Tom Eastep | 1 Aug 01:32 2011

Re: Newb setup problem:


On Jul 31, 2011, at 11:14 AM, Andrew Silverman wrote:

> I figured out how to fix it the "right" way. :-)
> 
> There's a great walkthrough of analysis tools for SELinux audit logs and how to create new permissions policies from them here: http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072
> 
> After that, it was cookbook.  Had to do it once for Shorewall6, which worked on the first try, and then again for radvd - it was making some system call that its default policy wasn't covering for some reason.

It would be great if you would share exactly what you did so everyone who encounters this problem doesn't have to go through the learning curve that you did.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Got Input?   Slashdot Needs You.
Take our quick survey online.  Come on, we don't ask for help often.
Plus, you'll get a chance to win $100 to spend on ThinkGeek.
http://p.sf.net/sfu/slashdot-survey
Das | 1 Aug 01:35 2011

WARNING: Cannot set Martian logging on wlan0

Hi,

From what I read at Shorewall's docs:

http://www.shorewall.net/configuration_file_basics.htm

It's my understanding that when you receive this warning when you
start/restart Shorewall, this is because you have more than one adapter
listed in the interfaces file and, since it is not active, this is the
normal response from Shorewall. Is this correct?

If this is correct I noticed using kernel version 2.6.36.4 it does not
give me any such warnings, but with kernel 3.0 it does.

I'm not sure why from one kernel version to another you get the
message or you don't, as I'm not aware of any kernel
differences/options that should cause this behaviour. Why would this
happen this way?

THANKS

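As an added example (not from the post above and not Shorewall's own code), the script below mirrors the check behind that warning. Shorewall's generated firewall script enables Martian logging for an interface by writing the per-interface log_martians entry under /proc/sys/net/ipv4/conf/, and that entry exists only while the kernel knows the interface, so an interface listed with the logmartians option that is absent or not yet up when the firewall starts gets exactly this message. The PROC_ROOT argument, the build_sample function and the sample interfaces file are assumptions made so the check can be exercised against a constructed tree; the LOG_MARTIANS setting in shorewall.conf is not modelled.

```shell
#!/bin/sh
# Added example, not Shorewall's code: reproduce the check behind
# "WARNING: Cannot set Martian logging on <iface>". The per-interface
# /proc entry can only be written while the interface exists, so a
# listed interface that is absent or down cannot have log_martians set.
# PROC_ROOT is an assumption of this script (to test against a
# constructed tree); Shorewall itself always uses the real /proc.

# check_martians INTERFACES_FILE [PROC_ROOT]
#   Prints one line per interface carrying the logmartians option and
#   returns the number of interfaces whose log_martians could not be set.
check_martians() {
    interfaces_file=$1
    proc_root=${2:-}
    failed=0
    # Skip blank and comment lines; the interface is column 2 and the
    # option list is the last column in both the 3- and 4-column layouts.
    for iface in $(awk 'NF == 0 || $1 ~ /^#/ { next }
                        ("," $NF ",") ~ /,logmartians(=1)?,/ { print $2 }' \
                        "$interfaces_file"); do
        entry="$proc_root/proc/sys/net/ipv4/conf/$iface/log_martians"
        if [ -f "$entry" ]; then
            echo "ok: $iface (log_martians=$(cat "$entry"))"
        else
            echo "WARNING: Cannot set Martian logging on $iface"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# build_sample DIR: constructed interfaces file plus a fake /proc tree in
# which eth0 exists but wlan0 (also listed with logmartians) does not.
build_sample() {
    mkdir -p "$1/proc/sys/net/ipv4/conf/eth0"
    echo 0 > "$1/proc/sys/net/ipv4/conf/eth0/log_martians"
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,logmartians
net     wlan0       detect      logmartians,routefilter
loc     eth1        detect      -
EOF
}

# With no arguments run against the constructed sample; otherwise
# check_martians INTERFACES_FILE [PROC_ROOT] on the given files.
if [ $# -eq 0 ]; then
    sample=$(mktemp -d)
    build_sample "$sample"
    check_martians "$sample/interfaces" "$sample" || echo "$? interface(s) could not be set"
    rm -rf "$sample"
else
    check_martians "$1" "${2:-}"
fi
```

Against a live system, `sh martians.sh /etc/shorewall/interfaces` reports which listed interfaces lack the /proc entry at that moment; if wlan0 is missing there, `ip link show wlan0` at the time shorewall starts (rather than later, when the user is logged in) is the thing to compare between the two kernels.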
Andrew Silverman | 1 Aug 03:56 2011

Re: Newb setup problem:

Yeah, definitely, later tonight if I have a few minutes I'll write up the exact steps. I imagine once you have
the policy package you could probably install it automatically in future builds for distros with SELinux enabled.

Andy

On Jul 31, 2011, at 4:36 PM, "Tom Eastep" <teastep <at> shorewall.net> wrote:

> 
> On Jul 31, 2011, at 11:14 AM, Andrew Silverman wrote:
> 
>> I figured out how to fix it the "right" way. :-)
>> 
>> There's a great walkthrough of analysis tools for SELinux audit logs and how to create new permissions policies from them here: http://wiki.centos.org/HowTos/SELinux#head-aa437f65e1c7873cddbafd9e9a73bbf9d102c072
>> 
>> After that, it was cookbook.  Had to do it once for Shorewall6, which worked on the first try, and then again for radvd - it was making some system call that its default policy wasn't covering for some reason.
> 
> 
> It would be great if you would share exactly what you did so everyone who encounters this problem doesn't have to go through the learning curve that you did.
> 
> Thanks,
> -Tom
> 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 

Ryan Joiner | 1 Aug 05:56 2011

Re: Problem With OpenVPN Connectivity

On 7/30/2011 5:01 AM, Simon Matter wrote:
>>
>> This thread on OpenVPN has made me wonder if I have this setup correctly.
>> (I'm not exactly a shorewall-noobie,
>> but I find much of the shorewall talk difficult to follow.)
>>
>> I have a VPN zone:
>> ----------------------------------
>> vpn     ipv4
>> ----------------------------------
>> and a VPN interface
>> ----------------------------------
>> vpn     tun0    detect
>> ----------------------------------
>> and the following VPN rules
>> ----------------------------------
>> ACCEPT         vpn             loc              udp     1194 # OpenVPN
>> ACCEPT         loc              vpn             udp     1194 # OpenVPN
>> ACCEPT         vpn             $FW            udp     1194 # OpenVPN
>> ----------------------------------
>>
>> This seems to work OK.
>> But is it the correct/best way to set it up?
>>
>
> I'm not exactly sure what you are asking but did you read this?
>
> http://www.shorewall.net/OPENVPN.html
>
> Simon

Andrew Silverman | 1 Aug 18:40 2011

Re: Newb setup problem:

Ok, so here's the detailed version of the fix for getting shorewall6 running
at boot time on an SELinux machine.  (This is probably equally valid for
shorewall IPv4 too, but I'm using it only for IPv6 at the moment...)  This
is on a vanilla CentOS 6.0 setup.

The problem (restated):
- My IPv6 config requires running a few lines to set up the Hurricane
Electric 6in4 tunnel after NetworkManager brings up the interfaces, pretty
much straight out of the HE "example" configs, e.g. (addresses obscured for
obvious reasons)
    ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local xx.xx.xx.xx ttl 255
    ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
    ip addr add 2001:xxx:b:5fd::1/64 dev eth1
    ip route add ::/0 dev he-ipv6

These lines were added to /etc/rc.d/rc.local so that they would be run after
all the other init scripts are completed.  This gets the tunnel going and
assigns the proper static addresses and routes to the LAN side physical
interface and to the tunnel pseudo-interface.

Now the problem is that after those lines, I want to do:
    /sbin/shorewall6 start (to start the firewall)
    radvd (to start the router advertisement daemon.)

Looking in the boot logs, I could see that shorewall6 was failing to start
after trying to read the /etc/shorewall6/params file, and then radvd fails
to start because it sees IPv6 forwarding has not been enabled.  But running
them both from a su prompt worked fine.  I had a suspicion that this was
some sort of permissions problem as a result, but I'm really barely even a
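The post is cut off before the fix itself, so here is an added example of the workflow the linked CentOS page describes (this is not the poster's script and not Shorewall's code): turn AVC denials from the audit log into a minimal SELinux policy module source (.te) of the same shape audit2allow -M produces, so the rules that would be granted can be read before anything is installed. The sample AVC lines in sample_avc are constructed for the example; the contexts in them (initrc_t, user_home_t, radvd_t, sysctl_net_t) are illustrative and do not describe what was on the poster's machine.

```shell
#!/bin/sh
# Added example, not part of the original post or of Shorewall: build a
# minimal .te (policy module source) from AVC "denied" audit lines, the
# same shape audit2allow -M writes, so the grants can be reviewed first.

# avc_to_te MODULE_NAME  (audit lines on stdin, .te source on stdout)
# Pass 1 emits one "source_type target_type class perm" record per denied
# permission, de-duplicated and sorted so the output is deterministic.
# Pass 2 groups them into a require block and one allow rule per
# (source, target, class), in first-seen order.
avc_to_te() {
    awk '
        /avc: *denied/ {
            p = index($0, "{"); q = index($0, "}")
            perms = substr($0, p + 1, q - p - 1)
            match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
            split(s, sa, ":"); split(t, ta, ":")   # user:role:type:level
            n = split(perms, pa, " ")
            for (i = 1; i <= n; i++) print sa[3], ta[3], c, pa[i]
        }' | sort -u |
    awk -v name="$1" '
        !($1 in tseen) { tseen[$1]; tlist[++nt] = $1 }
        !($2 in tseen) { tseen[$2]; tlist[++nt] = $2 }
        !(($3, $4) in pseen) { pseen[$3, $4]; cperm[$3] = cperm[$3] " " $4 }
        !($3 in cseen) { cseen[$3]; clist[++nc] = $3 }
        {
            k = $1 " " $2 ":" $3
            if (!(k in rseen)) { rseen[k]; rlist[++nr] = k }
            rperm[k] = rperm[k] " " $4
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
            for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperm[clist[i]]
            printf "}\n\n"
            for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rlist[i], rperm[rlist[i]]
        }'
}

# sample_avc: constructed AVC lines in audit.log format (illustrative only;
# the file contexts are made up for the example).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1312214400.101:71): avc:  denied  { read open } for  pid=1201 comm="shorewall6" name="params" dev=dm-0 ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1312214400.102:72): avc:  denied  { getattr } for  pid=1201 comm="shorewall6" path="/etc/shorewall6/params" dev=dm-0 ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1312214400.250:73): avc:  denied  { write } for  pid=1240 comm="radvd" name="forwarding" dev=proc ino=9001 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
EOF
}

# No arguments: render the constructed sample. With a module name: read
# real audit lines from stdin, e.g.
#   ausearch -m avc -ts boot | sh avc2te.sh shorewall6_local > shorewall6_local.te
if [ $# -eq 0 ]; then
    sample_avc | avc_to_te shorewall6_local
else
    avc_to_te "$1"
fi
```

The .te becomes an installable module with `checkmodule -M -m -o shorewall6_local.mod shorewall6_local.te`, `semodule_package -o shorewall6_local.pp -m shorewall6_local.mod` and `semodule -i shorewall6_local.pp` (audit2allow -M does those three steps in one go). Read the require block before installing: a target type that does not belong under the path, such as user_home_t on a file in /etc as in the constructed sample, points to a mislabelled file that `restorecon -Rv /etc/shorewall6` fixes, and an allow rule for it would widen policy instead of repairing the label.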

Tom Eastep | 1 Aug 20:31 2011

Re: Newb setup problem:

On Mon, 2011-08-01 at 09:40 -0700, Andrew Silverman wrote:
> Ok, so here's the detailed version of the fix for getting shorewall6 running
> at boot time on an SELinux machine.  (This is probably equally valid for
> shorewall IPv4 too, but I'm using it only for IPv6 at the moment...)  This
> is on a vanilla CentOS 6.0 setup.

Thanks, Andy!
> 
> The problem (restated):
> - My IPv6 config requires running a few lines to set up the Hurricane
> Electric 6in4 tunnel after NetworkManager brings up the interfaces, pretty
> much straight out of the HE "example" configs, e.g. (addresses obscured for
> obvious reasons)
>     ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local xx.xx.xx.xx ttl 255
>     ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
>     ip addr add 2001:xxx:b:5fd::1/64 dev eth1
>     ip route add ::/0 dev he-ipv6
> 
> These lines were added to /etc/rc.d/rc.local so that they would be run after
> all the other init scripts are completed.  This gets the tunnel going and
> assigns the proper static addresses and routes to the LAN side physical
> interface and to the tunnel pseudo-interface.
> 
> Now the problem is that after those lines, I want to do:
>     /sbin/shorewall6 start (to start the firewall)
>     radvd (to start the router advertisement daemon.)
> 
> Looking in the boot logs, I could see that shorewall6 was failing to start
> after trying to read the /etc/shorewall6/params file, and then radvd fails

Andrew Silverman | 1 Aug 23:16 2011

Re: Newb setup problem:

Thanks for fixing my path typos. :-)

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: Monday, August 01, 2011 11:32 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Newb setup problem:

On Mon, 2011-08-01 at 09:40 -0700, Andrew Silverman wrote:
> Ok, so here's the detailed version of the fix for getting shorewall6 
> running at boot time on an SELinux machine.  (This is probably equally 
> valid for shorewall IPv4 too, but I'm using it only for IPv6 at the 
> moment...)  This is on a vanilla CentOS 6.0 setup.

Thanks, Andy!
> 
> The problem (restated):
> - My IPv6 config requires running a few lines to set up the Hurricane 
> Electric 6in4 tunnel after NetworkManager brings up the interfaces, 
> pretty much straight out of the HE "example" configs, e.g. (addresses 
> obscured for obvious reasons)
>     ip tunnel add he-ipv6 mode sit remote xx.xx.xx.xx local xx.xx.xx.xx ttl 255
>     ip addr add 2001:xxx:a:xxx::2/64 dev he-ipv6
>     ip addr add 2001:xxx:b:5fd::1/64 dev eth1
>     ip route add ::/0 dev he-ipv6
> 
> These lines were added to /etc/rc.d/rc.local so that they would be run 
> after all the other init scripts are completed.  This gets the tunnel 

Tom Eastep | 2 Aug 16:03 2011

Shorewall 4.4.22

We are pleased to announce that Shorewall 4.4.22 is now available for
download.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Under rare conditions, long port lists (>15 ports) could result in
    the following failure when optimization level 4 was enabled.

       Use of uninitialized value in numeric gt (>) 
       at /usr/share/shorewall/Shorewall/Chains.pm line 1264.

       ERROR: Internal error in
       Shorewall::Chains::decrement_reference_count at
       /usr/share/shorewall/Shorewall/Chains.pm line 1264

2)  All corrections included in Shorewall 4.4.21.1.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------


Tom Eastep | 2 Aug 18:37 2011

[PATCH] Nasty bug

A bug in recent versions of Shorewall can result in rules that are wider
in scope than intended. 

If a zone name begins with 'all', then rules referring to that zone are
incorrectly handled as if the keyword 'all' had been entered rather than
the zone name.

Shorewall releases affected are 4.4.13 - 4.4.22.

The attached patch applies to all of these releases.

a) Save the patch
b) As root, execute this command:

    patch /usr/share/shorewall/Shorewall/Rules.pm < ALL.patch

The patch will apply with an offset on releases prior to 4.4.22.

Example (4.4.13):

	patch /usr/share/shorewall/Shorewall/Rules.pm < ~/ALL.patch
	patching file /usr/share/shorewall/Shorewall/Rules.pm
	Hunk #1 succeeded at 1548 (offset -704 lines).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
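Added example, not part of the announcement and not the Shorewall code: a small audit that lists the zone names in a zones file that begin with "all", says whether a given Shorewall version falls in the affected range quoted above (4.4.13 through 4.4.22), and models the faulty comparison as a prefix test beside the exact match it should be. The attached patch is not reproduced in the post and the Perl in Rules.pm is not shown, so the prefix-test model is an assumption about the effect the announcement describes, not a copy of the bug; the sample zones file is constructed.

```shell
#!/bin/sh
# Added example, not Shorewall's code: find configurations exposed to the
# "zone name beginning with 'all'" bug announced for 4.4.13 - 4.4.22.

# Model of the effect described: a zone named e.g. "allhosts" is handled
# as the keyword "all", so the rule applies to every zone. The Perl in
# Rules.pm is not shown in the post; this prefix test is an assumption.
zone_is_all_buggy() { case $1 in all*) return 0 ;; esac; return 1; }
# What the check must be: only the exact keyword "all".
zone_is_all_fixed() { [ "$1" = all ]; }

# find_affected_zones ZONES_FILE: zone names from column 1 starting with
# "all" (the parent part of a "child:parent" entry is dropped).
find_affected_zones() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { sub(/:.*/, "", $1) }
         $1 ~ /^all/ { print $1 }' "$1"
}

# version_affected VERSION: true for 4.4.13 through 4.4.22 inclusive
# (4.4.21.1 counts as 4.4.21).
version_affected() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "${1:-}" = 4 ] && [ "${2:-}" = 4 ] &&
        [ "${3:-0}" -ge 13 ] && [ "${3:-0}" -le 22 ]
}

# demo: constructed zones file with one zone name that triggers the bug.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/zones" <<'EOF'
#ZONE       TYPE
fw          firewall
net         ipv4
allhosts    ipv4
loc         ipv4
EOF
    echo "zones misread as the keyword all: $(find_affected_zones "$dir/zones" | tr '\n' ' ')"
    for z in all allhosts loc; do
        printf '%-9s buggy=%s fixed=%s\n' "$z" \
            "$(zone_is_all_buggy "$z" && echo yes || echo no)" \
            "$(zone_is_all_fixed "$z" && echo yes || echo no)"
    done
    rm -rf "$dir"
}

# No arguments: run the demo. With a version string: report whether that
# release needs the patch, e.g. sh allzone.sh "$(shorewall version)".
if [ $# -eq 0 ]; then
    demo
elif version_affected "$1"; then
    echo "$1: affected, apply the patch or upgrade"
else
    echo "$1: not affected"
fi
```

Run `sh allzone.sh "$(shorewall version)"` and `find_affected_zones /etc/shorewall/zones` (same for /etc/shorewall6) on each firewall: only hosts where both the version is in range and a zone name starts with "all" have rules that are wider than written, and for those the safest sequence is patch, then `shorewall check`, then `shorewall restart`.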

Hill, John | 2 Aug 20:11 2011

Shorewall restore message

I promise I have read and searched and cannot find where I missed the boat. I know somewhere I failed to see what I need to do but I can’t find it.

Using 4.2.22 with patch.

I have 2 blacklists (nets and hosts), both have src,dst

--set option deprecated, please use --match-set

I get this 4 times every time I start or restore Shorewall.

I see the code written in the .iptables-restore-input file

What did I miss?

--john

John R. Hill

Director Of Technologies

812-314-8920 option #3

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
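Added example, not the poster's file and not Shorewall's code: the warning quoted above is printed by the iptables "set" match when a rule uses the old `-m set --set NAME FLAGS` form, so the script below finds those rules in a generated iptables-restore input and shows them rewritten to `--match-set`. The sample input is constructed to look like the blacklist rules described (two sets, src,dst flags, one negated rule). Because Shorewall regenerates .iptables-restore-input (kept under its state directory, normally /var/lib/shorewall) on every start and restore, rewriting the file by hand only confirms where the four warnings come from; the durable change has to come from the compiler that emits the rules.

```shell
#!/bin/sh
# Added example, not Shorewall's code: locate and rewrite rules that use
# the deprecated ipset match syntax in an iptables-restore input.

# old_set_rules: print the input lines using "-m set [!] --set NAME FLAGS"
old_set_rules() { grep -E -- '-m set (! )?--set ' ; }

# count_old_set_rules: number of such lines (0 is not an error here)
count_old_set_rules() { grep -Ec -- '-m set (! )?--set ' || true; }

# fix_ipset_syntax: rewrite --set to --match-set, keeping a leading "!"
fix_ipset_syntax() {
    sed -e 's/-m set \(! \)\{0,1\}--set /-m set \1--match-set /g'
}

# sample_restore_input: constructed fragment of a restore file with
# blacklist rules in the old form plus one already in the new form.
sample_restore_input() {
    cat <<'EOF'
*filter
:blacklst - [0:0]
-A blacklst -m set --set blacklist_nets src,dst -j DROP
-A blacklst -m set --set blacklist_hosts src,dst -j DROP
-A blacklst -m set ! --set whitelist src -j LOG
-A blacklst -m set --match-set already_new src -j DROP
COMMIT
EOF
}

# No arguments: show the constructed sample. With a path: report on and
# rewrite that file to stdout, e.g.
#   sh ipset_syntax.sh /var/lib/shorewall/.iptables-restore-input
if [ $# -eq 0 ]; then
    echo "deprecated ipset rules: $(sample_restore_input | count_old_set_rules)"
    sample_restore_input | old_set_rules
    echo "rewritten:"
    sample_restore_input | fix_ipset_syntax
else
    echo "deprecated ipset rules in $1: $(count_old_set_rules < "$1")"
    old_set_rules < "$1"
    fix_ipset_syntax < "$1"
fi
```

The count printed for the real file should match the number of warnings seen at start or restore; `iptables -m set --help` on the same host shows which of the two spellings the installed iptables documents.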