Dear list,

I have several years' experience with Bering Firewall and have configured Shorewall a dozen times in different setups. The issue I am facing has to do with the Xen routed context as outlined at http://www.shorewall.net/XenMyWay-Routed.html

I have a similar working setup without the wifi and vpn zones.

two physical interfaces:
------------------------
eth0 connects to loc zone switch
eth1 is in the net zone and connects to an ADSL modem

virtual interfaces:
-------------------
4 virtual interfaces (eth3-6) are in the loc zone attaching domU guests
1 virtual interface (eth7) is in the dmz zone and associated with a domU public webserver

the attached .svg shows my network setup. below are the zones, interfaces, masq and proxyarp files.

With the introduction of virtual interfaces I lost my common sense: the DMZ domU interface (eth7) has address 192.168.192.252 but what should be its gateway? I have arbitrarily assigned 192.168.192.27 in the host's /etc/network/interfaces file, yet this cannot be correct? With my current setup users on the web can connect to the DMZ host, but the machine cannot initiate connections to the web (e.g. apt-get update or wget) because (I assume) it cannot find a gateway route.

core files:

/etc/shorewall/zones
fw   firewall   #The firewall itself.
net  ipv4       #Internet
loc  ipv4       #Local wired Zone
dmz  ipv4       #DMZ

/etc/shorewall/interfaces
net  eth1  detect  dhcp,logmartians,blacklist
dmz  eth7  detect  logmartians
loc  eth0  detect  logmartians,routeback
loc  eth3  detect
loc  eth4  detect
loc  eth5  detect
loc  eth6  detect

/etc/shorewall/masq (not sure about this)
eth1  eth0  62.24.195.87
eth1  eth3
eth1  eth4
eth1  eth5
eth1  eth6
eth1  eth7  62.24.195.87

/etc/shorewall/proxyarp (not sure about this)
192.168.2.169    eth0  eth1  yes
192.168.1.27     eth1  eth0  yes
192.168.2.11     eth3  eth0  yes
192.168.2.12     eth4  eth0  yes
192.168.2.10     eth5  eth0  yes
192.168.2.18     eth6  eth0  yes
192.168.192.252  eth7  eth1  yes

hope someone can help.

Werner

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Werner van Staden wrote:
> Dear list,
>
> I have several years' experience with Bering Firewall and have configured Shorewall a
> dozen times in different setups. The issue I am facing has to do with
> the Xen routed context as outlined at http://www.shorewall.net/XenMyWay-Routed.html
>
> I have a similar working setup without the wifi and vpn zones.

< Irrelevant detail deleted>

Werner,

Please review the guidelines for reporting Shorewall problems at http://www.shorewall.net/support.htm#Guidelines. Then please submit another report that follows those guidelines.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Dear List,

As per reporting guidelines, status.txt.bz2 attached.

I am running shorewall 3.0.4 in a routed Xen Dom0.

physical interface eth0 is in the loc zone
physical interface eth2 is in the net zone
virtual interface eth7 (in the dmz zone) connects webserver DomU - its address is 192.168.192.252

With the introduction of virtual interfaces I lost my common sense: the DMZ domU interface (eth7) has address 192.168.192.252 but what should be its gateway? I have arbitrarily assigned 192.168.192.27 in the host's /etc/network/interfaces file, yet this cannot be correct? With my current setup users on the web can connect to the DMZ host, but the machine cannot initiate connections to the web (e.g. apt-get update or wget) because (I assume) it cannot find a gateway route.

regards,
Werner
Werner van Staden wrote:
> Dear List,
>
> As per reporting guidelines, status.txt.bz2 attached.
>
> I am running shorewall 3.0.4 in a routed Xen Dom0.

Shorewall 3.0.4 is quite old to be attempting that.

>
> physical interface eth0 is in the loc zone
> physical interface eth2 is in the net zone
> virtual interface eth7 (in the dmz zone) connects webserver DomU - its address is 192.168.192.252
>
> With the introduction of virtual interfaces I lost my common sense: the
> DMZ domU interface (eth7) has address 192.168.192.252 but what should be
> its gateway?

I don't understand your question. According to the dump

23: eth7: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.169/32 brd 192.168.2.255 scope global eth7
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever

So eth7 has IP address 196.168.2.169. From The routing table:

192.168.192.252 dev eth7  scope link  src 192.168.2.169

So apparently, you have a VM with IP address 192.168.192.252 running on the VM associated with VIF eth7. Is that correct? If so, how is it that you expect any communication to the outside world from that VM? Why did you use that IP address? There are no other addresses in your configuration in the 192.168.192.0 network.

Your /etc/shorewall/masq file makes no sense: It appears to look like:

eth2  192.168.2.0/24
eth2  192.168.2.11
eth2  192.168.2.12
eth2  192.168.2.18  62.24.195.87

a) All but the first rule are useless since they are masked by the first rule (remember that the first match determines the outcome except in the tcrules file).

b) You are not masquerading/SNATting 192.168.192.252.

I see that you have a couple of DNAT rules:

    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.27        tcp dpt:18080 to:192.168.192.252:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.27        tcp dpt:22252 to:192.168.192.252:22

> I have arbitrarily assigned 192.168.192.27 in the host's
> /etc/network/interfaces file, yet this cannot be correct?

I don't think there is anything correct about this IP configuration.

> With my
> current setup users on the web can connect to the DMZ host, but the
> machine cannot initiate connections to the web (e.g. apt-get update or
> wget) because (I assume) it cannot find a gateway route.

It's because the net has no clue how to route responses back to that host.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
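Tom's two points about the masq file (first match wins, and 192.168.192.252 is never SNATted) can be checked mechanically. The following is an added example, not code from Shorewall or from anyone on this thread; it models the masq file exactly as Tom reads it from the dump, decides which rule a given source address hits when leaving via eth2, and lists the rules that an earlier rule on the same interface has already shadowed.

```python
"""Model of Shorewall's /etc/shorewall/masq first-match evaluation.

Added example, not code from the Shorewall project or from anyone on this
thread.  The rule list is the masq file as Tom quotes it from the status dump.
"""
import ipaddress

# (outgoing interface, SOURCE, optional ADDRESS to SNAT to; None = masquerade)
MASQ_RULES = [
    ("eth2", "192.168.2.0/24", None),
    ("eth2", "192.168.2.11", None),
    ("eth2", "192.168.2.12", None),
    ("eth2", "192.168.2.18", "62.24.195.87"),
]


def _net(spec):
    """Accept either a bare host address or a CIDR network."""
    return ipaddress.ip_network(spec, strict=False)


def masq_decision(rules, out_iface, src):
    """Return (rule_index, action) for the first matching rule, or (None, None).

    action is "MASQUERADE" when the ADDRESS column is empty, otherwise
    "SNAT <address>".  The first match decides, as Tom notes for every
    Shorewall file except tcrules.
    """
    src_ip = ipaddress.ip_address(src)
    for i, (iface, source, address) in enumerate(rules):
        if iface == out_iface and src_ip in _net(source):
            return i, ("MASQUERADE" if address is None else f"SNAT {address}")
    return None, None


def masked_rules(rules):
    """Indices of rules that can never match because an earlier rule on the
    same interface already covers their whole SOURCE."""
    shadowed = []
    for i, (iface, source, _) in enumerate(rules):
        later = _net(source)
        for iface2, source2, _ in rules[:i]:
            if iface2 == iface and later.subnet_of(_net(source2)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for host in ("192.168.2.11", "192.168.2.18", "192.168.192.252"):
        print(host, "->", masq_decision(MASQ_RULES, "eth2", host))
    print("masked rule indices:", masked_rules(MASQ_RULES))
```

Running it shows 192.168.2.18 being masqueraded by rule 0 rather than SNATted to 62.24.195.87 (rule 3 is shadowed, like rules 1 and 2), and 192.168.192.252 matching nothing at all, which is why its packets leave eth2 with a private source address and no way for replies to come back.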
On Tue, Mar 25, 2008 at 10:55:33AM -0700, Tom Eastep wrote:
> I don't think there is anything correct about this IP configuration.

When I looked it over, I thought "either I'm reading this wrong, or it's complete nonsense". I also couldn't find any trace of a problem. Packets are passing through the firewall rules in all the described directions. They just aren't being sent anywhere meaningful.
Thanks for the reply, Tom. Your critique of this routed Xen network has shown me the fatal error in my thinking:

> So eth7 has IP address 196.168.2.169. From The routing table:
>
> 192.168.192.252 dev eth7  scope link  src 192.168.2.169
>
> So apparently, you have a VM with IP address 192.168.192.252 running on
> the VM associated with VIF eth7. Is that correct?

I assumed (from previous standalone Bering firewalls) that the DMZ needs to be on its own subnet. Hence I have Dom0's eth0 (192.168.2.169) in the loc zone and eth7 (192.168.192.252) associated with DomU in the dmz zone. Because Xen configures eth7 to have the same address as eth0 my configuration is wrong.

eth7 should have an address in the same subnet (192.168.2.0) as eth0, right? Yet, having the loc and dmz zones on the same subnet seems counter intuitive and insecure...

> Your /etc/shorewall/masq file makes no sense: It appears to look like:
>
> eth2  192.168.2.0/24
> eth2  192.168.2.11
> eth2  192.168.2.12
> eth2  192.168.2.18  62.24.195.87
>
> a) All but the first rule are useless since they are masked by the first
> rule (remember that the first match determines the outcome except in the
> tcrules file).

So, the first rule will be sufficient if eth7 has an address in the 192.168.2.0 subnet.

> b) You are not masquerading/SNATting 192.168.192.252.
>
> I see that you have a couple of DNAT rules:
>
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.27        tcp dpt:18080 to:192.168.192.252:80
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.27        tcp dpt:22252 to:192.168.192.252:22

I will update these DNAT rules with eth7's new IP address.

> I don't think there is anything correct about this IP configuration.

The truth hurts!

Thanks for your honest appraisal of my network. I based my configuration on your routed Dom0 example at http://www.shorewall.net/XenMyWay-Routed.html but got confused by the fact that you have multiple public IP addresses associated with various physical and virtual interfaces. The paradigm shift to Xen networking is not trivial and your help is greatly appreciated.

Werner
On Tue, Mar 25, 2008 at 07:13:19PM +0000, Werner van Staden wrote:
> eth7 should have an address in the same subnet (192.168.2.0) as eth0,
> right? Yet, having the loc and dmz zones on the same subnet seems
> counter intuitive and insecure...

Security has got nothing to do with address assignment and subnets. Address assignment and subnets are all about routing. Routing is about deciding *where* traffic will go, not *which* traffic will go.

You don't appear to understand how IP routing works. Either learn, or find somebody who does and get them to do it for you.
Well, this certainly is a humbling experience, Andrew. May I just reassure readers that I have several years' experience of Shorewall in the context of the Bering firewall and that I have configured working 3-interface firewalls in the past.

> When I looked it over, I thought "either I'm reading this wrong, or
> it's complete nonsense".

My setup is a Shorewall configuration in a routed Xen Dom0 with 3 physical interfaces:

eth0, 192.168.2.169, loc zone
eth1, disabled Prism card ("one step at a time" goes the saying)
eth2, 192.168.1.27, net zone (connects to ADSL modem)

Then several DomU's (virtual machines) with virtual interfaces ranging from eth3 through eth8. Each of these is seen by the Xen host (DomU) as associated with eth0 (192.168.2.169). Shorewall starts and all networking is as expected, except for:

eth7, 192.168.192.252, dmz zone

This is my error. I assigned this DomU virtual interface an address in a different subnet in the mistaken assumption that the DMZ cannot possibly be in the same subnet as the local zone... consequently I was stumped when I had to specify a gateway in that DomU's /etc/network/interfaces file.

> I also couldn't find any trace of a problem. Packets are passing
> through the firewall rules in all the described directions. They just
> aren't being sent anywhere meaningful.

packets from 192.168.192.252, right? they have no meaningful gateway - just like my thinking in this case!

Your comments are appreciated. Must say, I am still confused... how can I have a DomU in the DMZ on the same subnet as the local zone?

Werner
On Tue, Mar 25, 2008 at 07:36:36PM +0000, Werner van Staden wrote:
> packets from 192.168.192.252, right? they have no meaningful gateway -
> just like my thinking in this case!

The concept of a "gateway" is one that only occurs in the trivial, endpoint-only configuration of a host (like a typical desktop or server). It implies that traffic is either sent to locally-connected hosts (straight cable or via a switch) or outwards towards a real internet router, and that's just not the case here. A "gateway" is just a node to which all non-local traffic is sent, which will presumably know what to do with it all, because the host in question doesn't. The primary purpose of the concept is so that real network admins can tell their users what to fill in without having to explain.

The 'gateway' line in ifupdown's interfaces file just installs a default route for you. A host can have only one default route at any given time, so for normal purposes, you can have at most one gateway line in that file. On non-trivial routers, you usually don't have one at all.

> > When I looked it over, I thought "either I'm reading this wrong, or
> > it's complete nonsense".
>
> My setup is a Shorewall configuration in a routed Xen Dom0 with 3
> physical interfaces:
>
> eth0, 192.168.2.169, loc zone
> eth1, disabled Prism card ("one step at a time" goes the saying)
> eth2, 192.168.1.27, net zone (connects to ADSL modem)
>
> Then several DomU's (virtual machines) with virtual interfaces ranging
> from eth3 through eth8. Each of these is seen by the Xen host (DomU) as
> associated with eth0 (192.168.2.169). Shorewall starts and all
> networking is as expected, except for:
>
> eth7, 192.168.192.252, dmz zone
> This is my error. I assigned this DomU virtual interface an address in a
> different subnet in the mistaken assumption that the DMZ cannot possibly
> be in the same subnet as the local zone... consequently I was stumped
> when I had to specify a gateway in that DomU's /etc/network/interfaces
> file.

You are consistently confusing firewalling issues with routing issues. There are two completely independent questions here:

1) For each packet outbound from a host, where should it send that packet? This is the routing decision.

2) For each packet passing through a host, should it let this packet pass at all? This is filtering, the primary task of a firewall.

You're not going to make any progress here until you understand how routing works (in the process, you'll find out what a subnet actually is). It's not really related to shorewall.

> May I just reassure readers that I have several years experience of
> Shorewall in the context of the Bering firewall and that I have
> configured working 3-interface firewalls in the past.

And I'm betting that none of them have been anything more than a bunch of locally-connected hosts plus an internet uplink, so you've only been concerned with part (2) above (because the OS defaults just happened to be right).
Werner van Staden wrote:
> Thanks for the reply, Tom. Your critique of this routed Xen network has
> shown me the fatal error in my thinking:
>
>> So eth7 has IP address 196.168.2.169. From The routing table:
>>
>> 192.168.192.252 dev eth7  scope link  src 192.168.2.169
>>
>> So apparently, you have a VM with IP address 192.168.192.252 running on
>> the VM associated with VIF eth7. Is that correct?
>
> I assumed (from previous standalone Bering firewalls) that the DMZ needs
> to be on its own subnet. Hence I have Dom0's eth0 (192.168.2.169) in the
> loc zone and eth7 (192.168.192.252) associated with DomU in the dmz
> zone. Because Xen configures eth7 to have the same address as eth0 my
> configuration is wrong.

Your previous Bering firewalls probably used the simple three-interface sample (http://www.shorewall.net/three-interface.htm). Xen's routed configuration uses Proxy ARP (see http://www.shorewall.net/ProxyARP.htm) and assumes that the network associated with eth0 is the one that you want to use for all of your routed VMs.

>
> eth7 should have an address in the same subnet (192.168.2.0) as eth0,
> right?

Yes.

> Yet, having the loc and dmz zones on the same subnet seems
> counter intuitive and insecure...

As Andrew has stated multiple times, address/routing and firewalling are two different things. You will notice that Shorewall zone names only appear in those configuration files having to do with security. They cannot be used in those files that deal with address manipulation and routing. There's a reason for that -- the two are totally independent.

> I will update these DNAT rules with eth7's new IP address.
>
>> I don't think there is anything correct about this IP configuration.
>
> The truth hurts!
>
> Thanks for your honest appraisal of my network. I based my configuration
> on your routed Dom0 example at
> http://www.shorewall.net/XenMyWay-Routed.html but got confused by the
> fact that you have multiple public IP addresses associated with various
> physical and virtual interfaces. The paradigm shift to Xen networking is
> not trivial and your help is greatly appreciated.

If you look at the Proxy ARP documentation, hopefully things will become clearer. Just look at what is happening from an IP point of view -- don't be confused by the fact that the picture is labeled pubnet and privnet. In your case, the two will be loc and dmz respectively.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
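Tom's Proxy ARP answer and Andrew's routing-versus-filtering split can both be seen in a small model of the Dom0. The following is an added example, not code from Shorewall, Xen or anyone on this thread. It uses addresses from the thread (Dom0 eth0 192.168.2.169, the DomU 192.168.2.12 on eth4, net on eth2) plus two constructed ones: 192.168.2.50 for a wired loc host on the eth0 switch and 192.168.2.200 for the DMZ DomU on eth7 once it has been given an address in the eth0 subnet as Tom recommends. The proxyarp semantics follow the thread's description of the ProxyARP document: Dom0 answers ARP for ADDRESS on the EXTERNAL interface and keeps a /32 host route to it on INTERFACE. The routing lookup is longest-prefix match, so the /32 on eth7 beats the /24 on eth0, and the zone then follows from the interface, not from the subnet.

```python
"""Longest-prefix routing, Proxy ARP and zone assignment on a routed-Xen Dom0.

Added example; not code from Shorewall, Xen or anyone on this thread.
192.168.2.50 (wired loc host) and 192.168.2.200 (DMZ DomU behind eth7) are
constructed for the example; the other addresses appear in the thread.
"""
import ipaddress

LOC_HOST = "192.168.2.50"   # constructed: a host on eth0's switch
DMZ_VM = "192.168.2.200"    # constructed: the DomU on VIF eth7, now in eth0's subnet

# Dom0 routing table as (prefix, device): the connected /24 on eth0 plus the
# /32 host routes that each proxyarp entry installs.
DOM0_ROUTES = [
    ("192.168.2.0/24", "eth0"),
    ("192.168.2.12/32", "eth4"),
    (DMZ_VM + "/32", "eth7"),
]

# /etc/shorewall/proxyarp columns: ADDRESS, INTERFACE, EXTERNAL
PROXYARP = [
    ("192.168.2.12", "eth4", "eth0"),
    (DMZ_VM, "eth7", "eth0"),
]

# Zone per interface, from Werner's second report.
ZONES = {"eth0": "loc", "eth2": "net", "eth4": "loc", "eth7": "dmz"}


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix wins, whatever its order."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def zone_of(dst):
    """Shorewall derives the zone from the interface the route selects."""
    return ZONES.get(lookup(DOM0_ROUTES, dst))


def answers_arp(proxyarp, iface, target):
    """Does Dom0 reply to an ARP request for target heard on iface?"""
    return any(addr == target and ext == iface for addr, _, ext in proxyarp)


def on_link(addr, prefixlen, dst):
    """Would a host addr/prefixlen ARP for dst directly instead of using a gateway?"""
    net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
    return ipaddress.ip_address(dst) in net


def path_from_loc(loc_host, dst):
    """Trace a packet from a wired loc host (on eth0's switch, /24) to dst."""
    steps = []
    if on_link(loc_host, 24, dst):
        if not answers_arp(PROXYARP, "eth0", dst):
            return ["Dom0 stays silent; dst must answer ARP itself (a peer on the switch)"]
        steps.append("Dom0 answers ARP for dst on eth0 (proxy ARP)")
    else:
        steps.append("loc host hands the packet to its default gateway")
    dev = lookup(DOM0_ROUTES, dst)
    if dev is None:
        steps.append("Dom0 has no route")
    else:
        steps.append(f"Dom0 forwards via {dev}, zone {ZONES.get(dev)}")
    return steps


if __name__ == "__main__":
    print(path_from_loc(LOC_HOST, DMZ_VM))
    print(path_from_loc(LOC_HOST, "192.168.192.252"))
```

With the DomU at 192.168.2.200 the loc host treats it as on-link, Dom0 answers the ARP on eth0 and then forwards over eth7, so the packet crosses a loc-to-dmz zone boundary even though both hosts share the subnet; with the original 192.168.192.252 the loc host has to use a gateway and nothing in this table routes it, which is the situation Tom describes.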
Andrew, are you addressing the issue at hand or are you venting off at some imaginary idiot? You're making some wild assumptions and some offensive accusations too. You don't talk to me like that!

On Tue, 2008-03-25 at 20:30 +0000, Andrew Suffield wrote:
> On Tue, Mar 25, 2008 at 07:36:36PM +0000, Werner van Staden wrote:
> > packets from 192.168.192.252, right? they have no meaningful gateway -
> > just like my thinking in this case!
>
> The concept of a "gateway" is one that only occurs in the trivial,
> endpoint-only configuration of a host (like a typical desktop or
> server). It implies that traffic is either sent to locally-connected
> hosts (straight cable or via a switch) or outwards towards a real
> internet router, and that's just not the case here. A "gateway" is
> just a node to which all non-local traffic is sent, which will
> presumably know what to do with it all, because the host in question
> doesn't. The primary purpose of the concept is so that real network
> admins can tell their users what to fill in without having to explain.
>
> The 'gateway' line in ifupdown's interfaces file just installs a
> default route for you. A host can have only one default route at any
> given time, so for normal purposes, you can have at most one gateway
> line in that file. On non-trivial routers, you usually don't have one
> at all.
>
> > > When I looked it over, I thought "either I'm reading this wrong, or
> > > it's complete nonsense".
> >
> > My setup is a Shorewall configuration in a routed Xen Dom0 with 3
> > physical interfaces:
> >
> > eth0, 192.168.2.169, loc zone
> > eth1, disabled Prism card ("one step at a time" goes the saying)
> > eth2, 192.168.1.27, net zone (connects to ADSL modem)
> >
> > Then several DomU's (virtual machines) with virtual interfaces ranging
> > from eth3 through eth8. Each of these is seen by the Xen host (DomU) as
> > associated with eth0 (192.168.2.169). Shorewall starts and all
> > networking is as expected, except for:
> >
> > eth7, 192.168.192.252, dmz zone
> > This is my error. I assigned this DomU virtual interface an address in a
> > different subnet in the mistaken assumption that the DMZ cannot possibly
> > be in the same subnet as the local zone... consequently I was stumped
> > when I had to specify a gateway in that DomU's /etc/network/interfaces
> > file.
>
> You are consistently confusing firewalling issues with routing
> issues. There are two completely independent questions here:
>
> 1) For each packet outbound from a host, where should it send that
> packet? This is the routing decision.
>
> 2) For each packet passing through a host, should it let this
> packet pass at all? This is filtering, the primary task of a
> firewall.
>
> You're not going to make any progress here until you understand how
> routing works (in the process, you'll find out what a subnet actually
> is). It's not really related to shorewall.
>
> > May I just reassure readers that I have several years experience of
> > Shorewall in the context of the Bering firewall and that I have
> > configured working 3-interface firewalls in the past.
>
> And I'm betting that none of them have been anything more than a bunch
> of locally-connected hosts plus an internet uplink, so you've only
> been concerned with part (2) above (because the OS defaults just
> happened to be right).
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users