Shorewall users - Nov 2011 - Shorewall 4.4.15 configuration not working anymore with revision 4.4.23

Hello Thomas and Shorewall users,

I''m using shorewall under a gentoo distribution and lately the
shorewall
package evolved from revision 4.4.15.1-r1 to revision 4.4.23.2.

I''m using this platform as a one arm router/firewall between 3 zones.
3 IPv4 addresses are associated to the available ethernet port.

The 3 zones are named red, green and blue.
red is the zone between the firewall and my ADSL box.
green is the zone with most access rights to the outside and blue has some
time based restrictions.
Connections from green and blue zones to the internet is done through
masquerading as the ADSL box only accept connections from the gentoo
platform. I want to control access from other computers to the outside by
blocking direct access to the ADSL box. I can only use one physical network
due to the configuration of my home place.

This configuration seems to be working well with shorewall 4.4.15 but as
this revision is subject to the "2011-08-07 Nasty bug" issue described
in
http://www.shorewall.net/Notices.html, I wanted to upgrade the shorewall
gentoo package to revision 4.4.23.2 (which is considered stable by the
gentoo team).

After upgrading to this new revision, neither green or blue zones have
access to the outside anymore, all packets are dropped. I suspect that my
configuration has a flow and was probably working because of this "nasty
bug".
I''ve already also ensured that "IP_FORWARDING=On" was kept
during the
upgrade.

I''ve attached the output of "shorewall dump" while trying to
access
www.google.com from a computer in the green zone after the upgrade.


Thank you for reading me up to this point. Any help will be greatly
appreciated.

Thibault Hild


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

On Nov 18, 2011, at 9:08 AM, Thibault Hild wrote:
> 
> 
> I''ve attached the output of "shorewall dump" while
trying to access www.google.com from a computer in the green zone after the
upgrade.

There was no attachment.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

Sorry for the missing attachment, here is the file.

Thibault

On Sun, Nov 20, 2011 at 10:10 PM, Tom Eastep <teastep@shorewall.net>
wrote:
>
> On Nov 18, 2011, at 9:08 AM, Thibault Hild wrote:
>
>
>
> I''ve attached the output of "shorewall dump" while
trying to access
> www.google.com from a computer in the green zone after the upgrade.
>
>
> There was no attachment.
>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
>
>
------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

On Mon, 2011-11-21 at 08:57 +0100, Thibault Hild wrote:
> Sorry for the missing attachment, here is the file.
Add the ''routefilter'' option for eth0 in
/etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

Thank you Tom for the hint.
I will try the ''routefilter'' option this evening.

By the way, why is this option not needed in revision 4.4.15 ?

Thibault

On Mon, Nov 21, 2011 at 2:39 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On Mon, 2011-11-21 at 08:57 +0100, Thibault Hild wrote:
> > Sorry for the missing attachment, here is the file.
>
> Add the ''routefilter'' option for eth0 in
/etc/shorewall/interfaces.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

On Nov 21, 2011, at 6:13 AM, Thibault Hild wrote:
> Thank you Tom for the hint.
> I will try the ''routefilter'' option this evening.
> 
> By the way, why is this option not needed in revision 4.4.15 ?
To avoid connection tracking attacks from IP spoofing, Shorewall now prevents
hairpinning (routing a packet out of the same interface it entered on) when
neither ''routeback'' nor ''routefilter'' is
specified.

-Tom 

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

Tom,

It works like a charm :).

Thank you so much for your time and support.
Shorewall is really a nice piece of software. It helped me each time I had
to configure iptables rules.

Thibault

On Mon, Nov 21, 2011 at 3:27 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Nov 21, 2011, at 6:13 AM, Thibault Hild wrote:
>
> Thank you Tom for the hint.
> I will try the ''routefilter'' option this evening.
>
> By the way, why is this option not needed in revision 4.4.15 ?
>
>
> To avoid connection tracking attacks from IP spoofing, Shorewall now
> prevents hairpinning (routing a packet out of the same interface it entered
> on) when neither ''routeback'' nor
''routefilter'' is specified.
>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
>
>
------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d