I thought I had this wired, but I'm missing something.

Suppose you have two interfaces covering two non-overlapping IP ranges (192.168.1.0/24 and 192.168.2.0/24). How do the computers on one subnet route to the other subnet (assuming a rule allows them to)? I can have a computer on one subnet ping the firewall interface on the other subnet, but not a computer on the other subnet?

Perhaps this is an ARP issue, but I don't want to use proxyarp because of the number of computers on both subnets? How does the routing work between interfaces?

Thanks.

Dave
Dave and Donella Pearce wrote:
> I thought I had this wired, but I'm missing something.
>
> Suppose you have two interfaces covering two non-overlapping IP ranges
> (192.168.1.0/24 and 192.168.2.0/24). How do the computers on one subnet
> route to the other subnet (assuming a rule allows them to)? I can have a
> computer on one subnet ping the firewall interface on the other
> subnet, but not a computer on the other subnet?
>
> Perhaps this is an ARP issue, but I don't want to use proxyarp because of
> the number of computers on both subnets? How does the routing work between
> interfaces?
>
> Thanks.
>

It's just a guess, but I think shorewall filters your second subnet through the rfc1918 file. Try using the 'norfc1918' interface option.

Marius
Dave and Donella Pearce wrote:
> I thought I had this wired, but I'm missing something.
>
> Suppose you have two interfaces covering two non-overlapping IP ranges
> (192.168.1.0/24 and 192.168.2.0/24). How do the computers on one subnet
> route to the other subnet (assuming a rule allows them to)? I can have a
> computer on one subnet ping the firewall interface on the other
> subnet, but not a computer on the other subnet?
>
> Perhaps this is an ARP issue, but I don't want to use proxyarp because of
> the number of computers on both subnets? How does the routing work between
> interfaces?

Try this test:

a) shorewall clear
b) Can you now ping between the subnets?

If you can, then you have a Shorewall configuration problem. If you can't, then you have a routing problem. If you have a routing problem, the only possible explanation is that the systems in the two subnets don't have their default gateways configured properly.

If you have a Shorewall problem then post again with details.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Wed, 2004-06-09 at 16:08 +0300, Marius Stan wrote:
> It's just a guess, but I think shorewall filters your second subnet
> through the rfc1918 file. try using the 'norfc1918' interface option
>
> Marius

Just the opposite. If he has the 'norfc1918' option specified on either of the two interfaces, all of that traffic will be dropped. Normally, you only use the norfc1918 for your Internet connection, not internally.

--
David T Hollis <dhollis@davehollis.com>
So as a general rule, Shorewall/ipchains only blocks traffic that would normally flow if Shorewall was not around; it does not enable traffic to flow that would not normally?

Dave

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, June 10, 2004 12:00 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Help needed on departmental firewall

Dave and Donella Pearce wrote:
> I thought I had this wired, but I'm missing something.
>
> Suppose you have two interfaces covering two non-overlapping IP ranges
> (192.168.1.0/24 and 192.168.2.0/24). How do the computers on one
> subnet route to the other subnet (assuming a rule allows them to)? I
> can have a computer on one subnet ping the firewall interface on
> the other subnet, but not a computer on the other subnet?
>
> Perhaps this is an ARP issue, but I don't want to use proxyarp because
> of the number of computers on both subnets? How does the routing work
> between interfaces?

Try this test:

a) shorewall clear
b) Can you now ping between the subnets?

If you can, then you have a Shorewall configuration problem. If you can't, then you have a routing problem. If you have a routing problem, the only possible explanation is that the systems in the two subnets don't have their default gateways configured properly.

If you have a Shorewall problem then post again with details.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Dave and Donella Pearce wrote:
> So as a general rule, Shorewall/ipchains only blocks traffic that would
> normally flow if Shorewall was not around, it does not enable traffic to
> flow that would not normally?
>

So long as the traffic requires neither NAT nor ProxyARP, then yes.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Then maybe I'm doing something the hard way. Let me explain what I want to do in a little more detail:

I want to have two different physical networks. Each network will use 4 contiguous class 'C' addresses (say 192.168.40.X to 43.X and 44.x to 47.X). I need all IPs to be able to reach all other IPs and be able to filter on port and IP between the two blocks of IPs (but no filtering between IPs of the same network). The Shorewall box will have one NIC on each network. In addition, I need to route internet traffic to a specific gateway on one of the two networks. The internet gateway is not on the Shorewall box.

Simply, what we have is a department we want to be able to talk among themselves freely, talk some to the main body of departments, and talk some to the internet. I'd like to be able to place a firewall in the run to the core switch to accomplish this goal. The internet gateway is a dedicated appliance I can't change.

So what I'm hearing you say is I should try to get everything routing properly with no filtering (Shorewall clear), before I try to do any filtering?

Routing like this is a little out of my normal job list, so I'm learning this stuff. Is there any Shorewall documentation you could point me at? Is what I'm after possible or difficult or a head scratcher?

Dave
Dave and Donella Pearce wrote:
>
> So what I'm hearing you say is I should try to get everything routing
> properly with no filtering (Shorewall clear), before I try to do any
> filtering?

Yes.

> Routing like this is a little out of my normal job list, so I'm
> learning this stuff. Is there any Shorewall documentation you could point me
> at?

No - It takes enough of my time to document Shorewall; I don't need to spend more time documenting things like routing that are not directly related, especially when the topic has been written about so extensively. I suggest that you get a good book on addressing and routing; I prefer Thomas Maufer's "IP Fundamentals: What everyone needs to know about addressing and routing".

> Is what I'm after possible or difficult or a head scratcher?

Network managers set up this sort of thing all of the time. It isn't difficult but it will take more than I have the energy to explain to you in my free time.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
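As an added example (not code from the thread or from Shorewall itself) covering Tom's routing-versus-filtering test and Dave's two-network design: a POSIX sh helper that checks the firewall's own route table and writes minimal Shorewall 2.x files for two internal zones plus the internet reached through the appliance. The interface names, the /22 aggregates (192.168.40.0/22 and 192.168.44.0/22, which is what four aligned class C ranges collapse to) and the appliance address 192.168.44.1 are assumptions.

```shell
# Hypothetical helpers for the thread's two-network firewall (added example, not
# Shorewall's own code). Assumed: eth0 faces 192.168.40.0/22 (department), eth1
# faces 192.168.44.0/22 (main body) and the internet appliance at 192.168.44.1.
# Tom's "shorewall clear" test separates routing from filtering. Feed the
# firewall's "ip route show" on stdin: both /22 blocks must be directly connected
# and the default route must point at the appliance. Each host must also use
# the firewall's address on its own network as its default gateway.
routes_ok() {
    table=$(cat)
    for net in "$1" "$2"; do
        printf '%s\n' "$table" | grep -q "^$net dev " || return 1
    done
    printf '%s\n' "$table" | grep -q "^default via $3 "
}

# Minimal Shorewall 2.x files. eth1 carries two zones (main, then the internet
# behind the appliance); zone order decides which one 192.168.44.x matches.
# norfc1918 stays off both internal interfaces (it would drop all of this
# traffic, as David says) and shorewall.conf needs IP_FORWARDING=On.
write_shorewall() {                       # $1 = target directory
    mkdir -p "$1"
    cat >"$1/zones" <<'EOF'
#ZONE   DISPLAY     COMMENTS
dept    Department  departmental network
main    Main        core network
net     Internet    everything else, reached via the appliance
EOF
    cat >"$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
dept    eth0        detect
-       eth1        detect
EOF
    cat >"$1/hosts" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
main    eth1:192.168.44.0/22
net     eth1:0.0.0.0/0
EOF
    cat >"$1/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
dept    net     ACCEPT
all     all     DROP    info
EOF
    cat >"$1/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  dept    main    tcp     80,443
ACCEPT  dept    main    icmp    8
ACCEPT  main    dept    icmp    8
EOF
}
```

On the firewall, run `ip route show | routes_ok 192.168.40.0/22 192.168.44.0/22 192.168.44.1` with Shorewall cleared; only once that passes and hosts can ping across the blocks is it worth writing the files with `write_shorewall /etc/shorewall` and starting Shorewall.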