Michael Weickel - iQom Business Services GmbH
2009-Nov-21 10:15 UTC
FW: Policy makes trouble once multiple zones are applied
OK - I figured out what it is, but maybe someone can give an explanation here.

If I use the multiple zones configuration I have to add in addition

Hosts
    v3005    vlan3005:0.0.0.0/0

And of course this seems very logical, since this means all IPs on the internet. But I am still quite confused why this is the first time I have to do it, after using Shorewall for years without being forced to say 0.0.0.0/0. If I use the non-multiple configuration it works perfectly as well without the need to configure 0.0.0.0/0, only the broadcast of the subnet, linked to the next hop pointing Shorewall to the public internet.

So from my side there is nothing against configuring 0.0.0.0/0 in multiple zones, but I am still interested why the need occurs in my special environment.

Any help would be appreciated.

Cheers
Mike

-----Original Message-----
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Saturday, 21 November 2009 01:17
To: 'Shorewall Users'
Subject: Policy makes trouble once multiple zones are applied

Hi all,

I am running into some curious problems with hosts and interfaces.

My interface vlan3005 has the IP 62.101.100.2/30. I don't have a zone net and no zone fw. One could say my zone v3005 is representing net.

I do not have a 0.0.0.0/0 route in the main table, but

    ip route show table 22
    default via 62.101.100.1 dev vlan3005

and

    32764: from all iif vlan3005 lookup 22
    32765: from 62.101.100.2 lookup 22

Interfaces
    -        vlan3005    62.101.100.3

Hosts
    v3005    vlan3005:62.101.100.0/30

Rules
    ACCEPT   v3005   fw   tcp   22

Policy
    fw   v3005   ACCEPT

If I now try 'ssh 62.101.100.2' from outside:

Nov 21 01:15:50 ffmfw01 [ 867.692419] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=109.5.122.3 DST=62.101.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=42964 DF PROTO=TCP SPT=52142 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

And if I try 'ping 109.5.122.3 -I vlan3003':

ping: sendmsg: Operation not permitted

Nov 21 01:20:02 ffmfw01 [ 1119.354729] Shorewall:OUTPUT:DROP:IN= OUT=vlan3005 SRC=62.101.100.2 DST=109.5.122.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=46625 SEQ=1

But if I apply the following changes to the config outlined above, everything works well for ping from fw to the internet and ssh from the internet to fw as well.

Interfaces
    vlan3005    vlan3005    62.101.100.3

Hosts
    #v3005   vlan3005:62.101.100.0/30

I am running Shorewall 3.4.8.

Since I've managed multiple zones a hundred times, and since it makes really no sense to me why it works with exactly the same policies and rules once multiple zones is switched off, I appreciate any help on this.

Cheers
Mike

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
Tom Eastep
2009-Nov-21 15:59 UTC
Re: FW: Policy makes trouble once multiple zones are applied
Michael Weickel - iQom Business Services GmbH wrote:
> OK - I figured out what it is, but maybe someone can give an explanation here.
>
> If I use the multiple zones configuration I have to add in addition
>
> Hosts
>     v3005    vlan3005:0.0.0.0/0
>
> And of course this seems very logical, since this means all IPs on the internet.
>
> But I am still quite confused why this is the first time I have to do it, after using Shorewall for years without being forced to say 0.0.0.0/0.
>
> If I use the non-multiple configuration it works perfectly as well without the need to configure 0.0.0.0/0, only the broadcast of the subnet, linked to the next hop pointing Shorewall to the public internet.
>
> So from my side there is nothing against configuring 0.0.0.0/0 in multiple zones, but I am still interested why the need occurs in my special environment.
>
> Any help would be appreciated.

I suspect that in the past you have been specifying a zone name rather than '-' in the ZONE column of /etc/shorewall/interfaces in addition to an entry in /etc/shorewall/hosts. That has the same effect as putting 0.0.0.0/0 in the /etc/shorewall/hosts file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Michael Weickel - iQom Business Services GmbH
2009-Nov-29 02:15 UTC
Re: FW: Policy makes trouble once multiple zones are applied
Yes, you are right with this. Thanks for the answer.

I have another question about your http://www.shorewall.net/VPNBasics.html

There you wrote that - at some point - you want to get rid of the tunnels file, since rules can cover all of our needs.

I tried it and found out that I was not able to manage it.

As I understood it, the following row in the tunnels file

    ipsec   net   10.20.30.40

means that the remote host 10.20.30.40 is allowed to access fw by UDP 500 as well as ESP (50) and AH (51) without specifying any additional rule.

I tried it as follows in tunnels

    ipsec   v3005   0.0.0.0/0

and hosts

    v3005   vlan3005:0.0.0.0/0   ipsec

but this message appears in the log:

Nov 29 03:05:25 ffmfw01 kernel: [ 3449.115968] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 LEN=372 TOS=0x00 PREC=0x00 TTL=114 ID=107 PROTO=UDP SPT=4076 DPT=500 LEN=352

My interface

    -   vlan3005   217.112.144.39   $WAN_OPTS

and my params

    WAN_OPTS=tcpflags,norfc1918,routefilter,nosmurfs,logmartians

If I additionally specify in rules

    ACCEPT   lv3005   fw   udp   500   -   217.112.144.33

everything is fine.

BTW, the link to http://ipsec.math.ucla.edu/services/ipsec-windows.html in http://www.shorewall.net/IPSEC-2.6.html does not work anymore.
Tom Eastep
2009-Nov-29 02:52 UTC
Re: FW: Policy makes trouble once multiple zones are applied
Michael Weickel - iQom Business Services GmbH wrote:
> Yes, you are right with this. Thanks for the answer.
>
> I have another question about your http://www.shorewall.net/VPNBasics.html
>
> There you wrote that - at some point - you want to get rid of the tunnels file, since rules can cover all of our needs.
>
> I tried it and found out that I was not able to manage it.

If you want to do IPSEC, why aren't you following the IPSEC HOWTO?

http://www.shorewall.net/IPSEC-2.6.html

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Michael Weickel - iQom Business Services GmbH
2009-Nov-29 03:09 UTC
Re: FW: Policy makes trouble once multiple zones are applied
I did, but sometimes you are in the middle of a well-working area and at some point events occur which you do not understand very well. To be honest, I do not have any trouble, but being able to understand more than is written in the HOWTO, or let's say to understand exactly how it is meant, is much better in a critical environment.
Tom Eastep
2009-Nov-30 18:37 UTC
Re: FW: Policy makes trouble once multiple zones are applied
Michael Weickel - iQom Business Services GmbH wrote:
> Yes, you are right with this. Thanks for the answer.
>
> I have another question about your http://www.shorewall.net/VPNBasics.html
>
> There you wrote that - at some point - you want to get rid of the tunnels file, since rules can cover all of our needs.
>
> I tried it and found out that I was not able to manage it.
>
> As I understood it, the following row in the tunnels file
>
>     ipsec   net   10.20.30.40
>
> means that the remote host 10.20.30.40 is allowed to access fw by UDP 500 as well as ESP (50) and AH (51) without specifying any additional rule.
>
> I tried it as follows in tunnels
>
>     ipsec   v3005   0.0.0.0/0
>
> and hosts
>
>     v3005   vlan3005:0.0.0.0/0   ipsec
>
> but this message appears in the log:
>
> Nov 29 03:05:25 ffmfw01 kernel: [ 3449.115968] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 LEN=372 TOS=0x00 PREC=0x00 TTL=114 ID=107 PROTO=UDP SPT=4076 DPT=500 LEN=352
>
> My interface
>
>     -   vlan3005   217.112.144.39   $WAN_OPTS
>
> and my params
>
>     WAN_OPTS=tcpflags,norfc1918,routefilter,nosmurfs,logmartians
>
> If I additionally specify in rules
>
>     ACCEPT   lv3005   fw   udp   500   -   217.112.144.33
>
> everything is fine.

The zone mentioned in the tunnels file ZONE column *should not be the IPSEC zone*. It should rather be the unencrypted zone where the remote gateway resides. The IPSEC zone(s) should be listed in the GATEWAY ZONES column.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
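Putting Tom's two answers together, here is how the Shorewall 3.4 files would look for the setup in this thread. This is an added illustration, not configuration posted by either participant or taken from the Shorewall documentation. It assumes an IPsec zone named vpn (a hypothetical name; the thread never names one), that v3005 is declared as an ordinary ipv4 zone, that the interface keeps the '-' ZONE column Tom recommended (so the zone is defined entirely in hosts, which is why 0.0.0.0/0 is needed there), that the broadcast address is left to 'detect', and that the remote gateway stays 0.0.0.0/0 as in Michael's attempt. The tunnels line names the unencrypted zone v3005 in ZONE and the IPsec zone in GATEWAY ZONE, which is the correction Tom gives above; with that in place the hand-written ACCEPT for udp 500 is no longer needed.

```text
# /etc/shorewall/zones
# fw is the firewall itself; v3005 is the unencrypted upstream zone;
# vpn (hypothetical name) is the IPsec zone for decrypted traffic.
#ZONE    TYPE       OPTIONS    IN    OUT
fw       firewall
v3005    ipv4
vpn      ipsec

# /etc/shorewall/params
WAN_OPTS=tcpflags,norfc1918,routefilter,nosmurfs,logmartians

# /etc/shorewall/interfaces
# '-' in ZONE: the interface itself defines no zone, hosts does.
# Writing 'v3005' here instead would be equivalent to a hosts entry
# of v3005 vlan3005:0.0.0.0/0 (Tom's explanation of the old behaviour).
#ZONE    INTERFACE    BROADCAST    OPTIONS
-        vlan3005     detect       $WAN_OPTS

# /etc/shorewall/hosts
# Both zones live on vlan3005 and both cover all addresses; the ipsec
# zone type (from zones) is what separates decrypted from clear traffic,
# so no 'ipsec' option is needed on the hosts line.
#ZONE    HOST(S)                 OPTIONS
v3005    vlan3005:0.0.0.0/0
vpn      vlan3005:0.0.0.0/0

# /etc/shorewall/tunnels
# ZONE is the zone the remote gateway is reached through (unencrypted),
# GATEWAY ZONE is the IPsec zone. This entry opens udp 500, ESP and AH
# between fw and v3005 for the gateway address (here: any address).
#TYPE    ZONE     GATEWAY       GATEWAY ZONE
ipsec    v3005    0.0.0.0/0     vpn

# /etc/shorewall/policy
# Catch-all policies are an assumption added for completeness.
#SOURCE    DEST     POLICY    LOG LEVEL
fw         v3005    ACCEPT
v3005      all      DROP      info
all        all      REJECT    info

# /etc/shorewall/rules
#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     v3005     fw      tcp      22
# Not needed once tunnels is correct; the entry above handles IKE:
#ACCEPT    v3005     fw      udp      500
```

After editing, 'shorewall check' reports column and zone errors before anything is loaded, and 'shorewall restart' applies the change. A useful sanity check is that the IKE packet Michael saw dropped (udp/500 from the remote gateway into vlan3005) should no longer appear as Shorewall:INPUT:DROP once the tunnels entry is in place, without any extra rules.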