Shoreline Firewall (Shorewall)

<snip>
> My questions are:
>- Does anyone see anything obviously wrong with my configuration files =
(see
>attached tgz)
<snip>
>- Finally, the most detailed question: how does RH9 and Shorewall add =
the
>routes to the routing table? I'm getting two identical
>66.1.1.96/27<http://66.1.1.96/27>entries and the wrong default gateway
>(eth1 instead of eth0).

You are using the same netmask, with the same ip, on both interfaces, =
one of=20
them needs to use a 255.255.255.255 netmask.
=20
> pps. How often do you all get scanned? I'm getting about one arp every =
5
> seconds looking for non-existent machines.
If it's arp, it's the gateway looking for machines on the lan, are there =
any logged=20
drop messages that occur at the same time? If so what is the source =
address?

Jerry

Adrian Mak escribi=F3:
> 2.4.x is a stable version and 3.0 is a development version
> then what about 2.5.x version ?

2.5 changed name to 3.0 because we liked to do that :-)

--=20
Cristian Rodriguez R.
perl -e '$_=3Dpack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;=
'

On Saturday 29 October 2005 14:16, Scott Ruckh wrote:

>
> I compiled a vanilla 2.6.14 kernel on CentOS x86_64.  It was after
> utilizing this new kernel when the shorewall errors first started to
> occur.
>

Sigh -- not two days ago, I told people on this list that I didn't recommen=
d=20
upgrading to 2.6.14 because I was sure that it would break Shorewall.

Looks like my prediction was on target,
=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Bummer...Too bad for me...I just joined the list today.

Are these errors serious enough that I do not want to run with the 2.6.14
kernel?

-- 

http://photo-gallery.gemneye.org:1115/Gallery/

This is what you said Tom Eastep
> On Saturday 29 October 2005 14:16, Scott Ruckh wrote:
>
>>
>> I compiled a vanilla 2.6.14 kernel on CentOS x86_64.  It was after
>> utilizing this new kernel when the shorewall errors first started to
>> occur.
>>
>
> Sigh -- not two days ago, I told people on this list that I didn't
> recommend
> upgrading to 2.6.14 because I was sure that it would break Shorewall.
>
> Looks like my prediction was on target,
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@...
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>

Joshua Schmidlkofer escribi=F3:
> Oscar A. Valdez wrote:
>=20
>=20
> So, where are you at in the process?  I have found that site to site=20
> VPNs w/ Linux2.6 and IPSec aren't that bad.  Albeit lacking a good=20
> central site /tools to help you get going.
>=20
> jsrs

I Suggest you read the documentation


http://www.shorewall.net/OPENVPN.html

it explain why we prefer OpenVPN.

--=20
Cristian Rodriguez R.
perl -e '$_=3Dpack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;=
'

> 
> I Suggest you read the documentation
> 
> 
> http://www.shorewall.net/OPENVPN.html
> 
> it explain why we prefer OpenVPN.
> 

Meh.  

  I have used OpenVPN.  There is nothing wrong with it and I will definately respect your choosing it over IPSec.  I, at this point, am much more excited about IPSec than OpenVPN.  I use a variety of vendors, etc.   I have pretty fair success with making IPSec work on Linux.  I also have support for tunnels with Cisco, WatchGuard, Netopias, and other stuff like m0n0wall, and ipcop.  IPSec is more interesting because of what it represents.  OpenVPN is exciting because of the Windows support.

  If I deploy mobile clients, I use OpenVPN.  For fixed site to site, I actually prefer IPSec, with the potential headache.

  It's easier to start with OpenVPN, and if you have control over everything (sites, firewalls, and technology in general) it's a lot better over all.  

thanks,
  joshua

El jue, 27-10-2005 a las 15:57 -0700, Joshua Schmidlkofer escribió:
> > I Suggest you read the documentation
> > 
> > 
> > http://www.shorewall.net/OPENVPN.html
> > 
> > it explain why we prefer OpenVPN.
> > 
> 
> ... I, at this point, am much more excited about IPSec than OpenVPN.
> I use a variety of vendors, etc.   I have pretty fair success with
> making IPSec work on Linux.  I also have support for tunnels with
> Cisco, WatchGuard, Netopias, and other stuff like m0n0wall, and ipcop.
> IPSec is more interesting because of what it represents.  OpenVPN is
> exciting because of the Windows support.
> 
>   If I deploy mobile clients, I use OpenVPN.  For fixed site to site,
> I actually prefer IPSec, with the potential headache.

