Modify 'my configuration' to match reality

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1597 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-09-04 20:07:48 +00:00
parent 525541e549
commit 5388f7a631
2 changed files with 346 additions and 227 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-08-05</pubdate>
<pubdate>2004-09-04</pubdate>
<copyright>
<year>2001-2004</year>
@ -48,7 +48,7 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.1.1. My configuration uses features not available in earlier Shorewall
2.1.7. My configuration uses features not available in earlier Shorewall
releases.</para>
</caution>
@ -64,9 +64,9 @@
<itemizedlist>
<listitem>
<para>I use one-to-one NAT for Ursa (my personal system that
dual-boots Mandrake 10.0 (Official) and Windows XP) - Internal address
192.168.1.5 and external address 206.124.146.178.</para>
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
9.1) - Internal address 192.168.1.5 and external address
206.124.146.178.</para>
</listitem>
<listitem>
@ -76,11 +76,10 @@
</listitem>
<listitem>
<para>I use SNAT through 206.124.146.179 for&nbsp; my SuSE 9.0 Linux
system <quote>Wookie</quote>, my Wife's Windows XP system
<quote>Tarry</quote>, and our&nbsp; dual-booting (Windows XP/SuSE 9.1)
laptop <quote>Tipper</quote> which connects through the Wireless
Access Point (wap) via a Wireless Bridge (wet).<note>
<para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (Windows
XP/SuSE 9.1) laptop <quote>Tipper</quote> which connects through the
Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
@ -96,17 +95,21 @@
<itemizedlist>
<listitem>
<para>I have Wookie (193.168.1.3) configured as a 3-port bridge. Squid
runs on this system and is configured as a transparent proxy.</para>
<para>I have Ursa (193.168.1.5/206.124.146.178) configured as a 2-port
bridge.</para>
</listitem>
<listitem>
<para>Squid runs on the firewall and is configured as a transparent
proxy.</para>
</listitem>
</itemizedlist>
<para>The firewall runs on a 256MB PII/233 with Debian Sarge
(Testing).</para>
<para>The firewall runs on a 384MB K-6/II with SuSE 9.1.</para>
<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
<para>Ursa runs Samba for file sharing with the Windows systems..</para>
<para>The wireless network connects to Wookie's eth2 via a LinkSys
<para>The wireless network connects to Ursa's eth0 via a LinkSys
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
@ -142,8 +145,9 @@
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
access.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode
road warrior access from Tipper.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
@ -156,6 +160,7 @@
<blockquote>
<programlisting>LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
@ -165,17 +170,19 @@ MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK= #I run Debian which doesn't use service locks
SUBSYSLOCK=
STATEDIR=/var/state/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall
RESTOREFILE=standard
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
@ -183,6 +190,9 @@ DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLISTNEWONLY=Yes
DYNAMIC_ZONES=No
DISABLE_IPV6=Yes
PKTTYPE=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
@ -197,7 +207,12 @@ TCP_FLAGS_DISPOSITION=DROP
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=info</programlisting></para>
OMAK=&lt;ip address of tipper while we are at our second home&gt;
LOG=info
EXT_IF=eth1
INT_IF=eth0
DMZ_IF=eth2
</programlisting></para>
</blockquote>
</section>
@ -209,8 +224,10 @@ LOG=info</programlisting></para>
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Plano
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
omak Omak Our Laptop at our second home
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
</section>
@ -221,12 +238,12 @@ tx Texas Peer Network in Plano
<para>This is set up so that I can start the firewall before bringing
up my Ethernet interfaces.</para>
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp
dmz eth1 -
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -235,18 +252,32 @@ dmz eth1 -
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; texas:192.168.8.0/22
tx texas:192.168.8.0/22
omak $EXT_IF:$OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Ipsec File</title>
<blockquote>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
omak yes mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Routestopped File</title>
<blockquote>
<programlisting>#INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
$DMZ_IF 206.124.146.177
$INT_IF -
$EXT_IF $OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -289,15 +320,26 @@ eth2 -
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT # For testing fw-&gt;fw rules
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc-&gt;fw and log
net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net-&gt;all
all all REJECT $LOG # Reject and log the rest
fw fw ACCEPT
loc net ACCEPT
fw sec ACCEPT
omak fw ACCEPT
fw omak ACCEPT
omak loc ACCEPT
loc omak ACCEPT
omak net NONE
net omak NONE
omak dmz NONE
dmz omak NONE
omak tx NONE
tx omak NONE
$FW loc ACCEPT #Firewall to Local
