Art Mandler
2013-Feb-12 19:35 UTC
Passing traffic between separate public subnets on same interface
I have read everything I can find in the docs and faqs about this, and I feel there must just be some simple thing I'm not doing, but I'm stumped.

Two interfaces, eth0 and eth1. eth1 is the WAN connection to the upstream provider, and has a single IP and the default gateway. Connection uses bgp.
eth0 is the LAN interface, and has multiple IP addresses, private (ie., 10.0.2.x) and public. There are 5 small public subnets, one is /27 and others are /28 or /29.

Zones are: net (eth1), open (public nets on eth0), safe (private nets on eth0), noc (management net), and of course fw.

Here is one line from my hosts file:

open eth0:64.147.222.128/27,72.250.228.0/28,72.250.228.184/29,72.250.228.160/29,72.27.252.128/28,72.27.252.144/29,72.27.252.152/29

Here are the policies:

###############################################################################
#SOURCE   DEST    POLICY   LOG      LIMIT:BURST
#                          LEVEL
# FW
fw        all     ACCEPT
open      fw      ACCEPT
# OPEN
open      net     ACCEPT
all       open    ACCEPT
# SAFE
safe      net     ACCEPT
noc       safe    ACCEPT
safe      noc     ACCEPT
all       safe    DROP     ULOG
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all     REJECT   ULOG

The problem is that the various public subnets listed in the hosts file above cannot see each other. A mail server on 72.250.228.13 which has a gateway on this router of 72.250.228.1, cannot ping (or send mail to) another email server at 64.147.222.139 with a gateway on this router of 64.147.222.129. I tried putting "routeback" at the end of the hosts file open line above, to no effect.

Here are the established routes on the router:

# ip route show
64.147.209.132/30 dev eth1 proto kernel scope link src 64.147.209.134
72.27.252.152/29 via 10.0.2.108 dev eth0
72.250.228.160/29 dev eth0 proto kernel scope link src 72.250.228.161
72.250.228.184/29 dev eth0 proto kernel scope link src 72.250.228.188
72.27.252.128/28 dev eth0 proto kernel scope link src 72.27.252.129
72.250.228.0/28 dev eth0 proto kernel scope link src 72.250.228.1
64.147.222.128/27 dev eth0 proto kernel scope link src 64.147.222.129
10.0.5.0/24 via 10.0.2.100 dev eth0
10.0.17.0/24 via 10.0.2.100 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.1
10.0.254.0/24 via 10.0.2.100 dev eth0
10.1.2.0/24 via 10.0.2.108 dev eth0
default via 64.147.209.133 dev eth1 proto zebra equalize

Looks to me like open net 72.250.228.0/28 should be able to pass traffic to open net 64.147.222.128/27 as both their gateways are on the router and the policy allows all traffic from open to the fw.

What am I missing?

Thanks,
Art
Tom Eastep
2013-Feb-12 19:46 UTC
Re: Passing traffic between separate public subnets on same interface
On 02/12/2013 11:35 AM, Art Mandler wrote:
> I have read everything I can find in the docs and faqs about this, and I
> feel there must just be some simple thing I'm not doing, but I'm stumped.
>
> Two interfaces, eth0 and eth1. eth1 is the WAN connection to the
> upstream provider, and has a single IP and the default gateway.
> Connection uses bgp.
> eth0 is the LAN interface, and has multiple IP addresses, private (ie.,
> 10.0.2.x) and public. There are 5 small public subnets, one is /27 and
> others are /28 or /29.
>
> Zones are: net (eth1), open (public nets on eth0), safe (private nets
> on eth0), noc (management net), and of course fw.
>
> Here is one line from my hosts file:

We would much rather see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#guidelines.

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Art Mandler
2013-Feb-12 20:08 UTC
Passing traffic between separate public subnets on same interface
Regarding my earlier email with this subject, I failed to include the shorewall dump file, as Tom pointed out. Here it is.

Thx,
Art
Tom Eastep
2013-Feb-13 19:18 UTC
Re: Passing traffic between separate public subnets on same interface
On 02/12/2013 11:46 AM, Tom Eastep wrote:
> On 02/12/2013 11:35 AM, Art Mandler wrote:
>> I have read everything I can find in the docs and faqs about this, and I
>> feel there must just be some simple thing I'm not doing, but I'm stumped.
>>
>> Two interfaces, eth0 and eth1. eth1 is the WAN connection to the
>> upstream provider, and has a single IP and the default gateway.
>> Connection uses bgp.
>> eth0 is the LAN interface, and has multiple IP addresses, private (ie.,
>> 10.0.2.x) and public. There are 5 small public subnets, one is /27 and
>> others are /28 or /29.
>>
>> Zones are: net (eth1), open (public nets on eth0), safe (private nets
>> on eth0), noc (management net), and of course fw.
>>
>> Here is one line from my hosts file:
>
> We would much rather see the output of 'shorewall dump' collected as
> described at http://www.shorewall.net/support.htm#guidelines.

One thing comes to mind -- be sure that you have IP_FORWARDING=Yes in shorewall.conf.

-Tom
Tom Eastep
2013-Feb-13 21:06 UTC
Re: Passing traffic between separate public subnets on same interface
On 02/12/2013 12:08 PM, Art Mandler wrote:
> Regarding my earlier email with this subject, I failed to include the
> shorewall dump file, as Tom pointed out. Here it is.

I am afraid that I have no clue how to advise you about this issue, given that you are running on a 2.4 kernel with Shorewall 3.0.5. 3.0.5 was released 7 years ago (almost to the day) and I have a hard enough time remembering how versions released a year ago work.

Sorry,
-Tom
Art Mandler
2013-Feb-13 21:55 UTC
Re: Passing traffic between separate public subnets on same interface
Thanks, Tom. It is set for IP_FORWARDING=On (not Yes), which is consistent with the in-file notes. Any other thoughts?

On 01/-10/-28163 02:59 PM, Tom Eastep wrote:
> On 02/12/2013 11:46 AM, Tom Eastep wrote:
>
>> On 02/12/2013 11:35 AM, Art Mandler wrote:
>>
>>> I have read everything I can find in the docs and faqs about this, and I
>>> feel there must just be some simple thing I'm not doing, but I'm stumped.
>>>
>>> Two interfaces, eth0 and eth1. eth1 is the WAN connection to the
>>> upstream provider, and has a single IP and the default gateway.
>>> Connection uses bgp.
>>> eth0 is the LAN interface, and has multiple IP addresses, private (ie.,
>>> 10.0.2.x) and public. There are 5 small public subnets, one is /27 and
>>> others are /28 or /29.
>>>
>>> Zones are: net (eth1), open (public nets on eth0), safe (private nets
>>> on eth0), noc (management net), and of course fw.
>>>
>>> Here is one line from my hosts file:
>>>
>> We would much rather see the output of 'shorewall dump' collected as
>> described at http://www.shorewall.net/support.htm#guidelines.
>>
> One thing comes to mind -- be sure that you have IP_FORWARDING=Yes in
> shorewall.conf.
>
> -Tom
>
Simon Hobson
2013-Feb-14 08:03 UTC
Re: Passing traffic between separate public subnets on same interface
Art Mandler wrote:
>Thanks, Tom. It is set for IP_FORWARDING=On (not Yes), which is
>consistent with the in-file notes. Any other thoughts?

Routeback set on the interface ?
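A quick way to check, from the routes and hosts line Art posted at the top of the thread, whether the failing path is a same-interface (hairpin) forward through the router, which is the case Simon's routeback question is about. This is an added example, not code from the thread or from Shorewall; it assumes symmetric routing (the packet from a source arrives on the interface the router would use to reach that source) and uses a constructed subset of the posted routes.

```python
import ipaddress

# Subset of the 'ip route show' output posted in the thread (constructed
# sample for this example; the real table has more routes).
ROUTES = """\
64.147.209.132/30 dev eth1 proto kernel scope link src 64.147.209.134
72.27.252.152/29 via 10.0.2.108 dev eth0
72.250.228.0/28 dev eth0 proto kernel scope link src 72.250.228.1
64.147.222.128/27 dev eth0 proto kernel scope link src 64.147.222.129
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.1
default via 64.147.209.133 dev eth1 proto zebra equalize
"""

# The 'open' zone entry from the posted /etc/shorewall/hosts line.
HOSTS = ["open eth0:64.147.222.128/27,72.250.228.0/28,72.250.228.184/29,"
         "72.250.228.160/29,72.27.252.128/28,72.27.252.144/29,72.27.252.152/29"]

def parse_routes(text):
    """Turn 'ip route show' lines into a list of (network, outgoing interface)."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        table.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return table

def egress_interface(table, host):
    """Longest-prefix match: the interface the router forwards 'host' out of."""
    addr = ipaddress.ip_address(host)
    hits = [(net.prefixlen, iface) for net, iface in table if addr in net]
    return max(hits)[1] if hits else None

def zone_of(hosts_lines, host):
    """Map an address to its zone using Shorewall 'zone iface:net,net,...' lines."""
    addr = ipaddress.ip_address(host)
    for line in hosts_lines:
        zone, spec = line.split()
        nets = spec.split(":", 1)[1].split(",")
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return None

def diagnose(routes_text, hosts_lines, src, dst):
    """Classify a src->dst forward: zones involved and whether it is a hairpin.
    Assumption: symmetric routing, so the ingress interface for src is the
    interface the router would use to reach src."""
    table = parse_routes(routes_text)
    in_if, out_if = egress_interface(table, src), egress_interface(table, dst)
    return {"src_zone": zone_of(hosts_lines, src), "dst_zone": zone_of(hosts_lines, dst),
            "in": in_if, "out": out_if, "hairpin": in_if is not None and in_if == out_if}
```

For the mail-server pair in the original post the result is open to open, in eth0 and out eth0, so the forward goes back out the interface it arrived on.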