<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.comp.security.shorewall">
    <title>gmane.comp.security.shorewall</title>
    <link>http://blog.gmane.org/gmane.comp.security.shorewall</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21049"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21044"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21032"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21028"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21022"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21020"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21013"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21010"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21007"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21005"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21001"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20995"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20989"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20975"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20974"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20961"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20956"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20942"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20930"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20927"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21049">
    <title>Error starting shorewall with Multi ISP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21049</link>
    <description>Hello, I have configured a Multi ISP recently but it didn't start; it 
showed me the error:

ERROR: Unable to determine the MAC address of 192.168.22.254 through interface eth0

ip addr show output:
inet 192.168.21.219/24 brd 192.168.21.255 scope global eth0 (real Ip)
inet 192.168.22.220/24 brd 192.168.22.255 scope global eth0 (Virtual Ip)
inet 192.168.21.220/24 brd 192.168.21.255 scope global secondary eth0 (Virtual Ip)

configuration:
ISP1    2       2       main            eth0:192.168.21.220             192.168.21.254  track           lan,lan2
ISP2    3       3       main            eth0:192.168.22.220             192.168.22.254  track           lan,lan2

The first provider is installed OK.

What could be the error?

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK &amp; win great prizes
Grand prize is a trip for two to an Open Source event anywh</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-12-01T08:30:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21044">
    <title>lo</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21044</link>
    <description>Found an error I didn't expect on bind starting.

"command channel listening on 127.0.0.1#953"

So....  I should be setting up an interface for 'lo' as well?
Haven't found anyone mentioning the lo interface.  I just assumed that 
lo would have been given a default ACCEPT policy.

Just checking before I start trying to configure all this into the files.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T15:10:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21032">
    <title>logging</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21032</link>
    <description>OK, I got the note about using the policy "redundancy" to separate the 
logging rules.


Making great progress.  Shorewall is relatively intuitive if you are 
familiar with the whole iptables thing.  But it has been a few years 
since I wrote my own firewalls.


'nuther question:

I have this:
Nov 29 19:38:01 voyager kernel: Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:19:e3:d6:1c:50:08:00 SRC=192.168.1.102 DST=224.0.0.251 LEN=118 TOS=0x18 PREC=0x00 TTL=255 ID=51329 PROTO=UDP SPT=5353 DPT=5353 LEN=98
Nov 29 19:38:01 voyager kernel: Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:19:e3:d6:1c:50:08:00 SRC=192.168.1.102 DST=224.0.0.251 LEN=118 TOS=0x18 PREC=0x00 TTL=255 ID=51329 PROTO=UDP SPT=5353 DPT=5353 LEN=98


From what I can figure out this is a macbook that is sending out some 
kind of Multicast DNS.  Never heard of it.  It's not handled by the DNS 
macro.  I guess this is part of Bonjour (which I'm liking less and less 
all the time -- why must they reinvent eve</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T01:00:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21028">
    <title>policy question</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21028</link>
    <description>Isn't the following redundant:

net            $FW             DROP            info
net            loc             DROP            info
net             all             DROP            info


in that the last rule (net all) will DROP everything and therefore the 
only additional input for this interaction would be under rules.

similarly

loc   net  ACCEPT
loc   $FW  REJECT
loc   all  REJECT

doesn't require the "loc  $FW  REJECT" line for the same reasons.

True?

Another question:
I initially tried setting up my interfaces such that:

net   eth1  detect  dhcp...
loc   eth0  detect  dhcp...

but no DHCP entry in rules.  I got a lot of blocked UDP port 53 traffic.
Where does the dhcp option come in (with the manpage instruction to 
include this) and how does that fit in with the DHCP rule?  Do they both 
need to be present?  redundant?  Or is there something else in the 
background?

