Hi, I'm trying to set up a home network on DSL with bridged ethernet and wireless network. I've set up a bridge with this script:

    #!/bin/sh
    # Strip any IP address from both member ports and put them in
    # promiscuous mode so the bridge sees every frame on them.
    ifconfig eth0 0/0 promisc up
    ifconfig eth1 0/0 promisc up

    echo "Creating bridge"
    brctl delbr br0          # remove a stale br0 left over from an earlier run
    brctl addbr br0
    brctl addif br0 eth0     # eth0: wired ethernet
    brctl addif br0 eth1     # eth1: wireless (Intel PRO/Wireless BG 2200)
    # The bridge device itself carries the router's LAN address.
    ifconfig br0 10.0.3.254 netmask 255.255.255.0

Then I've set up Shorewall; the configuration files are included at the end of my post. eth0 is ethernet, and eth1 is the wireless interface (Intel PRO/Wireless BG 2200). There is currently one host (apart from my router) in my home network. I'm trying to ping the host from the router:

    root@leon:~# ping 10.0.3.54
    PING 10.0.3.54 (10.0.3.54) 56(84) bytes of data.

    --- 10.0.3.54 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3000ms

...no answer. Let's take a look with tcpdump:

    14:15:33.113615 IP 10.0.3.254 > 10.0.3.54: ICMP echo request, id 12361, seq 1, length 64
    14:15:33.113833 IP 10.0.3.54 > 10.0.3.254: ICMP echo reply, id 12361, seq 1, length 64
    14:15:34.114271 IP 10.0.3.254 > 10.0.3.54: ICMP echo request, id 12361, seq 2, length 64
    14:15:34.114485 IP 10.0.3.54 > 10.0.3.254: ICMP echo reply, id 12361, seq 2, length 64
    14:15:35.114109 IP 10.0.3.254 > 10.0.3.54: ICMP echo request, id 12361, seq 3, length 64
    14:15:35.114323 IP 10.0.3.54 > 10.0.3.254: ICMP echo reply, id 12361, seq 3, length 64

So there's an answer, but the router won't listen. When I issue a command:

    iptables -I INPUT -i br0 -j ACCEPT

(this command should allow all incoming traffic from the bridge interface) ...and I try to ping:

    root@leon:~# ping -c 4 10.0.3.54
    PING 10.0.3.54 (10.0.3.54) 56(84) bytes of data.
    64 bytes from 10.0.3.54: icmp_seq=1 ttl=128 time=0.455 ms
    64 bytes from 10.0.3.54: icmp_seq=2 ttl=128 time=0.262 ms
    64 bytes from 10.0.3.54: icmp_seq=3 ttl=128 time=0.260 ms
    64 bytes from 10.0.3.54: icmp_seq=4 ttl=128 time=0.262 ms

    --- 10.0.3.54 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 0.260/0.309/0.455/0.086 ms

There is an answer! There is a rule in my "rules" file for ping:

    root@leon:~# grep Ping /etc/shorewall/rules
    AllowPing all fw

Do you have any ideas how to fix it? My full Shorewall configuration follows:

------------------------------------------------------------------------

zones:

    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet
    loc     Local     Local Network
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    loc     br0         detect      routeback,dhcp,tcpflags,routefilter
    net     ppp0        -
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

policy:

    #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
    #                         LEVEL
    loc       fw     REJECT
    fw        loc    ACCEPT
    fw        net    ACCEPT
    loc       net    ACCEPT
    loc       loc    ACCEPT
    net       all    DROP     info
    # The FOLLOWING POLICY MUST BE LAST
    all       all    REJECT   info
    #LAST LINE -- DO NOT REMOVE

rules:

    #ACTION     SOURCE   DEST   PROTO   DEST          SOURCE    ORIGINAL   RATE    USER/
    #                                   PORT          PORT(S)   DEST       LIMIT   GROUP
    ACCEPT      all      fw     icmp    8
    ACCEPT      fw       all    icmp
    # Skype
    ACCEPT      all      fw     tcp     46464
    ACCEPT      all      fw     udp     46464
    # Psi
    ACCEPT      all      fw     tcp     8010
    # quake, enemy territory
    ACCEPT      all      fw     tcp     27963
    ACCEPT      all      fw     udp     27963
    ACCEPT      all      fw     tcp     27960
    ACCEPT      all      fw     udp     27960
    # GnomeMeeting
    ACCEPT      all      fw     tcp     1503
    ACCEPT      all      fw     tcp     1720
    ACCEPT      all      fw     tcp     1731
    ACCEPT      all      fw     tcp     30000:30010
    ACCEPT      all      fw     udp     5000:5016
    # standard
    AllowPing   all      fw
    AllowSSH    loc      fw
    AllowSMB    loc      fw
    AllowDNS    loc      fw
    # BitTorrent
    ACCEPT      all      fw     tcp     6881:6890
    ACCEPT      all      fw     udp     6881:6890
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--
Maciej Bliziński <maciej.blizinski@magnum2.pl>
Magnum 2
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Maciej Bliziński wrote:

> There is an answer! There is a rule in my "rules" file for ping:
>
>     root@leon:~# grep Ping /etc/shorewall/rules
>     AllowPing all fw

That rule allows external hosts to ping the firewall. It does *NOT* allow pinging *FROM* the firewall. You also need:

    AllowPing fw all

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 29-08-2005 at 08:03 -0700, Tom Eastep wrote:

>>     root@leon:~# grep Ping /etc/shorewall/rules
>>     AllowPing all fw
>
> That rule allows external hosts to ping the firewall. It does *NOT*
> allow pinging *FROM* the firewall. You also need:
>
>     AllowPing fw all

I thought about that. My policy file states...

    fw    loc    ACCEPT
    fw    net    ACCEPT

...and outgoing pings are allowed according to it. "tcpdump" shows outgoing ping packets as well as returning ping replies:

    14:15:34.114271 IP 10.0.3.254 > 10.0.3.54: ICMP echo request, id 12361, seq 2, length 64
    14:15:34.114485 IP 10.0.3.54 > 10.0.3.254: ICMP echo reply, id 12361, seq 2, length 64

For some reason, incoming packets get dropped. I don't know how to track down the rule that drops them. Or, if the policy is to drop (or reject), why aren't they accepted by the AllowPing action?

--
Maciej Bliziński <maciej.blizinski@magnum2.pl>
Software development, server administration.
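The question above ("how to track down the rule that drops them") has a generic answer that the thread never spells out: zero the netfilter counters, reproduce the failure, and look at which DROP/REJECT rule or chain policy counted the packets. The script below is an added example, not code from the thread or from Shorewall. It parses text in the format `iptables-save -c` produces; the `SAMPLE_COUNTERS` block is a constructed sample in that format, and the chain names in it (`loc2fw`, `fw2loc`, `Reject`, `reject`) imitate Shorewall-style naming but are assumptions for this example, not a capture from the poster's router. (In this particular thread the culprit turned out to be a kernel bug rather than a rule, which is exactly the case where no rule or policy counter accounts for the loss.)

```shell
#!/bin/sh
# Added example: locate the netfilter rule or chain policy that is actually
# discarding packets, from counters in `iptables-save -c` format.
#
# Workflow on the router (real commands):
#     iptables -Z                     # zero all packet/byte counters
#     ping -c 4 10.0.3.54             # reproduce the failure
#     iptables-save -c > /tmp/after   # snapshot the counters
#     . ./trace_drops.sh; find_discarding_rules "$(cat /tmp/after)"
#
# CONSTRUCTED sample in that format (chain names are assumptions, not a
# capture). Note the REJECT rule at the end of loc2fw has zero hits: the six
# rejected packets were taken by the "Reject" chain before it.
SAMPLE_COUNTERS='*filter
:INPUT DROP [0:0]
:FORWARD DROP [3:252]
:OUTPUT DROP [0:0]
:loc2fw - [0:0]
:fw2loc - [0:0]
:Reject - [0:0]
:reject - [0:0]
[120:9840] -A INPUT -i br0 -j loc2fw
[88:7392] -A OUTPUT -o br0 -j fw2loc
[12:1008] -A loc2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
[6:504] -A loc2fw -j Reject
[0:0] -A loc2fw -j REJECT --reject-with icmp-port-unreachable
[88:7392] -A fw2loc -j ACCEPT
[6:504] -A Reject -j LOG --log-prefix "Shorewall:loc2fw:REJECT:"
[6:504] -A Reject -j reject
COMMIT'

# Print "pkts chain target" for every rule whose target discards traffic and
# whose packet counter is non-zero. Zero-hit rules are omitted on purpose: a
# REJECT rule that never matched is not the culprit. The target list covers
# the built-in DROP/REJECT plus Shorewall-style Drop/Reject/reject chains.
find_discarding_rules() {
    printf '%s\n' "$1" | awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            pkts = $1
            sub(/^\[/, "", pkts); sub(/:.*$/, "", pkts)
            chain = $3
            target = ""
            for (i = 4; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (pkts + 0 > 0 && target ~ /^(DROP|REJECT|Drop|Reject|reject)$/)
                print pkts, chain, target
        }'
}

# Print "chain -> target" for INPUT/FORWARD rules matching packets that arrive
# on the given interface: the entry points inbound traffic takes. A rule
# inserted with `iptables -I INPUT -i br0 -j ACCEPT` (as in the thread) lands
# at the top of INPUT, ahead of all of these, which is why it "fixes" things.
chains_entered_from() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\[[0-9]+:[0-9]+\] -A (INPUT|FORWARD) / {
            hit = 0; target = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) == ifc) hit = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (hit && target != "") print $3, "->", target
        }'
}

# Print "chain DROP pkts" for built-in chains whose default policy is DROP and
# has counted packets. Traffic that falls off the end of a chain without
# matching any rule is counted only here, on the ":CHAIN POLICY [p:b]" line,
# never on a rule line, so a rule-only search misses it.
discarding_policies() {
    printf '%s\n' "$1" | awk '
        /^:[A-Za-z0-9_-]+ DROP \[[0-9]+:[0-9]+\]$/ {
            pkts = $3; sub(/^\[/, "", pkts); sub(/:.*$/, "", pkts)
            if (pkts + 0 > 0) print substr($1, 2), $2, pkts
        }'
}

echo "== rules with non-zero discard counters =="
find_discarding_rules "$SAMPLE_COUNTERS"
echo "== entry chains for traffic arriving on br0 =="
chains_entered_from "$SAMPLE_COUNTERS" br0
echo "== built-in DROP policies that counted packets =="
discarding_policies "$SAMPLE_COUNTERS"
```

Run against the sample this reports `6 loc2fw Reject` and `6 Reject reject` (the LOG rule in between has the same count but is not a discard), shows that traffic from br0 enters via `INPUT -> loc2fw`, and flags the three packets that hit the FORWARD chain's DROP policy without matching any rule. If everything comes back empty after reproducing the failure, the packets are not being discarded by the ruleset at all, which points at the kernel or the bridge rather than at Shorewall.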
Maciej Bliziński wrote:

> For some reason, incoming packets get dropped. I don't know how to track
> down the rule that drops them. Or, if policy is to drop (or reject), why
> aren't they accepted by AllowPing action.

If you want my help, please follow the instructions at http://www.shorewall.net/support.htm

-Tom
Tom Eastep wrote:

> Maciej Bliziński wrote:
>
>> For some reason, incoming packets get dropped. I don't know how to track
>> down the rule that drops them. Or, if policy is to drop (or reject), why
>> aren't they accepted by AllowPing action.
>
> If you want my help, please follow the instructions at
> http://www.shorewall.net/support.htm

And if you are not running Shorewall 2.4.3, please indicate which kernel you are running. Bridge/firewall is broken in many kernels with version 2.6.12 and later.

-Tom
On Mon, 29-08-2005 at 09:03 -0700, Tom Eastep wrote:

> If you want my help, please follow the instructions at
> http://www.shorewall.net/support.htm

I'm trying to ping host 10.0.3.54 from 10.0.3.254. I'm attaching the output of the "shorewall status" command. Some additional information: host 10.0.3.54 can ping 10.0.3.254; it can also make successful TCP connections (from 10.0.3.54 to 10.0.3.254).

--
Maciej Bliziński <maciej.blizinski@magnum2.pl>
On Mon, 29-08-2005 at 09:12 -0700, Tom Eastep wrote:

> And if you are not running Shorewall 2.4.3, please indicate which kernel
> you are running. Bridge/firewall is broken in many kernels with version
> 2.6.12 and later.

Sorry for not writing it before.

It's Shorewall 2.2.3 and kernel 2.6.12 (vanilla, no patches).

--
Maciej Bliziński <maciej.blizinski@magnum2.pl>
Tom Eastep wrote:

> Tom Eastep wrote:
>
>> Maciej Bliziński wrote:
>>
>>> For some reason, incoming packets get dropped. I don't know how to track
>>> down the rule that drops them. Or, if policy is to drop (or reject), why
>>> aren't they accepted by AllowPing action.
>>
>> If you want my help, please follow the instructions at
>> http://www.shorewall.net/support.htm
>
> And if you are not running Shorewall 2.4.3, please indicate which kernel
> you are running. Bridge/firewall is broken in many kernels with version
> 2.6.12 and later.

There is a long thread on the Netfilter and Netfilter Development lists entitled "2.6.12: connection tracking broken?". This thread eventually was cross-posted on both Linux-kernel and Ebtables-devel as well. The patch made it into some Fedora 2.6.11 kernels and into 2.6.12 in virtually all distros. The patch causing the problem should be removed from 2.6.13.

-Tom
Maciej Bliziński wrote:

> On Mon, 29-08-2005 at 09:12 -0700, Tom Eastep wrote:
>
>> And if you are not running Shorewall 2.4.3, please indicate which kernel
>> you are running. Bridge/firewall is broken in many kernels with version
>> 2.6.12 and later.
>
> Sorry for not writing it before.
>
> It's Shorewall 2.2.3 and kernel 2.6.12 (vanilla, no patches).
  --------------

That is your problem.

-Tom
On Mon, 29-08-2005 at 09:33 -0700, Tom Eastep wrote:

> There is a long thread on the Netfilter and Netfilter Development lists
> entitled "2.6.12: connection tracking broken?".

Thanks a lot for the information, that was exactly the problem. I found a link to the patch,
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b31e5b1bb53b99dfd5e890aa07e943aff114ae1c

I reversed the patch and now I've got my bridge working. Thanks a lot again for the help and for the excellent Shorewall.

Regards,
Maciej

--
Maciej Bliziński <maciej.blizinski@magnum2.pl>