My firewall server is a two-NIC system with eth0 on the internal LAN and eth1
on the external LAN. I just installed a VOIP box and, per their
recommendations, installed the VOIP box between the cablemodem and eth1.
Therefore, the VOIP box is between my firewall server and the external LAN.
Since the VOIP box comes first, it is assigned the external IP address and
assigns a non-routable IP address (192.168.x.x) to eth1 on a different segment
than the IP address assigned to eth0.

Two questions:

1) Are all my firewall rules still correct even though eth1 used to be
assigned the routable external IP address and is now assigned a
non-routable address? I would assume yes, since the interfaces are named
'LOC' and 'FW' and all the rules use those names.

2) My firewall server uses ddclient to publish the dynamically assigned IP
address. Since eth1 now has an internal address, this does not work anymore.
Is there a way for me to find out the actual external IP address assigned to
my VOIP box?

Thanks!

...Jake

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Jake Colman wrote:
> My firewall server is a two-NIC system with eth0 on the internal LAN and eth1
> on the external LAN. I just installed a VOIP box and, per their
> recommendations, installed the VOIP box between the cablemodem and eth1.
> Therefore, the VOIP box is between my firewall server and the external LAN.
> Since the VOIP box comes first, it is assigned the external IP address and
> assigns a non-routable IP address (192.168.x.x) to eth1 on a different
> segment than the IP address assigned to eth0.
>
> Two questions:
>
> 1) Are all my firewall rules still correct even though eth1 used to be
> assigned the routable external IP address and is now assigned a
> non-routable address? I would assume yes, since the interfaces are named
> 'LOC' and 'FW' and all the rules use those names.

You will want to remove 'norfc1918' from the list of options for the FW
interface in /etc/shorewall/interfaces.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>>>>> "TE" == Tom Eastep <teastep@shorewall.net> writes:

TE> You will want to remove 'norfc1918' from the list of options for the FW
TE> interface in /etc/shorewall/interfaces.

Is the 'norfc1918' option simply a fail-safe to prevent such an address from
being assigned? Or does it do more than that? In other words, if I redo my
config such that my FW interface now does get assigned the real external IP
address, does it matter in any material way if I do not put back the
'norfc1918' option?

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com
Jake Colman wrote:
>>>>>> "TE" == Tom Eastep <teastep@shorewall.net> writes:
>
> TE> You will want to remove 'norfc1918' from the list of options for the FW
> TE> interface in /etc/shorewall/interfaces.
>
> Is the 'norfc1918' option simply a fail-safe to prevent such an address from
> being assigned? Or does it do more than that? In other words, if I redo my
> config such that my FW interface now does get assigned the real external IP
> address, does it matter in any material way if I do not put back the
> 'norfc1918' option?
>

'norfc1918' does what the documentation indicates. From
http://www.shorewall.net/Documentation.htm#Interfaces:

-------------------------------------------------------------------------------
norfc1918

    Packets arriving on this interface and that have a source or destination
    address that is reserved in RFC 1918 will be dropped after being
    optionally logged.
-------------------------------------------------------------------------------

That documentation then goes on to warn that ISPs are increasingly using
RFC1918 addresses in their infrastructure.

So it very definitely affects the behavior of the firewall in a material way.

It is highly recommended to specify 'norfc1918' if you have DNAT rules and
your iptables/kernel don't support "Connection Tracking Match" (see the
output of "shorewall show capabilities"). Otherwise, any host in your
external IP network can access your local server(s) by its (their) local
address(es) through a simple addition of a route.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
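The following is an added example, not code from the thread or from Shorewall, that models the documented 'norfc1918' rule on constructed packets to show what the option does on both sides of Jake's change: on the old setup (eth1 holding a public address) it only discards packets carrying a private source address that arrive from the outside, while on the new setup (eth1 holding 192.168.100.10 from the VOIP box) every reply from the Internet is addressed to that private address and is dropped. The interface name eth1, the addresses 192.168.100.10 and 192.168.100.1, and the 203.0.113.x / 198.51.100.x public hosts are all assumed values chosen for the example; the optional logging the documentation mentions is left out.

```python
"""Model of Shorewall's 'norfc1918' interface option on constructed packets.

Added example, not from the mailing-list thread or from Shorewall itself.
"""
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private ranges that the option name refers to.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str    # source address
    dst: str    # destination address


def verdict(pkt: Packet, norfc1918_ifaces: set) -> str:
    """Apply the documented rule: on an interface listed with 'norfc1918',
    drop any packet whose source OR destination is an RFC 1918 address."""
    if pkt.iface in norfc1918_ifaces and (is_rfc1918(pkt.src) or is_rfc1918(pkt.dst)):
        return "DROP"
    return "ACCEPT"


def count_verdicts(packets, norfc1918_ifaces) -> dict:
    """Return {'DROP': n, 'ACCEPT': m} for the packets under the given option set."""
    counts = {"DROP": 0, "ACCEPT": 0}
    for p in packets:
        counts[verdict(p, norfc1918_ifaces)] += 1
    return counts


# Constructed traffic, old setup: eth1 holds the assumed public address
# 198.51.100.20 directly. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real public hosts.
BEFORE_VOIP_BOX = [
    Packet("eth1", "203.0.113.5", "198.51.100.20"),  # normal reply from a web server
    Packet("eth1", "10.0.0.7", "198.51.100.20"),     # private source arriving from outside
]

# Constructed traffic, new setup: the VOIP box (assumed 192.168.100.1) hands
# eth1 the assumed address 192.168.100.10, so every reply carries that
# private destination.
AFTER_VOIP_BOX = [
    Packet("eth1", "203.0.113.5", "192.168.100.10"),    # reply to an outbound web request
    Packet("eth1", "203.0.113.9", "192.168.100.10"),    # DNS reply
    Packet("eth1", "192.168.100.1", "192.168.100.10"),  # the VOIP box (gateway) itself
]


if __name__ == "__main__":
    print("old setup, norfc1918 on eth1:", count_verdicts(BEFORE_VOIP_BOX, {"eth1"}))
    print("new setup, norfc1918 on eth1:", count_verdicts(AFTER_VOIP_BOX, {"eth1"}))
    print("new setup, option removed:   ", count_verdicts(AFTER_VOIP_BOX, set()))
```

Running it shows the option dropping one of two packets on the old setup (the one with the private source) and all three on the new setup, and accepting all three once the option is removed from the eth1 entry, which is the practical effect of Tom's advice.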