Hi,

I'm just trying out shorewall for the first time... It was recommended to me because it works ok with IPSEC. I followed the quickstart guide for a two interface linux system and downloaded the example files for the same.

It seems to be working more or less as expected, however one thing that concerned me initially is that I can ping the internal interface on the linux gateway box that shorewall is running on. I use real ip numbers for my internal network as I need to route to them from external sources for our client/server applications. I can't ping any other of the real IP numbers on the hosts that are on the internal network which is good, but it looks to me like it is forwarding packets to the internal interface which seems like it could be a security issue. Is this normal or have I set something up wrong and it shouldn't do this?

Thanks
Bill
On Tue, 27 May 2003 15:52:40 +0100, Bill Dossett <billd@emtex.com> wrote:

> Hi,
>
> I'm just trying out shorewall for the first time...
> It was recommended to me because it works ok
> with IPSEC. I followed the quickstart guide
> for a two interface linux system and downloaded
> the example files for the same.
>
> It seems to be working more or less as expected,
> however one thing that concerned me initially
> is that I can ping the internal interface on the
> linux gateway box that shorewall is running on.
> I use real ip numbers for my internal network as
> I need to route to them from external sources for
> our client/server applications. I can't ping any
> other of the real IP numbers on the hosts that are
> on the internal network which is good, but it looks
> to me like it is forwarding packets to the internal
> interface which seems like it could be a security issue.
> Is this normal or have I set something up wrong and
> it shouldn't do this.

That is normal and is the way a Linux system works. IT IS NOT FORWARDING PACKETS TO THE "INTERNAL INTERFACE".

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 27 May 2003 06:59:57 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> That is normal and is the way a Linux system works. IT IS NOT FORWARDING
> PACKETS TO THE "INTERNAL INTERFACE".
>

PS -- If you don't like that behavior, change your "net->fw" ping rule to:

ACCEPT net fw:<fw external IP address> icmp 8

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
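The point behind Tom's reply is that a packet arriving on the external interface but addressed to the gateway's own internal address is delivered locally (it traverses the INPUT chain, which Shorewall models as the net->fw zone pair); it is never forwarded, because forwarding only applies to addresses that are not the box's own. Linux will accept traffic to any of its configured addresses on any interface, so the two-interface example's ping rule matches both of the firewall's addresses. The following `/etc/shorewall/rules` fragment is an added illustration, not part of the original thread or of the Shorewall example files: it shows the sample rule that lets the net ping either address beside the restricted form Tom suggests. The addresses 203.0.113.10 (external) and 203.0.113.130 (internal) are assumed placeholders.

```text
# /etc/shorewall/rules (added example; addresses are assumed)
#
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
#                                               (ICMP type)

# As shipped in the two-interface sample: the destination "fw" is the
# whole firewall zone, i.e. every address the box owns, so echo
# requests from the net to the *internal* address 203.0.113.130 are
# accepted in the net2fw chain.  This is INPUT traffic, not FORWARD.
#ACCEPT   net      fw                   icmp    8

# Restricted form from the PS: only echo requests whose destination is
# the external address are accepted; those aimed at 203.0.113.130 fall
# through to the net->fw policy (DROP or REJECT in the sample policy
# file) and are logged there if the policy has a log level.
ACCEPT    net      fw:203.0.113.10      icmp    8
```

After editing, `shorewall check` validates the file and `shorewall restart` loads it; `shorewall show net2fw` then lists the generated INPUT-path chain, where the new rule appears with `-d 203.0.113.10`, which is the concrete evidence that the original ping never went through FORWARD. Because the internal hosts use routable addresses, a second check worth making is that pings to those hosts are governed only by the net->loc rules and policy, which is what Bill already observed.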
Thank you... just wanted to make sure... for some reason, some other firewalls that I have tried don't seem to do this so I wanted to make sure I hadn't made any mistakes.

Thanks again,
Bill

Tom Eastep wrote:
> On Tue, 27 May 2003 06:59:57 -0700, Tom Eastep <teastep@shorewall.net>
> wrote:
>
>>
>> That is normal and is the way a Linux system works. IT IS NOT
>> FORWARDING PACKETS TO THE "INTERNAL INTERFACE".
>>
>
> PS -- If you don't like that behavior, change your "net->fw" ping rule to:
>
> ACCEPT net fw:<fw external IP address> icmp 8
>
> -Tom