Hi,

This is probably a dumb question but I'm successfully pinging from host1 to host2 via a shorewall bridge when I would be expecting NOT to.
So this should fail (DROP) but it doesn't:

ping 192.168.144.90 (from 192.168.211.39)

Could you please have a look at the Shorewall dump?
http://213.96.91.201/temp/dump.gz

What dumb mistake have I made?
Why can 192.168.211.39 ping 192.168.144.90?

(I know the packets are going through the shorewall bridge if I run tcpdump on it)

Thanks

Vieri

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
On 2/24/11 9:08 AM, Vieri Di Paola wrote:
> Hi,
>
> This is probably a dumb question but I'm successfully pinging from host1 to host2 via a shorewall bridge when I would be expecting NOT to.
> So this should fail (DROP) but it doesn't:
>
> ping 192.168.144.90 (from 192.168.211.39)
>
> Could you please have a look at the Shorewall dump?
> http://213.96.91.201/temp/dump.gz
>
> What dumb mistake have I made?
> Why can 192.168.211.39 ping 192.168.144.90?
>
> (I know the packets are going through the shorewall bridge if I run tcpdump on it)

Looks like br0 is the 'net' zone and the implicit net->net policy is ACCEPT. If you don't want that, you need to add an explicit net->net policy in /etc/shorewall/policy.

-Tom

--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
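As an added illustration of Tom's answer (this is not part of the original thread and not Vieri's configuration): an /etc/shorewall/policy fragment with the explicit net->net policy he describes. The zone names net and loc are taken from the thread; the catch-all line at the bottom is assumed to exist in Vieri's file, since a stock Shorewall policy file ends with one.

```text
#SOURCE   DEST     POLICY   LOG LEVEL
#
# Explicit intra-zone policy for the bridge. Traffic between two hosts
# that are both on br0 (and therefore both in the 'net' zone) is
# net->net; with the bridge's 'routeback' option Shorewall forwards it,
# and without an explicit net->net line its implicit intra-zone policy
# is ACCEPT. The catch-all below does not cover that case, which is why
# this line is needed at all. The file is processed first-match, so it
# must come before any broader 'net all' or 'all all' line.
net       net      DROP     info
#
# Remaining inter-zone policies go here, e.g. loc->net, net->loc ...
#
# Assumed catch-all (not shown in the thread):
all       all      REJECT   info
```

After editing, `shorewall check` validates the file and `shorewall restart` applies it; the ping from 192.168.211.39 to 192.168.144.90 should then show up as a logged DROP with source and destination zone both net. Two caveats worth knowing: the implicit ACCEPT applies to any zone's traffic to itself, so merely renaming the br0 zone would not change the behaviour, only an explicit SOURCE/DEST line for that zone does; and if the two hosts are meant to be treated as different zones, the usual Shorewall approach is to assign the individual bridge ports to separate zones rather than the whole bridge to one.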
--- On Thu, 2/24/11, Tom Eastep <teastep@shorewall.net> wrote:
>> So this should fail (DROP) but it doesn't:
>>
>> ping 192.168.144.90 (from 192.168.211.39)
>
> Looks like br0 is the 'net' zone and the implicit
> net->net policy is
> ACCEPT. If you don't want that, you need to add an explicit
> net->net
> policy in /etc/shorewall/policy.

I'm a bit confused because 192.168.211.39 is a host within the 'loc' zone and 192.168.144.90 is within the 'net' zone. So I thought that ping 192.168.144.90 (from 192.168.211.39) would obey rules/policies loc2net.

My /etc/shorewall/interfaces contains:

net br0 detect routefilter,tcpflags,routeback,blacklist

What would be the implications of changing it to:

loc br0 detect routefilter,tcpflags,routeback,blacklist

?

Thanks