forked from extern/shorewall_code
36aa2c8e88
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1020 lines
55 KiB
HTML
1020 lines
55 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
|
||
|
||
<meta http-equiv="Content-Language" content="en-us">
|
||
|
||
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
|
||
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
|
||
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
<title>Shorewall FAQ</title>
|
||
|
||
|
||
|
||
<meta name="Microsoft Theme" content="none">
|
||
</head>
|
||
<body>
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0"
|
||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||
bgcolor="#400169" height="90">
|
||
<tbody>
|
||
<tr>
|
||
<td width="100%">
|
||
|
||
|
||
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
</tbody>
|
||
</table>
|
||
|
||
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
|
||
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
|
||
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
|
||
|
||
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
|
||
but it doesn't work.<br>
|
||
</a></p>
|
||
|
||
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
|
||
port forwarding</a></p>
|
||
|
||
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
|
||
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
|
||
in my local network. <b>External clients can browse</b> http://www.mydomain.com
|
||
but <b>internal clients can't</b>.</a></p>
|
||
|
||
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
|
||
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
|
||
to hosts in Z. Hosts in Z cannot communicate with each other using
|
||
their external (non-RFC1918 addresses) so they <b>can't access
|
||
each other using their DNS names.</b></a></p>
|
||
|
||
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
|
||
Messenger </b>with Shorewall. What do I do?</a></p>
|
||
|
||
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
|
||
to check my firewall and it shows <b>some ports as 'closed'
|
||
rather than 'blocked'.</b> Why?</a></p>
|
||
|
||
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
|
||
of my firewall and it showed 100s of ports as open!!!!</a></p>
|
||
|
||
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
|
||
I <b> can't ping</b> through the firewall</a></p>
|
||
|
||
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
|
||
written and how do I <b>change the destination</b>?</a></p>
|
||
|
||
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
|
||
that work with Shorewall?</a></p>
|
||
|
||
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
|
||
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
|
||
work?</a></p>
|
||
|
||
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
|
||
on RedHat</b> I get messages about insmod failing -- what's
|
||
wrong?</a></p>
|
||
|
||
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
|
||
my interfaces </b>properly?</a></p>
|
||
|
||
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
|
||
it work with?</a></p>
|
||
|
||
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
|
||
support?</a></p>
|
||
|
||
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
|
||
|
||
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
|
||
|
||
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
|
||
and it has an internel web server that allows me to configure/monitor
|
||
it but as expected if I enable <b> rfc1918 blocking</b> for my
|
||
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
|
||
|
||
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
|
||
IP addresses, my ISP's DHCP server has an RFC 1918 address.
|
||
If I enable RFC 1918 filtering on my external interface, <b>my
|
||
DHCP client cannot renew its lease</b>.</a></p>
|
||
|
||
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
|
||
out to the net</b></a></p>
|
||
|
||
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
|
||
all over my console</b> making it unusable!<br>
|
||
</a></p>
|
||
<b>17</b>. <a href="#faq17">How do I find
|
||
out <b>why this traffic is</b> getting <b>logged?</b></a><br>
|
||
<br>
|
||
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased
|
||
ip addresses</b> with Shorewall, and maintain separate rulesets for
|
||
different IPs?</a><br>
|
||
<br>
|
||
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
|
||
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
|