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-29T23:18:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21022">
    <title>Shorewall Shell 4.2.2 vs Shorewall Perl 4.2.2</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21022</link>
    <description>Hello again,

testing my config files to do a change from Shorewall shell 4.0 to 
Shorewall Perl 4.2.2 (because I need the feature of ISPs sharing an 
interface). In my first tests I saw some problems with my old 
shorewall.conf but now all is OK.

My problem is the following; I tested the following:

shorewall try -C perl . -&gt; All works OK.

shorewall try -C shell . -&gt; The following error output is shown:

Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ERROR: Invalid TARGET in rule "COMMENT Needed ICMP types    "
/sbin/shorewall: line 384: 16011 Terminado               $command $SHOREWALL_SHELL $sc $@

What could be the reason? I only installed shorewall-common and 
shorewall-perl; could this be the reason?

With shorewall perl all is running very fast and the log on the screen 
is very small compared with shorewall shell 4.0; is this normal?

Thank you!

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-11-28T10:23:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21020">
    <title>Multi-ISP,4 routers sharing one ethernet interface</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21020</link>
    <description>Hello,

I want to do a configuration with 5 ISPs, 4 of them sharing one ethernet 
interface. I am using Debian; is there any package in Debian with this 
functionality?
If not, which version do I need? In the docs you say shorewall-perl 
4.1.2 but I can only download the 4.2 tree; is it OK to do what I want?

Thank you!

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-11-27T15:46:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21013">
    <title>DHCP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21013</link>
    <description>Hello,

I'm trying to get a Shorewall installation on Debian and am running into 
some problems that are actually related to DHCP, or at least that's my 
theory.  I'm writing to this list in hopes that enough people have 
already been through this that they know an answer.

The problem I have is that the DHCP server doesn't know what interface 
to listen to and, more importantly, not to listen to.  The problem I 
have is that on the one subnet I have two DHCP servers in violent 
contention with each other and typically within minutes my entire 
network is fubar.  What's worse is this new DHCP server is much faster 
at responding.

Because of the rather nasty effect it has on the subnet, testing is very 
limited this time of year as term papers come due and email, web, and 
printers are of absolute importance.

I think there is a way to configure this under the dhcp server 
configuration but I'm curious what the shorewall people have to say 
about this one.

Also, there is a lot of martian traffic.  But I won't r</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-26T23:22:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21010">
    <title>shorewall newbie Revisit: new IP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21010</link>
    <description>Hi There,

Reworking my earlier question, also including the result from '/sbin/shorewall dump', which is attached as 'status.txt', and I am sorry for not making it a gzip

As suggested, and as I am still a newbie here, I changed the IP for eth0 and eth1, but unfortunately, still the same result, but I hope to get some light this time


Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.4 connected to a router, act as gateway for other hosts
eth1 -&gt; 10.1.2.1 connected to wireless router
eth2 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip from TPG


Shorewall configuration

Interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    ppp0    -
loc    eth0    10.255.255.255
loc    eth1    10.255.255.255

Masq
#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
ppp0            eth1
ppp0            eth0

Policy
all        all        ACCEPT

Zones
fw    firewall
net    ipv4
loc    ipv4




~# shorewall check

Checking...
Initializing</description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-25T19:27:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21007">
    <title>shorewall newbie Revisit: new IP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21007</link>
    <description>Hi There,

Reworking my earlier question, also including the
result from '/sbin/shorewall dump', which is attached as 'status.txt', and I
am sorry for not making it a gzip

As suggested, and as I am
still a newbie here, I changed the IP for eth0 and eth1, but
unfortunately, still the same result, but I hope to get some light this time
I did not attach the dump result, as it delays this message being added
On Policy, I simply put "ALL ALL ACCEPT" just for starters; getting this shorewall working is my priority

I am using eth0 and connect from another host (e.g. 10.1.1.5, winXp) and set the gateway and DNS as 10.1.1.4
No connection, only able to ping 10.1.1.4 ....



Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.4 connected to a router, act as gateway for other hosts
eth1 -&gt; 10.1.2.1 connected to wireless router, not connected at the moment, just trying to get wired connection working
eth2 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip f</description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-26T06:18:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21005">
    <title>shorewall newbie Revisit</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21005</link>
    <description>Hi There,

Reworking my earlier question, also including the result from '/sbin/shorewall dump', which is attached as 'status.txt', and I am sorry for not making it a gzip

I will also repeat the earlier post for a better understanding of my question (hey, I am looking for the answers.....)


Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.1 connected to a router, act as gateway for other hosts
eth1 -&gt; 10.1.1.4 connected to wireless router
eth2 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip from TPG


Shorewall configuration

Interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    ppp0    detect    routefilter
loc    eth0    10.1.1.255
loc    eth1    10.1.1.255

Masq
#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
ppp0            eth1
ppp0            eth0

Policy
$FW        net        ACCEPT
$FW        loc        ACCEPT
net        $FW        ACCEPT
net        loc        ACCEPT
loc        $FW        ACCEPT
loc    </description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-25T02:22:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21001">
    <title>shorewall newbie</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21001</link>
    <description>
Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip from TPG
eth1 -&gt; 10.1.1.1 connected to a router, act as gateway for other hosts
eth2 -&gt; 10.1.1.4 connected to wireless router


Problem 1

Ignoring the use of eth1, I install Debian with eth2 plugged

When I'm using eth2, I can log in to my box (using webmin) to configure the Debian either using 10.1.1.1 or 10.1.1.4 address, I can ping other hosts (e.g. 10.1.1.5). But when I use eth2, I can't ping or do anything, the ping result from Debian: From 10.1.1.4 Host Unreachable

What mistake did I make? Why can't I use eth1 connected with other hosts?


Problem 2

PPPoE is up and running, I can ping any web address from Debian (e.g. www.yahoo.com)
But I'm not able to make other hosts (e.g. 10.1.1.5) connect to the internet via the gateway on eth1 or eth2

Again, ignoring the use of eth2 and I can configure eth1 to talk with other hosts, how I can make Shorewall working to share </description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-24T20:06:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20995">
    <title>Help - I need to allow my normal user for use Shorewall, how?</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20995</link>
    <description>Hi, I would like to use shorewall commands with sudo, but I don't know
how to change /etc/sudoers/ to allow it.

What could I change?

Thank you very much, I appreciate your help.


</description>
    <dc:creator>Manuel Gomez</dc:creator>
    <dc:date>2008-11-23T23:52:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20989">
    <title>SNAT/masquerade + overs rulez</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20989</link>
    <description>Hi all,

I have trouble adding SNAT/masquerade in work configuration (it's
an OpenVZ hardware node).
In the near future, I want to add traffic shaping for VZ containers and
physical hosts, and write a how-to about this.

it's 2 external links with NAT:

eth0      Link encap:Ethernet  HWaddr 00:80:48:48:22:5F
          inet addr:xxx.xxx.xxx Bcast:255.255.255.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:0C:76:E4:75:14
          inet addr:10.0.5.10  Bcast:10.0.5.255  Mask:255.255.255.0

eth1 is internal and external link (on next hop, is DSL router with ip 10.0.5.1)

========interfaces=============
#ZONE   INTERFACE       BROADCAST       OPTIONSnet
loci    eth1             detect
venet   venet0              -           routeback
akado   eth0             detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
==========================

=========providers=============
# Shorewall version 4 - Providers File
#################################################################################</description>
    <dc:creator>Galia Lisovskaya</dc:creator>
    <dc:date>2008-11-22T22:21:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20975">
    <title>add route</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20975</link>
    <description/>
    <dc:creator>Fabio Correa</dc:creator>
    <dc:date>2008-11-21T12:38:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20974">
    <title>Multi-ISP problem: cannot reach my FW from one of the ISP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20974</link>
    <description>Hi