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
dmz tx ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -318,8 +360,8 @@ all all REJECT $LOG # Reje
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
eth0:2 eth2 206.124.146.179
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF:2 eth2 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
@ -354,6 +396,7 @@ eth0:2 eth2 206.124.146.179
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
ipsec:noah net $OMAK omak
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -449,10 +492,10 @@ REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
DROP loc:!192.168.1.0/24 net
#QUEUE loc net udp
#QUEUE loc fw udp
#QUEUE loc net tcp
#
# SQUID
#
REDIRECT loc 3128 tcp 80
###############################################################################################################################################################################
# Local Network to Firewall
#
@ -471,15 +514,24 @@ ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,cvspserver,f
dropNotSyn net fw tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
#
# Drop ping to firewall and local
#
DropPing net fw
DropPing net loc
###############################################################################################################################################################################
# Internet to DMZ
#
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.1
78
ACCEPT net dmz tcp smtp,smtps,www,ftp,imaps,domain,https,cvspserver -
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
#ACCEPT:$LOG net dmz tcp 32768:61000 20
ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
AllowPing net dmz
###############################################################################################################################################################################
#
# Net to Local
@ -487,12 +539,13 @@ Mirrors net dmz tcp rsync
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
ACCEPT net loc:192.168.1.5 tcp 22
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
DNAT net loc:192.168.1.8 tcp 4000:4100 - 206.124.146.179
#
# Real Audio
#
@ -513,8 +566,6 @@ ACCEPT dmz net tcp smtp,domain,www,81,https,whois,echo,2702,21,2703,ssh,80
ACCEPT dmz net udp domain
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
@ -532,13 +583,15 @@ REJECT dmz fw tcp auth
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
ACCEPT net dmz udp 33434:33435
ACCEPT net:$OMAK fw udp ntp
ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
###############################################################################################################################################################################
# Firewall to Internet
#
@ -557,10 +610,6 @@ ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
###############################################################################################################################################################################
# Ping
#
ACCEPT all all icmp 8
###############################################################################################################################################################################
ACCEPT tx loc:192.168.1.5 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
@ -600,10 +649,10 @@ iface eth1 inet static
</section>
<section>
<title>Bridge (Wookie) Configuration</title>
<title>Bridge (Ursa) Configuration</title>
<para>As mentioned above, Wookie acts as a bridge. It's view of the
network is diagrammed in the following figure.</para>
<para>As mentioned above, Ursa acts as a bridge. It's view of the network
is diagrammed in the following figure.</para>
<graphic fileref="images/network1.png" />
@ -629,9 +678,9 @@ iface eth1 inet static
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
WiFi WireLess Wireless Network
net Internet The Big Bad Internet
WiFi Wireless Wireless Network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
</blockquote>
@ -642,15 +691,15 @@ WiFi WireLess Wireless Network
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
fw fw ACCEPT
loc net ACCEPT
net loc ACCEPT
net fw ACCEPT
loc fw ACCEPT
loc WiFi ACCEPT
fw WiFi ACCEPT
fw net ACCEPT
loc net NONE
loc WiFi NONE
net fw ACCEPT
net WiFi ACCEPT
net loc NONE
WiFi net ACCEPT
fw loc ACCEPT
fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
@ -664,7 +713,7 @@ all all REJECT info
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- br0 192.168.1.255
- br0 192.168.1.255 dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -674,9 +723,9 @@ all all REJECT info
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
loc br0:eth1:192.168.1.0/24
net br0:eth1
loc br0:eth0
WiFi br0:eth2 maclist
WiFi br0:eth0 maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -685,33 +734,18 @@ WiFi br0:eth2 maclist
<title>rules</title>
<blockquote>
<para>The first rule allows a transparent WWW proxy (Squid) to run on
my bridge/firewall. Squid listens on port 3128.</para>
<para>The remaining rules protect the local systems and bridge from
the WiFi network. Note that we don't restrict WiFi→net traffic since
the only directly-accessible system in the net zone is the firewall