||
<br>
|
||
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do
|
||
I have to change Shorewall to allow access to my server from the internet?<br>
|
||
<br>
|
||
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
|
||
</b>occasionally; what are they?<br>
|
||
</a><br>
|
||
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I
|
||
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
|
||
|
||
<hr>
|
||
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
|
||
my my personal PC with IP address 192.168.1.5. I've looked everywhere
|
||
and can't find how to do it.</h4>
|
||
|
||
<p align="left"><b>Answer: </b>The <a
|
||
href="Documentation.htm#PortForward"> first example</a> in the <a
|
||
href="Documentation.htm#Rules">rules file documentation</a> shows how to
|
||
do port forwarding under Shorewall. The format of a port-forwarding
|
||
rule to a local system is as follows:</p>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber1">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIG. DEST.</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><local IP address></i>[:<i><local
|
||
port</i>>]</td>
|
||
<td><i><protocol></i></td>
|
||
<td><i><port #></i></td>
|
||
<td> <br>
|
||
</td>
|
||
<td> <br>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
|
||
the rule is:</p>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber1">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIG. DEST.</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:192.168.1.5</td>
|
||
<td>udp</td>
|
||
<td>7777</td>
|
||
<td> <br>
|
||
</td>
|
||
<td> <br>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<div align="left"> <font face="Courier"> </font>If
|
||
you want to forward requests directed to a particular address ( <i><external
|
||
IP></i> ) on your firewall to an internal system:</div>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber1">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIG. DEST.</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><local IP address></i>[:<i><local
|
||
port</i>>]</td>
|
||
<td><i><protocol></i></td>
|
||
<td><i><port #></i></td>
|
||
<td>-</td>
|
||
<td><i><external IP></i></td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
|
||
but it doesn't work</h4>
|
||
|
||
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
|
||
|
||
<ul>
|
||
<li>You are trying to test from inside your firewall
|
||
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||
<li>You have a more basic problem with your local
|
||
system such as an incorrect default gateway configured (it should
|
||
be set to the IP address of your firewall's internal interface).</li>
|
||
|
||
</ul>
|
||
|
||
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
|
||
forwarding</h4>
|
||
<b>Answer: </b>To further diagnose this problem:<br>
|
||
|
||
<ul>
|
||
<li>As root, type "iptables -t nat -Z". This clears the
|
||
NetFilter counters in the nat table.</li>
|
||
<li>Try to connect to the redirected port from an external
|
||
host.</li>
|
||
<li>As root type "shorewall show nat"</li>
|
||
<li>Locate the appropriate DNAT rule. It will be in a chain
|
||
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes
|
||
the<68> ('net' in the above examples).</li>
|
||
<li>Is the packet count in the first column non-zero? If
|
||
so, the connection request is reaching the firewall and is being redirected
|
||
to the server. In this case, the problem is usually a missing or incorrect
|
||
default gateway setting on the server (the server's default gateway
|
||
should be the IP address of the firewall's interface to the server).</li>
|
||
<li>If the packet count is zero:</li>
|
||
|
||
<ul>
|
||
<li>the connection request is not reaching your server
|
||
(possibly it is being blocked by your ISP); or</li>
|
||
<li>you are trying to connect to a secondary IP address
|
||
on your firewall and your rule is only redirecting the primary IP address
|
||
(You need to specify the secondary IP address in the "ORIG. DEST." column
|
||
in your DNAT rule); or</li>
|
||
<li>your DNAT rule doesn't match the connection request
|
||
in some other way. In that case, you may have to use a packet sniffer
|
||
such as tcpdump or ethereal to further diagnose the problem.<br>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
</ul>
|
||
|
||
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
|
||
(IP 130.151.100.69) to system 192.168.1.5 in my local network.
