Klemens Rutz
2009-Feb-28 15:57 UTC
Rules to jump into <interface>_fwd chains missing in shorewall-perl 4.2.6
Hi,

playing around with the nosmurfs option I found out that the firewall script contains no rules to enter <interface>_fwd chains when generated by shorewall-perl:

  # grep eth0_fwd firewall
  :eth0_fwd - [0:0]
  -A eth0_fwd -m state --state NEW,INVALID -j smurfs

As a result the nosmurf option does not affect forwarded packages. This is also true for other interface options like e.g. tcpflags, maclist, etc.

The script created with shorewall-shell on the other hand contains rules to jump into the <interface>_fwd chains and I guess this is the desired behavior:

  # grep eth0_fwd firewall
  run_iptables -N eth0_fwd
  run_iptables -A eth0_fwd -m state --state NEW,INVALID -j dynamic
  run_iptables -A eth0_fwd -m state --state NEW,INVALID -s 0.0.0.0/0 -j smurfs
  run_iptables -A eth0_fwd -s 0.0.0.0/0 -o eth1 -d 0.0.0.0/0 -j all2all
  run_iptables -A FORWARD -i eth0 -j eth0_fwd

In this example I used version 4.2.6 on CentOS 5.2, kernel 2.6.18-92.1.22.el5, and the setup

  diff ./interfaces /usr/share/shorewall/configfiles/interfaces
  11,12d10
  < lan     eth0    -       nosmurfs
  < net     eth1    -       nosmurfs

  diff ./policy /usr/share/shorewall/configfiles/policy
  12d11
  < all     all     DROP    info

  diff ./zones /usr/share/shorewall/configfiles/zones
  13,14d12
  < lan     ipv4
  < net     ipv4

And the only unavailable capabilities reported by Shorewall are

  NEW_CONNTRACK_MATCH
  OLD_CONNTRACK_MATCH
  IPSET_MATCH
  IPP2P_MATCH
  OLD_IPP2P_MATCH
  KLUDGEFREE
  CONNLIMIT_MATCH
  TIME_MATCH
  CAPVERSION=40205

I like Shorewall a lot. Many thanks for this great piece of work.

Regards,
Klemens

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
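The defect Klemens reports is easy to miss because the <interface>_fwd chain and its rules exist; only the jump from FORWARD is absent. The following check, added here as an example and not part of this thread or of Shorewall, reads an iptables-save style dump and lists every _fwd chain that no FORWARD rule reaches; the sample ruleset and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the grep output in the
# report above: eth0_fwd exists and holds the smurfs check, but no FORWARD rule
# jumps to it, so forwarded packets never reach it. eth1_fwd is hooked correctly.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:eth0_fwd - [0:0]
:eth1_fwd - [0:0]
:smurfs - [0:0]
-A eth0_fwd -m state --state NEW,INVALID -j smurfs
-A eth1_fwd -m state --state NEW,INVALID -j smurfs
-A FORWARD -i eth1 -j eth1_fwd
COMMIT'

# find_orphan_fwd_chains: read an iptables-save dump on stdin and print, one per
# line, every <interface>_fwd chain that no rule in FORWARD jumps to.
find_orphan_fwd_chains() {
    awk '
        # chain declarations look like ":eth0_fwd - [0:0]"
        /^:[A-Za-z0-9_.+-]+_fwd / { declared[substr($1, 2)] = 1 }
        # the expected hook is "-A FORWARD -i <iface> -j <iface>_fwd"
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "-j") hooked[$(i + 1)] = 1
        }
        END { for (c in declared) if (!(c in hooked)) print c }
    ' | sort
}

# check_ruleset: read a dump on stdin; return 0 if every _fwd chain is reachable
# from FORWARD, 1 (listing the unreachable chains) otherwise.
check_ruleset() {
    orphans=$(find_orphan_fwd_chains)
    if [ -n "$orphans" ]; then
        echo "unreachable _fwd chains (interface options do not apply to forwarded traffic):"
        echo "$orphans"
        return 1
    fi
    echo "all _fwd chains are hooked from FORWARD"
}

# Demo on the constructed sample (reports eth0_fwd); on a live box:
#   iptables-save | check_ruleset
printf '%s\n' "$SAMPLE_RULESET" | check_ruleset || echo "check failed with status $?"
```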
Tom Eastep
2009-Feb-28 16:47 UTC
Re: Rules to jump into <interface>_fwd chains missing in shorewall-perl 4.2.6
Klemens Rutz wrote:
> Hi,
>
> playing around with the nosmurfs option I found out that the firewall script
> contains no rules to enter <interface>_fwd chains when generated by shorewall-perl:
>
>   # grep eth0_fwd firewall
>   :eth0_fwd - [0:0]
>   -A eth0_fwd -m state --state NEW,INVALID -j smurfs
>
> As a result the nosmurf option does not affect forwarded packages. This is
> also true for other interface options like e.g. tcpflags, maclist, etc.

Please see if the attached hack to /usr/share/shorewall-perl/Shorewall/Chains.pm corrects this for you.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2009-Feb-28 17:07 UTC
Re: Rules to jump into <interface>_fwd chains missing in shorewall-perl 4.2.6
Tom Eastep wrote:
> Klemens Rutz wrote:
>> Hi,
>>
>> playing around with the nosmurfs option I found out that the firewall script
>> contains no rules to enter <interface>_fwd chains when generated by shorewall-perl:
>>
>>   # grep eth0_fwd firewall
>>   :eth0_fwd - [0:0]
>>   -A eth0_fwd -m state --state NEW,INVALID -j smurfs
>>
>> As a result the nosmurf option does not affect forwarded packages. This is
>> also true for other interface options like e.g. tcpflags, maclist, etc.
>
> Please see if the attached hack to
> /usr/share/shorewall-perl/Shorewall/Chains.pm corrects this for you.

I've come up now with the correct patch -- please reverse the prior patch (if you've applied it) and apply this one.

This will be released shortly as Shorewall-perl-4.2.6.1.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Klemens Rutz
2009-Feb-28 17:46 UTC
Re: Rules to jump into <interface>_fwd chains missing in shorewall-perl 4.2.6
Tom Eastep wrote:
> Tom Eastep wrote:
>> Klemens Rutz wrote:
>>> Hi,
>>>
>>> playing around with the nosmurfs option I found out that the firewall
>>> script contains no rules to enter <interface>_fwd chains when
>>> generated by shorewall-perl:
>>>
>>>   # grep eth0_fwd firewall
>>>   :eth0_fwd - [0:0]
>>>   -A eth0_fwd -m state --state NEW,INVALID -j smurfs
>>>
>>> As a result the nosmurf option does not affect forwarded packages.
>>> This is also true for other interface options like e.g. tcpflags,
>>> maclist, etc.
>>
>> Please see if the attached hack to
>> /usr/share/shorewall-perl/Shorewall/Chains.pm corrects this for you.
>
> I've come up now with the correct patch -- please reverse the prior patch
> (if you've applied it) and apply this one.
>
> This will be released shortly as Shorewall-perl-4.2.6.1.

Many thanks. Both patches have fixed the issue, the second obviously in line with the changed design in shorewall-perl...

Regards,
Klemens