Thursday, February 12, 2009

Re: Using shorewall

-----Original Message-----
From: Paolo <oopla@users.sf.net>
To: debian-firewall@lists.debian.org <debian-firewall@lists.debian.org>
Subject: Re: Using shorewall
Date: Thu, 12 Feb 2009 21:47:17 +0100
Mailer: Mutt/1.3.28i

On Thu, Feb 12, 2009 at 03:05:14PM -0500, john wrote:
...
> I have set up shorewall with eth0 going to my existing d-link router.
> eth1 and eth2 are planned for a dmz and a loc. I have used the setup and

what's your final /etc/network/interfaces ?
what do ifconfig(8) or ip(8) report?

> lines from /var/log/shorewall-init.log):
>
> Setting up masquerading/SNAT....
> ERROR: Unable to determine routes through interface "eth1"

perhaps some more log line would help ? ...

--
paolo

I should have mentioned that I'm running lenny (up to date).

My /etc/network/interfaces file reads:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

My /etc/shorewall file reads:

net eth0 detect dhcp,routefilter,tcpflags
dmz eth1 detect dhcp
loc eth2 detect dhcp

/var/log/shorewall-init.log reads:
22:43:52 Compiling...
Loading /usr/share/shorewall/lib.base...
Loading /usr/share/shorewall/lib.config...
22:43:52 Processing /etc/shorewall/shorewall.conf...
22:43:52 Loading Modules...
22:43:54 Loading library /usr/share/shorewall-shell/lib.actions...
22:43:54 Loading library /usr/share/shorewall-shell/lib.nat...
22:43:54 Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
New Connection Tracking Match Syntax: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
22:43:55 Determining Zones...
IPv4 Zones: net dmz loc
Firewall Zone: fw
22:43:55 Validating interfaces file...
22:43:55 Validating hosts file...
22:43:55 Pre-processing Actions...
22:43:55 Pre-processing /usr/share/shorewall/action.Drop...
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:55 ..End Macro
22:43:55 Pre-processing /usr/share/shorewall/action.Reject...
22:43:55 Validating Policy file...
22:43:55 Policy for net to dmz is DROP using chain net2all
22:43:55 Policy for net to loc is DROP using chain net2all
22:43:55 Policy for net to fw is DROP using chain net2all
22:43:55 Policy for dmz to net is REJECT using chain dmz2all
22:43:55 Policy for dmz to loc is REJECT using chain dmz2all
22:43:55 Policy for dmz to fw is REJECT using chain dmz2all
22:43:55 Policy for loc to net is REJECT using chain loc2all
22:43:55 Policy for loc to dmz is REJECT using chain loc2all
22:43:55 Policy for loc to fw is REJECT using chain loc2all
22:43:55 Policy for fw to net is ACCEPT using chain fw2all
22:43:55 Policy for fw to dmz is ACCEPT using chain fw2all
22:43:55 Policy for fw to loc is ACCEPT using chain fw2all
22:43:55 Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
dmz Zone: eth1:0.0.0.0/0
loc Zone: eth2:0.0.0.0/0
22:43:55 Deleting user chains...
22:43:55 Compiling /etc/shorewall/routestopped ...
22:43:55 Creating Interface Chains...
22:43:55 Compiling Common Rules
22:43:55 Adding rules for DHCP
22:43:55 Compiling TCP Flags checking...
22:43:55 Compiling Kernel Route Filtering...
22:43:55 Compiling Martian Logging...
22:43:55 Compiling IPSEC...
22:43:55 Compiling /etc/shorewall/rules...
22:43:55 Rule "ACCEPT loc net tcp 80,443 " compiled.
22:43:55 Rule "ACCEPT loc fw udp 53 " compiled.
22:43:55 Rule "ACCEPT net dmz tcp 80 " compiled.
22:43:55 Rule "ACCEPT loc dmz tcp 80 " compiled.
22:43:55 Rule "ACCEPT fw dmz tcp 80 " compiled.
22:43:56 Rule "ACCEPT dmz net:206.167.141.10 tcp 80 " compiled.
22:43:56 Rule "ACCEPT dmz net:128.31.0.36 tcp 80 " compiled.
22:43:56 Compiling Actions...
22:43:56 Generating Transitive Closure of Used-action List...
22:43:56 Compiling /usr/share/shorewall/action.Drop for Chain Drop...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56 Rule "REJECT - - tcp 113 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropBcast " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56 Rule "ACCEPT - - icmp fragmentation-needed - - " compiled.
22:43:56 Rule "ACCEPT - - icmp time-exceeded - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropInvalid " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56 Rule "DROP - - udp 135,445 - - " compiled.
22:43:56 Rule "DROP - - udp 137:139 - - " compiled.
22:43:56 Rule "DROP - - udp 1024: 137 - " compiled.
22:43:56 Rule "DROP - - tcp 135,139,445 - - " compiled.
22:43:56 ..End Macro
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:56 Rule "DROP - - udp 1900 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropNotSyn - - tcp " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:56 Rule "DROP - - udp - 53 - " compiled.
22:43:56 ..End Macro
22:43:56 Compiling /usr/share/shorewall/action.Reject for Chain Reject...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56 Rule "REJECT - - tcp 113 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropBcast " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56 Rule "ACCEPT - - icmp fragmentation-needed - - " compiled.
22:43:56 Rule "ACCEPT - - icmp time-exceeded - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropInvalid " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56 Rule "REJECT - - udp 135,445 - - " compiled.
22:43:56 Rule "REJECT - - udp 137:139 - - " compiled.
22:43:57 Rule "REJECT - - udp 1024: 137 - " compiled.
22:43:57 Rule "REJECT - - tcp 135,139,445 - - " compiled.
22:43:57 ..End Macro
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:57 Rule "DROP - - udp 1900 - - " compiled.
22:43:57 ..End Macro
22:43:57 Rule "dropNotSyn - - tcp " compiled.
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:57 Rule "DROP - - udp - 53 - " compiled.
22:43:57 ..End Macro
22:43:57 Compiling /etc/shorewall/policy...
22:43:57 Policy ACCEPT for fw to dmz using chain fw2all
22:43:57 Policy DROP for net to dmz using chain net2all
22:43:57 Policy REJECT for dmz to net using chain dmz2all
22:43:57 Policy REJECT for loc to fw using chain loc2all
22:43:57 Policy REJECT for loc to net using chain loc2all
22:43:57 Policy REJECT for loc to dmz using chain loc2all
22:43:57 Compiling Masquerading/SNAT
22:43:57 Compiling Traffic Control Rules...
22:43:57 Compiling Rule Activation...
22:43:57 Compiling IP Forwarding...
22:43:57 Shorewall configuration compiled to /var/lib/shorewall/.start
22:43:58 Starting Shorewall....
22:43:58 Initializing...
22:43:58 Loading Modules...
22:43:58 Clearing Traffic Control/QOS
22:43:58 Deleting user chains...
22:43:58 Enabling Loopback and DNS Lookups
22:43:58 Creating Interface Chains...
22:43:58 Setting up SMURF control...
22:43:58 Setting up Black List...
22:43:58 Setting up rules for DHCP...
22:43:58 Setting up TCP Flags checking...
22:43:59 Setting up ARP filtering...
22:43:59 Setting up Route Filtering...
22:43:59 Setting up Martian Logging...
22:43:59 Setting up Accept Source Routing...
22:43:59 Setting up SYN Flood Protection...
22:43:59 Setting up Rules...
22:43:59 Rule "ACCEPT loc net tcp 80,443 " added.
22:43:59 Rule "ACCEPT loc fw udp 53 " added.
22:43:59 Rule "ACCEPT net dmz tcp 80 " added.
22:43:59 Rule "ACCEPT loc dmz tcp 80 " added.
22:43:59 Rule "ACCEPT fw dmz tcp 80 " added.
22:43:59 Rule "ACCEPT dmz net:206.167.141.10 tcp 80 " added.
22:43:59 Rule "ACCEPT dmz net:128.31.0.36 tcp 80 " added.
22:43:59 Setting up Actions...
22:43:59 Creating action chain Drop
22:43:59 Rule "REJECT - - tcp 113 - - " added.
22:43:59 Rule "dropBcast " added.
22:43:59 Rule "ACCEPT - - icmp fragmentation-needed - - " added.
22:43:59 Rule "ACCEPT - - icmp time-exceeded - - " added.
22:43:59 Rule "dropInvalid " added.
22:43:59 Rule "DROP - - udp 135,445 - - " added.
22:43:59 Rule "DROP - - udp 137:139 - - " added.
22:43:59 Rule "DROP - - udp 1024: 137 - " added.
22:43:59 Rule "DROP - - tcp 135,139,445 - - " added.
22:43:59 Rule "DROP - - udp 1900 - - " added.
22:43:59 Rule "dropNotSyn - - tcp " added.
22:43:59 Rule "DROP - - udp - 53 - " added.
22:43:59 Creating action chain Reject
22:43:59 Rule "REJECT - - tcp 113 - - " added.
22:43:59 Rule "dropBcast " added.
22:43:59 Rule "ACCEPT - - icmp fragmentation-needed - - " added.
22:43:59 Rule "ACCEPT - - icmp time-exceeded - - " added.
22:43:59 Rule "dropInvalid " added.
22:43:59 Rule "REJECT - - udp 135,445 - - " added.
22:43:59 Rule "REJECT - - udp 137:139 - - " added.
22:43:59 Rule "REJECT - - udp 1024: 137 - " added.
22:43:59 Rule "REJECT - - tcp 135,139,445 - - " added.
22:43:59 Rule "DROP - - udp 1900 - - " added.
22:43:59 Rule "dropNotSyn - - tcp " added.
22:43:59 Rule "DROP - - udp - 53 - " added.
22:43:59 Creating action chain dropBcast
22:43:59 Creating action chain dropInvalid
22:43:59 Creating action chain dropNotSyn
22:43:59 Applying Policies...
22:43:59 Setting up Masquerading/SNAT...
ERROR: Unable to determine the routes through interface "eth1"
22:43:59 IP Forwarding Enabled
Terminated


Thanks - John.



--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
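An added pre-flight check for the failure at the end of John's log. It is the editor's example, not code from the post, from Paolo, or from the Shorewall project. The reasoning it encodes: Shorewall's masquerading/SNAT stage asks the kernel for the routes through each interface it masquerades for, and the posted /etc/network/interfaces configures only eth0, so eth1 and eth2 have no address and no routes when `shorewall start` runs. That the (unshown) masq file names eth1 as a SOURCE interface is an assumption. The script cross-checks the INTERFACE column of the posted interfaces file against `ip -4 route show dev <iface>`; the route lookup sits behind a variable so it can be pointed at constructed data, and the route line used for testing is constructed.

```sh
#!/bin/sh
# Added example (not from the original post or from Shorewall): a pre-flight
# check for "Unable to determine the routes through interface eth1".
# Shorewall needs kernel routes through every interface it masquerades for;
# an interface with no /etc/network/interfaces stanza has no address and no
# routes, so the masquerading stage aborts.
#
# Assumptions: Shorewall 4.x "interfaces" layout (ZONE INTERFACE BROADCAST
# OPTIONS); iproute2 ip(8) is present for the live check. The file content
# below is copied from the post, not read from disk.

# Constructed copy of the poster's /etc/shorewall/interfaces.
SHOREWALL_INTERFACES='net eth0 detect dhcp,routefilter,tcpflags
dmz eth1 detect dhcp
loc eth2 detect dhcp'

# Print the INTERFACE column of an interfaces file, skipping comments and
# blank lines.
list_interfaces() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF >= 2 { print $2 }'
}

# Source of route information. The default asks the kernel via ip(8);
# ROUTE_CMD can be pointed at another function for offline testing.
routes_for() {
    ip -4 route show dev "$1" 2>/dev/null
}
ROUTE_CMD=${ROUTE_CMD:-routes_for}

# Print, one per line, the interfaces from an interfaces file that have no
# IPv4 route at all. Always returns 0 so it is safe to call under `set -e`.
missing_routes() {
    for iface in $(list_interfaces "$1"); do
        if [ -z "$("$ROUTE_CMD" "$iface")" ]; then
            printf '%s\n' "$iface"
        fi
    done
    return 0
}

# Return 0 if every interface has routes, 1 otherwise, naming each offender
# and the fix on stderr.
preflight() {
    missing=$(missing_routes "$1")
    if [ -n "$missing" ]; then
        for iface in $missing; do
            echo "shorewall preflight: $iface has no IPv4 routes;" \
                 "add an 'iface $iface inet ...' stanza to /etc/network/interfaces" \
                 "and bring it up before 'shorewall start'" >&2
        done
        return 1
    fi
    return 0
}

# Live check against this host's kernel, only when asked for explicitly:
#   sh shorewall-preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    preflight "$SHOREWALL_INTERFACES" && echo "all Shorewall interfaces have routes"
fi
```

Run it on the firewall with `sh shorewall-preflight.sh --live` before `shorewall start`; a non-zero exit names every interface that still needs an `iface` stanza (or a static address). The script name is an assumption. On John's box as posted, it would flag eth1 and eth2, which is exactly where the masquerading step stopped.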
