Karl Gaissmaier
2002-Aug-13 13:29 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
Hi shorewall Users,

I'm quite new to playing with shorewall (but no newbie to firewalls and iptables) and stumbled over a problem configuring a "one armed NAT" router with shorewall. I tried to use the following config (abbreviated for clarification):

zones:
    net     Internet
    loc     local     RFC1918 net

interfaces:
    # both zones are on dev eth0!
    net     eth0      120.120.120.255    multi
    loc     eth0      192.168.1.255      multi

policy:
    loc     all       ACCEPT
    net     all       DROP
    all     all       REJECT

masq:
    # one armed SNAT router (eth0 -> POSTROUTING -> eth0)
    eth0    192.168.1.0/24    120.120.120.1

shorewall stops parsing the config with the following error:

    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Shorewall Not Currently Running
    Starting Shorewall...
    Initializing...
    Determining Zones...
    Zones: net loc
    Validating interfaces file...
       Error: Duplicate Interface eth0

I thought with the option "multi" this should be possible. Where is the error?

Some more info perhaps needed:

    root # uname -a
    Linux fw 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586

and the shorewall version is from the shorewall.lrp package:

    root # cat /var/lib/shorewall/version
    1.3.6

Thanks in advance for any help
Charly

P.S. Please don't discuss the need and security of a "one armed firewall" here; it is the "best" solution. The question is just: is this possible to do with shorewall and, if yes, how can it be done?

--
Karl Gaissmaier            Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de      Network Administration
Tel.: ++49 731 50-22499
Tom Eastep
2002-Aug-13 13:35 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
On Tue, 13 Aug 2002, Karl Gaissmaier wrote:

> Hi shorewall Users,
>
> I'm quite new to playing with shorewall (but no newbie to firewalls
> and iptables) and stumbled over a problem configuring a
> "one armed NAT" router with shorewall. I tried to use the following
> config (abbreviated for clarification):
>
> zones:
>     net     Internet
>     loc     local     RFC1918 net
>
> interfaces:
>     # both zones are on dev eth0!
>     net     eth0      120.120.120.255    multi
>     loc     eth0      192.168.1.255      multi
>
> policy:
>     loc     all       ACCEPT
>     net     all       DROP
>     all     all       REJECT
>
> masq:
>     # one armed SNAT router (eth0 -> POSTROUTING -> eth0)
>     eth0    192.168.1.0/24    120.120.120.1
>
> shorewall stops parsing the config with the following error:
>

You need something on the lines of:

zones: (The order is important since loc is a sub-zone of net.)
    loc     Local     RFC1918 net
    net     Internet

interfaces:
    -       eth0      120.120.120.255,192.168.1.255

hosts:
    loc     eth0:192.168.1.0/24
    net     eth0:0.0.0.0/0

masq:
    eth0    192.168.1.0/24    120.120.120.1

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
Tom Eastep
2002-Aug-13 13:44 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
On Tue, 13 Aug 2002, Tom Eastep wrote:

> > interfaces:
> >     -       eth0      120.120.120.255,192.168.1.255
>

Just to be safe:

    -       eth0      120.120.120.255,192.168.1.255    multi

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
Karl Gaissmaier
2002-Aug-13 15:21 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
Hello Tom,

Tom Eastep schrieb:

> On Tue, 13 Aug 2002, Karl Gaissmaier wrote:
>
> > Hi shorewall Users,
> >
> > I'm quite new to playing with shorewall (but no newbie to firewalls
> > and iptables) and stumbled over a problem configuring a
> > "one armed NAT" router with shorewall. I tried to use the following
> > config (abbreviated for clarification):
...
> You need something on the lines of:
>
> zones: (The order is important since loc is a sub-zone of net.)
>     loc     Local     RFC1918 net
>     net     Internet
>
> interfaces:
>     -       eth0      120.120.120.255,192.168.1.255
>
> hosts:
>     loc     eth0:192.168.1.0/24
>     net     eth0:0.0.0.0/0
>
> masq:
>     eth0    192.168.1.0/24    120.120.120.1

thanks for your fast help! I really tried to solve it by reading the docs and the FAQ but I could not find any example for this or a similar feature (sure, I didn't look very deep into your code).

Even the meaning of order in the zone definition file and the concatenation of the different IP broadcasts in one dev line was totally unclear to me.

Could you point me to the describing document(s)?

Regards and thanks for shorewall!
Charly

--
Karl Gaissmaier            Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de      Network Administration
Tel.: ++49 731 50-22499
Tom Eastep
2002-Aug-13 15:46 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
On Tue, 13 Aug 2002, Karl Gaissmaier wrote:

> > You need something on the lines of:
> >
> > zones: (The order is important since loc is a sub-zone of net.)
> >     loc     Local     RFC1918 net
> >     net     Internet
> >
> > interfaces:
> >     -       eth0      120.120.120.255,192.168.1.255
> >
> > hosts:
> >     loc     eth0:192.168.1.0/24
> >     net     eth0:0.0.0.0/0
> >
> > masq:
> >     eth0    192.168.1.0/24    120.120.120.1
>
> thanks for your fast help! I really tried to solve it by reading the
> docs and the FAQ but I could not find any example for this
> or a similar feature (sure, I didn't look very deep into your code).
>
> Even the meaning of order in the zone definition file and the
> concatenation of the different IP broadcasts in one dev line
> was totally unclear to me.
>
> Could you point me to the describing document(s)?
>

The list of broadcast addresses isn't documented :-( I'll fix that today.

At http://www.shorewall.net/Documentation.htm#Zones (which describes the zones file) there are two large warnings -- one says that the order of the entries may be significant and has a link to the part of the document that describes nested and overlapping zones.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
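The two points made in this thread (eth0 may appear only once in the interfaces file, and in a nested zone setup the sub-zone loc must be listed before net because zones are matched in file order) can be checked with a small model of the parsing. This is an added illustration, not Shorewall's own code; the sample file contents are constructed from the configs posted above, and the `snat_rule` rendering of the masq entry is an assumption about the equivalent iptables rule, not something the thread spells out.

```python
import ipaddress

# Constructed sample files mirroring the corrected config in the thread.
ZONES_FILE = "loc  Local     RFC1918 net\nnet  Internet\n"
HOSTS_FILE = "loc  eth0:192.168.1.0/24\nnet  eth0:0.0.0.0/0\n"
# The original poster's interfaces file, which lists eth0 twice,
# beside the corrected single-line form with both broadcasts.
BAD_INTERFACES = "net  eth0  120.120.120.255  multi\nloc  eth0  192.168.1.255  multi\n"
GOOD_INTERFACES = "-    eth0  120.120.120.255,192.168.1.255  multi\n"


def parse_lines(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def zone_order(zones_text):
    """Zone names in file order; earlier entries are matched first."""
    return [fields[0] for fields in parse_lines(zones_text)]

def duplicate_interfaces(interfaces_text):
    """Interface names listed more than once (the 'Duplicate Interface' error)."""
    seen, dups = set(), []
    for fields in parse_lines(interfaces_text):
        iface = fields[1]
        if iface in seen and iface not in dups:
            dups.append(iface)
        seen.add(iface)
    return dups

def classify(zones_text, hosts_text, iface, src_ip):
    """Zone of a packet arriving on iface from src_ip: first match in zone
    order, so the sub-zone (loc) must precede its super-zone (net)."""
    entries = {}
    for zone, host in parse_lines(hosts_text):
        h_iface, net = host.split(":", 1)
        entries.setdefault(zone, []).append((h_iface, ipaddress.ip_network(net)))
    addr = ipaddress.ip_address(src_ip)
    for zone in zone_order(zones_text):
        for h_iface, net in entries.get(zone, []):
            if h_iface == iface and addr in net:
                return zone
    return None

def snat_rule(masq_line):
    """Render a masq entry (INTERFACE SUBNET ADDRESS) as an iptables SNAT rule (assumed form)."""
    iface, subnet, addr = masq_line.split()
    return f"iptables -t nat -A POSTROUTING -o {iface} -s {subnet} -j SNAT --to-source {addr}"
```

Swapping the two zones lines makes every eth0 source fall into net, which is exactly the misclassification the ordering warning guards against.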
Karl Gaissmaier
2002-Aug-14 07:50 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
Hi Tom,

> The list of broadcast addresses isn't documented :-( I'll fix that today.

Your doc about interfaces currently reads:

    BROADCAST - the broadcast address(es) for the sub-network(s) attached to the interface. This should be left empty for P-T-P interfaces (ppp*, ippp*); if you need to specify options for such an interface, enter "-" in this column. If you supply the special value "detect" in this column, the firewall will automatically determine the broadcast address. Note that to use this feature, you must have iproute installed, the interface must be up before you start your firewall and it must only be attached to a single sub-network.

Please update the following sentence:

    If you supply the special value "detect" in this column, the firewall will automatically determine the broadcast address(es).

Regards
Charly

P.S. Do you really detect all broadcast address(es) automatically assigned to the interface?

--
Karl Gaissmaier            Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de      Network Administration
Tel.: ++49 731 50-22499
Tom Eastep
2002-Aug-14 13:38 UTC
[Shorewall-users] Q: One armed (S)NAT possible with 1.3.6 (zones loc and net on same interface eth0) ?
On Wed, 14 Aug 2002, Karl Gaissmaier wrote:

> P.S. Do you really detect all broadcast address(es) automatically assigned
> to the interface?
>

No I don't, and that's why it says that to use "detect", the interface must only be attached to a single subnet. I'll try to make it clearer.

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net