[Shorewall-users] allowing RPC calls

Tom Eastep teastep@shorewall.net
Mon, 8 Apr 2002 20:58:48 -0700 (Pacific Daylight Time)


Joe,

On Mon, 8 Apr 2002, Joe Van Andel wrote:

> I'm seeing RPC traffic rejected.
> /var/log/messages shows:
>
> Apr  8 21:44:36 ops-zebra kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:10:5a:75:b0:07:08:00:20:90:07:05:08:00 SRC=128.117.78.15
> DST=128.117.78.67 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=45672 DF
> PROTO=UDP SPT=111 DPT=39164 LEN=36
>

This is a port mapper UDP reply to the firewall.

> where 128.117.78.67 is my firewall machine.  I'm trying to allow RPC
> traffic, since rules contains:
> ACCEPT          net       $FW           tcp     portmapper
> ACCEPT          net       $FW           udp     portmapper
> ACCEPT          $FW       net           tcp     portmapper
> ACCEPT          $FW       net           udp     portmapper
>
> /etc/shorewall/firewall status shows
> Chain net2fw (1 references)
>   pkts bytes target     prot opt in     out     source               destination
>      5   640 ACCEPT     udp  ---  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
>
> Chain fw2net (1 references)
>   pkts bytes target     prot opt in     out     source               destination
>      0     0 ACCEPT     udp  ---  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
>
> Is it possible to configure shorewall to allow RPC traffic?  (I searched
> the site and mail archives, and didn't come up with any advice.)
>

There used to be an RPC connection tracking/NAT module in NetFilter but I
personally could never get it to work. Without such a module (and one that
actually works), you will never get any useful results from any
NetFilter-based firewall (including Shorewall).

What RPC-based application are you trying to use through your firewall?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
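The log line Joe quotes can be read mechanically, which helps when triaging a batch of these drops. The following Python is an added example written for this thread, not code from Shorewall or from either poster: it parses a Shorewall/netfilter kernel log line into its fields and flags the pattern seen here, a UDP packet from the portmapper port (111) to a high port that was dropped rather than matched as a reply to an earlier outbound request. The sample line is the one from the thread, re-joined onto one line; the "ports 1024 and above are ephemeral" threshold and the diagnosis labels are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed sample: the log line quoted in the thread, re-joined onto one line.
SAMPLE_LOG = (
    "Apr  8 21:44:36 ops-zebra kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:10:5a:75:b0:07:08:00:20:90:07:05:08:00 SRC=128.117.78.15 "
    "DST=128.117.78.67 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=45672 DF "
    "PROTO=UDP SPT=111 DPT=39164 LEN=36"
)

PORTMAPPER_PORT = 111
EPHEMERAL_MIN = 1024  # assumption: ports >= 1024 are treated as client-side ephemeral ports

# Diagnosis labels used by classify_rpc_drop (names chosen for this example).
PORTMAPPER_REPLY_UNMATCHED = "portmapper-reply-unmatched"
PORTMAPPER_REQUEST_INBOUND = "portmapper-request-inbound"

# Shorewall prefixes its log messages as "Shorewall:<chain>:<disposition>:" followed
# by the usual netfilter KEY=VALUE fields.
_PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Parse one Shorewall kernel log line into a dict of fields.

    Bare flags such as DF are stored with the value "1". The IP header LEN= is kept
    as LEN and the later UDP LEN= as UDP_LEN, since both appear on the same line.
    """
    m = _PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields: Dict[str, str] = {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
    }
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key == "LEN" and "LEN" in fields:
                key = "UDP_LEN"
            fields[key] = value
        else:
            fields[token] = "1"
    return fields


def classify_rpc_drop(fields: Dict[str, str]) -> Optional[str]:
    """Label a dropped UDP packet that involves the portmapper port, else None.

    A packet *from* port 111 *to* an ephemeral port is a portmapper reply; if the
    firewall dropped it, connection tracking had no entry tying it to an outbound
    request (consistent with the 0-packet counter on the fw2net rule in the thread).
    A packet *to* port 111 is an inbound portmapper request.
    """
    if fields.get("disposition") != "DROP" or fields.get("PROTO") != "UDP":
        return None
    spt = int(fields.get("SPT", "0"))
    dpt = int(fields.get("DPT", "0"))
    if spt == PORTMAPPER_PORT and dpt >= EPHEMERAL_MIN:
        return PORTMAPPER_REPLY_UNMATCHED
    if dpt == PORTMAPPER_PORT:
        return PORTMAPPER_REQUEST_INBOUND
    return None


if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE_LOG)
    print(parsed["chain"], parsed["SRC"], "->", parsed["DST"],
          parsed["PROTO"], parsed["SPT"], "->", parsed["DPT"])
    print(classify_rpc_drop(parsed))
```

Note that this only explains the single dropped reply; as the reply above says, the RPC services that the portmapper hands out live on dynamically assigned ports, so accepting port 111 in both directions does not by itself let an RPC application through a stateful packet filter.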