Hi folks,

my internet connection is provided by a DSL modem connected to an ethernet card. The ppp0 device might exist when shorewall is started, but in some cases the dial-in has not yet been triggered by some network traffic. Then it has a 10... address (instead of an IP of my provider). (Maybe this only happens if I forget to switch on the modem before booting the PC, but I am not sure. My box runs under Debian Etch.)

Today I realized that shorewall failed to start, as I assigned the "norfc1918" option to ppp0, but ppp0 had one of these 10... addresses.

Could you remove that check for norfc1918 options on interfaces with rfc1918 addresses, Tom, please? For me an interface with all traffic filtered due to a configuration error is preferable to a box without any filtering.

Thanks in advance for comments.

Cheers,
Christian

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Christian Schneider wrote:
> Could you remove that check for norfc1918 options on interfaces with
> rfc1918 addresses, Tom, please?

Remove it yourself! All of the HOWTOs make a point of that issue and if you just remove the 'norfc1918' option as the HOWTOs direct in cases like this, then you won't have this issue.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Christian Schneider wrote:
>> Could you remove that check for norfc1918 options on interfaces with
>> rfc1918 addresses, Tom, please?
>
> Remove it yourself! All of the HOWTOs make a point of that issue and if
> you just remove the 'norfc1918' option as the HOWTOs direct in cases
> like this, then you won't have this issue.

As an aside, Shorewall-perl 4.2 drops the 'norfc1918' option.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>> Christian Schneider wrote:
>>> Could you remove that check for norfc1918 options on interfaces with
>>> rfc1918 addresses, Tom, please?
>>
>> Remove it yourself! All of the HOWTOs make a point of that issue and
>> if you just remove the 'norfc1918' option as the HOWTOs direct in
>> cases like this, then you won't have this issue.
>
> As an aside, Shorewall-perl 4.2 drops the 'norfc1918' option.

Not quite true -- I looked at the 4.2.0-Beta1 code again and it deprecates the 'norfc1918' option and it only gives a warning if the option is specified on an interface with an RFC-1918 address.

The bottom line is that the 'norfc1918' option was probably a bad idea to begin with, it is going away, and I recommend against using it.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

On Saturday 24 May 2008 22:39, Tom Eastep wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Christian Schneider wrote:
>>>> Could you remove that check for norfc1918 options on interfaces
>>>> with rfc1918 addresses, Tom, please?
>>>
>>> Remove it yourself! All of the HOWTOs make a point of that issue
>>> and if you just remove the 'norfc1918' option as the HOWTOs direct
>>> in cases like this, then you won't have this issue.
>>
>> As an aside, Shorewall-perl 4.2 drops the 'norfc1918' option.
>
> Not quite true -- I looked at the 4.2.0-Beta1 code again and it
> deprecates the 'norfc1918' option and it only gives a warning if the
> option is specified on an interface with an RFC-1918 address.
>
> The bottom line is that the 'norfc1918' option was probably a bad
> idea to begin with, it is going away, and I recommend against using
> it.

Well, I had a look into the two interfaces HOWTO (for versions 3 and 4) and the only sentence mentioning norfc1918 is:

"Before starting Shorewall, you should look at the IP address of your external interface and if it is one of the above ranges, you should remove the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces."

There is no warning that startup will fail and absolutely no filtering will be done even if the interface has an rfc1918 ip only temporarily. For me it sounds like "remove the option or all traffic will be filtered".

The main problem is: If you start shorewall when you are dialed in, it will start correctly and you will think that your configuration is ok. But when you boot the next time startup may fail silently!

Anyway, thanks for your comment. I removed the norfc1918 option, of course, to avoid this problem.

Cheers,
Christian
Christian Schneider wrote:
> Anyway, thanks for your comment. I removed the norfc1918 option, of
> course, to avoid this problem.

You could have also switched to Shorewall-perl -- it has always just issued a warning message when this situation occurs.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Christian Schneider wrote:
>>>> Could you remove that check for norfc1918 options on interfaces with
>>>> rfc1918 addresses, Tom, please?
>>>
>>> Remove it yourself! All of the HOWTOs make a point of that issue and
>>> if you just remove the 'norfc1918' option as the HOWTOs direct in
>>> cases like this, then you won't have this issue.
>>
>> As an aside, Shorewall-perl 4.2 drops the 'norfc1918' option.
>
> Not quite true -- I looked at the 4.2.0-Beta1 code again and it deprecates
> the 'norfc1918' option and it only gives a warning if the option is
> specified on an interface with an RFC-1918 address.
>
> The bottom line is that the 'norfc1918' option was probably a bad idea to
> begin with, it is going away, and I recommend against using it.

Why is it such a bad idea?

I remember when I didn't use it my firewalls would get hammered with those rfc1918 spoofed addresses.

Regards,

Michael.

> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michael Mansour wrote:
> Why is it such a bad idea?
>
> I remember when I didn't use it my firewalls would get
> hammered with those rfc1918 spoofed addresses.

Because:

a) 'norfc1918' does nothing that you can't do with three simple DROP rules:

	DROP	net:10.0.0.0/8		all
	DROP	net:172.16.0.0/12	all
	DROP	net:192.168.0.0/16	all

b) Those 'spoofed' addresses are probably just fools in your neighborhood who haven't a clue how to configure their systems. Never attribute to malice that which can be explained by stupidity.

-tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
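As an added example (not Shorewall's own code and not written by anyone in this thread), the following script does the pre-start check Christian asked for: it reads the classic four-column /etc/shorewall/interfaces layout (ZONE INTERFACE BROADCAST OPTIONS), warns rather than fails when an interface carrying 'norfc1918' currently holds an RFC 1918 address, and emits the three DROP rules Tom gives as the replacement. The interface table and addresses are constructed; on a real box the addresses would be read from `ip addr`.

```python
"""Warn about the norfc1918/RFC 1918 race instead of failing at start-up.
Added example; the config text and the address map below are constructed."""
import ipaddress

# The three ranges that 'norfc1918' (and Tom's three DROP rules) cover.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if the IPv4 address string lies in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_interfaces(text):
    """Parse ZONE INTERFACE BROADCAST OPTIONS lines; '-' means no options."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line:
            continue
        fields = line.split()
        opts = fields[3].split(",") if len(fields) > 3 and fields[3] != "-" else []
        rows.append((fields[0], fields[1], opts))
    return rows

def check(text, addresses):
    """Return (iface, zone, addr) for every interface that has 'norfc1918'
    but currently holds an RFC 1918 address (the case that breaks start-up).
    addresses maps interface -> current IPv4 address, or is missing the
    interface when it has no address yet (e.g. ppp0 before dial-in)."""
    hits = []
    for zone, iface, opts in parse_interfaces(text):
        addr = addresses.get(iface)
        if "norfc1918" in opts and addr and is_rfc1918(addr):
            hits.append((iface, zone, addr))
    return hits

def equivalent_rules(zone):
    """The /etc/shorewall/rules entries Tom lists as the replacement."""
    return ["DROP %s:%s all" % (zone, net) for net in RFC1918]

# Constructed sample: ppp0 still has the pre-dial-in 10.x address.
SAMPLE_CONF = "net   ppp0  -       norfc1918,tcpflags\nloc   eth0  detect\n"
SAMPLE_ADDRS = {"ppp0": "10.64.1.2", "eth0": "192.168.1.1"}

if __name__ == "__main__":
    for iface, zone, addr in check(SAMPLE_CONF, SAMPLE_ADDRS):
        print("WARNING: %s (%s) has norfc1918 but address %s is RFC 1918"
              % (iface, zone, addr))
    print("\n".join(equivalent_rules("net")))
```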