Need help with Gentoo router set-up
Gentoo Forums, Networking & Security

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Mon May 18, 2020 11:16 pm    Post subject: Need help with Gentoo router set-up

I'm trying to set up shorewall using the standard two-zone setup. I used the shorewall home page and the gentoo wiki shorewall article.
I already had interfaces named with eudev as "lan0" and "wan0". My first attempt complained about missing module LOG in the kernel. I rebuilt the kernel enabling all the LOG modules in the ethernet section. Shorewall service now starts (OpenRC) but when I then ran iptables -L the output looked odd.
I did change from the default config that seemed to let the firewall be wide open to the internet when shorewall is down. I want the opposite.
Nothing fancy, no DMZ, not treating the devices like printer & roku differently. I do want to do fancy stuff later, but right now I just want to replace my aging D-LINK router.

The hardware is an old AMD k6-3 with Tyan mobo, very limited memory and an old WD Caviar IDE hard drive. There is an on-board Realtek 8139 10/100MHz ethernet renamed to wan0. And two PCI (not PCI-e) Gigabit ethernet cards, an Intel (module e1000) renamed as wan0 and a Realtek 8169 with the module currently blacklisted. This hardware is for test only, proof of concept and setup, not for production.

Output of iptables -L : http://dpaste.com/2PS4RAT
/var/log/messages: https://pastebin.com/7uCa8Upe
Output of dmesg: https://pastebin.com/i5VL8wgd
/proc/config.gz: https://pastebin.com/vrvug9RG

WAN connection was looped back to the router, not the cable modem. I wanted to check the firewall before going live.
The next step is to plug into the cable modem with lan0 connected to a Win 8 laptop.

P.S. what's with this "smurftab"?


Last edited by Tony0945 on Tue May 26, 2020 2:47 am; edited 2 times in total
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54808
Location: 56N 3W

Posted: Tue May 19, 2020 12:00 am

Tony0945,

The idea behind shorewall is to stay away from iptables.

Shorewall has some very nice list commands. Try shorewall with no parameters to get help.
Code:
shorewall ls zones
shorewall ls policies
shorewall ls
and others.

If you want to post the output, you may want to hide your public IP.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 12:45 am

NeddySeagoon wrote:
If you want to post the output, you may want to hide your public IP.

It does come from dhcp and occasionally changes. But the warning is taken to heart.

I thought shorewall is a front end to iptables. The web site says to check with iptables -L.

I did reverse the settings in post-shorewall (or something like that). It looked to me like it opened up the internet, so I reversed it. Now I can't ssh in again, so I guess I shouldn't have done that. I'll have to go to the basement and reboot. I usually leave it sitting on a root login. I know. I know.
But if some stranger is rooting around in my basement I have bigger problems than him having root access to an ancient computer!
Maybe I should test with the WAN cable connected to the laptop (on a bench next to it)? Or just connect it to the internet (only) and see what happens. I do have a complete backup on my build partition on the Phenom II. Worst case, I have to boot sysresccd, wipe the drive, repartition and restore from the backup.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 1:33 am

The file I was referring to was /etc/shorewall/stoppedrules

It now reads (sans comments):
Code:
#ACTION         SOURCE                  DEST            PROTO   DPORT   SPORT
DROP            wan0                      -
ACCEPT          -                       lan0
ACCEPT          lan0                      -
ACCEPT          -                       wan0
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 5:32 pm

Had a lot of trouble reestablishing communications. That leads to an interesting general question that I can't find the answer to on the internet.

When a PC has two or more ethernet devices, call them eth0, eth1 ... How do programs like ping, or ssh select which one to use? Randomly? alphanumeric order? Something else?

Code:
k6 ~ # ifconfig
lan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.0.106  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 90:e2:ba:ed:ef:4c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.109  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 6c:19:8f:9a:61:77  txqueuelen 1000  (Ethernet)
        RX packets 895  bytes 74389 (72.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 462  bytes 84627 (82.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:50:bf:ed:e3:14  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
In this example only lan0 is physically connected. Both lan0 and lan2 have static addresses. But they could both be connected by cable to the same network switch.

Last edited by Tony0945 on Tue May 19, 2020 6:14 pm; edited 1 time in total
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6214
Location: Dallas area

Posted: Tue May 19, 2020 5:54 pm

Tony0945 wrote:
When a PC has two or more ethernet devices, call them eth0, eth1 ... How do programs like ping, or ssh select which one to use? Randomly? alphanumeric order? Something else?


Usually one ethernet/wifi device is "default" (based on metric IIRC) and you address the others, like ping, with the interface flag.

ping -I <secondary adapter> some-address

Edit to add:
Code:
$ ip route
default via 192.168.1.1 dev eth0 metric 2


If I turn on the vpn, it sets the default to its address with a metric of 1 or 0 (IIRC) which takes precedence (If I don't have the numerical order reversed)
_________________
UM780, 6.12 zen kernel, gcc 13, openrc, wayland
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 6:41 pm

Ah! That explains many problems.
Code:
k6 ~ # ip route
default via 192.168.0.1 dev lan0 metric 3 linkdown
default via 192.168.0.1 dev lan2 metric 4
127.0.0.0/8 dev lo scope host
192.168.0.0/24 dev lan2 proto kernel scope link src 192.168.0.109
192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.106 linkdown

They should not both be default, should they? I've been assuming all these years that "default" applied to the gateway, not the interface. Only one interface should be default, correct?

From another machine on the lan:
Code:
MSI ~ # ping 192.168.0.106
PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.
64 bytes from 192.168.0.106: icmp_seq=1 ttl=64 time=0.507 ms
64 bytes from 192.168.0.106: icmp_seq=2 ttl=64 time=0.466 ms
64 bytes from 192.168.0.106: icmp_seq=3 ttl=64 time=0.451 ms
^C
--- 192.168.0.106 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2099ms
rtt min/avg/max/mdev = 0.451/0.474/0.507/0.023 ms
MSI ~ # ping 192.168.0.109
PING 192.168.0.109 (192.168.0.109) 56(84) bytes of data.
64 bytes from 192.168.0.109: icmp_seq=1 ttl=64 time=0.533 ms
64 bytes from 192.168.0.109: icmp_seq=2 ttl=64 time=0.455 ms
64 bytes from 192.168.0.109: icmp_seq=3 ttl=64 time=0.492 ms
64 bytes from 192.168.0.109: icmp_seq=4 ttl=64 time=0.453 ms
^C
--- 192.168.0.109 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3157ms
rtt min/avg/max/mdev = 0.453/0.483/0.533/0.032 ms
A cable is only connected to lan0 (192.168.0.106) but lan2, without a physical connection also responds! (Using the default device?)

All three interfaces were started by OpenRC, but lan0 & lan2 are static addresses and the third, wan0, is waiting for a dhcp response which it will never get because it has no cable connected!

Code:
k6 ~ # grep -v ^# /etc/conf.d/net

rc_verbose="no"



config_wan0="dhcp" #get ip address and route from ISP


config_lan0="192.168.0.106 netmask 255.255.255.0"
routes_lan0="default gw 192.168.0.1"
dns_servers_lan0="192.168.0.102  8.8.8.8 "

config_lan2="192.168.0.109 netmask 255.255.255.0"
routes_lan2="default gw 192.168.0.1"
dns_servers_lan2="127.0.0.1 8.8.8.8 "




modules="${modules} !adsl !br2684ctl !bridge !clip !netplugd !ifplugd "
modules="${modules} !ipppd !pump !pppd    "

modules="ethtool !iproute2"      #prefer ifconfig



carrier_timeout_lan0=10   #fix for e1000



ifdown_lan0="no"
ethtool_change_lan0="wol g"
ifdown="no"
postdown() {
      [ "${IFACE}" = "lan0" ] && ethtool -s "${IFACE}" wol g
             return 0
       }
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54808
Location: 56N 3W

Posted: Tue May 19, 2020 7:04 pm

Tony0945,

"default" applies to the route. If you have more than one default route, only the first encountered in the routing table will be used.

Code:
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router          0.0.0.0         UG    2      0        0 eth0
loopback        0.0.0.0         255.0.0.0       U     0      0        0 lo
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0


Routing table rules are applied from the bottom up. The destination default matches anything, so any packets that get there are sent out of eth0, on the assumption that whatever gets them will know what to do with them.

When you have several default entries, they appear one above the other in the routing table. Only the bottom one will be used.

That's a little simplistic but it will do to get you started.

Why do you think you want two interfaces in the same subnet?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
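An added example, written for this thread and not code from any of the posters: a small model of how Linux picks the egress interface for a packet, run over the ip route table Tony posted above. The longest matching prefix wins first; among routes with the same prefix the lowest metric wins, which is why the two "default" lines are not really both default: lan0 (metric 3) is chosen over lan2 (metric 4). Unless the sysctl net.ipv4.conf.<iface>.ignore_routes_with_linkdown is enabled (it is off by default), a route on an interface without carrier stays eligible, so packets for the internet are handed to the unplugged lan0 and silently lost; the ignore_linkdown flag models that sysctl. Breaking ties between equal-prefix, equal-metric routes by table order is a simplification assumed here.

```python
import ipaddress

# Constructed copy of the `ip route` output posted in the thread; not a live table.
ROUTE_TABLE = """\
default via 192.168.0.1 dev lan0 metric 3 linkdown
default via 192.168.0.1 dev lan2 metric 4
127.0.0.0/8 dev lo scope host
192.168.0.0/24 dev lan2 proto kernel scope link src 192.168.0.109
192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.106 linkdown
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts; 'default' is 0.0.0.0/0, a missing metric is 0."""
    routes = []
    for order, line in enumerate(text.splitlines()):
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"net": ipaddress.ip_network(prefix, strict=False), "dev": None,
                 "via": None, "src": None, "metric": 0,
                 "linkdown": "linkdown" in fields, "order": order}
        for key in ("dev", "via", "src", "metric"):
            if key in fields:
                value = fields[fields.index(key) + 1]
                route[key] = int(value) if key == "metric" else value
        routes.append(route)
    return routes


def select_route(routes, dst, ignore_linkdown=False):
    """Longest prefix first, then lowest metric, then table order (assumed tie-break).

    ignore_linkdown models net.ipv4.conf.<iface>.ignore_routes_with_linkdown=1;
    with the kernel default (0) a route on a carrier-less link is still used.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if addr in r["net"] and not (ignore_linkdown and r["linkdown"])]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r["net"].prefixlen, r["metric"], r["order"]))


def egress(text, dst, ignore_linkdown=False):
    """(device, gateway, metric) the model would use for dst, or None if unroutable."""
    r = select_route(parse_routes(text), dst, ignore_linkdown)
    return None if r is None else (r["dev"], r["via"], r["metric"])


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.0.102", "127.0.0.1"):
        print(dst, "->", egress(ROUTE_TABLE, dst),
              "| ignoring linkdown routes:", egress(ROUTE_TABLE, dst, ignore_linkdown=True))
```

With the table as posted, 8.8.8.8 goes to lan0 (the dead link) under the default sysctl and only moves to lan2 when linkdown routes are ignored; LAN addresses go out lan2 because its /24 entry is listed first and both have metric 0.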
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 7:48 pm

NeddySeagoon wrote:
Why do you think you want two interfaces in the same subnet?

Don't need them now. But if the machine is to be a router then the second one is the interface into the machine while the first is the gateway to the router. That's the rationale anyway. The real mundane reason? I had two cards lying around. I turned the second one on when I couldn't ssh in.
Still don't know what I did to lose ssh and ping, nor really what I did to bring it back, because I did so many things.
The final step, out of frustration, was to power down every last device including switch, cable modem, router, APs and all PCs. That did work, but was it only because I followed advice on the internet to run
Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
That STILL didn't work, nor did a reboot afterward. Shutting down everything did. Why? I dunno.
However I did do one experiment relevant to the original post. I connected the wan0 port directly to the cable modem after shutting the other two off. Then I fired up shorewall. I did get an IP address from the ISP and could ping various places. Then I shut down shorewall, transferred the cables back to their original slots and rebooted. PC worked OK but I couldn't ping anyone or be pinged, nor ssh in or out.
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6214
Location: Dallas area

Posted: Tue May 19, 2020 7:50 pm

Tony0945 wrote:
Ah! That explains many problems.
Code:
k6 ~ # ip route
default via 192.168.0.1 dev lan0 metric 3 linkdown
default via 192.168.0.1 dev lan2 metric 4
127.0.0.0/8 dev lo scope host
192.168.0.0/24 dev lan2 proto kernel scope link src 192.168.0.109
192.168.0.0/24 dev lan0 proto kernel scope link src 192.168.0.106 linkdown

They should not both be default, should they? I've been assuming all these years that "default" applied to the gateway, not the interface. Only one interface should be default, correct?


Think default per interface.

If you wanted to ping something by way of lan2 you would do something like "ping -I lan2 google.com"
_________________
UM780, 6.12 zen kernel, gcc 13, openrc, wayland
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue May 19, 2020 7:59 pm

Anon-E-moose wrote:
If you wanted to ping something by way of lan2 you would do something like "ping -I lan2 google.com"

Now I know to do that. Actually, since DHCP, whether from the D-Link router or dnsmasq (no, not both on at the same time), will assign that same address to the ethernet card's MAC address, I probably should just set all the interfaces to "dhcp" and let their connections assign the address. I'm surprised that I got a connection from my ISP, but I also did when I first got the replacement cable modem. Connection speed was only 100kbps, but they did have line troubles. Still having them; Chicago is having record rains not seen for 140 years. Flooding everywhere. However, perhaps they let unknown devices connect, but very slowly, so that one can report the new equipment to the ISP, which I did, and two hours later they provisioned the modem and I got yet another IP address.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 3:27 am

Shorewall is rejecting attempts to ping computers on the LAN and WAN. Is this expected? Is a policy required?

Code:
May 19 10:05:04 k6 root[1365]: Shorewall started
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6931 DF PROTO=UDP SPT=35454 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50011 DF PROTO=UDP SPT=56181 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6932 DF PROTO=UDP SPT=55859 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25464 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=1
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50016 DF PROTO=UDP SPT=38093 DPT=53 LEN=52
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6934 DF PROTO=UDP SPT=52797 DPT=53 LEN=52
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50017 DF PROTO=UDP SPT=36128 DPT=53 LEN=52
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6935 DF PROTO=UDP SPT=42391 DPT=53 LEN=52
May 19 10:05:12 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25552 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=2
May 19 10:05:13 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25590 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=3
May 19 10:05:14 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25626 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=4
May 19 10:05:15 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25627 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=5
May 19 10:05:16 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25714 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=6
May 19 10:05:17 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25766 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=7
May 19 10:05:18 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25792 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=8
May 19 10:05:19 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25879 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=9
May 19 10:05:20 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25888 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=10
May 19 10:05:21 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25964 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=11
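An added example, written for this thread and not Tony's or Shorewall's code: a parser for the kernel log lines above that groups the rejections by chain, protocol and service so the zone pair being hit stands out at a glance. Shorewall names its zone-to-zone chains SOURCE-DEST, so every line in chain fw-loc is traffic from the firewall zone to the local zone: the firewall's own DNS lookups (UDP/53) to 192.168.0.102 and 8.8.8.8, and its ICMP echo requests. That points straight at the missing fw-to-loc policy row that nick_gentoo identifies later in the thread. The sample input is constructed: three of Tony's lines copied from the post above, plus one made-up line in the "Shore4:chain:ACTION:" prefix style that Neddy's LOG rules show, so both log formats are exercised.

```python
import re
from collections import Counter

# Constructed sample log. The "k6" lines are copied from the thread; the "router" line is
# made up in the Shore4:<chain>:<ACTION>: prefix style seen in Neddy's iptables listing.
SAMPLE_LOG = """\
May 19 10:05:04 k6 root[1365]: Shorewall started
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=6931 DF PROTO=UDP SPT=35454 DPT=53 LEN=29
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25464 DF PROTO=ICMP TYPE=8 CODE=0 ID=1378 SEQ=1
May 20 19:47:41 router kernel: Shore4:fw-net:REJECT:IN= OUT=eth0 SRC=192.168.100.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Matches "<chain> <ACTION> IN=..." (Tony's LOGFORMAT) and "Shore4:<chain>:<ACTION>:IN=..."
LOG_LINE = re.compile(
    r"kernel: (?:Shore\w*:)?(?P<chain>[\w-]+)[: ](?P<action>ACCEPT|DROP|REJECT)[: ]\s*(?P<fields>IN=.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """One syslog line -> dict of the interesting fields, or None if it is not a netfilter LOG line."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD.findall(m.group("fields")):
        fields.setdefault(key, value)   # ICMP lines carry a second ID=; keep the IP header's
    proto = fields.get("PROTO", "?")
    if proto == "ICMP":
        service = "icmp-type=" + fields.get("TYPE", "?")
    else:
        service = "dport=" + fields.get("DPT", "?")
    return {"chain": m.group("chain"), "action": m.group("action"), "proto": proto,
            "service": service, "src": fields.get("SRC"), "dst": fields.get("DST"),
            "in": fields.get("IN", ""), "out": fields.get("OUT", "")}


def zone_pair(chain):
    """Shorewall zone-to-zone chains are named SOURCE-DEST, e.g. fw-loc -> ('fw', 'loc')."""
    return tuple(chain.split("-", 1)) if "-" in chain else None


def summarize(log_text):
    """Count hits per (chain, action, proto, service) so the policy row to fix stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["chain"], rec["action"], rec["proto"], rec["service"])] += 1
    return counts


if __name__ == "__main__":
    for (chain, action, proto, service), n in sorted(summarize(SAMPLE_LOG).items()):
        zones = zone_pair(chain)
        where = "policy row %s -> %s" % zones if zones else "chain " + chain
        print("%4d  %-7s %-5s %-14s %s" % (n, action, proto, service, where))
```

Fed the full excerpt from the post instead of the four-line sample, the same summary gives 8 UDP/53 and 11 ICMP type 8 rejections, all in fw-loc and all with IN= empty, which is the signature of locally generated traffic leaving the firewall box itself.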
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5364
Location: Bavaria

Posted: Wed May 20, 2020 9:28 am

Hello Tony,

I never used shorewall, but I am shocked at what it produces (rules from your first post). The whole crap with chains makes it really difficult to understand (even for me). This is more complicated than doing native iptables yourself. Iptables is easy and I want to suggest you try it native. You only have to know a little bit about networking. What is an IP address, which protocols (tcp, udp, icmp) and which ports? https://en.wikipedia.org/wiki/Port_(computer_networking)

We have an excellent Wiki https://wiki.gentoo.org/wiki/Iptables
and I wrote an installation guide (in German). Look there only at the passage "skelett" and I hope many questions will be answered: https://forums.gentoo.org/viewtopic-t-1112806-highlight-.html
A ping is ICMP protocol and in the skelett you see how to enable it.
I recommend using "iptables -L -v -n" for investigating the actual rules (instead of only -L)

Many regards, Peter
nick_gentoo
Tux's lil' helper
Joined: 07 Jan 2019
Posts: 140

Posted: Wed May 20, 2020 1:55 pm

Tony0945 wrote:
Shorewall is rejecting attempts to ping computers on the LAN and WAN. Is this expected? Is a policy required?

I also started to use shorewall recently.
As I understand it so far, the policy is defined in /etc/shorewall/policy for each zone, and it's probably REJECT in this case. A rule (or the Ping macro) should be added in /etc/shorewall/rules to allow pings.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 4:07 pm

policy, default:
Code:
#SOURCE DEST POLICY LOGLEVEL RATE    CONNLIMIT

loc     net             ACCEPT
net     all             DROP            $LOG_LEVEL
# the next two are optional
#loc $FW ACCEPT
#$FW loc ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all REJECT $LOG_LEVEL

I think I want a line that says:
Code:

loc     loc   ACCEPT
Or should that be in the rules file? documentation is not clear.
nick_gentoo
Tux's lil' helper
Joined: 07 Jan 2019
Posts: 140

Posted: Wed May 20, 2020 4:28 pm

That last line is probably not needed, according to the man page the intra-zone policies are predefined: https://shorewall.org/manpages/shorewall-policy.html
But according to the last log, it looks like the firewall is rejecting the packets because it sees them as going from 'fw' to 'loc'. Here I also would like to check for myself, but: shorewall.conf might be establishing a default inter-zone policy of Reject, and your policy file does not specify a policy for fw-to-loc.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 5:25 pm

new policy
Code:
#SOURCE DEST POLICY LOGLEVEL RATE    CONNLIMIT

loc     net                             ACCEPT
fw   net             ACCEPT          info     # added
net     all             DROP            $LOG_LEVEL
loc     loc             ACCEPT                     # added by me, allow all traffic between locals
# the next two are optional
#loc $FW ACCEPT
#$FW loc ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all             REJECT          $LOG_LEVEL

Didn't help. Machine was locked out of the local net until reboot. At least stopping shorewall and rebooting restored communication.
I'll try adding the optional lines next.

Result of "iptables -L" https://pastebin.com/aRNNg0Mf
shorewall-init.log https://pastebin.com/LayNwiet
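An added example, written for this thread and not code from Shorewall or any poster: a first-match evaluator for Shorewall's policy file, run over the policy Tony posted just above. It assumes the semantics the stock file's "MUST BE LAST" comment implies: rows are tried top to bottom, `all` matches any zone, `$FW` is the firewall zone `fw`, and traffic within a zone is accepted unless an explicit row names that zone on both sides (the predefined intra-zone policy nick_gentoo mentions; treating it as taking precedence over `all` wildcards is an assumption of this model). With the posted file, fw to loc has no explicit row and falls through to `all all REJECT`, which is exactly the fw-loc REJECT seen in the log; the second policy text adds the two optional lines from the two-interface guide to show the difference.

```python
# Constructed from the policy file posted above (the $LOG_LEVEL column kept as written).
POLICY_POSTED = """\
#SOURCE DEST POLICY LOGLEVEL RATE    CONNLIMIT
loc     net             ACCEPT
fw      net             ACCEPT          info
net     all             DROP            $LOG_LEVEL
loc     loc             ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all     all             REJECT          $LOG_LEVEL
"""

# The same file with the two "optional" fw/loc policies from the two-interface guide added.
POLICY_WITH_FW_LOC = POLICY_POSTED.replace(
    "# THE FOLLOWING",
    "loc     $FW             ACCEPT\n$FW     loc             ACCEPT\n# THE FOLLOWING")


def parse_policy(text):
    """Return (source, dest, POLICY, loglevel) tuples in file order, comments stripped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 3:
            raise ValueError("policy row needs SOURCE DEST POLICY: %r" % raw)
        src, dst = (z.replace("$FW", "fw") for z in f[:2])   # $FW is the firewall zone 'fw'
        rows.append((src, dst, f[2].upper(), f[3] if len(f) > 3 else None))
    return rows


def policy_for(rows, src, dst):
    """First matching row wins; returns (POLICY, loglevel, which row matched).

    'all' is a wildcard. Intra-zone traffic (src == dst) is ACCEPTed implicitly and
    only an explicit row naming that zone twice overrides it (model assumption).
    """
    for s, d, pol, level in rows:
        explicit = (s == src and d == dst)
        wildcard = s in (src, "all") and d in (dst, "all")
        if explicit or (wildcard and src != dst):
            return pol, level, "%s %s" % (s, d)
    if src == dst:
        return "ACCEPT", None, "implicit intra-zone"
    return None, None, "no policy defined"


def policy_matrix(rows, zones):
    """Effective POLICY for every ordered zone pair, keyed (src, dst)."""
    return {(s, d): policy_for(rows, s, d)[0] for s in zones for d in zones}


def catch_all_is_last(rows):
    """True when the 'all all' row is the final row, as the stock file comment demands."""
    for i, (s, d, _, _) in enumerate(rows):
        if s == "all" and d == "all":
            return i == len(rows) - 1
    return False


if __name__ == "__main__":
    zones = ["fw", "loc", "net"]
    for label, text in (("posted", POLICY_POSTED), ("with fw/loc rows", POLICY_WITH_FW_LOC)):
        rows = parse_policy(text)
        print("policy file:", label, "| catch-all last:", catch_all_is_last(rows))
        for (s, d), pol in sorted(policy_matrix(rows, zones).items()):
            print("  %-4s -> %-4s %s" % (s, d, pol))
```

Running it shows fw -> loc and loc -> fw as REJECT under the posted file, matching both the log and the lockout Tony describes, and ACCEPT once the two optional rows are present; net -> fw stays DROP either way, which is the "firewall as part of the local zone, not the internet zone" point made later in the thread.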
albright
Advocate
Joined: 16 Nov 2003
Posts: 2588
Location: Near Toronto

Posted: Wed May 20, 2020 5:32 pm

just butting in without a lot of knowledge, but
don't you need a policy of:

Quote:
fw loc ACCEPT
loc fw ACCEPT

_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 5:37 pm

nick_gentoo wrote:
but: shorewall.conf might be establishing a default inter-zone policy of Reject, and your policy file does not specify a policy for fw-to-loc.

There is an option (default off) to have the firewall part of the local zone. Maybe I should turn that on.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 5:51 pm

albright wrote:
just butting in without a lot of knowledge, but
don't you need a policy of:

Quote:
fw loc ACCEPT
loc fw ACCEPT
Quite possibly. I'm following these guides
Basic Two-Interface Firewall
and Gentoo wiki

From the first website:
Quote:
Some people want to consider their firewall to be part of their local network from a security perspective. If you want to do this, add these two policies:

#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT
$FW loc ACCEPT

I didn't quite understand "from a security perspective". Why isn't this the default?
nick_gentoo
Tux's lil' helper
Joined: 07 Jan 2019
Posts: 140

Posted: Wed May 20, 2020 6:12 pm

I would guess it's because the firewall is directly connected to the internet, and one reason for using the firewall is precisely because the internet is not trustworthy.

Does it work now?
I use shorewall for now with the "single system" scenario, and I would like to try soon this two-interface configuration.
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Wed May 20, 2020 6:19 pm

nick_gentoo wrote:
I would guess it's because the firewall is directly connected to the internet, and one reason for using the firewall is precisely because the internet is not trustworthy.

No, by default the firewall is a separate zone. With the changes the firewall is part of the local zone, not the internet zone.

No, it didn't work. This time I took the precaution of running a background script first before starting shorewall. The script sleeps for 1800 seconds, then stops shorewall and reboots.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5364
Location: Bavaria

Posted: Wed May 20, 2020 7:08 pm

Building a firewall without any knowledge about networks and how packet filtering in the kernel works is like driving a car without any knowledge of how to drive and what the rules of the road are.

But, hey, this is not a problem: I tell you, take a monster truck instead of a car ... and you will have no problems ...

Do you really know what shorewall is used for?

Let me quote from: https://shorewall.org/Introduction.html
Quote:
Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives:

UFW (Uncomplicated Firewall)

ipcop

If you are looking for a Linux firewall solution that can handle complex and fast changing network environments then Shorewall is a logical choice.


I am a network engineer (or I was until I retired) and I would take native iptables even for complex solutions with 2 firewalls, a DMZ, 3 internal networks and 2 external friendly networks, rather than this complex software whose workings I would additionally have to learn.

Let me say it clearly: If you want to drive a truck you have to learn the rules of the road and how to drive. If you don't want to learn this, ride a bike (=>UFW).
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54808
Location: 56N 3W

Posted: Wed May 20, 2020 7:10 pm

Tony0945,

You have one more zone than you think you do.
/etc/shorewall/zones:
#ZONE           TYPE            OPTIONS         IN_OPTIONS      OUT_OPTIONS

fw              firewall
green           ipv4
dmz             ipv4
blue            ipv4
net             ipv4

The firewall is its own zone.

/etc/shorewall/policy:
#SOURCE         DEST            POLICY          LOGLEVEL        RATE

net             dmz             DROP            $LOG
net             blue            DROP            $LOG
net             green           DROP            $LOG
net             $FW             DROP            $LOG
all             all     REJECT          $LOG

That policy file says that anything coming from the outside world (net), wherever it's going, is DROPped and logged,
and that anything else (it has to be from inside) is REJECTed and logged.
The difference is that the outside world is silently dropped and things on my network get an error message. That makes debugging easier.

So far so good. Nothing comes in and nothing goes out. Everything that is not expressly permitted by entries in the rules file, is forbidden.
There is an old joke there but I'll skip it.

The firewall zone $FW, should have its connections limited.

/etc/shorewall/rules - part:
#ACTION         SOURCE          DEST                    PROTO   DPORT   SPORT   
ACCEPT      green      fw         tcp   ssh
# fw accepts from the internet - its anti social to drop ping
ACCEPT          fw              net                     udp     domain
ACCEPT          fw              net                     udp     ntp
# fw will get updates from the dmz, so need to allow those outgoing
# fw to dmz
ACCEPT          fw              dmz:$Portage           tcp     rsync
ACCEPT          fw              dmz:$Source             tcp     8080   
ACCEPT       fw      net         tcp   www
ACCEPT          fw              net                     tcp     https


The only incoming connection accepted is on ssh from the wired network (green)
The outgoing connections are required for maintenance.
DNS, NTP, my private ::gentoo rsync server, http-replicator.
I've forgotten why www and https were required.

All that translates into the fw- chains

To the outside world
Code:
Shorewall 5.2.3.6 Chain fw-net at router - Wed 20 May 19:47:41 BST 2020

Counters reset Wed May 13 21:34:16 BST 2020

Chain fw-net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
57374 4672K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 1911  145K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-net:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]


To the wired network
Code:
 Chain fw-green (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   33 10923 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
 1261  585K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-green:ACCEPT:"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


To WiFi
Code:
Chain fw-blue (1 references)
 pkts bytes target     prot opt in     out     source               destination         
19254 1146K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  218 10464 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-blue:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]


To the dmz (for http-replicator and the rsync mirror).
Code:
Chain fw-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.119       multiport dports 873,8080
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "Shore4:fw-dmz:REJECT:"
    2    80 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

It's mostly ping and accepting replies to things you asked for.

All the magic happens in the rules between the other zones.
The fw zone should not be communicating with things it doesn't need to, so most things should be rejected, which is what you report.

Now,
Code:
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29
That's a DNS lookup (UDP on port 53), so it should probably be going to the outside world, not loc.

That's what my
Code:
ACCEPT          fw              net                     udp     domain
permits.
Routing is a separate topic. That rule permits traffic. It says nothing about how to route it.

Looking some more, the destination IP is DST=8.8.8.8, which is a public nameserver.

Now the question becomes why is traffic for the outside world being sent to lan0 ?

The firewall should sit between your router and everything else.
Is 192.168.0.106 (lan0) the firewall's interface to the outside world?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
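The check Neddy does by hand above (find the REJECT line, read OUT=, SRC=, DST=, PROTO= and DPT=, then ask why a public destination is leaving on lan0) can be run over the whole /var/log/messages excerpt. The script below is an added example, not code from the thread or from Shorewall. It assumes the kernel log format shown in the quoted line (`<chain> <ACTION> IN=... OUT=...`; the "Shore4:chain:ACTION:" prefix seen in the iptables listing is accepted too), takes lan0 as the LAN interface from the thread, and assumes 192.168.0.0/24 as the LAN prefix. Only the first sample line is the one quoted in the thread; the other lines are constructed.

```python
"""Summarise Shorewall/iptables LOG lines and flag public destinations
leaving on the LAN interface (the symptom discussed in the thread).

Added example; the log lines except the first are constructed, and the
LAN prefix 192.168.0.0/24 is an assumption.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LAN_IF = "lan0"                                   # from the thread
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN prefix

# First line: the one quoted above. The rest are constructed samples:
# a lookup to a public resolver leaving on lan0, an unsolicited telnet
# SYN from the WAN, and an unrelated dhcpcd line the parser must ignore.
SAMPLE_LOG = """\
May 19 10:05:11 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=192.168.0.102 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50010 DF PROTO=UDP SPT=36933 DPT=53 LEN=29
May 19 10:05:12 k6 kernel: fw-loc REJECT IN= OUT=lan0 SRC=192.168.0.106 DST=8.8.8.8 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=50011 DF PROTO=UDP SPT=36934 DPT=53 LEN=29
May 19 10:06:01 k6 kernel: net-fw DROP IN=wan0 OUT= SRC=203.0.113.7 DST=192.168.0.106 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:06:30 k6 dhcpcd[1234]: lan0: leased 192.168.0.106 for 86400 seconds
"""

# "<chain> <ACTION> IN=" as in the quoted line, or "prefix:<chain>:<ACTION>: IN="
LOG_RE = re.compile(
    r"(?P<chain>[\w-]+)[ :](?P<action>ACCEPT|DROP|REJECT):?\s+(?P<kv>IN=.*)$"
)


@dataclass
class LogEntry:
    chain: str
    action: str
    in_if: str      # empty for locally generated packets (fw zone)
    out_if: str     # empty for packets addressed to the firewall itself
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" in tok:                     # skip bare flags such as DF, SYN
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)  # keep the first LEN= (IP total length)
    try:
        src = ipaddress.IPv4Address(fields["SRC"])
        dst = ipaddress.IPv4Address(fields["DST"])
    except (KeyError, ValueError):
        return None
    dport = int(fields["DPT"]) if "DPT" in fields else None
    return LogEntry(m["chain"], m["action"], fields.get("IN", ""),
                    fields.get("OUT", ""), src, dst, fields.get("PROTO", "?"), dport)


def misrouted(e: LogEntry, lan_if: str = LAN_IF, lan_net=LAN_NET) -> bool:
    """Locally generated packet to a non-LAN, non-private address leaving on
    the LAN interface: this is what the thread is trying to explain."""
    return (e.in_if == "" and e.out_if == lan_if
            and e.dst not in lan_net and not e.dst.is_private)


def summarise(text: str):
    """Count hits per (chain, action) and per (proto, dport); list misrouted ones."""
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    by_chain = Counter((e.chain, e.action) for e in entries)
    by_service = Counter((e.proto, e.dport) for e in entries)
    flagged = [e for e in entries if misrouted(e)]
    return entries, by_chain, by_service, flagged


if __name__ == "__main__":
    entries, by_chain, by_service, flagged = summarise(SAMPLE_LOG)
    for (chain, action), n in by_chain.most_common():
        print(f"{n:5d}  {chain:10s} {action}")
    for (proto, dport), n in by_service.most_common():
        print(f"{n:5d}  {proto}/{dport}")
    for e in flagged:
        print(f"public destination {e.dst} leaving via {e.out_if}: check the default route")
```

Run it against a real excerpt by replacing SAMPLE_LOG with the file contents; the (proto, dport) counter tells you which services are being rejected before you start editing rules, and the flagged list separates a routing problem (default route via the LAN interface) from a policy problem (the rules file).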
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed May 20, 2020 8:28 pm    Post subject: Reply with quote

NeddySeagoon wrote:
The firewall is its own zone.
Yes, I don't understand why.

NeddySeagoon wrote:
Now the question becomes why is traffic for the outside world being sent to lan0 ?
Because lan0 is intended to be the local network interface to the cable modem.

NeddySeagoon wrote:
Is 192.168.0.106 (lan0) the firewalls interface to the outside world?
No, that is the interface to the local area network.

The rules I initially want for the firewall are:
1. Reject (or drop) all unsolicited traffic from the WAN (port wan0)
2. ACCEPT all WAN traffic that is a response to a LAN solicitation (web pages, e-mail, DNS queries ...)
3. ACCEPT all traffic from the LAN (this last could be restricted to a few listed ip addresses)

I also don't understand why the LAN zone is defined as 0.0.0.0/0 (any address, right?) instead of, say, 192.168.0.0/25.