|
||
External clients can browse http://www.mydomain.com but internal
|
||
clients can't.</h4>
|
||
|
||
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
|
||
|
||
<ul>
|
||
<li>Having an internet-accessible server in your
|
||
local network is like raising foxes in the corner of your hen
|
||
house. If the server is compromised, there's nothing between that
|
||
server and your other internal systems. For the cost of another
|
||
NIC and a cross-over cable, you can put your server in a DMZ
|
||
such that it is isolated from your local systems - assuming that
|
||
the Server can be located near the Firewall, of course :-)</li>
|
||
<li>The accessibility problem is best solved using
|
||
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
|
||
(or using a separate DNS server for local clients) such that www.mydomain.com
|
||
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
|
||
That's what I do here at shorewall.net for my local systems that use
|
||
static NAT.</li>
|
||
|
||
</ul>
|
||
|
||
<p align="left">If you insist on an IP solution to the accessibility problem
|
||
rather than a DNS solution, then assuming that your external
|
||
interface is eth0 and your internal interface is eth1 and that
|
||
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
|
||
the following:</p>
|
||
|
||
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
|
||
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
|
||
|
||
<div align="left">
|
||
<p align="left">b) In /etc/shorewall/rules, add:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber1">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIG. DEST.</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>loc:192.168.1.0/24</td>
|
||
<td>loc:192.168.1.5</td>
|
||
<td>tcp</td>
|
||
<td>www</td>
|
||
<td>-</td>
|
||
<td>130.151.100.69:192.168.1.254</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
|
||
<div align="left">
|
||
<p align="left">That rule only works of course if you have a static external
|
||
IP address. If you have a dynamic IP address and are running
|
||
Shorewall 1.3.4 or later then include this in /etc/shorewall/params:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<pre> ETH0_IP=`find_interface_address eth0`</pre>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">and make your DNAT rule:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber1">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ACTION</b></u></td>
|
||
<td><u><b>SOURCE</b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>PROTOCOL</b></u></td>
|
||
<td><u><b>PORT</b></u></td>
|
||
<td><u><b>SOURCE PORT</b></u></td>
|
||
<td><u><b>ORIG. DEST.</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>loc:192.168.1.0/24</td>
|
||
<td>loc:192.168.1.5</td>
|
||
<td>tcp</td>
|
||
<td>www</td>
|
||
<td>-</td>
|
||
<td>$ETH0_IP:192.168.1.254</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
|
||
client to automatically restart Shorewall each time that you
|
||
get a new IP address.</p>
|
||
</div>
|
||
|
||
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
|
||
subnet and I use static NAT to assign non-RFC1918 addresses to
|
||
hosts in Z. Hosts in Z cannot communicate with each other using
|
||
their external (non-RFC1918 addresses) so they can't access each
|
||
other using their DNS names.</h4>
|
||
|
||
<p align="left"><b>Answer: </b>This is another problem that is best solved
|
||
using Bind Version 9 "views". It allows both external and internal
|
||
clients to access a NATed host using the host's DNS name.</p>
|
||
|
||
<p align="left">Another good way to approach this problem is to switch from
|
||
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
|
||
addresses and can be accessed externally and internally using the
|
||
same address. </p>
|
||
|
||
<p align="left">If you don't like those solutions and prefer routing all
|
||
Z->Z traffic through your firewall then:</p>
|
||
|
||
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
|
||
(If you are running a Shorewall version earlier than 1.3.9).<br>
|
||
b) Set the Z->Z policy to ACCEPT.<br>
|
||
c) Masquerade Z to itself.<br>
|
||
<br>
|
||
Example:</p>
|
||
|
||
<p align="left">Zone: dmz<br>
|
||
Interface: eth2<br>
|
||
Subnet: 192.168.2.0/24</p>
|
||
|
||
<p align="left">In /etc/shorewall/interfaces:</p>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber2">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>ZONE</b></u></td>
|
||
<td><u><b>INTERFACE</b></u></td>
|
||
<td><u><b>BROADCAST</b></u></td>
|
||
<td><u><b>OPTIONS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>dmz</td>
|
||
<td>eth2</td>
|
||
<td>192.168.2.255</td>
|
||
<td>multi</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<p align="left">In /etc/shorewall/policy:</p>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber3">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>SOURCE </b></u></td>
|
||
<td><u><b>DESTINATION</b></u></td>
|
||
<td><u><b>POLICY</b></u></td>
|
||
<td><u><b>LIMIT:BURST</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>dmz</td>
|
||
<td>dmz</td>
|
||
<td>ACCEPT</td>
|
||
<td> <br>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<div align="left">
|
||
<pre align="left"> dmz dmz ACCEPT</pre>
|
||
</div>
|
||
|
||
<p align="left">In /etc/shorewall/masq:</p>
|
||
