Paul Gear | 31 Jan 03:59 2007

Re: Factorize/include params file

Tom Eastep wrote:
> Tristan DEFERT wrote:
>> Hi list,
>> I manage several shorewall firewalls with rules common between them.
>> I wrote a script for synching rules between them, on a dedicated
>> network interface.
> ...
> http://www.shorewall.net/configuration_file_basics.htm#INCLUDE

Another option might be my shoregen script:
http://shorewall.svn.sourceforge.net/viewvc/shorewall/trunk/contrib/shoregen/

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Providers of on-line music services (such as iTunes)
intentionally cripple their software to make sure you keep buying from
them.  Find out more: http://defectivebydesign.org/


jon | 31 Jan 20:50 2007

Single Site Being Rejected

Hi All,

Ran across a weird one today that I can't wrap my head around.

This is a pretty standard two-NIC setup with eth0 being the WAN and eth1 
being LAN-side. A workstation on the LAN side (10.0.50.144 assigned by 
DHCP) cannot go to a particular website at 161.184.172.35. This 
workstation can surf to any other website I can think of, and pings to 
the troublesome website return the proper IP address. Shorewall rejects 
requests to go to that website under the all2all policy:

Jan 31 12:37:15 d205-206-104-186 kernel: 
Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144 
DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF 
PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

I've attached my status file gzipped as indicated.

I didn't build this box so "totally out there" postulations are welcome 
and I will investigate them all.

Thanks!

Jon

-- 
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837


Tom Eastep | 31 Jan 21:04 2007

Re: Single Site Being Rejected

jon wrote:
> Hi All,
> 
> Ran across a weird one today that I can't wrap my head around.
> 
> This is a pretty standard two-NIC setup with eth0 being the WAN and eth1
> being LAN-side. A workstation on the LAN side (10.0.50.144 assigned by
> DHCP) cannot go to a particular website at 161.184.172.35. This
> workstation can surf to any other website I can think of, and pings to
> the troublesome website return the proper IP address. Shorewall rejects
> requests to go to that website under the all2all policy:
> 
> Jan 31 12:37:15 d205-206-104-186 kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144
> DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF
> PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> 
> I've attached my status file gzipped as indicated.
> 
> I didn't build this box so "totally out there" postulations are welcome
> and I will investigate them all.
>

The destination host (161.184.172.35) is defined to be in the 'admin'
zone and loc->admin connections are disallowed by your configuration.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
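The log line Jon posted names the chain (all2all) and the verdict, but not the zone pair, which is why Tom had to look at the zone definitions to explain it. The following is an added example, not code from the thread or from Shorewall itself: it parses a Shorewall kernel log line into its fields and then resolves the source and destination zones from a constructed zone layout that mirrors Tom's diagnosis (interface eth1 in loc, eth0 in net, and a host-specific 'admin' zone for 161.184.172.35 on eth0, which takes precedence over the interface zone). The zone tables are assumptions built for this illustration; the log line is the one from Jon's post joined back onto a single line.

```python
import re
import ipaddress

# Shorewall kernel log format: "Shorewall:<chain>:<disposition>:KEY=VAL KEY=VAL FLAG ..."
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)")

def parse_shorewall_log(line):
    """Parse one Shorewall kernel log line into chain, disposition and KEY=VAL fields.

    Bare tokens such as DF or SYN (no '=') are recorded as boolean flags.
    Returns None if the line is not a Shorewall log entry.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields[token] = True
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), **fields}

# Constructed zone layout (assumption modelled on Tom's diagnosis, not Jon's real config):
# interface-wide zones, plus a host-specific entry on eth0 that is narrower than 'net'.
INTERFACE_ZONES = {"eth1": "loc", "eth0": "net"}
HOST_ZONES = [("eth0", ipaddress.ip_network("161.184.172.35/32"), "admin")]

def resolve_zone(interface, address):
    """Host-specific zone entries take precedence over the interface's general zone."""
    ip = ipaddress.ip_address(address)
    for iface, network, zone in HOST_ZONES:
        if iface == interface and ip in network:
            return zone
    return INTERFACE_ZONES.get(interface, "unknown")

def explain_reject(line):
    """Combine the parsed log line with zone resolution to name the zone pair that was policed."""
    rec = parse_shorewall_log(line)
    if rec is None:
        return None
    src_zone = resolve_zone(rec["IN"], rec["SRC"])
    dst_zone = resolve_zone(rec["OUT"], rec["DST"])
    return {
        "chain": rec["chain"],
        "disposition": rec["disposition"],
        "zone_pair": f"{src_zone}->{dst_zone}",
        "src": rec["SRC"],
        "dst": rec["DST"],
        "proto": rec.get("PROTO"),
        "dport": rec.get("DPT"),
    }

# Jon's log line, joined back onto one line as the kernel actually emits it.
SAMPLE = ("Jan 31 12:37:15 d205-206-104-186 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 "
          "SRC=10.0.50.144 DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF "
          "PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    print(explain_reject(SAMPLE))
```

The chain name is the giveaway: all2all means no loc->admin policy was defined, so the catch-all policy applied. Any other destination on eth0 (say 192.0.2.1) resolves to loc->net under the same tables, which is why every other site worked.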

Brian J. Murrell | 31 Jan 21:24 2007

multi-isp and the MUST have masq entries

I'm just starting to experiment with multi-isp configuration and at the
part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:

        Regardless of whether you have masqueraded hosts or not, YOU
        MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:

        #INTERFACE       SUBNET            ADDRESS
        eth0             130.252.99.27     206.124.146.176
        eth1             206.124.146.176   130.252.99.27

If this is a MUST requirement for all multi-isp set ups, then can
shorewall not figure this out for itself and install it without the user
having to specify it?

Just trying to reduce steps required to set this up in order to reduce
possible points of erroneous configuration.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

Tom Eastep | 31 Jan 22:12 2007

Re: multi-isp and the MUST have masq entries

Brian J. Murrell wrote:
> I'm just starting to experiment with multi-isp configuration and at the
> part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
> 
>         Regardless of whether you have masqueraded hosts or not, YOU
>         MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
>         
>         #INTERFACE       SUBNET            ADDRESS
>         eth0             130.252.99.27     206.124.146.176
>         eth1             206.124.146.176   130.252.99.27
> 
> If this is a MUST requirement for all multi-isp set ups, then can
> shorewall not figure this out for itself and install it without the user
> having to specify it?

Not really.

a) Shorewall couldn't determine where to put them in the masq file and the
file is order-sensitive.

b) Shorewall could redundantly add them, not realizing that the same traffic
is adequately covered by other masq rules such as:

	eth0	0.0.0.0/0	206.124.146.177 #The different ADDRESS is
                                                #intentional

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
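Tom's two points (the masq file is order-sensitive, and a broader earlier entry may already cover the traffic with a different ADDRESS) are easy to check mechanically. The following is an added example, not code from the thread or from Shorewall: it parses masq-style lines (INTERFACE SUBNET ADDRESS), applies first-match semantics to a given outgoing interface and source address, reports entries that an earlier entry on the same interface shadows, and checks whether the MultiISP requirement is met for each interface by either route. The two sample masq files are constructed from the addresses in the quoted documentation; the interface-to-address map is an assumption for the illustration.

```python
import ipaddress

def parse_masq(text):
    """Parse /etc/shorewall/masq style lines into (interface, subnet, address) tuples.

    Comments and blank lines are skipped; file order is preserved because
    Shorewall emits the entries in order and the first matching one wins.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed masq line: {raw!r}")
        iface, subnet, address = parts[:3]
        entries.append((iface,
                        ipaddress.ip_network(subnet, strict=False),  # bare host -> /32
                        ipaddress.ip_address(address)))
    return entries

def snat_for(entries, out_iface, src):
    """Return (index, new_source) for the first entry matching traffic leaving
    out_iface with source src, or None when nothing rewrites it."""
    ip = ipaddress.ip_address(src)
    for i, (iface, subnet, address) in enumerate(entries):
        if iface == out_iface and ip in subnet:
            return i, str(address)
    return None

def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry on the
    same interface already covers their whole subnet (Tom's point b)."""
    shadowed = []
    for i, (iface, subnet, _) in enumerate(entries):
        for earlier_iface, earlier_subnet, _ in entries[:i]:
            if earlier_iface == iface and subnet.subnet_of(earlier_subnet):
                shadowed.append(i)
                break
    return shadowed

def multi_isp_coverage(entries, iface_addrs):
    """For every interface, check that a locally generated packet carrying another
    interface's address is rewritten when it leaves this interface. The result maps
    (out_iface, stray_source) to the address it is rewritten to, or None if uncovered."""
    coverage = {}
    for out_iface in iface_addrs:
        for other_iface, other_addr in iface_addrs.items():
            if other_iface == out_iface:
                continue
            match = snat_for(entries, out_iface, other_addr)
            coverage[(out_iface, other_addr)] = match[1] if match else None
    return coverage

# Assumed interface addresses, taken from the quoted MultiISP example.
IFACE_ADDRS = {"eth0": "206.124.146.176", "eth1": "130.252.99.27"}

# Constructed masq file 1: exactly the two entries the documentation requires.
MASQ_EXPLICIT = """#INTERFACE       SUBNET            ADDRESS
eth0             130.252.99.27     206.124.146.176
eth1             206.124.146.176   130.252.99.27
"""

# Constructed masq file 2: a broad eth0 rule placed first, as in Tom's example.
MASQ_BROAD_FIRST = """eth0   0.0.0.0/0         206.124.146.177   # different ADDRESS is intentional
eth0   130.252.99.27     206.124.146.176   # never reached: shadowed by the line above
eth1   206.124.146.176   130.252.99.27
"""

if __name__ == "__main__":
    for name, text in (("explicit", MASQ_EXPLICIT), ("broad-first", MASQ_BROAD_FIRST)):
        entries = parse_masq(text)
        print(name, multi_isp_coverage(entries, IFACE_ADDRS), "shadowed:", shadowed_entries(entries))
```

In the second file the requirement is still satisfied (the stray eth1 address leaving eth0 is rewritten, just to .177 instead of .176), while the explicit eth0 entry is dead; that is the situation a blind "always add these two lines" step could not tell apart from a genuinely missing rule.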

Bryan Vukich | 31 Jan 22:14 2007

Re: multi-isp and the MUST have masq entries

Shorewall isn't psychic.

In the absolute simplest circumstances, yes a script could figure out
what you probably want based on how your interfaces are configured.

But those are trivial to set up anyhow.

What if you have multiple subnets on your local network?  What if you
have multiple IP addresses on your Internet facing interfaces?  There is
no way a script could accurately guess what you want in those
situations.

Thank you,

Bryan Vukich

On Wed, 2007-01-31 at 15:24 -0500, Brian J. Murrell wrote:
> I'm just starting to experiment with multi-isp configuration and at the
> part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
> 
>         Regardless of whether you have masqueraded hosts or not, YOU
>         MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
>         
>         #INTERFACE       SUBNET            ADDRESS
>         eth0             130.252.99.27     206.124.146.176
>         eth1             206.124.146.176   130.252.99.27
> 
> If this is a MUST requirement for all multi-isp set ups, then can
> shorewall not figure this out for itself and install it without the user
> having to specify it?

Brian J. Murrell | 31 Jan 22:35 2007

Re: multi-isp and the MUST have masq entries

On Wed, 2007-01-31 at 13:12 -0800, Tom Eastep wrote: 
> Brian J. Murrell wrote:
> > I'm just starting to experiment with multi-isp configuration and at the
> > part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
> > 
> >         Regardless of whether you have masqueraded hosts or not, YOU
> >         MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
> >         
> >         #INTERFACE       SUBNET            ADDRESS
> >         eth0             130.252.99.27     206.124.146.176
> >         eth1             206.124.146.176   130.252.99.27
> > 
> > If this is a MUST requirement for all multi-isp set ups, then can
> > shorewall not figure this out for itself and install it without the user
> > having to specify it?
> 
> Not really.
> 
> a) Shorewall couldn't determine where to put them in the masq file and the
> file is order-sensitive.

OK.  That brings up a question then: where should they go normally?  It
seems that they are just a safety check that a locally generated packet
has the right source address for the interface it's bound for.  Does
order really matter in this case?

Given the configuration at hand at
http://www.shorewall.net/MultiISP.html:

#INTERFACE SUBNET ADDRESS 