Here is my config:
dubenda:~ # shorewall version
3.2.1
dubenda:~ # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:2a:d5:3a:76 brd ff:ff:ff:ff:ff:ff
inet 10.37.254.1/24 brd 10.37.254.255 scope global eth1
inet6 fe80::202:2aff:fed5:3a76/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0e:0c:5d:70:0d brd ff:ff:ff:ff:ff:ff
inet 192.168.0.250/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20e:cff:fe5d:700d/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
dubenda:~ # ip route show
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.250
10.37.254.0/24 dev eth1 proto kernel scope link src 10.37.254.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0
policy:
#SOURCE   DEST   POLICY   LOG LIMIT:BURST
loc       dmz    ACCEPT
loc       fw     ACCEPT
fw        dmz    ACCEPT
fw        loc    ACCEPT
dmz       fw     DROP     info
dmz       loc    ACCEPT
Now the problem:
I already figured out that the following rule:
DROP:info dmz loc:192.168.0.2-192.168.0.254 all
is dropping packets arriving from my net "loc", though the rule
definition says it shall block communication from the net "dmz" to
the net "loc", excluding the address 192.168.0.1.
Now I commented out this rule, restarted, and no more packets are
dropped. OK, then I uncommented it again and packets are still not
dropped.
Letting the firewall run for some more time causes this rule to drop
incoming packets on the interface "loc" again.
It's quite weird because it's only one particular host
(192.168.0.39) whose packets are dropped. Another host (e.g. 192.168.0.100) is accepted.
I have to mention that both networks
1) loc 192.168.0.0/24 and
2) dmz 10.37.253.0/24 are connected to one switch.
Thank you very very much!
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Jochen Demmer wrote:
> I have to mention that both networks
> 1) loc 192.168.0.0/24 and
> 2) dmz 10.37.253.0/24 are connected to one switch.

The Shorewall documentation is full of warnings about doing that. Please read them (hint: two-interface quickstart guide, three-interface quickstart guide, troubleshooting guide, ...).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jochen Demmer wrote:
>
>> I have to mention that both networks
>> 1) loc 192.168.0.0/24 and
>> 2) dmz 10.37.253.0/24 are connected to one switch.
>
> The Shorewall documentation is full of warnings about doing that. Please read
> them (hint: two-interface quickstart guide, three-interface quickstart guide,
> troubleshooting guide, ...).
>

While the quickstart guides admonish you to not connect the external and internal interfaces to the same switch, the same applies for *any* two or more interfaces.

a) From a security point of view, if a system in the DMZ is root-hacked, the hacker has clear sailing to your internal systems through the switch.

b) Because of the way that Linux handles ARP, any of the interfaces can (and will) receive traffic addressed to another of the interfaces.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
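The following is an added example, not code from the thread or from the Shorewall project. It is a simplified model of Tom's point (b): the firewall's eth0 (zone loc, 192.168.0.250) and eth1 (zone dmz, 10.37.254.1), taken from the posted `ip addr` output, sit on one switch, so both hear an ARP request for 192.168.0.250. With the Linux default `net.ipv4.conf.<if>.arp_ignore = 0` either interface may answer; whichever reply the LAN host caches first decides which interface, and therefore which Shorewall zone, its packets enter on. The zone lookup, the policy table and the poster's DROP rule are re-implemented here as a toy, not Shorewall's own compiler; the DMZ host 10.37.254.10 is a constructed sample address, and 192.168.0.39 and 192.168.0.100 are the hosts the poster mentions.

```python
"""Model of ARP-driven zone misclassification on a shared switch (added example)."""
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Iface:
    name: str
    mac: str
    ip: str
    net: str
    zone: str


# The firewall's interfaces, as in the posted `ip addr` / `ip route` output.
FIREWALL = (
    Iface("eth0", "00:0e:0c:5d:70:0d", "192.168.0.250", "192.168.0.0/24", "loc"),
    Iface("eth1", "00:02:2a:d5:3a:76", "10.37.254.1", "10.37.254.0/24", "dmz"),
)

# The poster's policy file (SOURCE, DEST) -> POLICY.
POLICY = {
    ("loc", "dmz"): "ACCEPT", ("loc", "fw"): "ACCEPT", ("fw", "dmz"): "ACCEPT",
    ("fw", "loc"): "ACCEPT", ("dmz", "fw"): "DROP", ("dmz", "loc"): "ACCEPT",
}

# The poster's rule:  DROP:info dmz loc:192.168.0.2-192.168.0.254 all
RULE_ZONES = ("dmz", "loc")
RULE_DST_RANGE = (ip_address("192.168.0.2"), ip_address("192.168.0.254"))


def arp_responders(target_ip, arp_ignore=0):
    """Interfaces that answer 'who-has target_ip' heard on the shared switch.
    arp_ignore=0 (Linux default): every interface answers for any address the box owns.
    arp_ignore=1: only the interface that actually carries target_ip answers."""
    if not any(i.ip == target_ip for i in FIREWALL):
        return []
    if arp_ignore == 0:
        return list(FIREWALL)
    return [i for i in FIREWALL if i.ip == target_ip]


def learned_mac(target_ip, arp_ignore=0, rng=random):
    """MAC the requesting host caches: the first reply to arrive wins, and on one
    switch that order is a race. `rng` is injectable so runs can be made repeatable."""
    replies = arp_responders(target_ip, arp_ignore)
    return rng.choice(replies).mac if replies else None


def dest_zone(dst_ip):
    """Destination zone from the posted routing table: the firewall's own addresses
    are zone fw, each connected subnet is its interface's zone, and everything else
    leaves via the default route on eth0 (zone loc)."""
    d = ip_address(dst_ip)
    if any(d == ip_address(i.ip) for i in FIREWALL):
        return "fw"
    for i in FIREWALL:
        if d in ip_network(i.net):
            return i.zone
    return "loc"


def classify(src_ip, dst_ip, dst_mac):
    """Shorewall takes the SOURCE zone from the ingress interface, i.e. from the MAC
    the frame was sent to, not from src_ip. Returns (src_zone, dst_zone, verdict)."""
    ingress = next((i for i in FIREWALL if i.mac == dst_mac), None)
    if ingress is None:
        raise ValueError("frame is not addressed to the firewall")
    src_zone, dst_zone = ingress.zone, dest_zone(dst_ip)
    in_range = RULE_DST_RANGE[0] <= ip_address(dst_ip) <= RULE_DST_RANGE[1]
    if (src_zone, dst_zone) == RULE_ZONES and in_range:
        return (src_zone, dst_zone, "DROP (rule)")
    return (src_zone, dst_zone, POLICY.get((src_zone, dst_zone), "no policy"))


def outcomes(src_ip, dst_ip, arp_ignore, trials=50):
    """Set of verdicts seen when src_ip re-resolves dst_ip over `trials` independent
    ARP races (seeded, so the result is repeatable). This is what makes the poster's
    symptom come and go: each ARP cache expiry is a fresh race."""
    seen = set()
    for seed in range(trials):
        mac = learned_mac(dst_ip, arp_ignore, random.Random(seed))
        seen.add(classify(src_ip, dst_ip, mac))
    return seen


if __name__ == "__main__":
    for ignore in (0, 1):
        print(f"arp_ignore={ignore}: LAN host 192.168.0.39 -> firewall:",
              outcomes("192.168.0.39", "192.168.0.250", ignore))
    eth1 = FIREWALL[1].mac
    print("DMZ host -> 192.168.0.100:", classify("10.37.254.10", "192.168.0.100", eth1))
    print("DMZ host -> 192.168.0.1  :", classify("10.37.254.10", "192.168.0.1", eth1))
```

With `arp_ignore=0` the LAN host's traffic to the firewall is sometimes classified as loc (ACCEPT) and sometimes as dmz (hits the `dmz fw DROP info` policy), depending on which interface won the ARP race; with `arp_ignore=1` only eth0 answers and every run is loc. Setting the `arp_ignore` sysctl removes only the ARP symptom in point (b); it does nothing about the exposure in point (a), which is why the advice in the thread is to separate the networks rather than tune the kernel.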