thr3ads.net - Shorewall users - Policy not working on aliased IP [Jul 2004]

If this information is useful, please help other people find it:
Share via:

Julian Hein

2004-Jul-18 02:35 UTC

Policy not working on aliased IP

Hi list,

I tried to read the all documentation and search through the mailing
list archive, but did not find an answer to the problem I am having.
Also the part about aliased interfaces in the documentation did not
cover my situation:

We have two firewalls in a cluster. Both have two bonded external
interfaces, two bonded internal interface and one for administration.
There are two cluster IPs, that get aliased on the internal and the
external interface of one of the firewalls by heartbeat, so when the
currently active firewall fails, the secondary can take over the IPs,
restart shorewall and resume service. All this works pretty well exept
for one thing. Policies are randomly not applied to some of the IPs of
the firewall. A policy should deny everything to the firewall (FW)
itself coming from the internet (INET). 

I would be very happy, if somebody has a hint where I could start
looking further. I posted all configuration data, that is mentioned on
the website at the end of this mail. Ir more is needed, I will send it.

Thank you,
Julian

Shorewall version
-----------------
 2.0.3a

IP Addresses
------------
 eth4 is for administration
 bond0 is DMZ consisting of eth0 and eth2
 bond1 is external consisting of eth1 and eth3

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global eth0
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master
bond1 qlen 1000
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master
bond0 qlen 1000
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global eth2
5: eth3: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master bond1 qlen 1000
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:76:8b:da:a8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.11/24 brd 10.10.1.255 scope global eth4
7: tunl0@NONE: <NOARP> mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop 
    link/gre 0.0.0.0 brd 0.0.0.0
9: bond0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global bond0
    inet 213.95.19.1/26 brd 213.95.19.63 scope global secondary bond0:0
10: bond1: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global bond1
    inet 10.0.18.167/16 brd 10.0.255.255 scope global secondary bond1:0

Routing
-------
213.95.19.0/26 dev bond0  proto kernel  scope link  src 213.95.19.11 
10.10.1.0/24 dev eth4  proto kernel  scope link  src 10.10.1.11 
10.0.0.0/16 dev bond1  proto kernel  scope link  src 10.0.18.168 
default via 10.0.0.1 dev bond1 

Zones
-----
INET    INET            Internet
ADM     ADM             Admin networks
DMZ     DMZ             Demilitarized zone

Interfaces
----------
INET    bond1           10.0.255.255    routefilter,norfc1918,blacklist
DMZ     bond0           213.95.19.63    routefilter,norfc1918
ADM     eth4            10.10.1.255

Policy
------
FW              INET            ACCEPT
FW              DMZ             ACCEPT
FW              ADM             ACCEPT
DMZ             INET            ACCEPT
ADM             FW              ACCEPT
ADM             ADM             ACCEPT
INET            ADM             DROP
INET            all             DROP
all             all             REJECT          info

Rules
-----
# ALL
ACCEPT          INET            DMZ                     icmp    8
ACCEPT          INET            DMZ                     icmp    11
ACCEPT          DMZ             INET                    icmp    8
ACCEPT          DMZ             INET                    icmp    11
# FW
ACCEPT          INET            FW                      icmp    8
ACCEPT          INET            FW                      icmp    11
ACCEPT          DMZ             FW                      icmp    8
ACCEPT          DMZ             FW                      icmp    11
ACCEPT          ADM             FW                      icmp    8
ACCEPT          ADM             FW                      icmp    11
ACCEPT          ADM             FW                      tcp     22

Tom Eastep

2004-Jul-18 02:44 UTC

head link

Re: Policy not working on aliased IP

Julian Hein wrote:
> Hi list,
> 
> I tried to read the all documentation and search through the mailing
> list archive, but did not find an answer to the problem I am having.
> Also the part about aliased interfaces in the documentation did not
> cover my situation:
> 
> We have two firewalls in a cluster. Both have two bonded external
> interfaces, two bonded internal interface and one for administration.
> There are two cluster IPs, that get aliased on the internal and the
> external interface of one of the firewalls by heartbeat, so when the
> currently active firewall fails, the secondary can take over the IPs,
> restart shorewall and resume service. All this works pretty well exept
> for one thing. Policies are randomly not applied to some of the IPs of
> the firewall. 
What does that mean?  Give us concrete examples. And while whatever it 
is that you think is wrong is happening, please capture the output of 
"ip addr ls", "ip route ls" and "shorewall
status".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Julian Hein

