
Re: Using shorewall




-----Original Message-----
From: Paolo <oopla@users.sf.net>
To: debian-firewall@lists.debian.org <debian-firewall@lists.debian.org>
Subject: Re: Using shorewall
Date: Thu, 12 Feb 2009 21:47:17 +0100
Mailer: Mutt/1.3.28i

On Thu, Feb 12, 2009 at 03:05:14PM -0500, john wrote:
...
> I have set up shorewall with eth0 going to my existing d-link router.
> eth1 and eth2 are planned for a dmz and a loc. I have used the setup and

what's your final /etc/network/interfaces ?
what do ifconfig(8) or ip(8) report?

> lines from /var/log/shorewall-init.log):
> 
> Setting up masquerading/SNAT....
>   ERROR: Unable to determine routes through interface "eth1"

perhaps some more log lines would help? ...

-- 
paolo

I should have mentioned that I'm running lenny (up to date).

My /etc/network/interfaces file reads:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

My /etc/shorewall file reads:

net	eth0	detect	dhcp,routefilter,tcpflags
dmz	eth1	detect	dhcp
loc	eth2	detect	dhcp

/var/log/shorewall-init.log reads:
22:43:52 Compiling...
Loading /usr/share/shorewall/lib.base...
Loading /usr/share/shorewall/lib.config...
22:43:52 Processing /etc/shorewall/shorewall.conf...
22:43:52 Loading Modules...
22:43:54 Loading library /usr/share/shorewall-shell/lib.actions...
22:43:54 Loading library /usr/share/shorewall-shell/lib.nat...
22:43:54 Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   New Connection Tracking Match Syntax: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
22:43:55 Determining Zones...
   IPv4 Zones: net dmz loc
   Firewall Zone: fw
22:43:55 Validating interfaces file...
22:43:55 Validating hosts file...
22:43:55 Pre-processing Actions...
22:43:55    Pre-processing /usr/share/shorewall/action.Drop...
22:43:55    ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:55    ..End Macro
22:43:55    ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:55    ..End Macro
22:43:55    ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:55    ..End Macro
22:43:55    ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:55    ..End Macro
22:43:55    ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:55    ..End Macro
22:43:55    Pre-processing /usr/share/shorewall/action.Reject...
22:43:55 Validating Policy file...
22:43:55    Policy for net to dmz is DROP using chain net2all
22:43:55    Policy for net to loc is DROP using chain net2all
22:43:55    Policy for net to fw is DROP using chain net2all
22:43:55    Policy for dmz to net is REJECT using chain dmz2all
22:43:55    Policy for dmz to loc is REJECT using chain dmz2all
22:43:55    Policy for dmz to fw is REJECT using chain dmz2all
22:43:55    Policy for loc to net is REJECT using chain loc2all
22:43:55    Policy for loc to dmz is REJECT using chain loc2all
22:43:55    Policy for loc to fw is REJECT using chain loc2all
22:43:55    Policy for fw to net is ACCEPT using chain fw2all
22:43:55    Policy for fw to dmz is ACCEPT using chain fw2all
22:43:55    Policy for fw to loc is ACCEPT using chain fw2all
22:43:55 Determining Hosts in Zones...
   net Zone: eth0:0.0.0.0/0
   dmz Zone: eth1:0.0.0.0/0
   loc Zone: eth2:0.0.0.0/0
22:43:55 Deleting user chains...
22:43:55 Compiling /etc/shorewall/routestopped ...
22:43:55 Creating Interface Chains...
22:43:55 Compiling Common Rules
22:43:55 Adding rules for DHCP
22:43:55 Compiling TCP Flags checking...
22:43:55 Compiling Kernel Route Filtering...
22:43:55 Compiling Martian Logging...
22:43:55 Compiling IPSEC...
22:43:55 Compiling /etc/shorewall/rules...
22:43:55    Rule "ACCEPT loc net tcp 80,443     " compiled.
22:43:55    Rule "ACCEPT loc fw udp 53     " compiled.
22:43:55    Rule "ACCEPT net dmz tcp 80     " compiled.
22:43:55    Rule "ACCEPT loc dmz tcp 80     " compiled.
22:43:55    Rule "ACCEPT fw dmz tcp 80     " compiled.
22:43:56    Rule "ACCEPT dmz net:206.167.141.10 tcp 80     " compiled.
22:43:56    Rule "ACCEPT dmz net:128.31.0.36 tcp 80     " compiled.
22:43:56 Compiling Actions...
22:43:56    Generating Transitive Closure of Used-action List...
22:43:56 Compiling /usr/share/shorewall/action.Drop for Chain Drop...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56    Rule "REJECT - - tcp 113 -  - " compiled.
22:43:56 ..End Macro
22:43:56    Rule "dropBcast        " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56    Rule "ACCEPT - - icmp fragmentation-needed -  - " compiled.
22:43:56    Rule "ACCEPT - - icmp time-exceeded -  - " compiled.
22:43:56 ..End Macro
22:43:56    Rule "dropInvalid        " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56    Rule "DROP - - udp 135,445 -  - " compiled.
22:43:56    Rule "DROP - - udp 137:139 -  - " compiled.
22:43:56    Rule "DROP - - udp 1024: 137  - " compiled.
22:43:56    Rule "DROP - - tcp 135,139,445 -  - " compiled.
22:43:56 ..End Macro
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:56    Rule "DROP - - udp 1900 -  - " compiled.
22:43:56 ..End Macro
22:43:56    Rule "dropNotSyn - - tcp     " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:56    Rule "DROP - - udp - 53  - " compiled.
22:43:56 ..End Macro
22:43:56 Compiling /usr/share/shorewall/action.Reject for Chain Reject...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56    Rule "REJECT - - tcp 113 -  - " compiled.
22:43:56 ..End Macro
22:43:56    Rule "dropBcast        " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56    Rule "ACCEPT - - icmp fragmentation-needed -  - " compiled.
22:43:56    Rule "ACCEPT - - icmp time-exceeded -  - " compiled.
22:43:56 ..End Macro
22:43:56    Rule "dropInvalid        " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56    Rule "REJECT - - udp 135,445 -  - " compiled.
22:43:56    Rule "REJECT - - udp 137:139 -  - " compiled.
22:43:57    Rule "REJECT - - udp 1024: 137  - " compiled.
22:43:57    Rule "REJECT - - tcp 135,139,445 -  - " compiled.
22:43:57 ..End Macro
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:57    Rule "DROP - - udp 1900 -  - " compiled.
22:43:57 ..End Macro
22:43:57    Rule "dropNotSyn - - tcp     " compiled.
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:57    Rule "DROP - - udp - 53  - " compiled.
22:43:57 ..End Macro
22:43:57 Compiling /etc/shorewall/policy...
22:43:57    Policy ACCEPT for fw to dmz using chain fw2all
22:43:57    Policy DROP for net to dmz using chain net2all
22:43:57    Policy REJECT for dmz to net using chain dmz2all
22:43:57    Policy REJECT for loc to fw using chain loc2all
22:43:57    Policy REJECT for loc to net using chain loc2all
22:43:57    Policy REJECT for loc to dmz using chain loc2all
22:43:57 Compiling Masquerading/SNAT
22:43:57 Compiling Traffic Control Rules...
22:43:57 Compiling Rule Activation...
22:43:57 Compiling IP Forwarding...
22:43:57 Shorewall configuration compiled to /var/lib/shorewall/.start
22:43:58 Starting Shorewall....
22:43:58 Initializing...
22:43:58 Loading Modules...
22:43:58 Clearing Traffic Control/QOS
22:43:58 Deleting user chains...
22:43:58 Enabling Loopback and DNS Lookups
22:43:58 Creating Interface Chains...
22:43:58 Setting up SMURF control...
22:43:58 Setting up Black List...
22:43:58 Setting up rules for DHCP...
22:43:58 Setting up TCP Flags checking...
22:43:59 Setting up ARP filtering...
22:43:59 Setting up Route Filtering...
22:43:59 Setting up Martian Logging...
22:43:59 Setting up Accept Source Routing...
22:43:59 Setting up SYN Flood Protection...
22:43:59 Setting up Rules...
22:43:59    Rule "ACCEPT loc net tcp 80,443     " added.
22:43:59    Rule "ACCEPT loc fw udp 53     " added.
22:43:59    Rule "ACCEPT net dmz tcp 80     " added.
22:43:59    Rule "ACCEPT loc dmz tcp 80     " added.
22:43:59    Rule "ACCEPT fw dmz tcp 80     " added.
22:43:59    Rule "ACCEPT dmz net:206.167.141.10 tcp 80     " added.
22:43:59    Rule "ACCEPT dmz net:128.31.0.36 tcp 80     " added.
22:43:59 Setting up Actions...
22:43:59 Creating action chain Drop
22:43:59    Rule "REJECT - - tcp 113 -  - " added.
22:43:59    Rule "dropBcast        " added.
22:43:59    Rule "ACCEPT - - icmp fragmentation-needed -  - " added.
22:43:59    Rule "ACCEPT - - icmp time-exceeded -  - " added.
22:43:59    Rule "dropInvalid        " added.
22:43:59    Rule "DROP - - udp 135,445 -  - " added.
22:43:59    Rule "DROP - - udp 137:139 -  - " added.
22:43:59    Rule "DROP - - udp 1024: 137  - " added.
22:43:59    Rule "DROP - - tcp 135,139,445 -  - " added.
22:43:59    Rule "DROP - - udp 1900 -  - " added.
22:43:59    Rule "dropNotSyn - - tcp     " added.
22:43:59    Rule "DROP - - udp - 53  - " added.
22:43:59 Creating action chain Reject
22:43:59    Rule "REJECT - - tcp 113 -  - " added.
22:43:59    Rule "dropBcast        " added.
22:43:59    Rule "ACCEPT - - icmp fragmentation-needed -  - " added.
22:43:59    Rule "ACCEPT - - icmp time-exceeded -  - " added.
22:43:59    Rule "dropInvalid        " added.
22:43:59    Rule "REJECT - - udp 135,445 -  - " added.
22:43:59    Rule "REJECT - - udp 137:139 -  - " added.
22:43:59    Rule "REJECT - - udp 1024: 137  - " added.
22:43:59    Rule "REJECT - - tcp 135,139,445 -  - " added.
22:43:59    Rule "DROP - - udp 1900 -  - " added.
22:43:59    Rule "dropNotSyn - - tcp     " added.
22:43:59    Rule "DROP - - udp - 53  - " added.
22:43:59 Creating action chain dropBcast
22:43:59 Creating action chain dropInvalid
22:43:59 Creating action chain dropNotSyn
22:43:59 Applying Policies...
22:43:59 Setting up Masquerading/SNAT...
   ERROR: Unable to determine the routes through interface "eth1"
22:43:59 IP Forwarding Enabled
Terminated


Thanks - John.
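The error at the masquerading step says Shorewall found no route through eth1, and the posted /etc/network/interfaces only configures eth0. The check below is an added example (not from the thread or the Shorewall project): it parses a Shorewall interfaces file and an `ip -4 route` listing, both constructed inline to mirror John's setup, and reports every zone whose interface has no route. On a live box the two variables would come from /etc/shorewall/interfaces and `ip -4 route`.

```shell
# Constructed copy of the poster's Shorewall interfaces file
# (zone, interface, broadcast, options).
SHOREWALL_IFACES='# ZONE  INTERFACE  BROADCAST  OPTIONS
net   eth0   detect   dhcp,routefilter,tcpflags
dmz   eth1   detect   dhcp
loc   eth2   detect   dhcp'

# Constructed `ip -4 route` output: only eth0 has an address (DHCP),
# matching the posted /etc/network/interfaces. Addresses are placeholders.
IP_ROUTE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10'

# unrouted_ifaces INTERFACES_FILE_TEXT IP_ROUTE_TEXT
# Prints "zone iface" for each zone interface that no route passes through.
# Shorewall's SNAT/masquerade setup needs a route through each such
# interface, so every line printed is a candidate for the reported error.
unrouted_ifaces() {
    # Every "dev X" token in the routing table names a routed interface.
    routed=$(printf '%s\n' "$2" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }' \
        | sort -u)
    printf '%s\n' "$1" | while read -r zone iface rest; do
        # Skip blank lines and comments in the interfaces file.
        case "$zone" in '' | \#*) continue ;; esac
        # Exact whole-line match so "eth1" does not match "eth10".
        printf '%s\n' "$routed" | grep -qx -- "$iface" \
            || printf '%s %s\n' "$zone" "$iface"
    done
}

# Stand-alone run: lists the zones whose interfaces still need configuring.
unrouted_ifaces "$SHOREWALL_IFACES" "$IP_ROUTE"
```

An empty result means every zone interface has a route; anything printed is an interface that still needs an address (and thus a connected route) before Shorewall can build its masquerading rules for it.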