surfer | 16 Jul 22:04 2014

lsm-script @ /MyNetwork.html doesn't appear to use the configuration it creates

I'm configuring Shorewall to manage a Comcast dynamic connection.

I'm following http://shorewall.net/MyNetwork.html

Setting up the lsm-script in /lib.private, the instructions show

	/lib.private

		start_lsm() {
		...
		   cat <<EOF > /etc/lsm/shorewall.conf
		...
		EOF
		...
		   /usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
		}

The script populates "shorewall.conf", but then execs lsm using "lsm.conf".

Seems like you'd use what you just populated.

Is this a mistake, or intended?

Jerry

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.

surfer | 15 Jul 22:05 2014

/stoppedrules leaves INPUT from net <- ACCEPT after shorewall stop

I'm defining my stoppedrules

I set up a simple one to only allow SSH/VPN access from my HomeIPs

	/stoppedrules
		#ACTION   SOURCE                   DEST   PROTO     DEST      SOURCE
		#                                                 PORT(S)   PORT(S)
		 ACCEPT   EXT_IF:my.home.ip.x/29   $FW    tcp       22
		 ACCEPT   EXT_IF:my.home.ip.x/29   $FW    tcp,udp   1194      1194

After restart

	systemctl start shorewall-lite.service
	systemctl stop shorewall-lite.service
	iptables -L -n
		Chain INPUT (policy DROP)
		target     prot opt source               destination         
		ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            multiport dports 22
		ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            tcp spt:1194 dpt:1194
		ACCEPT     udp  --  my.home.ip.x/29      0.0.0.0/0            udp spt:1194 dpt:1194
		ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

		Chain FORWARD (policy DROP)
		target     prot opt source               destination         

		Chain OUTPUT (policy DROP)
		target     prot opt source               destination         

I notice INPUT from the entire net is allowed

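Added example, not from the original post: a small checker that parses the `iptables -L -n` listing format shown above and flags any ACCEPT rule with no restriction at all (every source, every destination, every protocol, no extra match), which is what the last INPUT rule above is. The sample listing is constructed from the one in the post, keeping the poster's `my.home.ip.x/29` placeholder.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from `iptables -L -n` text."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target"):
            continue  # text before the first chain, or the column header
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""  # port/multiport/state matches, if any
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return chains

def catch_all_accepts(text, chains=("INPUT", "FORWARD", "OUTPUT")):
    """Return [(chain, position)] of ACCEPT rules that match absolutely everything."""
    found = []
    for name, chain in parse_listing(text).items():
        if name not in chains:
            continue
        for pos, r in enumerate(chain["rules"], start=1):
            if (r["target"] == "ACCEPT" and r["prot"] == "all"
                    and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0" and not r["extra"]):
                found.append((name, pos))
    return found

# Constructed from the listing quoted in the post above.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            multiport dports 22
ACCEPT     tcp  --  my.home.ip.x/29      0.0.0.0/0            tcp spt:1194 dpt:1194
ACCEPT     udp  --  my.home.ip.x/29      0.0.0.0/0            udp spt:1194 dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
"""
```

`catch_all_accepts(SAMPLE)` returns `[('INPUT', 4)]`, i.e. the fourth INPUT rule is the unrestricted one; run it against `iptables -L -n` output after `shorewall stop` to confirm the stopped ruleset is as narrow as /stoppedrules intends.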

Vieri Di Paola | 15 Jul 09:32 2014

cannot ping host in another zone

Hi,

Something went wrong this weekend and my shorewall server stopped replying to pings. Someone forcefully rebooted it (it's running on a degraded RAID1 set) and now communication between 2 zones is unsuccessful (the other zones seem to work fine).

I'm attaching a shorewall dump of when I was unsuccessfully trying to ping 10.215.5.95 in the "caib" zone from the firewall itself.

Any ideas why it's failing?

Thanks,

Vieri
Attachment (dump.fw1.gz): application/gzip, 78 KiB
surfer | 15 Jul 02:25 2014

Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

Hi

I've been having a heck of a time getting this straight, and could use a hand.  Any help would be appreciated!

I have a hosted VPS that's connected to my home/ofc over a VPN.

The VPN endpoint boxes are the VPS and my home/ofc firewall.

Both boxes are running Shorewall.

And, I have a mail server on another machine on my home/ofc's lan.

I've got all simple pinging/communication between machines/lan across the VPN like I need.

I need to get the firewall rules working, especially DNAT & masq, for the mailserver

Here's a diagram of what I've got in place

	---------------------
(1)	VPS + Shorewall firewall
	 eth0: A.A.A.1/32
	       B.B.B.1/32
	       C.C.C.1/32
	 tun0: 172.20.0.1/24
	 loc:  192.168.0.1/24
	---------------------
	       |
	       |
	---------------------
(2)	HOME/OFC FIREWALL + Shorewall firewall
	 eth0: D.D.D.2/29
	 eth1: 192.168.1.2/24
	 tun0: 172.20.0.2/24
	 loc:  127.0.0.1/8
	---------------------
	       |
	       |
	---------------------
(3)	HOME/OFC LAN MAILSERVER
	 eth0: 192.168.1.50/24
	 loc:  127.0.0.1/8
	---------------------

I need to
 (1) open the VPS's port 25 to the net
 (2) translate the inbound traffic from the net to the mail server
 (3) translate the mailserver's outbound mail traffic to appear to only/always originate from A.A.A.1

To do that, following Shorewall docs as best as I could, I set up this config

	Shorewall @ VPS

		/zones
			#ZONE           TYPE               OPTIONS
			fw              firewall
			net             ipv4
			loc             ipv4
			vpn1            ipv4

		/interfaces
			#ZONE           INTERFACE          OPTIONS
			net             eth0               tcpflags,routefilter=1
			loc             lo
			-               tun+               -

		/hosts
			#ZONE           HOST(S)            OPTIONS
			vpn1            tun+:172.20.0.0/24

		/rules
			?SECTION NEW
			...
			DNAT     net     loc:192.168.0.1/24     tcp     25,587     -     A.A.A.1
			...

	Shorewall @ HOME/OFC FIREWALL

		/zones
			#ZONE           TYPE               OPTIONS
			fw              firewall
			net             ipv4
			int             ipv4
			loc             ipv4
			vpn1            ipv4

		/interfaces
			#ZONE           INTERFACE          OPTIONS
			net             eth0               tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
			int             eth1               logmartians=1,routefilter=1
			loc             lo
			-               tun+               -
		/hosts
			#ZONE           HOST(S)            OPTIONS
			vpn1            tun+:172.20.0.0/24

		/masq
			#INTFC:DEST     SOURCE           ADDRESS     PROTO     PORT(S)     IPSEC     MARK     USER/
			#                                                                                     GROUP
			eth0            192.168.1.50     A.A.A.1     tcp       25,587

When I compile the firewalls I get no errors.

But after reloading the firewalls, if I try to telnet in from an external site (IP = X.X.X.15), I get

	telnet -4 A.A.A.1 25
		Trying A.A.A.1...   

and no farther.  Just sits there :-/

a tcpdump on the VPS's external interface is seeing the traffic inbound

	tcpdump -i eth0 -vvv -n | egrep "A.A.A.1"
		tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
		    X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x576f (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
		    X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x5763 (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0

I must have missed something in the setup. :-/

Any help here?  How do I get this traffic INBOUND, over the VPN and to/from the mailserver?

Cheers,

Jerry
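Added example, not part of the original post: a sanity check a reviewer can run over the VPS fragments quoted above. It reads the /interfaces, /hosts and /rules tables and reports every DNAT rule whose DEST address lies outside all networks the named zone is defined by. It assumes (my assumption, not Shorewall's rule) that `lo` carries only 127.0.0.0/8, and treats a zone bound to an interface with no /hosts entry as unbounded. On the fragments above it flags `loc:192.168.0.1/24`, because the VPS's loc zone is bound to `lo` and no hosts entry puts 192.168.0.0/24 in it.

```python
import ipaddress

def rows(text):
    """Whitespace-split the non-comment, non-directive lines of a Shorewall table."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            out.append(line.split())
    return out

def zone_networks(interfaces, hosts):
    """zone -> list of ip_network, or None meaning 'anything on that interface'."""
    nets = {}
    for zone, iface, *_ in rows(interfaces):
        if zone == "-":
            continue                      # zone is assigned via /hosts instead
        nets.setdefault(zone, []).append(  # assumption: lo carries only loopback
            ipaddress.ip_network("127.0.0.0/8") if iface == "lo" else None)
    for zone, hostspec, *_ in rows(hosts):
        cidr = hostspec.split(":", 1)[1]  # "tun+:172.20.0.0/24" -> "172.20.0.0/24"
        nets.setdefault(zone, []).append(ipaddress.ip_network(cidr, strict=False))
    return nets

def unreachable_dnat_targets(interfaces, hosts, rules):
    """Return [(zone, dest)] for DNAT rules whose DEST is outside the zone's networks."""
    nets = zone_networks(interfaces, hosts)
    bad = []
    for r in rows(rules):
        if r[0].split("(")[0] != "DNAT" or ":" not in r[2]:
            continue
        zone, addr = r[2].split(":")[:2]  # DEST is zone:address[:port]
        target = ipaddress.ip_network(addr, strict=False)
        allowed = nets.get(zone, [])
        if None in allowed or any(target.subnet_of(n) for n in allowed):
            continue
        bad.append((zone, addr))
    return bad

# Constructed from the VPS fragments quoted in the post above.
VPS_INTERFACES = """\
#ZONE   INTERFACE  OPTIONS
net     eth0       tcpflags,routefilter=1
loc     lo
-       tun+       -
"""
VPS_HOSTS = "vpn1    tun+:172.20.0.0/24\n"
VPS_RULES = """\
?SECTION NEW
DNAT    net   loc:192.168.0.1/24   tcp   25,587   -   A.A.A.1
"""

if __name__ == "__main__":
    print(unreachable_dnat_targets(VPS_INTERFACES, VPS_HOSTS, VPS_RULES))
```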

ARUN CHAKRAPANI RAO | 11 Jul 21:19 2014

Can shorewall block specific url

Hi,

Please forgive me if this is the wrong place to ask this question.
We are an ISP looking for a tool which can block a specific URL instead of the domain itself, for example
https://twitter.com/canweblockurl

The reason being, we get mails from the Government ordering us to block specific URLs.
We are about to evaluate Shorewall and wanted to know from any one of you whether this is possible.

If this is not the tool, can anybody guide as to which open-source tool is stable enough to do this job along with the firewall?

Thanks in Advance
Arun
Mallory, Danny | 10 Jul 17:21 2014

Logging question

Hello,

I just upgraded from Debian 6 (Squeeze) to Debian 7 (Wheezy) and my logging does not seem to be working anymore. "shorewall show log" looks normal, pointing to /var/log/messages, but I get no logging of drops or rejects anymore. It appears to be doing kernel-level logging, as the messages are showing up via dmesg but not in any real log file. Is this a known issue?

Here are a couple of telnet tests and the output showing up in dmesg:

	[ 2624.917558] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=11800 DF PROTO=TCP SPT=54655 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
	[ 2625.919632] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=28097 DF PROTO=TCP SPT=54656 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

Nothing in /var/log/messages (or any other log file).
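Added example, not part of the original post: a parser for Shorewall netfilter log lines in the form shown above (`Shorewall:<chain>:<action>:KEY=VALUE ... FLAG ...`, optionally prefixed with the dmesg uptime stamp), plus a counter of DROP/REJECT events per chain, protocol and destination port. The sample is the two lines quoted above joined back onto single lines, plus one constructed non-Shorewall line to show that unrelated kernel messages are ignored.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r"(?:\[\s*(?P<uptime>[\d.]+)\]\s*)?"           # optional dmesg timestamp
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"),
           "uptime": float(m.group("uptime")) if m.group("uptime") else None,
           "flags": set()}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # "OUT=" yields an empty string, as in the lines above
        else:
            rec["flags"].add(tok)   # bare flags such as DF, SYN, ACK
    for k in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec

def drops_by_dport(lines):
    """Count DROP/REJECT events per (chain, proto, dport) across the given lines."""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] in ("DROP", "REJECT"):
            c[(rec["chain"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return c

SAMPLE = [
    "[ 2624.917558] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=11800 DF PROTO=TCP SPT=54655 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "[ 2625.919632] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:50:56:ab:29:5a:a4:4c:11:e5:6b:00:08:00 SRC=10.132.230.254 DST=10.132.194.109 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=28097 DF PROTO=TCP SPT=54656 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "[ 2626.000000] some unrelated kernel message",   # constructed noise line
]

if __name__ == "__main__":
    print(drops_by_dport(SAMPLE))  # Counter({('net2fw', 'TCP', 23): 2})
```

Feeding it `dmesg` output lets you confirm the firewall is logging even while the syslog path is broken, and the same parser works on /var/log/messages lines once they reappear there.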


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
ray klassen | 10 Jul 17:41 2014

KLIPS openswan l2tp tunnels

I have 30 odd permanent vpns running pure ipsec over KLIPS, the openswan option erroneously called 2.4 kernel in the shorewall documentation. It still works way better than NETKEY. Switching over to KLIPS from NETKEY after using it for years solved innumerable problems with workstations not staying connected to the samba 3.x domain. I only include this bit of info here to avoid people replying to me with "switch over to NETKEY and come out of the dark ages." It's not going to happen.

But now I want to implement l2tp/ipsec and shorewall documentation suffers as regards this configuration and any help would be appreciated. Basically incoming l2tp traffic authenticates fine as regards ipsec, but then there is nothing. dmesg reports martians on interface ipsec0 and xl2tpd never processes the request.

My tunnels file includes a reference to

	l2tp  L2TP     0.0.0.0/0  VPN

so that VPN is the gateway zone.

And I've got the rules set like so:

	L2TP(REJECT):info    SHAW     $FW
	REJECT          $FW     SHAW     udp     -       1701
	# l2tp over the IPsec VPN
	ACCEPT          VPN     $FW     udp     1701

As I understand it, with KLIPS you don't declare that the zone is ipsec, because the traffic is delivered unencrypted to the kernel from an 'interface' ipsec0. interfaces declares ipsec+ to be part of the VPN zone, so, per the above rule, the $FW system should accept traffic from VPN on udp 1701, but it isn't.

Michael Johannes | 9 Jul 18:28 2014

Using Shorewall as a gateway EC2 Instance on Ubuntu in AWS: Rule/Policy Problem

I have a question about a secure way to firewall and route traffic from an EC2 instance in AWS. The setup is different from any other Shorewall configuration I have used (OpenWRT, OpenVPN, etc.).

In this case there are two subnets in one VPC:

	VPC        - 10.252.0.0/16
	1) Public  - 10.252.128.0/17
	2) Private - 10.252.0.0/17

I have created an instance in the Public subnet with an elastic IP 54.x.x.100 which is NAT'ed to the eth0 interface on that server:

	NAT/GW/VPN Shorewall Server:
	10.252.128.200 (1 interface - ETH0)

Traffic flows in and out to the internet without issue. The IGW (internet gateway) on AWS is properly configured. The route tables are correct.

In the private subnet, there is a test Windows server with IP address 10.252.0.10. It is currently configured to use the Shorewall server as its gateway. When I configure the Shorewall policy file to use ALL to ALL ACCEPT (I know this is not secure - obviously...) it works. Traffic comes in and out to 10.252.0.10. With Shorewall simply passing packets with no firewalling, everything works as expected.

But when I try to secure it, I end up with this error in the log no matter how many rules I try to use:

	kernel: [ 5138.802818] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0

So instead of a typical configuration with an eth1 (loc) and eth0 (net) interface, there is only one 'physical' interface, which is eth0.

The masq file looks like this:

	#MASQ
	eth0	0.0.0.0/0  #--> allow any server to be masq'd as eth0

How can I keep the correct Shorewall policy (all all REJECT info) while using the rules file to allow traffic in/out through the same eth0 interface?

I cannot do the following like I could on a physical server (which would work):

	loc net ACCEPT

Mike

Kay Obermueller | 9 Jul 18:19 2014

shorewall-4.4.12.2 on OS X 10.6.8 as administrative system for OpenWRT

Hello,
I am trying to use a Mac OS X 10.6.8 machine to administer a router with OpenWRT. I created two export directories, one according to http://shorewall.net/CompiledPrograms.html and another one copied over from another Linux machine where it was working with the router before, to find out how to get this going.

When I try

	# make compile

in both directories it complains (with and without a path to iptables in shorewall.conf):

	"Can't find iptables executable"

Of course it can't on a Mac. But how is this supposed to work on OS X?
Many thanks in advance.

Kay

Jan Lühr | 9 Jul 11:49 2014

Limiting Bandwidth per IP?

Hello folks,

I'm new to Shorewall, using shorewall4 and shorewall6 on Debian Wheezy (4.5.5.3). Being confused by http://shorewall.net/simple_traffic_shaping.html, I'd like to ask:

Shorewall4 and 6 are used on a central router on our network, doing masquerading for IPv4. How can I limit the total bandwidth per client IP address to 5 MBit/s?

Keep smiling
yanosz

Db Clinton | 8 Jul 19:08 2014

Interfaces arguments won't compile

Hi,
Shorewall on a new installation isn't compiling and reports this error:

	ERROR: Invalid BROADCAST address /etc/shorewall/interfaces (line 2)

I've read that until version 4.2.x there was a bug that could lead to this error, but I'm using 4.4.26.1-1. And in any case, I haven't got a BROADCAST column. The problem goes away when I remove all arguments (tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0) from the interface entry. Any one argument will make the compile fail. As I'd like to use arguments, does anyone have any idea what I should be doing differently?
Thanks,
David