[Shorewall-users] Policy Rules not working as expected (fwd)

Jerry Vonau jvonau@shaw.ca
Thu, 25 Apr 2002 18:17:33 -0500


Hi David:

Could this be the problem:

ACCEPT          net     fw              udp     137:139   #SAMBA

Shouldn't that be 137,139?

To everybody:

To limit access, can't you do something like:

ACCEPT          net     fw              udp     137,139   -    <ip of allowed comp>

Just a couple of thoughts.....

Jerry Vonau





David Grant wrote:
> 
> Tom,
> 
> Thanks for the reply, and sorry for not being 100% clear about my setup.
>  Your guess is right...I have one interface (eth0) on each machine.
>  You're right, it's not a smart idea since anyone can get to my computer
> through SMB over TCP/IP, but the reason I did was because someone in my
> local LUG lied to me, and told me that my ADSL router/modem would not
> pass these packets out onto the Internet.  I guess the guy was probably
> a Windows user and was confused with NetBEUI or something.  My best
> option now is to just get a new network card for each computer and
> connect them with one cable.  Very secure.  But I'm making the best of
> it.  At any given time I either have no shares, or I put a complicated
> password on the share.
> 
> Anyways, about this problem, it's kind of boggling me as to why I'm
> getting these packets blocked.  Here's what I see in my syslog file:
>  (I've disguised my IP for security reasons):
> 
> syslog file:
> 
> Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0
> OUT= MAC=<MAC address> SRC=<IP of the computer downstairs> DST=<IP of my
> computer> LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137
> DPT=1038 LEN=70
> 
> interfaces file:
> 
> net     eth0            detect          routefilter,dhcp
> 
> policy file:
> 
> fw              net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
> 
> rules file:
> 
> DROP            net     fw              tcp     113
> ACCEPT          net     fw              tcp     80         #HTTP server
> ACCEPT          net     fw              tcp     22         #SSH server
> ACCEPT          fw      net             udp     137:139    #SAMBA
> ACCEPT          fw      net             tcp     137,139    #SAMBA
> ACCEPT          net     fw              udp     137:139    #SAMBA
> ACCEPT          net     fw              tcp     137,139    #SAMBA
> ACCEPT          net     fw              tcp     6346       #Gnutella
> 
> zones file:
> 
> net     Net             Internet
> 
> All other config files are empty.
> 
> I basically set up my system by downloading the example files from the
> shorewall website for a single interface network setup.  I did cp -f *
> /etc/shorewall/ to all the files, I then edited the rules file, and I
> think that's it.  If I stop shorewall I can see the shares on the other
> computer, and as soon as I start it, I can't see the other computers
> shares (although I can see the computer) and I start to see dropped
> packets.  Oh yeah, the "other" computer is a Windows 98 PC by the way.
> 
> If you can give me any advice about this that would be great.  I hope I
> have explained everything more clearly this time.  Thanks,
> 
> David Grant
> 
> Tom Eastep wrote:
> 
> >Subject: Re: [Shorewall-users] Policy Rules not working as expected
> >
> >On Thu, 25 Apr 2002, Tom Eastep wrote:
> >
> >
> >
> >>Sorry Patrick -- I didn't pay attention to which post you were replying
> >>to. Yes, I agree totally that there is no reason to switch the meaning of
> >>'net' and 'loc' and I replied to that effect to the original poster.
> >>
> >>
> >
> >Ok -- hope that I haven't made everyone else as confused as I am :-)
> >
> >We had two posts this morning with similar traits:
> >
> >a) David Grant -- he reported that his local net was actually the internet
> >because of something that I didn't understand.
> >
> >b) Bernd (Nowak?) -- he stated in his opening paragraph that eth0 was his
> >network interface and eth1 was his local yet his configuration looked to
> >be the other way around. I thought that his opening paragraph was a typo
> >given that the subnets on eth1 (with the exception of 'token') use RFC1918
> >addresses and that's why I reacted to Patrick's post. To me, it still
> >looks like a typo;  maybe Bernd can clear that up for us.
> >
> >It was David's post that I responded to given that I didn't understand
> >that part about why his local net was on the internet. I think I've now
> >muddled that one out. David has a single NIC in each of two systems, both
> >of which get IP's dynamically from his ISP. So he is using one lan segment
> >for both internet and local traffic. Not the world's best idea given that
> >the rules that he posted will give all of his neighbors free SMB access to
> >his SAMBA box.
> >
> >I have a similar configuration here currently but I use a PPTP VPN from my
> >laptop to my firewall. The reason that the laptop moved out from behind my
> >firewall is that any time that I need tech support from my employer,
> >that's the first thing that the help desk wants me to do :-/ I just
> >decided to leave it outside the firewall permanently. Makes a good PoPToP
> >test bed :-)
> >
> >-Tom
> >
> >
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
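
To make the two points in this thread concrete, here is an added example (my own code, not anything from the Shorewall project or from Jerry, David or Tom) that models how the posted rules file and policy table classify a packet. Two things about Shorewall's rules syntax are worth checking against the posted config: the DEST PORT(S) column accepts both `137:139` (an iptables port range, i.e. 137, 138 and 139) and `137,139` (a list of exactly those two ports), and rules match on the destination port, with the source port in a separate column that the posted rules leave empty. Run against David's log line, the model shows why the packet was dropped on the rules alone: it is a reply from udp/137 to destination port 1038, which no ACCEPT rule covers, so the `net all DROP` policy fires. The model deliberately leaves out connection tracking, so it says nothing about whether netfilter would have recognised the packet as a reply. It also carries a constructed hardened variant using `net:<address>` in the SOURCE column, which is Shorewall's documented way to restrict a rule to particular hosts; the address 192.0.2.10 and the MAC/IP values substituted for David's masked fields are documentation placeholders, not values from the thread.

```python
"""Simplified model of how a Shorewall rules file classifies a packet.

Added example, not code from the Shorewall project or from anyone in this
thread.  It models the ACTION, SOURCE, DEST, PROTO and DEST PORT(S) columns
plus the policy table; it does NOT model connection tracking, so it shows
only what the rules themselves say about a packet.
"""
import ipaddress
import re

# Rules as David posted them.
RULES_TEXT = """\
DROP    net  fw   tcp  113
ACCEPT  net  fw   tcp  80       #HTTP server
ACCEPT  net  fw   tcp  22       #SSH server
ACCEPT  fw   net  udp  137:139  #SAMBA
ACCEPT  fw   net  tcp  137,139  #SAMBA
ACCEPT  net  fw   udp  137:139  #SAMBA
ACCEPT  net  fw   tcp  137,139  #SAMBA
ACCEPT  net  fw   tcp  6346     #Gnutella
"""

# Constructed hardened variant (assumption): Shorewall's SOURCE column takes
# zone:address, so the SMB rules can be tied to one host.  192.0.2.10 is an
# RFC 5737 documentation address standing in for the Windows 98 PC.
HARDENED_RULES_TEXT = """\
ACCEPT  net:192.0.2.10  fw  udp  137:139  #SAMBA, one host only
ACCEPT  net:192.0.2.10  fw  tcp  137,139  #SAMBA, one host only
"""

# Policies as posted; the first matching line wins.
POLICIES = [("fw", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

# David's log line with the masked fields replaced by constructed placeholders.
LOG_LINE = ("Apr 25 11:36:25 bih8151uy48rg kernel: Shorewall:net2all:DROP:IN=eth0 "
            "OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.10 DST=192.0.2.20 LEN=90 "
            "TOS=0x00 PREC=0x00 TTL=128 ID=23296 PROTO=UDP SPT=137 DPT=1038 LEN=70")


def expand_ports(spec):
    """'137:139' is a port range (iptables --dport lo:hi); '137,139' is a list.
    Both are legal in the DEST PORT(S) column and may be mixed."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_zone(field):
    """'net' -> ('net', None); 'net:192.0.2.10' -> ('net', 192.0.2.10/32)."""
    zone, _, addr = field.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def parse_rules(text):
    """Parse ACTION SOURCE DEST PROTO DEST PORT(S); trailing columns and comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, ports = line.split()[:5]
        rules.append((action, parse_zone(src), dst, proto.lower(), expand_ports(ports)))
    return rules


def parse_log(line):
    """Pull proto, addresses and ports out of a Shorewall/netfilter log line."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"proto": f["PROTO"].lower(), "src": f["SRC"], "dst": f["DST"],
            "sport": int(f["SPT"]), "dport": int(f["DPT"])}


def classify(pkt, src_zone, dst_zone, rules, policies=POLICIES):
    """Return (verdict, reason).  Rules match on the DESTINATION port; the source
    port lives in a separate, here unused, column, so SPT=137 is never consulted."""
    for action, (rz, rnet), rd, proto, ports in rules:
        if rz != src_zone or rd != dst_zone or proto != pkt["proto"]:
            continue
        if rnet is not None and ipaddress.ip_address(pkt["src"]) not in rnet:
            continue
        if pkt["dport"] in ports:
            return action, f"rule {action} {rz} {rd} {proto} dport {pkt['dport']}"
    for pz, pd, action in policies:
        if pz in (src_zone, "all") and pd in (dst_zone, "all"):
            return action, f"policy {pz} {pd} {action}"
    return "REJECT", "no policy matched"


def logged_packet_verdict(rules_text=RULES_TEXT):
    """The dropped packet from the thread: a reply from udp/137 to port 1038."""
    return classify(parse_log(LOG_LINE), "net", "fw", parse_rules(rules_text))


if __name__ == "__main__":
    print(logged_packet_verdict())  # ('DROP', 'policy net all DROP')
```

Swapping `RULES_TEXT` for `HARDENED_RULES_TEXT` in `logged_packet_verdict` shows the source-restricted rules: udp/137 from 192.0.2.10 is accepted while the same packet from any other address falls through to the `net all DROP` policy, which is the "limit access" behaviour Jerry is after, expressed in the SOURCE column.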