Carlos Cajina
2003-Mar-27 08:44 UTC
[Shorewall-users] [Shorewall Users] Configuration Issues
Hi, I just signed up to this list, a linux-firewalls newbie. I've been assigned the task of setting up a FW for my office network. I already have Red Hat Linux 8 and Shorewall installed and tested using the examples in the documentation; however, when trying the actual network settings (that is, the "real" IP addresses and so on...) things just don't seem to work.

Here's a "short" version of what I want to accomplish.

Currently, Internet access is as follows:

  { my LAN } ----> { Router } ----> { Antenna } ----> { INTERNET }

- my LAN has two IP subnets: a.b.86.0/24 and a.b.98.0/24
- Router uses a.b.86.254 and a.b.98.254

What I want to do is basically this:

  { my LAN } ----> { Firewall } ----> { Router } ----> { Antenna } ----> { INTERNET }

1. Restrict Internet access to the a.b.98.0/24 subnet while allowing (almost) full access to the a.b.86.0/24 subnet

What I've done so far is:

1. Set up two Network Interfaces in my Linux box.
   1.1. eth0 is my external interface, the one that goes straight to the router, therefore, I assume it could have either a a.b.98.? address or a a.b.86.? one. I'm using a.b.86.100
   1.2. eth1 has two configured IP addresses: eth1 (main IP) --> a.b.98.253 and eth1:1 (secondary IP) --> a.b.86.253
2. Defined three zones: net (Internet), loc1 (a.b.98.0/24) and loc2 (a.b.86.0/24)
3. In /etc/shorewall/interfaces I have:

   ZONE    INTERFACE    BROADCAST
   net     eth0         detect
   -       eth1         a.b.98.255,a.b.86.255

   In /etc/shorewall/hosts:

   ZONE    HOSTS
   loc1    eth1:a.b.98.0/24
   loc2    eth1:a.b.86.0/24

The policy and rules files are very simple, they just follow the general guideline (allow and deny access to whole subnets). I don't think it would be useful to include them here. The rest of the configuration files are untouched, and with this configuration, workstations within the a.b.98.0/24 subnet do have access (ping) to the FW, but the ones in the a.b.86.0/24 subnet don't.

I might be missing the simplest of things here, that's what I feel at least, but my brain seems to be already halted... :) Any suggestions would be very much appreciated.

Best regards,
Carlos
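As an added example (not code from the post, and not the Shorewall project's own files), the layout described above written out as a minimal Shorewall 1.x-style configuration: zones, interfaces and hosts as the post gives them, plus an assumed default-deny policy and rules file, since the post does not include its own. The 10.0 prefix stands in for the poster's a.b and is constructed. One thing worth checking in this layout is that the same a.b.86.0/24 prefix is addressed on both eth0 (a.b.86.100) and eth1:1 (a.b.86.253), so the kernel holds two connected routes for it and will use one of them for replies to a.b.86.x hosts; the last function lists any prefix in that situation, reading the live routing table when `ip` is available and a constructed sample otherwise.

```shell
#!/bin/sh
# Added example (not from the post or from the Shorewall project): a minimal
# Shorewall 1.x-style configuration for the two-subnet layout described above,
# plus a check for one routing pitfall in that layout.
# Addresses are constructed: the poster's "a.b" prefix is written as 10.0.
# Usage: SHOREWALL_DIR=/tmp/shorewall-example sh shorewall-two-subnets.sh

write_config() {
  # $1: directory to write into (use /etc/shorewall on the real box)
  dir="$1"
  mkdir -p "$dir"

  # Three zones, as in the post: net, loc1 (restricted), loc2 (almost full)
  cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (via the router on eth0)
loc1    Loc1      10.0.98.0/24, restricted Internet access
loc2    Loc2      10.0.86.0/24, (almost) full Internet access
EOF

  # eth1 carries both LAN subnets, so its zone is "-" and the zones are
  # assigned per subnet in the hosts file instead
  cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST                OPTIONS
net     eth0        detect
-       eth1        10.0.98.255,10.0.86.255
EOF

  cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)               OPTIONS
loc1    eth1:10.0.98.0/24
loc2    eth1:10.0.86.0/24
EOF

  # Default-deny policies; the post does not include its own policy file,
  # so this one is an assumption that matches the stated goal
  cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc2    net     ACCEPT
loc2    fw      DROP    info
loc1    net     DROP    info
loc1    fw      DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

  # Explicit exceptions to the policies above
  cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# restricted subnet: web only
ACCEPT  loc1    net     tcp     80,443
# both subnets may ping the firewall (ICMP echo request)
ACCEPT  loc1    fw      icmp    8
ACCEPT  loc2    fw      icmp    8
# ssh to the firewall only from the less restricted subnet
ACCEPT  loc2    fw      tcp     22
EOF
}

# Print every connected (scope link) prefix that the kernel has on more than
# one interface.  With the post's addressing, 10.0.86.0/24 is connected on
# both eth0 (10.0.86.100) and eth1:1 (10.0.86.253), so the kernel can pick
# either route for replies to that subnet.  Reads "ip route" output on stdin.
ambiguous_connected_routes() {
  awk '$2 == "dev" && /scope link/ {
         if (($1 in seen) && seen[$1] != $3) dup[$1] = 1
         seen[$1] = $3
       }
       END { for (p in dup) print p }'
}

# Constructed routing table for the layout in the post (what "ip route" would
# show on the firewall), used when the script runs where "ip" is unavailable
SAMPLE_ROUTES='10.0.86.0/24 dev eth0  proto kernel  scope link  src 10.0.86.100
10.0.98.0/24 dev eth1  proto kernel  scope link  src 10.0.98.253
10.0.86.0/24 dev eth1  proto kernel  scope link  src 10.0.86.253
default via 10.0.86.254 dev eth0'

main() {
  write_config "${SHOREWALL_DIR:-/tmp/shorewall-example}"
  echo "wrote config to ${SHOREWALL_DIR:-/tmp/shorewall-example}"
  if command -v ip >/dev/null 2>&1; then
    routes=$(ip route)
  else
    routes=$SAMPLE_ROUTES
  fi
  dups=$(printf '%s\n' "$routes" | ambiguous_connected_routes)
  if [ -n "$dups" ]; then
    echo "subnet(s) connected on more than one interface: $dups"
  else
    echo "no subnet is connected on more than one interface"
  fi
}

main
```

Point SHOREWALL_DIR at a scratch directory first and compare the generated files with the ones in /etc/shorewall; the rules file is where the "(almost) full access" for loc2 and the web-only access for loc1 get spelled out, so any extra service the office needs is added there rather than by loosening a policy line.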
Please follow the guidelines for connection problem reporting described at http://www.shorewall.net/support.htm -- I'm not going to try to even guess what is going on based on your description.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net