
Firewall/Shorewall question



Here's my problem:

In /var/log/messages:
Jul 19 21:06:46 all2all:REJECT:IN= OUT=eth0 
  SRC=A.B.C.D DST=128.206.12.154 
  LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF 
  PROTO=UDP SPT=123 DPT=123 LEN=56

This tells me that the all2all chain is rejecting my NTP traffic from my 
firewall to the NTP server (128.206.12.154). The SRC address (A.B.C.D) is my 
external gateway IP.

I cannot figure out why this isn't going through from my config below. Can you 
see something I'm missing here? I've been staring at it for too long.

Mike/

Here's my config:
# Shorewall 1.3 /etc/shorewall/zones
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
wap     WAP             Wireless Access Point
--
# Shorewall 1.3 /etc/shorewall/interfaces
#ZONE    INTERFACE      BROADCAST       OPTIONS
net eth0 detect        norfc1918,dropunclean,blacklist,filterping,routefilter
loc eth1 192.168.1.255 dhcp
wap eth2 192.168.2.255 dhcp,dropunclean,blacklist,filterping,routefilter
--
# Shorewall 1.3 /etc/shorewall/policy
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             wap             ACCEPT
loc             fw              REJECT
wap             net             ACCEPT
wap             fw              REJECT
net             all             DROP            info            10/sec:40
all             all             REJECT          info
--
# Shorewall 1.3 /etc/shorewall/common
source /etc/shorewall/common.def # Include common.def 
run_iptables -A common -p udp --sport domain -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport auth -j REJECT
--
# Shorewall 1.3 /etc/shorewall/routestopped
#INTERFACE      HOST(S)
eth1            192.168.1.0/24

# Shorewall version 1.3 /etc/shorewall/rules
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
# Local Network to Internet
ACCEPT   loc            net             udp    ntp
# Reject attempts by trojans to call home
REJECT:info loc         net             tcp    ircd
#
# Local Network to Firewall
ACCEPT   loc            fw              tcp    ssh
ACCEPT   loc            fw              tcp    time
ACCEPT   loc            fw              tcp    domain
ACCEPT   loc            fw              udp    domain
ACCEPT   loc            fw              udp    ntp
#
# Local Network to WAP
# Globally allowed by policy
#
# Internet to WAP
#ACCEPT   net            wap             tcp    www
#ACCEPT   net            wap             tcp    smtp
#ACCEPT   net            wap             tcp    ftp
#ACCEPT   net            wap             tcp    auth
#ACCEPT   net            wap             tcp    https
#ACCEPT   net            wap             tcp    imaps
#ACCEPT   net            wap             tcp    domain
#ACCEPT   net            wap             udp    domain
#ACCEPT   net            wap             tcp    cvspserver
#ACCEPT   net            wap             icmp   echo-request
#ACCEPT   net            wap             tcp    rsync
# Allow ICQ chat and transfers
#ACCEPT   net            loc             tcp    4000:4100
#
# Internet to Local
# Next line allows ICQ chat and transfers
ACCEPT   net            loc             tcp    4000:4100
ACCEPT   net            loc             tcp    auth
REJECT   net            loc             tcp    www
#
# WAP to Internet
ACCEPT   wap            net             icmp   echo-request
ACCEPT   wap            net             tcp    smtp
ACCEPT   wap            net             tcp    auth
ACCEPT   wap            net             tcp    domain
ACCEPT   wap            net             udp    domain
ACCEPT   wap            net             tcp    www
ACCEPT   wap            net             tcp    https
ACCEPT   wap            net             tcp    whois
ACCEPT   wap            net             tcp    echo
ACCEPT   wap            net             udp    ntp
#ACCEPT   wap            net:$NTPSERVER  udp    ntp
#ACCEPT   wap            net:$POPSERVERS tcp    pop3
#
# WAP to Firewall
ACCEPT   wap            fw              tcp    snmp
ACCEPT   wap            fw              udp    snmp
#
# WAP to Local
# Globally disallowed by policy
#
# Internet to Firewall
#ACCEPT   net            fw              tcp    1723
#REJECT   net            fw              tcp    www
# Just to avoid logging these clowns
REJECT    net            fw              tcp    ms-sql-s
REJECT    net            fw              tcp    smtp
REJECT    net            fw              tcp    ftp
#
# Firewall to Internet
#ACCEPT    fw             net:$NTPSERVER  udp    ntp
ACCEPT    fw             net             udp    ntp
ACCEPT    fw             net             tcp    domain
ACCEPT    fw             net             udp    domain
ACCEPT    fw             net             tcp    www
ACCEPT    fw             net             tcp    https
ACCEPT    fw             net             tcp    ssh
ACCEPT    fw             net             tcp    whois
ACCEPT    fw             net             icmp   echo-request
# Firewall to WAP
# Globally allowed by policy
#
##############################################################################
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients.
ACCEPT:info loc         net             tcp    1024:  ftp-data
ACCEPT:info wap         net             tcp    1024:  ftp-data
#
##############################################################################
# LOC protection
DROP     net            loc             tcp     nfs
DROP     net            loc             udp     nfs
DROP     net            loc             tcp     xfs
DROP     net            loc             tcp     x11:6009
DROP     net            loc             tcp     printer
DROP     net            loc             udp     printer
DROP     net            loc             tcp     sunrpc
DROP     net            loc             udp     sunrpc
#DROP     net            loc             tcp     microsoft-ds
#DROP     net            loc             tcp     netbios-ns
#DROP     net            loc             tcp     netbios-dgm
#DROP     net            loc             tcp     netbios-ssn
#
##############################################################################
# WAP protection
DROP     net            wap             tcp     nfs
DROP     net            wap             udp     nfs
DROP     net            wap             tcp     xfs
DROP     net            wap             tcp     x11:6009
DROP     net            wap             tcp     printer
DROP     net            wap             udp     printer
DROP     net            wap             tcp     sunrpc
DROP     net            wap             udp     sunrpc
#DROP     net            wap             tcp     microsoft-ds
#DROP     net            wap             tcp     netbios-ns
#DROP     net            wap             tcp     netbios-dgm
#DROP     net            wap             tcp     netbios-ssn

Mike
-- 
() Join the ASCII ribbon campaign against HTML email and Microsoft-specific
/\ attachments. If I wanted to read HTML, I would have visited your website!
Support open standards.
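Given a log entry like the one in the post, the first thing to pin down is which zone pair netfilter put the packet in and which rule or policy row the files say should govern it. The script below is an added example for this post, not Shorewall code and not something the poster ran: it parses the netfilter log format, the interfaces, policy and rules tables (copied from the post; the rules table is a subset) and reports the logged chain beside the rule that matches the packet and the policy row that applies when none does. The second log line, the SERVICES table and all helper names are assumptions made for the illustration.

```python
"""Map a netfilter/Shorewall log line back to its zone pair, the rules that
should have matched, and the policy row that applies when none does.

Added example for this post, not Shorewall code.  INTERFACES, POLICY and
RULES are copied from the post (RULES is a subset); LOG_LINE is the post's
entry re-joined onto one line; PROBE_LINE, SERVICES and every helper are
assumptions made for this illustration."""
import re

INTERFACES = """\
net eth0 detect        norfc1918,dropunclean,blacklist,filterping,routefilter
loc eth1 192.168.1.255 dhcp
wap eth2 192.168.2.255 dhcp,dropunclean,blacklist,filterping,routefilter
"""
POLICY = """\
loc net ACCEPT
loc wap ACCEPT
loc fw  REJECT
wap net ACCEPT
wap fw  REJECT
net all DROP   info  10/sec:40
all all REJECT info
"""
RULES = """\
ACCEPT      loc  net  udp  ntp
ACCEPT      loc  fw   udp  ntp
ACCEPT      wap  net  udp  ntp
ACCEPT      fw   net  udp  ntp
ACCEPT      fw   net  tcp  domain
ACCEPT:info loc  net  tcp  1024:    ftp-data
DROP        net  loc  tcp  x11:6009
REJECT      net  fw   tcp  ms-sql-s
"""
# The post's entry, re-joined; the poster had already redacted SRC to A.B.C.D.
LOG_LINE = ("Jul 19 21:06:46 all2all:REJECT:IN= OUT=eth0 SRC=A.B.C.D "
            "DST=128.206.12.154 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=UDP SPT=123 DPT=123 LEN=56")
# Constructed sample: an inbound probe to a port no rule mentions.
PROBE_LINE = ("Jul 19 21:07:02 net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 "
              "DST=A.B.C.D LEN=48 TTL=113 PROTO=TCP SPT=3072 DPT=3306 SYN")
# Assumed service table for the names in RULES (/etc/services would do too).
SERVICES = {"ntp": 123, "domain": 53, "ftp-data": 20, "x11": 6000, "ms-sql-s": 1433}
FW = "fw"                      # Shorewall 1.3 default name for the firewall zone
KV = re.compile(r"([A-Z]+)=(\S*)")

def parse_log(line):
    """Netfilter fields plus CHAIN/DISPOSITION from the Shorewall log prefix.
    Empty IN= means the firewall generated the packet (OUTPUT chain); empty
    OUT= means it was addressed to the firewall (INPUT chain)."""
    head, _, tail = line.partition("IN=")
    fields = dict(KV.findall("IN=" + tail))          # second LEN= (L4) wins
    parts = head.split()[-1].strip(":").split(":")   # e.g. all2all:REJECT
    fields["CHAIN"], fields["DISPOSITION"] = parts[-2], parts[-1]
    return fields

def _rows(text):
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def parse_interfaces(text):
    return {cols[1]: cols[0] for cols in _rows(text)}       # interface -> zone

def zone_pair(fields, iface_zones):
    src = iface_zones.get(fields["IN"], "?") if fields["IN"] else FW
    dst = iface_zones.get(fields["OUT"], "?") if fields["OUT"] else FW
    return src, dst

def port_range(spec):
    """'ntp' -> (123,123); '1024:' -> (1024,65535); 'x11:6009' -> (6000,6009)."""
    if spec in ("", "-"):
        return (1, 65535)
    def one(tok, default):
        return default if not tok else int(tok) if tok.isdigit() else SERVICES[tok]
    lo, sep, hi = spec.partition(":")
    return (one(lo, 1), one(hi, 65535)) if sep else (one(lo, 1),) * 2

def parse_rules(text):
    rules = []
    for cols in _rows(text):
        action, src, dst, proto = cols[:4]
        dport, sport = (cols + ["-", "-"])[4:6]
        icmp = proto.lower() == "icmp"                # ICMP types are not modelled
        rules.append({"action": action.split(":")[0], "src": src.split(":")[0],
                      "dst": dst.split(":")[0], "proto": proto.lower(),
                      "dport": (1, 65535) if icmp else port_range(dport),
                      "sport": (1, 65535) if icmp else port_range(sport),
                      "text": " ".join(cols)})
    return rules

def applicable_policy(src, dst, text):
    """First policy row matching the zone pair, in file order, as Shorewall does."""
    for psrc, pdst, action, *_ in _rows(text):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return f"{psrc}2{pdst}", action          # Shorewall's chain name
    return None

def matching_rules(fields, rules, iface_zones):
    src, dst = zone_pair(fields, iface_zones)
    proto = fields.get("PROTO", "").lower()
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    return [r for r in rules
            if (r["src"], r["dst"]) == (src, dst) and r["proto"] in (proto, "all")
            and r["sport"][0] <= spt <= r["sport"][1]
            and r["dport"][0] <= dpt <= r["dport"][1]]

def diagnose(line, ifaces=INTERFACES, rules=RULES, policy=POLICY):
    """(logged chain, logged disposition, zone pair, matching rule texts,
    policy (chain, action)) for one log line."""
    f = parse_log(line)
    zones = parse_interfaces(ifaces)
    src, dst = zone_pair(f, zones)
    hits = [r["text"] for r in matching_rules(f, parse_rules(rules), zones)]
    return f["CHAIN"], f["DISPOSITION"], (src, dst), hits, applicable_policy(src, dst, policy)

if __name__ == "__main__":
    for line in (LOG_LINE, PROBE_LINE):
        print(diagnose(line))
```

For the post's line the output pairs the logged chain all2all with a matching `ACCEPT fw net udp ntp` rule: the files say a rule covers the packet, yet the packet was logged from the catch-all policy chain (the `all all REJECT` row) rather than from the chain holding the fw-to-net rules. When the file and the log disagree like this, the thing to compare next is the file against the live ruleset (`iptables -L -n -v`, then a restart of the firewall if the chains differ), not the file against itself. ICMP type names and the ORIGINAL DEST column are not modelled.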


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.