Hello all,

I've read the shorewall guides and browsed through the mailing lists, but I haven't been able to find out if the following is possible or not using shorewall.

Our provider has given us 16 IPs + 4 in a separate range for our uplink. I would like to replace that router with a Linux box running shorewall with three interfaces. I want the DMZ to be a standard, routed network segment while the internal network is MASQ'd. To that end, I've set all policies to allow so that there are fewer points of failure.

I thought a setup like this wouldn't be difficult to configure, however I cannot ping or connect into any box on the DMZ net. I do not want to use proxy ARP, as it seems a bit wasteful in this situation (please correct me if I'm wrong here). The desired setup is below along with my configs. Thanks all for any assistance in advance.

Desired topology

    PROVIDER
        |
        | Separate /30 subnet
        |
    ROUTER -- DMZ Net ( 14 routable IPs, 1 used as gateway (/28) )
        |
        |
    MASQ'd PRIVATE
      IP RANGE

Configurations below:

    Eth0 192.168.1.211 (internal 192.168.1.0/24)
    Eth2 38.116.45.145 (dmz net 38.116.45.144/28)
    Eth4 66.28.28.78 (provider uplink 66.28.28.76/30)

    echo 1 >/proc/sys/net/ipv4/ip_forward

Shorewall.conf is Debian 3.1 sparc64 standard
Shorewall version 2.2.3

Interfaces:

    net   eth4   detect
    dmz   eth2   detect
    loc   eth0   detect

Zones:

    dmz   dmz        DeMilitarized Zone
    net   net        Outside Network
    loc   LocalNet   Local Network

masq:

    eth4   eth0   66.28.28.78

policy:

    loc   $FW   ACCEPT
    net   $FW   ACCEPT
    dmz   $FW   ACCEPT
    net   loc   ACCEPT
    loc   net   ACCEPT
    dmz   loc   ACCEPT
    loc   dmz   ACCEPT
    dmz   net   ACCEPT
    net   dmz   ACCEPT

Rules:

    ACCEPT   net   dmz   all
    ACCEPT   dmz   net   all
    ACCEPT   all   $FW   tcp   22
    $FW      all   ACCEPT
Derek Murawsky wrote:
> ...
> policy:
> loc $FW ACCEPT
> net $FW ACCEPT
> dmz $FW ACCEPT
> net loc ACCEPT
> loc net ACCEPT
> dmz loc ACCEPT
> loc dmz ACCEPT
> dmz net ACCEPT
> net dmz ACCEPT

Is there /anything/ you want to block? :-) Why would you accept any traffic from net2$FW? Or dmz2$FW? net2loc? dmz2loc? You need to make at least an all2all DROP/REJECT policy.

> Rules:
> ACCEPT net dmz all
> ACCEPT dmz net all

Don't do this - that's what policies are for.

> $FW all ACCEPT

That's not a valid rule. Does 'shorewall check' say anything about it (or anything else in your setup)?

To find out a bit more about what's going on, try adding info to the end of each policy line that includes DMZ, then you'll get log messages that you hopefully can use to work out what's wrong. I also recommend that people explicitly list /every/ possible zone combination in their policy file so that they get the most accurate zone2zone indications in their logs.

--
Paul <http://paulgear.webhop.net>
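A checker for the kind of policy file Paul describes, added here as an example (it is not part of the thread and not a Shorewall tool): it parses a Shorewall 2.x policy file, flags zone pairs with no explicit line, ACCEPT policies from net or dmz toward more trusted zones, and DROP/REJECT lines without a log level. Both policy samples are constructed: one is Derek's original, the other the explicit shape with an all2all catch-all; $FW is treated as a literal zone token rather than expanded.

```python
# Constructed sample: Derek's policy (every pair ACCEPT, no logging, no catch-all).
ORIGINAL_POLICY = """\
loc   $FW   ACCEPT
net   $FW   ACCEPT
dmz   $FW   ACCEPT
net   loc   ACCEPT
loc   net   ACCEPT
dmz   loc   ACCEPT
loc   dmz   ACCEPT
dmz   net   ACCEPT
net   dmz   ACCEPT
"""
# Constructed sample in the shape Paul asks for: logged denies and a final
# all2all catch-all, so no pair falls through to the built-in default.
EXPLICIT_POLICY = """\
loc   all   ACCEPT
$FW   all   ACCEPT
dmz   net   ACCEPT
all   all   DROP    info
"""
ZONES = ("net", "dmz", "loc", "$FW")
# Source -> destinations that a policy must not ACCEPT wholesale
# (net2$FW, dmz2$FW, net2loc, dmz2loc from Paul's reply, plus net2dmz).
DENY_BY_POLICY = {"net": {"$FW", "loc", "dmz"}, "dmz": {"$FW", "loc"}}

def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples; '-' means unlogged."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        loglevel = fields[3] if len(fields) > 3 else "-"
        entries.append((fields[0], fields[1], fields[2].upper(), loglevel))
    return entries

def first_match(entries, src, dst):
    """Shorewall applies the first matching line; 'all' matches any zone."""
    for entry in entries:
        if entry[0] in (src, "all") and entry[1] in (dst, "all"):
            return entry
    return None

def audit_policy(text, zones=ZONES):
    """Report pairs with no line, unlogged denies, and permissive ACCEPTs."""
    entries = parse_policy(text)
    missing, unlogged, permissive = [], [], []
    for src, dst in [(s, d) for s in zones for d in zones if s != d]:
        entry = first_match(entries, src, dst)
        if entry is None:
            missing.append((src, dst))
        elif entry[2] in ("DROP", "REJECT") and entry[3] == "-":
            unlogged.append((src, dst))
        elif entry[2] == "ACCEPT" and dst in DENY_BY_POLICY.get(src, ()):
            permissive.append((src, dst))
    return {"missing": missing, "unlogged": unlogged, "permissive": permissive}
```

Run against Derek's file it reports the three $FW-sourced pairs as missing and the five net/dmz-sourced ACCEPTs Paul objects to; the explicit file comes back clean.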
Derek Murawsky wrote:
> I do not want to use proxy ARP, as it seems a bit wasteful in this situation (please correct me if I'm wrong here).

If you want routed public IPs in your DMZ, and you do not want to specify a bunch of DNAT rules, then you must use proxy ARP, I believe. It is not wasteful. All proxy ARP does is make the firewall respond to ARP requests for IP addresses on one interface (a request from the private MASQ'd net) that are actually located on another interface (DMZ) and forward the request to that interface and network. This makes the firewall look transparent to the ARP requests from, say, loc to dmz. I am not sure what you mean by wasteful. Proxy ARP does not use extra addresses as you might be thinking; it just tells the firewall to respond to ARP requests on one interface for hosts that are actually on another interface, so that they may be found.

So, give your DMZ hosts public IPs, configure the firewall to proxy ARP requests to the DMZ for those hosts, and then use standard rules to allow traffic between net, loc and dmz.

I would recommend not modifying the default policy. The way you have it means that nothing will be logged, which is not helpful for troubleshooting.
Let me know if this makes sense; if not, I can point you to or write more specific examples of configurations.

Alex Martin
http://www.rettc.com

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Paul,

Thanks for your quick response. The reason I set everything to allow was to eliminate possible areas where the configuration could be killing the interzone routing. If this system ever goes production, most if not all of those default policies will be set to drop. For the time being, I have changed the policy file to:

    loc   $FW   ACCEPT
    loc   dmz   ACCEPT   info
    loc   net   ACCEPT
    dmz   net   ACCEPT   info
    dmz   $FW   DROP     info
    dmz   loc   DROP     info
    net   $FW   DROP     info
    net   loc   DROP
    net   dmz   ACCEPT   info
    $FW   loc   ACCEPT
    $FW   net   ACCEPT   info
    $FW   dmz   ACCEPT   info

Your note on the setting of rules instead of policies was brought up by the config check, but only as a warning. I removed those rules, but again, they were set to try to allow routing between the DMZ and the net.

After adding the info lines, nothing appeared in the logs from any of my external connection attempts, including successful ones to the firewall. I tried to connect out from a host in the DMZ. That produced the following in the logs:

    Jun 16 17:45:37 localhost kernel: Shorewall:dmz2net:ACCEPT:IN=eth2 OUT=eth4 SRC=38.116.45.146 DST=66.114.70.121 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9241 DF PROTO=TCP SPT=34472 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Jun 16 17:45:40 localhost kernel: Shorewall:dmz2net:ACCEPT:IN=eth2 OUT=eth4 SRC=38.116.45.146 DST=66.114.70.121 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9243 DF PROTO=TCP SPT=34472 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

No connection was established.

I found one thing suspect in the output of shorewall restart:

    Determining Hosts in Zones...
       dmz Zone: eth2:0.0.0.0/0
       net Zone: eth4:0.0.0.0/0
       LocalNet Zone: eth0:0.0.0.0/0

After reading the section on the hosts file, I don't see it as a problem, but routing-wise it looks like a nightmare.

Also, I added routeback to two interfaces:

    net   eth4   detect   routeback
    dmz   eth2   detect   routeback
    loc   eth0   detect

Still no good. Any other ideas?
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Paul Gear
Sent: Thursday, June 16, 2005 5:21 PM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Re: Setting up a routed DMZ
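A small parser for the Shorewall kernel log lines Derek posted above, added here as an example (not part of the thread or of Shorewall). It spots the pattern those two lines show: the same SYN, same source port, forwarded twice three seconds apart with disposition ACCEPT, which means the DMZ host never received a SYN/ACK, so the failure is on the return path rather than in the firewall's policy. The sample input is Derek's two lines; the year for the syslog timestamps is an assumption, and the check only works when the accepting policy logs, as Derek's dmz2net line does with info.

```python
import re
from datetime import datetime

# Sample input: the two kernel log lines from Derek's post (outbound SSH from
# a DMZ host), present only because the dmz2net ACCEPT policy carries "info".
SAMPLE_LOG = """\
Jun 16 17:45:37 localhost kernel: Shorewall:dmz2net:ACCEPT:IN=eth2 OUT=eth4 SRC=38.116.45.146 DST=66.114.70.121 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9241 DF PROTO=TCP SPT=34472 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 17:45:40 localhost kernel: Shorewall:dmz2net:ACCEPT:IN=eth2 OUT=eth4 SRC=38.116.45.146 DST=66.114.70.121 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9243 DF PROTO=TCP SPT=34472 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")

def parse_line(line, year=2005):
    """Turn one Shorewall kernel log line into a dict: key=value tokens
    become entries, bare tokens such as DF, SYN or ACK become flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"),
           "flags": set()}
    # syslog timestamps carry no year; the caller supplies one (assumed 2005).
    rec["time"] = datetime.strptime("%d %s" % (year, m.group("ts")),
                                    "%Y %b %d %H:%M:%S")
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec

def parse_log(text, year=2005):
    return [r for r in (parse_line(ln, year) for ln in text.splitlines()) if r]

def retransmitted_syns(records, window_seconds=60):
    """Group bare SYNs by (SRC, SPT, DST, DPT). A second SYN from the same
    source port inside the window is a retransmit: the client got no SYN/ACK.
    With disposition ACCEPT the firewall did forward the packet, so the fault
    is on the return path (routing), not in the policy."""
    flows = {}
    for r in records:
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            flows.setdefault((r["SRC"], r["SPT"], r["DST"], r["DPT"]), []).append(r)
    findings = []
    for flow, syns in flows.items():
        span = (syns[-1]["time"] - syns[0]["time"]).total_seconds()
        if len(syns) >= 2 and span <= window_seconds:
            findings.append({"flow": flow, "syn_count": len(syns), "span_s": span,
                             "chain": syns[0]["chain"],
                             "disposition": syns[0]["disposition"]})
    return findings
```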
Alex,

It's my understanding that in a routed environment, proxy ARP should be unnecessary. My ISP has a route to the 38.116.45.144/28 network through 68.28.28.78 (my firewall's outside IP). My firewall has a static route to that network since it's on a directly attached Ethernet card, so it seems that all should work, correct?

Also, in this setup, I should set the DMZ'd hosts to use 66.28.28.77 as their default gateway? It's not on the same network (DMZ is 38.116.45.144/28), so will it still work?

Thanks for your ideas.

-Derek

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alex Martin
Sent: Thursday, June 16, 2005 5:32 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Setting up a routed DMZ
Derek Murawsky wrote:
> Alex,
> It's my understanding that in a routed environment, proxy ARP should be unnecessary. My ISP has a route to the 38.116.45.144/28 network through 68.28.28.78 (my firewall's outside IP). My firewall has a static route to that network since it's on a directly attached Ethernet card, so it seems that all should work, correct?
> Also, in this setup, I should set the DMZ'd hosts to use 66.28.28.77 as their default gateway? It's not on the same network (DMZ is 38.116.45.144/28), so will it still work?
> Thanks for your ideas.
> -Derek

Will you give a complete report as in www.shorewall.net/support.htm? This will provide all of your routing tables, and other info, that I would like to ponder. I think you are having routing issues, and I think the dump above will give enough info to debug it, I hope.

FWIW, traceroute to 68.28.28.78 and 38.116.45.144 (which is bogus but I should get close) seem to go in different directions.

Alex Martin
http://www.rettc.com