2004-Jul-18 10:49 UTC

head link

RE: Policy not working on aliased IP

Hi Tom,

thanks for replying so fast.
> > I tried to read the all documentation and search through the mailing
> > list archive, but did not find an answer to the problem I am having.
> > Also the part about aliased interfaces in the documentation did not
> > cover my situation:
> > 
> > We have two firewalls in a cluster. Both have two bonded external
> > interfaces, two bonded internal interface and one for 
> > administration.
> > There are two cluster IPs, that get aliased on the internal and the
> > external interface of one of the firewalls by heartbeat, so when the
> > currently active firewall fails, the secondary can take 
> > over the IPs,
> > restart shorewall and resume service. All this works pretty 
> > well exept
> > for one thing. Policies are randomly not applied to some of 
> > the IPs of the firewall. 
> 
> What does that mean?  Give us concrete examples. And while 
> whatever it 
> is that you think is wrong is happening, please capture the output of 
> "ip addr ls", "ip route ls" and "shorewall
status".
Sorry for my stupidity, forgeting the most important part. I try to give
an overview of the network layout as well:

                    INET                        
                      |                         
            +---------+------+                  
            |                |                  
           RealIP:         Real IP              
        10.0.18.168      10.0.18.169            
        Aliased IP:                             
        10.0.18.167                             
                                                
         Admin IP:         Admin IP:            
        10.10.1.11        10.10.1.12            
            +-----------------+------------- ADM
                                                
           RealIP:         Real IP              
        213.95.19.11      213.95.19.12          
        Aliased IP:                             
        213.95.19.1                             
             |                |                 
             +--------+-------+                 
                      |                         
                     DMZ                        

The aliased IPs are started by heartbeat and can "move" to firewall 2,
if firewall 1 fails. All imcoming traffic is routed to the aliased IP,
not the real IPs. Both machines also have an dedicated interface only
for administration 


My shorewall config on both machines is like the following and I would
expect, that no ports on the firewall should be open, to the INET zone
of the firewall. I want the aliased IP and the real IP to have the same
rules, because they are on the same interface

Zones:
INET    INET            Internet
ADM     ADM             Admin network
DMZ     DMZ             Demilitarized zone

Interfaces:
INET    bond1           10.0.255.255    routefilter,norfc1918,blacklist
DMZ     bond0           213.95.19.63    routefilter,norfc1918
ADM     eth4            10.10.1.255

Policy:
FW              INET            ACCEPT
FW              DMZ             ACCEPT
FW              ADM             ACCEPT
DMZ             INET            ACCEPT
ADM             FW              ACCEPT
ADM             ADM             ACCEPT
INET            ADM             DROP
INET            all             DROP
all             all             REJECT          info

Rules:
# ALL
ACCEPT          INET            DMZ                     icmp    8
ACCEPT          INET            DMZ                     icmp    11
ACCEPT          DMZ             INET                    icmp    8
ACCEPT          DMZ             INET                    icmp    11
# FW
ACCEPT          INET            FW                      icmp    8
ACCEPT          INET            FW                      icmp    11
ACCEPT          DMZ             FW                      icmp    8
ACCEPT          DMZ             FW                      icmp    11
ACCEPT          ADM             FW                      icmp    8
ACCEPT          ADM             FW                      icmp    11
ACCEPT          ADM             FW                      tcp     22


But if I run a nmap scan on all three IPs from a machine on the INET
side, there is always one IP, where all ports are open:


nets-opr:~# nmap 10.0.18.167-169

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on  (10.0.18.167):
(The 1549 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
111/tcp    open        sunrpc                  
1007/tcp   open        unknown                 
1080/tcp   open        socks                   

Interesting ports on  (10.0.18.168):
(The 1553 ports scanned but not shown below are in state: filtered)
Port       State       Service
113/tcp    closed      auth                    

