Discussion:
[Shorewall-users] logging router running shorewall in the DMZ VM in NAT mode running behind
Zenny
2017-05-14 17:07:01 UTC
Permalink
Hi,

I appended "*.* @@<IP_of_LocalVM_in_NATted_DMZ>:514" in the router
running shorewall so that I can centralize logging, but it does not
log, although port 514 has been DNATed to the local DMZ VM in
shorewall rules. However, logging from all other shorewall firewall
from remote instances works with "*.* @@<Public IP with shorewall
host>:514.

Is there a specific rule need to be added for such scenario? Inputs appreciated!
--
Cheers,
/z


-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: http://openpgpjs.org

xsBNBFcTxwEBCAC+G0MG+BHNGs8orGRobPV6jd+8RtT4XhXXEnuEjLA5uHz8
1OulvUS/qiq58Jo/KEnTn19rtyNiN7GmrLvo14Q0+mpFQEfrnzj2NCr1bf8w
l5r+CrIIb+xFEqf5dIHf3w1NNXgHwl6Z3QBflZsqaPHa8y5dhAqVlr1NS7EL
VgCifutAppl2Fcl05p4F5pQLKHMYCO+5gPMnMfnOOe4BTch0VOg8N4qkv0Px
JtSHjHucpivf4eJwznejYwDt/AtdyaB7LUC9N6yuLN+QYuB/mIo0YVU2wcgP
iwr8ITfDUz5Nx0MUm9hmTbOyj6ixNOVuYMmOvevCzzU0ULEkr99EMoAJABEB
AAHNHFplbm55IDxnYXJieXRyYXNoQGdtYWlsLmNvbT7CwHIEEAEIACYFAlcT
xwEGCwkIBwMCCRABOcPTK6+XKwQVCAIKAxYCAQIbAwIeAQAAD5gH/21f5PLm
ytP4rd9HLGKHTMQola/VKMoCMlA7zb1LLJKTCJayZmIproblTyWO8iSSkkaA
89gIifuCTvMJ8vh4WLTUfO0gr+41uZhLScYqAOoqgctCPsyrHxV4QBYAzGf7
1LAEymtYBSiKHhks4Jff190Czrfupz7AAuLxepS1/RIZbdmeYO2g8FWf4sIR
ZFKehNMSWlspxYGxXdAmGLX+xtHD+LNHqqnERsuatynR9oJ3G8WauD4CiNgW
IRyfxf2xZVj7J+bGzg7dl7IJNmp0UDTLqqsF2TFpURyfIAAAhb3WkQAaV5n1
osMST1BbCnWdGo5bjpReuBl3lQ5bIn3Gc3HOwE0EVxPHAQEIAL2Pq+od71kT
/lRMt+XDryOc1XTT5DJW7BUMXOjXXOZfWsuGTrqU3O1XYPWYzoZy9L+6zpII
On/auicvkUblWvrXkt4CIVIU1qDk6KpDKVKBiINy5sk7cTyjumbqxPmnVBK2
DHN27rLOnReCnFUmgIgbfgK0/un0oEnAHvsYdeg1ydipd2vVzx3aJ1TfQS1W
IBWN125EO4nKQ5Kl1XV7nWvlv+ZvrOmOWVeSl9jpyZvLJDmks0E/AIF4QBJF
K+NTME8+x7CwFDQwLGENXojeZOfsNHbln91KE1ZU1/QvzLHVqdZOo/s20Y7V
tjdUsiUPpVQcsSpXLzGKPCWz90M3Be8AEQEAAcLAXwQYAQgAEwUCVxPHAgkQ
ATnD0yuvlysCGwwAAL9hCACP7CY1fivXEN4X+l/C56l/nARrNVoZvJr4QHnF
9C/r5m6TLCMov0eOLg8IvZF7M0Ecyvq1IzNqbwQd+8mTA4tn+aND20fk2z08
floFL6fJykIyAGtRMwAb3HdC1pqexk/0pYxhoy9GtQzqvK/NbcPPdBDd1N7M
pKdXDVhXhx0R1K6UlMYfnyc9o171UYRPlFrmdBV7ZLC4KeBKqFEESKXaxyRg
D7E1FXGl1pDMh2QJNM/n9gVLJb0+znBsPG4jUNOctAOhRwF9Z23qsU6AGpOu
QhWG1alJz6d1T4sTgPdh+K1nMWNKGUzzayAKrRPTbnwLEijqqJPpIIDVzoai
py73
=JPvb
-----END PGP PUBLIC KEY BLOCK-----
Tom Eastep
2017-05-14 23:41:00 UTC
Permalink
Post by Zenny
Hi,
running shorewall so that I can centralize logging, but it does
not log, although port 514 has been DNATed to the local DMZ VM in
shorewall rules. However, logging from all other shorewall
shorewall host>:514.
Is there a specific rule need to be added for such scenario? Inputs appreciated!
You need to open port 514 from the fw do the DMZ VM.

- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Zenny
2017-05-15 16:21:17 UTC
Permalink
Thanks Tom for your input.

But I have the ports already DNATed to the the DMZ VM as follows in my rules:

# grep -Rn 514 /etc/shorewall/rules
128:DNAT net dmz:192.168.20.110 tcp 514
129:DNAT net dmz:192.168.20.110 udp 514
132:DNAT $FW dmz:192.168.20.110 tcp 514
133:DNAT $FW dmz:192.168.20.110 udp 514
#134:ACCEPT $FW dmz tcp 514 (this too didn't
work by disabling the two DNAT lines-132-133 above)

And I have also tried appending the following in the policy :

$FW dmz ACCEPT

Yet it didn't seem to work.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Zenny
Hi,
running shorewall so that I can centralize logging, but it does
not log, although port 514 has been DNATed to the local DMZ VM in
shorewall rules. However, logging from all other shorewall
shorewall host>:514.
Is there a specific rule need to be added for such scenario? Inputs appreciated!
You need to open port 514 from the fw do the DMZ VM.
- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJZGOsMAAoJEJbms/JCOk0QsskQAJVWfsMOYFTO7zTJMe3QflVo
ue2uAaxphZTvJ+Maz/tEH4WC8H/NuBW8LfjiT5Z8tlFNlOOii+DKDXK7Hgqaqw2W
IIswMfBAYG//G+kYLi/J7wTYNXHUyN8CXE3MzXisaDtNYrSGVifhQbY8EXOMKZVV
tkdaPBvkol9GuROxNLH74bRwpKQOZUwNeYbcbZUxnYF3gwRrQK5kqM3pO5C/iKtf
YOBtJypW/MTcvOkSnL1GA1LCWo4PLA26fdIrEeS/PssmsTbev/HE2+/YhpoexOIF
lbTz6lln/bCqPOJHi5xWDFGlQt9p1cTk7PcwIf5HeubA47fQp1zWeiH3HBe/YgUX
a/KjFKf/Kt7T/+4SZmoNzqQlISBo6BqJEk2c3m25Ik/ldqEfZ6P1yBF0fs27/Ta3
rjAE1iEdkRvfh48luG4e4e9elNGTXf2TgRHKcqzZpL05m34HnWIhaIbqQmigYhDP
/4rf0d0KZ8TkfEZfp7iZGXzjWkoM4+parO+nUW3O9gbcGxJqWhCTgCSagi26Cyby
+REHdxyvOSdsFnn7GHfrUwkNVYs4D8ruu4rbqAg0mJK9SMf1MVDGPOJf2U2/WSlM
tEAuE9oT4rDxnbGlTMX6/LvpHtKZhGctFh3WqV+tSd1zWgfjkntZo/xmmQSa4ndd
uDtPcZU+8tF7H8baHAeP
=cIf0
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Cheers,
/z


