thr3ads.net - Shorewall users - [Shorewall-users] need urgent help [Sep 2002]

If this information is useful, please help other people find it:
Share via:

Brandis Jaroslav

2002-Sep-30 08:36 UTC

[Shorewall-users] need urgent help

hello ...

I have problem: I have configured shorewall to access some fw ports,
internet access, DMZ access. On FW I have route record for NET2, but I
can''t access NET2 when on hosts in NET1 is default gw FW. On ping  I
get
message "Destination Port Unreachable" . It looks that FW
doesn''t allow
ICMP redirect for net2.=20
On shorewall in config files are this values:
zones: 		loc	Local 		xxxx
interfaces:	loc	eth0		detect          routestopped   <
-- here I Try multi, but doesn''t help
hosts:		loc	eth0:net2/x

in logs are this messages: Shorewall:FORWARD:REJECT:IN=3Deth0 OUT=3Deth0
=09
my net scenario :

net2 -----{router}----net1----{FW - shorewall}---internet
						|
						|-- DMZ


Any advice ?=20
------------------------------------------
Brandis Jaroslav
SOFTEC s.r.o.=20
Kutuzovova 23
831 03 Bratislava

Tel: +421(2)49202547
Fax: +421(2)49202531

Cowles, Steve

2002-Sep-30 10:53 UTC

head link

[Shorewall-users] need urgent help

> -----Original Message-----
> From: Brandis Jaroslav [mailto:jaroslav.brandis@softec.sk]
> Sent: Monday, September 30, 2002 3:36 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] need urgent help
> 
> 
> hello ...
> 
> I have problem: I have configured shorewall to access some fw ports,
> internet access, DMZ access. On FW I have route record for NET2, but I
> can''t access NET2 when on hosts in NET1 is default gw FW. On 
> ping  I get message "Destination Port Unreachable" . It looks
that FW
> doesn''t allow ICMP redirect for net2. 
>
> On shorewall in config files are this values:
> zones: 		loc	Local 		xxxx
> interfaces:	loc	eth0		detect          routestopped   <
> -- here I Try multi, but doesn''t help
> hosts:		loc	eth0:net2/x
> 
> in logs are this messages: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
> 	
> my net scenario :
> 
> net2 -----{router}----net1----{FW - shorewall}---internet
> 						|
> 						|-- DMZ
>
I just went through adding a network (called lab) last week. I went through
the same set of problems as you. Thanks to Tom''s help, we came up with
the
following shorewall config changes. Note: My network topology seems to be
identical to yours. Substitute the following zone names/network addresses to
make sense of my changes.

net1 = loc (192.168.9.0/24, eth1 on fw)
net2 = lab (192.168.10/0/24, accessable thru router on loc lan)

/etc/shorewall/zones (added lab network zone)
lab     Lab             Lab Network
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized zone

/etc/shorewall/interfaces (added multi. I''m running shorewall 1.3.7)
loc     eth1       detect       routestopped,multi

/etc/shorewall/hosts (added the following)
lab             eth1:192.168.10.0/24

/etc/shorewall/policy (added the following)
lab             all             CONTINUE
loc             lab             ACCEPT

/etc/shorewall/masq (added the following)
eth0            192.168.10.0/24
>>> From firewall route tables (added static -net
route)<<<<
[root@firewall shorewall]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
xx.xx.xx.xx     0.0.0.0         255.255.255.252 U     0      0        0 eth0
192.168.10.0    192.168.9.3     255.255.255.0   UG    0      0        0 eth1
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xx.xx.xx.xx     0.0.0.0         UG    0      0        0 eth0

With the above changes, the icmp redirects now work from any host on the lan
segment. Which basically eliminates the firewall as a hop once the redirect
kicks in. e.g. From my W2K station on the lan segment:

C:\>route print (before icmp redirect)
==========================================================================Interface
List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 b0 c9 03 43 c1 ...... Intel 8255x-based Integrated Fast Ethernet
====================================================================================================================================================Active
Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.9.1    192.168.9.21       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.0    255.255.255.0     192.168.9.21    192.168.9.21       1
     192.168.9.21  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255     192.168.9.21    192.168.9.21       1
        224.0.0.0        224.0.0.0     192.168.9.21    192.168.9.21       1
  255.255.255.255  255.255.255.255     192.168.9.21    192.168.9.21       1
Default Gateway:       192.168.9.1
==========================================================================Persistent
Routes:
  None

C:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:

Reply from 192.168.10.1: bytes=32 time=10ms TTL=64
Reply from 192.168.10.1: bytes=32 time<10ms TTL=64
Reply from 192.168.10.1: bytes=32 time<10ms TTL=64
Reply from 192.168.10.1: bytes=32 time<10ms TTL=64

Ping statistics for 192.168.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  10ms, Average =  2ms

C:\>route print (Note the automatic host route addition)
==========================================================================Interface
List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 b0 c9 03 43 c1 ...... Intel 8255x-based Integrated Fast Ethernet
====================================================================================================================================================Active
Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.9.1    192.168.9.21       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.0    255.255.255.0     192.168.9.21    192.168.9.21       1
     192.168.9.21  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255     192.168.9.21    192.168.9.21       1
->>  192.168.10.1  255.255.255.255      192.168.9.3    192.168.9.21      
1
        224.0.0.0        224.0.0.0     192.168.9.21    192.168.9.21       1
  255.255.255.255  255.255.255.255     192.168.9.21    192.168.9.21       1
Default Gateway:       192.168.9.1
==========================================================================Persistent
Routes:
  None


Your mileage may vary, but the above changes work great for me.

Good Luck
Steve Cowles

Shorewall users - Sep 2002 - need urgent help

[Shorewall-users] need urgent help

[Shorewall-users] need urgent help