Dave B wrote:
> I have setup a bridged connection using the guide on
> openvpn.sourceforge.net. The two linux gateways have established a
> vpn connection over the internet but I can't seem to get
> anything through it. I'm using shorewall, but pretty much all the
> policies are open right now. One thing that I see I am doing
> different is that I have two different ip setups on the two networks.
> One is 192.168.7.0 and the other is 192.168.1.0. Now, on the br0 for
> each server, and on the clients I set a class b subnet mask so I
> figured this setup would be ok. Is it? What else could be wrong? I
> figure this is a shorewall configuration problem as opposed to
> openvpn because VPN says I'm connected, and it's displaying RWRW
> across the link.
[snip]

Dave,

Just the thought of designing a network that allows broadcast packets to be routed across a VPN (separated geographically) to satisfy what I can only assume to be a Microsoft Networking requirement, makes me cringe!!!

In your design requirements, have you considered implementing a WINS server? Samba can be configured to act as a WINS server. This would at least eliminate your design requirement to implement a layer 2 type bridge.

If you have not done so, consider reading:

1) The samba man pages. In particular, the options pertaining to configuring samba to be a WINS server and the options that make it win the local master browser election process.

2) If you're using DHCP on both LANs - read the man pages (man 5 dhcp-options) about the options netbios-node-type (hybrid vs. broadcast) and netbios-name-servers.

Steve Cowles
Hi guys

I'm having a very weird issue with shorewall 1.4.6c.

What happens is the following.

My firewall works perfectly and so does my internal network. After some time (no actual number for this since it's somewhat random, but it happens 2 - 3 times a day) the firewall no longer allows internal traffic to get to the net, but from the firewall system itself you can connect to the net or ping to an internet website. This has been going on for maybe 1 month now and I thought upgrading to 1.4.6c would fix the issue but to no avail.

Any information would be much appreciated as the firewall is making internet access for the internal network unusable since people here download huge files and access email.

Thank you

Nick Sklav
On Sunday 07 September 2003 07:42 am, Nick Sklavenitis wrote:
> Hi guys
>
> I'm having a very weird issue with shorewall 1.4.6c.
>
> What happens is the following.
>
> My firewall works perfectly and so does my internal network. After some
> time (no actual number for this since it's somewhat random, but it happens 2 -
> 3 times a day) the firewall no longer allows internal traffic to get to
> the net, but from the firewall system itself you can connect to the net
> or ping to an internet website. This has been going on for maybe 1 month
> now and I thought upgrading to 1.4.6c would fix the issue but to no
> avail. Any information would be much appreciated as the firewall is
> making internet access for the internal network unusable since people
> here download huge files and access email.

Are you on a dynamic IP that changes frequently?
If so, do you have dhcp/detect on your external interface?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Sun, 2003-09-07 at 17:28, John Andersen wrote:
> Are you on a dynamic IP that changes frequently?
> If so, do you have dhcp/detect on your external interface?

No, I have a static ip address but I am using pppoe. I also have the dhcp option in the interfaces file but it has never caused a problem before so I'm not sure what the problem is exactly in this case. All I know is a shorewall restart solves the problem.
Hi Nick,

On 7 Sep 2003, Nick Sklavenitis wrote:
> No, I have a static ip address but I am using pppoe. I also have the dhcp
> option in the interfaces file but it has never caused a problem before so
> I'm not sure what the problem is exactly in this case. All I know is a
> shorewall restart solves the problem.

After the Shorewall scripts finish running, Shorewall is no longer doing anything. It's all netfilter/iptables.

We'll probably need some sort of diagnostic information to help you. Go through the steps in http://shorewall.net/troubleshoot.htm and http://shorewall.net/support.htm.

One guess I have off the top of my head is that maybe netfilter kernel modules are being unloaded or something like that. But some diagnostic info would help.

-Jason
Folks,

I have attempted to follow the documentation regarding the configuration of a multiple subnet machine without any success. Here is my situation:

We have a machine, 'mars', which serves as a virtual webserver. The system's main IP is on the 10.0.0.0/26 subnet, while the virtual IPs for the web server instances will all exist on 10.0.1.0/24.

Ideally, I would be able to independently adjust the rules for the main IP and the virtual-server IPs (the main machine runs services that the individual web instances will not).

To my understanding, the configuration below should function properly for this purpose, but it does not. In fact, I cannot seem to send or receive traffic anywhere when the firewall is enabled.

Can anyone shed some light on what I've done wrong here?

/etc/shorewall/hosts:
#ZONE   HOST(S)            OPTIONS
loc     eth0:10.0.0.0/26
loc     eth0:10.0.1.0/24

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST               OPTIONS
-       eth0        10.0.0.63,10.0.1.255    norfc1918,routefilter,dropunclean,blacklist

/etc/shorewall/rules:
ACCEPT  fw   net  tcp  -
ACCEPT  fw   net  udp  -
ACCEPT  net  fw   tcp  ssh
ACCEPT  net  fw   tcp  domain
ACCEPT  net  fw   udp  domain
ACCEPT  net  fw   tcp  http
ACCEPT  net  fw   tcp  https
ACCEPT  loc  net  tcp  domain
ACCEPT  loc  net  udp  domain
ACCEPT  net  loc  tcp  ssh
ACCEPT  net  loc  tcp  ftp
ACCEPT  net  loc  tcp  ftp-data
ACCEPT  net  loc  tcp  http
ACCEPT  net  loc  tcp  https

--
 .''`.  Daniel DeVoe <ddevoe@netset.com>
: :' :  http://www.netset.com/~ddevoe
`. `'`
  `-    Debian - when you have better things to do than fix a system
Since I left out some pertinent information when posting this originally, I thought it would be best to post some elaboration on my situation.

The machine in question runs debian sarge, on a late model linux 2.4 kernel, using Shorewall 1.4.5. The output of ip addr show is as follows (contrary to the support page, I have changed our IP addresses to benign RFC1918 addresses. I have made sure to do so in ways which would not affect troubleshooting though -- the listed RFC1918 addys have the same subnet boundaries as the real IPs)

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:55:91:8e:21 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.17/26 brd 10.0.0.63 scope global eth0
    inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0:2
    inet6 fe80::202:55ff:fe91:8e21/64 scope link
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

# ip route show
10.0.1.2 dev eth0 scope link src 10.0.1.2
10.0.0.0/26 dev eth0 proto kernel scope link src 10.0.0.17
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.2
default via 10.0.0.1 dev eth0

Here is a sample of `shorewall show log` when I try to bring up the firewall:

Sep 10 16:48:32 INPUT:REJECT:IN=eth0 OUT= SRC=10.0.0.154 DST=10.0.0.17 LEN=240 TOS=0x10 PREC=0x00 TTL=127 ID=2785 DF PROTO=TCP SPT=1046 DPT=22 WINDOW=62896 RES=0x00 ACK PSH URGP=0
Sep 10 16:48:32 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.17 DST=10.0.0.154 LEN=40 TOS=0x10 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=22 DPT=1046 WINDOW=0 RES=0x00 RST URGP=0

The one other notable facet of this problem is that for some reason, I get the following message when doing a `shorewall check` (or start, etc.):

Determining Hosts in Zones...
   Warning: Zone net is empty
   Local Zone: eth0:10.0.0.0/26 eth0:10.0.1.0/24
   Warning: Zone dmz is empty

Those zone empty messages don't look very good...but I can't figure out why I get them. I'm totally stumped. Help! =)

--
Dan DeVoe, System Administrator   | http://www.netset.com
Ohio NetSet Enterprises, Inc.     | (614) 527-9111

On Mon, 8 Sep 2003, Dan DeVoe wrote:
> Date: Mon, 8 Sep 2003 13:19:02 -0400 (EDT)
> From: Dan DeVoe <ddevoe@netset.com>
> Reply-To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Subject: [Shorewall-users] Handling alias interfaces/subnets
>
> Folks,
>
> I have attempted to follow the documentation regarding the configuration
> of a multiple subnet machine without any success. Here is my situation:
>
> We have a machine, 'mars', which serves as a virtual webserver. The
> system's main IP is on the 10.0.0.0/26 subnet, while the virtual IPs for
> the web server instances will all exist on 10.0.1.0/24.
>
> Ideally, I would be able to independently adjust the rules for the main IP
> and the virtual-server IPs (the main machine runs services that the
> individual web instances will not).
>
> To my understanding, the configuration below should function properly for
> this purpose, but it does not. In fact, I cannot seem to send or receive
> traffic anywhere when the firewall is enabled.
>
> Can anyone shed some light on what I've done wrong here?
>
> /etc/shorewall/hosts:
> #ZONE   HOST(S)            OPTIONS
> loc     eth0:10.0.0.0/26
> loc     eth0:10.0.1.0/24
>
> /etc/shorewall/interfaces:
> #ZONE   INTERFACE   BROADCAST               OPTIONS
> -       eth0        10.0.0.63,10.0.1.255    norfc1918,routefilter,dropunclean,blacklist
>
> /etc/shorewall/rules:
> ACCEPT  fw   net  tcp  -
> ACCEPT  fw   net  udp  -
> ACCEPT  net  fw   tcp  ssh
> ACCEPT  net  fw   tcp  domain
> ACCEPT  net  fw   udp  domain
> ACCEPT  net  fw   tcp  http
> ACCEPT  net  fw   tcp  https
> ACCEPT  loc  net  tcp  domain
> ACCEPT  loc  net  udp  domain
> ACCEPT  net  loc  tcp  ssh
> ACCEPT  net  loc  tcp  ftp
> ACCEPT  net  loc  tcp  ftp-data
> ACCEPT  net  loc  tcp  http
> ACCEPT  net  loc  tcp  https
>
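As an added example (not from the thread and not Shorewall's own code), this Python script parses the two `shorewall show log` lines Dan posted and looks each SRC/DST address up against the hosts entries from his configuration; the zone lookup is an assumed, simplified stand-in for Shorewall's zone assignment (first match wins, no exclusions, options or firewall-own addresses). Run on the posted lines, it reports that 10.0.0.154, the client in the rejected SSH packet, is covered by neither hosts entry (10.0.0.0/26 ends at 10.0.0.63), while 10.0.0.17 resolves to loc.

```python
import ipaddress
import re

# Constructed from the /etc/shorewall/hosts entries quoted in the thread: (zone, interface, network)
HOSTS_ENTRIES = [
    ("loc", "eth0", "10.0.0.0/26"),
    ("loc", "eth0", "10.0.1.0/24"),
]

# The two `shorewall show log` lines posted in the thread, embedded here as sample input
SAMPLE_LOG = """\
Sep 10 16:48:32 INPUT:REJECT:IN=eth0 OUT= SRC=10.0.0.154 DST=10.0.0.17 LEN=240 TOS=0x10 PREC=0x00 TTL=127 ID=2785 DF PROTO=TCP SPT=1046 DPT=22 WINDOW=62896 RES=0x00 ACK PSH URGP=0
Sep 10 16:48:32 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.17 DST=10.0.0.154 LEN=40 TOS=0x10 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=22 DPT=1046 WINDOW=0 RES=0x00 RST URGP=0
"""

# timestamp, then CHAIN:ACTION: followed by the netfilter KEY=VALUE fields
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)$")

def zone_for(addr, interface, entries=HOSTS_ENTRIES):
    """Zone whose hosts entry covers addr on interface, or None if no entry does.
    Assumed simplification: first match wins; exclusions, options and the
    firewall's own addresses are not modelled (this is not Shorewall's logic)."""
    if not addr or not interface:
        return None
    ip = ipaddress.ip_address(addr)
    for zone, iface, net in entries:
        if iface == interface and ip in ipaddress.ip_network(net):
            return zone
    return None

def parse_log_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # flag tokens such as DF, ACK, PSH carry no '=' and are skipped
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    iface = fields.get("IN") or fields.get("OUT")  # IN is empty for OUTPUT-chain entries
    return {
        "chain": m.group("chain"), "action": m.group("action"), "interface": iface,
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "src_zone": zone_for(fields.get("SRC"), iface), "dst_zone": zone_for(fields.get("DST"), iface),
    }

def parse_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["chain"], r["action"], r["src"], r["src_zone"], "->", r["dst"], r["dst_zone"], r["dport"])
```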
On Sun, 7 Sep 2003, Nick Sklavenitis wrote:
> My firewall works perfectly and so does my internal network. After some
> time (no actual number for this since it's somewhat random, but it happens 2 -
> 3 times a day) the firewall no longer allows internal traffic to get to
> the net, but from the firewall system itself you can connect to the net
> or ping to an internet website. This has been going on for maybe 1 month
> now and I thought upgrading to 1.4.6c would fix the issue but to no
> avail. Any information would be much appreciated as the firewall is
> making internet access for the internal network unusable since people
> here download huge files and access email.
>

For at least the 1,000th time -- Shorewall generated rules are STATIC -- they do the same thing two weeks after the firewall is started as they do 2 seconds after the firewall is started. Problems that develop at some time after Shorewall starts are therefore VERY unlikely to be Shorewall related.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net