-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: http://openpgpjs.org

xsBNBFcTxwEBCAC+G0MG+BHNGs8orGRobPV6jd+8RtT4XhXXEnuEjLA5uHz8
1OulvUS/qiq58Jo/KEnTn19rtyNiN7GmrLvo14Q0+mpFQEfrnzj2NCr1bf8w
l5r+CrIIb+xFEqf5dIHf3w1NNXgHwl6Z3QBflZsqaPHa8y5dhAqVlr1NS7EL
VgCifutAppl2Fcl05p4F5pQLKHMYCO+5gPMnMfnOOe4BTch0VOg8N4qkv0Px
JtSHjHucpivf4eJwznejYwDt/AtdyaB7LUC9N6yuLN+QYuB/mIo0YVU2wcgP
iwr8ITfDUz5Nx0MUm9hmTbOyj6ixNOVuYMmOvevCzzU0ULEkr99EMoAJABEB
AAHNHFplbm55IDxnYXJieXRyYXNoQGdtYWlsLmNvbT7CwHIEEAEIACYFAlcT
xwEGCwkIBwMCCRABOcPTK6+XKwQVCAIKAxYCAQIbAwIeAQAAD5gH/21f5PLm
ytP4rd9HLGKHTMQola/VKMoCMlA7zb1LLJKTCJayZmIproblTyWO8iSSkkaA
89gIifuCTvMJ8vh4WLTUfO0gr+41uZhLScYqAOoqgctCPsyrHxV4QBYAzGf7
1LAEymtYBSiKHhks4Jff190Czrfupz7AAuLxepS1/RIZbdmeYO2g8FWf4sIR
ZFKehNMSWlspxYGxXdAmGLX+xtHD+LNHqqnERsuatynR9oJ3G8WauD4CiNgW
IRyfxf2xZVj7J+bGzg7dl7IJNmp0UDTLqqsF2TFpURyfIAAAhb3WkQAaV5n1
osMST1BbCnWdGo5bjpReuBl3lQ5bIn3Gc3HOwE0EVxPHAQEIAL2Pq+od71kT
/lRMt+XDryOc1XTT5DJW7BUMXOjXXOZfWsuGTrqU3O1XYPWYzoZy9L+6zpII
On/auicvkUblWvrXkt4CIVIU1qDk6KpDKVKBiINy5sk7cTyjumbqxPmnVBK2
DHN27rLOnReCnFUmgIgbfgK0/un0oEnAHvsYdeg1ydipd2vVzx3aJ1TfQS1W
IBWN125EO4nKQ5Kl1XV7nWvlv+ZvrOmOWVeSl9jpyZvLJDmks0E/AIF4QBJF
K+NTME8+x7CwFDQwLGENXojeZOfsNHbln91KE1ZU1/QvzLHVqdZOo/s20Y7V
tjdUsiUPpVQcsSpXLzGKPCWz90M3Be8AEQEAAcLAXwQYAQgAEwUCVxPHAgkQ
ATnD0yuvlysCGwwAAL9hCACP7CY1fivXEN4X+l/C56l/nARrNVoZvJr4QHnF
9C/r5m6TLCMov0eOLg8IvZF7M0Ecyvq1IzNqbwQd+8mTA4tn+aND20fk2z08
floFL6fJykIyAGtRMwAb3HdC1pqexk/0pYxhoy9GtQzqvK/NbcPPdBDd1N7M
pKdXDVhXhx0R1K6UlMYfnyc9o171UYRPlFrmdBV7ZLC4KeBKqFEESKXaxyRg
D7E1FXGl1pDMh2QJNM/n9gVLJb0+znBsPG4jUNOctAOhRwF9Z23qsU6AGpOu
QhWG1alJz6d1T4sTgPdh+K1nMWNKGUzzayAKrRPTbnwLEijqqJPpIIDVzoai
py73
=JPvb
-----END PGP PUBLIC KEY BLOCK-----
Tom Eastep
2017-05-15 17:16:06 UTC
Permalink
Post by Zenny
Thanks Tom for your input.
# grep -Rn 514 /etc/shorewall/rules 128:DNAT net
dmz:192.168.20.110 tcp 514 129:DNAT net
dmz:192.168.20.110 udp 514 132:DNAT $FW
dmz:192.168.20.110 tcp 514 133:DNAT $FW
dmz:192.168.20.110 udp 514
This is directing ALL traffic from the firewall to port 514 to the DMZ
host. Given that you are specifying 192.168.20.110 as the logging
target, you should have only needed these rules:
ACCEPT $FW dmz:192.168.20.110 tcp 514
ACCEPT $FW dmz:192.168.20.110 udp 514
Post by Zenny
$FW dmz ACCEPT
Yet it didn't seem to work.
Then, I am betting that the problem has nothing to do with your
Shorewall configuration.

- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Adam Cecile
2017-05-15 19:38:46 UTC
Permalink
SELinux shit? What distro are you running?

