Thibault Hild
2011-Nov-18 17:08 UTC
Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
Hello Thomas and Shorewall users,

I'm using Shorewall under a Gentoo distribution, and lately the shorewall package evolved from revision 4.4.15.1-r1 to revision 4.4.23.2.

I'm using this platform as a one-arm router/firewall between 3 zones. 3 IPv4 addresses are associated with the available Ethernet port. The 3 zones are named red, green and blue: red is the zone between the firewall and my ADSL box, green is the zone with the most access rights to the outside, and blue has some time-based restrictions. Connections from the green and blue zones to the Internet are done through masquerading, as the ADSL box only accepts connections from the Gentoo platform. I want to control access from other computers to the outside by blocking direct access to the ADSL box. I can only use one physical network due to the configuration of my home.

This configuration seems to be working well with Shorewall 4.4.15, but as this revision is subject to the "2011-08-07 Nasty bug" issue described in http://www.shorewall.net/Notices.html, I wanted to upgrade the shorewall Gentoo package to revision 4.4.23.2 (which is considered stable by the Gentoo team). After upgrading to this new revision, neither the green nor the blue zone has access to the outside anymore; all packets are dropped. I suspect that my configuration has a flaw and was probably working only because of this "nasty bug". I've also already ensured that "IP_FORWARDING=On" was kept during the upgrade.

I've attached the output of "shorewall dump" while trying to access www.google.com from a computer in the green zone after the upgrade.

Thank you for reading me up to this point. Any help will be greatly appreciated.

Thibault Hild

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
Tom Eastep
2011-Nov-20 21:10 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
On Nov 18, 2011, at 9:08 AM, Thibault Hild wrote:
> I've attached the output of "shorewall dump" while trying to access www.google.com from a computer in the green zone after the upgrade.

There was no attachment.

-Tom

Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
Thibault Hild
2011-Nov-21 07:57 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
Sorry for the missing attachment, here is the file.

Thibault

On Sun, Nov 20, 2011 at 10:10 PM, Tom Eastep <teastep@shorewall.net> wrote:
> There was no attachment.
Tom Eastep
2011-Nov-21 13:39 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
On Mon, 2011-11-21 at 08:57 +0100, Thibault Hild wrote:
> Sorry for the missing attachment, here is the file.

Add the 'routefilter' option for eth0 in /etc/shorewall/interfaces.

-Tom
Thibault Hild
2011-Nov-21 14:13 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
Thank you Tom for the hint. I will try the 'routefilter' option this evening.

By the way, why is this option not needed in revision 4.4.15?

Thibault

On Mon, Nov 21, 2011 at 2:39 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Add the 'routefilter' option for eth0 in /etc/shorewall/interfaces.
Tom Eastep
2011-Nov-21 14:27 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
On Nov 21, 2011, at 6:13 AM, Thibault Hild wrote:
> Thank you Tom for the hint. I will try the 'routefilter' option this evening.
>
> By the way, why is this option not needed in revision 4.4.15?

To avoid connection tracking attacks from IP spoofing, Shorewall now prevents hairpinning (routing a packet out of the same interface it entered on) when neither 'routeback' nor 'routefilter' is specified.

-Tom
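Editor's note: the change Tom describes is easy to trip over on a one-arm router, where every zone sits behind the same interface and every forwarded packet is by definition a hairpin. The script below is an added example (not from the original thread and not part of Shorewall itself): it scans a Shorewall 4.4-style /etc/shorewall/interfaces file (ZONE INTERFACE BROADCAST OPTIONS columns) for entries that carry neither 'routeback' nor 'routefilter', and shows how to append 'routefilter' to one interface's OPTIONS column. The interfaces file content is constructed here, since the original poster's configuration was only attached, not shown on the page; eth0 and the other option names are assumptions standing in for that configuration.

```shell
#!/bin/sh
# Added example: find Shorewall 4.4 interfaces that will lose hairpin traffic
# after the 4.4.2x change, and add 'routefilter' to one of them.
# Assumes the 4-column layout: ZONE INTERFACE BROADCAST OPTIONS.

# Constructed sample standing in for a one-arm router's interfaces file
# (not the original poster's file, which is not on the page).
SAMPLE_INTERFACES=$(mktemp)
trap 'rm -f "$SAMPLE_INTERFACES"' EXIT
cat > "$SAMPLE_INTERFACES" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            detect          tcpflags,nosmurfs
EOF

# Print the INTERFACE of every entry whose OPTIONS column has neither
# 'routeback' nor 'routefilter' (a 'routefilter=1' style value counts).
# Prints nothing when every interface is covered.
hairpin_unprotected() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        {
            opts = (NF >= 4) ? $4 : ""
            n = split(opts, o, ",")
            ok = 0
            for (i = 1; i <= n; i++) {
                sub(/=.*/, "", o[i])            # routefilter=1 -> routefilter
                if (o[i] == "routeback" || o[i] == "routefilter") ok = 1
            }
            if (!ok) print $2
        }' "$1"
}

# Write the file to stdout with 'routefilter' appended to the OPTIONS
# column of the named interface; other lines pass through unchanged.
add_routefilter() {
    awk -v iface="$2" '
        /^[[:space:]]*#/ || NF == 0 || $2 != iface { print; next }
        {
            if (NF < 3) $3 = "-"                # BROADCAST must be present
            if (NF < 4 || $4 == "-") $4 = "routefilter"
            else $4 = $4 ",routefilter"
            print $1 "\t" $2 "\t" $3 "\t" $4
        }' "$1"
}

# Stand-alone run: report, then show the corrected file.
echo "Interfaces without routeback/routefilter:"
hairpin_unprotected "$SAMPLE_INTERFACES"
echo "Corrected interfaces file:"
add_routefilter "$SAMPLE_INTERFACES" eth0
```

After editing the real file, run `shorewall check` and then `shorewall restart`; because 'routefilter' makes Shorewall enable kernel reverse-path filtering for that interface, /proc/sys/net/ipv4/conf/eth0/rp_filter should then read 1. The trade-off is that the kernel will silently discard any packet whose source address is not routed back out of eth0, which is harmless on a one-arm box where every zone lives on eth0 but would bite a multi-interface host with asymmetric routing; 'routeback' is the alternative that re-enables hairpinning without the kernel anti-spoofing check.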
Thibault Hild
2011-Nov-21 18:23 UTC
Re: Shorewall 4.4.15 configuration not working anymore with revision 4.4.23
Tom,

It works like a charm :). Thank you so much for your time and support. Shorewall is really a nice piece of software. It helped me each time I had to configure iptables rules.

Thibault

On Mon, Nov 21, 2011 at 3:27 PM, Tom Eastep <teastep@shorewall.net> wrote:
> To avoid connection tracking attacks from IP spoofing, Shorewall now prevents hairpinning (routing a packet out of the same interface it entered on) when neither 'routeback' nor 'routefilter' is specified.