[Shorewall-users] Trouble with fw->dmz net->dmz traffic

j6m at cvni.net j6m at cvni.net
Thu Jun 26 01:19:34 PDT 2003



Hello,

I installed a 3 leg firewall using Shorewall 1.4.5 on a box running SuSE 8.2
(kernel 2.4.20 patched with Yast Online Update).

My NICs are configured this way:

eth0 10.0.0.1 (255.0.0.0)
     (connected to a DSL modem)
eth1 192.168.1.1 (255.255.255.0)
     (local zone)
eth2 192.168.2.1 (255.255.255.0)
     (dmz)

My dmz main server is at 192.168.2.5; it offers DNS (bind9), HTTP and SMTP services.

As I use PPPoE (fixed IP assigned by ISP) to connect, I took the three-interface
template and replaced eth0 with ppp0 in the interfaces, masq and routestopped examples.

Then I edited the rules file and added:
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
(works)
ACCEPT          fw              dmz             tcp     53
ACCEPT          fw              dmz             udp     53
(does not work)
ACCEPT          dmz             net             tcp     53
ACCEPT          dmz             net             udp     53
(works)
DNAT            net             dmz:192.168.2.5 tcp 53
DNAT            net             dmz:192.168.2.5 udp 53
(does not work)

Although I allowed fw access to the DNS service in the DMZ, when doing
host <whatever domain> 192.168.2.5 I got busted. Inspecting /var/log/messages
shows that Shorewall rejects such connections:

Jun 26 00:02:59 hotel kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44100 DF
PROTO=UDP SPT=32776 DPT=53 LEN=42

I must have missed something somewhere. Maybe it is related to the fact that
DNAT does not occur either.

Jun 25 16:41:39 hotel kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth1
SRC=80.67.173.196 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45136 DF
PROTO=TCP SPT=1225 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0

It is just as if these four rules did not exist, causing Shorewall to follow what
is defined in policy.

----
My interfaces file is:

net     ppp0            detect          routefilter,norfc1918,dropunclean
        (Yes, I know I am a bit paranoid but they are all out after me ;))
loc     eth1            detect
dmz     eth2            detect

(Of course I take care to stop and start shorewall in ip-up so that ppp0 is
always up when Shorewall restarts, should a disconnect occur, which actually
happens every 24 hours because of the telco.)

An oddity in my system is that, at present, there is no physical computer in my
local zone.
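Added here as a diagnostic aid, not part of the post above: a small Python script that parses the two Shorewall log lines quoted in the message, maps the IN= and OUT= interfaces to zones using the poster's interfaces file (net/ppp0, loc/eth1, dmz/eth2), and checks whether the egress interface actually belongs to the zone that owns the destination subnet. Shorewall derives the zone of a packet from the interface it arrives on or leaves by, so a packet to a DMZ address that the kernel routes out of the loc interface is matched against fw->loc or net->loc, not against the dmz rules. The subnets come from the NIC list in the post; the third log line is constructed as a control case and did not appear in the message.

```python
import ipaddress
import re

# Zone <-> interface mapping as given in the poster's interfaces file.
ZONE_BY_IFACE = {"ppp0": "net", "eth1": "loc", "eth2": "dmz"}

# Subnets behind the two LAN interfaces, from the NIC list in the post.
SUBNET_BY_IFACE = {
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
    "eth2": ipaddress.ip_network("192.168.2.0/24"),
}

# The two log lines quoted in the post (each re-joined onto one line),
# plus one constructed control line (not from the post) where the same
# flow leaves via eth2.
LOG_LINES = [
    "Jun 26 00:02:59 hotel kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44100 DF "
    "PROTO=UDP SPT=32776 DPT=53 LEN=42",
    "Jun 25 16:41:39 hotel kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth1 "
    "SRC=80.67.173.196 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=45136 DF "
    "PROTO=TCP SPT=1225 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0",
    "Jun 26 00:05:00 hotel kernel: Shorewall:fw2dmz:REJECT:IN= OUT=eth2 "
    "SRC=192.168.2.1 DST=192.168.2.5 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=44101 DF "
    "PROTO=UDP SPT=32777 DPT=53 LEN=42",
]

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the usual netfilter KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Split a Shorewall log line into chain, disposition and KEY=VALUE fields."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    # Bare flags (DF, SYN) carry no '=' and are skipped; the repeated LEN=
    # key overwrites the outer value, which does not matter for this check.
    entry.update(FIELD_RE.findall(m.group("fields")))
    return entry


def zone_of(iface):
    """An empty IN= or OUT= means the firewall itself; otherwise look the interface up."""
    if iface == "":
        return "fw"
    return ZONE_BY_IFACE.get(iface, "unknown")


def analyze(entry):
    """Compare the zone pair Shorewall saw with the pair the destination address implies."""
    seen_src = zone_of(entry.get("IN", ""))
    seen_dst = zone_of(entry.get("OUT", ""))
    dst_ip = ipaddress.ip_address(entry["DST"])
    owning_iface = next((i for i, net in SUBNET_BY_IFACE.items() if dst_ip in net), None)
    implied_dst = ZONE_BY_IFACE.get(owning_iface) if owning_iface else None
    return {
        "chain": entry["chain"],
        "disposition": entry["disposition"],
        "dst": entry["DST"],
        "seen": f"{seen_src}->{seen_dst}",
        "implied": f"{seen_src}->{implied_dst}" if implied_dst else None,
        # A chain named <zone>2all or all2all is a policy chain: no rule matched.
        "policy_hit": entry["chain"].endswith("2all"),
        # Egress interface does not belong to the zone that owns the destination.
        "mismatch": implied_dst is not None and implied_dst != seen_dst,
    }


def analyze_log(lines):
    """Parse and analyze every Shorewall line; non-matching lines are ignored."""
    return [analyze(e) for e in map(parse_line, lines) if e is not None]


if __name__ == "__main__":
    for r in analyze_log(LOG_LINES):
        flag = "ROUTING/ZONE MISMATCH" if r["mismatch"] else "ok"
        print(f'{r["chain"]:8} {r["disposition"]:7} dst={r["dst"]} '
              f'seen {r["seen"]} implied {r["implied"]} {flag}')
```

Run against the quoted lines, the script reports both packets to 192.168.2.5 as fw->loc and net->loc with a mismatch flag, because OUT=eth1 is the loc interface while 192.168.2.5 sits on eth2; the constructed control line with OUT=eth2 comes back clean. A mismatch of this kind points at the routing table on the firewall rather than at the rules file, and the same check can be run over a whole /var/log/messages to see how many rejected flows share the pattern.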
