Nicolas Pillot
2008-Dec-08 12:44 UTC
Allowing ping on an interface can show all other local interfaces
Hello,

I just noticed something I wasn't aware of while building up a wireless access point.

I have a FW system with 3 interfaces:

10.0.0.1/8 : local lan (eth0/loc)
192.168.0.254/24 : lan to the ISP router (eth1/net)
192.168.2.1/24 : DMZ (eth2/dmz)

Excerpt of the rules file:

Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW

Excerpt of the policy file:

net all DROP info
loc net ACCEPT
all all REJECT info

So I noticed I can always "reach" all the FW interfaces from LOC and DMZ, ie:

- from a host in DMZ: ping 192.168.0.254 is OK, and ping 10.0.0.1 is OK
- from a host in LOC: ping 192.168.0.254 is OK, and ping 192.168.2.1 is OK

Is it normal? I tried changing $FW to $FW:192.168.2.1 (and similar), but it didn't seem to have the effect I want.

Another thing: I read somewhere I had to allow ICMP for fragmentation messages, et al. Could anyone point me to a documentation resource explaining why and what I should enable?

Thanks in advance.

--
Nicolas Pillot (nicolas.pillot@gmail.com)

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Shorewall Geek
2008-Dec-08 16:23 UTC
Re: Allowing ping on an interface can show all other local interfaces
Nicolas Pillot wrote:
> Is this normal?

Yes.

> I read somewhere I had to allow ICMP for fragmentation messages, et
> al. Could anyone point me to a documentation resource explaining why
> and what I should enable?

Any introductory text on IPv4 networking should explain how ICMP works. Shorewall automatically allows the required ICMP packets to/from/through the firewall so you don't need to do anything additional.
Nicolas Pillot
2008-Dec-08 18:21 UTC
Re: Allowing ping on an interface can show all other local interfaces
Shorewall Geek <shorewalljunky@comcast.net>:
>> Is this normal?
> Yes.

Ok, so it works as intended. Handing out network topology is not a real issue, but is somewhat disappointing!

I've browsed around for ICMP messages, and found enlightenment :-) Thanks.

--
Nicolas Pillot (nicolas.pillot@gmail.com)
Shorewall Geek
2008-Dec-08 18:39 UTC
Re: Allowing ping on an interface can show all other local interfaces
Nicolas Pillot wrote:
> Shorewall Geek <shorewalljunky@comcast.net>:
>>> Is this normal?
>> Yes.
> Ok, so it works as intended.
> Handing out network topology is not a real issue, but is somewhat
> disappointing!

Well -- if you are that disappointed, you can always prevent it!

Replace

PING/ACCEPT loc $FW

with

PING/ACCEPT loc $FW:<firewall's local ip address>

That will only allow ping to the <firewall's local ip address>.
Nicolas Pillot
2008-Dec-10 08:17 UTC
Re: Allowing ping on an interface can show all other local interfaces
Oh, although I said I tried that option which didn't seem to have effect, I realize I might have tried the ping from the wrong zone (ie testing from loc...). Now that I changed the rule for the DMZ to

PING/ACCEPT dmz $FW:192.168.2.1

only the ping to that gateway works (ie ping 10.0.0.1 doesn't answer).

Anyway, as there's an open public captive portal (all http traffic redirected to the local webserver) in that DMZ (it's ath2 and not eth2), I wanted to give as little info about the local LAN layout as possible. That's because, as I read somewhere, it's pretty easy to guess the network topology (though I have no idea how it could be done :-). I wonder if it's even useful to do that additional filtering...

Thanks

2008/12/8 Shorewall Geek <shorewalljunky@comcast.net>:
> Well -- if you are that disappointed, you can always prevent it!
>
> Replace
> PING/ACCEPT loc $FW
> with
> PING/ACCEPT loc $FW:<firewall's local ip address>
>
> That will only allow ping to the <firewall's local ip address>
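The point made across the thread is that a Ping rule whose DEST is the bare $FW zone answers on every one of the firewall's addresses, while $FW:addr answers only on that one. Below is an added Python example (not part of the original posts, nor Shorewall's own code) that lints a constructed rules excerpt using the thread's three addresses and reports which zones can reach which firewall addresses; the whitespace-column parsing and the inclusion of the Ping(ACCEPT) macro spelling are assumptions about the rules-file syntax.

```python
"""Lint Shorewall-style Ping rules: a bare $FW DEST exposes every
firewall interface address, $FW:a.b.c.d only that address.
Added example, not Shorewall's code; sample data below is constructed."""
import re

# Constructed rules excerpt: the dmz rule has been narrowed as in the
# thread, the loc rules have not.
SAMPLE_RULES = """\
#ACTION        SOURCE   DEST               PROTO   DEST PORT(S)
Ping/ACCEPT    loc      $FW
Ping/ACCEPT    dmz      $FW:192.168.2.1
ACCEPT         loc      net                tcp     80,443
# Ping(ACCEPT) is assumed here to be the macro's alternate spelling
Ping(ACCEPT)   loc      $FW
"""

# Firewall addresses from the thread, keyed by interface (constructed map).
FW_ADDRS = {"eth0": "10.0.0.1", "eth1": "192.168.0.254", "eth2": "192.168.2.1"}


def parse_rules(text):
    """Yield (action, source, dest) for each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        cols = line.split()
        if len(cols) >= 3:
            yield cols[0], cols[1], cols[2]


def is_ping_rule(action):
    """Match both Ping/ACCEPT and Ping(ACCEPT) forms."""
    return re.match(r"^Ping[/(]ACCEPT\)?$", action) is not None


def ping_reachable(text, fw_addrs):
    """Map each source zone to the sorted firewall addresses it may ping."""
    reach = {}
    for action, src, dest in parse_rules(text):
        zone, _, addr = dest.partition(":")
        if not is_ping_rule(action) or zone != "$FW":
            continue
        addrs = {addr} if addr else set(fw_addrs.values())  # bare $FW = all
        reach.setdefault(src, set()).update(addrs)
    return {z: sorted(a) for z, a in reach.items()}


def unrestricted_ping_zones(text):
    """Source zones with at least one Ping rule whose DEST is the bare $FW."""
    return sorted({src for action, src, dest in parse_rules(text)
                   if is_ping_rule(action) and dest == "$FW"})
```

Running ping_reachable on the sample shows loc reaching all three addresses while dmz reaches only 192.168.2.1, which is exactly the behaviour reported in the thread.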