Dale Greenway | 4 Aug 06:44 2014

Pinging from IP aliases?

Hello.

I'm installing Shorewall on my hosted server.

I'm doing stuff step by step so I can understand what does what.  I have some trouble with Pings coming from
private IP aliases.

The server has 2 IPs on its one interface

eth0
  X.15.9.149
  172.16.1.10

The shorewall config that matters is

  /etc/shorewall/interfaces
    net   eth0   tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0

  /etc/shorewall/zones
    fw    firewall
    net   ipv4

  /etc/shorewall/rules
    ...
    Ping(ACCEPT)   $FW   net
    ...

When I do a 

ping google-public-dns-a.google.com

merc1984 | 3 Aug 19:03 2014

Suspected Trojan


Lately I've been noticing that something is hammering away trying to get
out ports 25 and 110.  Since I don't use those and they are closed, I am
suspicious.  https://pastee.org/k73u8  The destination IP isn't running
POP or SMTP either.

Unfortunately, Shorewall doesn't have a mechanism to associate a PID to
an attempt, maybe because the info just isn't there.  I do find that it
is possible to turn on UID reporting, so I added (uid) to each INFO in
the policy file and restarted Shorewall, but I'm still not getting the
UID.
#SOURCE DEST    POLICY          LOG             LIMIT:          CONNLIMIT:
#                               LEVEL           BURST           MASK
net     $FW     DROP            info(uid)
net     local   DROP            info(uid)
$FW     net     DROP            info(uid)
$FW     local   DROP            info(uid)
local   net     DROP            info(uid)
local   $FW     DROP            info(uid)
#
# THE FOLLOWING POLICY MUST BE LAST
#       
net     all     DROP            info(uid)
all     all     DROP            info(uid)
#LAST LINE -- DO NOT REMOVE

I need to put these 25 and 110 accesses with a PID to try and identify
this trojan.  I'm trying # netstat -apn|grep -w DPT=25 but that hasn't
caught anything yet, and it's not a real solution long-term.

Mike Coan | 1 Aug 16:02 2014

Names of network interface cards

List members

Currently using Shorewall 4.5.11 on opensuse 12.3

Building a new firewall using opensuse 13.1.  After installing opensuse 
13.1 I notice that the two NICs are named

enp0s9  and enp0s18  as opposed to
eth0 and eth1

I can manually rename them to eth0 and eth1 and proceed.  In fact, I may 
have done that with 12.3 but I don't remember.

Two questions.

1) In my Shorewall config files can I replace eth0 with enp0s9 and eth1 
with enp0s18 and have things work

2) Is there any benefit to using the new naming scheme?

I guess there is a third question.  My firewall is pretty simple. 
Should I define the interfaces in the params file (e.g. $INT_IF and 
$EXT_IF) to make it easier to handle changes like this in the future?

Mike
-- 
Michael A. Coan
Woodlawn Foundation, Inc.
56 Harrison Street, Suite 401
New Rochelle, NY 10801-6560

Tom Eastep | 31 Jul 15:57 2014

Re: Multi VLAN Forward Problem

On 7/31/2014 3:21 AM, Georg Bixa wrote:
> On 2014-07-31 at 06:18, Tom Eastep wrote:

>>
>> I would like to understand why this happened. Would you be willing to
>> send me your /etc/shorewall contents so that I could try to reproduce
>> the problem? If so, please:
>>
>> a) shorewall show -f capabilities > /etc/shorewall/capabilities
>> b) tar up the contents of /etc/shorewall
>> c) rm /etc/shorewall/capabilities
>> d) Send the tarball to me privately.
>>
>> While I'm no longer producing patches for Shorewall 4.4, I would like to
>> be sure that the problem isn't present in the latest 4.5 and 4.6
>> releases.
>>
>> Thanks!
>> -Tom
> 
> Of course. I attached the tarball as asked. If you need any further
> information, just email me, I would be happy to assist.
> 

Thanks Georg.

It appears that the problem does not exist in the current versions. I
commented out your net->ene policy, and I see the following in the
generated script:


Paul | 31 Jul 06:32 2014

Auto Response

Georg Bixa | 30 Jul 14:16 2014

Multi VLAN Forward Problem

Hello! I am using shorewall for some years now, but I ran into trouble 
with the following multi VLAN setup:

The network had two VLANs (vlan21 and vlan22) which are masqueraded by 
the firewall to a public subnet. vlan22 was running fine, but packets on 
vlan21 did not get an answer.
I set up another vlan (vlan23) to test some parameters, but that shut 
vlan22 down. Now vlan23 is working but vlan21 and vlan22 are not.

I did some tcpdump and found out that the packets are correctly 
masqueraded and sent out but the response is not forwarded with the 
following errors:

Jul 30 12:26:33 viegw kernel: [99036.969653] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan21 MAC= SRC=85.25.182.38 DST=192.168.21.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31228 PROTO=ICMP TYPE=0 CODE=0 ID=2970 SEQ=55

Jul 30 12:26:34 viegw kernel: [99037.160452] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan22 MAC= SRC=85.25.182.36 DST=192.168.22.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=36303 PROTO=ICMP TYPE=0 CODE=0 ID=2964 SEQ=59

I have checked routing and config files but did not come up with a 
solution for days.
Any help would be much appreciated!
(I have attached a shorewall dump.)

Best regards,

Georg
Attachment (shorewall_dump.txt.gz): application/gzip, 11 KiB
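The two log lines in this message and merc1984's "Suspected Trojan" post further up both come down to reading Shorewall's LOG output, so here is one parser that serves both. It is added for this digest and is not code from either poster or from Shorewall. The sample lines are constructed (RFC 5737 addresses): the first mirrors Georg's rejected echo reply, the next two are what a $FW->net DROP policy logged at info(uid) produces for outbound SMTP/POP3 attempts, and the chain name fw-net is an assumption, since Shorewall names that chain for you. One thing the parser makes visible: the kernel only knows a socket owner for packets the firewall generated itself, so UID= appears on those lines and never on forwarded traffic, and a PID is not available to netfilter at all.

```shell
#!/bin/sh
# Parse and triage Shorewall log lines. Added example, not code from the
# list posts or from Shorewall. Shorewall's LOG prefix is
# "Shorewall:<chain>:<disposition>:" glued to the kernel's first key=value
# field; with the uid log option the kernel appends "UID=n GID=n", but only
# for packets owned by a local socket (the firewall's own traffic).

# Constructed sample lines (not captured traffic). Line 1 mirrors the echo
# reply rejected in FORWARD from the VLAN thread; lines 2-3 are what a
# $FW->net DROP policy with info(uid) logs for outbound SMTP/POP3 attempts
# (chain name "fw-net" is an assumption); line 4 is an unrelated inbound drop.
sample_log() {
    cat <<'EOF'
Jul 30 12:26:33 viegw kernel: [99036.969653] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan21 MAC= SRC=198.51.100.38 DST=192.168.21.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31228 PROTO=ICMP TYPE=0 CODE=0 ID=2970 SEQ=55
Aug  3 18:40:01 host kernel: [1234.000001] Shorewall:fw-net:DROP:IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44123 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug  3 18:40:02 host kernel: [1234.000002] Shorewall:fw-net:DROP:IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44124 DPT=110 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug  3 18:40:03 host kernel: [1234.000003] Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Read log text on stdin; emit one tab-separated record per Shorewall line:
# CHAIN DISP IN OUT SRC DST PROTO DPT UID ("-" when a field is absent/empty).
parse_shorewall_log() {
    awk '
    function val(k) { return (k in f && f[k] != "") ? f[k] : "-" }
    /Shorewall:/ {
        split("", f)                       # clear the field map (portable awk)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                n = split($i, p, ":")      # Shorewall:CHAIN:DISP:IN=...
                f["CHAIN"] = p[2]; f["DISP"] = p[3]
                if (n >= 4) { eq = index(p[4], "="); f[substr(p[4], 1, eq - 1)] = substr(p[4], eq + 1) }
            } else if ($i ~ /^[A-Z]+=/) {
                eq = index($i, "=")        # ICMP lines carry ID= twice; the last one wins
                f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
        }
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", val("CHAIN"), val("DISP"),
            val("IN"), val("OUT"), val("SRC"), val("DST"), val("PROTO"), val("DPT"), val("UID")
    }'
}

# merc1984's question from the defender's side: attempts the firewall itself
# made (IN empty) to TCP 25/110, with the UID that owned the socket.
# Output: "UID DST DPT".
outbound_mail_attempts() {
    parse_shorewall_log | awk -F'\t' '$3 == "-" && $7 == "TCP" && ($8 == "25" || $8 == "110") { print $9, $6, $8 }'
}

# Number of such attempts in the sample (used by the checks).
count_outbound_mail_attempts() {
    sample_log | outbound_mail_attempts | awk 'END { print NR }'
}

# Georg's side: forwarded packets that were refused, i.e. FORWARD lines with a
# disposition other than ACCEPT. Output: "OUT DST PROTO".
rejected_forwards() {
    parse_shorewall_log | awk -F'\t' '$1 == "FORWARD" && $2 != "ACCEPT" { print $4, $6, $7 }'
}

# Stand-alone run: sample_log | outbound_mail_attempts
```

A UID maps back to an account with `getent passwd 1001`; to get from there to a process, watch that account's connections with `ss -tnp` or put an audit rule on the connect syscall for that user, because the firewall log stops at the socket owner. For the VLAN case, `rejected_forwards` over a real log shows at a glance which OUT interface and destination the reply was refused for, which is the line to match against the policies and routing for that zone.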
surfer | 27 Jul 19:35 2014

executing a shorewalls script in lib.private from cmd line?

Reading

	http://shorewall.net/shorewall_extension_scripts.htm

I'm installing a number of convenience scripts in

	/lib.private

It's clear how they're referenced/invoked in the various shorewall stages.

Is it possible to invoke a single script from the shorewall cmd line?

e.g., if

	/lib.private
		...
		setup_sysctls() {
			echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
		}
		...

is there a shell cmd to effectively

	shorewall 'EXEC a PRIVATE SCRIPT' setup_sysctls

?
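One way to get at a single lib.private function from a shell, added here as an example and not code from this message or from Shorewall: lib.private is copied into the compiled firewall script, so the plain shell answer is to source the file yourself and call the function by name. The wrapper below does that with a guard that only runs names the file actually defined. The path /etc/shorewall/lib.private, the SHOREWALL_LIB_PRIVATE variable and the stand-in lib file are assumptions for this example.

```shell
#!/bin/sh
# Added example for the question above; not from the thread or from Shorewall.
# Assumed path: /etc/shorewall/lib.private (override with SHOREWALL_LIB_PRIVATE).

# Constructed stand-in for lib.private so the example runs without root: the
# function prints the sysctl it would set instead of writing to /proc/sys.
make_sample_lib() {
    cat > "$1" <<'EOF'
setup_sysctls() {
    # the real function would do: echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "net.ipv4.conf.all.rp_filter=0"
}
EOF
}

# run_private_fn LIBFILE FUNC [ARGS...]: source LIBFILE into this shell and
# call FUNC only if it is now a shell function or builtin. Returns 2 when the
# arguments are missing or the file is unreadable, 3 when FUNC is not a
# function (so a stray name such as an external command is never executed),
# otherwise FUNC's own exit status.
run_private_fn() {
    [ $# -ge 2 ] || return 2
    lib="$1"; fn="$2"; shift 2
    [ -r "$lib" ] || return 2
    . "$lib"
    kind=$(command -v "$fn" 2>/dev/null) || kind=""
    # command -v prints a path for external commands and the bare name for
    # functions and builtins; only the bare name is accepted here
    [ "$kind" = "$fn" ] || return 3
    "$fn" "$@"
}

# Convenience wrapper for the command the question asks for:
#   shorewall_private setup_sysctls
shorewall_private() {
    run_private_fn "${SHOREWALL_LIB_PRIVATE:-/etc/shorewall/lib.private}" "$@"
}
```

Two caveats: the real setup_sysctls writes under /proc/sys, so the wrapper has to run as root, and a lib.private function that leans on helpers defined by the generated firewall script will not work when sourced on its own; only self-contained functions can be driven this way.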

Mr. WebLover | 27 Jul 00:45 2014

Routing / Masq Problem

Hi @ all,

I have a problem with how to configure shorewall for a specific scenario
and I hope someone can help me.

I have a dsl line as default route (ppp0), a local network at eth0
and now a LTE router on eth1

eth0 network 192.168.115.0/24
eth1 network 192.168.2.0/24 (192.168.2.1 = lte router / 192.168.2.2 = eth1)

Now to my problem.
I'm running an openvpn server on port 1197 (udp) with local ip 192.168.2.2

In the lte router i forward packages from incoming port 1197 to 
192.168.2.2 port 1197

If I start an external openvpn (client) connection to the lte router I 
see with tcpdump
that the package arrives at the server side with destination 192.168.2.2 
but, and that is the problem,
it comes with the public ip as source (from the client side).
That is ok in the incoming direction. But for the outgoing direction, 
from openvpn server
back to the public ip (openvpn client) I have a routing problem.
With the public ip it would be routed over the default gateway (ppp0) 
and not over the eth1 interface.

Is there a way to mark (masq ?) the incoming packages from eth1 so that 
they would be routed back over that interface?
How can I do this ...

Sorry, for my bad english.

Best regards,
MrWeb

Niels Penneman | 26 Jul 13:54 2014

Shorewall with DHCP: finding the subnet the host is on

Hi,

In a setup with a dedicated server that's connected to the public
internet, I intend to split the different services that run on this
server over a number of virtual machines.

The server has one single 'global' IPv4 address and a whole subnet of
IPv6 addresses. In the future I may want to occasionally allocate a
publicly accessible IPv6 address to a VM, but for now I'm relying on NAT
with IPv4 only.

My goal is to make the VMs portable with respect to network
configuration, so that I can easily test them on different machines.
Therefore I've set up DHCP for all VMs. The DHCPv4 server is running
directly on the server, and it's pushing settings like the default
gateway, NTP server, etc. to the VMs.

I run Shorewall on the physical server, and I would also like to run
Shorewall on the individual VMs. Configuring Shorewall with DHCP is not
so straightforward though, especially because I'd like to differentiate
between traffic coming from subnet the VM is on (as a nested zone that
represents the internal network), and traffic coming from WAN (through
NAT on the physical server).

I've seen that in recent versions Shorewall can detect the default
gateway (findgw script) and the IP address but I don't see a variable to
get the subnet mask. If there is one, you can stop reading here and just
tell me which one it is!

I know what the subnet is going to be on the server, but if I move a VM
to my desktop to play around with it, I do not want to reconfigure it.
Hence, I cannot hardwire the subnet into the Shorewall configuration. I
see many different ways to tackle this issue but I'd like some input to
see which is the best way to go forward.

What I've come up with so far are the following:

1. Shorewall is started by the DHCP client AFTER the DHCP client gets a
lease from the DHCP server. The DHCP client writes DHCP options like
default gateway, subnet, etc. to a file which gets included from the
Shorewall params file. The Shorewall configuration can hence rely on a
gateway and subnet variable to define a nested zone for the internal
network. The DHCP client reconfigures Shorewall when the IP changes
(hypothetically speaking since it will never happen in my setup) and
stops Shorewall when the lease is released. This does not necessarily
imply that the server is wide open before Shorewall starts. It's easy to
use some tricks to only let DHCP traffic pass before Shorewall runs and
after Shorewall stops using plain iptables or another mechanism. I have
tried this and it works but it comes with some security implications:
the DHCP client must be able to update a Shorewall-readable
configuration file AND must be able to control Shorewall. The latter is
not a good thing.

2. I could try to write an extension script for Shorewall that much like
findgw reads the default gateway, queries the DHCP configuration to find
the subnet, and then uses this in the definition of a nested zone that
represents the internal network. The problem here is that I have never
written extension scripts. I have tried Googling a bit but so far I
still have no idea where to start.

3. The most vague idea of all. I have read that Shorewall supports
dynamic zones using ipset. If it is possible to make a nested zone
dynamic, perhaps the DHCP client can configure this zone to contain the
subnet that represents the internal network whenever it gets an IP, and
deconfigure it when it loses the IP.

All of the above would enable Shorewall to learn more about DHCP
parameters other than the subnet as well (e.g. NTP server). Information
regarding the above ideas as well as new ideas are welcome. Thanks!

Niels
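Niels's option 1 in concrete form, added here as an example; it is not his code nor Shorewall's. A dhclient hook turns the leased address and mask into a CIDR subnet and writes shell variables for the params file to INCLUDE, and it does only that: starting or restarting Shorewall stays with a separate root-owned path, which is the privilege split he is after. The include path /etc/shorewall/params.dhcp and the variable names INT_IF/INT_NET/INT_GW are assumptions chosen for this example (they are also the kind of $INT_IF-style params variables Mike Coan asked about earlier in this digest); $reason, $interface, $new_ip_address, $new_subnet_mask and $new_routers are the names dhclient itself exports to its hook scripts.

```shell
#!/bin/sh
# Added example implementing option 1 above; not Niels's code nor Shorewall's.
# dhclient exposes the lease to hook scripts as $reason, $interface,
# $new_ip_address, $new_subnet_mask and $new_routers. The include path and
# the INT_* variable names are assumptions for this example.

# Dotted quad -> 32-bit integer; fails on anything that is not four octets 0-255.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length of a netmask; rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    # everything after the run of leading ones must be zero
    [ $(( m & ((1 << (32 - bits)) - 1) )) -eq 0 ] || return 1
    echo "$bits"
}

# "192.168.50.23 255.255.255.0" -> "192.168.50.0/24"
cidr_from_ip_mask() {
    a=$(ip_to_int "$1") || return 1
    b=$(ip_to_int "$2") || return 1
    p=$(mask_to_prefix "$2") || return 1
    echo "$(int_to_ip $(( a & b )))/$p"
}

# Render the params include: IP MASK IFACE GATEWAY -> three shell assignments.
render_params() {
    subnet=$(cidr_from_ip_mask "$1" "$2") || return 1
    printf 'INT_IF=%s\nINT_NET=%s\nINT_GW=%s\n' "$3" "$subnet" "$4"
}

# Hook entry point. It only writes the include file; (re)starting Shorewall
# is left to a separate root-owned unit so the DHCP client never controls
# the firewall itself. Constructed path, override with PARAMS_DHCP.
dhcp_hook() {
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT)
            render_params "$new_ip_address" "$new_subnet_mask" "$interface" "${new_routers%% *}" \
                > "${PARAMS_DHCP:-/etc/shorewall/params.dhcp}" ;;
    esac
}
```

With `INCLUDE params.dhcp` in /etc/shorewall/params, the hosts file can define the nested internal zone as `$INT_IF:$INT_NET` and the rules can refer to $INT_GW, so nothing about the subnet is hard-wired into the VM's Shorewall configuration. The non-contiguous-mask check matters because the mask comes from whichever DHCP server the VM happens to meet; a bad value should fail the hook rather than produce a subnet that quietly widens the internal zone.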

Tom Eastep | 25 Jul 21:38 2014

Shorewall 4.6.2.2

Version 4.6.2.2 is now available for download.

Problems Corrected:

1)  The compiler now correctly detects the IPv6 "Header Match"
    capability when LOAD_MODULES_ONLY=No.

2)  The compiler now correctly detects the IPv6 "Ipset Match"
    capability on systems running a 3.14 or later kernel.

3)  The compiler now correctly detects "Arptables JF" capability when
    LOAD_MODULES_ONLY=No.

4)  The tcfilter manpages previously failed to mention that
    BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Juan Pablo Sandoval Rivera | 25 Jul 05:28 2014

internet access from win7 (openvpn) through server (openvpn + shorewall)?

Good day list

I have the NEXT case, and one for win7 connecting openvpn and can access the intranet (- redirect gateway def1), I can access internal resources machine.
Peroal do this win7 machine stops sailing, as I set to navigate using shorewall? get out to the internet using the remote dns server (where the shorewall and openvpnserver)
Without making any kind of modification to the routing on win7

Thank you


--
TRAIning and Support in unIx/linuX
Attachment (configs.tgz): application/x-gzip, 35 KiB
