Hello,

At our company we have a Shorewall firewall and about fifteen systems are using it for their internet access. We have MAC identification turned on. So far so good. The problem is that it looks like sometimes we lose the connection from a system to the outside. Therefore I turned on a ping every second. After a while we see that a lot of pings are not replied to, and after a while it goes well again. When I look in syslog I see the following entries (copied one line out of it):

Jul 15 16:34:45 router kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=62.216.11.36 DST=192.168.1.106 LEN=37 TOS=0x00 PREC=0x00 TTL=123 ID=48304 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43269

Does this problem occur because both the internal and external adapter are physically on the same switch and the packet arrives at the wrong interface? Why is the packet sent to eth1 instead of eth0? (eth1 is LAN, eth0 is internet)

Hope anybody can shine his light on it. Thanks!

--
Regards, Peter

C:\ Bad command or file name! Go stand in the corner.

Do you have a Sony Digital video camera? Have a look at http://www.dvin.org
Also see http://www.lindeman.org
ICQ 22383596
Uptime lindeman.org - 191 days, 20 hours and 47 minutes, 0 users logged in.
On Tue, 2003-07-15 at 14:02, Peter Lindeman wrote:
> Hello,
>
> At our company we have a Shorewall firewall and about fifteen systems
> are using it for their internet access. We have MAC identification
> turned on. So far so good. The problem is that it looks like sometimes
> we lose the connection from a system to the outside. Therefore I turned on
> a ping every second. After a while we see that a lot of pings are not
> replied to, and after a while it goes well again. When I look in syslog I
> see the following entries (copied one line out of it):
>
> Jul 15 16:34:45 router kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=62.216.11.36 DST=192.168.1.106 LEN=37 TOS=0x00 PREC=0x00 TTL=123
> ID=48304 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43269
>
> Does this problem occur because of the fact that both the internal and
> external adapter are physically on the same switch and the packet
> arrives at the wrong interface?

Yes -- all of the multi-interface QuickStart guides emphatically point
out that you shouldn't do that. The Linux kernel responds to ARP
requests when the arp-ed for address is configured on ANY interface on
the system (not just the one that the request was received on).

You *may* get some relief by placing the following in your
/etc/shorewall/init file:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/arp_filter

Please let us know how that works.

Of course, given that you have more than one interface connected to the
same hub/switch, your whole security strategy is no more than "security
by obscurity".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
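The tell-tale sign in Peter's log line is IN=eth1 OUT=eth1: a reply from the internet arrived on the LAN interface because the ARP request for the internal host was answered on the wrong side of the shared switch. Below is an added example, not code from the thread or from the Shorewall project, of a small POSIX sh/awk check that pulls such same-interface REJECT/DROP lines out of a syslog extract, plus a helper that reads back the arp_filter setting Tom recommends so you can verify it took effect after the restart. The function names, the three constructed sample log lines (the first is the line quoted in the thread, the other two are made up), and the parameterised conf directory are my assumptions. Note that the kernel exposes the knob under /proc/sys/net/ipv4/conf/<interface>/arp_filter, with "all" and "default" as sub-directories of conf; with arp_filter=1 the kernel answers an ARP request only on an interface it would also route a packet to the requester through.

```shell
#!/bin/sh
# Added example (not part of the thread): spot Shorewall REJECT/DROP log lines
# whose IN= and OUT= interfaces are identical, and read back arp_filter.

# Constructed sample log lines. The first is the line from the thread; the
# second shows a normally forwarded packet, the third a second flapping host.
SAMPLE_LOG='Jul 15 16:34:45 router kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=62.216.11.36 DST=192.168.1.106 LEN=37 TOS=0x00 PREC=0x00 TTL=123 ID=48304 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43269
Jul 15 16:34:46 router kernel: Shorewall:FORWARD:ACCEPT:IN=eth0 OUT=eth1 SRC=62.216.11.36 DST=192.168.1.106 LEN=37 TOS=0x00 PREC=0x00 TTL=123 ID=48305 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43270
Jul 15 16:34:47 router kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=62.216.11.36 DST=192.168.1.110 LEN=37 TOS=0x00 PREC=0x00 TTL=123 ID=48306 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=43271'

# Read syslog text on stdin; print "timestamp interface destination" for every
# REJECT/DROP line where the packet would leave by the interface it came in on.
same_iface_rejects() {
    awk '
        /Shorewall:[^ ]*:(REJECT|DROP):/ {
            in_if = ""; out_if = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                # The first KEY=VALUE token is glued to the chain/disposition
                # prefix ("Shorewall:FORWARD:REJECT:IN=eth1"); strip up to ":".
                sub(/^.*:/, "", kv[1])
                if (kv[1] == "IN")  in_if  = kv[2]
                if (kv[1] == "OUT") out_if = kv[2]
                if (kv[1] == "DST") dst    = kv[2]
            }
            if (in_if != "" && in_if == out_if) print $1, $2, $3, in_if, dst
        }'
}

# Number of such lines on stdin, as a plain integer.
count_same_iface_rejects() {
    same_iface_rejects | wc -l | tr -d ' '
}

# Print "interface=value" for every arp_filter file under a conf directory.
# The directory is a parameter so the function can be exercised against a
# constructed tree; on a real firewall pass /proc/sys/net/ipv4/conf (default).
arp_filter_status() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/arp_filter; do
        [ -r "$f" ] || continue
        d="${f%/arp_filter}"
        printf '%s=%s\n' "${d##*/}" "$(cat "$f")"
    done
}

# Stand-alone demo: show the flagged lines from the constructed log and the
# current arp_filter values (empty on systems without the proc tree).
printf '%s\n' "$SAMPLE_LOG" | same_iface_rejects
arp_filter_status
```

On a live firewall you would feed the real log instead of SAMPLE_LOG (for example `grep Shorewall /var/log/messages | same_iface_rejects`) and expect the count to drop to zero once the two interfaces are on separate switches or, as a stop-gap, once arp_filter is enabled for all interfaces.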
Tom Eastep wrote:
>> Does this problem occur because of the fact that both the internal and
>> external adapter are physically on the same switch and the packet
>> arrives at the wrong interface?
>
> Yes -- all of the multi-interface QuickStart guides emphatically point
> out that you shouldn't do that. The Linux kernel responds to ARP
> requests when the arp-ed for address is configured on ANY interface on
> the system (not just the one that the request was received on).

Ok, now I am sure that that is the problem; this is going to change asap. I was already thinking this was the case but I wasn't 100% sure.

> You *may* get some relief by placing the following in your
> /etc/shorewall/init file:
>
> echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
> echo 1 > /proc/sys/net/ipv4/conf/default/arp_filter
>
> Please let us know how that works.

I am not at the location of the firewall now. I can SSH to it and then restart the firewall, but is it safe to do? If it goes down I think I'm in trouble ;-))

> Of course, given that you have more than one interface connected to the
> same hub/switch, your whole security strategy is no more than "security
> by obscurity".

You are right, it wasn't smart to do so; we have to change it.

--
Regards, Peter

You May Stop me.....!!BUT YOU CANT STOP US ALL!!...by DFA

Do you have a Sony Digital video camera? Have a look at http://www.dvin.org
Also see http://www.lindeman.org
ICQ 22383596
Uptime lindeman.org - 191 days, 21 hours and 1 minute, 0 users logged in.
On Tue, 2003-07-15 at 14:13, Peter Lindeman wrote:
> Tom Eastep wrote:
>
> I am not at the location of the firewall now. I can SSH to it and then
> restart the firewall, but is it safe to do? If it goes down I think I'm
> in trouble ;-))

There's always a risk :)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
>> I am not at the location of the firewall now. I can SSH to it and then
>> restart the firewall, but is it safe to do? If it goes down I think I'm
>> in trouble ;-))
>
> There's always a risk :)

Then I guess it is better to wait till tomorrow and split these networks ;-)

--
Regards, Peter

The only copy of Norton Utilities was on THAT disk???

Do you have a Sony Digital video camera? Have a look at http://www.dvin.org
Also see http://www.lindeman.org
ICQ 22383596
Uptime lindeman.org - 191 days, 21 hours and 11 minutes, 0 users logged in.