Interesting ports on  (10.0.18.169):
(The 1553 ports scanned but not shown below are in state: filtered)
Port       State       Service
113/tcp    closed      auth   

On firewall 1, which is currently the active firewall:

ip addr ls:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global eth0
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master
bond1 qlen 1000
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master
bond0 qlen 1000
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global eth2
5: eth3: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master bond1 qlen 1000
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:76:8b:da:a8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.11/24 brd 10.10.1.255 scope global eth4
7: tunl0@NONE: <NOARP> mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop 
    link/gre 0.0.0.0 brd 0.0.0.0
9: bond0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
    link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
    inet 213.95.19.11/26 brd 213.95.19.63 scope global bond0
    inet 213.95.19.1/26 brd 213.95.19.63 scope global secondary bond0:0
10: bond1: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
    link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.18.168/16 brd 10.0.255.255 scope global bond1
    inet 10.0.18.167/16 brd 10.0.255.255 scope global secondary bond1:0


ip route ls:
213.95.19.0/26 dev bond0  proto kernel  scope link  src 213.95.19.11 
10.10.1.0/24 dev eth4  proto kernel  scope link  src 10.10.1.11 
10.0.0.0/16 dev bond1  proto kernel  scope link  src 10.0.18.168 
default via 10.0.0.1 dev bond1 


And this is "shorewall status":

Shorewall-2.0.3a Status at stf-fw1 - Sun Jul 18 12:24:09 CEST 2004

Counters reset Sun Jul 18 12:05:19 CEST 2004

Chain INPUT (policy DROP 27 packets, 3590 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID 
13058  790K bond1_in   all  --  bond1  *       0.0.0.0/0
0.0.0.0/0           
    4  1312 bond0_in   all  --  bond0  *       0.0.0.0/0
0.0.0.0/0           
 4691  347K eth4_in    all  --  eth4   *       0.0.0.0/0
0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:''

    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID 
    0     0 bond1_fwd  all  --  bond1  *       0.0.0.0/0
0.0.0.0/0           
    0     0 bond0_fwd  all  --  bond0  *       0.0.0.0/0
0.0.0.0/0           
    0     0 eth4_fwd   all  --  eth4   *       0.0.0.0/0
0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:'' 
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain OUTPUT (policy DROP 17 packets, 3007 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID 
 3121  125K FW2INET    all  --  *      bond1   0.0.0.0/0
0.0.0.0/0           
 1464  244K FW2ADM     all  --  *      eth4    0.0.0.0/0
0.0.0.0/0           
    0     0 FW2DMZ     all  --  *      bond0   0.0.0.0/0
0.0.0.0/0           
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:'' 
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain ADM2ADM (0 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain ADM2FW (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  921 51972 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    2    56 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 11 
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:22 
 3766  295K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain DMZ2FW (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 11 
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain DMZ2INET (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 11 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain Drop (2 references)
 pkts bytes target     prot opt in     out     source
destination         
12901  778K RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12899  778K dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12859  771K DropSMB    all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12834  770K DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12834  770K dropNotSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12829  770K DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp spt:53 

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:445 
    8   480 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:135 
    9   540 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:139 
    8   480 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:445 

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:1900 

Chain FW2ADM (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  901  144K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
  563 99651 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain FW2DMZ (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain FW2INET (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 3120  125K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    1    67 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain INET2ADM (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain INET2DMZ (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 11 
    0     0 INET2all   all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain INET2FW (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    2   189 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    5   140 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           icmp type 11 
12901  778K INET2all   all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain INET2all (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
12901  778K Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0           
12829  770K DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 RejectSMB  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 dropNotSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    2   120 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:113 

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:135 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0           udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:135 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:445 

Chain all2all (4 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:'' 
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain bond0_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
    0     0 norfc1918  all  --  *      *       0.0.0.0/0
0.0.0.0/0           state NEW 
    0     0 DMZ2INET   all  --  *      bond1   0.0.0.0/0
0.0.0.0/0           
    0     0 all2all    all  --  *      eth4    0.0.0.0/0
0.0.0.0/0           