I don't want to start a flame war, but I'm also excited about IPSEC's
potential. I'll give it a go at making it work with the 2.6 kernel.

What I've figured out as to my current stumbling block, is that the
linux-2.4.0-nonintconfig.patch is a Red Hat add-on, apparently to allow
non-interactive building of kernel rpm's. Ironically, it's somehow
interacting with the policy patch extension, preventing me from building
the rpm.
-- 
Oscar A. Valdez

El jue, 27-10-2005 a las 15:15 -0700, Joshua Schmidlkofer escribió:
> Oscar A. Valdez wrote:
> > El jue, 27-10-2005 a las 17:38 -0300, Cristian Rodriguez escribió:
> > 
> >>I have only one recommendation to you, **USE OpenVPN**.
> > 
> > Maybe. However, I feel I'm very close to solving the problem, and if I
> > do, I'll contribute to the community.

> So, where are you at in the process?  I have found that site to site VPNs w/ Linux2.6 and IPSec aren't that bad.  Albeit lacking a good central site /tools to help you get going.

I've put most of the pieces together. I'm currently stuck at recompiling
the kernel with the "policy match" extension, because of the following
error:

+ make ARCH=i386 nonint_oldconfig
CONFIG_IP_NF_MATCH_POLICY
CONFIG_IP6_NF_MATCH_POLICY
make[1]: *** [nonint_oldconfig] Error 2
make: *** [nonint_oldconfig] Error 2

It's caused by the linux-2.4.0-nonintconfig.patch. It's a fix for
building rpm's non-interactively. I have to figure out how to make it
let the "policy match" patch go through.
-- 
Oscar A. Valdez

On Thu, 2005-10-27 at 19:20 -0600, Oscar A. Valdez wrote:

> I don't want to start a flame war, but I'm also excited about IPSEC's
> potential. I'll give it a go at making it work with the 2.6 kernel.
> 

I also use ipsec for a long time now, and i don't think that it is
obsolote, especially if you have to connect to different sites (network
to network connections) running other firewall software
(checkpoint, ...),  although openvpn is sometimes very useful for road
warriors. 
But i wonder, if the so called "builtin" ipsec stack of linux 2.6 is so
difficult to use, why don't you use openswan ? Just one patch, and
everything is fine...

--arne

-- 
Arne Bernin <arne@...>

http://www.ucBering.de

Arne Bernin wrote:
> On Thu, 2005-10-27 at 19:20 -0600, Oscar A. Valdez wrote:
> 
> 
>>I don't want to start a flame war, but I'm also excited about IPSEC's
>>potential. I'll give it a go at making it work with the 2.6 kernel.
>>
> 
> 
> I also use ipsec for a long time now, and i don't think that it is
> obsolote, especially if you have to connect to different sites (network
> to network connections) running other firewall software
> (checkpoint, ...),  although openvpn is sometimes very useful for road
> warriors. 
> But i wonder, if the so called "builtin" ipsec stack of linux 2.6 is so
> difficult to use, why don't you use openswan ? Just one patch, and
> everything is fine...
> 
> --arne
> 


This one time, I got bloody and nearly died (sic) fighting frees/wan in 2.4.  It was evil, and now that I think, it was mostly caused by Redhat.  I am using Gentoo now, and those problems are gone.  Anyway, it left me with a bitter taste.  I will have to try it again.


js

El vie, 28-10-2005 a las 14:37 +0200, Arne Bernin escribió:
> I also use ipsec for a long time now, and i don't think that it is
> obsolote, especially if you have to connect to different sites (network
> to network connections) running other firewall software
> (checkpoint, ...),  although openvpn is sometimes very useful for road
> warriors. 
> But i wonder, if the so called "builtin" ipsec stack of linux 2.6 is so
> difficult to use, why don't you use openswan ? Just one patch, and
> everything is fine...

