143

    ACCEPT  loc:192.168.0.38    net                         tcp     443

    ACCEPT  loc                 net:212.146.105.119         tcp     21

    ACCEPT  wox                 loc:192.168.0.5
    ACCEPT  loc:192.168.0.5     wox

    ACCEPT  loc:192.168.0.24    net                         tcp     5001

    #REJECT fw                  net                         tcp     80      -

Thank you for your patience !
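The check below is an added example (not Shorewall code and not the poster's), a small Python lint over the Shorewall tables quoted above: it lists zone pairs with an ACCEPT policy that sit on one interface lacking the routeback option (the Shorewall option that generates the forward rules for traffic leaving by the interface it arrived on, which is separate from the rp_filter sysctl suggested earlier), and the zones from which any host may open tcp/25 to arbitrary Internet addresses, the exposure Roberto pointed out earlier in the thread. It assumes the policy and rules tables trimmed to the entries these two checks look at, and parses only the plain ACCEPT/REJECT/DNAT forms used here (no macros, actions or other sections).

```python
from itertools import permutations

# Tables copied from the poster's message; policy and rules trimmed to the
# loc/wox/prg/loc_v/net entries, which are the ones these two checks look at.
INTERFACES = """
#ZONE INTERFACE BROADCAST                                  OPTIONS
net   eth0      82.76.51.255
-     eth1      192.168.0.255,192.168.1.255,192.168.2.255
loc_v venet0    192.168.100.255                            routeback
"""
HOSTS = """
#ZONE HOST(S)              OPTIONS
loc   eth1:192.168.0.0/24
wox   eth1:192.168.1.0/24
prg   eth1:192.168.2.0/24
"""
POLICY = """
loc_v net   ACCEPT
loc   loc_v ACCEPT
loc_v loc   ACCEPT
wox   net   ACCEPT
wox   loc_v ACCEPT
wox   loc   ACCEPT
prg   loc_v ACCEPT
prg   loc   ACCEPT
prg   net   ACCEPT
loc   wox   ACCEPT
loc_v wox   ACCEPT
loc   prg   ACCEPT
loc_v prg   ACCEPT
net   all   REJECT
all   all   REJECT
"""
RULES = """
#ACTION SOURCE           DEST                     PROTO DEST_PORT(S)
DNAT    loc              loc_v:192.168.100.7:3128 tcp   www
ACCEPT  loc              net:85.9.58.105          tcp   25
ACCEPT  loc:192.168.0.38 net                      tcp   443
"""

def rows(table):
    """Split a Shorewall table into column lists, dropping comments and blank lines."""
    out = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out

def zones_by_interface(interfaces, hosts):
    """Return ({interface: {zones}}, {interfaces whose OPTIONS include routeback})."""
    zones, routeback = {}, set()
    for cols in rows(interfaces):                 # ZONE INTERFACE BROADCAST OPTIONS
        zone, iface = cols[0], cols[1]
        if zone != "-":                           # '-' marks a multi-zone interface
            zones.setdefault(iface, set()).add(zone)
        if len(cols) > 3 and "routeback" in cols[3].split(","):
            routeback.add(iface)
    for cols in rows(hosts):                      # ZONE iface:net[,net] OPTIONS
        zones.setdefault(cols[1].split(":", 1)[0], set()).add(cols[0])
    return zones, routeback

def policy_for(policy, src, dst):
    """First matching policy line wins and 'all' is a wildcard, as in Shorewall."""
    for s, d, action, *_ in rows(policy):
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None   # Shorewall refuses a config with no applicable policy

def missing_routeback(interfaces, hosts, policy):
    """(src, dst, iface) triples: ACCEPTed zone pairs sharing an interface without routeback."""
    zones, routeback = zones_by_interface(interfaces, hosts)
    found = set()
    for iface, zs in zones.items():
        if iface in routeback:
            continue
        for a, b in permutations(sorted(zs), 2):
            if policy_for(policy, a, b) == "ACCEPT":
                found.add((a, b, iface))
    return found

def open_smtp_zones(interfaces, hosts, policy, rules):
    """Zones from which every host may connect to tcp/25 on any address in 'net'."""
    zones, _ = zones_by_interface(interfaces, hosts)
    open_zones = set()
    for z in set().union(*zones.values()) - {"net"}:
        if policy_for(policy, z, "net") == "ACCEPT":   # the policy alone opens it
            open_zones.add(z)
            continue
        for cols in rows(rules):                       # ACTION SOURCE DEST PROTO PORTS
            if (len(cols) >= 5 and cols[:4] == ["ACCEPT", z, "net", "tcp"]
                    and {"25", "smtp"} & set(cols[4].split(","))):
                open_zones.add(z)                      # whole zone, any net host, port 25
    return open_zones

if __name__ == "__main__":
    for src, dst, iface in sorted(missing_routeback(INTERFACES, HOSTS, POLICY)):
        print(f"{src} -> {dst}: both on {iface}, which has no routeback")
    print("unrestricted outbound tcp/25 from:",
          sorted(open_smtp_zones(INTERFACES, HOSTS, POLICY, RULES)))
```

On the quoted tables it flags loc and wox, and loc and prg, as zone pairs on eth1 with no routeback, and loc_v, wox and prg as zones that may reach tcp/25 anywhere, while loc is held to the single mail host by its rules.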
>>> daniel@xma.ro wrote: >>> >>>> > Validating interfaces file... >>>>> ERROR: The routeback option may not be specified on a multi-zone >>>>> interface >>>>> >>>> > Does someone made a similar setup and can give a few tips ? >>> >>> You can setup routeback yourself, ''echo 1 > >>> /proc/sys/net/ipv4/conf/<interface>/rp_filter'' is the way to do it I >>> think. You can also control most of the other settings in the >>> shorewall interfaces file. >>> >>> It''s also referenced in /etc/sysctl.conf but I don''t actually know >>> exactly when/how that file is used. >>> >>> http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-12.html has some >>> info on the control files. >>> > > I checked but in sysctl.conf and this is what i''ve found > > sysctl.conf(5) for more details. > > # Controls IP packet forwarding > net.ipv4.ip_forward = 1 > > net.ipv4.conf.default.proxy_arp = 0 > # Enables source route verification > net.ipv4.conf.all.rp_filter = 1 > net.ipv4.conf.default.send_redirects = 1 > net.ipv4.conf.all.send_redirects = 0 > > # Controls source route verification > net.ipv4.conf.default.rp_filter = 1 > > # Do not accept source routing > net.ipv4.conf.default.accept_source_route = 0 > > # Controls the System Request debugging functionality of the kernel > kernel.sysrq = 1 > > # Controls whether core dumps will append the PID to the core filename > # Useful for debugging multi-threaded applications > kernel.core_uses_pid = 1 > > # Controls the use of TCP syncookies > net.ipv4.tcp_syncookies = 1 > > # Controls the maximum size of a message, in bytes > kernel.msgmnb = 65536 > > # Controls the default maxmimum size of a mesage queue > kernel.msgmax = 65536 > > # Controls the maximum shared segment size, in bytes > kernel.shmmax = 4294967295 > > # Controls the maximum number of shared memory segments, in pages > kernel.shmall = 268435456 > > It seems that rp_filter is all ready set and i checked it in the proc file > also : > > cat /proc/sys/net/ipv4/conf/eth1/rp_filter > 1 > 
> [root@corporate etc]#
>
> Any hints on what could be wrong ?
>
> My shorewall files are configured like so:
>
> interfaces:
>
> #ZONE   INTERFACE   BROADCAST                                   OPTIONS
> net     eth0        82.76.51.255
> -       eth1        192.168.0.255,192.168.1.255,192.168.2.255
> loc_v   venet0      192.168.100.255                             routeback
>
> hosts:
>
> #ZONE   HOST(S)                 OPTIONS
> loc     eth1:192.168.0.0/24
> wox     eth1:192.168.1.0/24
> prg     eth1:192.168.2.0/24
>
> zones:
>
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
>
> fw      firewall
> net     ipv4
> loc     ipv4
> loc_v   ipv4
> wox     ipv4
> prg     ipv4
>
> masq:
>
> #INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S)     IPSEC
>
> eth0        eth1
> eth0        venet0
> eth0        eth1:1
> eth0        eth1:2
>
> policy:
>
> #SOURCE     DEST        POLICY      LOG         LIMIT:BURST
> #                                   LEVEL
>
> fw          net         ACCEPT
> loc_v       net         ACCEPT
>
> loc         fw          ACCEPT
> loc_v       fw          ACCEPT
>
> loc         loc_v       ACCEPT
> loc_v       loc         ACCEPT
>
> fw          loc         ACCEPT
> fw          loc_v       ACCEPT
>
> #other networks (aliases)
> wox         net         ACCEPT
> wox         loc_v       ACCEPT
> wox         loc         ACCEPT
> wox         fw          ACCEPT
>
> prg         loc_v       ACCEPT
> prg         loc         ACCEPT
> prg         net         ACCEPT
> prg         fw          ACCEPT
>
> loc         wox         ACCEPT
> loc_v       wox         ACCEPT
>
> loc         prg         ACCEPT
> loc_v       prg         ACCEPT
>
> fw          wox         ACCEPT
> fw          prg         ACCEPT
> #end of other networks
>
> net         all         REJECT
> all         all         REJECT
>
> rules:
>
> #ACTION     SOURCE              DEST                        PROTO   DEST        SOURCE      ORIGINAL    RATE    USER/
> #                                                                   PORT(S)     PORT(S)     DEST        LIMIT   GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
>
> # redirect all requests received on port 80 to the proxy
> DNAT        loc                 loc_v:192.168.100.7:3128    tcp     www         -
>
> # accept ssh connections from the internet only from my IP
> ACCEPT      net:86.124.248.188  fw                          tcp     22
>
> # allow access to mail
> ACCEPT      loc                 net:85.9.58.105             tcp     25
> ACCEPT      loc                 net:85.9.58.105             tcp     110
> ACCEPT      loc                 net:85.9.58.105             tcp     143
>
> ACCEPT      loc:192.168.0.38    net                         tcp     443
>
> ACCEPT      loc                 net:212.146.105.119         tcp     21
>
> ACCEPT      wox                 loc:192.168.0.5
> ACCEPT      loc:192.168.0.5     wox
>
> ACCEPT      loc:192.168.0.24    net                         tcp     5001
>
> Thank you for your patience !
>

Well, no one has an answer to this problem ?
I can't believe I'm the only one hitting this wall...
