Joseph DeGraw | 5 Feb 18:46 2015

Forwarding 81 to internal lan webserver

Hello,

I installed Shorewall for the first time last night and I am very 
impressed. I installed it to try and fix an issue that I really do not 
understand.

I have a typical 2 interface setup. I have comcast as my ISP. I did a 
redirect on port 2100 to my local computer to play a game and it works 
fine. So, I know redirect works ok.

Now, I have a client that I have designed a webpage for and it is hosted 
on one of my other local computers. Its ip is 10.0.1.33 I can access it 
fine locally. But what I wanted to do is redirect port 5000 on the FW to 
10.0.1.33:80 . This would let my client view their new website and 
critique it. However, what happens when they try 
(www.renuecomputers.com:5000) is that they end up at my company website 
(www.renuecomputers.com), so I tried having them test it by my external 
ip:5000 and I get the same outcome. They never make it to the internal 
computer (10.0.1.33) and end up at my website on the FW.

If I shut down my company website (apache2) and have them try again, then 
the browser errors out on the connection.

This is my rule for the redirect to my internal webserver:

DNAT net loc:10.0.1.33:80 tcp 5000

I did re-read the docs on the two-interface setup and anything else 
I could find but really do not have a clue. Anyone ever experience 
something like this?

Gilbert Robert | 4 Feb 21:37 2015

ipsec and shorewall

Hi,

I would like to establish an IPSEC connection from one site to another.
Site A is a Cisco ASA and site B is a Linux Debian Wheezy.

On site A we don't have any access, but on site B we can do what we want.
I installed Shorewall 4.5.5.3 and openswan 1:2.6.37-3+deb7u1

I spent a lot of time trying to connect those 2 sites like this

site B                                                                           site A
[ 10.1.0.0 ] -----[ 10.1.0.1 / eth0 143.123.123.121/28 ] ..... [ 190.120.87.165 ]---[193.198.43.0]
                               eth0 143.123.123.122

This would be relatively simple if Site A did not want NAT in the VPN. In fact they want to see only one source
address from network B, for example the 143.123.123.122. They don't want to see rfc1918 addresses in subnet B.

I read and reread the pages of Shorewall but I'm a little bit confused now.
I can establish IPsec phase I but not phase II. IPsec therefore works, but it appears that phase II is stuck.

My part of config:

interfaces
vpn	ppp0	-
net	eth0

hosts
vpn	eth0:193.198.43.0/24   ipsec


Andrew DeMaria | 1 Feb 00:36 2015

Cannot connect to remote PPTP vpn

Shorewall group,

I am having a hard time connecting to a remote PPTP from a LAN computer
and was hoping I could get some hints on what could be going wrong.

Here is what I know:

The remote VPN server is an Asus router. At time of writing it was
71.208.224.179.  It is set up for PPTP with 128 bit MPPE encryption.

I can connect on my android phone if I am on verizon's network, but I
cannot connect if I am on the LAN network.  Likewise I cannot connect on
my laptop on the LAN network.

I have run a tcpdump on the router while trying to connect to the VPN
from the LAN.  At a high level it seems that traffic is making it
through for the initial connection setup and there are also some further
PPP packets but it seems that the conversation just goes silent.

I have tried setting up shorewall in two different manners with the same
results:
-  Using AUTOHELPERS=Yes
-  Specifying HELPERS=amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
and using the following rule in conntrack:

?if __PPTP_HELPER
CT:helper:pptp:PO -   -   tcp 1723
?endif

Any ideas?

Jim Ham | 31 Jan 03:20 2015

Shorewall fails to start

It seems that the problems disappeared when I removed "required" from 
/etc/shorewall/interfaces. I had set:
net eth0 dhcp,required
loc eth1 dhcp,required
As soon as I removed "required" all is well.

Jim
> I have a two-interface solution, almost exactly as described in the examples. On boot shorewall starts
before eth0 (net) comes up, so fails to complete. To get things going I have to unplug, then replug eth0,
then issue "shoreline start". Now all works as it is supposed to. I'm running dnsmasq as well as shorewall.
If I simply start shorewall without unplugging/replugging, shorewall doesn't use eth0 at all.
>
> I tried putting "wait_interface="eth0 eth1" in /etc/default/shorewall, but this just causes
shorewall to hang the boot forever.
>
> I don't even see how shorewall is started. Debian is using runlevel 5 and shorewall doesn't appear in
rc5.d, although it's in init.d. Maybe someone can give me a clue on how to either delay shorewall's init, or
have shorewall wait for eth0 to fully configure. Or something else that will make this work.
>
> Debian Jessie, kernel 3.16.8-4
> shorewall 4.6.4.3
> eth0 (net) is connected to my DSL modem using DHCP. It normally gets an address of 192.168.1.65. I modified
/etc/shorewall/masq to exclude this subnet. My modem translates this to my external network static address.
> eth1 (loc) has a static IP and is connected to a switch. Its address is 192.168.0.1.

Jim Ham

-- 
Porcine Associates LLC
244 O'Connor St.

Gerhard Wiesinger | 28 Jan 09:39 2015

Logical names in rules

Hello,

I've set all ip addresses in /etc/hosts.

