# Shorewall 3 interface setup

## serrix

Hi there,

I'm having problems setting up shorewall on my gentoo server.

I've followed several guides, but I'm starting to think I'm missing a concept, as my current configuration doesn't do what I expect it to do.

I expect the virtual machines aren't able to pick up a DHCP lease either because the traffic is blocked or because of the way that the vmnet interfaces are bound. At one stage I can confirm they were being offered an address by the server, but I'm not sure if that's still the case.

Sorry for all the 'I's in this, trying to be blunt for a shorter post.

Thanks for your help and insight in advance.

I need to be able to:

I want my network divided into three zones - LAN, WAN and DMZ.

I need to be able to do ssh, dns, rsync and smb traffic from all zones to all zones.

I need to be able to access my virtual machines (port 902, tcp) from the DMZ and LAN

I need to be able to host websites on ports 80 and 8080, where 80 is available to the world but 8080 is only available on the LAN and DMZ

I need to be able to VNC to any machine in the DMZ and LAN from the DMZ or LAN, but need to access a specific machine via the WAN connection (but only that one, don't want the others exposed)

I run a timeserver on my server, so NTP traffic needs to come from the WAN and from the server to the DMZ and LAN

I need to be able to access Mysql databases stored on both the LAN and DMZ from the LAN and DMZ

I need virtual machines and physical machines on the DMZ and LAN to be able to get DHCP leases and resolve names from the server and need to be able browse the web from them.

I have three physical NICs, bound to vmnets as below:

WAN - vmnet0 = eth0 = dhcp (192.168.1.x) HWaddr 00:16:17:EC:5C:37

LAN - vmnet2 = eth1 = 192.168.2.1 HWaddr 00:08:54:4F:73:94

DMZ - vmnet3 = eth2 = 169.254.1.1 HWaddr 00:08:54:4F:73:08

Current known issues:

Physical machines can get dhcp leases from the LAN and WAN, but not vmware machines

I can't connect from machines on the LAN/DMZ to my vmware server on the server

I'm not sure that other things are working as expected, and that i'm set up securely.

Even if I set all traffic allowable to all zones in the /etc/shorewall/policy file, it doesn't seem to allow full access - why not? This suggests I'm missing crucial knowledge.

DNSMASQ config:

```
domain=serrix.co.nz
dhcp-range=eth1,192.168.2.50,192.168.2.150,255.255.255.0,12h
dhcp-range=eth2,192.168.3.50,192.168.3.150,255.255.255.0,12h
dhcp-host=00:08:54:4F:73:94,VMserver
# Set the NTP time server address to be the same machine as
# is running dnsmasq
dhcp-option=42,0.0.0.0
# Set the default time-to-live to 50
dhcp-option=23,50
dhcp-authoritative
```

/etc/conf.d/net

```
dhcpcd_eth0="-N"
config_eth0=( "dhcp" )
#routes_eth0=( "default via 192.168.1.1" )
config_eth1=( "192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0" )
config_eth2=( "192.168.3.1 broadcast 192.168.3.255 netmask 255.255.255.0" )
```

/etc/shorewall/policy

```
#$FW            wan             ACCEPT
lan             wan             ACCEPT          info
#all            all             ACCEPT          info
wan             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

/etc/shorewall/rules

```
#SECTION RELATED
SECTION NEW
DNS/ACCEPT      all     all
SSH/ACCEPT      all     all
Rsync/ACCEPT    all     all
SMB/ACCEPT      all     all
ACCEPT          all     all     TCP     902
ACCEPT          wan     dmz     TCP     8080
ACCEPT          dmz     wan     TCP     8080
ACCEPT          wan     lan     TCP     8080
ACCEPT          lan     wan     TCP     8080
#Web/DNAT       net     dmz
Web/ACCEPT      lan     dmz
VNC/ACCEPT      lan     dmz
VNC/ACCEPT      wan     dmz
MySQL/ACCEPT    dmz     lan
MySQL/ACCEPT    lan     dmz
NTP/ACCEPT      wan     dmz
NTP/ACCEPT      dmz     wan
NTP/ACCEPT      lan     wan
NTP/ACCEPT      wan     lan
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/interfaces

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
wan     eth0            192.168.1.255   blacklist,dhcp,tcpflags,routefilter
lan     eth1            192.168.2.255   dhcp
dmz     eth2            192.168.3.255   dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/zones

```
fw      firewall
lan     ipv4
dmz     ipv4
wan     ipv4
```

/etc/shorewall/shorewall.conf

```
cat /etc/shorewall/shorewall.conf
###############################################################################
#  /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
#  match your setup
#
#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Additional information is available at
#  http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                             V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=shell
###############################################################################
#                              L O G G I N G
###############################################################################
LOGFILE=/var/log/shorewall
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
```

----------

## serrix

I notice that if you run vmnet-dhcpd it seems to be looking for /etc/dhcpd.conf... I wonder if this is what's stopping virtuals from getting a DHCP lease?

```
vmnet-dhcpd
Internet Software Consortium DHCP Server 2.0
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html

Can't open /etc/dhcpd.conf: No such file or directory
exiting.
```

----------

## Hu

Please post the output of iptables-save -c so we can see the rules that shorewall is loading.  The shorewall configuration may come in handy as refinements are made, but it is much easier to debug the problem by looking at the rules which cause the problem, rather than looking at the rules which indirectly create the rules which cause the problem.

----------

## serrix

Thank you very much for your reply, hope this helps.

Another small question - I've been finding it very hard to troubleshoot because the logs aren't filling up. I've pointed the log to /var/log/shorewall and even gave the file 777 permissions, but it's still not writing to it. Is there something simple I'm missing?

Thanks for your time and help! 

```
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*raw
:PREROUTING ACCEPT [2034:104627]
:OUTPUT ACCEPT [2917:9196840]
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*mangle
:PREROUTING ACCEPT [2034:104627]
:INPUT ACCEPT [2034:104627]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2081125:6655395634]
:POSTROUTING ACCEPT [2917:9196840]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[1966:101301] -A PREROUTING -j tcpre
[0:0] -A FORWARD -j tcfor
[2814:8938216] -A OUTPUT -j tcout
[2814:8938216] -A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.2.0/255.255.255.0 -j MASQUERADE
[0:0] -A eth0_masq -s 192.168.3.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Wed Dec 19 21:13:05 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 21:13:05 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dmz2fw - [0:0]
:dmz2lan - [0:0]
:dmz2wan - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:eth2_out - [0:0]
:fw2dmz - [0:0]
:fw2lan - [0:0]
:fw2wan - [0:0]
:lan2dmz - [0:0]
:lan2fw - [0:0]
:lan2wan - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:wan2dmz - [0:0]
:wan2fw - [0:0]
:wan2lan - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[1959:100958] -A INPUT -i eth0 -j eth0_in
[0:0] -A INPUT -i eth1 -j eth1_in
[0:0] -A INPUT -i eth2 -j eth2_in
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:ACCEPT:" --log-level 6
[0:0] -A INPUT -j ACCEPT
[0:0] -A FORWARD -i eth0 -j eth0_fwd
[0:0] -A FORWARD -i eth1 -j eth1_fwd
[0:0] -A FORWARD -i eth2 -j eth2_fwd
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:ACCEPT:" --log-level 6
[0:0] -A FORWARD -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[2801:8899209] -A OUTPUT -o eth0 -j eth0_out
[0:0] -A OUTPUT -o eth1 -j eth1_out
[0:0] -A OUTPUT -o eth2 -j eth2_out
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:ACCEPT:" --log-level 6
[0:0] -A OUTPUT -j ACCEPT
[0:0] -A Drop -p tcp -m tcp --dport 113 -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -j DROP
[0:0] -A Reject -p tcp -m tcp --dport 113 -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -j DROP
[0:0] -A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A all2all -j LOG --log-prefix "Shorewall:all2all:ACCEPT:" --log-level 6
[0:0] -A all2all -j ACCEPT
[0:0] -A dmz2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2fw -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2fw -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2fw -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2fw -j all2all
[0:0] -A dmz2lan -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2lan -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2lan -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2lan -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A dmz2lan -j all2all
[0:0] -A dmz2wan -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A dmz2wan -p udp -m multiport --dports 135,445 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 137:139 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --sport 137 --dport 1024:65535 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m multiport --dports 135,139,445 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 902 -j ACCEPT
[0:0] -A dmz2wan -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A dmz2wan -p udp -m udp --dport 123 -j ACCEPT
```

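Hu asked for `iptables-save -c` because the `[packets:bytes]` counters show which chains traffic actually passes through. The following Python script is an added example, not code from the thread: it parses a counted dump in the format posted above (a constructed, abridged sample is embedded) and reports which of Shorewall's generated chains have been entered and which have stayed idle; in the dump above `eth1_in` and `eth2_in` are idle while `eth0_in` has seen 1959 packets, which says the LAN and DMZ interfaces delivered nothing to the firewall's INPUT chain.

```python
import re

# Constructed sample in `iptables-save -c` format, abridged from the dump
# posted in the thread; each rule is prefixed with [packets:bytes].
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:eth0_in - [0:0]
:eth1_in - [0:0]
:eth2_in - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[1959:100958] -A INPUT -i eth0 -j eth0_in
[0:0] -A INPUT -i eth1 -j eth1_in
[0:0] -A INPUT -i eth2 -j eth2_in
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:ACCEPT:" --log-level 6
[0:0] -A INPUT -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")
TARGET_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")


def parse_counted_dump(text):
    """Parse `iptables-save -c` output into
    {table: {chain: {"policy": str, "rules": [(pkts, spec, target)]}}}.
    User-defined chains carry the policy "-"."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # comments and blank lines
        if line.startswith("*"):
            table = line[1:]          # "*filter" opens a table
            tables[table] = {}
            continue
        if line == "COMMIT":
            table = None              # table finished
            continue
        m = CHAIN_RE.match(line)
        if m:                         # ":NAME POLICY [pkts:bytes]"
            tables[table][m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m:                         # "[pkts:bytes] -A CHAIN spec"
            pkts, chain, spec = int(m.group(1)), m.group(3), m.group(4)
            t = TARGET_RE.search(spec)
            entry = tables[table].setdefault(chain, {"policy": "-", "rules": []})
            entry["rules"].append((pkts, spec, t.group(1) if t else None))
    return tables


def packets_jumped_into(tables, table):
    """Packets sent into each chain of `table` by `-j <chain>` rules.
    Built-in chains are entered by the kernel, not by a jump, so they
    report 0; the numbers matter for Shorewall's eth*_in / zone2zone chains."""
    counts = {name: 0 for name in tables[table]}
    for chain in tables[table].values():
        for pkts, _spec, target in chain["rules"]:
            if target in counts:
                counts[target] += pkts
    return counts


def idle_user_chains(tables, table):
    """User-defined chains that no packet entered and whose own rules
    never matched: traffic for them is not arriving at the firewall."""
    entered = packets_jumped_into(tables, table)
    idle = []
    for name, chain in tables[table].items():
        own_hits = sum(pkts for pkts, _s, _t in chain["rules"])
        if chain["policy"] == "-" and entered[name] == 0 and own_hits == 0:
            idle.append(name)
    return sorted(idle)
```

Run against the full dump from the thread, the idle list points at the interfaces whose traffic never reaches netfilter, which is exactly what the packet capture Hu suggests is meant to confirm.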

----------

## serrix

Hmm, it looks like I need to open some ports to the $FW? (which I'm assuming is the actual server itself?? That could explain a lot of issues if that's correct...)

----------

## Hu

That may be the case.  After reviewing your post, I noticed that all your problems are related to VMware.  Could you collect a packet capture to verify that the packets are arriving on the interface you expect, and that they have reasonable values in the packet headers?  If possible, please post the TCP and IP headers from the capture so that we can review which rules should be affecting the packets.

As for your problem with the messages, that is most likely a misconfiguration of your system logging daemon.  Which logger are you using?  Can you post the configuration file for it?

----------

## serrix

Thanks, i'll have a look into that.

I'm using syslog-ng and the config is below - it's also the stock config:

```
cat /etc/syslog-ng/syslog-ng.conf
# Copyright 2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.hardened,v 1.5 2007/10/30 17:16:15 solar Exp $
#
# Syslog-ng configuration file, compatible with default hardened installations.
#

options {
        chain_hostnames(off);
        sync(0);
        stats(43200);
};

#options {
#       chain_hostnames(off);
#       sync(0);
#       stats(43200);
#       long_hostnames(off);
#       use_dns(no);
#       create_dirs(yes);
#};

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

#source net { udp(); };
#log { source(net); destination(net_logs); };
#destination net_logs { file("/var/log/HOSTS/$HOST/$YEAR$MONTH$DAY.log"); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };
destination avc { file("/var/log/avc.log"); };
destination audit { file("/var/log/audit.log"); };
destination pax { file("/var/log/pax.log"); };
destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_ppp { facility(ppp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^PAX:.*"); };
filter f_grsec { match("^grsec:.*"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(kernsrc); filter(f_pax); destination(pax); };
log { source(kernsrc); filter(f_grsec); destination(grsec); };
log { source(kernsrc); filter(f_audit); destination(audit); };
log { source(kernsrc); filter(f_avc); destination(avc); };

log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };

log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };
```

----------

## serrix

*Hu wrote:*

> That may be the case.  After reviewing your post, I noticed that all your problems are related to VMware.  Could you collect a packet capture to verify that the packets are arriving on the interface you expect, and that they have reasonable values in the packet headers?  If possible, please post the TCP and IP headers from the capture so that we can review which rules should be affecting the packets.
>
> As for your problem with the messages, that is most likely a misconfiguration of your system logging daemon.  Which logger are you using?  Can you post the configuration file for it?

Can you please suggest an (easy to use) packet sniffer to use for this?

Also, so that we can confirm the issues aren't only VMware issues, could you suggest what other traffic I could test?

(Currently I've been testing connecting to the VMware server from machines on the WAN and LAN, which uses port 902 and has been allowed; the configuration is correct.)

Thanks again for all your help.

Cheers,

Serrix

----------

## serrix

*bump*

Any ideas on how to fix my configuration?? 

I've tried adding in rules going to the $FW zone, which hasn't made any visible change.

----------

## Hu

Use net-analyzer/tcpdump to capture traffic.  Start with monitoring a connection to a server running in VMware.  Run a sniffer on the host and on the guest.  Check to see if the guest is receiving traffic.  If the guest is receiving traffic, then the problem is that the guest's response never reaches the client system.  If the guest is not receiving traffic, then the problem is that the host is never routing the request to the guest.

----------

