Brad Bendily
2007-Aug-16 04:02 UTC
10.x.x.x address going outside the firewall to the address?
Maybe I have missed something easy. So, before I post my dump etc, I wanted to see if I could explain the problem and get pointed to a direction I can go dig into.

On my Gentoo Linux 2.6.20 kernel iptables firewall with Shorewall 3.4.2. I have two onboard ports and two PCIx cards with 2 ports each. So, eth0-eth4 are used.

eth0 is the internet connection from our ISP's switch.

eth4 is a DMZ with 1 machine connected, zone called web4. That machine has an internal address of 10.4.4.4.

From an external system (my house) I can connect to the web server on that system in web4 and everything works correctly. I can browse the web server with no problems.

The problem is, from that system (web4) I cannot connect to any system outside the firewall. After running tcpdump on the fw and my destination server (which is another system on the internet) I see that the source IP address is 10.4.4.4. So I realize the packet cannot be returned to 10.4.4.4, because obviously my internet based system does not know how to talk back to the 10.x address.

So, the firewall is passing the 10.4.4.4 address out on the internet to my destination address.

We had an older Shorewall 1.x running on the firewall at one time, then last Sunday I changed it out with a new box running Gentoo and Shorewall 3.4.2. Have I configured something wrong for Shorewall 3.4.2?

I was reading through the man file for shorewall-interfaces. I don't have any of the options set like routefilter, logmartians, routeback or proxyarp. Maybe I need to set one of these?

cat /proc/sys/net/ipv4/conf/eth4/rp_filter
1

cat /proc/sys/net/ipv4/conf/eth0/rp_filter
1

Any help would be greatly appreciated.

Thanks
Brad B.

--
Have Mercy & Say Yeah

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
David Mohr
2007-Aug-16 04:33 UTC
Re: 10.x.x.x address going outside the firewall to the address?
On 8/15/07, Brad Bendily <bendily@gmail.com> wrote:
> Maybe I have missed something easy.
> So, before I post my dump etc, I wanted to see if I could explain the problem
> and get pointed to a direction I can go dig into.
>
> On my Gentoo Linux 2.6.20 kernel iptables firewall with Shorewall 3.4.2.
> I have two onboard ports and two PCIx cards with 2 ports each.
>
> So, eth0-eth4 are used.
>
> eth0 is the internet connection from our ISP's switch.
>
> eth4 is a DMZ with 1 machine connected, zone called web4. That machine has an
> internal address of 10.4.4.4.
>
> From an external system (my house) I can connect to the web server on
> that system in web4 and everything works correctly. I can browse
> the web server with no problems.
>
> The problem is, from that system (web4) I cannot connect to any system
> outside the firewall. After running tcpdump on the fw and my
> destination server (which is another system on the internet) I see
> that the source IP address is 10.4.4.4. So I realize the packet cannot
> be returned to 10.4.4.4, because obviously my internet based system
> does not know how to talk back to the 10.x address.

Did you check your masquerading settings? Sounds like that is not turned out for eth4 anymore.

~David

> So, the firewall is passing the 10.4.4.4 address out on the internet
> to my destination address.
>
> We had an older Shorewall 1.x running on the firewall at one time,
> then last Sunday I changed it out with a new box running Gentoo and
> Shorewall 3.4.2.
> Have I configured something wrong for Shorewall 3.4.2?
>
> I was reading through the man file for shorewall-interfaces
> I don't have any of the options set like routefilter, logmartians,
> routeback or proxyarp
> Maybe I need to set one of these?
>
> cat /proc/sys/net/ipv4/conf/eth4/rp_filter
> 1
>
> cat /proc/sys/net/ipv4/conf/eth0/rp_filter
> 1
>
> Any help would be greatly appreciated.
>
> Thanks
> Brad B.
David Mohr
2007-Aug-16 04:35 UTC
Re: 10.x.x.x address going outside the firewall to the address?
On 8/15/07, David Mohr <damailings@mcbf.net> wrote:
> Did you check your masquerading settings? Sounds like that is not
> turned out for eth4 anymore.

Of course I meant "turned on"

~David
Brad Bendily
2007-Aug-16 04:56 UTC
Re: 10.x.x.x address going outside the firewall to the address?
On 8/15/07, David Mohr <damailings@mcbf.net> wrote:
> On 8/15/07, David Mohr <damailings@mcbf.net> wrote:
> > Did you check your masquerading settings? Sounds like that is not
> > turned out for eth4 anymore.
>
> Of course I meant "turned on"

Right!

Well, that's part of the confusion I have. Because on the old system, everything worked as needed, so I copied everything exact config to the new system. Except for the fact that I upgraded Shorewall.

I have 3 dmz's each with only one machine behind them. They all exhibit the same behavior. They are using their own 10.x address when the source of communicating with machines on the internet starts from the machine. So, I didn't change the masq file. But I tried, I put different things there, but it didn't help. I also changed the nat file which didn't seem to help either.

Here is the format of the masq file:

eth0 10.0.0.0/24 x.x.x.123
eth0 10.0.0.80 x.x.x.117
eth2 10.1.1.40 x.x.x.97
#eth4:0 10.1.4.4 x.x.x.113
eth0 10.0.0.5 x.x.x.118
eth0 10.0.0.35 x.x.x.118
eth0 10.0.0.150 x.x.x.118

bb
Tom Eastep
2007-Aug-16 14:02 UTC
Re: 10.x.x.x address going outside the firewall to the address?
Brad Bendily wrote:
> On 8/15/07, David Mohr <damailings@mcbf.net> wrote:
>> On 8/15/07, David Mohr <damailings@mcbf.net> wrote:
>>> Did you check your masquerading settings? Sounds like that is not
>>> turned out for eth4 anymore.
>> Of course I meant "turned on"
>
> Right!
>
> Well, that's part of the confusion I have. Because on the old system,
> everything worked
> as needed, so I copied everything exact config to the new system.
> Except for the fact that I
> upgraded Shorewall.
>
> I have 3 dmz's each with only one machine behind them. They all
> exhibit the same behavior. They are using their own 10.x address when
> the source of communicating with machines on the internet starts from
> the machine.
> So, I didn't change the masq file. But I tried, I put different things
> there, but it didn't help.
> I also changed the nat file which didn't seem to help either.
>
> Here is the format of the masq file:
> eth0 10.0.0.0/24 x.x.x.123
> eth0 10.0.0.80 x.x.x.117
> eth2 10.1.1.40 x.x.x.97
> #eth4:0 10.1.4.4 x.x.x.113
> eth0 10.0.0.5 x.x.x.118
> eth0 10.0.0.35 x.x.x.118
> eth0 10.0.0.150 x.x.x.118

I think we're going to have to see a 'shorewall dump'. You reported that the server's IP address was 10.4.4.4 yet that host isn't mentioned in your masq file. So I don't know if you are trying to obfuscate (which just annoys those of us who are trying to help you and delays a solution to your problem) or whether this is the problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brad Bendily
2007-Aug-16 15:19 UTC
Re: 10.x.x.x address going outside the firewall to the address?
> > Here is the format of the masq file:
> > eth0 10.0.0.0/24 x.x.x.123
> > eth0 10.0.0.80 x.x.x.117
> > eth2 10.1.1.40 x.x.x.97
> > #eth4:0 10.1.4.4 x.x.x.113
> > eth0 10.0.0.5 x.x.x.118
> > eth0 10.0.0.35 x.x.x.118
> > eth0 10.0.0.150 x.x.x.118
>
> I think we're going to have to see a 'shorewall dump'. You reported that the
> server's IP address was 10.4.4.4 yet that host isn't mentioned in your masq
> file. So I don't know if you are trying to obfuscate (which just annoys
> those of us who are trying to help you and delays a solution to your
> problem) or whether this is the problem.

I understand.

On my previous shorewall setup the eth4 was not listed in the masq file either. So the above snippet excluding "eth4" is what was in the previous server's masq file.

The point being that neither eth4, web4 nor the ip 10.4.4.4 was listed in the masq and they are not listed in my new server's masq file. I tried adding it, but maybe I don't understand the syntax or usage.

Brad B.
Tom Eastep
2007-Aug-16 16:25 UTC
Re: 10.x.x.x address going outside the firewall to the address?
Brad Bendily wrote:
>>> Here is the format of the masq file:
>>> eth0 10.0.0.0/24 x.x.x.123
>>> eth0 10.0.0.80 x.x.x.117
>>> eth2 10.1.1.40 x.x.x.97
>>> #eth4:0 10.1.4.4 x.x.x.113
>>> eth0 10.0.0.5 x.x.x.118
>>> eth0 10.0.0.35 x.x.x.118
>>> eth0 10.0.0.150 x.x.x.118
>> I think we're going to have to see a 'shorewall dump'. You reported that the
>> server's IP address was 10.4.4.4 yet that host isn't mentioned in your masq
>> file. So I don't know if you are trying to obfuscate (which just annoys
>> those of us who are trying to help you and delays a solution to your
>> problem) or whether this is the problem.
>
> I understand.
>
> On my previous shorewall setup the eth4 was not listed in the masq file either.
> So the above snippet excluding "eth4" is what was in the previous
> server's masq file.
>
> The point being that neither eth4, web4 nor the ip 10.4.4.4 was listed
> in the masq and they
> are not listed in my new server's masq file. I tried adding it, but
> maybe I don't understand the syntax or usage.

We're not getting anywhere here. You continue to lament that this Shorewall configuration used to work on another computer in a different time and place with an ancient version of Shorewall. That's interesting but not relevant to getting it to work now on your current firewall with (somewhat) current software.

So please send us the information we need to help you as described at http://www.shorewall.net/support.htm (connection problem) and we'll try to get it working now on your current firewall with your current network configuration.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Aug-16 16:37 UTC
Re: 10.x.x.x address going outside the firewall to the address?
Tom Eastep wrote:
>
> So please send us the information we need to help you as described at
> http://www.shorewall.net/support.htm (connection problem)

And if you are reluctant to send this information to the mailing list, then send it to me personally.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brad Bendily
2007-Aug-16 20:12 UTC
Re: 10.x.x.x address going outside the firewall to the address?
On 8/16/07, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> >
> > So please send us the information we need to help you as described at
> > http://www.shorewall.net/support.htm (connection problem)
>
> And if you are reluctant to send this information to the mailing list, then
> send it to me personally.

To give a note back to the list, Tom got me straightened out. Thanks Tom.

As it turns out my masq file was wrong. This format got me fixed up.

eth0 10.1.0.80 x.x.x.117
eth0 10.1.0.0/24 x.x.x.123
eth0 10.1.1.40 x.x.x.97
eth0 10.1.4.4 x.x.x.113

I needed to masq for my particular. In testing I also noticed that

eth0 eth4 x.x.x.113

would also work, if I wanted to specify an outgoing IP. If I didn't want to specify then I could use:

eth0 eth4

Again. Thanks Tom.

Brad B.
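The thread ends with a working masq file but never spells out why the original one let a 10.x source leave eth0 untranslated. As an added example (not code from this thread and not Shorewall's own code), here is a small offline checker that reads masq lines in the three-column INTERFACE SOURCE ADDRESS format used above and reports which internal hosts would reach the internet with their private address intact. It embeds Brad's "before" and "after" files with 192.0.2.0/24 (TEST-NET) placeholders standing in for the thread's x.x.x addresses, assumes which internal interface each host sits behind, and assumes first-match-wins evaluation in file order, which is how iptables walks the POSTROUTING rules Shorewall generates. Under those assumptions it shows that the original file had no rule for the eth4 host at all, that the "eth2 10.1.1.40" line can never translate traffic leaving eth0 because column 1 is the outgoing interface, and that an interface-name SOURCE ("eth0 eth4 ...") covers whatever address sits behind eth4 rather than one /32.

```python
"""Offline coverage check for a Shorewall 3.x 'masq' file (added example).

Models the three-column format from the thread: INTERFACE is the interface a
packet LEAVES on, SOURCE is a subnet/host or the interface it ARRIVED on, and
ADDRESS is the SNAT address (missing or '-' means plain MASQUERADE).
Assumptions / simplifications: rules are evaluated in file order, first match
wins; '!' exclusions, ':' qualifiers on column 1, and port/protocol columns
are not modelled. Public addresses are TEST-NET placeholders for x.x.x.N.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# A SOURCE entry is either a network/host or an interface name.
Source = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]


@dataclass
class MasqRule:
    out_iface: str
    sources: List[Source]
    snat_to: Optional[str]  # None -> dynamic MASQUERADE to out_iface's address


def parse_masq(text: str) -> List[MasqRule]:
    """Parse masq lines; '#' starts a comment, blank lines are skipped."""
    rules: List[MasqRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed masq line: {raw!r}")
        out_iface = fields[0].split(":", 1)[0]  # ':qualifier' ignored (assumption)
        sources: List[Source] = []
        for src in fields[1].split(","):
            try:
                sources.append(ipaddress.ip_network(src, strict=False))
            except ValueError:
                sources.append(src)  # not an address, so treat as an interface name
        snat_to = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        rules.append(MasqRule(out_iface, sources, snat_to))
    return rules


def nat_decision(rules: List[MasqRule], src_ip: str, in_iface: str,
                 out_iface: str) -> Optional[str]:
    """Return the SNAT address ('MASQUERADE' for dynamic) for a packet from
    src_ip that entered on in_iface and leaves on out_iface, or None if no
    rule matches and the private source address would leak unchanged."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.out_iface != out_iface:
            continue  # e.g. an 'eth2 ...' rule never touches traffic leaving eth0
        for src in rule.sources:
            hit = (src == in_iface) if isinstance(src, str) else (ip in src)
            if hit:
                return rule.snat_to or "MASQUERADE"
    return None


def audit_leaks(rules: List[MasqRule], hosts: List[Tuple[str, str]],
                out_iface: str = "eth0") -> List[Tuple[str, str]]:
    """List (in_iface, ip) pairs that would leave out_iface untranslated."""
    return [(iface, ip) for iface, ip in hosts
            if nat_decision(rules, ip, iface, out_iface) is None]


# The thread's original masq file, with TEST-NET placeholders for x.x.x.N.
MASQ_BEFORE = """\
eth0 10.0.0.0/24 192.0.2.123
eth0 10.0.0.80 192.0.2.117
eth2 10.1.1.40 192.0.2.97
#eth4:0 10.1.4.4 192.0.2.113
eth0 10.0.0.5 192.0.2.118
eth0 10.0.0.35 192.0.2.118
eth0 10.0.0.150 192.0.2.118
"""

# The file that fixed it, same placeholder substitution.
MASQ_AFTER = """\
eth0 10.1.0.80 192.0.2.117
eth0 10.1.0.0/24 192.0.2.123
eth0 10.1.1.40 192.0.2.97
eth0 10.1.4.4 192.0.2.113
"""

# Interface-name form mentioned at the end of the thread.
MASQ_IFACE = "eth0 eth4 192.0.2.113\n"

# Constructed host list; which internal interface each host sits behind is assumed.
DMZ_HOSTS = [("eth1", "10.1.0.80"), ("eth2", "10.1.1.40"), ("eth4", "10.1.4.4")]


if __name__ == "__main__":
    for label, text in (("before", MASQ_BEFORE), ("after", MASQ_AFTER)):
        leaks = audit_leaks(parse_masq(text), DMZ_HOSTS)
        print(f"{label}: untranslated on eth0 -> {leaks or 'none'}")
    print("eth4 host via interface rule ->",
          nat_decision(parse_masq(MASQ_IFACE), "10.4.4.4", "eth4", "eth0"))
```

Run it with `python3 masq_check.py`; on the "before" file every host in the constructed list is reported as leaving eth0 with its 10.x address, on the "after" file none are. The same first-match model also explains why the fixed file lists the /32 for .80 above the /24: in the original order the /24 line would have claimed that host first. Verifying on a live firewall is what Tom's request for a `shorewall dump` is about, since the dump includes the nat table the kernel is actually using.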