Actually, the problem is netfilter, not the ipsec stack. Netfilter
doesn't know what to do with the outgoing or incoming packets after
encryption/decryption.

The patches I'm trying to install are additional hooks so that netfilter
processes the packets twice: in the clear, and encrypted.
-- 
Oscar A. Valdez

Oscar A. Valdez wrote:
> El vie, 28-10-2005 a las 14:37 +0200, Arne Bernin escribi=F3:
>=20
>>I also use ipsec for a long time now, and i don't think that it is
>>obsolote, especially if you have to connect to different sites (network
>>to network connections) running other firewall software
>>(checkpoint, ...),  although openvpn is sometimes very useful for road
>>warriors.=20
>>But i wonder, if the so called "builtin" ipsec stack of linux 2.6 is so
>>difficult to use, why don't you use openswan ? Just one patch, and
>>everything is fine...
>=20
>=20
> Actually, the problem is netfilter, not the ipsec stack. Netfilter
> doesn't know what to do with the outgoing or incoming packets after
> encryption/decryption.
>=20
> The patches I'm trying to install are additional hooks so that netfilte=
r
> processes the packets twice: in the clear, and encrypted.

I hate to be a l4m3r, but I am simply not using the netfilter patches.  T=
hey were so much trouble to deal with, that I skipped them.  I have no id=
ea how to help that process along.  They just merged generic text matchin=
g support, so you would think that ipsec filtering support wouldn't be th=
at difficult.  2.6.11, 12 and 13 have all been progressivley better WRT t=
o IPSec stability.  However, I have been running fine since 2.6.6. =20

The patches give you more security [obviously], however, they remain a bi=
g fat PITA.  I have done enough testing to confirm that unencrypted packe=
ts simply won't get beyond my routers, eve if they leave the firewall [du=
e to ipsec being down, or policies not established].  In any case, port 5=
00 is locked down to specific hosts, I am not using road warrior mode, an=
d things work ok. =20

In the long term I hope to use mobile clients, but I have found that Open=
VPN works correctly for now in that department.

Thanks,
  joshua

On Thursday 27 October 2005 17:35, Preston Kutzner wrote:
>
>
> It happens when it validates each NAT entry, but it continues and states
> that it all checks out ok.  Just wondering what the error is all about.
> Is it something I need to fix on my end, or is it a bug in the check /
> start portion of Shorewall?

I won't be able to tell until I see a trace.

shorewall trace check 2> /tmp/trace

and post the /tmp/trace file.

=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> On Thursday 27 October 2005 17:35, Preston Kutzner wrote:
> 
>>
>>It happens when it validates each NAT entry, but it continues and states
>>that it all checks out ok.  Just wondering what the error is all about.
>>Is it something I need to fix on my end, or is it a bug in the check /
>>start portion of Shorewall?
> 
> 
> I won't be able to tell until I see a trace.
> 
> shorewall trace check 2> /tmp/trace
> 
> and post the /tmp/trace file.
> 
> -Tom

I'll post it tomorrow.

On Thursday 27 October 2005 19:50, Preston Kutzner wrote:

>
> I'll post it tomorrow.

Ok -- I won't be able to look at it until Sunday.

=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> On Thursday 27 October 2005 20:03, Tom Eastep wrote:
> 
>>On Thursday 27 October 2005 19:50, Preston Kutzner wrote:
>>
>>>I'll post it tomorrow.
>>
>>Ok -- I won't be able to look at it until Sunday.
> 
> 
> In the meantime, I suspect that the attached patch 
> against /usr/share/shorewall/firewall will correct the problem.

Yes, the patch corrected the problem.

Adrian Mak escribi=F3:
> I'm happy to see that 3.0 integrate tos to make traffic shaping more
> easily than previous version.

Good.

  Although the release date of final
> version  from RC2 may need some more time,


2 weeks I think.

but does it be used inb
> production env. ?
>=20
>=20

Officially : No.it's not for production yet,that's why is called RC2 and =

it's a development release.


Personally : Yes, it works, and works fine, I think it has no major or=20
serious bugs, and we are grateful if you can test it on your enviroment.

--=20
Cristian Rodriguez R.
perl -e '$_=3Dpack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;=
'