Gentoo Forums - Networking & Security
Shorewall 3 interface setup
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Tue Dec 18, 2007 11:40 pm    Post subject: Shorewall 3 interface setup

Hi there,
I'm having problems setting up Shorewall on my Gentoo server.
I've followed several guides, but I'm starting to think I'm missing a concept, as my current configuration doesn't do what I expect it to do.

I expect the virtual machines aren't able to pick up a DHCP lease, either because the traffic is blocked or because of the way the vmnet interfaces are bound. At one stage I can confirm they were being offered an address by the server, but I'm not sure if that's still the case.
Sorry for all the 'I's in this; I'm trying to be blunt for a shorter post.

Thanks for your help and insight in advance.

I need to be able to:
I want my network divided into three zones - LAN, WAN and DMZ.
I need to be able to do SSH, DNS, rsync and SMB traffic from all zones to all zones.
I need to be able to access my virtual machines (port 902, TCP) from the DMZ and LAN.
I need to be able to host websites on ports 80 and 8080, where 80 is available to the world but 8080 is only available on the LAN and DMZ.
I need to be able to VNC to any machine in the DMZ and LAN from the DMZ or LAN, but need to access a specific machine via the WAN connection (but only that one; I don't want the others exposed).
I run a time server on my server, so NTP traffic needs to come from the WAN and from the server to the DMZ and LAN.
I need to be able to access MySQL databases stored on both the LAN and DMZ from the LAN and DMZ.
I need virtual machines and physical machines on the DMZ and LAN to be able to get DHCP leases and resolve names from the server, and need to be able to browse the web from them.

I have three physical NICs, bound to vmnets as below:
WAN - vmnet0 = eth0 = dhcp (192.168.1.x) HWaddr 00:16:17:EC:5C:37
LAN - vmnet2 = eth1 = 192.168.2.1 HWaddr 00:08:54:4F:73:94
DMZ - vmnet3 = eth2 = 169.254.1.1 HWaddr 00:08:54:4F:73:08

Current known issues:
Physical machines can get DHCP leases from the LAN and WAN, but not VMware machines.
I can't connect from machines on the LAN/DMZ to my VMware server on the server.
I'm not sure that other things are working as expected, and that I'm set up securely.
Even if I set all traffic allowable to all zones in the /etc/shorewall/policy file it doesn't seem to allow full access - why not? This suggests I'm missing crucial knowledge.

DNSMASQ config:
domain=serrix.co.nz
dhcp-range=eth1,192.168.2.50,192.168.2.150,255.255.255.0,12h
dhcp-range=eth2,192.168.3.50,192.168.3.150,255.255.255.0,12h
dhcp-host=00:08:54:4F:73:94,VMserver
# Set the NTP time server address to be the same machine as
# is running dnsmasq
dhcp-option=42,0.0.0.0
# Set the default time-to-live to 50
dhcp-option=23,50
dhcp-authoritative

/etc/conf.d/net
dhcpcd_eth0="-N"
config_eth0=( "dhcp" )
#routes_eth0=( "default via 192.168.1.1" )
config_eth1=( "192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0" )
config_eth2=( "192.168.3.1 broadcast 192.168.3.255 netmask 255.255.255.0" )

/etc/shorewall/policy
#$FW  wan  ACCEPT
lan   wan  ACCEPT  info
#all  all  ACCEPT  info
wan   all  DROP    info
all   all  REJECT  info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules
#SECTION RELATED
SECTION NEW
DNS/ACCEPT    all  all
SSH/ACCEPT    all  all
Rsync/ACCEPT  all  all
SMB/ACCEPT    all  all
ACCEPT        all  all  TCP  902
ACCEPT        wan  dmz  TCP  8080
ACCEPT        dmz  wan  TCP  8080
ACCEPT        wan  lan  TCP  8080
ACCEPT        lan  wan  TCP  8080
#Web/DNAT     net  dmz
Web/ACCEPT    lan  dmz
VNC/ACCEPT    lan  dmz
VNC/ACCEPT    wan  dmz
MySQL/ACCEPT  dmz  lan
MySQL/ACCEPT  lan  dmz
NTP/ACCEPT    wan  dmz
NTP/ACCEPT    dmz  wan
NTP/ACCEPT    lan  wan
NTP/ACCEPT    wan  lan
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST      OPTIONS
wan    eth0       192.168.1.255  blacklist,dhcp,tcpflags,routefilter
lan    eth1       192.168.2.255  dhcp
dmz    eth2       192.168.3.255  dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones

fw firewall
lan ipv4
dmz ipv4
wan ipv4

/etc/shorewall/shorewall.conf
cat /etc/shorewall/shorewall.conf
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
# V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################

SHOREWALL_COMPILER=shell

###############################################################################
# L O G G I N G
###############################################################################

LOGFILE=/var/log/shorewall

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=/var/lock/subsys/shorewall

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"

###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################

IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=No

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=0

EXPORTPARAMS=Yes

###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
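An added check, not code from the thread or from Shorewall, that replays the /etc/shorewall/rules and /etc/shorewall/policy files posted above in the order Shorewall applies them: the first matching line in rules decides, otherwise the first matching policy line does. It answers the requirement list at the top of the post for specific zone pairs and ports. The port lists behind the macros (DNS, SSH, Rsync, SMB, Web, VNC, MySQL, NTP) are an assumption taken from the Shorewall 3 macro files, not from the thread.

```python
"""Evaluate the thread's Shorewall 3 rules and policy for given zone pairs.

Added example. Macro expansions are assumed from Shorewall 3's macro.* files;
the rules and policy text is copied from the post above."""

# Assumed macro expansions as (proto, dport); dport is a single port, a
# range "a:b" or a comma list, the same spellings Shorewall accepts.
MACROS = {
    "DNS":   [("udp", "53"), ("tcp", "53")],
    "SSH":   [("tcp", "22")],
    "Rsync": [("tcp", "873")],
    "SMB":   [("udp", "135,445"), ("udp", "137:139"), ("tcp", "135,139,445")],
    "Web":   [("tcp", "80"), ("tcp", "443")],
    "VNC":   [("tcp", "5900:5909")],
    "MySQL": [("tcp", "3306")],
    "NTP":   [("udp", "123")],
}

# Copied from the thread's rules and policy files (comments dropped).
RULES_TEXT = """
SECTION NEW
DNS/ACCEPT all all
SSH/ACCEPT all all
Rsync/ACCEPT all all
SMB/ACCEPT all all
ACCEPT all all TCP 902
ACCEPT wan dmz TCP 8080
ACCEPT dmz wan TCP 8080
ACCEPT wan lan TCP 8080
ACCEPT lan wan TCP 8080
Web/ACCEPT lan dmz
VNC/ACCEPT lan dmz
VNC/ACCEPT wan dmz
MySQL/ACCEPT dmz lan
MySQL/ACCEPT lan dmz
NTP/ACCEPT wan dmz
NTP/ACCEPT dmz wan
NTP/ACCEPT lan wan
NTP/ACCEPT wan lan
"""
POLICY_TEXT = """
lan wan ACCEPT info
wan all DROP info
all all REJECT info
"""


def _strip(line):
    """Drop comments and whitespace; Shorewall spells the firewall zone $FW."""
    return line.split("#", 1)[0].strip().replace("$FW", "fw")


def parse_rules(text):
    """Return [(action, src, dst, proto, dport)] with macros expanded."""
    rules = []
    for line in text.splitlines():
        line = _strip(line)
        if not line or line.startswith("SECTION"):
            continue
        f = line.split()
        action, src, dst = f[0], f[1], f[2]
        if "/" in action:                       # Macro/ACTION form
            macro, action = action.split("/", 1)
            rules += [(action, src, dst, p, d) for p, d in MACROS[macro]]
        else:
            proto = f[3].lower() if len(f) > 3 else "all"
            dport = f[4] if len(f) > 4 else "-"
            rules.append((action, src, dst, proto, dport))
    return rules


def parse_policy(text):
    """Return [(src, dst, action)] in file order; the log level is ignored."""
    return [tuple(_strip(l).split()[:3]) for l in text.splitlines() if _strip(l)]


def port_matches(spec, port):
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def zone_matches(pattern, zone):
    return pattern in ("all", zone)


def disposition(rules, policy, src, dst, proto, port):
    """Verdict for a NEW connection src->dst and whether rules or policy gave it."""
    for action, rs, rd, rp, rport in rules:
        if (zone_matches(rs, src) and zone_matches(rd, dst)
                and rp in ("all", proto)
                and (rport == "-" or port_matches(rport, port))):
            return action, "rules"
    for ps, pd, action in policy:
        if zone_matches(ps, src) and zone_matches(pd, dst):
            return action, "policy"
    return "REJECT", "implicit"


def exposure_report(rules, policy):
    """A few of the thread's stated requirements, checked against the files."""
    checks = [
        ("web from the world to the server", "wan", "fw",  "tcp", 80),
        ("VNC from the world to the DMZ",    "wan", "dmz", "tcp", 5900),
        ("DMZ hosts browsing the web",       "dmz", "wan", "tcp", 80),
        ("LAN hosts browsing the web",       "lan", "wan", "tcp", 80),
        ("MySQL from DMZ to LAN",            "dmz", "lan", "tcp", 3306),
    ]
    return {label: disposition(rules, policy, s, d, p, n) for label, s, d, p, n in checks}


if __name__ == "__main__":
    r, p = parse_rules(RULES_TEXT), parse_policy(POLICY_TEXT)
    for label, (verdict, origin) in exposure_report(r, p).items():
        print(f"{label:36s} {verdict:7s} (from {origin})")
```

Run against the files above it reports tcp/80 from wan dropped by the `wan all DROP` policy, VNC from wan accepted to every host in the dmz zone (the `VNC/ACCEPT wan dmz` line carries no host qualifier such as `dmz:192.168.3.x`), and tcp/80 from dmz to wan rejected by `all all REJECT`, so DMZ machines cannot browse even though that is on the requirement list. DHCP is deliberately not modelled: the `dhcp` option on the interfaces handles it outside these two files.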
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Wed Dec 19, 2007 1:07 am

I notice that if you run vmnet-dhcpd it seems to be looking for /etc/dhcpd.conf.... I wonder if this is what's stopping virtuals from getting a DHCP lease??

vmnet-dhcpd
Internet Software Consortium DHCP Server 2.0
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html

Can't open /etc/dhcpd.conf: No such file or directory
exiting.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

PostPosted: Wed Dec 19, 2007 4:10 am

Please post the output of iptables-save -c so we can see the rules that shorewall is loading. The shorewall configuration may come in handy as refinements are made, but it is much easier to debug the problem by looking at the rules which cause the problem, rather than looking at the rules which indirectly create the rules which cause the problem.
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Wed Dec 19, 2007 8:14 am

Thank you very much for your reply; hope this helps :)
Another small question - I've been finding it very hard to troubleshoot because the logs aren't filling up. I've pointed the log to /var/log/shorewall and even gave the file 777 permissions, but it's still not writing to it. Is there something simple I'm missing?
Thanks for your time and help!

# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*raw
:PREROUTING ACCEPT [2034:104627]
:OUTPUT ACCEPT [2917:9196840]
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*mangle
:PREROUTING ACCEPT [2034:104627]
:INPUT ACCEPT [2034:104627]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2081125:6655395634]
:POSTROUTING ACCEPT [2917:9196840]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[1966:101301] -A PREROUTING -j tcpre
[0:0] -A FORWARD -j tcfor
[2814:8938216] -A OUTPUT -j tcout
[2814:8938216] -A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.2.0/255.255.255.0 -j MASQUERADE
[0:0] -A eth0_masq -s 192.168.3.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dmz2fw - [0:0]
:dmz2lan - [0:0]
:dmz2wan - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:eth2_out - [0:0]
:fw2dmz - [0:0]
:fw2lan - [0:0]
:fw2wan - [0:0]
:lan2dmz - [0:0]
:lan2fw - [0:0]
:lan2wan - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:wan2dmz - [0:0]
:wan2fw - [0:0]
:wan2lan - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[1959:100958] -A INPUT -i eth0 -j eth0_in
[0:0] -A INPUT -i eth1 -j eth1_in
[0:0] -A INPUT -i eth2 -j eth2_in
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:ACCEPT:" --log-level 6
[0:0] -A INPUT -j ACCEPT
[0:0] -A FORWARD -i eth0 -j eth0_fwd
[0:0] -A FORWARD -i eth1 -j eth1_fwd
[0:0] -A FORWARD -i eth2 -j eth2_fwd
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:ACCEPT:" --log-level 6
[0:0] -A FORWARD -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[2801:8899209] -A OUTPUT -o eth0 -j eth0_out
[0:0] -A OUTPUT -o eth1 -j eth1_out
[0:0] -A OUTPUT -o eth2 -j eth2_out
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:ACCEPT:" --log-level 6
[0:0] -A OUTPUT -j ACCEPT
[0:0] -A Drop -p tcp -m tcp --dport 113 -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -j DROP
[0:0] -A Reject -p tcp -m tcp --dport 113 -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -j DROP
[0:0] -A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A all2all -j LOG --log-prefix "Shorewall:all2all:ACCEPT:" --log-level 6
[0:0] -A all2all -j ACCEPT
[0:0] -A dmz2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2fw -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2fw -j all2all
[0:0] -A dmz2lan -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2lan -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A dmz2lan -j all2all
[0:0] -A dmz2wan -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2wan -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 123 -j ACCEPT
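An added example, not code from the thread, that reads `iptables-save -c` output the way the moderator suggests: per-chain packet counters and the place a packet ends up when nothing earlier in a chain matched. The input embedded below is a trimmed copy of the filter table posted above; the parser itself handles any table in the same format.

```python
"""Summarise iptables-save -c output: counters per interface, chain fall-through
and explicitly accepted ports. Added example; SAMPLE is trimmed from the post."""
import re
import shlex
from collections import defaultdict

SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:all2all - [0:0]
:dmz2lan - [0:0]
:eth0_in - [0:0]
:eth1_in - [0:0]
:eth2_in - [0:0]
:eth0_out - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[1959:100958] -A INPUT -i eth0 -j eth0_in
[0:0] -A INPUT -i eth1 -j eth1_in
[0:0] -A INPUT -i eth2 -j eth2_in
[0:0] -A FORWARD -i eth0 -j eth0_fwd
[0:0] -A FORWARD -i eth1 -j eth1_fwd
[0:0] -A FORWARD -i eth2 -j eth2_fwd
[2801:8899209] -A OUTPUT -o eth0 -j eth0_out
[0:0] -A OUTPUT -o eth1 -j eth1_out
[0:0] -A OUTPUT -o eth2 -j eth2_out
[0:0] -A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A all2all -j LOG --log-prefix "Shorewall:all2all:ACCEPT:" --log-level 6
[0:0] -A all2all -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A dmz2lan -j all2all
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
# iptables flags we pull out of each rule, and the key they are stored under
FLAGS = (("-i", "in"), ("-o", "out"), ("-p", "proto"),
         ("--dport", "dport"), ("--dports", "dport"), ("-j", "target"))


def parse(text):
    """Return {table: {"chains": {name: policy}, "rules": {chain: [rule, ...]}}}.
    A rule is a dict with pkts/bytes counters, the raw args and the FLAGS values."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"chains": {}, "rules": defaultdict(list)})
        elif m := CHAIN_RE.match(line):
            table["chains"][m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            args = shlex.split(m.group(4))          # respects the quoted --log-prefix
            rule = {"pkts": int(m.group(1)), "bytes": int(m.group(2)), "args": args}
            for flag, key in FLAGS:
                if flag in args:
                    rule[key] = args[args.index(flag) + 1]
            table["rules"][m.group(3)].append(rule)
    return tables


def interface_packets(tables):
    """Packets the three built-in filter chains handed to each interface's chain."""
    seen = defaultdict(lambda: {"INPUT": 0, "FORWARD": 0, "OUTPUT": 0})
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        for rule in tables["filter"]["rules"][chain]:
            iface = rule.get("in") or rule.get("out")
            if iface and iface != "lo":
                seen[iface][chain] += rule["pkts"]
    return dict(seen)


def final_target(tables, chain, table="filter"):
    """Where a packet goes when nothing earlier in `chain` matched. Follows an
    unconditional trailing jump into a user chain (dmz2lan -> all2all -> ACCEPT);
    otherwise the chain policy applies (RETURN for user chains)."""
    rules = tables[table]["rules"].get(chain, [])
    policy = tables[table]["chains"].get(chain, "-")
    fallback = "RETURN" if policy == "-" else policy
    if not rules:
        return fallback
    last = rules[-1]
    conditional = "-m" in last["args"] or any(k in last for k in ("in", "out", "proto", "dport"))
    if conditional or "target" not in last:
        return fallback
    target = last["target"]
    return final_target(tables, target, table) if target in tables[table]["rules"] else target


def accepted_ports(tables, chain, table="filter"):
    """(proto, dport) pairs that `chain` accepts by an explicit port match."""
    return {(r["proto"], r["dport"]) for r in tables[table]["rules"][chain]
            if r.get("target") == "ACCEPT" and "dport" in r}


if __name__ == "__main__":
    t = parse(SAMPLE)
    for iface, counts in sorted(interface_packets(t).items()):
        print(iface, counts)
    for chain in ("INPUT", "all2all", "dmz2lan"):
        print(chain, "->", final_target(t, chain), sorted(accepted_ports(t, chain)))
```

Two things the parser makes visible in the full dump above: only eth0_in and eth0_out carry packets, every eth1/eth2 chain is at zero, so nothing had reached the LAN or DMZ interfaces when the dump was taken; and all2all (and INPUT/FORWARD/OUTPUT) end in a logged ACCEPT, which is what the commented-out `all all ACCEPT info` policy line compiles to, not the `all all REJECT info` line posted, so the loaded ruleset and the posted policy file are not from the same compile.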
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Wed Dec 19, 2007 11:15 am

Hmm, it looks like I need to open some ports to the $FW? (Which I'm assuming is the actual server itself?? That could explain a lot of issues if that's correct...)
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

PostPosted: Thu Dec 20, 2007 12:21 am

That may be the case. After reviewing your post, I noticed that all your problems are related to VMware. Could you collect a packet capture to verify that the packets are arriving on the interface you expect, and that they have reasonable values in the packet headers? If possible, please post the TCP and IP headers from the capture so that we can review which rules should be affecting the packets.

As for your problem with the messages, that is most likely a misconfiguration of your system logging daemon. Which logger are you using? Can you post the configuration file for it?
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Thu Dec 20, 2007 4:55 am

Thanks, I'll have a look into that.
I'm using syslog-ng and the config is below - it's also the stock config.

cat /etc/syslog-ng/syslog-ng.conf
# Copyright 2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.hardened,v 1.5 2007/10/30 17:16:15 solar Exp $

#
# Syslog-ng configuration file, compatible with default hardened installations.
#

options {
chain_hostnames(off);
sync(0);
stats(43200);
};

#options {
# chain_hostnames(off);
# sync(0);
# stats(43200);
# long_hostnames(off);
# use_dns(no);
# create_dirs(yes);
#};

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

#source net { udp(); };
#log { source(net); destination(net_logs); };
#destination net_logs { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY.log"); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };

destination avc { file("/var/log/avc.log"); };
destination audit { file("/var/log/audit.log"); };
destination pax { file("/var/log/pax.log"); };
destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };

destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_ppp { facility(ppp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^PAX:.*"); };
filter f_grsec { match("^grsec:.*"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(kernsrc); filter(f_pax); destination(pax); };
log { source(kernsrc); filter(f_grsec); destination(grsec); };
log { source(kernsrc); filter(f_audit); destination(audit); };
log { source(kernsrc); filter(f_avc); destination(avc); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };
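Where the firewall messages actually land with this syslog-ng config: the LOG target in the iptables dump above writes kernel messages, so on this box they arrive through `source kernsrc` and `filter f_kern` and are written to /var/log/kern.log; the LOGFILE setting in shorewall.conf only tells `shorewall show log` which file to read and does not move them. The added example below, not code from the thread, parses the lines those LOG rules produce (the `Shorewall:<chain>:<disposition>:` prefix from the dump, followed by netfilter's usual key=value dump) and counts what was refused per chain and port. The sample log lines are constructed for this example: the interface names are the thread's, the hostname, addresses, times and the other syslog line are made up.

```python
"""Parse Shorewall LOG lines from the kernel log and count refused traffic.
Added example; SAMPLE_LOG is constructed, not taken from the thread."""
import re
from collections import Counter

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # IN=eth0 SRC=... DPT=...; bare flags (DF, SYN) are skipped

# Constructed sample: two rejected 902/tcp attempts and a rejected DHCP request
# arriving on eth0, one dropped VNC attempt LAN->DMZ, one accepted web
# connection, and an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Dec 20 00:12:01 server kernel: Shorewall:wan2fw:REJECT:IN=eth0 OUT= MAC=00:16:17:ec:5c:37:00:11:22:33:44:55:08:00 SRC=192.168.1.77 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=902 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 00:12:03 server kernel: Shorewall:wan2fw:REJECT:IN=eth0 OUT= MAC=00:16:17:ec:5c:37:00:11:22:33:44:55:08:00 SRC=192.168.1.77 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=902 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 00:12:10 server kernel: Shorewall:lan2dmz:DROP:IN=eth1 OUT=eth2 SRC=192.168.2.60 DST=192.168.3.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=40000 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 00:12:11 server kernel: Shorewall:wan2fw:REJECT:IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=10 PROTO=UDP SPT=53011 DPT=67 LEN=58
Dec 20 00:12:12 server kernel: Shorewall:all2all:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.2.60 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 00:12:13 server sshd[1234]: Accepted publickey for root from 192.168.2.60 port 40002 ssh2
"""


def parse_line(line):
    """Return a dict (chain, disp plus the key=value fields) for a Shorewall
    LOG line, or None for any other log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def summarize(lines, refused=("DROP", "REJECT")):
    """Count (chain, disposition, proto, dport) for lines the firewall refused."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["disp"] in refused:
            counts[(rec["chain"], rec["disp"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


def talkers(lines, refused=("DROP", "REJECT")):
    """Refused packets per (in-interface, out-interface, source address), which
    shows whether a zone pair is blocked for everyone or one host is noisy."""
    out = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["disp"] in refused:
            out[(rec.get("IN", ""), rec.get("OUT", ""), rec.get("SRC", "?"))] += 1
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize(lines).most_common():
        print(n, *key)
    for key, n in talkers(lines).most_common():
        print(n, *key)
```

Run against /var/log/kern.log (or the file a kern filter is pointed at) this gives the chain name, which already tells you the zone pair, and the port that was refused, so the matching line in /etc/shorewall/rules can be found directly. A packet that shows up as accepted in all2all is one no explicit rule matched; only the catch-all policy let it through.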
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Thu Dec 20, 2007 10:44 am

Hu wrote:
That may be the case. After reviewing your post, I noticed that all your problems are related to VMware. Could you collect a packet capture to verify that the packets are arriving on the interface you expect, and that they have reasonable values in the packet headers? If possible, please post the TCP and IP headers from the capture so that we can review which rules should be affecting the packets.

As for your problem with the messages, that is most likely a misconfiguration of your system logging daemon. Which logger are you using? Can you post the configuration file for it?


Can you please suggest an (easy to use) packet sniffer to use for this?
Also, so that we can confirm the issues aren't only VMware issues, could you suggest what other traffic I could test?
(Currently I've been testing connecting to the VMware server from machines on the WAN and LAN, which uses port 902 and has been allowed; the configuration is correct.)

Thanks again for all your help.
Cheers,
Serrix
serrix
n00b
Joined: 23 Nov 2007
Posts: 23

PostPosted: Sat Dec 22, 2007 1:18 am

*bump*

Any ideas on how to fix my configuration??
I've tried adding in rules going to the $FW zone, which hasn't made any visible change..
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

PostPosted: Sat Dec 22, 2007 5:03 pm

Use net-analyzer/tcpdump to capture traffic. Start with monitoring a connection to a server running in VMware. Run a sniffer on the host and on the guest. Check to see if the guest is receiving traffic. If the guest is receiving traffic, then the problem is that the guest's response never reaches the client system. If the guest is not receiving traffic, then the problem is that the host is never routing the request to the guest.