Adam.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Zenny
Thanks Tom for your input.
# grep -Rn 514 /etc/shorewall/rules 128:DNAT net
dmz:192.168.20.110 tcp 514 129:DNAT net
dmz:192.168.20.110 udp 514 132:DNAT $FW
dmz:192.168.20.110 tcp 514 133:DNAT $FW
dmz:192.168.20.110 udp 514
This is directing ALL traffic from the firewall to port 514 to the DMZ
host. Given that you are specifying 192.168.20.110 as the logging
ACCEPT $FW dmz:192.168.20.110 tcp 514
ACCEPT $FW dmz:192.168.20.110 udp 514
Post by Zenny
$FW dmz ACCEPT
Yet it didn't seem to work.
Then, I am betting that the problem has nothing to do with your
Shorewall configuration.
- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJZGeJWAAoJEJbms/JCOk0QB0wQAIUy3f9XJCFyhUyeFG90nRgr
1jBxQmHkL8KMuY1kmMirl92k2VR7Hl8XaBkFDnHoiXV1eOf61C0GoHp6Czl1jYow
VuX/KLQGgY25weqwFA98gSbAfnsrzgDjD2m4yus8791ZNy2iVfhvnqs/SLP++qi+
jDB3U7IGhrwuLPCGah5+y2tqm0njX/6rmbXus0YJ45PFz+XAJsahPY07fY1GFF4r
SgkrAWLMtP68JQ29vF+HwIkzRUUeEt/+gFCZ6KD7ueM9ieUDAq/2CMGJtelZtCVV
/XxBz5tqKSIWVogklbSwI456KBVOU2H0FkMicucaxeCJoJyjN4+8UAp96eNzko3l
/MHryrtGm9JDhL7I/IuhLg16v+xmd8UT9L7cfvUBXVZVzEGZk7l4sARWFdxe8tje
SpQmmdv4Kx6HfTVBtbpG2cVJ1ZeJrUr5IPvLm7PwwwI2l9HxhkhJPXTxY9XCVO/D
OHB5ku3KBbpEU1fgUxpznWUh/mhJJZ9B2DaVH/R9tstiY7BL4g4VhAAJdmbQ9zCl
F3+lWaO/tIzapZ8VXqbHFYu6HxGs4/4yRhqjr4Y5Dtjln0UEjCWJOhCGkKgGiLMD
SoADnny3kvU4IC3JTD1Dh/5LmrPeBoxwrIuQjJMJikVEs0max+GSkBGWld9zBNH3
RTVPvZjN7dzBfakPy15g
=Chos
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Zenny
2017-05-29 00:57:52 UTC
Permalink
@Adam

Using CentOS 4.9 on the shorewall host machine with selinux disabled
and debian 8 in the VM with proxmox 4.5 host (also based on debian
jessie), fyi.

Cheers,
/z
Post by Adam Cecile
SELinux shit? What distro are you running?
Adam.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Zenny
Thanks Tom for your input.
# grep -Rn 514 /etc/shorewall/rules 128:DNAT net
dmz:192.168.20.110 tcp 514 129:DNAT net
dmz:192.168.20.110 udp 514 132:DNAT $FW
dmz:192.168.20.110 tcp 514 133:DNAT $FW
dmz:192.168.20.110 udp 514
This is directing ALL traffic from the firewall to port 514 to the DMZ
host. Given that you are specifying 192.168.20.110 as the logging
ACCEPT $FW dmz:192.168.20.110 tcp 514
ACCEPT $FW dmz:192.168.20.110 udp 514
Post by Zenny
$FW dmz ACCEPT
Yet it didn't seem to work.
Then, I am betting that the problem has nothing to do with your
Shorewall configuration.
- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJZGeJWAAoJEJbms/JCOk0QB0wQAIUy3f9XJCFyhUyeFG90nRgr
1jBxQmHkL8KMuY1kmMirl92k2VR7Hl8XaBkFDnHoiXV1eOf61C0GoHp6Czl1jYow
VuX/KLQGgY25weqwFA98gSbAfnsrzgDjD2m4yus8791ZNy2iVfhvnqs/SLP++qi+
jDB3U7IGhrwuLPCGah5+y2tqm0njX/6rmbXus0YJ45PFz+XAJsahPY07fY1GFF4r
SgkrAWLMtP68JQ29vF+HwIkzRUUeEt/+gFCZ6KD7ueM9ieUDAq/2CMGJtelZtCVV
/XxBz5tqKSIWVogklbSwI456KBVOU2H0FkMicucaxeCJoJyjN4+8UAp96eNzko3l
/MHryrtGm9JDhL7I/IuhLg16v+xmd8UT9L7cfvUBXVZVzEGZk7l4sARWFdxe8tje
SpQmmdv4Kx6HfTVBtbpG2cVJ1ZeJrUr5IPvLm7PwwwI2l9HxhkhJPXTxY9XCVO/D
OHB5ku3KBbpEU1fgUxpznWUh/mhJJZ9B2DaVH/R9tstiY7BL4g4VhAAJdmbQ9zCl
F3+lWaO/tIzapZ8VXqbHFYu6HxGs4/4yRhqjr4Y5Dtjln0UEjCWJOhCGkKgGiLMD
SoADnny3kvU4IC3JTD1Dh/5LmrPeBoxwrIuQjJMJikVEs0max+GSkBGWld9zBNH3
RTVPvZjN7dzBfakPy15g
=Chos
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Cheers,
/z


