Mauro G. Todeschini
2003-Feb-03 15:48 UTC
[Shorewall-users] Problem with an alias interface
Hi,
this is my first message to the list and I want to thank the author for developing Shorewall.

And now the problem. I'm using version 1.3.13 and I have eth0 (IP a.b.c.d/24) as a public interface. I have an alias on eth0:0 (address a.b.c.e/24) and my dns service listens on this IP (at the moment the dns is stopped).

This is my policy file:

#SOURCE...
fw all ACCEPT
all all DROP
#LAST....

This is my rules file:

#ACTION...
ACCEPT net fw:155.253.4.253 tcp 53
ACCEPT net fw:155.253.4.253 udp 53
ACCEPT net fw:155.253.4.254 tcp 22
ACCEPT net fw:155.253.4.254 tcp 53
ACCEPT net fw:155.253.4.254 udp 53
#LAST...

But if I scan with nmap (from another machine) this is the result:

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on (155.253.4.253):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.942 days (since Wed Jan 29 07:36:00 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on mi-gw.itia.cnr.it (155.253.4.254):
(The 1597 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
113/tcp    closed      auth
135/tcp    closed      loc-srv

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.841 days (since Wed Jan 29 09:59:03 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 263 seconds

It is strange. It seems that eth0:0 is not filtered but eth0 is correctly filtered. Probably I've done something wrong. I want eth0:0 to be filtered like eth0 and to be able to selectively accept connections through the rules file. Is it possible? Any hint?

Here is the output of the command you suggest...

Linux mi-gw 2.4.19 #3 Thu Jan 23 15:38:17 CET 2003 i686 unknown

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:f5:8a:61 brd ff:ff:ff:ff:ff:ff
    inet 155.253.4.254/24 brd 155.253.4.255 scope global eth0
    inet 155.253.4.253/24 brd 155.253.4.255 scope global secondary eth0:0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

155.253.4.0/24 dev eth0 proto kernel scope link src 155.253.4.254
10.2.0.0/16 dev eth1 proto kernel scope link src 10.2.1.254
default via 155.253.4.1 dev eth0 metric 1

Bye
--
Mauro G. Todeschini
e-mail: m.todeschini@itia.cnr.it

Mauro G. Todeschini
2003-Feb-03 15:49 UTC
[Shorewall-users] Re: Problem with an alias interface
On 3 Feb 2003 at 6:50, shorewall-users@lists.shorewa wrote:

> Hi,
> this is my first message to the list and I want to thank the author for developing
> Shorewall.

Ok, this is my first message but I should have waited to send it :))). I found the problem (a stupid error I've made configuring my machine), and it didn't depend on Shorewall.

Ignore my first message, sorry.

Bye
--
Mauro G. Todeschini
e-mail: m.todeschini@itia.cnr.it