[Shorewall-users] Local2local?

Andy.Geraerts@pi.be Andy.Geraerts@pi.be
Thu, 4 Apr 2002 00:16:59 +0200



Hello All!

My situation:

Firewall: 3 NICs, LOC, DMZ, NET
LOC has IP 192.168.7.254
In the LOC network there is a WAN router 192.168.7.253 which connects to
network 192.168.1.x
The clients have the firewall as default gateway.

I get these errors when I try to access a host in 192.168.1.x from
192.168.7.x:

Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=33004 DF PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 RES=0x00 SYN URGP=0

I have no idea where I can enable this. Why are these packets blocked?

Here are my configs:

interfaces:
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth2    detect          routefilter,dhcp
loc     eth0    detect          routestopped,multi
dmz     eth1    10.0.0.255      routestopped

masq:
#INTERFACE              SUBNET          ADDRESS
eth2                    eth0
eth2                    eth1

policy:
#CLIENT         SERVER          POLICY          LOG LEVEL
loc             fw              ACCEPT
fw              loc             ACCEPT
fw              net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

rules:
##############################################################################
#RESULT         CLIENT(S) SERVER(S)     PROTO   PORT(S) CLIENT PORT(S)  ADDRESS
#
# Allow SSH from the local network
#
ACCEPT          loc       fw            tcp     ssh,1352
#
# Allow SSH and Auth from the internet
#
ACCEPT          net       fw            tcp     ssh,auth
#
# Allow Lotus Notes from the internet
#
ACCEPT          net       loc:192.168.7.2       tcp     1352    - all
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT          fw        net           udp     ntp
#
# Redirect all www requests from the local network to a squid server running on the
# firewall and listening on port 8080.
#
ACCEPT          loc       fw::8080      tcp     www     -       all
ACCEPT          fw        net           tcp     www
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Thanks for your help!

Andy...
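To see which policy entry the logged packet fell through to, here is a small Python checker (added here; it is not part of Andy's post and not Shorewall's own code). It parses the posted log line, maps interfaces to zones with the posted interfaces file, and performs Shorewall's first-match policy lookup, naming the chain client2server as Shorewall does. The log line is re-joined from the wrapped lines above, and the `loc loc ACCEPT` entry used in the second lookup is an assumption for comparison, not something the post contains.

```python
import re

# Interface -> zone mapping taken from the posted interfaces file.
INTERFACES = {"eth2": "net", "eth0": "loc", "eth1": "dmz"}

# Policy table exactly as posted: (client, server, policy); first match wins.
POLICY = [
    ("loc", "fw", "ACCEPT"),
    ("fw", "loc", "ACCEPT"),
    ("fw", "net", "ACCEPT"),
    ("loc", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
# The posted log entry, re-joined into one line (constructed sample input).
LOG_LINE = ("Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 "
            "SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=33004 DF "
            "PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 RES=0x00 SYN URGP=0")

def parse_log(line):
    """Return chain, disposition and the KEY=VALUE fields of a Shorewall log entry."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}

def zone_of(iface):
    # An empty OUT= means the packet is addressed to the firewall itself.
    return INTERFACES.get(iface, "fw") if iface else "fw"

def match_policy(client, server, table):
    """First-match lookup honouring the 'all' wildcard; returns (chain_name, policy)."""
    for c, s, pol in table:
        if c in (client, "all") and s in (server, "all"):
            return f"{c}2{s}", pol
    return None

def explain(line, table):
    entry = parse_log(line)
    src_zone, dst_zone = zone_of(entry["IN"]), zone_of(entry.get("OUT", ""))
    chain, pol = match_policy(src_zone, dst_zone, table)
    return {"from": src_zone, "to": dst_zone, "chain": chain, "policy": pol,
            "same_interface": entry["IN"] == entry.get("OUT")}

# With the posted table the loc->loc packet falls through to the all->all REJECT policy.
ORIGINAL = explain(LOG_LINE, POLICY)
# With an explicit loc->loc policy in front (assumption, not from the post) it is accepted.
FIXED = explain(LOG_LINE, [("loc", "loc", "ACCEPT")] + POLICY)
```

The `same_interface` flag marks packets that enter and leave on the same interface, which is exactly the IN=eth0 OUT=eth0 case in the log: traffic routed back into the LOC zone through the firewall, for which the posted policy table has no loc-to-loc entry.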

