Hi!

I have a shorewall firewall that connects two private subnets via ipsec
and also has a dmz.

     private net                                   private remote net
     Zone: int                                     Zone: vpn
     10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
                    /     \ - - ipsec - - /
                   /
                 DMZ
              1.2.3.0/24

Connecting the two subnets works fine. There are ipsec policies that
match my two private subnets.

However, I'd like to make a single exception and allow one host in the
DMZ to make dns requests to one host in the remote net (via ipsec). I'd
like to use SNAT to map its address to an address in the internal net.

There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
masq in order to make the SNAT filter work:
-------------------- 8< --------------------
outgoing
INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
-------------------- 8< --------------------

(This includes a "policy match dir out pol none" filter, which matches
the packets from my DMZ host when they first pass the POSTROUTING chain,
before they are rewritten using SNAT.)

Unfortunately the other shorewall policies and rules still won't work
because the calls to the dmz2vpn chains also include "policy match dir
out pol ipsec", which won't match because there is no security policy
for the DMZ.

Do you have any hints how to solve this?

Thanks in advance,
--leo
--
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote:
> Hi!
>
> I have a shorewall firewall that connects two private subnets via ipsec
> and also has a dmz.
>
>      private net                                   private remote net
>      Zone: int                                     Zone: vpn
>      10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>                     /     \ - - ipsec - - /
>                    /
>                  DMZ
>               1.2.3.0/24
>
> Connecting the two subnets works fine. There are ipsec policies that
> match my two private subnets.
>
> However, I'd like to make a single exception and allow one host in the
> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
> like to use SNAT to map its address to an address in the internal net.
>
> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
> masq in order to make the SNAT filter work:
> -------------------- 8< --------------------
> outgoing
> INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
> eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
> -------------------- 8< --------------------
>
> (This includes a "policy match dir out pol none" filter, which matches
> the packets from my DMZ host when they first pass the POSTROUTING chain,
> before they are rewritten using SNAT.)
>
> Unfortunately the other shorewall policies and rules still won't work
> because the calls to the dmz2vpn chains also include "policy match dir
> out pol ipsec", which won't match because there is no security policy
> for the DMZ.
>
> Do you have any hints how to solve this?

Try adding this to /etc/shorewall/hosts:

dmz ethX:10.0.1.9 ipsec

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/04/2012 05:54 PM, Tom Eastep wrote:
> On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote:
>> I have a shorewall firewall that connects two private subnets via ipsec
>> and also has a dmz.
>>
>>      private net                                   private remote net
>>      Zone: int                                     Zone: vpn
>>      10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>>                     /     \ - - ipsec - - /
>>                    /
>>                  DMZ
>>               1.2.3.0/24
>>
>> Connecting the two subnets works fine. There are ipsec policies that
>> match my two private subnets.
>>
>> However, I'd like to make a single exception and allow one host in the
>> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
>> like to use SNAT to map its address to an address in the internal net.
>>
>> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
>> masq in order to make the SNAT filter work:
>> -------------------- 8< --------------------
>> outgoing
>> INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
>> eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
>> -------------------- 8< --------------------
>>
>> (This includes a "policy match dir out pol none" filter, which matches
>> the packets from my DMZ host when they first pass the POSTROUTING chain,
>> before they are rewritten using SNAT.)
>>
>> Unfortunately the other shorewall policies and rules still won't work
>> because the calls to the dmz2vpn chains also include "policy match dir
>> out pol ipsec", which won't match because there is no security policy
>> for the DMZ.
>>
>> Do you have any hints how to solve this?
>
> Try adding this to /etc/shorewall/hosts:
>
> dmz ethX:10.0.1.9 ipsec

I think this does the opposite of what I want.

It adds entries like:
-------------------- 8< --------------------
21 1617 net2dmz  0  --  *  vlan2  0.0.0.0/0  0.0.0.0/0  policy match dir out pol none
 0    0 net2dmz  0  --  *  vlan2  0.0.0.0/0  10.0.1.9   policy match dir out pol ipsec
-------------------- 8< --------------------
... i.e. it adds "policy match dir out pol ipsec" matches to all xxx2dmz calls
for that host. This won't work because there is no ipsec policy for the dmz zone.
(Only for zone int to zone vpn and back.)

I think I'd need some way to change the "policy match dir out pol ipsec" matches
that are currently attached to all calls to dmz2vpn to "policy match dir out pol none".

Cheers,
--leo
--
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
On 09/05/2012 05:22 AM, Alexander 'Leo' Bergolth wrote:
> On 09/04/2012 05:54 PM, Tom Eastep wrote:
>> On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote:
>>> I have a shorewall firewall that connects two private subnets via ipsec
>>> and also has a dmz.
>>>
>>>      private net                                   private remote net
>>>      Zone: int                                     Zone: vpn
>>>      10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>>>                     /     \ - - ipsec - - /
>>>                    /
>>>                  DMZ
>>>               1.2.3.0/24
>>>
>>> Connecting the two subnets works fine. There are ipsec policies that
>>> match my two private subnets.
>>>
>>> However, I'd like to make a single exception and allow one host in the
>>> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
>>> like to use SNAT to map its address to an address in the internal net.
>>>
>>> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
>>> masq in order to make the SNAT filter work:
>>> -------------------- 8< --------------------
>>> outgoing
>>> INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
>>> eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
>>> -------------------- 8< --------------------
>>>
>>> (This includes a "policy match dir out pol none" filter, which matches
>>> the packets from my DMZ host when they first pass the POSTROUTING chain,
>>> before they are rewritten using SNAT.)
>>>
>>> Unfortunately the other shorewall policies and rules still won't work
>>> because the calls to the dmz2vpn chains also include "policy match dir
>>> out pol ipsec", which won't match because there is no security policy
>>> for the DMZ.
>>>
>>> Do you have any hints how to solve this?
>>
>> Try adding this to /etc/shorewall/hosts:
>>
>> dmz ethX:10.0.1.9 ipsec
>
> I think this does the opposite of what I want.
>
> It adds entries like:
> -------------------- 8< --------------------
> 21 1617 net2dmz  0  --  *  vlan2  0.0.0.0/0  0.0.0.0/0  policy match dir out pol none
>  0    0 net2dmz  0  --  *  vlan2  0.0.0.0/0  10.0.1.9   policy match dir out pol ipsec
> -------------------- 8< --------------------
> ... i.e. it adds "policy match dir out pol ipsec" matches to all xxx2dmz calls
> for that host. This won't work because there is no ipsec policy for the dmz zone.
> (Only for zone int to zone vpn and back.)
>
> I think I'd need some way to change the "policy match dir out pol ipsec" matches
> that are currently attached to all calls to dmz2vpn to "policy match dir out pol none".

The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's
probably a dns->net request. So you may need something like:

DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP>

if you don't currently allow dmz->net DNS requests.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/05/2012 04:45 PM, Tom Eastep wrote:
> On 09/05/2012 05:22 AM, Alexander 'Leo' Bergolth wrote:
>> On 09/04/2012 05:54 PM, Tom Eastep wrote:
>>> On 09/04/2012 05:56 AM, Alexander 'Leo' Bergolth wrote:
>>>> I have a shorewall firewall that connects two private subnets via ipsec
>>>> and also has a dmz.
>>>>
>>>>      private net                                   private remote net
>>>>      Zone: int                                     Zone: vpn
>>>>      10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>>>>                     /     \ - - ipsec - - /
>>>>                    /
>>>>                  DMZ
>>>>               1.2.3.0/24
>>>>
>>>> Connecting the two subnets works fine. There are ipsec policies that
>>>> match my two private subnets.
>>>>
>>>> However, I'd like to make a single exception and allow one host in the
>>>> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
>>>> like to use SNAT to map its address to an address in the internal net.
>>>>
>>>> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
>>>> masq in order to make the SNAT filter work:
>>>> -------------------- 8< --------------------
>>>> outgoing
>>>> INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
>>>> eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
>>>> -------------------- 8< --------------------
>>>>
>>>> (This includes a "policy match dir out pol none" filter, which matches
>>>> the packets from my DMZ host when they first pass the POSTROUTING chain,
>>>> before they are rewritten using SNAT.)
>>>>
>>>> Unfortunately the other shorewall policies and rules still won't work
>>>> because the calls to the dmz2vpn chains also include "policy match dir
>>>> out pol ipsec", which won't match because there is no security policy
>>>> for the DMZ.
>>>>
>>>> Do you have any hints how to solve this?
>>>
>>> Try adding this to /etc/shorewall/hosts:
>>>
>>> dmz ethX:10.0.1.9 ipsec
>>
>> I think this does the opposite of what I want.
>>
>> It adds entries like:
>> -------------------- 8< --------------------
>> 21 1617 net2dmz  0  --  *  vlan2  0.0.0.0/0  0.0.0.0/0  policy match dir out pol none
>>  0    0 net2dmz  0  --  *  vlan2  0.0.0.0/0  10.0.1.9   policy match dir out pol ipsec
>> -------------------- 8< --------------------
>> ... i.e. it adds "policy match dir out pol ipsec" matches to all xxx2dmz calls
>> for that host. This won't work because there is no ipsec policy for the dmz zone.
>> (Only for zone int to zone vpn and back.)
>>
>> I think I'd need some way to change the "policy match dir out pol ipsec" matches
>> that are currently attached to all calls to dmz2vpn to "policy match dir out pol none".
>
> The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's
> probably a dns->net request. So you may need something like:
>
> DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP>
>
> if you don't currently allow dmz->net DNS requests.

Yes, it's a dmz2net request and that's the problem.

The dmz2net policy is too permissive (it allows everything) and
shouldn't be applied to that request.

I can, of course, explicitly deny everything but DNS requests for that
host to the vpn per separate rule but that looks quite dangerous and
error-prone.

I think the problem is that when the "policy match dir out pol ipsec"
rules are generated, only the destination zone is checked for an IPSEC
mark. And when the "policy match dir in pol ipsec" rules are generated,
only the source zone is checked for IPSEC.
But in reality the ipsec security policies are applied to src-dst-pairs
and there is currently no way to configure those src-dst-pairs in
shorewall. So the dmz2vpn (and of course the net2vpn) policies can never
match.

Cheers,
--leo
--
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
On 9/5/12 12:31 PM, Alexander 'Leo' Bergolth wrote:
>>
>> The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's
>> probably a dns->net request. So you may need something like:
>>
>> DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP>
>>
>> if you don't currently allow dmz->net DNS requests.
>
> Yes, it's a dmz2net request and that's the problem.
>
> The dmz2net policy is too permissive (it allows everything) and
> shouldn't be applied to that request.
>
> I can, of course, explicitly deny everything but DNS requests for that
> host to the vpn per separate rule but that looks quite dangerous and
> error-prone.
>
> I think the problem is that when the "policy match dir out pol ipsec"
> rules are generated, only the destination zone is checked for an IPSEC
> mark. And when the "policy match dir in pol ipsec" rules are generated,
> only the source zone is checked for IPSEC.
> But in reality the ipsec security policies are applied to src-dst-pairs
> and there is currently no way to configure those src-dst-pairs in
> shorewall. So the dmz2vpn (and of course the net2vpn) policies can never
> match.

I'm not going to require people to duplicate their IPSEC configuration
in the Shorewall configuration. If those policies can never match, then
you can specify NONE in /etc/shorewall/policy.

And if you really want 1.2.3.4 to use the tunnel, then you can make that
happen by adding two additional IPSEC policies.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/05/2012 11:44 PM, Tom Eastep wrote:
> On 9/5/12 12:31 PM, Alexander 'Leo' Bergolth wrote:
>>> The original DNS request from 1.2.3.4 isn't a dmz->vpn request; it's
>>> probably a dns->net request. So you may need something like:
>>>
>>> DNS(ACCEPT) dmz:1.2.3.4 net:<DNS Server IP>
>>>
>>> if you don't currently allow dmz->net DNS requests.
>>
>> Yes, it's a dmz2net request and that's the problem.
>>
>> The dmz2net policy is too permissive (it allows everything) and
>> shouldn't be applied to that request.
>>
>> I can, of course, explicitly deny everything but DNS requests for that
>> host to the vpn per separate rule but that looks quite dangerous and
>> error-prone.
>>
>> I think the problem is that when the "policy match dir out pol ipsec"
>> rules are generated, only the destination zone is checked for an IPSEC
>> mark. And when the "policy match dir in pol ipsec" rules are generated,
>> only the source zone is checked for IPSEC.
>> But in reality the ipsec security policies are applied to src-dst-pairs
>> and there is currently no way to configure those src-dst-pairs in
>> shorewall. So the dmz2vpn (and of course the net2vpn) policies can never
>> match.
>
> I'm not going to require people to duplicate their IPSEC configuration
> in the Shorewall configuration.

Hmm. Maybe only an option to omit the ipsec matches would be sufficient?

But I'll simply use a custom action as a workaround and put my exceptions
in there and call it like that:

DMZ2VPN dmz net:$VPN_NETS

> If those policies can never match, then
> you can specify NONE in /etc/shorewall/policy.

OK. Thanks.

> And if you really want 1.2.3.4 to use the tunnel, then you can make that
> happen by adding two additional IPSEC policies.

Of course. But in my setup it will actually use the tunnel. First 1.2.3.4
traverses the chains using the vpn2net shorewall policies and rules.
Then it will be SNAT'ed to 10.0.1.9 and after that, the "normal" ipsec
security policies for int to vpn will be applied and the chains will be
traversed a second time. (I guess this time the int2vpn policies and
rules will be applied.)

Cheers,
--leo
--
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
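The mismatch the thread turns on, a zone-based "policy match ... pol ipsec" evaluated against a packet whose source has not yet been SNAT'ed while the kernel's IPsec policies are keyed on src/dst pairs, modelled as an added example (not code from the thread or from Shorewall). The SP table, the zone layout and the DNS server address 10.0.2.53 (a constructed stand-in for `<DNS Server IP>`) are assumptions taken from the thread's addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed IPsec security policies (SPs) for the thread's setup: only the
# int<->vpn pair is protected; no SP covers the DMZ net 1.2.3.0/24.
SPD = [
    ("out", ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")),
    ("in", ip_network("10.0.2.0/24"), ip_network("10.0.1.0/24")),
]

def sp_lookup(direction, src, dst):
    """Kernel-style SP lookup: the answer depends on the src/dst PAIR."""
    src, dst = ip_address(src), ip_address(dst)
    for sp_dir, s_net, d_net in SPD:
        if sp_dir == direction and src in s_net and dst in d_net:
            return "ipsec"
    return "none"

# Source zones, and the destination zones on the internet interface in the
# order the generated chain tests them: 'vpn' is defined with the ipsec
# option, so its jump carries 'policy match dir out pol ipsec'; the
# catch-all 'net' zone carries no policy match at all.
SRC_ZONES = {"int": ip_network("10.0.1.0/24"), "dmz": ip_network("1.2.3.0/24")}
DST_ZONES = [
    ("vpn", ip_network("10.0.2.0/24"), "ipsec"),
    ("net", ip_network("0.0.0.0/0"), None),
]

def forward_chain(src, dst):
    """Return the srcZone2dstZone chain a forwarded packet jumps to; the
    'pol' match is evaluated against the packet's CURRENT source address."""
    src_zone = next(z for z, net in SRC_ZONES.items() if ip_address(src) in net)
    pol = sp_lookup("out", src, dst)
    for dst_zone, net, required in DST_ZONES:
        if ip_address(dst) in net and (required is None or pol == required):
            return f"{src_zone}2{dst_zone}"
    raise LookupError("no destination zone")

def masq_rule(src, dst, snat_to="10.0.1.9"):
    """The thread's masq entry with IPSEC=no: SNAT 1.2.3.4 only while the
    packet has no SP ('policy match dir out pol none')."""
    if ip_address(src) == ip_address("1.2.3.4") and sp_lookup("out", src, dst) == "none":
        return snat_to
    return src

def trace(src, dst):
    """Follow one DNS query from the DMZ host: FORWARD jump, POSTROUTING
    SNAT, then the SP lookup redone on the rewritten pair (why the
    SNAT'ed packet is tunnelled although dmz2vpn was never entered)."""
    chain = forward_chain(src, dst)
    nat_src = masq_rule(src, dst)
    return chain, nat_src, sp_lookup("out", nat_src, dst)

if __name__ == "__main__":
    print(trace("1.2.3.4", "10.0.2.53"))  # ('dmz2net', '10.0.1.9', 'ipsec')
```

The trace shows the request being handled by the permissive dmz2net policy rather than dmz2vpn, which is exactly why the exception has to be expressed per host (the DNS(ACCEPT) rule or the custom action above) rather than relying on the dmz2vpn chain.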