Hi,

I have set up a shorewall with 2 subnets on the internet zone. Here are the IPs of the firewall:

Internet
--------
xx.xx.1.24/28
xx.xx.2.14/28

DMZ
---
192.168.254.254/24

Local
------
192.168.1.254

Everything works fine. The Local net is masqueraded. A bunch of servers are in the DMZ and connected via ProxyARP. I have access from the local net to the dmz and the internet. Also the access from the internet to the hosts in the dmz is fine.

My only problem is that the routing between the two internet subnets is not working. When I try to access a port from one host (IP xx.xx.1.18) in the DMZ to another host (IP xx.xx.2.2) in the DMZ but in another subnet I get a "connection refused". When doing the same from the internet everything works.

I have the option "multi" on the net zone set. I tried to put the option also on the dmz zone but it didn't help. Also I tried to put "dmz dmz ACCEPT" in the policy file.

Sascha

--------------------------------------------------------
Sascha Knific            K Systems & Design
Tel. +49-8151-773260     Wittelsbacherstr. 6a
Fax. +49-8151-773262     82319 Starnberg, Germany
Leo +49-8151-773261      WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net      http://www.k-sysdes.net
Sascha,

Your report is a bit confused since you report that your Internet interface has 2 subnets yet you go on to talk almost exclusively about your DMZ!!??

Assuming that you really do have two internet subnets that aren't talking to each other, you would want "multi" to be specified on the 'net' interface (unless the subnets have separate interfaces) and you would want the 'net->net' policy to be ACCEPT.

-Tom

----- Original Message -----
From: "Sascha Knific" <knific@k-sysdes.net>
To: <shorewall-users@shorewall.net>
Sent: Tuesday, March 19, 2002 4:51 AM
Subject: [Shorewall-users] Routing Problem

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Hi,

At 05:42 19.03.2002 -0800, you wrote:
>Your report is a bit confused since you report that your Internet interface
>has 2 subnets yet you go on to talk almost exclusively about your DMZ!!??

The ISP assigned the customer 2 subnets. The routing between them is done by the ISP's router. I was told that the ISP accounts the routed traffic between the two subnets.

To save some money I wanted the firewall to do the routing. The hosts that had the routing problem are in the DMZ. So my first thought was that the problem must have something to do with the DMZ/ProxyARP construction (I was wrong :-(((. That's why maybe my report was so confusing....

>Assuming that you really do have two internet subnet that aren't talking to
>each other, you would want "multi" to be specified on the 'net' interface
>(unless the subnets have separate interfaces) and you would want the
>'net->net' policy to be ACCEPT.

That did it!!! Yuhu! I knew that I had to specify "multi" but I didn't think of net/net ;-(((.

Thank you very much!!!

Regards
Sascha
Hi Tom,

I overlooked something. The problem is still there. I reworked my report:

Here a little ASCII art:
------------------------

Router (xx.xx.1.17/28 & xx.xx.2.1/28)
  !
Firewall (xx.xx.1.24/28 & xx.xx.2.14/28) --------- DMZ (192.168.254.254/24)
  !
Internet (192.168.1.254/24)

In the DMZ:
-----------
Host A (xx.xx.1.18)
Host B (xx.xx.2.3)

ProxyARP is set for all hosts in the DMZ.

The Problem:
------------
Host A and host B can't communicate.

I have specified "multi" on the NET interface and "net net ACCEPT" in the policy file.

I looked through the FORWARD chain and I have found:

target     prot opt in     out
-------------------------------
net2net    all  --  eth1   eth1

In my config eth1 is the NET interface and eth2 the DMZ interface. So in/out is limited on eth1. Could this be my problem????

Kind regards
Sascha Knific
Sascha,

Why don't you simply add host routes on each of your DMZ systems so that they can communicate directly? It would be stupid to make them communicate through the firewall when they are on the same LAN segment.

The way that host routes are added depends on which distribution you are running...

-Tom

----- Original Message -----
From: "Sascha Knific" <knific@k-sysdes.net>
To: <shorewall-users@shorewall.net>; "Tom Eastep" <teastep@shorewall.net>
Sent: Tuesday, March 19, 2002 7:03 AM
Subject: Re: [Shorewall-users] Routing Problem
While you are researching how to add the proper host routes, the following approach should work:

For the DMZ interface, specify "multi".
Specify ACCEPT as the DMZ->DMZ policy.

Seems to me you tried that once already but it should work (although I think it's a hack). Be sure that your entry in the policy file isn't being masked by another policy.

-Tom

----- Original Message -----
From: "Sascha Knific" <knific@k-sysdes.net>
To: <shorewall-users@shorewall.net>; "Tom Eastep" <teastep@shorewall.net>
Sent: Tuesday, March 19, 2002 7:03 AM
Subject: Re: [Shorewall-users] Routing Problem
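Tom's warning that a policy entry can be "masked by another policy" is easy to check mechanically: Shorewall applies the first policy line whose SOURCE and DEST match, with "all" matching any zone, so a "dmz dmz ACCEPT" placed below an "all all" catch-all never fires. The script below is an added example for this thread, not code from Shorewall or from either poster; the two policy texts and the zone names in them are constructed to show the masked case and its corrected ordering.

```python
"""
Detect Shorewall policy entries that are masked by an earlier entry.

Shorewall reads /etc/shorewall/policy top to bottom and applies the first
entry whose SOURCE and DEST match the packet's zones; "all" in either
column matches any zone. A "dmz dmz ACCEPT" line that sits below an
"all all REJECT" line therefore never takes effect.

Added example for this thread; it is not code from Shorewall or from the
list posters. The zone names and the two policy texts below are constructed.
"""

from itertools import product

# Constructed policy file: the dmz->dmz ACCEPT is placed after a catch-all.
MASKED_POLICY = """\
# SOURCE   DEST   POLICY   LOG LEVEL
loc        net    ACCEPT
net        all    DROP     info
dmz        net    ACCEPT
all        all    REJECT   info
dmz        dmz    ACCEPT
"""

# Same entries with the dmz->dmz line moved above the catch-all.
FIXED_POLICY = """\
# SOURCE   DEST   POLICY   LOG LEVEL
loc        net    ACCEPT
net        all    DROP     info
dmz        net    ACCEPT
dmz        dmz    ACCEPT
all        all    REJECT   info
"""


def parse_policy(text):
    """Return [(source, dest, policy), ...], skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("expected SOURCE DEST POLICY: %r" % raw)
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def zones_in(entries):
    """Every concrete zone name in the file ("all" is a wildcard, not a zone)."""
    names = set()
    for src, dst, _ in entries:
        names.update(z for z in (src, dst) if z != "all")
    return sorted(names)


def first_match(entries, src, dst):
    """Index and POLICY of the first entry covering src->dst, or (None, None)."""
    for idx, (s, d, policy) in enumerate(entries):
        if s in ("all", src) and d in ("all", dst):
            return idx, policy
    return None, None


def effective_policy(text, src, dst):
    """The policy Shorewall would actually apply to connections from src to dst."""
    return first_match(parse_policy(text), src, dst)[1]


def masked_entries(entries):
    """Indexes of entries that can never be the first match for any pair they cover."""
    zones = zones_in(entries)
    masked = []
    for idx, (s, d, _) in enumerate(entries):
        srcs = zones if s == "all" else [s]
        dsts = zones if d == "all" else [d]
        # Masked if every pair this entry could match is already claimed above it.
        if all(first_match(entries, a, b)[0] < idx for a, b in product(srcs, dsts)):
            masked.append(idx)
    return masked


def report(text):
    """Human-readable lines, one per masked entry (1-based line positions)."""
    entries = parse_policy(text)
    lines = []
    for idx in masked_entries(entries):
        s, d, policy = entries[idx]
        lines.append("entry %d (%s %s %s) is masked" % (idx + 1, s, d, policy))
    return lines


if __name__ == "__main__":
    for name, text in (("masked", MASKED_POLICY), ("fixed", FIXED_POLICY)):
        print("%s: dmz->dmz effective policy = %s" % (name, effective_policy(text, "dmz", "dmz")))
        for line in report(text):
            print("  " + line)
```

Run it against a copy of the real policy file with `parse_policy(open("/etc/shorewall/policy").read())`; the check only reads the file and does not need the firewall to be running.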
At 07:25 19.03.2002 -0800, you wrote:
>While you are researching how to add the proper host routes, the following
>approach should work:
>
>For the DMZ interface, specify "multi".
>Specify ACCEPT as the DMZ->DMZ policy.
>
>Seems to me you tried that once already but it should work (although I think
>it's a hack). Be sure that your entry in the policy file isn't being masked
>by another policy.

You are right. Host routes are the best solution. I added them already. I'm not sure if I tried exactly this combination in the first place (we'll never know ;-))))

It amazes how complicated firewalls & Co. become when you start adding nics... I don't want to imagine an 8-port firewall.

Thanks again for your time!!!

Sascha
Sascha Knific wrote:
> ...
> Here a little ASCII art:
> ------------------------
> ...

I think we should start an award for the best ASCII art on the shorewall mailing list. :-) What do you all think?

Paul
http://paulgear.webhop.net
Hello,

FW has 2 interfaces to internet - eth2 (213.197...) and ppp0 (213.190...). DMZ is on eth1 (213.197...). Default route on FW is through ppp0. The problem is that outgoing connections from DMZ are going through eth2, but traceroute some.external.ip is going through ppp0 (this is what I want). What should I do in order for connections from the DMZ to go through ppp0? Is the easiest way to assign DMZ a 192.168 type address?

Regards,
Nerijus
On Wed, 27 Mar 2002 20:33:17 +0200 (EET) Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:

NB> FW has 2 interfaces to internet - eth2 (213.197...) and ppp0 (213.190...).
NB> DMZ is on eth1 (213.197...). Default route on FW is through ppp0.
NB> The problem is that outgoing connections from DMZ are going through eth2,
NB> but traceroute some.external.ip is going through ppp0 (this is what I want).
NB> What should I do in order connections from DMZ to go through ppp0?
NB> Is the easiest way to assign DMZ a 192.168 type address?

OK, I've added DMZ address to masq file and now everything seems OK.

Another question related to PPPoE. I have CLAMPMSS=1412 in my pppoe.conf (from rp-pppoe-3.3). Do I still need CLAMPMSS="Yes" in shorewall.conf?

Regards,
Nerijus
----- Original Message -----
From: "Nerijus Baliunas" <nerijus@users.sourceforge.net>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 27, 2002 11:15 AM
Subject: Re: [Shorewall-users] routing problem

>
> Another question related to PPPoE. I have CLAMPMSS=1412 in my pppoe.conf
> (from rp-pppoe-3.3). Do I still need CLAMPMSS="Yes" in shorewall.conf?
>

CLAMPMSS="Yes" doesn't hurt anything in any event so I would definitely keep it.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Wed, 27 Mar 2002 21:15:33 +0200 (EET) Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:

NB> NB> FW has 2 interfaces to internet - eth2 (213.197...) and ppp0 (213.190...).
NB> NB> DMZ is on eth1 (213.197...). Default route on FW is through ppp0.
NB> NB> The problem is that outgoing connections from DMZ are going through eth2,
NB> NB> but traceroute some.external.ip is going through ppp0 (this is what I want).
NB> NB> What should I do in order connections from DMZ to go through ppp0?
NB> NB> Is the easiest way to assign DMZ a 192.168 type address?
NB>
NB> OK, I've added DMZ address to masq file and now everything seems OK.

Replying to a message from myself once more ;) Now how can I access local hosts on eth0 (192.168...) from DMZ on eth1 (213.197...)? I want to gather snmp info from hubs and switches for mrtg running on DMZ. I can provide more info about my config if needed.

Regards,
Nerijus
On Thu, 28 Mar 2002 01:29:23 +0200 (EET) Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:

NB> Replying to a message from myself once more ;) Now how can I access local hosts
NB> on eth0 (192.168...) from DMZ on eth1 (213.197...)? I want to gather snmp info
NB> from hubs and switches for mrtg running on DMZ. I can provide more info about my
NB> config if needed.

Tried the following config unsuccessfully:

rules:
ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57

I.e. connection from dmz to 213.197.143.57 port 163 should be forwarded to loc:192.168.56.21:161. Is it impossible to forward udp packets?

Regards,
Nerijus
----- Original Message -----
From: "Nerijus Baliunas" <nerijus@users.sourceforge.net>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 27, 2002 4:45 PM
Subject: Re[3]: [Shorewall-users] routing problem

> On Thu, 28 Mar 2002 01:29:23 +0200 (EET) Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
>
> NB> Replying to a message from myself once more ;) Now how can I access local hosts
> NB> on eth0 (192.168...) from DMZ on eth1 (213.197...)? I want to gather snmp info
> NB> from hubs and switches for mrtg running on DMZ. I can provide more info about my
> NB> config if needed.
>
> Tried the following config unsuccessfully:
> rules:
> ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57
>
> I.e. connection from dmz to 213.197.143.57 port 163 should be forwarded to
> loc:192.168.56.21:161. Is it impossible to forward udp packets?
>

The rule that you have written says:

For connections from the DMZ to UDP port 163 on 213.197.143.57, forward the connection to the loc zone, host 192.168.56.21 port 161. I don't think that's what you wanted is it?

It is perfectly possible to forward udp packets given the proper rule. Again, the (simplified) format of port forwarding rule is:

ACCEPT <src zone> <dest zone>:<server ip>[:<server port>] <protocol> <port> [ <client ports> | - [ <dest ip> | all ] ]

-Tom
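Tom restates the rule in plain English to expose its direction; the rest of the thread turns on exactly that question (which side is the SNMP client and which the server). The parser below does the same restatement for any rule written in the simplified format he gives. It is an added example for this thread, not code from Shorewall or from either poster; the field names of the parsed result are this example's own choice, and the rules it runs on are the ones quoted in the thread.

```python
"""
Parse a Shorewall port-forwarding rule in the simplified format quoted in
the thread:

    ACCEPT <src zone> <dest zone>:<server ip>[:<server port>] <protocol> <port>
           [ <client ports> | - [ <dest ip> | all ] ]

and restate it in plain English so the rule's direction (client side vs.
server side) can be checked before it is loaded.

Added example for this thread; not code from Shorewall or from the list
posters. The parsed field names are this example's own choice.
"""


def _split_host(spec):
    """'<zone>[:<address>]' -> (zone, address or None)."""
    parts = spec.split(":", 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def parse_rule(line):
    """Split one rule line into its fields; absent optional fields come back as None."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("rule needs ACTION SOURCE DEST PROTO PORT: %r" % line)
    action, source, dest, proto, port = fields[:5]
    client_ports = fields[5] if len(fields) > 5 else None
    dest_ip = fields[6] if len(fields) > 6 else None

    source_zone, source_host = _split_host(source)

    # DEST is <zone>[:<server ip>[:<server port>]]
    dest_parts = dest.split(":")
    if len(dest_parts) > 3:
        raise ValueError("DEST has too many ':' separated parts: %r" % dest)
    dest_zone = dest_parts[0]
    server_ip = dest_parts[1] if len(dest_parts) > 1 else None
    server_port = dest_parts[2] if len(dest_parts) > 2 else None

    # "-" in the client-ports column means "any client port".
    if client_ports == "-":
        client_ports = None

    return {
        "action": action,
        "source_zone": source_zone,
        "source_host": source_host,
        "dest_zone": dest_zone,
        "server_ip": server_ip,
        "server_port": server_port,
        "proto": proto,
        "port": port,
        "client_ports": client_ports,
        "dest_ip": dest_ip,
    }


def describe(line):
    """Plain-English reading of the rule, in the wording Tom used in the thread."""
    r = parse_rule(line)
    target = "%s port %s" % (r["proto"], r["port"])
    if r["dest_ip"] and r["dest_ip"] != "all":
        target += " on %s" % r["dest_ip"]
    text = "For connections from the %s zone" % r["source_zone"]
    if r["source_host"]:
        text += " (host %s)" % r["source_host"]
    text += " to %s" % target
    if r["client_ports"]:
        text += " (client ports %s)" % r["client_ports"]
    # A server port or an original destination address means the packet is rewritten.
    rewritten = r["server_port"] is not None or (r["dest_ip"] and r["dest_ip"] != "all")
    if r["server_ip"] and rewritten:
        text += ", forward the connection to zone %s, host %s port %s." % (
            r["dest_zone"], r["server_ip"], r["server_port"] or r["port"])
    elif r["server_ip"]:
        text += ", %s them directly to host %s in zone %s." % (
            r["action"].lower(), r["server_ip"], r["dest_zone"])
    else:
        text += ", %s them into zone %s." % (r["action"].lower(), r["dest_zone"])
    return text


def client_is_in(line, zone):
    """True if the rule's client side (its SOURCE column) is the given zone."""
    return parse_rule(line)["source_zone"] == zone


if __name__ == "__main__":
    for rule in (
        "ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57",
        "ACCEPT dmz loc:192.168.56.20 udp 161",
        "ACCEPT loc:192.168.56.20 dmz:<ip> udp 161",
    ):
        print(rule)
        print("  ->", describe(rule))
```

Reading the first rule through `describe` gives the same sentence Tom wrote, and `client_is_in(rule, "dmz")` is the one-line check for the direction question: with mrtg in the DMZ and the SNMP agent in loc, the client zone must be dmz, which is what Nerijus's rules have.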
On Wed, 27 Mar 2002 17:21:39 -0800 Tom Eastep <teastep@shorewall.net> wrote:

TE> > Tried the following config unsuccessfully:
TE> > rules:
TE> > ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57
TE> >
TE> > I.e. connection from dmz to 213.197.143.57 port 163 should be forwarded to
TE> > loc:192.168.56.21:161. Is it impossible to forward udp packets?
TE> >
TE>
TE> The rule that you have written says:
TE>
TE> For connections from the DMZ to UDP port 163 on 213.197.143.57, forward the
TE> connection to the loc zone, host 192.168.56.21 port 161. I don't think
TE> that's what you wanted is it?

It is what I wanted, but it doesn't work. I forward ports 162, 163 and 164 to 3 different hubs (port 161). Is port 161 enough for mrtg to work?

TE> It is perfectly possible to forward udp packets given the proper rule.
TE> Again, the (simplified) format of port forwarding rule is:
TE>
TE> ACCEPT <src zone> <dest zone>:<server ip>[:<server port>] <protocol> <port>
TE> [ <client ports> | - [ <dest ip> | all ] ]

My rule is OK, isn't it?

Regards,
Nerijus
On Thu, 28 Mar 2002 06:27:18 -0800 Tom Eastep <teastep@shorewall.net> wrote:

TE> > But I try:
TE> > cfgmaker --global 'WorkDir: /usr/local/apache/htdocs/mrtg' --global
TE> 'Options[_]: bits,growright' --output
TE> /usr/local/apache/htdocs/mrtg/192.168.56.20.cfg public@213.197.143.57:163
TE> >
TE> > I think it should work, no?
TE>
TE> Well, nowhere in that command do I see the IP address 213.197.143.57 which
TE> is what you would have to connect to given the rule that you posted.

public@213.197.143.57:163 should try to connect to 213.197.143.57 port 163, which should forward to 192.168.56.20 port 161, no?

Just to clarify things - mrtg is on DMZ, manageable device is on loc.

TE> Are you masquerading the 192.168.56.0/24 network to the DMZ? If not then you

No.

TE> don't need port forwarding and you can connect directly from your DMZ to
TE> 192.168.56.20. In that case, the rule would be:
TE>
TE> ACCEPT dmz loc:192.168.56.20 udp 161

I tried it, it does not work.

My masq file is:

ppp0 192.168.56.48/29
ppp0 213.197.143.58

Regards,
Nerijus
----- Original Message -----
From: "Nerijus Baliunas" <nerijus@users.sourceforge.net>
To: "Tom Eastep" <teastep@shorewall.net>; <shorewall-users@shorewall.net>
Sent: Thursday, March 28, 2002 6:42 AM
Subject: Re[9]: [Shorewall-users] routing problem

> On Thu, 28 Mar 2002 06:27:18 -0800 Tom Eastep <teastep@shorewall.net> wrote:
>
> TE> > But I try:
> TE> > cfgmaker --global 'WorkDir: /usr/local/apache/htdocs/mrtg' --global
> TE> 'Options[_]: bits,growright' --output
> TE> /usr/local/apache/htdocs/mrtg/192.168.56.20.cfg public@213.197.143.57:163
> TE> >
> TE> > I think it should work, no?
> TE>
> TE> Well, nowhere in that command do I see the IP address 213.197.143.57 which
> TE> is what you would have to connect to given the rule that you posted.
>
> public@213.197.143.57:163 should try to connect to 213.197.143.57 port 163,
> which should forward to 192.168.56.20 port 161, no?
>
> Just to clarify things - mrtg is on DMZ, manageable device is on loc.
>
> TE> Are you masquerading the 192.168.56.0/24 network to the DMZ? If not then you
>
> No.
>
> TE> don't need port forwarding and you can connect directly from your DMZ to
> TE> 192.168.56.20. In that case, the rule would be:
> TE>
> TE> ACCEPT dmz loc:192.168.56.20 udp 161
>
> I tried it, it does not work.
>

On which system are you running MRTG? 192.168.56.20? If so, you have the rule backward and it should be:

ACCEPT loc:192.168.56.20 dmz:<ip> udp 161

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Nerijus Baliunas" <nerijus@users.sourceforge.net>; <shorewall-users@shorewall.net>
Sent: Thursday, March 28, 2002 7:00 AM
Subject: Re: Re[9]: [Shorewall-users] routing problem

>
> On which system are you running MRTG? 192.168.56.20? If so, you have the
> rule backward and it should be:
>
> ACCEPT loc:192.168.56.20 dmz:<ip> udp 161
>

Sorry -- overlooked the answer in a previous response.

-Tom
On Thu, 28 Mar 2002 07:00:58 -0800 Tom Eastep <teastep@shorewall.net> wrote:

TE> > Just to clarify things - mrtg is on DMZ, manageable device is on loc.
TE> >
TE> > TE> Are you masquerading the 192.168.56.0/24 network to the DMZ? If not
TE> then you
TE> >
TE> > No.
TE> >
TE> > TE> don't need port forwarding and you can connect directly from your DMZ
TE> to
TE> > TE> 192.168.56.20. In that case, the rule would be:
TE> > TE>
TE> > TE> ACCEPT dmz loc:192.168.56.20 udp 161
TE> >
TE> > I tried it, it does not work.
TE> >
TE>
TE> On which system are you running MRTG? 192.168.56.20? If so, you have the
TE> rule backward and it should be:
TE>
TE> ACCEPT loc:192.168.56.20 dmz:<ip> udp 161

No, see the first line.

Regards,
Nerijus
----- Original Message -----
From: "Nerijus Baliunas" <nerijus@users.sourceforge.net>
To: "Tom Eastep" <teastep@shorewall.net>; <shorewall-users@shorewall.net>
Sent: Thursday, March 28, 2002 7:39 AM
Subject: Re[11]: [Shorewall-users] routing problem

> On Thu, 28 Mar 2002 07:00:58 -0800 Tom Eastep <teastep@shorewall.net> wrote:
>
> TE> > Just to clarify things - mrtg is on DMZ, manageable device is on loc.
> TE> >
> TE> > TE> Are you masquerading the 192.168.56.0/24 network to the DMZ? If not
> TE> then you
> TE> >
> TE> > No.
> TE> >
> TE> > TE> don't need port forwarding and you can connect directly from your DMZ
> TE> to
> TE> > TE> 192.168.56.20. In that case, the rule would be:
> TE> > TE>
> TE> > TE> ACCEPT dmz loc:192.168.56.20 udp 161
> TE> >
> TE> > I tried it, it does not work.
> TE> >
> TE>
> TE> On which system are you running MRTG? 192.168.56.20? If so, you have the
> TE> rule backward and it should be:
> TE>
> TE> ACCEPT loc:192.168.56.20 dmz:<ip> udp 161
>
> No, see the first line.
>

Ok -- then you are going to have to run tcpdump on the firewall and find out where it's going wrong.

-Tom