But I'm unable to use
SMTP(ACCEPT)  myzone             loc:smtp-server

    ERROR: Unknown Interface (smtp-server) 
/usr/share/shorewall/macro.SMTP (line 21)
       from /etc/shorewall/rules (line 157)

# IP addresses work well
SMTP(ACCEPT)  myzone             loc:192.168.99.100

I know that ipsets are working well but I would like to use some rules 
without ipsets.

On the other hand it works well with DNAT:
SMTP(DNAT)      myzone             loc:smtp-server

Any ideas how to use it?
If it is not possible any plans to implement it?

Thanx.

Ciao,
Gerhard

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,

rogt3654 | 27 Jan 15:44 2015

shorewall + openvpn question -- ping rules are there, but still can't ping lan-to-lan

Hello

I have two machines connected over OpenVPN.

I'm adding Shorewall protection to them both.  I installed
shorewall6-lite version 4.6.6.1 yesterday on both machines.

I have the firewalls working ok for normal internet traffic with servers, LANs, etc.

But I'm stuck on a puzzle with the OpenVPN connection.

The overall setup looks like this

	SVR1
		eth0  XX.XX.XX.XX
		      192.168.1.1
		tun0  10.1.1.1

	SVR2
		eth0  YY.YY.YY.YY
		tun0  10.1.1.2
		eth1  192.168.2.1

With Shorewall in place, the VPN is up and I can ping VPN endpoint-to-endpoint in both directions.  I.e. both
of these work


Robin Helgelin | 25 Jan 19:33 2015

Slow DNAT/SNAT

Hi,

I'm investigating a setup in which the returning data from a DNAT rule is extremely slow.

Example rule looks like this:
DNAT		net		$DMZ_MAIL:22	tcp	9022	-	pu.bl.ic.ip

interfaces
net     eth0            detect          tcpflags,nosmurfs
loc     eth1            detect          routeback

masq
eth0			192.168.60.0/24	pu.bl.ic.ip

params:
DMZ_MAIL=loc:192.168.60.2

Using SCP, copying files to the server runs at the full speed my internet permits. Receiving files throttles
the traffic to around 2-3KB/s.

regards,
Robin
------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Shorewall-users mailing list

Tom Eastep | 23 Jan 20:34 2015

Shorewall 4.6.6.1

Shorewall 4.6.6.1 is now available for download.

Problems Corrected:

1)  Previously the SAVE and RESTORE actions were erroneously disallowed
    in the INPUT chain within the mangle file.

2)  The manpage descriptions of the mangle SAVE and RESTORE actions
    incorrectly required a slash (/) prior to the mask value.

3)  Race conditions could previously occur between the 'start' command
    and the 'enable' and 'disable' commands.

4)  The 'update' command incorrectly added the INLINE_MATCHES option
    to shorewall.conf with a default value of 'Yes'. This caused
    'start' to fail with invalid iptables rules when the alternate
    input format using ';' is used.

6)  Previously the LOCKFILE setting was not propagated to the generated
    script. So when the script was run directly, the script
    unconditionally used ${VARDIR}/lock.

Thank you for using Shorewall,
-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Gerhard Wiesinger | 23 Jan 14:59 2015

Multiple Zones

Hello,

Is it possible to specify multiple zones or define virtual zones to get 
better readability?

e.g. the following config (all cannot be used because more than 
these 3 zones exist):
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     loc             dmz
SSH(ACCEPT)     loc             net

# Should be written as:
SSH(ACCEPT)     loc             $FW,dmz,net

# Or virtual zone:
fw-dmz-net: $FW,dmz,net
SSH(ACCEPT)     loc             fw-dmz-net

# or subtract it (% means subtract, just for illustration):
SSH(ACCEPT)     loc             all%dmz2%dmz3

# so can look like for generating the whole n x m product:
SSH(ACCEPT)     loc,dmz4             all%dmz2%dmz3

Any plan to implement such a feature if it is not possible?

Thnx.

Ciao,
Gerhard

Gerhard Wiesinger | 23 Jan 14:29 2015

Double logs

Hello,

I'm having a problem that I get doubled logs:
Jan 23 14:22:05 fw kernel: [63639.395178] SW:net2fw: ....
Jan 23 14:22:05 fw kernel: SW:net2fw: ...

I have already read the Shorewall FAQ and logging page and debugged rsyslog.

It looks like 2 messages are generated:
1.) via kernel logging (=> ends up via $ModLoad imklog also in rsyslog)
2.) via syslog

I know I can filter in rsyslog one of the messages. But I want to avoid 
the generation of the 2 messages.

And: ULOG is not an option due to IPv6.

Any ideas why 2 messages are generated and how to avoid it?

OS: Fedora 21 latest

Thank you.

Ciao,
Gerhard


Orlandinei Vujanski | 22 Jan 18:45 2015

block all IP addresses originating from the country of India

Good afternoon!
I need help.
I have to block all IP addresses originating from the country of India.
I already know the networks; there are approximately 500 of them.
If I put each of the networks in /etc/shorewall/rules, it will be very large and confusing.
How could I make the networks stay in a separate file by country?