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber3" width="369">
|
||
<tbody>
|
||
<tr>
|
||
<td width="93"><u><b>INTERFACE </b></u></td>
|
||
<td width="31"><u><b>SUBNET</b></u></td>
|
||
<td width="120"><u><b>ADDRESS</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td width="93">eth2</td>
|
||
<td width="31">192.168.2.0/24</td>
|
||
<td width="120"> <br>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
|
||
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger
|
||
with Shorewall. What do I do?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>There is an <a
|
||
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
|
||
tracking/NAT module</a> that may help. Also check the Netfilter
|
||
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
|
||
</p>
|
||
|
||
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
|
||
to check my firewall and it shows some ports as 'closed' rather
|
||
than 'blocked'. Why?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
|
||
always rejects connection requests on TCP port 113 rather
|
||
than dropping them. This is necessary to prevent outgoing connection
|
||
problems to services that use the 'Auth' mechanism for identifying
|
||
requesting users. Shorewall also rejects TCP ports 135, 137 and
|
||
139 as well as UDP ports 137-139. These are ports that are used
|
||
by Windows (Windows <u>can</u> be configured to use the DCE cell locator
|
||
on port 135). Rejecting these connection requests rather than dropping
|
||
them cuts down slightly on the amount of Windows chatter on LAN segments
|
||
connected to the Firewall. </p>
|
||
|
||
<p align="left">If you are seeing port 80 being 'closed', that's probably
|
||
your ISP preventing you from running a web server in violation
|
||
of your Service Agreement.</p>
|
||
|
||
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
|
||
firewall and it showed 100s of ports as open!!!!</h4>
|
||
|
||
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
|
||
section about UDP scans. If nmap gets <b>nothing</b> back
|
||
from your firewall then it reports the port as open. If you
|
||
want to see which UDP ports are really open, temporarily change
|
||
your net->all policy to REJECT, restart Shorewall and do the
|
||
nmap UDP scan again.</p>
|
||
|
||
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
|
||
can't ping through the firewall</h4>
|
||
|
||
<p align="left"><b>Answer: </b>If you want your firewall to be totally open
|
||
for "ping": </p>
|
||
|
||
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
|
||
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
|
||
c) Add the following to /etc/shorewall/icmpdef:
|
||
</p>
|
||
|
||
<blockquote>
|
||
|
||
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
|
||
-j ACCEPT<br>
|
||
</p>
|
||
</blockquote>
|
||
For a complete description of Shorewall 'ping' management, see <a
|
||
href="ping.html">this page</a>.
|
||
|
||
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
|
||
and how do I change the destination?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
|
||
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
|
||
facility (see "man openlog") and you get to choose the log level (again,
|
||
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
|
||
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
|
||
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
|
||
When you have changed /etc/syslog.conf, be sure to restart syslogd
|
||
(on a RedHat system, "service syslog restart"). </p>
|
||
|
||
<p align="left">By default, older versions of Shorewall ratelimited log messages
|
||
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
|
||
-- If you want to log all messages, set: </p>
|
||
|
||
<div align="left">
|
||
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
|
||
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
|
||
</div>
|
||
|
||
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
|
||
with Shorewall?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>Here are several links that may be helpful:
|
||
</p>
|
||
|
||
<blockquote>
|
||
|
||
<p align="left"><a
|
||
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
|
||
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
|
||
<a
|
||
href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
|
||
href="http://www.logwatch.org"><br>
|
||
http://www.logwatch.org</a><br>
|
||
</p>
|
||
</blockquote>
|
||
I personnaly use Logwatch. It emails me a report each day from my various
|
||
systems with each report summarizing the logged activity on the corresponding
|
||
system.<2E>
|
||
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
|
||
stop', I can't connect to anything. Why doesn't that command work?</h4>
|
||
|
||
<p align="left">The 'stop' command is intended to place your firewall into
|
||
a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
|
||
are activated. If you want to totally open up your firewall, you
|
||
must use the 'shorewall clear' command. </p>
|
||
|
||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
|
||
I get messages about insmod failing -- what's wrong?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>The output you will see looks something like
|
||
this:</p>
|
||
|
||
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br> Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br> iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br> Perhaps iptables or your kernel needs to be upgraded.</pre>