Chain bond0_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    4  1312 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
    4  1312 norfc1918  all  --  *      *       0.0.0.0/0
0.0.0.0/0           state NEW 
    0     0 DMZ2FW     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain bond1_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
    0     0 blacklst   all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
    0     0 norfc1918  all  --  *      *       0.0.0.0/0
0.0.0.0/0           state NEW 
    0     0 INET2ADM   all  --  *      eth4    0.0.0.0/0
0.0.0.0/0           
    0     0 INET2DMZ   all  --  *      bond0   0.0.0.0/0
0.0.0.0/0           

Chain bond1_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
13056  790K dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
13056  790K blacklst   all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
13056  790K norfc1918  all  --  *      *       0.0.0.0/0
0.0.0.0/0           state NEW 
12908  779K INET2FW    all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source
destination         
   40  6760 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           PKTTYPE = multicast 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    5   200 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp flags:!0x16/0x02 

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain eth4_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
    0     0 all2all    all  --  *      bond1   0.0.0.0/0
0.0.0.0/0           
    0     0 all2all    all  --  *      bond0   0.0.0.0/0
0.0.0.0/0           

Chain eth4_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 3770  295K dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW 
 4691  347K ADM2FW     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain norfc1918 (4 references)
 pkts bytes target     prot opt in     out     source
destination         
    4  1312 rfc1918    all  --  *      *       0.0.0.0/7
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 0.0.0.0/7 
    0     0 rfc1918    all  --  *      *       2.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 2.0.0.0/8 
    0     0 rfc1918    all  --  *      *       5.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 5.0.0.0/8 
    0     0 rfc1918    all  --  *      *       7.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 7.0.0.0/8 
    0     0 rfc1918    all  --  *      *       23.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 23.0.0.0/8 
    0     0 rfc1918    all  --  *      *       27.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 27.0.0.0/8 
    0     0 rfc1918    all  --  *      *       31.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 31.0.0.0/8 
    0     0 rfc1918    all  --  *      *       36.0.0.0/7
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 36.0.0.0/7 
    0     0 rfc1918    all  --  *      *       39.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 39.0.0.0/8 
    0     0 rfc1918    all  --  *      *       41.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 41.0.0.0/8 
    0     0 rfc1918    all  --  *      *       42.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 42.0.0.0/8 
    0     0 rfc1918    all  --  *      *       71.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 71.0.0.0/8 
    0     0 rfc1918    all  --  *      *       72.0.0.0/5
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 72.0.0.0/5 
    0     0 rfc1918    all  --  *      *       89.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 89.0.0.0/8 
    0     0 rfc1918    all  --  *      *       90.0.0.0/7
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 90.0.0.0/7 
    0     0 rfc1918    all  --  *      *       92.0.0.0/6
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 92.0.0.0/6 
    0     0 rfc1918    all  --  *      *       96.0.0.0/3
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 96.0.0.0/3 
    0     0 rfc1918    all  --  *      *       173.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 173.0.0.0/8 
    0     0 rfc1918    all  --  *      *       174.0.0.0/7
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 174.0.0.0/7 
    0     0 rfc1918    all  --  *      *       176.0.0.0/5
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 176.0.0.0/5 
    0     0 rfc1918    all  --  *      *       184.0.0.0/6
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 184.0.0.0/6 
    0     0 rfc1918    all  --  *      *       189.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 189.0.0.0/8 
    0     0 rfc1918    all  --  *      *       190.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 190.0.0.0/8 
    0     0 rfc1918    all  --  *      *       197.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 197.0.0.0/8 
    0     0 rfc1918    all  --  *      *       223.0.0.0/8
0.0.0.0/0           
    0     0 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 223.0.0.0/8 
    0     0 rfc1918    all  --  *      *       240.0.0.0/4
0.0.0.0/0           
  150 11550 rfc1918    all  --  *      *       0.0.0.0/0
0.0.0.0/0           ctorigdst 240.0.0.0/4 

