Ok, I'm sorry for not answering the last mail, but I changed my whole config.

So what I did now: two public IPs on my vmbr0 that is bridged on eth0. So my fw gets 94.23.244.210, my dmz is 10.10.10.0/24 and I have one KVM machine connected on vmbr0 with IP 94.23.154.41.
The thing is that when I activate my Shorewall, I can't get on the internet anymore with this KVM machine, and get this message in the log:

Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=eth0 SRC=94.23.154.41 DST=94.23.154.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4338 PROTO=ICMP TYPE=8 CODE=0 ID=34450 SEQ=25345

So when I disable Shorewall, my two public IPs work well, but when enabled, my second IP stops working. When I ping my second IP I get an answer back from my main IP 94.23.244.210 that tells me destination host unreachable.
I will answer much faster this time, I'm not changing my config anymore.

Sincerely,
Selvam Matthys

my interfaces file:

net     vmbr0   detect  nosmurfs
dmz     vmbr1   detect  routeback,bridge
dmz     venet0  detect  routeback

my policy file:

# From Firewall:
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
# Public Bridge (read the policy warnings!):
net     net     ACCEPT
net     dmz     DROP    info    1/sec:2
net     fw      DROP    info    1/sec:2
# Local (internal) Bridge:
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP    info    1/sec:2
# THE FOLLOWING POLICY MUST BE LAST #
all     all     REJECT  info

my rules file:

SSH/ACCEPT  net     fw:94.23.244.210    -       -           -   -   6/min:5
Ping/ACCEPT all     all
ACCEPT      net     fw:94.23.244.210    tcp     5900:5999
DNAT        net     dmz:10.10.10.102    tcp     80,443

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Selvam Matthys wrote:
> Ok, I'm sorry for not answering the last mail, but I changed my whole config.
>
> So what I did now: two public IPs on my vmbr0 that is bridged on eth0.
> So my fw gets 94.23.244.210, my dmz is 10.10.10.0/24 and I have one KVM machine connected on vmbr0 with IP 94.23.154.41.
> The thing is that when I activate my Shorewall, I can't get on the internet anymore with this KVM machine, and get this message in the log:
>
> Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=eth0 SRC=94.23.154.41 DST=94.23.154.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4338 PROTO=ICMP TYPE=8 CODE=0 ID=34450 SEQ=25345
>
> So when I disable Shorewall, my two public IPs work well, but when enabled, my second IP stops working. When I ping my second IP I get an answer back from my main IP 94.23.244.210 that tells me destination host unreachable.
> I will answer much faster this time, I'm not changing my config anymore.

You have neglected to set the 'routeback' option on vmbr0. See Shorewall FAQ 17.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thank you for the solution! I will read this FAQ!
I can connect to my machine now :-)) I'm so glad. But for some strange reason, I can't get on the internet from this machine when Shorewall is on. I can do DNS lookups, and tracert and ping from that machine to the internet, but can't browse the internet. The worst thing is that there is nothing in the log to show me where the problem resides. The only thing I get now is this: That's strange because there is a rule that says accept from net to dmz:10.10.10.102 80,443
Now when I open the browser (on the machine with the second IP 94.23.154.41) I always see my webserver default webpage on 10.10.10.102.
Strange,

Sincerely,
Selvam Matthys

Shorewall:net2dmz:DROP:IN=vmbr0 OUT=venet0 PHYSIN=eth0 SRC=83.195.155.26 DST=10.10.10.102 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21435 DF PROTO=TCP SPT=2084 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

2010/3/23 Tom Eastep <teastep@shorewall.net>
> You have neglected to set the 'routeback' option on vmbr0. See Shorewall FAQ 17.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Ok I found the culprit,
I changed a rule: from

DNAT        net     dmz:10.10.10.102    tcp     80,443

to

DNAT        net     dmz:10.10.10.102    tcp     80,443      -       94.23.244.210

And now all is working! Thanks Tom for this wonderful firewall and for the help you give.

Sincerely,
Selvam Matthys

2010/3/23 Selvam Matthys <selvam.matthys@gmail.com>
> Thank you for the solution! I will read this FAQ!
> I can connect to my machine now :-)) I'm so glad. But for some strange reason, I can't get on the internet from this machine when Shorewall is on. I can do DNS lookups, and tracert and ping from that machine to the internet, but can't browse the internet. The worst thing is that there is nothing in the log to show me where the problem resides. The only thing I get now is this: That's strange because there is a rule that says accept from net to dmz:10.10.10.102 80,443
> Now when I open the browser (on the machine with the second IP 94.23.154.41) I always see my webserver default webpage on 10.10.10.102.
> Strange,
>
> Sincerely,
> Selvam Matthys
>
> Shorewall:net2dmz:DROP:IN=vmbr0 OUT=venet0 PHYSIN=eth0 SRC=83.195.155.26 DST=10.10.10.102 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21435 DF PROTO=TCP SPT=2084 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
>
> 2010/3/23 Tom Eastep <teastep@shorewall.net>
>> You have neglected to set the 'routeback' option on vmbr0. See Shorewall FAQ 17.
>>
>> -Tom
Selvam Matthys wrote:
> Thank you for the solution! I will read this FAQ!
> I can connect to my machine now :-)) I'm so glad. But for some strange reason, I can't get on the internet from this machine when Shorewall is on. I can do DNS lookups, and tracert and ping from that machine to the internet, but can't browse the internet. The worst thing is that there is nothing in the log to show me where the problem resides. The only thing I get now is this: That's strange because there is a rule that says accept from net to dmz:10.10.10.102 80,443
> Now when I open the browser (on the machine with the second IP 94.23.154.41) I always see my webserver default webpage on 10.10.10.102.
> Strange,

From my response to your earlier post:

Also, please see http://www.shorewall.net/support.htm#Guidelines regarding what we need to solve connection problems.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Selvam Matthys wrote:
> Ok I found the culprit,
> I changed a rule: from DNAT net dmz:10.10.10.102 tcp 80,443 to
> DNAT net dmz:10.10.10.102 tcp 80,443 - 94.23.244.210
>
> And now all is working! Thanks Tom for this wonderful firewall and for the help you give.

> Now when I open the browser (on the machine with the second IP 94.23.154.41) I always see my webserver default webpage on 10.10.10.102.

I assume that 'machine with the second ip' is connected to bridge vmbr0? If so, be aware that it is not protected by the firewall as it is falling into the 'net' zone.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
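The two defects this thread works through (a bridge interface without 'routeback', and a DNAT rule that names no ORIGINAL DEST and so redirects every forwarded net-zone connection to tcp/80,443, including the web traffic leaving the net-zone KVM guest on vmbr0) are both visible by inspecting the configuration files. The following POSIX shell script is an added example, not code from the thread or from the Shorewall project: it checks an 'interfaces' and a 'rules' file for exactly those two patterns, using the column layout of Shorewall 4.x (interfaces: ZONE INTERFACE BROADCAST OPTIONS; rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ...). The sample files are constructed from the configuration posted above; the names of the bridge interfaces are passed in by hand so the script runs offline, and the 'after' interfaces file adds only 'routeback' to vmbr0, as Tom advised, which is an assumption about the final configuration the poster did not show.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Two checks over Shorewall 'interfaces' and 'rules' files:
#   1. a bridge interface without the 'routeback' option: traffic between two
#      hosts on the same bridge is forwarded IN=vmbr0 OUT=vmbr0 and rejected;
#   2. a DNAT rule with no ORIGINAL DEST (7th column): every forwarded
#      connection from the source zone to those ports is redirected, not only
#      connections addressed to the firewall's own public address.

# missing_routeback FILE BRIDGE... : print each named bridge lacking 'routeback'
missing_routeback() {
    _file=$1
    shift
    for _br in "$@"; do
        awk -v br="$_br" '
            NF > 0 && $1 !~ /^#/ && $2 == br {
                # wrap the option list in commas so "routeback" matches as a whole word
                if (("," $4 ",") !~ /,routeback,/) print br
            }' "$_file"
    done
}

# dnat_without_origdest FILE : print DNAT rules whose ORIGINAL DEST is empty or "-"
dnat_without_origdest() {
    awk 'NF > 0 && $1 !~ /^#/ && $1 ~ /^DNAT/ && (NF < 7 || $7 == "-") { print }' "$1"
}

# Constructed sample files, taken from the configuration posted in the thread.
SAMPLES=$(mktemp -d)

cat > "$SAMPLES/interfaces.before" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     vmbr0       detect      nosmurfs
dmz     vmbr1       detect      routeback,bridge
dmz     venet0      detect      routeback
EOF

# vmbr0 with 'routeback' added (assumed fix, following the advice in the thread)
cat > "$SAMPLES/interfaces.after" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     vmbr0       detect      nosmurfs,routeback
dmz     vmbr1       detect      routeback,bridge
dmz     venet0      detect      routeback
EOF

cat > "$SAMPLES/rules.before" <<'EOF'
#ACTION     SOURCE  DEST                PROTO   DPORT       SPORT   ORIGDEST        RATE
SSH/ACCEPT  net     fw:94.23.244.210    -       -           -       -               6/min:5
Ping/ACCEPT all     all
ACCEPT      net     fw:94.23.244.210    tcp     5900:5999
DNAT        net     dmz:10.10.10.102    tcp     80,443
EOF

# DNAT limited to connections actually addressed to the firewall's public IP
cat > "$SAMPLES/rules.after" <<'EOF'
#ACTION     SOURCE  DEST                PROTO   DPORT       SPORT   ORIGDEST        RATE
SSH/ACCEPT  net     fw:94.23.244.210    -       -           -       -               6/min:5
Ping/ACCEPT all     all
ACCEPT      net     fw:94.23.244.210    tcp     5900:5999
DNAT        net     dmz:10.10.10.102    tcp     80,443      -       94.23.244.210
EOF

# Stand-alone run: report findings for the 'before' and 'after' files
for _f in before after; do
    echo "== $_f =="
    missing_routeback "$SAMPLES/interfaces.$_f" vmbr0 vmbr1 | sed 's/^/bridge without routeback: /'
    dnat_without_origdest "$SAMPLES/rules.$_f" | sed 's/^/DNAT without ORIGINAL DEST: /'
done
```

On the 'before' files the script reports vmbr0 and the unrestricted DNAT rule; on the 'after' files it reports nothing. Note that, as Tom points out, restricting the DNAT rule only stops the redirection: a guest attached to vmbr0 still sits in the 'net' zone and is not filtered by this firewall at all, so the check is a sanity test of the configuration, not a substitute for placing the guest in a zone with a restrictive policy.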