Dear Shorewall-Users, dear Tom,

for quite some time I have been using Shorewall on top of OpenSuse. Over the years my shorewall.conf has been modified to incorporate the new stuff; my rules file has stayed similar most of the time.

I experience multiple things, and I hope you can be of help to root out the cause and help me get it back to working the way I want it to...

I have Shorewall 4.6.13.4 running, taken from baseurl=http://download.opensuse.org/repositories/security:/netfilter/openSUSE_13.2/ as a repository. I run kernel 3.16.7-35 desktop.

My local network is 192.168.2.0/255, served by eth1.
My dial-up into the internet is conducted via DSL over ppp0 bound to eth0.

My interfaces file is

    loc     eth1    detect
    net     ppp0    detect

My masq file is

    ppp0    eth1

zones looks like

    fw      firewall
    net
    loc

rules, shorewall.conf are attached.

policy file is

    loc     all     ACCEPT  $LOG
    fw      all     ACCEPT  $LOG
    net     all     DROP    $LOG
    net     net     NONE    #ADD THIS
    all     all     REJECT  $LOG

Hope I provided all the relevant information. Now to my problems.

#1) I have a service on a PC in the loc zone where I set up a port redirection from the firewall/gw machine to that machine, via DNAT. What has worked in the past ceased to work (don't know how many weeks, months back, just noticed). I see in the firewall logs that the

    Apr 1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0

It gets the packet request, but then drops it, instead of forwarding it as per DNAT line

    DNAT:$LOG   net     loc:192.168.2.3:7091    tcp     7091
    DNAT:$LOG   net     loc:192.168.2.3:7091    udp     7091

(this port forwarding is just ONE example, I have multiple services that I can't reach anymore)

#2) I have on the loc LAN a DLINK Wifi Access Point, providing (surprise!) wifi access to the LAN and the internet (via the firewall Linux machine). On the firewall I run squid as a proxy; the wifi devices can access web pages, etc. nicely, with or without squid. But what I can't do is e.g. get the Samsung phones to connect to the Samsung update server, which is done via requests (maybe via http/https, or by using port 5223, didn't really figure that out yet), unfortunately definitely NOT via squid.

These requests then simply fail, network or server error response by the update dialog. When not in wifi it connects to the servers without any issues. Any ideas around that? I see the requests in the firewall.log though:

    Apr 1 22:12:36 bhaal kernel: [964296.870561] Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870594] Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870623] Shorewall:mangle:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870640] Shorewall:filter:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870664] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870676] Shorewall:mangle:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 1 22:12:36 bhaal kernel: [964296.870688] Shorewall:nat:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

#3) WhatsApp. WhatsApp works in my wifi. Most of the time. If I don't send out OR receive e.g. pictures. Then it somehow freezes communication. I have to switch wifi off, get the picture sent or receive the stuff, then I can turn on wifi again. While in "freeze mode", I can't send out any message, no matter how short it is. I get the clock twiddling its counters...

For #2) and #3), I have checked the settings of the wifi access point; there is NO extra firewall, there is no way of setting packet sizes. I have no issues transferring large files via wifi within the loc LAN zone. So I for the time being assume it's working on the wifi access point setting side...

Further, maybe #4) how can I set up Tom's Shorewall update sites in a repository kind of way? Anybody done that?

I appreciate any kind of help you guys can provide. I have waited quite a long time to put my help request here; hopefully some of you have a good idea how to fix things. If the solution is to go to v5.0(.x), maybe you have a good suggestion how to in the best non-breaking-the-other-stuff type of way...

Thanks for your help and thanks to Tom for his great work over all the MANY years!

Florian

PS: If I forgot to include some config detail, lmk asap.

--
Florian Piekert flo...@floppy.org
===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct PGP signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#
#?SECTION ALL
#?SECTION ESTABLISHED
#?SECTION RELATED
#?SECTION INVALID
#?SECTION UNTRACKED
#?SECTION NEW
?SECTION NEW
#?SECTION ALL
#                                                       PORT    PORT(S)         DEST
# emule masquerading
#
#DNAT           net             loc:212.79.61.12:8866   tcp     8866
#DNAT           net             loc:212.79.61.12:8876   udp     8876
#DNAT           net             loc:212.79.61.11:8890   tcp     8890    # remote emule control, obsolete??
#DNAT           net             loc:212.79.61.2:8899    tcp     8899
#DNAT           net             loc:192.168.2.34:8866   tcp     8866
#DNAT           net             loc:192.168.2.34:8876   udp     8876
#DNAT           net             loc:192.168.2.34:8899   tcp     8899    # remote emule control, obsolete??
#DNAT           net             loc:192.168.2.34:8890   tcp     8890
#
# p2p
#
#ACCEPT         net             fw              tcp     8890
#
# p2p
#
#
#----------------------------------------------------
# Video-Server Port redirecting
#
DNAT:$LOG       net             loc:192.168.2.2:9000    tcp     9000
DNAT:$LOG       net             loc:192.168.2.2:9000    udp     9000
DNAT:$LOG       net             loc:192.168.2.2:9001    tcp     9001
DNAT:$LOG       net             loc:192.168.2.2:9001    udp     9001
#
#----------------------------------------------------
# Satel alarm system port redirecting
#
DNAT:$LOG       net             loc:192.168.2.3:7090    tcp     7090
DNAT:$LOG       net             loc:192.168.2.3:7090    udp     7090
DNAT:$LOG       net             loc:192.168.2.3:7091    tcp     7091
DNAT:$LOG       net             loc:192.168.2.3:7091    udp     7091
#
# Satel alarm system port redirecting
#----------------------------------------------------
#
# Florian
#
# bittorrent f374r revelations
#
#DNAT           net             loc:212.79.61.11        tcp     6881:6889
#DNAT           net             loc:212.79.61.11        tcp     6969
#
# removed 20150618
#DNAT           net             loc:192.168.2.30        tcp     3389
#
#----------------------------------------------------
#
# reject hack and portscanner ip addresses
#
#
# reject hack and portscanner ip addresses
#
# this is the permanent block we will have
#
#
# settings related to firewall
#
# with destination firewall, coming from various sources to allow port acceptance for server processes
#
#
#
# Port 25 for SMTP as mail server
# Port 587 for SMTP/submission as mail server
#
ACCEPT          net             fw              tcp     smtp
ACCEPT          net             fw              tcp     587
#
# Port 53 for BIND/NAMED as name server
#
#ACCEPT         net             fw              tcp     53
#ACCEPT         net             fw              udp     53
#
# mail retrieval
#
#20110212 fp removed
#ACCEPT         net             fw              tcp     pop3
#ACCEPT         net             fw              udp     pop3
#20110212 fp removed
ACCEPT:$LOG     net             fw              tcp     pop3s
ACCEPT:$LOG     net             fw              udp     pop3s
ACCEPT:$LOG     net             fw              tcp     imaps
ACCEPT:$LOG     net             fw              udp     imaps
#ACCEPT         net             fw              tcp     465
#ACCEPT         net             fw              udp     465
#ACCEPT         net             fw              tcp     587
#ACCEPT         net             fw              udp     587
#
# WebService
#
ACCEPT          net             fw              tcp     http
ACCEPT          net             fw              tcp     https
#
# SSH
#
ACCEPT:$LOG     net             fw              tcp     ssh     -       -       s:ssh:1/min:3
#
# FTP
#
ACCEPT          net             fw              tcp     ftp
ACCEPT          net             fw              tcp     ftp-data
#
# outpost.post-peine.de rsync, proxy
# blueberry.post-peine.de rsync, proxy
#
ACCEPT          net:$OUTPOST    fw              tcp     rsync
ACCEPT          net:$OUTPOST    fw              udp     rsync
ACCEPT          net:$OUTPOST    fw              tcp     8080
ACCEPT          net:$OUTPOST    fw              udp     8080
ACCEPT          net:$BLUEBERRY  fw              tcp     rsync
ACCEPT          net:$BLUEBERRY  fw              udp     rsync
ACCEPT          net:$BLUEBERRY  fw              tcp     8080
ACCEPT          net:$BLUEBERRY  fw              udp     8080
#
# DLR machines
#
ACCEPT:$LOG     net:$DLRNET     fw              icmp
ACCEPT:$LOG     net:$DLRNET     fw              udp
ACCEPT:$LOG     net:$DLRNET     fw              tcp     3306
#ACCEPT:$LOG    net:$DLRNET     fw              udp     3306
#
ACCEPT          net:$DLRNET     fw              tcp     8080
ACCEPT          net:$DLRNET     fw              udp     8080
#ACCEPT         net:$DLRNET     fw              tcp     888
#ACCEPT         net:$DLRNET     fw              udp     888
#
# from outpost.post-peine.de
# from island.post-peine.de
# from blueberry.post-peine.de
# from arschkrebs.de
#
ACCEPT:$LOG     net:$OUTPOST    fw              icmp
ACCEPT:$LOG     net:$OUTPOST    fw              udp
ACCEPT:$LOG     net:$ISLAND     fw              icmp
ACCEPT:$LOG     net:$ISLAND     fw              udp
ACCEPT:$LOG     net:$BLUEBERRY  fw              icmp
ACCEPT:$LOG     net:$BLUEBERRY  fw              udp
ACCEPT:$LOG     net:$ARSCHK     fw              icmp
ACCEPT:$LOG     net:$ARSCHK     fw              udp
#
# reject all Port 25 (SMTP) traffic for local machines due to virus or worm infections, regular use is by using the relay moria.floppy.org
#
ACCEPT          loc             net:$OUTPOST    tcp     25
ACCEPT          loc             net:$OUTPOST    udp     25
#
# web.de
ACCEPT:$LOG     loc:192.168.2.30        net:217.72.192.157      tcp     25
#
# other SMTP ports
REJECT:$LOG     loc             net             tcp     25
REJECT:$LOG     loc             net             udp     25
#
# 20130322 Teredo IPv6-to-IPv4 Microsoft tunnel stuff
#
#2016019 2316 removed
#REJECT:$LOG    loc             net             tcp     3544
#REJECT:$LOG    loc             net             udp     3544
#2016019 2316 removed
#
#20120507 removed
#REDIRECT:$LOG  loc             8080            tcp     www     -       !192.168.2.1
#20120507 removed
#
#20121019
REDIRECT:$LOG   loc             123             udp     123     -       !192.168.2.1
#
# block samba/nfs ports to external sources like microsoft dsn
#
REJECT          net             fw              tcp     135:139,445
REJECT          net             fw              udp     135:139,445
#REJECT         fw              net             tcp     135:139,445
#REJECT         fw              net             udp     135:139,445
#
#REJECT:$LOG    loc:192.168.2.39        net     tcp     161
#REJECT:$LOG    loc:192.168.2.39        net     udp     161
#
REJECT          loc:!192.168.2.0/24     fw
REJECT          loc:!192.168.2.0/24     net
#
#REJECT:$LOG    loc             net:172.21.0.0/8        tcp
#REJECT:$LOG    loc             net:172.21.0.0/8        udp
#REJECT:info    loc             fw              tcp     8099
# 20160110
ACCEPT          loc             net             tcp     4244    # Whatsapp
ACCEPT          loc             net             tcp     5242    # Whatsapp
#
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
#                       S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                            V E R B O S I T Y
###############################################################################
VERBOSITY=2
###############################################################################
#                              L O G G I N G
###############################################################################
BLACKLIST_LOGLEVEL=$LOG
INVALID_LOG_LEVEL=$LOG
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=$LOG
LOGFILE=/var/log/firewall.log
#LOGFILE=/var/log/shorewall.log
#LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=$LOG
RELATED_LOG_LEVEL=$LOG
RPFILTER_LOG_LEVEL=$LOG
SFILTER_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=$LOG
UNTRACKED_LOG_LEVEL=$LOG
###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=/usr/sbin/iptables
IP=/sbin/ip
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/run/shorewall
TC=/usr/sbin/tc
###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
#                        R S H / R C P   C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
#20160110 ADD_IP_ALIASES=No
ADD_IP_ALIASES=YES
#20160110
#20160110 ADD_SNAT_ALIASES=No
ADD_SNAT_ALIASES=YES
#20160110
ADMINISABSENTMINDED=Yes
BASIC_FILTERS=No
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
#20160110 DETECT_DNAT_IPADDRS=YES
#20160110
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=No
#INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=Yes
#LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REJECT_ACTION=
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
TRACK_RULES=No
USE_DEFAULT_RT=Yes
#USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
WORKAROUNDS=Yes
ZONE2ZONE=2
###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
#               P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
################################################################################
#                            L E G A C Y   O P T I O N
#                      D O   N O T   D E L E T E   O R   A L T E R
################################################################################
IPSECFILE=zones
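A worked example added here for readers following this thread; it is not part of Florian's post and not Shorewall code. With LOGALLNEW set in the attached shorewall.conf, Shorewall logs each new connection as the first rule of every builtin chain, so the nat:PREROUTING line still shows the pre-NAT DST; whether a DNAT rule matched is visible only in the entry that follows it (DST rewritten to the loc address and the packet on the FORWARD path, versus DST unchanged and the packet on the INPUT path, which is what the #1 trace shows before net2fw drops it). The Python below parses the LOGFORMAT="Shorewall:%s:%s:" lines, groups them per packet by SRC/SPT/ID/PROTO (fields that survive NAT) and reports that distinction. The sample log embeds the five net2fw lines quoted in the post verbatim plus five constructed lines showing what a matched DNAT would look like; the net2loc chain name, ID/SPT values and TTL on those constructed lines are assumptions, not taken from Florian's logs.

```python
import re
from collections import defaultdict

# LOGFORMAT="Shorewall:%s:%s:" from the attached shorewall.conf. The two %s are
# either <table>:<builtin chain> (LOGALLNEW) or <rule chain>:<disposition>
# (a logged rule or policy such as net2fw:DROP).
LOG_RE = re.compile(r"Shorewall:(?P<a>[^:\s]+):(?P<b>[^:\s]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
TABLES = {"raw", "mangle", "nat", "filter"}

# Sample log. Lines 1-5 are the net2fw trace quoted in the post. Lines 6-10 are
# CONSTRUCTED (assumed chain name net2loc, assumed ID/SPT/TTL) to show the shape
# of the same request when the DNAT rule does match.
SAMPLE_LOG = """\
Apr 1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:30 bhaal kernel: [963510.000001] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:30 bhaal kernel: [963510.000002] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:30 bhaal kernel: [963510.000003] Shorewall:mangle:FORWARD:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:30 bhaal kernel: [963510.000004] Shorewall:filter:FORWARD:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:30 bhaal kernel: [963510.000005] Shorewall:net2loc:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
""".splitlines()


def parse_line(line):
    """Parse one syslog line; return None if it carries no Shorewall prefix."""
    m = LOG_RE.search(line)
    if not m:
        return None
    a, b = m.group("a"), m.group("b")
    fields = dict(KV_RE.findall(m.group("rest")))
    if a in TABLES:
        return {"table": a, "chain": b, "verdict": None, "fields": fields}
    # A logged rule or policy: <zone2zone chain>:<disposition>; table unknown.
    return {"table": None, "chain": a, "verdict": b, "fields": fields}


def flow_key(fields):
    """Identify a packet across chains: SRC/SPT/ID/PROTO survive DNAT, DST does not."""
    return (fields.get("SRC"), fields.get("SPT"), fields.get("ID"), fields.get("PROTO"))


def trace_flows(lines):
    """Group parsed entries per packet, preserving log order (assumed chronological)."""
    flows = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            flows[flow_key(entry["fields"])].append(entry)
    return dict(flows)


def diagnose(entries):
    """Decide from one packet's chain trace whether a DNAT rule matched it."""
    path = [f"{e['table']}:{e['chain']}" if e["verdict"] is None
            else f"{e['chain']}:{e['verdict']}" for e in entries]
    orig_dst = entries[0]["fields"].get("DST")
    post_nat_dst = orig_dst
    for i, e in enumerate(entries):
        # LOGALLNEW fires at the top of nat:PREROUTING, before the DNAT rules,
        # so the rewritten DST is visible only in the entry that follows it.
        if e["table"] == "nat" and e["chain"] == "PREROUTING" and i + 1 < len(entries):
            post_nat_dst = entries[i + 1]["fields"].get("DST")
            break
    verdicts = [p for p, e in zip(path, entries) if e["verdict"] is not None]
    return {
        "orig_dst": orig_dst,
        "post_nat_dst": post_nat_dst,
        "dnat_applied": post_nat_dst != orig_dst,
        "went_local": any(e["chain"] == "INPUT" for e in entries),
        "final": verdicts[-1] if verdicts else None,
        "path": path,
    }


def explain(diag):
    """One-line reading of a diagnosis for a human looking at firewall.log."""
    if diag["dnat_applied"]:
        return (f"DNAT matched: {diag['orig_dst']} rewritten to {diag['post_nat_dst']}, "
                f"final verdict {diag['final']}")
    where = "INPUT (delivered to the firewall itself)" if diag["went_local"] else "FORWARD"
    return (f"no DNAT rule matched: DST still {diag['post_nat_dst']} after nat:PREROUTING, "
            f"packet took the {where} path, final verdict {diag['final']}")


if __name__ == "__main__":
    for key, entries in trace_flows(SAMPLE_LOG).items():
        print(key, "->", explain(diagnose(entries)))
```

Run against a real /var/log/firewall.log by replacing SAMPLE_LOG with the file's lines; a packet whose trace ends in INPUT while the rules file carries a DNAT for its DPT is one where the nat rule did not match, and the reason then lies in the DNAT rule's match conditions rather than in the filter policy that finally dropped it.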
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users