|
||
|
||
<p align="left">This is usually cured by the following sequence of commands:
|
||
</p>
|
||
|
||
<div align="left">
|
||
<pre align="left"> service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</pre>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
|
||
for problems concerning the version of iptables (v1.2.3) shipped
|
||
with RH7.2.</p>
|
||
</div>
|
||
|
||
<h4 align="left"> </h4>
|
||
|
||
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
|
||
properly?</h4>
|
||
|
||
<p align="left">I just installed Shorewall and when I issue the start command,
|
||
I see the following:</p>
|
||
|
||
<div align="left">
|
||
<pre> Processing /etc/shorewall/shorewall.conf ...<br> Processing /etc/shorewall/params ...<br> Starting Shorewall...<br> Loading Modules...<br> Initializing...<br> Determining Zones...<br> Zones: net loc<br> Validating interfaces file...<br> Validating hosts file...<br> Determining Hosts in Zones...<br><b> Net Zone: eth0:0.0.0.0/0<br> Local Zone: eth1:0.0.0.0/0<br></b> Deleting user chains...<br> Creating input Chains...<br> ...</pre>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Why can't Shorewall detect my interfaces properly?</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
|
||
Net zone is defined as all hosts that are connected through eth0 and the
|
||
local zone is defined as all hosts connected through eth1</p>
|
||
</div>
|
||
|
||
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
|
||
with?</h4>
|
||
|
||
<p align="left">Shorewall works with any GNU/Linux distribution that includes
|
||
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
|
||
|
||
<h4 align="left">11. What Features does it have?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
|
||
Feature List</a>.</p>
|
||
|
||
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
|
||
find myself doing other things. I guess I just don't care enough if
|
||
Shorewall has a GUI to invest the effort to create one myself. There
|
||
are several Shorewall GUI projects underway however and I will publish
|
||
links to them when the authors feel that they are ready. </p>
|
||
|
||
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
|
||
|
||
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
|
||
(<a href="http://www.cityofshoreline.com">the city where
|
||
I live</a>) and "Fire<u>wall</u>". The full name of the product
|
||
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p>
|
||
|
||
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
|
||
and it has an internal web server that allows me to configure/monitor
|
||
it but as expected if I enable rfc1918 blocking for my eth0 interface
|
||
(the internet one), it also blocks the cable modems web server.</h4>
|
||
|
||
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
|
||
that will let all traffic to and from the 192.168.100.1 address
|
||
of the modem in/out but still block all other rfc1918 addresses?</p>
|
||
|
||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
|
||
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
|
||
following:</p>
|
||
|
||
<div align="left">
|
||
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">If you are running version 1.3.1 or later, simply add the
|
||
following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<blockquote>
|
||
|
||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||
id="AutoNumber3">
|
||
<tbody>
|
||
<tr>
|
||
<td><u><b>SUBNET </b></u></td>
|
||
<td><u><b>TARGET</b></u></td>
|
||
</tr>
|
||
<tr>
|
||
<td>192.168.100.1</td>
|
||
<td>RETURN</td>
|
||
</tr>
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.<br>
|
||
</p>
|
||
|
||
<p align="left">Note: If you add a second IP address to your external firewall
|
||
interface to correspond to the modem address, you must also make
|
||
an entry in /etc/shorewall/rfc1918 for that address. For example,
|
||
if you configure the address 192.168.100.2 on your firewall, then
|
||
you would add two entries to /etc/shorewall/rfc1918: <br>
|
||
</p>
|
||
|
||
<blockquote>
|
||
|
||
<table cellpadding="2" border="1" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td valign="top"><u><b>SUBNET</b></u><br>
|
||
</td>
|
||
<td valign="top"><u><b>TARGET</b></u><br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">192.168.100.1<br>
|
||
</td>
|
||
<td valign="top">RETURN<br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">192.168.100.2<br>
|
||
</td>
|
||
<td valign="top">RETURN<br>
|
||
</td>
|
||
</tr>
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
</blockquote>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
|
||
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
|
||
RFC 1918 filtering on my external interface, my DHCP client cannot renew
|
||
its lease.</h4>
|
||
</div>
|
||
|
||
<div align="left">
|
||
<p align="left">The solution is the same as FAQ 14 above. Simply substitute
|
||
the IP address of your ISPs DHCP server.</p>
|
||
</div>
|
||
|
||
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
|
||
the net</h4>
|
||
|
||
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
|
||
the net", I wonder where the poster bought computers with eyes
|
||
and what those computers will "see" when things are working properly.
