Greets.

On my shorewall 1.2.8 fw I have eth0 which is my TWC cable modem and eth1 which is my private 192.168.0.0 network. After setting up shorewall on SuSE 7.3 I noticed the following:

kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=:01:00:5e...08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2

From the logs it looks like the cable modem, a Surfboard SB3100, is doing some broadcast stuff every 3 min. I haven't yet sniffed it to see what it is but my guess is that it's testing to see if the host it's attached to is turned on. (Maybe to release its DHCP address if it doesn't get a response?)

Ideally I would like to tell shorewall that broadcasts from this IP/MAC on eth0 are okay but NOT to pass them on to the local net at eth1.

Any clues as to how to do this? I think, from the docs I've read, that I need to add the CM to the loc zone using the host file but I'm not sure if that's all I have to do.

Any help would be great.

-- Scott
Scott,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Russell
> Sent: Sunday, February 24, 2002 5:59 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] CM doing multicast stuff
>
> Ideally I would like to tell shorewall that broadcasts from this IP/MAC on
> eth0 are okay but NOT to pass them on to the local net at eth1.
>
> Any clues as to how to do this? I think, from the docs I've read, that I need to
> add the CM to the loc zone using the host file but I'm not sure if that's all
> I have to do.

This sounds like a regression between 1.2.6 and 1.2.8 -- 1.2.6 and earlier versions did what you want. I'll take a look....

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Russell
> Sent: Sunday, February 24, 2002 5:59 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] CM doing multicast stuff
>
> Greets.
>
> On my shorewall 1.2.8 fw I have eth0 which is my TWC cable modem and eth1
> which is my private 192.168.0.0 network. After setting up shorewall on SuSE
> 7.3 I noticed the following:
>
> kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=:01:00:5e...08:00
> SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0
> PROTO=2

Scratch my previous comments about a regression; I see that the source address is 192.168.100.1 -- an RFC 1918 address. If you want to handle some packets from RFC 1918 hosts differently from others, you will need to NOT specify 'norfc1918' on the interface and add your own rules to filter what you want or don't want to log.

-Tom
Scott Russell wrote:

> Greets.
>
> On my shorewall 1.2.8 fw I have eth0 which is my TWC cable modem and eth1
> which is my private 192.168.0.0 network. After setting up shorewall on SuSE
> 7.3 I noticed the following:
>
> kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=:01:00:5e...08:00
> SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0
> PROTO=2
>
> From the logs it looks like the cable modem, a Surfboard SB3100, is doing
> some broadcast stuff every 3 min. I haven't yet sniffed it to see what it is
> but my guess is that it's testing to see if the host it's attached to is
> turned on. (Maybe to release its DHCP address if it doesn't get a response?)

I doubt it. I have a Nortel cable modem, and it has that address hard coded on the internal interface. You can point your web browser at the modem and look at the link status and error logs. I don't know if this is the case with your modem, but I expect it's something similar.

My cable modem regularly broadcasts IGMP just like that as well. I think it's something to do with the cable modem management protocols that my ISP uses.

> Ideally I would like to tell shorewall that broadcasts from this IP/MAC on
> eth0 are okay but NOT to pass them on to the local net at eth1.
>
> Any clues as to how to do this? I think, from the docs I've read, that I need to
> add the CM to the loc zone using the host file but I'm not sure if that's all
> I have to do.

I think that what you really want is to override the rfc1918 addressing for just that case and silently drop the packets. I don't know if this is possible.

Tom, this is the sort of situation I was referring to when I emailed you a while back about providing some way to allow selected rfc1918 addresses but deny all the rest as normal. At the moment, I have to turn off rfc1918 because my cable modem is so noisy. I really would like to use the rfc1918 protection, but we need to have some way of overriding it on a per-interface basis.

Maybe we should have a way of marking rules as pre-rfc1918 filtering? Or perhaps a separate config file like 'common.def' but inserted at the beginning instead of the end?

Paul
http://paulgear.webhop.net
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Paul Gear
> Sent: Monday, February 25, 2002 12:36 AM
> To: Scott Russell
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] CM doing multicast stuff
>
> I think that what you really want is to override the rfc1918 addressing for just
> that case and silently drop the packets. I don't know if this is possible.
>
> Tom, this is the sort of situation I was referring to when I emailed you a while
> back about providing some way to allow selected rfc1918 addresses but deny all
> the rest as normal. At the moment, I have to turn off rfc1918 because my cable
> modem is so noisy. I really would like to use the rfc1918 protection, but we
> need to have some way of overriding it on a per-interface basis. Maybe we
> should have a way of marking rules as pre-rfc1918 filtering? Or perhaps a
> separate config file like 'common.def' but inserted at the beginning instead of
> the end?

I thought about this some more after I went to bed last night and I think that you can both simply create /etc/shorewall/start and in it place the following:

IGNORE1918=<comma-separated list of IP addresses that you will allow to enter your system>

for addr in `expand_list $IGNORE1918`; do
    run_iptables -I rfc1918 -s $addr -j RETURN
done

I don't think that I want to add formal support in Shorewall for this but the above should work fine. You could of course assign the value to IGNORE1918 in the /etc/shorewall/params file if you choose.

-Tom
Tom Eastep wrote:

> ...
> > Tom, this is the sort of situation I was referring to when I emailed you a while
> > back about providing some way to allow selected rfc1918 addresses but deny all
> > the rest as normal. At the moment, I have to turn off rfc1918 because my cable
> > modem is so noisy. I really would like to use the rfc1918 protection, but we
> > need to have some way of overriding it on a per-interface basis. Maybe we
> > should have a way of marking rules as pre-rfc1918 filtering? Or perhaps a
> > separate config file like 'common.def' but inserted at the beginning instead of
> > the end?
>
> I thought about this some more after I went to bed last night and

The guys are right - you are better than paid support! :-)

> I think that you can both simply create /etc/shorewall/start and in it
> place the following:
>
> IGNORE1918=<comma-separated list of IP addresses that you will allow to
> enter your system>
>
> for addr in `expand_list $IGNORE1918`; do
>     run_iptables -I rfc1918 -s $addr -j RETURN
> done
>
> I don't think that I want to add formal support in Shorewall for this
> but the above should work fine. You could of course assign the value to
> IGNORE1918 in the /etc/shorewall/params file if you choose.

That sounds good. I will give it a try as soon as I am able. My understanding of RETURN is that it goes back to the previous chain, which would make it pass through all our normal rules and policies. Is that right?

BTW, the new "shorewall check" in 1.2.8 rocks! As we say here in Oz, you're a dead-set legend!

Paul
> -----Original Message-----
> From: paulgear@gear03.gear.dyndns.org
> [mailto:paulgear@gear03.gear.dyndns.org] On Behalf Of Paul Gear
> Sent: Monday, February 25, 2002 12:13 PM
> To: Tom Eastep
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] CM doing multicast stuff
>
> > I think that you can both simply create /etc/shorewall/start and in it
> > place the following:
> >
> > IGNORE1918=<comma-separated list of IP addresses that you will allow to
> > enter your system>
> >
> > for addr in `expand_list $IGNORE1918`; do
> >     run_iptables -I rfc1918 -s $addr -j RETURN
> > done
> >
> > I don't think that I want to add formal support in Shorewall for this
> > but the above should work fine. You could of course assign the value to
> > IGNORE1918 in the /etc/shorewall/params file if you choose.
>
> That sounds good. I will give it a try as soon as I am able. My
> understanding of RETURN is that it goes back to the previous chain, which
> would make it pass through all our normal rules and policies. Is that
> right?

Yes.

-Tom
Paul Gear wrote:

> That sounds good. I will give it a try as soon as I am able. My
> understanding of RETURN is that it goes back to the previous chain, which
> would make it pass through all our normal rules and policies. Is that
> right?
>
> BTW, the new "shorewall check" in 1.2.8 rocks! As we say here in Oz,
> you're a dead-set legend!

Aye, I'm chiming in, too! :-) Tom has made iptables easy for us users while doing such hard work on his own. Thanks isn't really enough!..

I have the same problem as Scott, using a Surfboard 4100. The same multicasts show up every 6 minutes. Same IP - 192.168.100.1 - it has a configurator in which you can enable or disable DHCP for the internal network. I disabled it but the multicasts keep showing up and I was trying to figure out how to try and disengage the logging for that IP but, as Tom mentioned, it's the norfc1918 chain that causes the logging and changing policies won't work. So I'll try Tom's fix, too, and see what happens....

Tom, you got a good cheerleader squad out here! :-)

--
Patrick Benson
Stockholm, Sweden
On Mon, Feb 25, 2002 at 05:56:41AM -0800, Tom Eastep wrote:

> I thought about this some more after I went to bed last night and I
> think that you can both simply create /etc/shorewall/start and in it
> place the following:
>
> IGNORE1918=<comma-separated list of IP addresses that you will allow to
> enter your system>
>
> for addr in `expand_list $IGNORE1918`; do
>     run_iptables -I rfc1918 -s $addr -j RETURN
> done

In shorewall 1.2.8 I get an error on the expand_list command. Running SuSE 7.3 + errata. I looked on my Red Hat 7.2 box for it, checked the bash manpage, and even looked in perldoc. :) Any hints?

-- Scott
Try separate_list instead of expand_list!

Regards,
Ajay
Thanks for the correction Ajay...

-Tom

> -----Original Message-----
> From: Ajay Ramaswamy [mailto:ajayr@1ar.org]
> Sent: Monday, February 25, 2002 6:33 PM
> To: Scott Russell
> Cc: Tom Eastep; 'Paul Gear'; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] CM doing multicast stuff
>
> Try separate_list instead of expand_list!
>
> Regards,
> Ajay
On Tue, Feb 26, 2002 at 08:03:04AM +0530, Ajay Ramaswamy wrote:

> Try separate_list instead of expand_list!
>
> Regards,
> Ajay

Bingo. This works. My cable modem no longer fills my logs with rfc1918 noise. Here's the contents of my /etc/shorewall/start file for anyone who wants to see. Thanks for all the help and kudos on a nice package.

# Hack to get around cable modem doing broadcasts
# against eth1 and getting trapped in the rfc1918
# chain. Perhaps in the future this can be done by
# MAC address instead.
#
# $IGNORE1918 is a comma separated list of addresses
# to ignore. Not tested but it should take subnets
# such as 192.168.100.0/24 as well.

IGNORE1918="192.168.100.1"

for addr in `separate_list $IGNORE1918`; do
    run_iptables -I rfc1918 -s $addr -j RETURN
done
Scott Russell wrote:

> ...
> Bingo. This works. My cable modem no longer fills my logs with rfc1918 noise.
> Here's the contents of my /etc/shorewall/start file for anyone who wants to
> see. Thanks for all the help and kudos on a nice package.
> ...
> IGNORE1918="192.168.100.1"
>
> for addr in `separate_list $IGNORE1918`; do
>     run_iptables -I rfc1918 -s $addr -j RETURN
> done

Works for me, too. It took me a few minutes to work out why I still wasn't seeing the packets, though - multicast packets are dropped in common.def. And because I already allow outgoing connections to http, looking at the cable modem web page worked fine, too.

Good work, lads!

Paul

P.S. Maybe we'd better make a new motto for shorewall and Tom: "Better than proprietary firewalls. Better than paid support." :-)
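Tom's /etc/shorewall/start snippet and Scott's working version, rendered as a dry run that also answers Paul's RETURN question: this is an added example, not code from the thread or from Shorewall itself. `run_iptables` and `separate_list` here are stand-ins assumed to mirror Shorewall's helpers (one records the iptables command instead of executing it, the other splits a comma-separated list), and the second function is an added narrower variant that exempts only the IGMP-to-224.0.0.1 traffic shown in Scott's log line rather than every packet from the modem's address.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: a dry run of the
# /etc/shorewall/start approach. run_iptables and separate_list are stand-ins
# (assumed to mirror Shorewall's helpers): one records the iptables command
# instead of executing it, the other splits a comma-separated list.

separate_list() {
    printf '%s\n' "$*" | tr ',' ' '
}

RULES=""
run_iptables() {
    RULES="${RULES}iptables $*
"
}

# The thread's version: every packet from the listed hosts/subnets leaves the
# rfc1918 chain via RETURN. RETURN hands the packet back to the chain that
# called rfc1918, so it is still subject to the normal rules and policies
# (Paul's question, Tom's "Yes"). -I inserts at the top of the chain, so the
# last address listed ends up first; for RETURN exemptions the order is
# irrelevant.
exempt_rfc1918_hosts() {
    RULES=""
    for addr in $(separate_list "$1"); do
        run_iptables -I rfc1918 -s "$addr" -j RETURN
    done
    printf '%s' "$RULES"
}

# Narrower variant (an added refinement): exempt only what the log line shows,
# IGMP (PROTO=2) to 224.0.0.1, so any other packet from the modem's RFC 1918
# address is still caught by the rfc1918 chain.
exempt_rfc1918_igmp() {
    RULES=""
    for addr in $(separate_list "$1"); do
        run_iptables -I rfc1918 -s "$addr" -p igmp -d 224.0.0.1 -j RETURN
    done
    printf '%s' "$RULES"
}

# Demo with Scott's value plus a subnet, as the comment in his start file
# suggests should work.
exempt_rfc1918_hosts "192.168.100.1,192.168.100.0/24"
exempt_rfc1918_igmp "192.168.100.1"
```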