[Shorewall-users] Policy Rules not working as expected (fwd)

David Grant david.grant@telus.net
Thu, 25 Apr 2002 11:51:46 -0700


Thanks for the reply, and sorry for not being 100% clear about my setup. 
Your guess is right...I have one interface (eth0) on each machine. 
You're right, it's not a smart idea since anyone can get to my computer 
through SMB over TCP/IP, but the reason I did was because someone in my 
local LUG lied to me, and told me that my ADSL router/modem would not 
pass these packets out onto the Internet.  I guess the guy was probably 
a Windows user and was confused with NetBEUI or something.  My best 
option now is to just get a new network card for each computer and 
connect them with one cable.  Very secure.  But I'm making the best of 
it.  At any given time I either have no shares, or I put a complicated 
password on the share.

Anyways, about this problem, it's kind of boggling me as to why I'm 
getting these packets blocked.  Here's what I see in my syslog file: 
(I've disguised my IP for security reasons):

syslog file:

Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0 
OUT= MAC=<MAC address> SRC=<IP of the computer downstairs> DST=<IP of my 
computer> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137 
DPT=1038 LEN=70

interfaces file:

net     eth0            detect          routefilter,dhcp

policy file:

fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

rules file:

DROP            net       fw            tcp     113
ACCEPT          net     fw              tcp     80      #HTTP server
ACCEPT          net     fw              tcp     22      #SSH server
ACCEPT          fw      net             udp     137:139 #SAMBA
ACCEPT          fw      net             tcp     137,139    #SAMBA
ACCEPT          net     fw              udp     137:139    #SAMBA
ACCEPT          net     fw              tcp     137,139    #SAMBA
ACCEPT          net     fw              tcp     6346    #Gnutella

zones file:

net     Net             Internet

All other config files are empty.

I basically set up my system by downloading the example files from the 
shorewall website for a single interface network setup.  I did cp -f * 
/etc/shorewall/ to all the files, I then edited the rules file, and I 
think that's it.  If I stop shorewall I can see the shares on the other 
computer, and as soon as I start it, I can't see the other computer's 
shares (although I can see the computer) and I start to see dropped 
packets.  Oh yeah, the "other" computer is a Windows 98 PC by the way.

If you can give me any advice about this that would be great.  I hope I 
have explained everything more clearly this time.  Thanks,

David Grant

Tom Eastep wrote:

>Subject: Re: [Shorewall-users] Policy Rules not working as expected
>On Thu, 25 Apr 2002, Tom Eastep wrote:
>>Sorry Patrick -- I didn't pay attention to which post you were replying 
>>to. Yes, I agree totally that there is no reason to switch the meaning of 
>>'net' and 'loc' and I replied to that effect to the original poster.  
>Ok -- hope that I haven't made everyone else as confused as I am :-)
>We had two posts this morning with similar traits:
>a) David Grant -- he reported that his local net was actually the internet 
>because of something that I didn't understand.
>b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was his
>network interface and eth1 was his local yet his configuration looked to
>be the other way around. I thought that his opening paragraph was a typo
>given that the subnets on eth1 (with the exception of 'token') use RFC1918
>addresses and that's why I reacted to Patrick's post. To me, it still
>looks like a typo;  maybe Bernd can clear that up for us.
>It was David's post that I responded to given that I didn't understand
>that part about why his local net was on the internet. I think I've now
>muddled that one out. David has a single NIC in each of two systems, both
>of which get IPs dynamically from his ISP. So he is using one LAN segment
>for both internet and local traffic. Not the world's best idea given that
>the rules that he posted will give all of his neighbors free SMB access to
>his SAMBA box.
>I have a similar configuration here currently but I use a PPTP VPN from my
>laptop to my firewall. The reason that the laptop moved out from behind my
>firewall is that any time that I need tech support from my employer,
>that's the first thing that the help desk wants me to do :-/ I just
>decided to leave it outside the firewall permanently. Makes a good PoPToP 
>test bed :-)
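
An added example (not part of the original thread and not Shorewall's own code): it evaluates the rules and policies posted above against the logged packet, assuming the ports column of a rule is the destination port and ignoring connection tracking. The function names are hypothetical, and the zones passed to decide() are supplied by hand (net to fw, since the log shows IN=eth0 with an empty OUT=).

```python
import re

# Rules copied from the post: (action, source zone, dest zone, proto, dest ports)
RULES = [
    ("DROP",   "net", "fw",  "tcp", "113"),
    ("ACCEPT", "net", "fw",  "tcp", "80"),
    ("ACCEPT", "net", "fw",  "tcp", "22"),
    ("ACCEPT", "fw",  "net", "udp", "137:139"),
    ("ACCEPT", "fw",  "net", "tcp", "137,139"),
    ("ACCEPT", "net", "fw",  "udp", "137:139"),
    ("ACCEPT", "net", "fw",  "tcp", "137,139"),
    ("ACCEPT", "net", "fw",  "tcp", "6346"),
]
# Policies copied from the post: (source, dest, policy)
POLICIES = [("fw", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

# The logged packet from the post, joined onto one line; placeholders kept as posted.
LOG = ("Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0 "
       "OUT= MAC=<MAC address> SRC=<IP of the computer downstairs> DST=<IP of my computer> "
       "LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137 DPT=1038 LEN=70")

def parse_log(line):
    """Extract chain, disposition, protocol and ports from a Shorewall log line."""
    chain, disp = re.search(r"Shorewall:([^:]+):([^:]+):", line).groups()
    f = dict(re.findall(r"\b(PROTO|SPT|DPT)=(\S+)", line))
    return {"chain": chain, "disposition": disp, "proto": f["PROTO"].lower(),
            "spt": int(f["SPT"]), "dpt": int(f["DPT"])}

def port_matches(spec, port):
    """Match a port against a spec such as '137:139' (range) or '137,139' (list)."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(src, dst, proto, dpt):
    """Return (verdict, reason): first matching rule, else first matching policy."""
    for action, rsrc, rdst, rproto, ports in RULES:
        if (rsrc, rdst, rproto) == (src, dst, proto) and port_matches(ports, dpt):
            return action, "rule"
    for psrc, pdst, policy in POLICIES:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return policy, "policy"
    return None, "no match"  # not reached while an all->all policy is present
```

For the logged packet, decide("net", "fw", "udp", 1038) matches no rule because 1038 is outside 137:139 (137 is the packet's source port), so the net-to-all DROP policy applies, which is the net2all chain named in the log.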