> In my experience, "operation not permitted" errors on LEAF routers
> typically (not always) signal problems with the firewall ruleset. In this
> context, I'd suspect that to mean not a problem with Shorewall's default
> settings (they are quite well tested by now) but one in some change you
> made. To that end ...
>
> 1. I repeat the question Tom asked (quoted below) but you did not answer:
> is your internal (eth1) network 192.168.1.0/24? If not, what is it?
>
> Is your local network 192.168.1.0/24?
Yes.
My config:
eth0: ppp0 (PPPoE)
eth1: 192.168.1.0/24
> 2. What happens if you try "ping 192.168.1.255" from a router command line?
There is no answer.
>
> 3. I infer that this is a PPPoE connection, using eth0 as the Ethernet
> "carrier" for ppp0. Are your interface assignments and routing table
> consistent with this setup (or am I mistaken in my inference)?
>
> 4. If all else fails ... what is the complete output of "iptables -nvL"?
> The Shorewall config files tell us what you are trying to do; the
> underlying rulesets tell us what the router actually does. (If it gets to
> this point, please also include an interface list and routing table.)
>
1. This machine is a PPTP server.
2. It will later be used for remote-access file and print sharing.
My samba.lrp: http://leaf.sourceforge.net/devel/jnilo/packages/untested/samba.lrp
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.55.170.55   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         xxx.55.170.55   0.0.0.0         UG    0      0        0 ppp0
# iptables -nvL
Chain INPUT (policy DROP 5 packets, 193 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
13 465 ppp0_in ah -- ppp0 * 0.0.0.0/0 0.0.0.0/0
14 2109 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ppp_in ah -- ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 96 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4 374 ppp0_fwd ah -- ppp0 * 0.0.0.0/0 0.0.0.0/0
6 410 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ppp_fwd ah -- ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 21 packets, 2208 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED
0 0 fw2net ah -- * ppp0 0.0.0.0/0 0.0.0.0/0
14 2109 fw2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2loc ah -- * ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 192.168.1.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
6 410 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
6 410 loc2net ah -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc ah -- * ppp+ 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
14 2109 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
14 2109 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
14 2109 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp spt:137 dpts:1024:65535
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
Chain loc2fw (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:80
14 2109 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp spt:137 dpts:1024:65535
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2loc (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source destination
5 362 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
1 48 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
4 374 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
13 465 common ah -- * * 0.0.0.0/0 0.0.0.0/0
13 465 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
13 465 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
13 465 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
4 374 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
4 374 net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ppp+ 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
13 465 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
13 465 net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net ah -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc ah -- * ppp+ 0.0.0.0/0 0.0.0.0/0
Chain ppp_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
My /etc/shorewall/ files:
Shorewall 1.3.10
/etc/shorewall/interfaces
net ppp0 - noping
loc eth1 detect routestopped
loc ppp+
/etc/shorewall/policy
loc loc ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/rules
ACCEPT net fw tcp 1723
ACCEPT net fw 47 -
ACCEPT fw net 47 -
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139
ACCEPT loc fw udp 1024: 137
/etc/shorewall/masq
ppp0 eth1
/etc/shorewall/tunnels
pptpserver net 0.0.0.0/0
/etc/samba/smb.conf
[global]
workgroup = WORK
domain master = yes
local master = yes
preferred master = yes
os level = 65
wins support = yes
name resolve order = wins lmhosts hosts bcast
[test]
comment = for testing only, please
path = /export/samba/test
readonly = no
guest ok = yes
> Finally, I am assuming here that this router works for other purposes, like
> connecting LAN hosts to the Internet over the ppp connection. If there are
> other problems too, please mention them.
>
> At 02:56 AM 12/3/02 +0900, youngdo wrote:
> > > > [2002/12/02 16:58:02, 0]
> > > > nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
> > > > become_domain_master_browser_bcast:
> > > > Attempting to become domain master browser on workgroup WORK on subnet
> > > > 192.168.1.254 [2002/12/02 16:58:02, 0]
> > > > nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(305)
> > > > become_domain_master_browser_bcast: querying subnet 192.168.1.254 for
> > > > domain master browser on workgroup WORK [2002/12/02 16:58:04, 0]
> > > > libsmb/nmblib.c:send_udp(756)
> > > > Packet send failed to 192.168.1.255(137) ERRNO=Operation not permitted
> > > > ACCEPT fw loc udp 137:139
> > >
> > > The above rule allows UDP port 137 packets from your firewall to the local
> > > network. Is your local network 192.168.1.0/24? Are you seeing any Shorewall
> > > log messages about 192.168.1.255:137 ("shorewall show log")?
> > >
> >
> > There is no such content.
> >
> > Shorewall-1.3.10 Log at firewall -
> > ...
> > Dec 3 02:18:52 net2all:DROP:IN=ppp0 OUT= SRC=xxx.95.103.78
> > DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=16397 DF
> > PROTO=TCP SPT=2958 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
> > Dec 3 02:18:59 net2all:DROP:IN=ppp0 OUT= SRC=xxx.95.103.78
> > DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=16838 DF
> > PROTO=TCP SPT=2958 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
> > Dec 3 02:19:15 net2all:DROP:IN=ppp0 OUT= SRC=xxx.83.82.104
Thanks,
-Youngdo
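As an added example (not part of this thread), here is a small Python walker that reads an `iptables -nvL` listing and reports which rule decides a given outbound packet; on Linux, a DROP or REJECT in the OUTPUT chain is exactly what sendto() reports to nmbd as "Operation not permitted". The embedded listing is a constructed, abridged excerpt of the OUTPUT path shown above; it assumes the `ah` printed in the prot column is the catch-all `all` (those rules carry no protocol match), and it uses eth0 only as a hypothetical interface that has no Shorewall zone. Tracing the nmbd broadcast out eth1 ends at the ACCEPT in fw2loc, while the same broadcast leaving an unzoned interface falls through to `common`, whose 192.168.1.255 DROP is one way to get precisely that error.

```python
import ipaddress
# Constructed, abridged excerpt of the OUTPUT path in the listing above (continuation lines joined
# onto their rules); the "ah" shown there is read as the catch-all "all" protocol (see lead-in).
LISTING = """\
Chain OUTPUT (policy DROP 21 packets, 2208 bytes)
14 2109 fw2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
0 0 DROP ah -- * * 0.0.0.0/0 192.168.1.255
Chain fw2loc (2 references)
14 2109 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:137:139
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (3 references)
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

def parse(text):
    chains = {}
    for line in text.splitlines():
        t = line.split()
        if t[0] == "Chain":   # built-in chains carry a policy; user chains fall through (RETURN)
            cur = chains[t[1]] = {"policy": t[3] if t[2] == "(policy" else "RETURN", "rules": []}
            continue
        rule = {"target": t[2], "proto": t[3], "out": t[6], "dst": t[8], "state": None, "dport": None}
        for i, tok in enumerate(t):   # match extensions follow the nine fixed columns
            if tok == "state":
                rule["state"] = set(t[i + 1].split(","))
            elif tok.startswith("dpt"):   # dpt:N or dpts:LO:HI
                rule["dport"] = (int(tok.split(":")[1]), int(tok.split(":")[-1]))
        cur["rules"].append(rule)
    return chains

def matches(rule, pkt):
    return (rule["proto"] in ("ah", pkt["proto"]) and rule["out"] in ("*", pkt["out"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dst"], strict=False)
            and (not rule["state"] or pkt["state"] in rule["state"])
            and (not rule["dport"] or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]))

def trace(chains, name, pkt, path=()):
    # Walk chain `name`; return (verdict, chain that decided it, chains visited).
    path += (name,)
    for rule in (r for r in chains[name]["rules"] if r["target"] != "LOG" and matches(r, pkt)):
        if rule["target"] not in chains:   # ACCEPT/DROP/REJECT: terminal verdict
            return rule["target"], name, path
        result = trace(chains, rule["target"], pkt, path)
        if result[0] != "RETURN":   # a user chain that fell off its end keeps walking here
            return result
    return chains[name]["policy"], name, path
```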