I have been using shorewall for a long time.
     Currently I am testing shorewall-4.2.5-1. Here is my issue:
        LOC=172.10.1.0
VPN1=192.10.1.0  VPN2=192.10.2.0  (VPN Interfaces)
     I can talk between LOC -> VPN back and forth but I cannot between
VPN1 <-> VPN2 (getting rejections on the main firewall).
#shorewall-policy
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
loc             net             ACCEPT
loc             $FW             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
$FW             net             ACCEPT
vpn             $FW             ACCEPT
all             all             REJECT          info
#shorewall-interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net      eth1         detect
net      eth4         detect
loc      eth0         detect
vpn      tun+         detect
   Any idea of what I am missing?
Thank you
Chakri
------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Chakravarthy Girda wrote:
> I have been using shorewall for a long time.
>
> Currently I am testing shorewall-4.2.5-1. Here is my issue:
>
> LOC=172.10.1.0
>
> VPN1=192.10.1.0  VPN2=192.10.2.0  (VPN Interfaces)
>
> I can talk between LOC -> VPN back and forth but I cannot between
> VPN1 <-> VPN2 (getting rejections on the main firewall).

Shorewall FAQ 17 is your friend.

> #shorewall-policy
> ###############################################################################
> #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
>
> loc             net             ACCEPT
> loc             $FW             ACCEPT
>
> loc             vpn             ACCEPT
> vpn             loc             ACCEPT
>
> $FW             net             ACCEPT
> vpn             $FW             ACCEPT
>
> all             all             REJECT          info
>
> #shorewall-interfaces
> ###############################################################################
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net      eth1         detect
> net      eth4         detect
> loc      eth0         detect
> vpn      tun+         detect

You are missing the 'routeback' option on the last entry.
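The corrected interfaces entry, shown here as an added illustration rather than as anything posted in the thread, using the zone and interface names from the original message. shorewall-interfaces(5) documents 'routeback' as required when traffic must be forwarded between interfaces that match a wildcard entry: tun0 and tun1 both match "tun+", so VPN1 -> VPN2 traffic is same-interface traffic from Shorewall's point of view and, without the option, falls through to the "all all REJECT info" policy (which is exactly the rejection logged on the firewall).

```text
#ZONE   INTERFACE       BROADCAST       OPTIONS
net      eth1         detect
net      eth4         detect
loc      eth0         detect
vpn      tun+         detect          routeback
```

Run "shorewall check" before "shorewall restart" to have the compiler validate the file; the option name is a literal, so a typo there shows up as a compile error rather than as silently unfiltered traffic. Adding 'routeback' to eth0 as well is only needed if hosts on eth0 must be routed back out eth0 through the firewall (for example when the loc interface carries more than one subnet); it is not required for the VPN1 <-> VPN2 case.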
Thank you so much... Awesome, that worked like a champ. All I
did was add routeback to my "shorewall-interfaces" for the eth0 & vpn
interfaces. But your next part, which is FAQ 17: I have the file
   "/usr/share/shorewall/rfc1918", but
    RFC1918_STRICT=No is set in my shorewall.conf.
  So the question is, should I still remove that file?
Thank you
Chakri
Chakravarthy Girda wrote:
> Thank you so much... Awesome, that worked like a champ. All I
> did was add routeback to my "shorewall-interfaces" for the eth0 & vpn
> interfaces. But your next part, which is FAQ 17: I have the file
> "/usr/share/shorewall/rfc1918", but
> RFC1918_STRICT=No is set in my shorewall.conf.
>
> So the question is, should I still remove that file?

I'm confused -- you should *never* remove /usr/share/shorewall/rfc1918.
You should remove /etc/shorewall/rfc1918 unless you have a good reason
to have your own copy; most people who have an rfc1918 file in
/etc/shorewall do so because it is simply left over from an ancient
version of Shorewall.
No, I don't have /etc/shorewall/rfc1918. I started with a fresh install.
Now I am into fine tuning my firewall. Thank you very much for your help.

I see repeated lines of the following. Is this because of the
logmartians entry in my interfaces file?

net      eth1         detect          tcpflags,routefilter,blacklist,logmartians
net      eth4         detect          tcpflags,routefilter,blacklist,logmartians

**************** LOG FILE ******************

Jan 28 13:31:55 agni kernel: martian source 255.255.255.255 from 169.254.100.100, on dev eth1
Jan 28 13:31:55 agni kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:6e:7b:f5:00:08:00
Jan 28 13:32:11 agni kernel: martian source 255.255.255.255 from 169.254.100.100, on dev eth1
Jan 28 13:32:11 agni kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:6e:7b:f5:00:08:00
Jan 28 13:32:18 agni kernel: martian source 169.254.100.100 from 169.254.100.100, on dev eth1
Jan 28 13:32:18 agni kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:6e:7b:f5:00:08:06
Chakravarthy Girda wrote:
> No, I don't have /etc/shorewall/rfc1918. I started with a fresh install.
> Now I am into fine tuning my firewall. Thank you very much for your help.
>
> I see repeated lines of the following. Is this because of the
> logmartians entry in my interfaces file?
>
> net      eth1         detect          tcpflags,routefilter,blacklist,logmartians
> net      eth4         detect          tcpflags,routefilter,blacklist,logmartians

The fact that packets are being checked at this level is due to the
'routefilter' option; the fact that failures are being logged is due to
'logmartians'.

> **************** LOG FILE ******************
>
> Jan 28 13:31:55 agni kernel: martian source 255.255.255.255 from
> 169.254.100.100, on dev eth1

That says that a limited broadcast was received on eth1 from
169.254.100.100. The route to 169.254.100.100 is not out of eth1; that's
why the packet is being reported as a martian.
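The reply above reads one log line by hand. The script below does the same check mechanically, as an added example that is not part of the thread and not Shorewall code: it parses the kernel's "martian source" lines and reproduces the strict reverse-path test that 'routefilter' (rp_filter) applies, so each line is explained as "the route back to the source leaves on X, not on the interface it arrived on". Note the kernel's field order, which is easy to misread: the first address is the destination (255.255.255.255 here), the address after "from" is the offending source. The routing table, the third log line (a spoofed loc address arriving on eth1) and the list of always-rejected source ranges are constructed assumptions; the real decision is made by the kernel's routing lookup, and the default route is placed on eth4 only so that the thread's 169.254.100.100 example comes out as a martian the way the reply describes.

```python
import ipaddress
import re

# Constructed sample: the two kinds of line from the thread plus one spoofed
# loc-zone source on the net interface (constructed, not from the thread).
SAMPLE_LOG = """\
Jan 28 13:31:55 agni kernel: martian source 255.255.255.255 from 169.254.100.100, on dev eth1
Jan 28 13:31:55 agni kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:6e:7b:f5:00:08:00
Jan 28 13:32:18 agni kernel: martian source 169.254.100.100 from 169.254.100.100, on dev eth1
Jan 28 13:32:18 agni kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:6e:7b:f5:00:08:06
Jan 28 13:45:09 agni kernel: martian source 8.8.8.8 from 172.10.1.9, on dev eth1
"""

# Constructed routing table (assumption): loc and the two tunnels as in the
# thread, default route out the second net interface.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth4"),
    (ipaddress.ip_network("172.10.1.0/24"), "eth0"),
    (ipaddress.ip_network("192.10.1.0/24"), "tun0"),
    (ipaddress.ip_network("192.10.2.0/24"), "tun1"),
]

# Kernel field order: first address is the DESTINATION, "from" is the SOURCE.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Sources the kernel rejects before any route lookup (a subset of its checks).
BAD_SOURCES = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def reverse_path_dev(src, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach src."""
    src = ipaddress.ip_address(str(src))
    best = None
    for net, dev in routes:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify(line, routes=ROUTES):
    """Parse one kernel line; return a dict explaining the martian, or None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None  # e.g. the "ll header:" continuation lines
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dev = m["dev"]
    expected = reverse_path_dev(src, routes)
    if any(src in bad for bad in BAD_SOURCES):
        reason = "source address is never valid on the wire"
    elif expected != dev:
        reason = f"reverse path for {src} is {expected}, not {dev} (strict rp_filter)"
    else:
        reason = "source passes the reverse-path check; rejected for another reason"
    return {
        "src": str(src),
        "dst": str(dst),
        "dev": dev,
        "expected_dev": expected,
        "limited_broadcast": dst == LIMITED_BROADCAST,
        "reason": reason,
    }


def analyse(log_text, routes=ROUTES):
    """One record per martian line; continuation lines are skipped."""
    return [r for r in (classify(l, routes) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        bcast = " (limited broadcast)" if rec["limited_broadcast"] else ""
        print(f"{rec['dev']}: dst={rec['dst']}{bcast} src={rec['src']} -> {rec['reason']}")
```

On a live box replace ROUTES with the output of "ip route" and feed it "dmesg" or the kernel log; a source whose reverse path is eth0 or tun0 but which arrives on eth1 is the case 'routefilter' exists for (spoofed internal addresses from the net side), while the link-local 169.254.x source in the thread is almost always a misconfigured neighbour on the same segment rather than an attack.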