(Wookie and the Firewall are connected by a cross-over cable).</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
REDIRECT loc 3128 tcp www - !192.168.1.0/24
ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
ACCEPT WiFi loc tcp 22,80,137,139,445,631,901,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177
ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp
ACCEPT WiFi loc udp 177,123
ACCEPT WiFi loc:192.168.1.4 tcp 1723
ACCEPT WiFi loc:192.168.1.4 47
ACCEPT WiFi loc tcp 5900:5909
ACCEPT WiFi fw tcp ssh,80,111,137,139,445,9100:9104
ACCEPT WiFi fw udp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -731,10 +765,10 @@ br0 0.0.0.0/0 routeback
<blockquote>
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
br0:eth2 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
br0:eth2 00:04:59:0e:85:b9 #WAP11
br0:eth2 00:06:D5:45:33:3c #WET11
br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
br0:eth0 00:A0:1C:DB:0C:A0 192.168.1.7 #Work Laptop
br0:eth0 00:04:59:0e:85:b9 #WAP11
br0:eth0 00:06:D5:45:33:3c #WET11
br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -769,7 +803,6 @@ do_stop() {
brctl delbr br0
ip link set eth0 down
ip link set eth1 down
ip link set eth2 down
}
do_start() {
@ -777,11 +810,9 @@ do_start() {
echo "Starting Bridge"
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
}
case "$1" in
@ -812,7 +843,7 @@ exit 0</programlisting>
<programlisting>BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.3'
IPADDR='192.168.1.5'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR=''

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2004-04-03</pubdate>
<pubdate>2004-08-25</pubdate>
<copyright>
<year>2001-2004</year>
@ -27,7 +27,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -48,12 +49,13 @@
<title>Check the Errata</title>
<para>Check the <ulink url="errata.htm">Shorewall Errata</ulink> to be
sure that there isn&#39;t an update that you are missing for your
version of the firewall.</para>
sure that there isn't an update that you are missing for your version of
the firewall.</para>
</section>
<section>
<title>Try Searching the Shorewall Site and Mailing List Archives</title>
<title>Try Searching the Shorewall Site and Mailing List
Archives</title>
<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
and Mailing List Archives search facility</ulink> can locate documents
@ -66,7 +68,7 @@
Errors</title>
<para>If you receive an error message when starting or restarting the
firewall and you can&#39;t determine the cause, then do the following:</para>
firewall and you can't determine the cause, then do the following:</para>
<itemizedlist>
<listitem>
@ -74,7 +76,7 @@
</listitem>
<listitem>
<para><command>shorewall debug start 2&#62; /tmp/trace</command></para>
<para><command>shorewall debug start 2&gt; /tmp/trace</command></para>
</listitem>
<listitem>
@ -86,8 +88,8 @@
</listitem>
<listitem>
<para>If you still can&#39;t determine what&#39;s wrong then see the
<ulink url="support.htm">support page</ulink>.</para>
<para>If you still can't determine what's wrong then see the <ulink
url="support.htm">support page</ulink>.</para>
</listitem>
</itemizedlist>
@ -103,11 +105,11 @@ Terminated</programlisting>
<para>A search through the trace for <quote>No chain/target/match by
that name</quote> turned up the following:</para>
<programlisting>+ echo &#39;Adding Common Rules&#39;
<programlisting>+ echo 'Adding Common Rules'
+ add_common_rules
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
++ sed &#39;s/!/! /g&#39;
++ sed 's/!/! /g'
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
</programlisting>
@ -129,18 +131,18 @@ iptables: No chain/target/match by that name
external IP address does not mean that the request will be associated
with the external interface or the <quote>net</quote> zone. Any
traffic that you generate from the local network will be associated
with your local interface and will be treated as loc-&#62;fw traffic.</para>
with your local interface and will be treated as loc-&gt;fw
traffic.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IP addresses are properties of systems,
not of interfaces</emphasis>. It is a mistake to believe that your
firewall is able to forward packets just because you can ping the IP
address of all of the firewall&#39;s interfaces from the local
network. The only conclusion you can draw from such pinging success is
that the link between the local system and the firewall works and that
you probably have the local system&#39;s default gateway set
correctly.</para>
address of all of the firewall's interfaces from the local network.
The only conclusion you can draw from such pinging success is that the
link between the local system and the firewall works and that you
probably have the local system's default gateway set correctly.</para>
</listitem>
<listitem>
@ -148,8 +150,9 @@ iptables: No chain/target/match by that name
interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is
the IP address of your internal interface then you can write
<quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a
rule but you may not write <quote><emphasis role="bold">loc:192.168.1.254</emphasis></quote>.
