Christophe Zwecker
2002-Sep-23 13:50 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
hmm, no because we have eth0 for local and eth1 for net, multi is only to route between two subnets on the same nic afaik.

thx for your input anyway

Christophe

On Mon, 2002-09-23 at 15:37, niels@wxn.nl wrote:
> Hi,
>
> I'm not sure, but you could try to add the "multi" option to the
> interface that hosts your net zone
>
> in /etc/shorewall/interfaces
>
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> net      eth0                      multi
>
> Niels.
>
> -----Original Message-----
> From: Christophe Zwecker [mailto:czwecker@sysctl.de]
> Sent: 23 September 2002 15:10
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Shorewall:FORWARD:REJECT only from private/natted
>
> Hi,
>
> our private network is behind a Netware Bordermanager, in front that is a
> linux shorewall machine, attached to the same hub is a webserver I want to
> reach. From outside the network I can reach the webserver, from within the
> private network (my client is natted from the BM)
>
> I get the following:
>
> Sep 23 14:53:01 gate kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=134.100.58.111 DST=134.100.58.143 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=9739 PROTO=TCP SPT=80 DPT=40669 WINDOW=1600 RES=0x00 ACK SYN URGP=0
>
> what does that mean ?
> --
> Christophe Zwecker
> :Sysctl
> Susannenstr. 26-28
> 20357 Hamburg
> phon/fax: +49 40 43099296/7
> mail: czwecker@sysctl.de
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

--
Christophe Zwecker
:Sysctl
Susannenstr. 26-28
20357 Hamburg
phon/fax: +49 40 43099296/7
mail: czwecker@sysctl.de
Tom Eastep
2002-Sep-23 14:02 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
Christophe Zwecker wrote:
> hmm, no because we have eth0 for local and eth1 for net, multi is only
> to route between two subnets on the same nic afaik.

But the message you posted shows a packet that arrived on eth0 and is being routed out eth0!!! You don't have both eth0 and eth1 connected to the same hub/switch do you?

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
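Tom's observation above (a line logged with IN=eth0 OUT=eth0 is a packet the gateway is forwarding back out the interface it arrived on) is something a defender can check mechanically across a whole log rather than by eye. The following is an added example, not code from the thread or from Shorewall itself: it parses netfilter-style Shorewall log lines such as the one Christophe posted, flags same-interface ("hairpin") forwarding, and flags packets whose source and destination both lie on the ingress subnet, which is what you see when an upstream host sends local traffic to its default gateway instead of delivering it directly. The interface-to-subnet mapping (134.100.58.0/24 on eth0, a made-up 192.0.2.0/30 on eth1) is an assumption, and the second and third sample lines are constructed to exercise the non-matching paths.

```python
import ipaddress
import re

# Constructed sample log. Line 1 is the log line quoted in the thread; lines 2
# and 3 are made up so the classifier has traffic that should NOT be flagged.
SAMPLE_LOG = """\
Sep 23 14:53:01 gate kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=134.100.58.111 DST=134.100.58.143 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=9739 PROTO=TCP SPT=80 DPT=40669 WINDOW=1600 RES=0x00 ACK SYN URGP=0
Sep 23 14:55:10 gate kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=134.100.58.111 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 23 14:55:11 gate kernel: Shorewall:net2loc:ACCEPT:IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=134.100.58.111 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed mapping of the gateway's interfaces to the subnets they serve.
# eth0 is the hub side discussed in the thread; eth1's subnet is invented.
IFACE_SUBNETS = {
    "eth0": ipaddress.ip_network("134.100.58.0/24"),
    "eth1": ipaddress.ip_network("192.0.2.0/30"),
}

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter key=value fields and bare TCP flag words.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a Shorewall log."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(dict(KV_RE.findall(rest)))
    # TCP flags (SYN, ACK, ...) are logged as bare words without '='.
    rec["flags"] = [tok for tok in rest.split() if "=" not in tok]
    return rec


def classify(rec):
    """Explain why a forwarded packet may be taking an unexpected path."""
    findings = []
    ingress, egress = rec.get("IN"), rec.get("OUT")
    if ingress and ingress == egress:
        findings.append("hairpin: packet forwarded back out the interface it arrived on")
    in_net = IFACE_SUBNETS.get(ingress)
    if in_net is not None:
        src = ipaddress.ip_address(rec["SRC"])
        dst = ipaddress.ip_address(rec["DST"])
        if src in in_net and dst in in_net:
            findings.append(
                "src and dst share the ingress subnet: an upstream host is routing "
                "local traffic via this gateway instead of delivering it directly"
            )
    return findings


def analyse(log_text):
    """Return (line_no, record, findings) for every rejected/dropped packet worth a look."""
    results = []
    for n, line in enumerate(log_text.splitlines()):
        rec = parse_line(line)
        if rec is None or rec["disposition"] not in ("REJECT", "DROP"):
            continue
        findings = classify(rec)
        if findings:
            results.append((n, rec, findings))
    return results


if __name__ == "__main__":
    for n, rec, findings in analyse(SAMPLE_LOG):
        print(f"line {n}: {rec['SRC']}:{rec.get('SPT')} -> {rec['DST']}:{rec.get('DPT')} "
              f"({rec['chain']}/{rec['disposition']}, flags={' '.join(rec['flags'])})")
        for f in findings:
            print("   -", f)
```

Run against the thread's own line, the script reports both findings, and the flags field shows it is the SYN/ACK from the web server (source port 80), i.e. the reply leg of the connection is the one being sent through the gateway. Either finding on its own is a pointer to the upstream router's routing table rather than to the firewall rules.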
Christophe Zwecker
2002-Sep-23 14:08 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
On Mon, 2002-09-23 at 16:02, Tom Eastep wrote:
> But the message you posted shows a packet that arrived on eth0 and is
> being routed out eth0!!! You don't have both eth0 and eth1 connected to
> the same hub/switch do you?

no, eth1 is fibre going 500 meters to university, no connection to any hub/switch here. eth0 is going into a hub, the Netware Bordermanager is attached to that same hub, as well as the webserver I want to connect to (APC Powerswitch)

strange...

--
Christophe Zwecker
:Sysctl
Susannenstr. 26-28
20357 Hamburg
phon/fax: +49 40 43099296/7
mail: czwecker@sysctl.de
Bradey Honsinger
2002-Sep-23 19:45 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
I may be mistaken, but it seems to me that this traffic shouldn't even be reaching the Shorewall box! I'd guess that your BorderManager is set up to route everything to Shorewall, even when it should go to the local subnet. If you'll suffer some ASCII art, it sounds like your configuration looks like this:

             -----------------     -------     -------------
    LAN ----| BorderManager |----| hub |----| Shorewall |---- Net
             -----------------     -------     -------------
                                      |
                                --------------
                                | Web Server |
                                --------------

The 134.100.58.x subnet contains the BM, web server, and Shorewall, so if the BM is configured correctly it should be sending packets to that subnet directly, not through its gateway (the Shorewall machine). The log message you gave previously showed that it _was_ sending the packets to the Shorewall machine, so it looks like your BM config is incorrect. While I'm sure you could make Shorewall forward the packets if you had to, fixing the BM is probably the simplest solution.

- Bradey

-----Original Message-----
From: Christophe Zwecker [mailto:czwecker@sysctl.de]
Sent: Monday, September 23, 2002 7:09 AM
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted

On Mon, 2002-09-23 at 16:02, Tom Eastep wrote:
> But the message you posted shows a packet that arrived on eth0 and is
> being routed out eth0!!! You don't have both eth0 and eth1 connected to
> the same hub/switch do you?

no, eth1 is fibre going 500 meters to university, no connection to any hub/switch here. eth0 is going into a hub, the Netware Bordermanager is attached to that same hub, as well as the webserver I want to connect to (APC Powerswitch)

strange...

--
Christophe Zwecker
:Sysctl
Susannenstr. 26-28
20357 Hamburg
phon/fax: +49 40 43099296/7
mail: czwecker@sysctl.de
Christophe Zwecker
2002-Sep-23 19:55 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
hmm,

yes sounds very reasonable, I'll have a talk with our netware admin.

thx a lot for your input !

Chris

On Mon, 2002-09-23 at 21:45, Bradey Honsinger wrote:
> I may be mistaken, but it seems to me that this traffic shouldn't
> even be reaching the Shorewall box! I'd guess that your
> BorderManager is set up to route everything to Shorewall, even
> when it should go to the local subnet. If you'll suffer some
> ASCII art, it sounds like your configuration looks like this:
>
>              -----------------     -------     -------------
>     LAN ----| BorderManager |----| hub |----| Shorewall |---- Net
>              -----------------     -------     -------------
>                                       |
>                                 --------------
>                                 | Web Server |
>                                 --------------
>

--
:sysctl                        Christophe Zwecker
Susannenstr. 26-28             phon/fax: +49 40 43099296/7
20357 Hamburg                  mail: czwecker@sysctl.de
Tom Eastep
2002-Sep-23 19:57 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
Bradey Honsinger wrote:
> I may be mistaken, but it seems to me that this traffic shouldn't
> even be reaching the Shorewall box! I'd guess that your
> BorderManager is set up to route everything to Shorewall, even
> when it should go to the local subnet. If you'll suffer some
> ASCII art, it sounds like your configuration looks like this:
>
>              -----------------     -------     -------------
>     LAN ----| BorderManager |----| hub |----| Shorewall |---- Net
>              -----------------     -------     -------------
>                                       |
>                                 --------------
>                                 | Web Server |
>                                 --------------
>
> The 134.100.58.x subnet contains the BM, web server, and
> Shorewall, so if the BM is configured correctly it should be
> sending packets to that subnet directly, not through its
> gateway (the Shorewall machine). The log message you gave
> previously showed that it _was_ sending the packets to the
> Shorewall machine, so it looks like your BM config is
> incorrect. While I'm sure you could make Shorewall
> forward the packets if you had to, fixing the BM is probably
> the simplest solution.

In the case of Shorewall, if you are running Shorewall 1.3.8 then you just need to add a loc->loc ACCEPT policy. If you are running an earlier version, you need to include that policy and specify 'multi' for eth0 in /etc/shorewall/interfaces.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Sep-23 21:00 UTC
[Shorewall-users] Shorewall:FORWARD:REJECT only from private/ natted
Christophe Zwecker wrote:
> hmm,
>
> yes sounds very reasonable, I'll have a talk with our netware admin.
>

I agree with Bradey that modifying the BorderManager config is the best approach -- if you follow the Shorewall instructions I posted earlier, local traffic to the Web Server is needlessly routed through the Shorewall box.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net