We switched over from a BorderManager firewall to a Shorewall firewall.
Some stuff is not working now.
I realized that I had not created the route for the network that is not
working; however, once I created it, it still didn't work.
Most of our network is fine; however, some pieces are not working.
[Net] - [Shorewall] - [LAN] - [Cisco] - [Clients and servers not working]
The firewall can ping inside my broken network.
Some clients cannot ping inside my broken network 172.25.0.0/16.
Some clients can.
I am a little flummoxed. Thanks for your consideration and your help.
lnxfw:/home/joel# shorewall version
1.4.10d
lnxfw:/home/joel# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:10:18:06:32:4f brd ff:ff:ff:ff:ff:ff
inet 216.228.3.194/29 brd 216.228.3.255 scope global eth0
inet 216.228.3.195/29 brd 216.228.3.199 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:10:18:06:32:62 brd ff:ff:ff:ff:ff:ff
inet 172.30.2.7/16 brd 172.30.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0b:db:e7:36:ac brd ff:ff:ff:ff:ff:ff
inet 172.28.0.1/16 brd 172.28.255.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0b:db:e7:36:ae brd ff:ff:ff:ff:ff:ff
6: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
7: gre0@NONE: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
216.228.3.197 dev eth2 scope link
216.228.3.196 dev eth2 scope link
216.228.3.192/29 dev eth0 proto kernel scope link src 216.228.3.194
172.25.0.0/16 via 172.30.1.239 dev eth1
172.30.0.0/16 dev eth1 proto kernel scope link src 172.30.2.7
172.28.0.0/16 dev eth2 proto kernel scope link src 172.28.0.1
default via 216.228.3.193 dev eth0
/etc/shorewall/interfaces
net eth0 216.228.3.199
tcpflags,blacklist,norfc1918,routefilter
loc eth1 172.30.255.255 dhcp
dmz eth2 172.28.255.255 proxyarp
Joel Staker wrote:
> [...]

I suggest that you read carefully the material at
http://shorewall.net/Multiple_Zones.html. I suspect that you might need
to add the 'routeback' option to eth1 but that should be clear after you
have read the article.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hrm, I just did that before I got your e-mail... :-)

>>> teastep@shorewall.net 05/17/04 08:28AM >>>
Joel Staker wrote:
> [...]

I suggest that you read carefully the material at
http://shorewall.net/Multiple_Zones.html. I suspect that you might need
to add the 'routeback' option to eth1 but that should be clear after you
have read the article.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
I don't even have the words required to express my gratitude to Tom for
his patience and his help.
I will summarize my problem and the solution for the list:
Our network looks like this
[Net] - [Shorewall] - [LAN] - [Cisco] - [LAN2]
- [Cisco] - [LAN3]
Our e-mail server is set up for one-to-one NAT on [LAN]
Our http goes through squid on the same box as shorewall.
Everything was set up and tested on a simplified test network before we
went into production on Friday.
Friday was a long long day. However we got it working, we thought.
This morning people in [LAN2] and [LAN3] could not get e-mail and could
not browse the web.
Aha! I thought. Oops, I forgot to add routes on the new firewall. So I
do:
ip route add 172.25.0.0/16 via eth1
ip route add 172.29.0.0/16 via eth1 etc..
Cake! I thought. Nope, people still could not browse and could not get
e-mail.
Tom came to my rescue.
I had:
216.228.3.195 eth0 172.30.1.11 yes yes
This was wrong. My clients' packets were being NATed back to the
public IP address!
It should have been:
216.228.3.195 eth0 172.30.1.11 no no
Poof! e-mail worked.
At this point the browsing issue was quickly traced back to missing ACL
definitions in squid.conf.
Everything is working great now and I, like so many others, owe a debt
of thanks to Tom. Thanks again, Tom.
>>> JSTAKER@ci.watsonville.ca.us 05/17/04 08:31AM >>>
Hrm, I just did that before I got your e-mail... :-)
>>> teastep@shorewall.net 05/17/04 08:28AM >>>
[...]
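The nat-file mistake Joel describes (ALL INTERFACES set to yes, so the one-to-one NAT is applied on every interface instead of only the external one) is easy to lint for. The following is an added example written for this thread, not code from the list or from Shorewall: it parses entries in the Shorewall 1.4 nat-file layout (EXTERNAL INTERFACE INTERNAL ALL-INTERFACES LOCAL), flags any entry whose NAT is applied on all interfaces, and renders the confined form that Joel ended up with. The column layout, the treatment of a missing column as "no", the function names and the second sample entry are this example's own assumptions.

```python
"""Audit one-to-one NAT entries in a Shorewall 1.4-style /etc/shorewall/nat
file for the mistake described in the thread: ALL INTERFACES = yes makes the
static NAT apply on every interface, not only the external one.

Added example for this thread; not Shorewall's own code. Assumed column
layout (Shorewall 1.4 nat file):
    EXTERNAL   INTERFACE   INTERNAL   [ALL INTERFACES]   [LOCAL]
A missing ALL INTERFACES or LOCAL column is treated as "no" here (assumption;
check the header comments of your own version's nat file).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class NatEntry:
    line_no: int
    external: str
    interface: str
    internal: str
    all_interfaces: bool  # NAT applied on every interface, not only INTERFACE
    local: bool           # NAT also applied to packets from the firewall itself


def _yes(field: Optional[str]) -> bool:
    return field is not None and field.lower() == "yes"


def parse_nat_file(text: str) -> List[NatEntry]:
    """Parse nat-file text; '#' comments and blank lines are ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {n}: expected EXTERNAL INTERFACE INTERNAL, got {line!r}")
        external, interface, internal = cols[:3]
        ip_address(external)   # raises ValueError on a malformed address
        ip_address(internal)
        entries.append(NatEntry(
            n, external, interface, internal,
            _yes(cols[3]) if len(cols) > 3 else False,
            _yes(cols[4]) if len(cols) > 4 else False,
        ))
    return entries


def corrected_line(e: NatEntry) -> str:
    """The same mapping confined to its external interface (Joel's fix)."""
    return f"{e.external}\t{e.interface}\t{e.internal}\tno\tno"


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, problem, corrected_line) for each entry whose NAT
    is applied on all interfaces rather than only the external one."""
    findings = []
    for e in parse_nat_file(text):
        if e.all_interfaces:
            problem = (f"{e.internal} <-> {e.external} is NATed on every interface, "
                       f"not only {e.interface}; traffic between {e.internal} and "
                       f"other internal networks that crosses the firewall is rewritten too")
            findings.append((e.line_no, problem, corrected_line(e)))
    return findings


# Constructed sample in nat-file layout: the first entry is the mail-server
# mapping from the thread as first (wrongly) configured; the second is made up
# and leaves the optional columns empty.
SAMPLE_NAT = """\
#EXTERNAL        INTERFACE   INTERNAL       ALL INTERFACES   LOCAL
216.228.3.195    eth0        172.30.1.11    yes              yes    # mail server
216.228.3.198    eth0        172.30.1.12
"""

if __name__ == "__main__":
    for line_no, problem, fix in audit(SAMPLE_NAT):
        print(f"line {line_no}: {problem}\n    suggested: {fix}")
```

Run it against a copy of the nat file; the LOCAL column is parsed as well so a later check can use it, but only ALL INTERFACES is flagged, since that is the column that bit Joel.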