Howdy. Long-time shorewall user here, but first post to the list. In the past, I've managed to figure out how to get Shorewall to do the things that I've needed, but I really hit a wall this time (no pun intended).

I used the excellent instructions here: http://www.shorewall.net/ProxyARP.htm to put my servers behind the firewall (under the loc interface) but still be accessible from outside (net). The problem is, I can't come up with the rule(s) needed to make those servers accessible by computers in loc.

From the client, I get a connection refused, and from the firewall I get this message:

Shorewall:FORWARD:REJECT:IN=vlan0 OUT=vlan0 SRC=192.168.1.235 DST=216.115.115.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15107 DF PROTO=TCP SPT=2092 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

vlan0 is the loc zone/interface. (This is an ASUS WL-500GP running OpenWRT, if it matters). Well, actually, it does matter, because I can't use the iprange module, since it's not included with that package of iptables, otherwise, I think I would have solved my problem a while ago.

In the status output, I can see the rules in the FORWARD chain, but I guess I'm at a loss in figuring out how to modify those to FORWARD the connections to the right place.

Thanks for any points you can give!

j

-- 
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Joshua J. Kugler wrote:
> Howdy. Long-time shorewall user here, but first post to the list.

Hello Joshua,

> I used the excellent instructions here: http://www.shorewall.net/ProxyARP.htm
> to put my servers behind the firewall (under the loc interface) but still be
> accessible from outside (net). The problem is, I can't come up with the
> rule(s) needed to make those servers accessible by computers in loc.
>
> From the client, I get a connection refused, and from the firewall I get this
> message:
>
> Shorewall:FORWARD:REJECT:IN=vlan0 OUT=vlan0 SRC=192.168.1.235
> DST=216.115.115.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15107 DF PROTO=TCP
> SPT=2092 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

There are two things to say about this message:

a) The answer to Shorewall FAQ 17 says this about the chain name in a log message:

   INPUT or FORWARD ... If the chain is FORWARD and the IN and OUT interfaces are the same, then you probably need the 'routeback' option on that interface in /etc/shorewall/interfaces or you need the routeback option in the relevant entry in /etc/shorewall/hosts.

So the reason that this traffic is being rejected is because you have not specified 'routeback' on your vlan0 interface.

Why do I require 'routeback'? I have this bias that it is silly to route packets out of the same interface that they were received on. When that happens, it says to me that the routing of the LAN connected to the interface is inadequate. So without 'routeback', Shorewall doesn't create rules to handle such traffic.

b) There is a more important issue. I believe that your network is insecure *by design* because it appears that you have internet-accessible servers on the same VLAN as your local systems. Do you think someone who is smart enough to hack one of your servers is too dim-witted to realize that the server is on the same VLAN as a bunch of plump ripe Windows boxes? And that the router (you can't call it a firewall -- it is just a badly conceived router) is sitting off at the side and is not between the servers and the local systems?

> vlan0 is the loc zone/interface. (This is an ASUS WL-500GP running OpenWRT,
> if it matters). Well, actually, it does matter, because I can't use the
> iprange module, since it's not included with that package of iptables,
> otherwise, I think I would have solved my problem a while ago.
>
> In the status output, I can see the rules in the FORWARD chain, but I guess
> I'm at a loss in figuring out how to modify those to FORWARD the connections
> to the right place.

You can probably get it to work by specifying 'routeback' on vlan0 -- but when you get hacked, please do not blame Shorewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
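The FAQ 17 diagnosis in Tom's reply, as an added example that is not code from the thread or from Shorewall: a small POSIX sh script that pulls the chain name and the IN/OUT interfaces out of a Shorewall log line and flags the same-interface FORWARD case. The sample input is the line Joshua posted; the function names (`log_field`, `log_chain`, `routeback_candidate`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Shorewall): apply the
# FAQ 17 rule to a Shorewall log line. A FORWARD reject/drop whose IN and
# OUT interfaces are the same means the packet would have left on the
# interface it came in on; Shorewall only builds rules for that when the
# interface carries the 'routeback' option. Function names are assumptions.

# The line from the original post, used as the sample input.
SAMPLE_LINE='Shorewall:FORWARD:REJECT:IN=vlan0 OUT=vlan0 SRC=192.168.1.235 DST=216.115.115.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15107 DF PROTO=TCP SPT=2092 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of KEY=... (empty if the key is absent
# or, as with OUT= on INPUT-chain entries, has no value).
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[: ]$2=\([^ ]*\).*/\1/p"
}

# log_chain LINE: print the chain name from the "Shorewall:CHAIN:DISPOSITION:" prefix.
log_chain() {
    printf '%s\n' "$1" | sed -n 's/.*Shorewall:\([^:]*\):.*/\1/p'
}

# routeback_candidate LINE: succeed and print the interface when LINE is a
# FORWARD entry with IN == OUT (the case FAQ 17 describes); fail otherwise.
routeback_candidate() {
    chain=$(log_chain "$1")
    in_if=$(log_field "$1" IN)
    out_if=$(log_field "$1" OUT)
    [ "$chain" = FORWARD ] && [ -n "$in_if" ] && [ "$in_if" = "$out_if" ] || return 1
    printf '%s\n' "$in_if"
}

# Stand-alone use: classify the sample line and print both halves of the
# answer, the quick workaround and the layout fix.
if iface=$(routeback_candidate "$SAMPLE_LINE"); then
    echo "FORWARD reject with IN == OUT on $iface:" \
         "$(log_field "$SAMPLE_LINE" SRC) -> $(log_field "$SAMPLE_LINE" DST)" \
         "$(log_field "$SAMPLE_LINE" PROTO)/$(log_field "$SAMPLE_LINE" DPT)"
    echo "Workaround: add 'routeback' to $iface in /etc/shorewall/interfaces."
    echo "Fix: give the servers their own interface and zone so the firewall sits between them and loc."
fi
```

Feed it the line from `logread`/`dmesg` and it tells you whether you are looking at the routeback case or at something else (an INPUT entry has an empty OUT= and is never a routeback candidate). The interesting output is the last line: as Tom says, 'routeback' makes the reject go away, but it does nothing about the servers and the clients sharing a broadcast domain.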
>> vlan0 is the loc zone/interface. (This is an ASUS WL-500GP running OpenWRT,
>> if it matters). Well, actually, it does matter, because I can't use the
>> iprange module, since it's not included with that package of iptables,
>> otherwise, I think I would have solved my problem a while ago.

> You can probably get it to work by specifying 'routeback' on vlan0 --
> but when you get hacked, please do not blame Shorewall.

This advice might be a bit off-topic for the Shorewall mailing list, but is there any reason that you cannot just reconfigure your switch so that your server is in a DMZ?

I'm using Shorewall on an Asus 500G deluxe running OpenWRT and have all 5 ports configured as different interfaces. My relevant VLAN NVRAM settings are:

vlan0hwname=et0
vlan0ports=1 5*
vlan1hwname=et0
vlan1ports=0 5
vlan2hwname=et0
vlan2ports=2 5
vlan3hwname=et0
vlan3ports=3 5
vlan4hwname=et0
vlan4ports=4 5
vlan_enable=1

I am not sure if your router would be configured the same way, but it's probably worth a try.
Joshua J. Kugler
2006-Oct-09 21:49 UTC
Re: Problem getting ProxyARP and loc to play together
On Saturday 07 October 2006 17:23, Tom Eastep wrote:
> a) The answer to Shorewall FAQ 17 says this about the chain name in a
> log message:

I apologize for asking a FAQ. I probably read the question, but the fact that it was what I needed didn't click.

> Why do I require 'routeback'? I have this bias that it is silly to
> route packets out of the same interface that they were received on.
> When that happens, it says to me that the routing of the LAN
> connected to the interface is inadequate. So without 'routeback',
> Shorewall doesn't create rules to handle such traffic.

Understood.

> b) There is a more important issue. I believe that your network is
> insecure *by design* because it appears that you have
> internet-accessible servers on the same VLAN as your local systems.
> Do you think someone who is smart enough to hack one of your servers
> is too dim-witted to realize that the server is on the same VLAN as a
> bunch of plump ripe Windows boxes? And that the router (you can't
> call it a firewall -- it is just a badly conceived router) is sitting
> off at the side and is not between the servers and the local systems?

Right. That makes sense. I was originally looking for a method that would route traffic from the client to the servers, but not the other way around. Routeback, of course, does not fulfill that. Splitting off a couple ports for another VLAN, and using proxyARP on that VLAN* plus adding the right firewall rules has proved to be a much better solution. The reason I didn't originally use another VLAN was because there were some issues I wasn't grokking and I thought it was going to be impossible as currently set up. But I'm glad I posted, since your answer (as well as Russell's) got me thinking about VLANs again.

All is happy now. The clients can get to the servers in vlan2/dmz but not vice-versa.

j

*Yes, I'm using proxyARP, even though the servers are already in a VLAN, and even though there might be better ways. We are dealing with some funky IP space, so a /XX mask won't work, and the OpenWRT iptables doesn't have iprange support, so I can't just give it a range of IPs.

-- 
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
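A worked version of the layout Joshua describes ending up with (clients in loc can reach the proxy-ARPed servers in a separate dmz VLAN, the servers cannot open connections back), as an added example that is neither his configuration nor Shorewall's own files. Assumptions: vlan1 is the WAN/net interface, vlan0 stays loc, vlan2 (Russell's port 2) is dmz, the server address is the 216.115.115.248 from the log line, and the file columns follow the Shorewall 3.x layout used on the ProxyARP.htm page. The shell helpers (`write_example_config`, `policy_for`, `demo`) are my own: they render the files into a scratch directory and read back the policy Shorewall would apply to a zone pair, so the two directions that matter can be checked without a router.

```shell
#!/bin/sh
# Added example, not the configuration from the thread and not part of
# Shorewall: a three-zone (net/loc/dmz) layout with the public servers
# proxy-ARPed onto their own VLAN. Interface names, the server address and
# the helper functions are assumptions for illustration.

# write_example_config DIR: write the Shorewall files into DIR
# (use /etc/shorewall on the router itself).
write_example_config() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    # No 'routeback' anywhere: loc -> dmz traffic now enters on vlan0 and
    # leaves on vlan2, so the FORWARD chain sees it as ordinary zone-to-zone
    # traffic and the policy below decides.
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     vlan1      detect
loc     vlan0      detect
dmz     vlan2      detect
EOF
    # The server keeps its public address; the router answers ARP for it on
    # vlan1 and forwards the packets to vlan2 (HAVEROUTE=No tells Shorewall
    # to add the host route itself).
    cat >"$dir/proxyarp" <<'EOF'
#ADDRESS          INTERFACE  EXTERNAL  HAVEROUTE
216.115.115.248   vlan2      vlan1     No
EOF
    # First matching row wins. Replies to loc -> dmz connections come back
    # through connection tracking; dmz cannot open anything toward loc.
    cat >"$dir/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOG LEVEL
loc      dmz   ACCEPT
dmz      loc   REJECT  info
loc      net   ACCEPT
dmz      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF
    # Only the service the thread mentions (ssh, DPT=22) is opened from net.
    cat >"$dir/rules" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     dmz   tcp    22
EOF
}

# policy_for DIR SRC DST: print the policy Shorewall would apply to a new
# connection from zone SRC to zone DST (first matching row, 'all' wildcards).
policy_for() {
    awk -v s="$2" -v d="$3" '
        /^#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$1/policy"
}

# demo: render into a scratch directory and show the two directions that
# the thread is about.
demo() {
    d=$(mktemp -d)
    write_example_config "$d"
    echo "loc -> dmz: $(policy_for "$d" loc dmz)"
    echo "dmz -> loc: $(policy_for "$d" dmz loc)"
    rm -rf "$d"
}

demo
```

The point of the layout is the one Tom makes: with the servers on vlan2 the router is actually between them and the clients, so "clients can reach the servers but not vice-versa" is a policy row rather than something routeback could ever express. The proxyarp entry covers one host; additional servers in the odd-sized public block get one row each, which is also why no iprange support is needed. The remaining trust boundary is the switch chip's VLAN separation on the consumer router, so the NVRAM port assignments deserve the same care as the Shorewall files.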