Here's my setup

  eth2 - Internet interface
  eth0 & eth1 - Local interfaces joined with a bridge (br0)

br0 is set up to use subnet 10.1.0.0/24.

I've tried both Shorewall 1.4.10d and 2.0.1RC3.

Problem:

Machine coming in on eth0 cannot reach a machine on eth1. Before I added the bridge, I had no problem communicating between the two interfaces, and I thought the bridge was supposed to automatically forward everything coming in on eth0 to eth1 and vice versa?

In policy, I have one for local -> all and figured that would be sufficient?

Here are the log messages I get. In this case, 10.1.0.11 is on eth0 and 10.1.0.12 is on eth1 and I'm trying to send stuff from 10.1.0.11 to 10.1.0.12 (to port 5001). But the error is reproducible for any communication whatsoever.

  Apr 1 02:38:20 excelsior kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.1.0.11 DST=10.1.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=3889 DF PROTO=TCP SPT=1392 DPT=5001 WINDOW=25200 RES=0x00 SYN URGP=0

Here are the config files I changed from the default:

interfaces:

  #ZONE   INTERFACE   BROADCAST    OPTIONS
  net     eth2        detect       dhcp
  loc     br0         10.1.0.255
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq:

  #INTERFACE   SUBNET        ADDRESS
  eth2         10.2.0.0/24
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy:

  #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
  #                         LEVEL
  loc       all    ACCEPT
  $FW       all    ACCEPT
  net       all    DROP     info
  #
  # THE FOLLOWING POLICY MUST BE LAST
  #
  all       all    REJECT   info
  #LAST LINE -- DO NOT REMOVE

rules:

  #ACTION   SOURCE   DEST   PROTO   DEST                  SOURCE    ORIGINAL   RATE    USER
  #                                 PORT                  PORT(S)   DEST       LIMIT
  ACCEPT    net      fw     tcp     smtp,ssh,http,https
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Any ideas about how to fix this? :)
Here's my setup

  eth2 - Internet interface
  eth0 & eth1 - Local interfaces joined with a bridge (br0)

br0 is set up to use subnet 10.1.0.0/24.

I've tried both Shorewall 1.4.10d and 2.0.1RC3.

Problem:

Machine coming in on eth0 cannot reach a machine on eth1. Before I added the bridge, I had no problem communicating between the two interfaces, and I thought the bridge was supposed to automatically forward everything coming in on eth0 to eth1 and vice versa?

In policy, I have one for local -> all and figured that would be sufficient?

Here are the log messages I get. In this case, 10.1.0.11 is on eth0 and 10.1.0.12 is on eth1 and I'm trying to send stuff from 10.1.0.11 to 10.1.0.12 (to port 5001). But the error is reproducible for any communication whatsoever.

  Apr 1 02:38:20 excelsior kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.1.0.11 DST=10.1.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=3889 DF PROTO=TCP SPT=1392 DPT=5001 WINDOW=25200 RES=0x00 SYN URGP=0

Here are the config files I changed from the default:

interfaces:

  net   eth2   detect       dhcp
  loc   br0    10.1.0.255

masq:

  eth2   10.1.0.0/24

policy:

  loc   all   ACCEPT
  fw    all   ACCEPT
  net   all   DROP     info
  all   all   REJECT   info

rules:

  ACCEPT   net   fw   tcp   smtp,ssh,http,https

Any ideas about how to fix this? :)
Matt N wrote:
> Here's my setup
>
> eth2 - Internet interface
> eth0 & eth1 - Local interfaces joined with a bridge (br0)
>
> br0 is set up to use subnet 10.1.0.0/24.
>
> I've tried both Shorewall 1.4.10d and 2.0.1RC3.
>
> Problem:
>
> Machine coming in on eth0 cannot reach a machine on eth1.
> Before I added the bridge, I had no problem communicating between the two
> interfaces, and I thought the bridge was supposed to automatically forward
> everything coming in on eth0 to eth1 and vice versa?
>
> In policy, I have one for local -> all and figured that would be sufficient?
> Here are the log messages I get. In this case, 10.1.0.11 is on eth0 and
> 10.1.0.12 is on eth1 and I'm trying to send stuff from 10.1.0.11 to
> 10.1.0.12 (to port 5001). But the error is reproducible for any
> communication whatsoever.
>
> Apr 1 02:38:20 excelsior kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0
> PHYSIN=eth0 PHYSOUT=eth1 SRC=10.1.0.11 DST=10.1.0.12 LEN=48 TOS=0x00
> PREC=0x00 TTL=128 ID=3889 DF PROTO=TCP SPT=1392 DPT=5001 WINDOW=25200
> RES=0x00 SYN URGP=0
>
> Here are the config files I changed from the default:
>
> interfaces:
>
> net eth2 detect dhcp
> loc br0 10.1.0.255
>

Bridges need the 'routeback' option.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
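The log line in the thread carries the signature of the missing 'routeback' option: the packet entered and left the same bridge device (IN=br0 OUT=br0) on two different physical ports (PHYSIN=eth0 PHYSOUT=eth1) and was rejected by the FORWARD chain. The parser below, an added example that is not part of the thread or of Shorewall itself, pulls the netfilter key=value fields out of Shorewall kernel log lines and flags exactly those intra-bridge rejects; the first sample line is the one from the thread, the second is a constructed ordinary net-side drop for contrast.

```python
import re

# Constructed sample log: line 1 is the thread's message, line 2 is a made-up
# routed drop on the Internet interface (no PHYSIN/PHYSOUT, IN != OUT).
SAMPLE_LOG = """\
Apr  1 02:38:20 excelsior kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.1.0.11 DST=10.1.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=3889 DF PROTO=TCP SPT=1392 DPT=5001 WINDOW=25200 RES=0x00 SYN URGP=0
Apr  1 02:40:02 excelsior kernel: Shorewall:net2all:DROP:IN=eth2 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes netfilter log output with "Shorewall:<chain>:<target>:".
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the log line's fields, or None if it is not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "target": m.group("target")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            rec[key] = value
        else:
            rec.setdefault("flags", []).append(tok)   # bare flags such as DF, SYN
    return rec


def is_bridge_hairpin_reject(rec):
    """True when traffic was rejected/dropped while crossing a bridge device
    between two of its ports: same IN and OUT device, different physical ports.
    That is the pattern a bridged interface without 'routeback' produces."""
    return (rec is not None
            and rec["target"] in ("REJECT", "DROP")
            and bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")
            and "PHYSIN" in rec and "PHYSOUT" in rec
            and rec["PHYSIN"] != rec["PHYSOUT"])


def find_hairpin_rejects(log_text):
    """Scan a block of log text and return (bridge, physin, physout, src, dst, dport) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_bridge_hairpin_reject(rec):
            hits.append((rec["IN"], rec["PHYSIN"], rec["PHYSOUT"],
                         rec["SRC"], rec["DST"], rec.get("DPT")))
    return hits


if __name__ == "__main__":
    for br, pin, pout, src, dst, dpt in find_hairpin_rejects(SAMPLE_LOG):
        print(f"{br}: {src} -> {dst}:{dpt} via {pin}->{pout} was rejected; "
              f"check that the {br} entry in /etc/shorewall/interfaces has 'routeback'")
```

Running it against the thread's line reports the br0 hairpin and leaves the routed eth2 drop alone, which is the distinction to make before reaching for the interfaces file.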
Sorry about the double-post. Please ignore this message and instead have a look at the subsequent posting of the same name (I've corrected & cleaned up the post).

./matt

  Date: Thu, 1 Apr 2004 02:51:04 -0500
  From: "Matthew Nichols" <mjnichol@uwaterloo.ca>
  Subject: [Shorewall-users] Local machines can't talk over bridge
  To: <shorewall-users@lists.shorewall.net>
  Message-ID: <000501c417be$1597c6f0$0c00010a@constellation>
  Content-Type: text/plain; charset="iso-8859-1"
Thanks :) That did it. I distinctly remember trying this with 2.0.1RC3, though, and it didn't work, but I'll try that version again later today and let you know. I had forgotten to try it with 1.4.10, which is what I'm using now and which seems to work.

./matt

> Bridges need the 'routeback' option.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep at shorewall.net
Matt N wrote:
> Thanks :) That did it. I distinctly remember trying this with 2.0.1RC3,
> though, and it didn't work, but I'll try that version again later today and
> let you know. I had forgotten to try it with 1.4.10, which is what I'm using now
> and which seems to work.
>

Yep -- seems to be broken in RC3 :-(

RC4 will be out sometime in the next day or so...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Matt N wrote:
>
>> Thanks :) That did it. I distinctly remember trying this with 2.0.1RC3,
>> though, and it didn't work, but I'll try that version again later
>> today and let you know. I had forgotten to try it with 1.4.10, which is what I'm
>> using now and which seems to work.
>>
>
> Yep -- seems to be broken in RC3 :-(
>
> RC4 will be out sometime in the next day or so...

In the mean time, the 'firewall' script in CVS (Shorewall2/ project) corrects the problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net