-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: http://openpgpjs.org

xsBNBFcTxwEBCAC+G0MG+BHNGs8orGRobPV6jd+8RtT4XhXXEnuEjLA5uHz8
1OulvUS/qiq58Jo/KEnTn19rtyNiN7GmrLvo14Q0+mpFQEfrnzj2NCr1bf8w
l5r+CrIIb+xFEqf5dIHf3w1NNXgHwl6Z3QBflZsqaPHa8y5dhAqVlr1NS7EL
VgCifutAppl2Fcl05p4F5pQLKHMYCO+5gPMnMfnOOe4BTch0VOg8N4qkv0Px
JtSHjHucpivf4eJwznejYwDt/AtdyaB7LUC9N6yuLN+QYuB/mIo0YVU2wcgP
iwr8ITfDUz5Nx0MUm9hmTbOyj6ixNOVuYMmOvevCzzU0ULEkr99EMoAJABEB
AAHNHFplbm55IDxnYXJieXRyYXNoQGdtYWlsLmNvbT7CwHIEEAEIACYFAlcT
xwEGCwkIBwMCCRABOcPTK6+XKwQVCAIKAxYCAQIbAwIeAQAAD5gH/21f5PLm
ytP4rd9HLGKHTMQola/VKMoCMlA7zb1LLJKTCJayZmIproblTyWO8iSSkkaA
89gIifuCTvMJ8vh4WLTUfO0gr+41uZhLScYqAOoqgctCPsyrHxV4QBYAzGf7
1LAEymtYBSiKHhks4Jff190Czrfupz7AAuLxepS1/RIZbdmeYO2g8FWf4sIR
ZFKehNMSWlspxYGxXdAmGLX+xtHD+LNHqqnERsuatynR9oJ3G8WauD4CiNgW
IRyfxf2xZVj7J+bGzg7dl7IJNmp0UDTLqqsF2TFpURyfIAAAhb3WkQAaV5n1
osMST1BbCnWdGo5bjpReuBl3lQ5bIn3Gc3HOwE0EVxPHAQEIAL2Pq+od71kT
/lRMt+XDryOc1XTT5DJW7BUMXOjXXOZfWsuGTrqU3O1XYPWYzoZy9L+6zpII
On/auicvkUblWvrXkt4CIVIU1qDk6KpDKVKBiINy5sk7cTyjumbqxPmnVBK2
DHN27rLOnReCnFUmgIgbfgK0/un0oEnAHvsYdeg1ydipd2vVzx3aJ1TfQS1W
IBWN125EO4nKQ5Kl1XV7nWvlv+ZvrOmOWVeSl9jpyZvLJDmks0E/AIF4QBJF
K+NTME8+x7CwFDQwLGENXojeZOfsNHbln91KE1ZU1/QvzLHVqdZOo/s20Y7V
tjdUsiUPpVQcsSpXLzGKPCWz90M3Be8AEQEAAcLAXwQYAQgAEwUCVxPHAgkQ
ATnD0yuvlysCGwwAAL9hCACP7CY1fivXEN4X+l/C56l/nARrNVoZvJr4QHnF
9C/r5m6TLCMov0eOLg8IvZF7M0Ecyvq1IzNqbwQd+8mTA4tn+aND20fk2z08
floFL6fJykIyAGtRMwAb3HdC1pqexk/0pYxhoy9GtQzqvK/NbcPPdBDd1N7M
pKdXDVhXhx0R1K6UlMYfnyc9o171UYRPlFrmdBV7ZLC4KeBKqFEESKXaxyRg
D7E1FXGl1pDMh2QJNM/n9gVLJb0+znBsPG4jUNOctAOhRwF9Z23qsU6AGpOu
QhWG1alJz6d1T4sTgPdh+K1nMWNKGUzzayAKrRPTbnwLEijqqJPpIIDVzoai
py73
=JPvb
-----END PGP PUBLIC KEY BLOCK-----
Loading...