Miguel wrote:
> If I run shorewall clear, I can reach all subnets; any hints?

Yes -- Please supply a Shorewall dump collected as described at
http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Hi, I'm having a hard time trying to set up VLAN filtering in Shorewall
3.4. I have Ubuntu 7.10 and the VLAN setup is working OK. This is my
config:
/etc/network/interfaces:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth1
auto vlan179
auto vlan152
# VLAN 179 (PUBLIC)
iface vlan179 inet static
address 200.20.xxx.yyy
netmask 255.255.255.248
gateway 200.20.xxx.yyy
vlan_raw_device eth0
# VLAN 152 (MPLS)
iface vlan152 inet static
address 10.215.0.5
netmask 255.255.255.0
vlan_raw_device eth0
# VLAN 1 (MONITORING)
iface eth1 inet static
address 10.2.64.206
netmask 255.255.255.0
/etc/shorewall/zones
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
mgmnt ipv4
mpls ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net vlan179 detect norfc1918,blacklist
mgmnt eth1 detect
mpls vlan152 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
$FW net ACCEPT
mgmnt all ACCEPT
mpls all ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE
I can ping the outside, so vlan179 is working fine:
PING www.yahoo-ht3.akadns.net (69.147.114.210) 56(84) bytes of data.
64 bytes from f1.www.vip.re3.yahoo.com (69.147.114.210): icmp_seq=1
ttl=54 time=57.3 ms
If I try to ping the vlan152 or eth1 subnet, I get this error:
From 10.2.64.206 icmp_seq=1 Destination Host Unreachable
From 10.215.0.1 icmp_seq=1 Destination Host Unreachable
and in /var/log/messages:
Feb 11 15:25:21 cacti kernel: [ 1399.457252]
Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1
LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50
If I run shorewall clear, I can reach all subnets; any hints?
Regards,
Tom Eastep wrote:
> Miguel wrote:
> > If I run shorewall clear, I can reach all subnets; any hints?
>
> Yes -- Please supply a Shorewall dump collected as described at
> http://www.shorewall.net/support.htm#Guidelines
>
> -Tom

Here it goes...

---
Miguel
Miguel wrote:
> /etc/shorewall/policy
> ###############################################################################
> #SOURCE DEST POLICY LOG LIMIT:BURST
> # LEVEL
> $FW net ACCEPT
> mgmnt all ACCEPT
> mpls all ACCEPT
> net all DROP info
> all all REJECT info
> #LAST LINE -- DO NOT REMOVE
>
> I can ping the outside, so vlan179 is working fine:
> PING www.yahoo-ht3.akadns.net (69.147.114.210) 56(84) bytes of data.
> 64 bytes from f1.www.vip.re3.yahoo.com (69.147.114.210): icmp_seq=1
> ttl=54 time=57.3 ms
>
> If I try to ping the vlan152 or eth1 subnet, I get this error:
>
> From 10.2.64.206 icmp_seq=1 Destination Host Unreachable
> From 10.215.0.1 icmp_seq=1 Destination Host Unreachable
>
> and in /var/log/messages:
>
> Feb 11 15:25:21 cacti kernel: [ 1399.457252]
> Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1
> LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50
>
> If I run shorewall clear, I can reach all subnets; any hints?

Your $FW -> mgmnt and $FW -> mpls policies default to the all -> all policy of REJECT. Since you have no specific rules allowing connections from the firewall to those zones, those connections are being rejected. This follows basic Shorewall principles and has nothing to do with VLANs.

-Tom
Tom Eastep wrote:
> Your $FW -> mgmnt and $FW -> mpls policies default to the all -> all
> policy of REJECT. Since you have no specific rules allowing
> connections from the firewall to those zones, those connections are
> being rejected.

You are absolutely right. I changed the policy to

$FW all ACCEPT
net all DROP info
all all REJECT info

and all is working fine now. Many thanks,

--
Miguel
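The policy fall-through Tom describes, and the way the chain name in the logged line points at the policy that fired, as an added example that is not part of this thread and not Shorewall's own code. It models Shorewall's first-match lookup over the policy file in Python, using both policy tables posted in the thread (Miguel's original one and the one he switched to) and the interface-to-zone mapping from his interfaces file, then reads the posted kernel log line back to its zone pair. The model covers only /etc/shorewall/policy; it does not model /etc/shorewall/rules, which Shorewall consults before falling back to the policy, and the chain-name derivation ("fw" for $FW, "all2all" for the catch-all line) is the convention assumed here.

```python
import re

# Policy table from Miguel's original post: (SOURCE, DEST, POLICY, LOG LEVEL).
ORIGINAL_POLICY = [
    ("$FW",   "net", "ACCEPT", None),
    ("mgmnt", "all", "ACCEPT", None),
    ("mpls",  "all", "ACCEPT", None),
    ("net",   "all", "DROP",   "info"),
    ("all",   "all", "REJECT", "info"),
]

# The policy Miguel switched to at the end of the thread.
CORRECTED_POLICY = [
    ("$FW", "all", "ACCEPT", None),
    ("net", "all", "DROP",   "info"),
    ("all", "all", "REJECT", "info"),
]

# Interface -> zone mapping from the posted /etc/shorewall/interfaces.
INTERFACES = {"vlan179": "net", "eth1": "mgmnt", "vlan152": "mpls"}

# The kernel log line Miguel posted, joined onto one line (copied from the thread, not generated).
SAMPLE_LOG = ("Feb 11 15:25:21 cacti kernel: [ 1399.457252] "
              "Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1 "
              "LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50")


def _chain_part(zone):
    # Assumption used here: the firewall zone appears as "fw" in chain names (fw2net, net2fw, ...).
    return "fw" if zone == "$FW" else zone


def resolve_policy(policy, src, dst):
    """First-match lookup over the policy table, as Shorewall applies it.

    Returns (action, chain, log_level) for the first line whose SOURCE and DEST
    match the zone pair; "all" matches any zone. Returns None when no line
    matches (a real policy file always ends in a catch-all line).
    """
    for psrc, pdst, action, log in policy:
        if psrc in ("all", src) and pdst in ("all", dst):
            return action, f"{_chain_part(psrc)}2{_chain_part(pdst)}", log
    return None


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Split a Shorewall kernel log line into chain, action and its key=value fields.

    IN= with an empty value means the packet was generated by the firewall host
    itself (the $FW zone); the chain name says which policy or rule chain logged it.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {"chain": m.group("chain"), "action": m.group("action"), **fields}


def explain_log(line, interfaces, policy):
    """Map a logged packet back to its zone pair and the policy line that hit it."""
    rec = parse_shorewall_log(line)
    if rec is None:
        raise ValueError("not a Shorewall log line")
    src = "$FW" if rec.get("IN", "") == "" else interfaces.get(rec["IN"], "unknown")
    dst = "$FW" if rec.get("OUT", "") == "" else interfaces.get(rec["OUT"], "unknown")
    hit = resolve_policy(policy, src, dst)
    action, chain = (hit[0], hit[1]) if hit else (None, None)
    return {
        "src_zone": src,
        "dst_zone": dst,
        "proto": rec.get("PROTO"),
        "dpt": rec.get("DPT"),
        "policy": action,
        "policy_chain": chain,
        "logged_chain": rec["chain"],
    }


if __name__ == "__main__":
    print("original :", explain_log(SAMPLE_LOG, INTERFACES, ORIGINAL_POLICY))
    print("corrected:", explain_log(SAMPLE_LOG, INTERFACES, CORRECTED_POLICY))
```

With the original table the logged $FW -> mgmnt packet (SNMP, UDP/161, no IN= interface) resolves to REJECT through all2all, the same chain the kernel logged; with the corrected table it resolves to ACCEPT through fw2all. One design note, as a suggestion rather than anything from the thread: $FW all ACCEPT lets the firewall host open connections into every zone, and if that is broader than wanted, two explicit lines ($FW mgmnt ACCEPT and $FW mpls ACCEPT) placed above the net and all lines give the same result for this setup while keeping the firewall's own traffic to the net zone governed by its own line.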