I'm using Shorewall 3.4.8 (quite old I know) and I set up a multi-ISP 
configuration, and it works nice, I can route part of the traffic (to our 
production site) through one ISP and the rest of the traffic through the other 
ISP. I'm doing this using route_rules, something like this:

eth0                    1.1.1.1/24       ISP2            1002
lo                      1.1.1.1/24       ISP2            1003
eth0                    -                       ISP1         1005
lo                      -                       ISP1         1006

and this is what my providers look like
ISP1    1       1       main            eth1            172.10.1.1      track,balance           eth0

ISP2    2       2       main            eth2            10.0.0.1        track,balance           eth0

so assuming the IP are real :), if I try to connect to an IP of 1.1.1.1/24 I 
pass through ISP2, and if I try to connect to whatever public Internet IP it 
uses ISP1. Fine.

Now, the problem is that, even if  I open the icmp 8 for both pro</description>
    <dc:creator>Davide Ferrari</dc:creator>
    <dc:date>2008-11-21T10:59:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20961">
    <title>Shorewall fails after CentOS update</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20961</link>
    <description/>
    <dc:creator>J and T</dc:creator>
    <dc:date>2008-11-20T19:23:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20956">
    <title>Feature request: Check UIDs/GIDs in shorewall check</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20956</link>
    <description/>
    <dc:creator>Brad</dc:creator>
    <dc:date>2008-11-20T04:27:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20942">
    <title>Partitioning fw into zones</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20942</link>
    <description>Hi,

I have a system with Linux VServers and the Hostsystem has different network interfaces (I virtualize servers from 3 different networks on this hostsystem [1]).

Now I (also) want to deny traffic from one VServer to another, i.e. from one interface to another. I can do this by filtering the "lo"-Interface with iptables with the specific local IP addresses.

But I want to do this with Shorewall and to "abstract" this process in terms of zones: I want one zone for each network and interface. The problem: Parts of the zones are on the firewall itself (zone "fw").

There is a hosts file where I can define nested zones consisting of single addresses...but this works NOT for the fw zone :-( :-(

Is there a possibility to partition the fw-zone into different (sub)zones?


Thank you,
Luke


[1] I know I should not do this anyway. But in this case it's OK for me because all of them are my private servers in different "zones"


</description>
    <dc:creator>Lukas Haase</dc:creator>
    <dc:date>2008-11-19T15:56:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20930">
    <title>SYN DoS</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20930</link>
    <description/>
    <dc:creator>Rodolfo Pilas</dc:creator>
    <dc:date>2008-11-18T15:42:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20927">
    <title>Proxyarp setup problem</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20927</link>
    <description/>
    <dc:creator>Michael Bernhard Arp Sørensen</dc:creator>
    <dc:date>2008-11-18T08:05:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/20923">
    <title>Misdirection of packets in wireless router</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/20923</link>
    <description>I'm new to shorewall or any ip-config/network type configuration, so I
apologize ahead for any mistakes in terms.

I've decided that I will turn an old desktop of mine into a wireless
router and torrent box. I installed shorewall and looked at the documentation
and the sample two-interface configuration. The wireless card is a madwifi
one (ath_pci) and I can connect to it and get an ip from it from dnsmasq. An
ethernet port gets the internet.

Now, when I wireless connect to my desktop router, I have complete access to
the local network. I can ping the box and ssh into it. The box gets internet
and can torrent (I made the suggested modifications from the guide).

However when I try to ping anything, say google.com, I get rejected and lines
like this in my log:


So something is misconfigured because it's looking in $FW for google. When I
change the policy line from:

to 

Suddenly the machine can get google's ip, but it still can't ping it. I don't
know what files would be important to post here, or what wo</description>
    <dc:creator>Simon Gomizelj</dc:creator>
    <dc:date>2008-11-17T19:56:15</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.security.shorewall">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.shorewall</link>
  </textinput>
</rdf:RDF>