Similarly, it is nonsensical to add 192.168.1.254 to the <emphasis
rule but you may not write <quote><emphasis
role="bold">loc:192.168.1.254</emphasis></quote>. Similarly, it is
nonsensical to add 192.168.1.254 to the <emphasis
role="bold">loc</emphasis> zone using an entry in
<filename>/etc/shorewall/hosts</filename>.</para>
</listitem>
@ -178,7 +181,8 @@ iptables: No chain/target/match by that name
<title>Your Network Environment</title>
<para>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:</para>
actually an ill-conceived network setup. Here are several popular
snafus:</para>
<itemizedlist>
<listitem>
@ -201,11 +205,25 @@ iptables: No chain/target/match by that name
role="bold">arp_filter</emphasis> option in <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
for all interfaces connected to the common hub/switch. Using such a
setup with a production firewall is strongly recommended against.</para>
setup with a production firewall is strongly recommended
against.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>New Device Doesn't Work?</title>
<para>If you have just added a new device such as VOIP and it doesn't
work, be sure that you have assigned it an IP address in your local
network and that its default gateway has been set to the IP address of
your internal interface. For many of these devices, the simplest solution
is to run a DHCP server; running it on your firewall is fine — be sure to
set the <emphasis role="bold">dhcp</emphasis> option on your internal
interface in <ulink
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
</section>
<section>
<title>Connection Problems</title>
@ -218,22 +236,23 @@ iptables: No chain/target/match by that name
<para>I also recommend against setting all of your policies to ACCEPT in
an effort to make something work. That robs you of one of your best
diagnostic tools - the <quote>Shorewall</quote> messages that Netfilter
will generate when you try to connect in a way that isn&#39;t permitted by
will generate when you try to connect in a way that isn't permitted by
your rule set.</para>
<para>Check your log (<quote><command>/sbin/shorewall show log</command></quote>).
If you don&#39;t see Shorewall messages, then your problem is probably NOT
a Shorewall problem. If you DO see packet messages, it may be an
indication that you are missing one or more rules -- see <ulink
url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
<para>Check your log (<quote><command>/sbin/shorewall show
log</command></quote>). If you don't see Shorewall messages, then your
problem is probably NOT a Shorewall problem. If you DO see packet
messages, it may be an indication that you are missing one or more rules
-- see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
<para>While you are troubleshooting, it is a good idea to clear two
variables in <filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
variables in
<filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
<para><programlisting>LOGRATE=
LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
messages being generated (be sure to restart shorewall after clearing
these variables).</para>
LOGBURST=""</programlisting>This way, you will see all of the log messages
being generated (be sure to restart shorewall after clearing these
variables).</para>
<example>
<title>Log Message</title>
@ -244,13 +263,14 @@ LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
PREC=0x00 TTL=63 ID=5805 DF
PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
<para>Let&#39;s look at the important parts of this message:</para>
<para>Let's look at the important parts of this message:</para>
<itemizedlist>
<listitem>
<para>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the <quote>all</quote>-&#62;<quote>all</quote>
REJECT policy (see <ulink url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
chain -- the packet was rejected under the
<quote>all</quote>-&gt;<quote>all</quote> REJECT policy (see <ulink
url="FAQ.htm#faq17">FAQ 17</ulink>).</para>
</listitem>
<listitem>
@ -258,7 +278,8 @@ LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
</listitem>
<listitem>
<para>OUT=eth1 - if accepted, the packet would be sent on eth1</para>
<para>OUT=eth1 - if accepted, the packet would be sent on
eth1</para>
</listitem>
<listitem>
@ -266,7 +287,8 @@ LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
</listitem>
<listitem>
<para>DST=192.168.1.3 - the packet is destined for 192.168.1.3</para>
<para>DST=192.168.1.3 - the packet is destined for
192.168.1.3</para>
</listitem>
<listitem>
@ -279,7 +301,8 @@ LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
</itemizedlist>
<para>In this case, 192.168.2.2 was in the <quote>dmz</quote> zone and
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the rule:</para>
192.168.1.3 is in the <quote>loc</quote> zone. I was missing the
rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
@ -290,26 +313,27 @@ ACCEPT dmz loc udp 53</programlisting>
<section>
<title>Ping Problems</title>
<para>Either can&#39;t ping when you think you should be able to or are
able to ping when you think that you shouldn&#39;t be allowed?
