Hi all,

I'm seeing these messages in my logs:

<..snip..>
Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41851 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41853 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41855 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41857 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41859 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41861 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
<..snip..>

This occurs each time an OpenVPN client attempts to access the internal M$
Exchange server with his Mac Classic 8.2.1 Outlook running in the Classic
Environment on his Mac OS X laptop. I've modified the /etc/hosts file so
that the internal mail server is referenced by its internal IP address; DHCP
options are not pushed to non-Windows clients (not without getting into the
nitty-gritty). I can ping the mail server via VPN with either the domain
name or the IP address.

I'm running Bering uClibc 2.4 RC2. What I've done to Shorewall:

I've added to /etc/shorewall/zones:

  vpn   VPN     Remote Subnet

Added to /etc/shorewall/interfaces:

  vpn tun0

Added to /etc/shorewall/policy:

  loc   vpn ACCEPT
  vpn loc ACCEPT

Added to /etc/shorewall/tunnels:

  openvpn       net 0.0.0.0/0
  openvpn:udp:1195      net     0.0.0.0/0

I've also added the following to /etc/shorewall/rules:

  #       VPN DNS Access to/from local/firewall DNS server
  ACCEPT          loc             vpn                     tcp     53
  ACCEPT          loc             vpn                     udp     53
  ACCEPT          vpn             loc                     tcp     53
  ACCEPT          vpn             loc                     udp     53
  ACCEPT          fw              vpn                     tcp     53
  ACCEPT          fw              vpn                     udp     53
  ACCEPT          vpn             fw                      tcp     53
  ACCEPT          vpn             fw                      udp     53
  #

Output of restarting Shorewall is as follows:

firewall# /etc/init.d/shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Available
   Owner Match: Not available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Not available
Determining Zones...
   Zones: net loc dmz vpn
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   DMZ Zone: eth2:0.0.0.0/0
   VPN Zone: tun+:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowSubmission...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowNTPbrd...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
   Host XXX.XXX.XXX.XXX connected to eth2 added to ARP on eth0
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding Anti-smurf Rules
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
Setting up Martian Logging...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
   OPENVPN tunnel to 0.0.0.0/0:udp:1194 defined.
   OPENVPN tunnel to 0.0.0.0/0:udp:1195 defined.
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT fw loc tcp 53" added.
   Rule "ACCEPT fw loc udp 53" added.
   Rule "ACCEPT fw dmz tcp 53" added.
   Rule "ACCEPT fw dmz udp 53" added.
   Rule "ACCEPT loc fw tcp 53" added.
   Rule "ACCEPT loc fw udp 53" added.
   Rule "ACCEPT dmz fw tcp 53" added.
   Rule "ACCEPT dmz fw udp 53" added.
   Rule "ACCEPT dmz loc:192.168.1.XXX tcp 53" added.
   Rule "ACCEPT dmz loc:192.168.1.XXX udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc dmz tcp 22" added.
   Rule "ACCEPT fw loc tcp 5900:5910" added.
   Rule "ACCEPT fw loc tcp 22" added.
   Rule "ACCEPT dmz net tcp 53" added.
   Rule "ACCEPT dmz net udp 53" added.
   Rule "ACCEPT loc vpn tcp 53" added.
   Rule "ACCEPT loc vpn udp 53" added.
   Rule "ACCEPT vpn loc tcp 53" added.
   Rule "ACCEPT vpn loc udp 53" added.
   Rule "ACCEPT fw  vpn tcp 53" added.
   Rule "ACCEPT fw  vpn udp 53" added.
   Rule "ACCEPT vpn fw  tcp 53" added.
   Rule "ACCEPT vpn fw udp 53" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT dmz fw icmp 8" added.
   Rule "ACCEPT loc dmz icmp 8" added.
   Rule "ACCEPT dmz loc icmp 8" added.
   Rule "ACCEPT dmz net icmp 8" added.
   Rule "ACCEPT fw net icmp" added.
   Rule "ACCEPT fw loc icmp" added.
   Rule "ACCEPT fw dmz icmp" added.
   Rule "ACCEPT net dmz icmp 8" added.
   Rule "ACCEPT net loc icmp 8" added.
   Rule "DNAT:ULOG net loc:192.168.1.XXX:80 tcp 8080 - 216.70.XXX.XXX"
added.
   Rule "DNAT net loc:192.168.1.XXX tcp 52525" added.
   Rule "DNAT net loc:192.168.1.XXX udp 52525" added.
   Rule "DNAT net loc:192.168.1.XXX tcp smtp - 216.70.XXX.XXX" added.
   Rule "ACCEPT dmz:216.70.XXX.XXX net tcp 5999" added.
   Rule "DNAT:ULOG net loc:192.168.1.XXX tcp www - 216.70.XXX.XXX" added.
   Rule "DNAT:ULOG net loc:192.168.1.XXX tcp 443 - 216.70.XXX.XXX" added.
   Rule "REDIRECT net 80 tcp 8000 - 216.70.XXX.XXX" added.
   Rule "ACCEPT net fw tcp www" added.
   Rule "ACCEPT loc fw udp 67,68" added.
   Rule "ACCEPT:ULOG loc fw tcp 80,8080" added.
   Rule "ACCEPT dmz net tcp 80" added.
   Rule "ACCEPT dmz net tcp smtp" added.
   Rule "ACCEPT dmz loc tcp smtp" added.
   Rule "ACCEPT fw net tcp smtp" added.
   Rule "ACCEPT fw loc:192.168.1.XXX tcp smtp" added.
   Rule "ACCEPT fw net tcp time" added.
   Rule "ACCEPT fw net udp ntp" added.
   Rule "ACCEPT loc fw udp ntp" added.
   Rule "REJECT:ULOG loc net udp 1025:1031" added.
   Rule "REJECT:ULOG dmz net udp 1025:1031" added.
   Rule "ACCEPT:ULOG dmz net tcp 1024: 20" added.
   Rule "REJECT:ULOG fw net udp 1025:1031" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed" added.
   Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy REJECT for fw to dmz using chain all2all
      Enabled SYN flood protection
   Policy DROP for net to fw using chain net2all
      Enabled SYN flood protection
   Policy DROP for net to loc using chain net2all
      Enabled SYN flood protection
   Policy DROP for net to dmz using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for loc to dmz using chain all2all
   Policy ACCEPT for loc to vpn using chain loc2vpn
   Policy REJECT for dmz to fw using chain all2all
   Policy REJECT for dmz to net using chain all2all
   Policy REJECT for dmz to loc using chain all2all
   Policy ACCEPT for vpn to loc using chain vpn2loc
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth0
   To 0.0.0.0/0 (all) from 192.168.2.0/24 through eth0
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 1720   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 5190,5222,5298   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 5060,5190,5220,5297,5298,5353,5678
" added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 16384:16403   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 25   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 22   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 21   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply   " added
   TC Rule "3:P 0.0.0.0/0 0.0.0.0/0 all    " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 ipp2p    " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 tcp 52525   " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 udp 52525   " added
Activating Rules...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/start.d/weblet_start ...
Shorewall Restarted
Processing /etc/shorewall/started ...


What am I doing wrong?

~Doug

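An added example, not from Doug's post or from Shorewall itself, that parses log records in the format shown above (re-joining the continuation lines a mail client wraps onto, since those lack a timestamp) and counts rejected or dropped packets per chain, interface and flow, so repeat noise such as the 10.8.0.14 -> 192.168.1.254 udp/53 rejects stands out at a glance. The sample records are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the wrapped log lines in the post (not a real capture):
# two records split over three lines by the mail client, plus one unwrapped record.
SAMPLE_LOG = """\
Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41851 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69
Apr 25 14:07:50 firewall Shorewall:net2all:DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+): ")
KEYVAL = re.compile(r"(\w+)=(\S*)")

def unwrap(text):
    """Re-join records that were wrapped onto continuation lines (no timestamp)."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_record(record):
    """Return chain, verdict and the KEY=value fields of one netfilter log record."""
    m = HEADER.search(record)
    if m is None:
        return None  # not a Shorewall logging line
    fields = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    for key, value in KEYVAL.findall(record[m.end():]):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    return fields

def summarize(text):
    """Count filtered packets per (chain, verdict, in-iface, src, dst, proto, dport)."""
    counts = Counter()
    for fields in map(parse_record, unwrap(text)):
        if fields is not None:
            counts[(fields["chain"], fields["verdict"], fields.get("IN", ""),
                    fields.get("SRC"), fields.get("DST"), fields.get("PROTO"),
                    fields.get("DPT"))] += 1
    return counts
```

Calling `summarize(SAMPLE_LOG).most_common()` lists the flows ordered by hit count; the chain name in each key (all2all, net2all) tells you which policy, rather than which rule, produced the verdict.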

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/