I'm trying to figure out how shorewall/iptables/firewalling works and set up a test system in the basement. It's the standard Internet-DMZ-Internal setup but with an additional part, a zone with lots of Internet users. I created a zone (called "cvs" for some developers), added about 50 static IPs to it and gave SSH rights to them into the DMZ server.

The problem is that for some unknown reason shorewall seems to want to make sure that the developers can talk to each other over my external interface. When I do iptables -L I have something like

  ...
  Chain cvs2cvs (2500 references)
  target     prot opt source               destination
  ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  cvs2all    all  --  anywhere             anywhere
  ...
  Chain eth0_fwd
  target     prot opt source               destination
  ...
  cvs2cvs    all  --  1.1.1.1              1.1.1.1
  cvs2cvs    all  --  1.1.1.1              1.1.1.2
  cvs2cvs    all  --  1.1.1.1              1.1.1.3
  cvs2cvs    all  --  1.1.1.1              1.1.1.4
  cvs2cvs    all  --  1.1.1.1              1.1.1.5
  ..
  cvs2cvs    all  --  1.1.1.2              1.1.1.1
  cvs2cvs    all  --  1.1.1.2              1.1.1.2
  cvs2cvs    all  --  1.1.1.2              1.1.1.3
  ...

Why is it adding all these "cvs2cvs" entries? Right now it takes about 4 minutes to reload the rules and I guess it probably impacts traffic also, having to go over all the rules. I did set up a small environment on another server and the same thing happened there.

What am I doing wrong?
How can I avoid it?

My intention (in this case) is to have SSH (plus some other application-specific ports) access only from fixed IPs to some servers in the DMZ, and since the servers are spread out all over the place I can't make a simple network out of them but have to add them to a host group. Is there some other way to do it without getting a table with several thousand entries that I can't see any reason for?
--
-------------------------------------------------------------------
"The software said it requires Windows 95 or better, so I installed Linux"
Techwiz, Peter Sjöberg
PGP key on keyserver & homepage
Key fingerprint = 2C2E 30B6 5E85 9422 352B E23B EA7D B09F C30A 1303
mailto:peters@techwiz.ca
http://www.techwiz.ca/~peters
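The listing above shows the shape of the problem: one jump to cvs2cvs for every ordered (source, destination) pair of hosts in the zone, so 50 hosts give 50 x 50 = 2500 references. The script below is an added example, not part of this thread or of Shorewall: it parses `iptables -L`-style output, collects the (source, destination) pairs of every jump into a user chain, and reports chains whose jump rules form an every-host-to-every-host grid. The sample listing it runs on is constructed to mimic the one in the question, with four hosts instead of fifty; the chain and host names are taken from the question, and the `cvs2dmz` rule and the 10.0.0.5 address are made up so the report has a non-grid rule to ignore.

```python
"""Spot intra-zone host-pair rule explosions in `iptables -L` output.

Added example, not part of the original thread or of Shorewall.
"""
import itertools
import re
from collections import defaultdict

# "Chain cvs2cvs (2500 references)" for user chains, "Chain INPUT (policy ACCEPT)" for built-ins
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy (\S+))\)$")
# iptables -L prints: target prot opt source destination [match text]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def build_sample(hosts, zone="cvs"):
    """Construct an `iptables -L`-style listing like the one in the question.

    Constructed sample data, not real firewall output: the forwarding chain for
    the external interface jumps to <zone>2<zone> once for every ordered
    (source, destination) pair of hosts in the zone, a host to itself included.
    """
    intra = f"{zone}2{zone}"
    lines = [
        f"Chain {intra} ({len(hosts) ** 2} references)",
        "target     prot opt source               destination",
        "ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED",
        f"{zone}2all    all  --  anywhere             anywhere",
        "",
        "Chain eth0_fwd (1 references)",
        "target     prot opt source               destination",
    ]
    for src, dst in itertools.product(hosts, repeat=2):
        lines.append(f"{intra:<10} all  --  {src:<20} {dst}")
    # one ordinary host-to-DMZ rule (hypothetical), so the report has a non-grid jump to skip
    lines.append(f"{zone}2dmz     all  --  {hosts[0]:<20} 10.0.0.5")
    return "\n".join(lines) + "\n"


def parse_iptables_l(text):
    """Return {chain: {"refs": int|None, "rules": [(target, prot, src, dst), ...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            refs = int(m.group(2)) if m.group(2) else None
            chains[current] = {"refs": refs, "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue  # column header, or text before the first chain
        m = RULE_RE.match(line)
        if m:
            target, prot, _opt, src, dst = m.groups()[:5]
            chains[current]["rules"].append((target, prot, src, dst))
    return chains


def find_pair_grids(chains):
    """Find user chains reached by an every-host-to-every-host set of jump rules.

    Returns {target_chain: (host_count, rule_count)} for every target whose jump
    rules cover exactly hosts x hosts for some host set of size >= 2.
    """
    pairs = defaultdict(set)
    for chain in chains.values():
        for target, _prot, src, dst in chain["rules"]:
            if target in chains:  # a jump to a user-defined chain, not ACCEPT/DROP/etc.
                pairs[target].add((src, dst))
    grids = {}
    for target, ps in pairs.items():
        srcs = {s for s, _ in ps}
        dsts = {d for _, d in ps}
        if srcs == dsts and len(srcs) >= 2 and len(ps) == len(srcs) ** 2:
            grids[target] = (len(srcs), len(ps))
    return grids


def expected_intrazone_rules(host_count):
    """One rule per ordered host pair: N*N (50 hosts -> 2500, the count in the question)."""
    return host_count * host_count


def report(text):
    """One summary line per grid chain found in the listing."""
    chains = parse_iptables_l(text)
    grids = find_pair_grids(chains)
    return [
        f"{target}: {n} hosts -> {rules} pair rules "
        f"({chains[target]['refs']} references reported by iptables)"
        for target, (n, rules) in sorted(grids.items())
    ]


if __name__ == "__main__":
    sample_hosts = [f"1.1.1.{i}" for i in range(1, 5)]
    for line in report(build_sample(sample_hosts)):
        print(line)
    print(f"50 hosts would give {expected_intrazone_rules(50)} pair rules")
```

Run it against real output with `iptables -L | python3 this_script.py`-style piping only after swapping `build_sample(...)` for `sys.stdin.read()`; the parser expects the unnumbered `iptables -L` layout shown in the question, so do not pass `--line-numbers`.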
Peter Sjöberg wrote:
> ...
>
> Why is it adding all these "cvs2cvs" entries? Right now it takes about 4
> minutes to reload the rules and I guess it probably impacts traffic
> also, having to go over all the rules.
> I did set up a small environment on another server and the same thing happened
> there.
>
> What am I doing wrong?
> How can I avoid it?
>

This can be caused by:

a) a 'cvs->cvs' policy is defined.
b) a 'cvs->cvs' rule is defined.
c) the external interface has the 'multi' option specified.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> This can be caused by:
>
> a) a 'cvs->cvs' policy is defined.
> b) a 'cvs->cvs' rule is defined.
> c) the external interface has the 'multi' option specified.
>

You may also have to modify your firewall script to change the function 'setup_intrazone' to be as follows:

  setup_intrazone() # $1 = zone
  {
      eval hosts=\$${1}_hosts

      if have_interfaces_in_zone_with_option $1 multi; then
          ensurechain ${1}2${1}
      fi
  }

Let me know if that corrects the problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 18 Feb 2003, Tom Eastep wrote:

> Tom Eastep wrote:
> >
> > This can be caused by:
> >
> > a) a 'cvs->cvs' policy is defined.

No, only 'cvs->all REJECT'

> > b) a 'cvs->cvs' rule is defined.

only a few 'cvs->other'

> > c) the external interface has the 'multi' option specified.

No multi specified on any interface

> >
> You may also have to modify your firewall script to change the function
> 'setup_intrazone' to be as follows:
>
> setup_intrazone() # $1 = zone
> {
>     eval hosts=\$${1}_hosts
>
>     if have_interfaces_in_zone_with_option $1 multi; then
>         ensurechain ${1}2${1}
>     fi
> }

This seems to have worked.
My restart time is now just below one minute and there is no 'cvs2cvs' target.
Thanks.

BTW: The version I'm running is 1.3.11 (Mandrake's MNF 8.2). Is this anything that has changed in later versions?

> Let me know if that corrects the problem.
>
> -Tom
>

--
-------------------------------------------------------------------
"The software said it requires Windows 95 or better, so I installed Linux"
Techwiz, Peter Sjöberg
PGP key on keyserver & homepage
Key fingerprint = 2C2E 30B6 5E85 9422 352B E23B EA7D B09F C30A 1303
mailto:peters@techwiz.ca
http://www.techwiz.ca/~peters
Peter Sjöberg wrote:
>
> This seems to have worked.
> My restart time is now just below one minute and there is no 'cvs2cvs' target.
> Thanks.
>
> BTW: The version I'm running is 1.3.11 (Mandrake's MNF 8.2). Is this
> anything that has changed in later versions?

No, but it is something that should change in the current version.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net