OS: Debian
Shorewall: shorewall-1.4.8
 
groovy:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:ba:50:55:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:baff:fe50:5503/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:95:0b:99:f1 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
    inet6 fe80::240:95ff:fe0b:99f1/64 scope link
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:95:0b:bb:3c brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.254/24 brd 10.10.11.255 scope global eth2
    inet6 fe80::240:95ff:fe0b:bb3c/64 scope link
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 219.94.63.38 peer 219.93.218.177/32 scope global ppp0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
groovy:~#
 
groovy:~# ip route show
219.93.218.177 dev ppp0  proto kernel  scope link  src 219.94.63.38
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.254
10.10.11.0/24 dev eth2  proto kernel  scope link  src 10.10.11.254
default via 219.93.218.177 dev ppp0
groovy:~#
 
/etc/shorewall/policy
 
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
fw              net             ACCEPT
loc             dmz             ACCEPT
dmz             loc             ACCEPT
dmz             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 
/etc/shorewall/rules
 
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE    USER
#                                                       PORT    PORT(S)         DEST            LIMIT   SET
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          loc             fw              tcp     22
ACCEPT          loc             dmz             tcp     22
ACCEPT          net             fw              tcp     22
ACCEPT          fw              dmz             tcp     22
ACCEPT          dmz             fw              tcp     22
ACCEPT          dmz             loc             tcp     22
ACCEPT          dmz             net             tcp     22
ACCEPT          dmz             net             tcp     53
ACCEPT          dmz             net             udp     53
ACCEPT          loc             fw              tcp     53
ACCEPT          loc             fw              udp     53
ACCEPT          net             fw              icmp    8
ACCEPT          loc             fw              icmp    8
ACCEPT          dmz             fw              icmp    8
ACCEPT          loc             dmz             icmp    8
ACCEPT          dmz             loc             icmp    8
ACCEPT          dmz             net             icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              dmz             icmp    8
ACCEPT          net             dmz             icmp    8       # Only with Proxy ARP and
ACCEPT          net             loc             icmp    8       # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
Computers in zone 'LOC' can't talk to computers in zone 'DMZ' at all.
 
Policy has been set to ACCEPT.
Can't ping, or anything else. Seems like there is no route between subnet
10.10.10.0/24 and 10.10.11.0/24.
 
I set up the firewall following the three-interfaces setup guide.
 
Please help..
 
Cheers
 
Jason
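As an added illustration (not part of the original post or of Shorewall itself), the following evaluator reproduces how Shorewall decides the fate of a new connection from the files shown above: entries in /etc/shorewall/rules are consulted first, then /etc/shorewall/policy, each in file order with the first match winning. The policy and rule texts are constructed copies of the poster's files (a representative subset of the rules), and the fallback verdict when no policy matches is an assumption made here for completeness. Running it for loc-to-dmz traffic shows that this ruleset permits it, which is why the thread moves on to look at routing rather than at the firewall policy.

```python
from typing import List, Optional, Tuple

# Constructed copy of the poster's /etc/shorewall/policy.
POLICY_TEXT = """\
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
fw       net   ACCEPT
loc      dmz   ACCEPT
dmz      loc   ACCEPT
dmz      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

# Constructed subset of the poster's /etc/shorewall/rules (same column order:
# ACTION SOURCE DEST PROTO DEST-PORT). The inline comment is kept on purpose
# to show that the parser strips it, as Shorewall does.
RULES_TEXT = """\
#ACTION  SOURCE  DEST  PROTO  DEST_PORT
ACCEPT   fw      net   tcp    53
ACCEPT   fw      net   udp    53
ACCEPT   loc     fw    tcp    22
ACCEPT   loc     dmz   tcp    22
ACCEPT   net     fw    tcp    22
ACCEPT   dmz     loc   tcp    22
ACCEPT   loc     fw    udp    53
ACCEPT   net     fw    icmp   8
ACCEPT   loc     dmz   icmp   8
ACCEPT   dmz     loc   icmp   8
ACCEPT   net     dmz   icmp   8   # Only with Proxy ARP and static NAT
"""


def _entries(text: str):
    """Yield the whitespace-split columns of each non-comment line,
    dropping anything after an inline '#'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """(SOURCE, DEST, POLICY) triples; LOG LEVEL and LIMIT are ignored here."""
    return [(cols[0], cols[1], cols[2]) for cols in _entries(text)]


def parse_rules(text: str) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """(ACTION, SOURCE, DEST, PROTO, DEST-PORT) tuples; a missing port is None."""
    out = []
    for cols in _entries(text):
        action, src, dst, proto = cols[:4]
        dport = cols[4] if len(cols) > 4 else None
        out.append((action, src, dst, proto, dport))
    return out


def _zone_match(pattern: str, zone: str) -> bool:
    # 'all' is Shorewall's wildcard zone in both files.
    return pattern == "all" or pattern == zone


def evaluate(rules, policies, src_zone, dst_zone, proto, dport=None):
    """Return (verdict, reason) for a new connection src_zone -> dst_zone.
    Rules are tried first, then policies; the first match decides."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (_zone_match(rsrc, src_zone) and _zone_match(rdst, dst_zone)
                and rproto == proto and (rport is None or rport == str(dport))):
            return action, f"rule {action} {rsrc} {rdst} {rproto} {rport or ''}".rstrip()
    for psrc, pdst, policy in policies:
        if _zone_match(psrc, src_zone) and _zone_match(pdst, dst_zone):
            return policy, f"policy {psrc} {pdst} {policy}"
    # Assumption: Shorewall would refuse to start without a catch-all policy;
    # for this toy evaluator treat the gap as DROP.
    return "DROP", "no matching policy (assumed DROP)"


POLICIES = parse_policy(POLICY_TEXT)
RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for probe in (("loc", "dmz", "tcp", 22), ("loc", "dmz", "tcp", 80),
                  ("net", "loc", "tcp", 80), ("fw", "loc", "tcp", 80)):
        print(probe, "->", evaluate(RULES, POLICIES, *probe))
```

The verdicts make the thread's point concrete: loc-to-dmz is ACCEPTed by a rule for port 22 and by the policy for anything else, so if pings still fail between 10.10.10.0/24 and 10.10.11.0/24 the cause lies in how the zones map to interfaces or in host routing, which is exactly what the replies ask about.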

a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts files -- How do you expect us to analyze your problem if we don't know how zones map to interfaces and hosts?

b) Please include Shorewall messages from your log when you try to ping.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Friday 30 January 2004 12:08 pm, Tom Eastep wrote:
> a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts
> files -- How do you expect us to analyze your problem if we don't know how
> zones map to interfaces and hosts?
>
> b) Please include Shorewall messages from your log when you try to ping.
>

Also, I assume that if you "shorewall clear" that you can communicate perfectly between the two LAN segments?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Friday 30 January 2004 12:15, Tom Eastep wrote:
> On Friday 30 January 2004 12:08 pm, Tom Eastep wrote:
> > a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts
> > files -- How do you expect us to analyze your problem if we don't know
> > how zones map to interfaces and hosts?
> >
> > b) Please include Shorewall messages from your log when you try to ping.
>
> Also, I assume that if you "shorewall clear" that you can communicate
> perfectly between the two LAN segments?

If not then I suggest that you check the default gateway settings on the systems that you are trying to ping between. Both systems should have as their default gateway the IP address of the firewall interface to which they are connected.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
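The default-gateway check suggested in the last reply can be done mechanically from each host's `ip route show` output. The script below is an added example, not part of the thread or of Shorewall: it takes the firewall's LAN-side addresses from the poster's `ip addr show` (eth1 on 10.10.10.0/24, eth2 on 10.10.11.0/24) and checks that a host's default gateway is the firewall address on the host's own connected subnet. The three route listings are constructed samples; the host addresses 10.10.10.10 and 10.10.11.20 and the stray gateway 10.10.11.1 are invented for illustration.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed from the poster's `ip addr show`: the firewall's two LAN interfaces.
FIREWALL_IFACES: Dict[str, str] = {"eth1": "10.10.10.254/24", "eth2": "10.10.11.254/24"}

# Constructed sample `ip route show` output from three hosts (addresses invented).
GOOD_HOST_ROUTES = """\
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.10.10.10
default via 10.10.10.254 dev eth0
"""

# Wrong gateway: on the right subnet, but not the firewall.
BAD_HOST_ROUTES = """\
10.10.11.0/24 dev eth0  proto kernel  scope link  src 10.10.11.20
default via 10.10.11.1 dev eth0
"""

# No default route at all: only the local subnet is reachable.
NO_DEFAULT_ROUTES = """\
10.10.11.0/24 dev eth0  proto kernel  scope link  src 10.10.11.20
"""


def parse_routes(text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (default_gateway, {connected_prefix: source_addr}) from
    `ip route show` output. Lines that are neither are ignored."""
    gateway = None
    connected: Dict[str, str] = {}
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "default" and "via" in cols:
            gateway = cols[cols.index("via") + 1]
        elif "/" in cols[0] and "src" in cols:
            connected[cols[0]] = cols[cols.index("src") + 1]
    return gateway, connected


def check_gateway(route_text: str, firewall_ifaces: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message). ok is True only when the host's default gateway
    is a firewall interface address lying on one of the host's own subnets."""
    gateway, connected = parse_routes(route_text)
    if gateway is None:
        return False, "no default route; host cannot reach other subnets"
    fw_addrs = {ipaddress.ip_interface(a).ip: name for name, a in firewall_ifaces.items()}
    gw = ipaddress.ip_address(gateway)
    for prefix in connected:
        net = ipaddress.ip_network(prefix)
        if gw in net:
            if gw in fw_addrs:
                return True, f"default gateway {gw} is firewall interface {fw_addrs[gw]} on {net}"
            return False, f"default gateway {gw} is on {net} but is not a firewall interface"
    return False, f"default gateway {gw} is not on any connected subnet"


if __name__ == "__main__":
    for name, routes in (("good", GOOD_HOST_ROUTES), ("bad", BAD_HOST_ROUTES),
                         ("none", NO_DEFAULT_ROUTES)):
        print(name, "->", check_gateway(routes, FIREWALL_IFACES))
```

On a real host, feed it the output of `ip route show` (or `route -n` after adjusting the parser); a False result on either end explains a failed loc-to-dmz ping without any firewall rule being involved, since the reply has nowhere to go.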