|
||
That aside, the most common causes of this problem are:</p>
|
||
|
||
<ol>
|
||
<li>
|
||
|
||
|
||
<p align="left">The default gateway on each local system isn't set to
|
||
the IP address of the local firewall interface.</p>
|
||
</li>
|
||
<li>
|
||
|
||
|
||
<p align="left">The entry for the local network in the /etc/shorewall/masq
|
||
file is wrong or missing.</p>
|
||
</li>
|
||
<li>
|
||
|
||
|
||
<p align="left">The DNS settings on the local systems are wrong or the
|
||
user is running a DNS server on the firewall and hasn't enabled
|
||
UDP and TCP port 53 from the firewall to the internet.</p>
|
||
</li>
|
||
|
||
</ol>
|
||
|
||
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
|
||
all over my console making it unusable!</h4>
|
||
|
||
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
|
||
to your startup scripts or place it in /etc/shorewall/start.
|
||
Under RedHat, the max log level that is sent to the console
|
||
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
|
||
</p>
|
||
|
||
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
|
||
logged?</h4>
|
||
<b>Answer: </b>Logging occurs out of a number of chains
|
||
(as indicated in the log message) in Shorewall:<br>
|
||
|
||
<ol>
|
||
<li><b>man1918 - </b>The destination address is listed
|
||
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
|
||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||
<li><b>rfc1918</b> - The source address is listed in
|
||
/etc/shorewall/rfc1918 with a <b>logdrop </b>target<EFBFBD>-- see <a
|
||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||
<li><b>all2<zone></b>, <b><zone>2all</b>
|
||
or <b>all2all </b>- You have a<a
|
||
href="Documentation.htm#Policy"> policy</a> that specifies a log level
|
||
and this packet is being logged under that policy. If you intend to
|
||
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a>
|
||
to that effect.<br>
|
||
</li>
|
||
<li><b><zone1>2<zone2> </b>- Either you
|
||
have a<a href="Documentation.htm#Policy"> policy</a> for <b><zone1>
|
||
</b>to <b><zone2></b> that specifies a log level and this
|
||
packet is being logged under that policy or this packet matches a
|
||
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
|
||
<li><b><interface>_mac</b> - The packet is being logged
|
||
under the <b>maclist</b> <a
|
||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||
</li>
|
||
<li><b>logpkt</b> - The packet is being logged under
|
||
the <b>logunclean</b> <a
|
||
href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||
<li><b>badpkt </b>- The packet is being logged under
|
||
the <b>dropunclean</b> <a
|
||
href="Documentation.htm#Interfaces">interface option</a> as specified
|
||
in the <b>LOGUNCLEAN </b>setting in <a
|
||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||
<li><b>blacklst</b> - The packet is being logged because
|
||
the source IP is blacklisted in the<a
|
||
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
|
||
<li><b>newnotsyn </b>- The packet is being logged because
|
||
it is a TCP packet that is not part of any current connection yet
|
||
it is not a syn packet. Options affecting the logging of such packets
|
||
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
|
||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has
|
||
a source IP address that isn't in any of your defined zones ("shorewall
|
||
check" and look at the printed zone definitions) or the chain is FORWARD
|
||
and the destination IP isn't in any of your defined zones.</li>
|
||
<li><b>logflags </b>- The packet is being logged because it failed
|
||
the checks implemented by the <b>tcpflags </b><a
|
||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||
</li>
|
||
|
||
</ol>
|
||
|
||
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
|
||
with Shorewall, and maintain separate rulesets for different IPs?</h4>
|
||
<b>Answer: </b>Yes. You simply use the IP address in your
|
||
rules (or if you use NAT, use the local IP address in your rules).
