[Firehol-support] SQUID_USERS, 'time' and overlapping sources/destinations

Costa Tsaousis costa at tsaousis.gr
Wed Oct 29 21:32:02 CET 2003 

Hi Jack,

Problem 1: OWNER match fails with "invalid argument".
Answer:

I can guess of two reasons for this to happen:

a. The running kernel was not having the OWNER netfilter module compiled
in (or as module)

b. The iptables user-space tools were not compiled with the running kernel
(this can still happen even on RH systems if you update your kernel but
don't update the iptables user-space tools.

If none of the above is the case, then it might be a FireHOL bug (although
I don't see any errors in the produced iptables command that fails).

Problem 2: time service fails.
Answer:
There have been reported problems with some versions of BASH, producing
errors when BASH reserved keywords are used as array values. Time is a
reserved BASH keyword that produces such errors on these versions of BASH.
Note that such errors are not produced by the service names (FireHOL never
places service names in BASH arrays). They are produced by the port names
defined within the services. All these mean that:

server_time_ports="udp/time tcp/time"

produces errors when used by FireHOL on a few BASH versions, but

server_time_ports="udp/37 tcp/37"

runs without any problems.
I have changed the time definition to use numeric ports in version 1.164
(currently in the CVS).

Problem 3: Overlapping interfaces.
Answer:
I have chosen the default policy on interfaces to be DROP, meaning that
all traffic that is matched by an interface statement but is not matched
by the server and client statements within that interface will be dropped
at the end of the interface with a log-prefix of "IN-name" or "OUT-name"
where name is the name given to the interface.
Of course, I could give the default policy RETURN to interfaces (like the
routers) in which case everything would be the same except that
overlapping interfaces would work by default (like the routers) and all
logs should appear as "IN-unknown" and "OUT-unknown" (like the routers:
PASS-unknown).

I decided that for interfaces I should choose the first option (policy
DROP) since this would make debugging clear (you know which interface did
not match the traffic) and for routers the second options (policy RETURN)
to allow you to build routing zones any way you like them, even
overlapping.

So, to use overlapping interfaces you have to define:

policy return

within all but the last interface of the overlapping. Even if you give
this policy to all the interfaces in your firewall, traffic not explicitly
matched by server and client statements will be dropped at the end of the
firewall with "IN-unknown" or "OUT-unknown" - so this is not a security
problem.

Kind regards,

Costa

-- 
Costa Tsaousis


> Thanks to the FireHOL author for a tool I've been just looking
> for. Very good indeed.
>
> After a few days of trying it I've successfuly put it on our
> production router-transparent-proxy, RH7.2, kernel-2.4.20-20.7bigmem,
> iptables-1.2.5-3, firehol-1.159-rh7up, where it seems to run okay.
>
> During tests prior to that, I encountered three problems - the first
> two seem bugs, and the third is something that perhaps needs to be
> mentioned in the documentation.
>
> First:
> ======
>
> Consider the following piece of firehol.conf:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> reported for:
>
> # Run a transparent cache
> MCAFEE=216.49.80.0/19
> GOOGLE=216.239.57.99/32
>
> SQUID_PORT="8080"       # Leave empty to disable SQUID
> SQUID_USERS="squid"     # Users to be excluded from the cache
> SQUID_EXCLUDE="$MCAFEE $GOOGLE" # Web Server IPs to be excluded from the
> cache
>
> transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
>         inface eth0  src "${LAN} ${DYN}" dst not "${SQUID_EXCLUDE}"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> At the start, it reports:
>
> ----------------------------------------------------------------------
> FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
> FireHOL: Processing file /etc/firehol/firehol.conf:        [  OK  ]
> FireHOL: Activating new firewall:
>
> ERROR   : # 1.
> WHAT    : A runtime command failed to execute (returned error 1).
> SOURCE  : line 21 of /etc/firehol/firehol.conf
> COMMAND : /sbin/iptables -t nat -A out_trsquid.1 -m owner --uid-owner
> squid -j RETURN
> OUTPUT  :
>
> iptables: Invalid argument
>
>                                                            [FAILED]
>
> FireHOL: Restoring old firewall:                           [  OK  ]
> ----------------------------------------------------------------------
>
> Moreover, if SQUID_USERS contains more than one name, the same error
> is reported, with the last name shown as --uid-owner.
>
> Second:
> =======
>
> 'time' as a protocol name seems not to be recognized. I had to replace
> it by the following two lines:
>
> 	client custom timetcp tcp/37 default accept
> 	client custom timeudp udp/37 default accept
>
>
> Third:
> ======
>
> Do not define two or more interfaces with overlapping sources or
> destinations. Eg. with the following definitions:
>
> # coming from lan
> interface eth0 lan src $LAN dst $GATE
>         ...
>
> # coming from lan or dyn
> interface eth0 landyn src "$LAN $DYN" dst $GATE
>         ...
>
> a packet coming from $LAN will only be processed according to the lan
> interface, not according to landyn.
>
>
> Best regards to the author and to the users,
> --
> Jack Olszewski
> Hermes Internet
> http://www.hermes.net.au/

More information about the Firehol-support mailing list