Hi, I'm running shorewall 4.0.13 on Ubuntu 8, and everything has been smooth and easy so far. Thanks a lot.

Shorewall runs on my home server, which acts both as a firewall/router as well as an application server. It's got two active ethernet ports for zones local and network, and (due to VMware2 on the server) some virtual network ports.

However, after playing around with shorewall's settings I found that mDNS didn't work anymore. I've got avahi on the server, and both the server itself as well as clients on my network couldn't resolve .local domains anymore. There was nothing in the shorewall logs (I've got the last REJECT rule logged with level INFO), but I made sure that the logging worked by accessing some strange ports somewhere, which promptly showed up in the log files. Nothing wrong with logging.

After some serious frustration I switched off shorewall completely, allowing all traffic between all hosts. Et voilà, mDNS worked like a charm.

One of my tweaks of the shorewall settings was to enable the perl compiler, which was said to generate more effective and compact rules. Switching it back to "shell" in fact helped me with my mDNS problems; it's working again now.

So, what did I do wrong here? I enabled multicasting in shorewall.conf and had an "allow all" rule for ICMP. Are you aware of any issues regarding mDNS?

For the record: mDNS uses UDP port 5353 along with multicasts to 254.0.0.251. Avahi responds to these packets, announcing itself as a mDNS enabled host.

Any help is appreciated.

Regards, Christian

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Christian Aust wrote:
> There was nothing in the shorewall logs (I've got the last REJECT rule logged with level INFO), but I made sure that the logging worked by accessing some strange ports somewhere, which promptly showed up in the log files. Nothing wrong with logging.

Shorewall suppresses policy logging of packets with a multicast destination address. This is necessary to keep us from being overrun with excited problem reports stating that the user's firewall is under attack from his cable modem, networked printer, IP-enabled refrigerator, etc.

> So, what did I do wrong here? I enabled multicasting in shorewall.conf

The setting of that option is very unlikely to be relevant in your case.

> and had an "allow all" rule for ICMP.

I know of no connection between ICMP and mDNS...

> Are you aware of any issues regarding mDNS?

No.

> For the record: mDNS uses UDP port 5353 along with multicasts to 254.0.0.251. Avahi responds to these packets, announcing itself as a mDNS enabled host.
>
> Any help is appreciated. Regards,

It is difficult to help when you have said nothing about your Shorewall configuration other than that you are using Shorewall-perl. Please see http://www.shorewall.net/support.htm#Guidelines. But for starters, have you enabled UDP port 5353 from the local net to the firewall?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom,

On 10.08.2008 at 22:09, Tom Eastep wrote:
>> So, what did I do wrong here? I enabled multicasting in shorewall.conf
>
> The setting of that option is very unlikely to be relevant in your case.

RTFM, I see. OK. :-)

> It is difficult to help when you have said nothing about your Shorewall configuration other than that you are using Shorewall-perl. Please see http://www.shorewall.net/support.htm#Guidelines. But for starters, have you enabled UDP port 5353 from the local net to the firewall?

You're right. Here's parts of my config (please see below for my comments)

# === shorewall.conf ==
STARTUP_ENABLED=Yes
VERBOSITY=2
SHOREWALL_COMPILER=shell
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=INTERNAL
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=Yes
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

# === zones ==
fw firewall
net ipv4 #
loc ipv4 #
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# === interfaces ==
loc eth0 detect dhcp
net eth1 detect dhcp,norfc1918,routefilter,tcpflags
loc ppp+ - routeback
loc vmnet+ detect routeback
#LAST LINE -- DO NOT REMOVE

# === policy ==
$FW all ACCEPT
loc fw ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE

# === rules ==
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT net loc:10.110.1.3 udp - 5060:5069
ACCEPT loc:10.110.1.3 net udp - 5060:5069
ACCEPT loc:10.110.1.3 net udp - 7078:7087
ACCEPT loc:10.110.1.3 net tcp 10000
SSH/ACCEPT net $FW
SSH/ACCEPT loc all
HTTP/ACCEPT net $FW
HTTP/ACCEPT all net
HTTPExt/ACCEPT all net
HTTPS/ACCEPT all net
Ping/ACCEPT all all
FTP/ACCEPT net:92.51.129.12 $FW
FTP/ACCEPT loc all
IMAP/ACCEPT loc all
IMAPS/ACCEPT loc all
SMTP/ACCEPT net $FW
SMTP/ACCEPT loc net:92.51.129.12
SMTPS/ACCEPT loc net:92.51.129.12
NTP/ACCEPT loc all
ACCEPT loc net tcp 1863,5190,5050,5222,5223,5678
ACCEPT loc net udp - 16393:16402
ACCEPT all net:92.51.129.12 tcp 8443
Rsync/ACCEPT loc all
RDP/ACCEPT loc all
ACCEPT loc net tcp 8620
ACCEPT loc net tcp 6667
SNMP/ACCEPT loc all
ACCEPT all all udp 5353
AllowICMPs/ACCEPT all all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# === masq ==
eth1 eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

> christian@cobalt:~$ shorewall version
> 4.0.13
> christian@cobalt:~$ sudo shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Available
> Physdev Match: Available
> Physdev-is-bridged Support: Available
> Packet length Match: Available
> IP range Match: Available
> Recent Match: Available
> Owner Match: Available
> Ipset Match: Not available
> CONNMARK Target: Available
> Extended CONNMARK Target: Available
> Connmark Match: Available
> Extended Connmark Match: Available
> Raw Table: Available
> IPP2P Match: Not available
> CLASSIFY Target: Available
> Extended REJECT: Available
> Repeat match: Available
> MARK Target: Available
> Extended MARK Target: Available
> Mangle FORWARD Chain: Available
> Comments: Available
> Address Type Match: Available
> TCPMSS Match: Available
> Hashlimit Match: Available
> NFQUEUE Target: Available
> christian@cobalt:~$ uname -a
> Linux cobalt.intern 2.6.24-19-server #1 SMP Sat Jul 12 00:40:01 UTC 2008 i686 GNU/Linux

AFAICS I've got a policy of ACCEPT loc->fw which should allow UDP/5353 from local to the firewall. However, reading this I'm not quite sure about the correctness of my zones config: Since $FW seems to be a default zone, do I need to define the zone "fw"? I assume I've got that from a tutorial somewhere but never bothered because it eventually worked.

I appreciate your comments.

Regards, Christian
Christian Aust wrote:
> Tom,
>
> On 10.08.2008 at 22:09, Tom Eastep wrote:
>
>>> So, what did I do wrong here? I enabled multicasting in shorewall.conf
>> The setting of that option is very unlikely to be relevant in your case.
>
> RTFM, I see. OK. :-)
>
>> It is difficult to help when you have said nothing about your Shorewall configuration other than that you are using Shorewall-perl. Please see http://www.shorewall.net/support.htm#Guidelines. But for starters, have you enabled UDP port 5353 from the local net to the firewall?
>
> You're right. Here's parts of my config (please see below for my comments)

Now please actually READ the link that I referred you to. In part, the text there says:

- Please do not include Shorewall configuration files unless you have been specifically asked to do so. The output of shorewall dump collected as described above is much more useful. Your configuration files reflect your firewall the way that you think it should be (or the way that you hope that it is). The output of 'shorewall dump' tells us exactly what your firewall is actually doing.

This is reinforced by the fact that with the rules you posted, you should have no problem with mDNS in the local network, yet you claim that you do. So something is wrong here....

-Tom
On 12.08.2008 at 01:45, Tom Eastep wrote:
> This is reinforced by the fact that with the rules you posted, you should have no problem with mDNS in the local network, yet you claim that you do. So something is wrong here....

Please find attached two Shorewall dumps, one from a Shorewall configuration compiled using the shell compiler, the other one using perl. With the shell configuration, mDNS works (I can ping a host on the .local. domain); with the perl-generated configuration, it doesn't, as the ping times out. This is reproducible in both directions: With the perl configuration, neither can I ping a mDNS host from the server running shorewall, nor can I ping the server from outside using its .local. hostname. Pinging using the standard DNS name works, though.

Regards, Christian
Christian Aust wrote:
> On 12.08.2008 at 01:45, Tom Eastep wrote:
>
>> This is reinforced by the fact that with the rules you posted, you should have no problem with mDNS in the local network, yet you claim that you do. So something is wrong here....
>
> Please find attached two Shorewall dumps, one from a Shorewall configuration compiled using the shell compiler, the other one using perl. With the shell configuration, mDNS works (I can ping a host on the .local. domain); with the perl-generated configuration, it doesn't, as the ping times out.

As I told you earlier, the MULTICAST option doesn't apply to your setup. Please turn it off and mDNS will begin working. When MULTICAST=Yes, multicast packets to/from the firewall must be explicitly ACCEPTed via rules. They do not pass through the policy-generated Netfilter rules.

-Tom
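The thread tests mDNS indirectly, by pinging a .local name and waiting for the resolver to time out. A more direct check from either side of the firewall is to send the mDNS query yourself and see whether an answer arrives. The script below is an added example for this thread; it is not Avahi, Shorewall or the poster's code. It builds a raw mDNS A query (RFC 6762) for a .local name, sends it to the mDNS group address 224.0.0.251 on UDP 5353 (the group registered for mDNS in RFC 6762), and parses the A records in whatever comes back, so it can be run from a LAN client toward the server and from the server toward a client, mirroring the two-direction test above. The hostname cobalt.local, the addresses 10.110.1.2 and 10.110.1.3, and the canned response bytes in SAMPLE_RESPONSE are constructed for the offline self-check and are not taken from the thread's dumps.

```python
"""Minimal mDNS (RFC 6762) A-record probe: build a query, send it to the
mDNS group, parse the answers. Added example for this thread; not Avahi,
Shorewall or the original poster's code."""
import socket
import struct
import sys

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS group address (RFC 6762)
MDNS_PORT = 5353
TYPE_A = 1
CLASS_IN = 1
QU_BIT = 0x8000              # in a question: "please answer by unicast"
CACHE_FLUSH = 0x8000         # in an answer: cache-flush bit


def encode_name(name):
    """Encode 'cobalt.local' as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, unicast_response=False, txid=0):
    """One-question standard query; mDNS queries normally carry txid 0."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, qclass)


def decode_name(pkt, off):
    """Read a possibly compressed name at pkt[off]; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                 # resume after the first pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(pkt):
    """Return [(name, ipv4, ttl, cache_flush)] for every A record in a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                       # skip echoed questions, if any
        _, off = decode_name(pkt, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            found.append((name, socket.inet_ntoa(rdata), ttl,
                          bool(rclass & CACHE_FLUSH)))
    return found


def probe(name, timeout=2.0, iface_ip=None):
    """Send one QU query to the group; collect (responder, name, ip, ttl, flush)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    if iface_ip:                              # choose the LAN-side interface on a router
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                        socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    sock.sendto(build_query(name, unicast_response=True), (MDNS_GROUP, MDNS_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            try:
                hits.extend((src,) + rec for rec in parse_response(data))
            except (ValueError, IndexError, struct.error):
                continue                      # not a parsable mDNS response
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed answer for an offline self-check (not captured from the thread):
# flags 0x8400 (response, authoritative), answer "cobalt.local A 10.110.1.2"
# with cache-flush set, then a second A record whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
    + encode_name("cobalt.local")
    + struct.pack("!HHIH", TYPE_A, CLASS_IN | CACHE_FLUSH, 120, 4)
    + socket.inet_aton("10.110.1.2")
    + b"\xc0\x0c"
    + struct.pack("!HHIH", TYPE_A, CLASS_IN, 120, 4)
    + socket.inet_aton("10.110.1.3")
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cobalt.local"
    for rec in probe(target):
        print("%s answered: %s -> %s (ttl %d, flush=%s)" % rec)
```

Run it as `python3 mdns_probe.py cobalt.local` on a client while the Avahi host is up, then again from the firewall host with `iface_ip` set to its LAN address if it has more than one interface. One caveat worth knowing when reading the result against a firewall ruleset: because the query leaves from an ephemeral port (and sets the QU bit), the responder answers by unicast from its own address to that port, so the reply does not come from 224.0.0.251 and does not match the conntrack entry created by the outbound multicast. A stateful ruleset that lets the multicast query out but has no rule for inbound UDP from source port 5353 loses the answer silently, which is exactly the kind of failure that shows up as a timed-out ping on a .local name and nothing in the log.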