HOLA!! I have an older version of Shorewall running; sorry, I left the paper with all my specs at home. The version, I think, is 1.47RC1. I was thinking about upgrading to 2.0.2c and started to look over the docs and upgrade procedures/warnings ;-). In doing so I noticed a few issues, shall I say incorrect implementation of my f/w, and wanted to seek some advice. YES, I have gone through the extensive library of data and have a good understanding of what to do, but would appreciate some input.

First, I have RH 7.2 with the 2.4.20 kernel (sorry, notes are home) with all of the appropriate mods installed. I think ;-) Two NICs: eth0 (external, DHCP), eth1 (internal, static 192.168.100.200). DSL is the form of internet access, with five internal W2K/XP Home systems. Internet access is functional, well, until I reset my Linux box and the DARN Westell router changes the default gateway and DNS to its own internal IP, losing all of my access, but that is not for here..

My issue is I can not access the Westell modem from the Linux box or elsewhere. I changed the following entry in the RFC1918 to my router's IP: "192.168.100.xxx RETURN # Cable modem access for configuration" and restarted Shorewall - no go, still can not connect. I also noticed 'somewhere' that stated the connection to my DSL router should be through a ppp0, not eth0, and the IP of my external NIC should not be the same as my internal LAN. Maybe I am reading this wrong, but I'd like to upgrade and avoid any issues. If someone would like to look over some of my config files, I can forward them to you. I'd rather not add more content to this email than I already have.. ;-)

As stated earlier, I do have connectivity to the internet, but I MIGHT have something configured wrong and possibly open to unwanted access.

Gracias,
Ray

__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
Raymond N. Colón wrote:
> My issue is I can not access the Westell modem from
> the Linux box or elsewhere. I changed the following
> entry in the RFC1918 to my router's IP:
> "192.168.100.xxx RETURN # Cable modem access for
> configuration" and restarted Shorewall - no go, still
> can not connect.

If you "shorewall clear", can you connect to the modem?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Raymond N. Colón wrote:
>> If you "shorewall clear", can you connect to the modem?
>
> No, I can not access the router, nor can I ping it. If I
> remove the Linux box from the equation and connect it
> directly to one of the Windows PCs, it works..
>
> The internal NIC is 192.168.100.200 and the
> external (DHCP) 192.168.100.125, provided by the router's
> private LAN addressing.. The router itself internally
> is 192.168.100.111. Is it a routing issue? I thought
> since they are on the same segment it should work?

Yes, it's a routing issue. You would be much better off with your firewall configured as a bridge (http://shorewall.net/bridge.html).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

Thank you for the response, once again.. Sorry for not making my first response "Subject" in line with my reply, as requested in EVERY header of the digest. ;-)

Anyway.. YES, I was up 'til rather late last night or early (1am) and was looking over that bridge option. Now would it be easier and, most importantly, SAFER to figure out how to get the routing to work than doing the bridge option? I think I would need to add a PPPoE client to the Linux box, then change my Westell to be a bridge, not a PPPoE, which it is currently set to. That would definitely be a big learning curve for mua. %-6 Sorry to bother, and TIA..

Ray

FYI: quick snapshot of my 'lan': the Westell 2200 (DSL/rtr) is given a public DHCP IP by Verizon. W2200 internal IP = 192.168.100.111. W2200 assigns eth0 a DHCP private internal IP, 192.168.100.125. eth1 is static (192.168.100.200) & the internal PCs are assigned static 192.168.100.20x, with eth1 as their gateway and the ISP DNS as theirs..
Raymond N. Colón wrote:
> Now would it be easier and, most importantly, SAFER to
> figure out how to get the routing to work than doing
> the bridge option? I think I would need to add a PPPoE
> client to the Linux box, then change my Westell to be a
> bridge, not a PPPoE, which it is currently set to. That
> would definitely be a big learning curve for mua. %-6

Where you have a NATing router (especially one that does PPPoE) on your premises, it makes more sense to me to use a bridging firewall and let the router handle DHCP.

If you want to try to fix your routing, please forward the output of:

ip addr ls
ip route ls

Also, please mention (again if you already have) which Linux distribution you are running.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> If you want to try to fix your routing, please forward
> the output of:
>
> ip addr ls
> ip route ls
>
> Also, please mention (again if you already have) which
> Linux distribution you are running.

Here's the requested info..
---ip addr ls---
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:03:20:45:48 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.125/24 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:cc:7c:88:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.200/24 brd 192.168.100.255 scope global eth1

---ip route ls---
192.168.100.0/24 dev eth1 scope link
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.200
127.0.0.0/8 dev lo scope link
default via 192.168.100.111 dev eth0

RH 7.3, 2.96-126, kernel 2.4.20-28.7

Gracias,
Ray
Raymond N. Colón wrote:
> Here's the requested info..
> ---ip route ls---
> 192.168.100.0/24 dev eth1 scope link
> 192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.200
> 127.0.0.0/8 dev lo scope link
> default via 192.168.100.111 dev eth0

Just add a host route to your cable modem from eth0. You can add the route using the RH Network GUI. A host route has netmask 255.255.255.255 and no gateway.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
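Why the host route fixes it, as an added worked example (editor's code, not part of the thread or of Shorewall): the posted route table sends the whole of 192.168.100.0/24 out eth1, so a packet for the modem at 192.168.100.111 goes to the LAN side where the modem is not, even though eth0 carries an address in the same /24 and the default route names that very address as gateway on eth0. A /32 entry with no gateway ("ip route add 192.168.100.111/32 dev eth0") wins by longest-prefix match and sends only the modem's traffic out eth0. The script below simulates the kernel's lookup over a copy of the route table constructed from Ray's "ip route ls" output (the duplicated /24 line is collapsed); it does not touch the live table, and the modem address is taken from the thread.

```python
import ipaddress

# Route table constructed from the "ip route ls" output posted in the thread
# (this script does not read the live kernel table). Each entry is
# (prefix, egress device). The duplicate 192.168.100.0/24 line is collapsed.
ROUTES_BEFORE = [
    ("192.168.100.0/24", "eth1"),   # LAN side: the whole /24 goes out eth1
    ("127.0.0.0/8", "lo"),
    ("0.0.0.0/0", "eth0"),          # default via 192.168.100.111 dev eth0
]

MODEM = "192.168.100.111"           # Westell's internal address, per the thread


def lookup(routes, dst):
    """Return the egress device for dst using longest-prefix match.

    This is the rule the kernel FIB applies: the most specific prefix that
    contains the destination wins, regardless of the table's order.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def host_route_command(host, dev):
    """Command equivalent to the advice above: a /32 route, no gateway."""
    return f"ip route add {host}/32 dev {dev}"


def with_host_route(routes, host, dev):
    """Copy of the table with the /32 host route appended."""
    return routes + [(f"{host}/32", dev)]


ROUTES_AFTER = with_host_route(ROUTES_BEFORE, MODEM, "eth0")

if __name__ == "__main__":
    print("before:", MODEM, "->", lookup(ROUTES_BEFORE, MODEM))   # eth1 (wrong side)
    print(host_route_command(MODEM, "eth0"))
    print("after: ", MODEM, "->", lookup(ROUTES_AFTER, MODEM))    # eth0
    print("LAN PC: 192.168.100.205 ->", lookup(ROUTES_AFTER, "192.168.100.205"))  # still eth1
```

Two caveats a practitioner would want. The /32 only changes interface selection for that one address; every other 192.168.100.x host is still reached via eth1, so a second device on the modem side would need its own host route. And routing is separate from filtering: once the packet leaves eth0, Shorewall's rules still decide whether it is allowed, so the rfc1918 RETURN entry Ray already added (or its equivalent in a newer release) must also be in place, which is why "shorewall clear" was the first diagnostic asked for.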