Holger Brückner
2003-Oct-22 11:33 UTC
[Shorewall-users] routing between to subnetz on same interface ?
hello again,

finally my setup is half way online ... but one thing isn't working: routing between two different subnets on the same physical interface.

Oct 22 20:28:00 router1 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=217.89.141.28 DST=217.5.177.78 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=56517 WINDOW=5792 RES=0x00 ACK SYN URGP=0

interfaces:
##############################################################################
#ZONE   INTERFACE   BROADCAST                               OPTIONS
-       eth0        217.5.177.79,217.89.141.31              #dmz see hosts
-       eth3        10.0.5.3                                #loc see hosts
#-      eth2        10.0.1.254                              #loc see hosts
net     eth1        217.5.177.75
-       ipsec0      10.10.0.255,10.10.4.255,10.10.8.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts:
#ZONE   HOST(S)                     OPTIONS
loc     eth3:10.0.0.0/24
loc     eth3:10.0.1.0/24
loc     eth3:192.168.3.0/24
dmz     eth0:217.5.177.76/30
dmz     eth0:217.89.141.24/29
vpn     ipsec0:10.10.0.0/24
vpn     ipsec0:10.10.4.0/24
vpn     ipsec0:10.10.8.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

according to the documentation about hosts file, routing should be setup correctly. what am i missing here ?!?

greetings from germany

Holger Brueckner
net-labs Systemhaus GmbH
Holger Brückner
2003-Oct-22 11:39 UTC
[Shorewall-users] routing between to subnetz on same interface ?
(sorry, got the wrong sender address, so here again)
Tom Eastep
2003-Oct-22 11:43 UTC
[Shorewall-users] routing between to subnetz on same interface ?
On Wed, 2003-10-22 at 11:35, Holger Brückner wrote:
>
> finally my setup is half way online ... but one thing isn't working:
>
> routing between two different subnets on the same physical interface.
>
> Oct 22 20:28:00 router1 kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=217.89.141.28 DST=217.5.177.78 LEN=60 TOS=0x00 PREC=0x00
> TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=56517 WINDOW=5792 RES=0x00 ACK SYN
> URGP=0
>
> according to the documentation about hosts file, routing should be setup
> correctly. what am i missing here ?!?
>

What is the output of "shorewall show FORWARD"?

-tOM
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Holger Brückner
2003-Oct-22 11:50 UTC
[Shorewall-users] routing between to subnetz on same interface ?
ok further investigation revealed the following:

Chain dmz2dmz (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

the chain is there, but there is no reference to it.
hmmm, more of a "suboptimal" optimization ?!? ;)
cya
Holger
Tom Eastep
2003-Oct-22 11:56 UTC
[Shorewall-users] routing between to subnetz on same interface ?
On Wed, 2003-10-22 at 11:43, Tom Eastep wrote:
>
> What is the output of "shorewall show FORWARD"?

Better yet, please send me the output of "shorewall status" as a text attachment.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Holger Brückner
2003-Oct-22 11:57 UTC
[Shorewall-users] routing between to subnetz on same interface ?
Shorewall-1.4.7-Beta1 Chain FORWARD at router1 - Wed Oct 22 20:51:14 CEST 2003

Counters reset Wed Oct 22 20:17:16 CEST 2003

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot  opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 4681 1601K eth0_fwd   all   --  eth0   *       0.0.0.0/0            0.0.0.0/0
 2876  243K eth3_fwd   all   --  eth3   *       0.0.0.0/0            0.0.0.0/0
 1894  275K eth1_fwd   all   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd all   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
  113  6833 common     all   --  *      *       0.0.0.0/0            0.0.0.0/0
  113  6833 LOG        all   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
  113  6833 reject     all   --  *      *       0.0.0.0/0            0.0.0.0/0

Shorewall-1.4.7-Beta1 Chain eth0_fwd at router1 - Wed Oct 22 20:51:49 CEST 2003

Counters reset Wed Oct 22 20:17:16 CEST 2003

Chain eth0_fwd (1 references)
 pkts bytes target     prot  opt in     out     source               destination
 4702 1605K dynamic    all   --  *      *       0.0.0.0/0            0.0.0.0/0
 4502 1581K dmz_frwd   all   --  *      *       217.5.177.76/30      0.0.0.0/0
  200 24207 dmz_frwd   all   --  *      *       217.89.141.24/29     0.0.0.0/0

Shorewall-1.4.7-Beta1 Chain dmz_frwd at router1 - Wed Oct 22 20:52:06 CEST 2003

Counters reset Wed Oct 22 20:17:16 CEST 2003

Chain dmz_frwd (2 references)
 pkts bytes target     prot  opt in     out     source               destination
 1724  137K dmz2net    all   --  *      eth1    0.0.0.0/0            0.0.0.0/0
 2705 1435K dmz2loc    all   --  *      eth3    0.0.0.0/0            10.0.0.0/24
  152 25374 dmz2loc    all   --  *      eth3    0.0.0.0/0            10.0.1.0/24
    8   892 dmz2loc    all   --  *      eth3    0.0.0.0/0            192.168.3.0/24
    0     0 all2all    all   --  *      ipsec0  0.0.0.0/0            10.10.0.0/24
    0     0 all2all    all   --  *      ipsec0  0.0.0.0/0            10.10.4.0/24
    0     0 all2all    all   --  *      ipsec0  0.0.0.0/0            10.10.8.0/24
Tom Eastep
2003-Oct-22 12:01 UTC
[Shorewall-users] routing between to subnetz on same interface ?
Ok -- Please:

shorewall debug restart 2> /tmp/trace

and send me the /tmp/trace file.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Jerry Vonau
2003-Oct-22 16:02 UTC
[Shorewall-users] routing between to subnetz on same interface ?
> (sorry, got the wrong sender address, so here again)
>
> hello again,
>
> finally my setup is half way online ... but one thing isn't working:
>
> routing between two different subnets on the same physical interface.
>
> Oct 22 20:28:00 router1 kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=217.89.141.28 DST=217.5.177.78 LEN=60 TOS=0x00 PREC=0x00
> TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=56517 WINDOW=5792 RES=0x00 ACK SYN
> URGP=0
>
> interfaces:
> ##############################################################################
> #ZONE   INTERFACE   BROADCAST                               OPTIONS
> -       eth0        217.5.177.79,217.89.141.31              #dmz see hosts
> -       eth3        10.0.5.3                                #loc see hosts
> #-      eth2        10.0.1.254                              #loc see hosts
> net     eth1        217.5.177.75
> -       ipsec0      10.10.0.255,10.10.4.255,10.10.8.255
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> hosts:
> #ZONE   HOST(S)                     OPTIONS
> loc     eth3:10.0.0.0/24
> loc     eth3:10.0.1.0/24
> loc     eth3:192.168.3.0/24
> dmz     eth0:217.5.177.76/30
> dmz     eth0:217.89.141.24/29
> vpn     ipsec0:10.10.0.0/24
> vpn     ipsec0:10.10.4.0/24
> vpn     ipsec0:10.10.8.0/24
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> according to the documentation about hosts file, routing should be setup
> correctly. what am i missing here ?!?
>

SRC=217.89.141.28 DST=217.5.177.78

This is dmz2dmz traffic. Don't you need the "routeback" option for the interface listed as dmz in the hosts file??

Jerry Vonau
Tom Eastep
2003-Oct-22 16:21 UTC
[Shorewall-users] routing between to subnetz on same interface ?
On Wed, 2003-10-22 at 15:56, Jerry Vonau wrote:
> > > according to the documentation about hosts file, routing should be setup
> > > correctly. what am i missing here ?!?
> >
>
> SRC=217.89.141.28 DST=217.5.177.78 This is dmz2dmz traffic
>
> Don't you need the "routeback" option for the interface listed as dmz in the hosts file??
>

Not in this case. The source and destination are covered by different entries in the /etc/shorewall/hosts file. The problem in this case was the "fix" included in 1.4.7a; I'll be releasing 1.4.7b in the next day or so.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
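As an added example (not code from the thread or from Shorewall itself), a small Python helper that applies the diagnosis above to the thread's own log line and hosts file: it resolves SRC and DST to their hosts entries, names the zone-to-zone chain the packet belongs in (dmz2dmz here), and reports whether routeback would matter, i.e. whether both ends fall under the same hosts entry on the same interface, as opposed to two different entries as in this case. The longest-prefix tie-break in lookup() is an assumption of this example; the thread's entries do not overlap, so it does not affect the result.

```python
import ipaddress
import re

# Constructed copies of the /etc/shorewall/hosts entries and the log line from the thread.
HOSTS = """\
loc   eth3:10.0.0.0/24
loc   eth3:10.0.1.0/24
loc   eth3:192.168.3.0/24
dmz   eth0:217.5.177.76/30
dmz   eth0:217.89.141.24/29
vpn   ipsec0:10.10.0.0/24
vpn   ipsec0:10.10.4.0/24
vpn   ipsec0:10.10.8.0/24
"""
LOG = ("Oct 22 20:28:00 router1 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
       "SRC=217.89.141.28 DST=217.5.177.78 LEN=60 TOS=0x00 PROTO=TCP SPT=25 DPT=56517")


def parse_hosts(text):
    """Return a list of (zone, interface, network) tuples from hosts-file lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        zone, spec = line.split()[:2]
        iface, net = spec.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(net)))
    return entries


def lookup(entries, iface, addr):
    """Return the (zone, network) entry covering addr on iface, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(z, n) for z, i, n in entries if i == iface and ip in n]
    # Assumption for this example: prefer the most specific entry if several match.
    return max(matches, key=lambda zn: zn[1].prefixlen, default=None)


def classify(log_line, hosts_text):
    """Map a Shorewall FORWARD log line to its zone pair and routeback relevance."""
    fields = dict(re.findall(r"(\w+)=(\S+)", log_line))   # IN, OUT, SRC, DST, ...
    entries = parse_hosts(hosts_text)
    src = lookup(entries, fields["IN"], fields["SRC"])
    dst = lookup(entries, fields["OUT"], fields["DST"])
    if src is None or dst is None:
        return {"chain": None, "routeback_needed": False}
    same_iface = fields["IN"] == fields["OUT"]
    # routeback only matters when traffic re-enters the interface it came from
    # AND both ends are covered by the same hosts entry (Tom's point above).
    return {"chain": f"{src[0]}2{dst[0]}", "same_interface": same_iface,
            "src_entry": str(src[1]), "dst_entry": str(dst[1]),
            "routeback_needed": same_iface and src[1] == dst[1]}
```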