[Shorewall-users] Policy Rules not working as expected (fwd)
Thu, 25 Apr 2002 11:51:46 -0700
Thanks for the reply, and sorry for not being 100% clear about my setup.
Your guess is right...I have one interface (eth0) on each machine.
You're right, it's not a smart idea since anyone can get to my computer
through SMB over TCP/IP, but the reason I did was because someone in my
local LUG lied to me, and told me that my ADSL router/modem would not
pass these packets out onto the Internet. I guess the guy was probably
a Windows user and was confused with NetBEUI or something. My best
option now is to just get a new network card for each computer and
connect them with one cable. Very secure. But I'm making the best of
it. At any given time I either have no shares, or I put a complicated
password on the share.
Anyways, about this problem, it's kind of boggling me as to why I'm
getting these packets blocked. Here's what I see in my syslog file:
(I've disguised my IP for security reasons):
Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<MAC address> SRC=<IP of the computer downstairs> DST=<IP of my computer> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137
net eth0 detect routefilter,dhcp
fw net ACCEPT
net all DROP info
all all REJECT info
DROP net fw tcp 113
ACCEPT net fw tcp 80 #HTTP server
ACCEPT net fw tcp 22 #SSH server
ACCEPT fw net udp 137:139 #SAMBA
ACCEPT fw net tcp 137,139 #SAMBA
ACCEPT net fw udp 137:139 #SAMBA
ACCEPT net fw tcp 137,139 #SAMBA
ACCEPT net fw tcp 6346 #Gnutella
net Net Internet
All other config files are empty.
I basically set up my system by downloading the example files from the
shorewall website for a single interface network setup. I did cp -f *
/etc/shorewall/ to all the files, I then edited the rules file, and I
think that's it. If I stop shorewall I can see the shares on the other
computer, and as soon as I start it, I can't see the other computer's
shares (although I can see the computer) and I start to see dropped
packets. Oh yeah, the "other" computer is a Windows 98 PC by the way.
If you can give me any advice about this that would be great. I hope I
have explained everything more clearly this time. Thanks,
Tom Eastep wrote:
>Subject: Re: [Shorewall-users] Policy Rules not working as expected
>On Thu, 25 Apr 2002, Tom Eastep wrote:
>>Sorry Patrick -- I didn't pay attention to which post you were replying
>>to. Yes, I agree totally that there is no reason to switch the meaning of
>>'net' and 'loc' and I replied to that effect to the original poster.
>Ok -- hope that I haven't made everyone else as confused as I am :-)
>We had two posts this morning with similar traits:
>a) David Grant -- he reported that his local net was actually the internet
>because of something that I didn't understand.
>b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was his
>network interface and eth1 was his local yet his configuration looked to
>be the other way around. I thought that his opening paragraph was a typo
>given that the subnets on eth1 (with the exception of 'token') use RFC1918
>addresses and that's why I reacted to Patrick's post. To me, it still
>looks like a typo; maybe Bernd can clear that up for us.
>It was David's post that I responded to given that I didn't understand
>that part about his local net being on the internet. I think I've now
>muddled that one out. David has a single NIC in each of two systems, both
>of which get IPs dynamically from his ISP. So he is using one lan segment
>for both internet and local traffic. Not the world's best idea given that
>the rules that he posted will give all of his neighbors free SMB access to
>his SAMBA box.
>I have a similar configuration here currently but I use a PPTP VPN from my
>laptop to my firewall. The reason that the laptop moved out from behind my
>firewall is that any time that I need tech support from my employer,
>that's the first thing that the help desk wants me to do :-/ I just
>decided to leave it outside the firewall permanently. Makes a good PoPToP
>test bed :-)
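As an added example (not from the post, nor Shorewall's own code), the following Python script parses log lines in the format quoted above, matches each dropped packet against the posted net->fw rules, and flags drops whose destination port a rule meant to ACCEPT, which is the symptom David describes. It assumes Shorewall's <src>2<dst> chain naming and treats an empty OUT= field as a packet addressed to the firewall itself; the log lines, host name, MAC and addresses are constructed placeholders.

```python
import re
# Constructed sample lines in the log format quoted in the post (host, MAC and addresses are placeholders).
SAMPLE_LOG = """\
Apr 25 11:36:25 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137 DPT=137 LEN=70
Apr 25 11:37:01 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=23297 PROTO=TCP SPT=1034 DPT=6000
"""
# The net->fw rules from the post: ACTION SOURCE DEST PROTO PORT(S)
RULES = """\
DROP net fw tcp 113
ACCEPT net fw tcp 80        #HTTP server
ACCEPT net fw udp 137:139   #SAMBA
ACCEPT net fw tcp 137,139   #SAMBA
"""
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)")

def parse_log_line(line):
    """Return zones, disposition, protocol and destination port of one logged packet."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m["rest"].split() if "=" in f)
    src_zone, dst_zone = m["chain"].split("2", 1)  # Shorewall names its chains <src>2<dst>
    if dst_zone == "all" and not kv.get("OUT"):    # no output interface: addressed to the firewall
        dst_zone = "fw"
    return {"src": src_zone, "dst": dst_zone, "disposition": m["disp"],
            "proto": kv.get("PROTO", "").lower(), "dpt": int(kv.get("DPT", -1))}  # -1: line truncated

def port_matches(spec, port):
    """Shorewall port syntax: 'a:b' is a range, 'a,b' is a list."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def parse_rules(text):
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())  # ACTION SOURCE DEST PROTO PORTS
    return [r[:5] for r in rows if r]

def expected_action(rules, pkt):
    """First rule whose zones, protocol and destination port match; None means the policy decided."""
    for action, src, dst, proto, ports in rules:
        if (src, dst, proto) == (pkt["src"], pkt["dst"], pkt["proto"]) and port_matches(ports, pkt["dpt"]):
            return action
    return None

def triage(log_text, rules_text):
    """List (proto, dpt) of logged DROPs that a rule says should have been ACCEPTed."""
    rules = parse_rules(rules_text)
    return [(p["proto"], p["dpt"]) for p in map(parse_log_line, log_text.splitlines())
            if p and p["disposition"] == "DROP" and expected_action(rules, p) == "ACCEPT"]
```

A drop that triage() reports means the rule never matched in the running ruleset, which is the thing to check (e.g. with `shorewall check` or by reading the generated chains) before suspecting the policy itself.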