Firstly I must apologise for yesterday's 4 mails in 5 minutes /*wrist_slap*/. I suppose I could blame sendmail, which I was having problems with, but it was me having the problems, not sendmail (and I've sorted them out - hopefully). If anyone is willing to give me a second chance, I'm still having problems.

I have just set up a Debian (Woody) box (shorewall from 'testing') to provide all the network needs for our school (I'm the IT Tech here). The system is as follows:

eth0 - local NIC, IP address 192.168.168.254, range 192.168.168.0/24
eth1 - internet NIC, fixed IP in same subnet as router

The box has:

dhcp - providing local machines IP addresses
apache - to serve local Intranet (not to be available to world)
squid - for caching proxy (port 8080) - forwarding to another proxy provided by our ISP for filtering
telnet/ssh - for local admin
bind - caching/forwarding dns queries
samba - for local file share

Basically it serves nothing to the world, but some things locally. The local machines should not have direct world access; their only net connection should be through the proxy.

My problem is that shorewall appears to block internal requests on eth1 (i.e. machine 192.168.168.202 proxy requests which should be through eth0 are being blocked by eth1). Could this be that both NICs are on the same hub and if so how can I work round this.

Help - please...

Andrew
BLUG wrote:
> My problem is that shorewall appears to block internal requests on eth1
> (i.e. machine 192.168.168.202 proxy requests which should be through eth0
> are being blocked by eth1). Could this be that both NIC are on the same hub
> and if so how can I work round this.

I do not understand your setup entirely, but I can maybe give some hints.

Do you have the option rfc1918 on your internet interface? That would indeed block local addresses on the interface.

Are you saying that both interfaces go to the same hub? What for?

Are you redirecting all traffic through squid, or do you set the proxy manually at each client? Have you got squid configured as a transparent proxy?

--
- Pieter
On Thu, 24 Jul 2003 09:54:30 +0100, BLUG <andrew_blug@adburns.co.uk> wrote:
> Could this be that both NIC are on the same hub
> and if so how can I work round this.

If both NICs are connected to the same hub, things won't work as you'd expect and you'll get some very confusing results when you try to troubleshoot. I'm pretty certain this is the source of your trouble.

Have a look at http://www.shorewall.net/troubleshoot.htm

regards
Julian Church
--
jc@ljchurch.co.uk
www.ljchurch.co.uk
Hi Andrew

On Thu, 24 Jul 2003 11:22:18 +0100, Andrew Burns <andrew_blug@adburns.co.uk> wrote:
> For geographical reasons on site I cannot place the server next to the
> router. Would placing an extra hub between the existing hub and one of the
> NICs make any difference?

No. eth0 and eth1 need to be connected to physically separate subnets. It's a feature of the way the Linux kernel handles ARP. Additionally, without physical separation between the internal and external subnets, there are security problems; it's not hard for a hacker to bypass the firewall altogether.

> And to answer Pieter, rfc1918 option is not enabled on either NIC, and proxy
> is manually set on each client - squid is not transparent.

Until you've sorted out physically separate subnets for the two interfaces, there isn't much point exploring other avenues.

cheers
Julian
On Thu, 2003-07-24 at 01:54, BLUG wrote:
> My problem is that shorewall appears to block internal requests on eth1
> (i.e. machine 192.168.168.202 proxy requests which should be through eth0
> are being blocked by eth1). Could this be that both NIC are on the same hub
> and if so how can I work round this.

Andrew --

Every one of the QuickStart Guides that deals with more than one firewall interface warns you that you MUST NOT CONNECT MULTIPLE INTERFACES TO THE SAME HUB/SWITCH. Even if it did work (which it doesn't), it would provide at most "security by obscurity".

You *may* be able to get it to work enough for testing by including the following in your /etc/shorewall/init file:

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_filter

You certainly don't want to put your firewall into production that way.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
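The cabling mistake Julian and Tom describe leaves a fingerprint in the firewall's own ARP table: with eth0 and eth1 on one hub, the same neighbour gets learned on both devices. The script below is an added example for this thread, not code from the list or from the Shorewall project. It parses a constructed /proc/net/arp snapshot to find neighbours seen on more than one interface, and reads the per-interface arp_filter sysctl that Tom's two echo lines set. The interface names, the host 192.168.168.10, the router address 203.0.113.1 and all MAC addresses in the sample are made up; the `read` parameter is an injection point so the sysctl check can be exercised without a real /proc.

```python
"""Spot the 'two NICs on one hub' misconfiguration from a Shorewall box's own
ARP table, and report the arp_filter sysctl values the thread refers to."""
from collections import defaultdict

# Constructed sample of /proc/net/arp as it might look on Andrew's firewall
# if eth0 and eth1 were cabled to the same hub. The host 192.168.168.10, the
# router address 203.0.113.1 and the MAC addresses are made up for this example.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.168.202  0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.168.202  0x1         0x2         00:11:22:33:44:55     *        eth1
192.168.168.10   0x1         0x2         00:11:22:33:44:66     *        eth0
203.0.113.1      0x1         0x2         00:aa:bb:cc:dd:ee     *        eth1
192.168.168.77   0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x2  # ARP flag: entry is complete (resolved)


def parse_arp_table(text):
    """Parse /proc/net/arp text into (ip, mac, device) tuples.

    The header line is skipped, as are incomplete entries (ATF_COM not set),
    which carry an all-zero MAC and say nothing about which link a host is on.
    """
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields[:6]
        if not int(flags, 16) & ATF_COM:
            continue
        entries.append((ip, mac.lower(), device))
    return entries


def neighbours_on_multiple_devices(entries):
    """Return {ip: [devices]} for neighbours learned on more than one interface.

    On a correctly cabled firewall each neighbour is reachable over exactly one
    interface. The same IP (and MAC) showing up on both eth0 and eth1 means the
    two NICs see the same broadcast domain, the situation the thread warns about.
    """
    devices_by_ip = defaultdict(set)
    for ip, _mac, device in entries:
        devices_by_ip[ip].add(device)
    return {ip: sorted(devs) for ip, devs in devices_by_ip.items() if len(devs) > 1}


def _read_file(path):
    with open(path) as fh:
        return fh.read()


def arp_filter_settings(interfaces, read=_read_file):
    """Return {iface: True/False/None} from /proc/sys/net/ipv4/conf/<iface>/arp_filter.

    None means the file could not be read (no such interface, or not Linux).
    `read` is injectable so the logic can be exercised without a real /proc.
    """
    settings = {}
    for iface in interfaces:
        path = f"/proc/sys/net/ipv4/conf/{iface}/arp_filter"
        try:
            settings[iface] = read(path).strip() == "1"
        except OSError:
            settings[iface] = None
    return settings


def diagnose(arp_text, interfaces, read=_read_file):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    shared = neighbours_on_multiple_devices(parse_arp_table(arp_text))
    for ip, devs in sorted(shared.items()):
        findings.append(f"{ip} learned on {' and '.join(devs)}: "
                        "these interfaces share a broadcast domain")
    for iface, enabled in arp_filter_settings(interfaces, read).items():
        if enabled is False:
            findings.append(f"{iface}: arp_filter=0, the kernel may answer ARP "
                            "for this NIC's addresses from any interface")
    return findings


if __name__ == "__main__":
    # Constructed sysctl values: arp_filter on for eth0, off for eth1.
    fake_sysctl = {"eth0": "1\n", "eth1": "0\n"}
    for finding in diagnose(SAMPLE_ARP_TABLE, ["eth0", "eth1"],
                            read=lambda p: fake_sysctl[p.split("/")[-2]]):
        print(finding)
```

Run on a real firewall, drop the `read` argument and pass `open("/proc/net/arp").read()` as the table; a clean result (no shared neighbours) is what you should see once the two NICs are on physically separate segments, which remains the fix the thread recommends regardless of the arp_filter setting.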