Re: [Shorewall-users] Help with configuration bridge/kvm vnet host

2014-04-08 Thread Tom Eastep
On 4/7/2014 3:38 AM, Bruno Friedmann wrote:

> M, I will never find a small enough hole to hide myself in it!!!
> My feeling of missing something evident confirmed, a big thanks Tom.
> 
> After fixing the failure, I've tried the configuration. But I'm a bit puzzle 
> by the log I get 
> 
> I'm seeing a lot of DROP for traffic in net2dmz but that shouldn't normally 
> concern my vhost
> 
> Apr  7 11:42:10 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=24.25.227.67 
> DST=176.31.224.27 LEN=59 TOS=00 PREC=0x00 TTL=238 ID=38975 DF PROTO=UDP 
> SPT=62600 DPT=53 LEN=39 MARK=0
> Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=02:00:00:11:69:43:6c:9c:ed:bb:bd:80:08:00 SRC=37.59.224.97 
> DST=176.31.32.135 LEN=123 TOS=00 PREC=0x00 TTL=61 ID=61237 DF PROTO=UDP 
> SPT=40642 DPT=1200 LEN=103 MARK=0
> Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=02:00:00:89:d7:f2:6c:9c:ed:bb:bd:80:08:00 SRC=193.57.110.171 
> DST=5.135.101.211 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=23071 PROTO=TCP SPT=34510 
> DPT=80 SEQ=2564968756 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
> Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=178.255.84.39 
> DST=176.31.224.27 LEN=74 TOS=00 PREC=0x00 TTL=52 ID=23876 PROTO=UDP SPT=30851 
> DPT=53 LEN=54 MARK=0
> Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=212.54.41.229 
> DST=176.31.224.27 LEN=75 TOS=00 PREC=0x00 TTL=57 ID=36903 PROTO=UDP SPT=55191 
> DPT=53 LEN=55 MARK=0
> Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 
> MAC=00:25:90:53:4d:e4:6c:9c:ed:bb:bd:80:08:00 SRC=188.165.253.24 
> DST=176.31.224.190 LEN=60 TOS=00 PREC=0x00 TTL=62 ID=27903 DF PROTO=TCP 
> SPT=39169 DPT=6767 SEQ=732529407 ACK=0 WINDOW=5840 SYN URGP=0 MARK=0
> 
> 
> The main ip (fw/br0 is 176.31.224.222/24) and for the vm the provider want 
> the setup to be 
> 46.105.242.147/32
> 
> Look like I'm still missing one piece.

May we see the updated config and a dump?

Thanks,
-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \



signature.asc
Description: OpenPGP digital signature
--
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
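One way to see at a glance which of these drops actually concern the host, as an added example that is not part of the thread: a small Python parser for netfilter/Shorewall log lines in the form shown above. It splits the log prefix into chain and disposition, splits the MAC field into destination MAC, source MAC and ethertype (the order netfilter logs them in), and classifies each drop as addressed to one of the host's own addresses or as traffic merely bridged through br0 (IN and OUT both br0). The two sample lines are copied from the post; the set of local addresses (the br0 address and the VM's /32) is taken from it too. The classification labels are my own, not Shorewall terminology.

```python
import ipaddress
import re
from collections import Counter

# Two log lines copied from the post above. The LEN key appears twice per
# line (IP header, then UDP header); the parser keeps the first occurrence.
SAMPLE_LOG = """\
Apr  7 11:42:10 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=24.25.227.67 DST=176.31.224.27 LEN=59 TOS=00 PREC=0x00 TTL=238 ID=38975 DF PROTO=UDP SPT=62600 DPT=53 LEN=39 MARK=0
Apr  7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=02:00:00:89:d7:f2:6c:9c:ed:bb:bd:80:08:00 SRC=193.57.110.171 DST=5.135.101.211 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=23071 PROTO=TCP SPT=34510 DPT=80 SEQ=2564968756 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
"""

# Addresses the host itself should answer for, as given in the post:
# the firewall's br0 address and the VM's /32.
LOCAL_ADDRS = {ipaddress.ip_address("176.31.224.222"),
               ipaddress.ip_address("46.105.242.147")}

# Shorewall log prefix: <LOGFORMAT tag>:<chain>:<disposition>:  (the tag is "SHw4" here).
PREFIX_RE = re.compile(r"(?P<tag>[^\s:]+):(?P<chain>[^\s:]+):(?P<disp>[A-Z]+):")
# Generic KEY=value fields that follow the prefix.
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S+)")


def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    entry = {"tag": m.group("tag"), "chain": m.group("chain"),
             "disposition": m.group("disp")}
    for kv in KV_RE.finditer(line, m.end()):
        entry.setdefault(kv.group("key"), kv.group("val"))
    mac = entry.get("MAC")
    if mac:
        # netfilter logs MAC as dst(6) : src(6) : ethertype(2), colon separated.
        octets = mac.split(":")
        if len(octets) == 14:
            entry["dst_mac"] = ":".join(octets[0:6])
            entry["src_mac"] = ":".join(octets[6:12])
            entry["ethertype"] = "".join(octets[12:14])
    return entry


def classify(entry, local_addrs=LOCAL_ADDRS):
    """Does this dropped packet involve the host at all? (labels are my own)"""
    dst_text = entry.get("DST")
    if dst_text is None:
        return "unknown"
    if ipaddress.ip_address(dst_text) in local_addrs:
        return "to-host"
    if entry.get("IN") and entry.get("IN") == entry.get("OUT"):
        # Same bridge on both sides: the frame was only being bridged
        # through; neither endpoint is the host or its VM.
        return "bridged-transit"
    return "forwarded"


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(text, local_addrs=LOCAL_ADDRS):
    """Count drops by (class, DST, PROTO, DPT) so a long log reads as a short table."""
    counts = Counter()
    for e in parse_log(text):
        counts[(classify(e, local_addrs), e.get("DST"), e.get("PROTO"), e.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run against a full day of `/var/log/messages`, the summary separates the drops whose DST is one of the host's addresses (worth investigating) from those that were only ever passing through the bridge, and the split MAC field shows which destination hardware addresses those transit frames were carrying.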


[Shorewall-users] Checking out my success

2014-04-08 Thread Philip Le Riche
Folks -

New round these parts (though not to firewalls), so please bear with any
stoopid questions.

I'm setting up Shorewall on a Linux Mint box in order to isolate a
Raspberry Pi farm in a school, allowing access by ssh and vnc from
school PCs and the Pis to access the Internet for updates and package
downloads. Pretty much all else unnecessary is blocked. After a fairly
thrilling scramble up the learning curve it all seems to work and just
needs validating and tidying up. One or two questions have arisen on the
way though:

1. I'm using DNAT to map the Pi ip addresses (on their own private
subnet) onto addresses on the school network. I did something logically
similar some years ago for a completely different application, which I
did with static NAT on a Cisco PIX. In that case, the PIX determined
that it had an interest in those pre-NATted ip addresses and responded
to ARP requests for them just as part of the day job. I vaguely assumed
the same would happen here until I realised I'd probably have to
explicitly add the pre-NATted ip addresses to the outer interface, which
I did by hand. Question: would Shorewall have done that for me if I'd
been a bit more patient? Maybe I went ahead before I'd got Shorewall to
understand where I was going with this.

2. I'd like to parameterise this where I can to facilitate reuse in
other schools if it turned out to be useful. I've just stumbled across
the params file, which I don't remember seeing on my way up the learning
curve, but on the face of it, it only appears to allow parameterisation
of complete lexical items. But having done a bit of shell and Perl in my
time I was tempted to try:
Schoolnet=172.16.1
Pinet=192.168.1
and in my rules, brandish something like:
DNAT    skool   pinet:${Pinet}.1    tcp     ssh     ${Schoolnet}.129
(There will need to be a number of such lines.) It seems to work. Am I
playing with fire?

3. Is there a more succinct way of performing a linear mapping of one
block of ip addresses onto another, rather than repeated lines as above?
I thought I could map one CIDR range onto another with the PIX, but my
memory is a bit hazy from more than 10 years ago.

4. Changing DROP to REJECT quickly found my last bug, but I never got
logging to work. I created /var/log/messages in order to eliminate an
error, but putting debug in the LOG LEVEL field of the policy file
didn't do anything. In fact, I've never had anything  beyond the startup
message in /var/log/messages. I've never had occasion to more than
scratch the surface of syslog so this may be a silly question. Is there
something I'm missing?

Anyway, great work Tom. Having quickly dismissed gufw and geared myself
up if necessary to fight with raw iptables, you've saved me a lot of work!

Best regards - Philip




Re: [Shorewall-users] Checking out my success

2014-04-08 Thread Tom Eastep
On 4/8/2014 2:01 PM, Philip Le Riche wrote:
> Folks -
> 
> New round these parts (though not to firewalls), so please bear with any
> stoopid questions.
> 
> I'm setting up Shorewall on a Linux Mint box in order to isolate a
> Raspberry Pi farm in a school, allowing access by ssh and vnc from
> school PCs and the Pis to access the Internet for updates and package
> downloads. Pretty much all else unnecessary is blocked. After a fairly
> thrilling scramble up the learning curve it all seems to work and just
> needs validating and tidying up. One or two questions have arisen on the
> way though:
> 
> 1. I'm using DNAT to map the Pi ip addresses (on their own private
> subnet) onto addresses on the school network. I did something logically
> similar some years ago for a completely different application, which I
> did with static NAT on a Cisco PIX. In that case, the PIX determined
> that it had an interest in those pre-NATted ip addresses and responded
> to ARP requests for them just as part of the day job. I vaguely assumed
> the same would happen here until I realised I'd probably have to
> explicitly add the pre-NATted ip addresses to the outer interface, which
> I did by hand. Question: would Shorewall have done that for me if I'd
> been a bit more patient? Maybe I went ahead before I'd got Shorewall to
> understand where I was going with this.

Check out the ADD_DNAT_ADDRS in shorewall.conf.

> 
> 2. I'd like to parameterise this where I can to facilitate reuse in
> other schools if it turned out to be useful. I've just stumbled across
> the params file, which I don't remember seeing on my way up the learning
> curve, but on the face of it, it only appears to allow parameterisation
> of complete lexical items. But having done a bit of shell and Perl in my
> time I was tempted to try:
> Schoolnet=172.16.1
> Pinet=192.168.1
> and in my rules, brandish something like:
> DNAT    skool   pinet:${Pinet}.1    tcp     ssh     ${Schoolnet}.129
> (There will need to be a number of such lines.) It seems to work. Am I
> playing with fire?

That should work fine.

> 
> 3. Is there a more succinct way of performing a linear mapping of one
> block of ip addresses onto another, rather than repeated lines as above?
> I thought I could map one CIDR range onto another with the PIX, but my
> memory is a bit hazy from more than 10 years ago.

Check out http://www.shorewall.org/netmap.html

> 
> 4. Changing DROP to REJECT quickly found my last bug, but I never got
> logging to work. I created /var/log/messages in order to eliminate an
> error, but putting debug in the LOG LEVEL field of the policy file
> didn't do anything. In fact, I've never had anything  beyond the startup
> message in /var/log/messages. I've never had occasion to more than
> scratch the surface of syslog so this may be a silly question. Is there
> something I'm missing?

http://www.shorewall.org/shorewall_logging.html

> 
> Anyway, great work Tom. Having quickly dismissed gufw and geared myself
> up if necessary to fight with raw iptables, you've saved me a lot of work!

Thanks Philip!

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \



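To make the two mechanisms behind questions 2 and 3 concrete, here is an added example (my own code, not Shorewall's). The first function expands `${Var}` references in a rule line the way the shell does for variables set in the params file, using the Schoolnet/Pinet values from the post; the second does the address arithmetic that a 1:1 netmap performs, keeping the host bits of an address and replacing its network bits with those of the target block, so one mapping entry covers a whole block instead of one DNAT line per host. The Shorewall netmap file syntax itself is documented at the link in Tom's reply and is not reproduced here.

```python
import ipaddress
from string import Template

# Values from the post's params file.
PARAMS = {"Schoolnet": "172.16.1", "Pinet": "192.168.1"}


def expand_rule(template_line, params=PARAMS):
    """Expand ${Var} / $Var references as the shell does for params-file variables.

    Template.substitute() is strict: a reference to an unset variable raises
    KeyError rather than silently expanding to an empty string, which is the
    check you want before a half-expanded rule reaches iptables.
    """
    return Template(template_line).substitute(params)


def netmap(addr, to_net):
    """1:1 NETMAP arithmetic: keep addr's host bits, take the network bits from to_net."""
    a = ipaddress.ip_address(addr)
    n = ipaddress.ip_network(str(to_net))
    return ipaddress.ip_address((int(a) & int(n.hostmask)) | int(n.network_address))


def map_block(net1, net2):
    """Enumerate the host-address pairs a netmap between two equally sized blocks implies."""
    n1, n2 = ipaddress.ip_network(net1), ipaddress.ip_network(net2)
    if n1.prefixlen != n2.prefixlen:
        raise ValueError("a 1:1 netmap needs two blocks of the same size")
    return [(str(a), str(netmap(str(a), n2))) for a in n1.hosts()]


if __name__ == "__main__":
    # The post's rule line, with its columns separated by spaces.
    print(expand_rule("DNAT skool pinet:${Pinet}.1 tcp ssh ${Schoolnet}.129"))
    # Whole-block alternative: Pi subnet onto the school-side block.
    for pi_addr, school_addr in map_block("192.168.1.0/24", "172.16.1.0/24")[:3]:
        print(pi_addr, "->", school_addr)
```

Because the mapping is pure bit arithmetic, it is its own inverse: translating 172.16.1.37 back into 192.168.1.0/24 yields 192.168.1.37, which is what makes a single netmap entry usable for both directions of the traffic.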