Shorewall&#39;s <quote>Ping</quote> Management is <ulink url="ping.html">described
<para>Either can't ping when you think you should be able to or are able
to ping when you think that you shouldn't be allowed? Shorewall's
<quote>Ping</quote> Management is <ulink url="ping.html">described
here</ulink>. Here are a couple of tips:</para>
<itemizedlist>
<listitem>
<para>Remember that Shorewall doesn&#39;t automatically allow ICMP
type 8 (<quote>ping</quote>) requests to be sent between zones. If you
want pings to be allowed between zones, you need a rule of the form:</para>
<para>Remember that Shorewall doesn't automatically allow ICMP type 8
(<quote>ping</quote>) requests to be sent between zones. If you want
pings to be allowed between zones, you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT&#x00A0;&#x00A0; <emphasis>&#60;source zone&#62;</emphasis>&#x00A0;&#x00A0; <emphasis>&#60;destination zone&#62;</emphasis>&#x00A0;&#x00A0;&#x00A0; icmp&#x00A0;&#x00A0;&#x00A0; echo-request</programlisting>
ACCEPT&nbsp;&nbsp; <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;destination zone&gt;</emphasis>&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; echo-request</programlisting>
<para>The ramifications of this can be subtle. For example, if you
have the following in <filename><ulink url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
have the following in <filename><ulink
url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL
10.1.1.2&#x00A0;&#x00A0;&#x00A0; eth0&#x00A0;&#x00A0;&#x00A0; 130.252.100.18</programlisting>
10.1.1.2&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 130.252.100.18</programlisting>
<para>and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
@ -339,17 +363,19 @@ DROP net fw icmp echo-request</programlist
<orderedlist>
<listitem>
<para>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn&#39;t in any zone
(using an <ulink url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
sending the packets or the destination host isn't in any zone
(using an <ulink
url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
file are you?); or</para>
</listitem>
<listitem>
<para>the source and destination hosts are both connected to the
same interface and you don&#39;t have a policy or rule for the
source zone to or from the destination zone or you haven&#39;t set
the <emphasis role="bold">routeback</emphasis> option for the
interface in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
same interface and you don't have a policy or rule for the source
zone to or from the destination zone or you haven't set the
<emphasis role="bold">routeback</emphasis> option for the
interface in <ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
</listitem>
</orderedlist>
</listitem>
@ -364,11 +390,11 @@ DROP net fw icmp echo-request</programlist
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing
between them must be set up <emphasis role="bold">in both directions</emphasis>.
So when setting up routing between <emphasis role="bold">A</emphasis>
and <emphasis role="bold">B</emphasis>, be sure to verify that the
route from <emphasis role="bold">B</emphasis> back to <emphasis
role="bold">A</emphasis> is defined.</para>
between them must be set up <emphasis role="bold">in both
directions</emphasis>. So when setting up routing between <emphasis
role="bold">A</emphasis> and <emphasis role="bold">B</emphasis>, be
sure to verify that the route from <emphasis role="bold">B</emphasis>
back to <emphasis role="bold">A</emphasis> is defined.</para>
</listitem>
<listitem>
@ -380,15 +406,17 @@ DROP net fw icmp echo-request</programlist
<listitem>
<para>Do you have your kernel properly configured? <ulink
url="kernel.htm">Click here to see my kernel configuration</ulink>.</para>
url="kernel.htm">Click here to see my kernel
configuration</ulink>.</para>
</listitem>
<listitem>
<para>Shorewall requires the <quote>ip</quote> program. That program
is generally included in the <quote>iproute</quote> package which
should be included with your distribution (though many distributions
don&#39;t install iproute by default). You may also download the
latest source tarball from <ulink url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
don't install iproute by default). You may also download the latest
source tarball from <ulink
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
.</para>
</listitem>
@ -404,17 +432,77 @@ DROP net fw icmp echo-request</programlist
<section>
<title>Still Having Problems?</title>
<para>See the <ulink url="support.htm">Shorewall Support Page</ulink>.</para>
<para>See the <ulink url="support.htm">Shorewall Support
Page</ulink>.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook Conversion</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.9</revnumber>
<date>2004-08-25</date>
<authorinitials>TE</authorinitials>
<revremark>Advice for the networking-challenged.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-03</date>
<authorinitials>TE</authorinitials>
<revremark>Point out that firewall addresses are in the $FW
zone.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-02</date>
<authorinitials>TE</authorinitials>
<revremark>Add hint about testing from inside the
firewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-01-06</date>
<authorinitials>TE</authorinitials>
<revremark>Add pointer to Site and Mailing List Archives
Searches.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added information about eliminating ping-generated log
messages.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-22</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>