|
||
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will
|
||
disappear eventually. Neither iproute (ip and tc) nor iptables supports
|
||
that notation so neither does Shorewall. <br>
|
||
<br>
|
||
<b>Example 1:</b><br>
|
||
<br>
|
||
/etc/shorewall/rules
|
||
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span
|
||
class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span
|
||
class="moz-txt-citetags"></span></pre>
|
||
<span class="moz-txt-citetags"></span><b>Example 2 (NAT):</b><br>
|
||
<br>
|
||
<span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
|
||
|
||
<pre wrap=""><span class="moz-txt-citetags"></span><span
|
||
class="moz-txt-citetags"></span> 192.0.2.126 eth0 10.1.1.126</pre>
|
||
/etc/shorewall/rules
|
||
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
|
||
class="moz-txt-citetags"></span><br> <span class="moz-txt-citetags"></span>ACCEPT net loc:10.1.1.126 tcp www<span
|
||
class="moz-txt-citetags"></span><br></pre>
|
||
<b>Example 3 (DNAT):<br>
|
||
</b>
|
||
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
|
||
|
||
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
|
||
but they don't seem to do anything. Why?</h4>
|
||
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
|
||
so the contents of the tcrules file are simply being ignored.<br>
|
||
|
||
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
|
||
to change Shorewall to allow access to my server from the internet?</b><br>
|
||
</h4>
|
||
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
|
||
guide</a> that you used during your initial setup for information about
|
||
how to set up rules for your server.<br>
|
||
|
||
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
|
||
what are they?<br>
|
||
</h4>
|
||
|
||
<blockquote>
|
||
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
|
||
</blockquote>
|
||
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal
|
||
LAN<br>
|
||
<br>
|
||
<b>Answer: </b>While most people associate the Internet Control
|
||
Message Protocol (ICMP) with 'ping', ICMP is a key piece of <20>the internet.
|
||
ICMP is used to report problems back to the sender of a packet; this is
|
||
what is happening here. Unfortunately, where NAT is involved (including
|
||
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
|
||
That is what you are seeing with these messages.<br>
|
||
<br>
|
||
Here is my interpretation of what is happening -- to confirm this
|
||
analysis, one would have to have packet sniffers placed a both ends of
|
||
the connection.<br>
|
||
<br>
|
||
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS
|
||
query to 192.0.2.3 and your DNS server tried to send a response (the
|
||
response information is in the brackets -- note source port 53 which marks
|
||
this as a DNS reply). When the response was returned to to 206.124.146.179,
|
||
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to
|
||
172.16.1.10 who no longer had a connection on UDP port 2857. This causes
|
||
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
|
||
As this packet is sent back through 206.124.146.179, that box correctly
|
||
changes the source address in the packet to 206.124.146.179 but doesn't
|
||
reset the DST IP in the original DNS response similarly. When the ICMP
|
||
reaches your firewall (192.0.2.3), your firewall has no record of having
|
||
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
|
||
to anything that was sent. The final result is that the packet gets logged
|
||
and dropped in the all2all chain. I have also seen cases where the source
|
||
IP in the ICMP itself isn't set back to the external IP of the remote NAT
|
||
gateway; that causes your firewall to log and drop the packet out of the
|
||
rfc1918 chain because the source IP is reserved by RFC 1918.<br>
|
||
|
||
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
|
||
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4>
|
||
You can place these commands in one of the <a
|
||
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
|
||
sure that you look at the contents of the chain(s) that you will be modifying
|
||
with your commands to be sure that the commands will do what they are intended.
|
||
Many iptables commands published in HOWTOs and other instructional material
|
||
use the -A command which adds the rules to the end of the chain. Most chains
|
||
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT
|
||
rule and any rules that you add after that will be ignored. Check "man iptables"
|
||
and look at the -I (--insert) command.<br>
|
||
<br>
|
||
|
||
<div align="left"> </div>
|
||
<font size="2">Last updated 12/13/2002 - <a
|
||
href="support.htm">Tom Eastep</a></font>
|
||
|
||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||
</p>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
<br>
|
||
</body>
|
||
</html>
|