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           PKTTYPE = multicast 
    0     0 DROP       all  --  *      *       10.0.255.255
0.0.0.0/0           
    0     0 DROP       all  --  *      *       213.95.19.63
0.0.0.0/0           
    0     0 DROP       all  --  *      *       10.10.1.255
0.0.0.0/0           
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0           
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0           
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           reject-with icmp-host-prohibited 

Chain rfc1918 (52 references)
 pkts bytes target     prot opt in     out     source
destination         
  154 12862 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''

  154 12862 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 LOG        all  --  *      *       10.0.255.255
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       10.0.255.255
0.0.0.0/0           
    0     0 LOG        all  --  *      *       213.95.19.63
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       213.95.19.63
0.0.0.0/0           
    0     0 LOG        all  --  *      *       10.10.1.255
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       10.10.1.255
0.0.0.0/0           
    0     0 LOG        all  --  *      *       255.255.255.255
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0           
    0     0 LOG        all  --  *      *       224.0.0.0/4
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0           

Jul 18 12:21:28 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=822 PROTO=UDP
SPT=3988 DPT=712 LEN=57 
Jul 18 12:21:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=967 PROTO=UDP
SPT=3989 DPT=712 LEN=57 
Jul 18 12:21:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=967 PROTO=UDP
SPT=3989 DPT=712 LEN=57 
Jul 18 12:21:58 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1118 PROTO=UDP
SPT=3992 DPT=712 LEN=57 
Jul 18 12:21:58 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1118 PROTO=UDP
SPT=3992 DPT=712 LEN=57 
Jul 18 12:22:13 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1160 PROTO=UDP
SPT=3993 DPT=712 LEN=57 
Jul 18 12:22:13 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1160 PROTO=UDP
SPT=3993 DPT=712 LEN=57 
Jul 18 12:22:28 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1183 PROTO=UDP
SPT=3994 DPT=712 LEN=57 
Jul 18 12:22:28 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1183 PROTO=UDP
SPT=3994 DPT=712 LEN=57 
Jul 18 12:22:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1303 PROTO=UDP
SPT=3995 DPT=712 LEN=57 
Jul 18 12:22:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1303 PROTO=UDP
SPT=3995 DPT=712 LEN=57 
Jul 18 12:22:58 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1431 PROTO=UDP
SPT=4006 DPT=712 LEN=57 
Jul 18 12:22:58 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1431 PROTO=UDP
SPT=4006 DPT=712 LEN=57 
Jul 18 12:23:13 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1513 PROTO=UDP
SPT=4007 DPT=712 LEN=57 
Jul 18 12:23:13 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1513 PROTO=UDP
SPT=4007 DPT=712 LEN=57 
Jul 18 12:23:28 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1644 PROTO=UDP
SPT=4012 DPT=712 LEN=57 
Jul 18 12:23:28 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1644 PROTO=UDP
SPT=4012 DPT=712 LEN=57 
Jul 18 12:23:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1764 PROTO=UDP
SPT=4013 DPT=712 LEN=57 
Jul 18 12:23:43 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=1764 PROTO=UDP
SPT=4013 DPT=712 LEN=57 
Jul 18 12:23:58 rfc1918:DROP:IN=bond1 OUT= SRC=10.0.1.1
DST=255.255.255.255 LEN=77 TOS=0x00 PREC=0x00 TTL=128 ID=2090 PROTO=UDP
SPT=4019 DPT=712 LEN=57 

NAT Table

Chain PREROUTING (policy ACCEPT 39944 packets, 2595K bytes)
 pkts bytes target     prot opt in     out     source
destination         

Chain POSTROUTING (policy ACCEPT 55 packets, 3597 bytes)
 pkts bytes target     prot opt in     out     source
destination         

Chain OUTPUT (policy ACCEPT 14 packets, 1093 bytes)
 pkts bytes target     prot opt in     out     source
destination         

Mangle Table

Chain PREROUTING (policy ACCEPT 64867 packets, 6177K bytes)
 pkts bytes target     prot opt in     out     source
destination         
18075 1155K pretos     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain INPUT (policy ACCEPT 64721 packets, 6168K bytes)
 pkts bytes target     prot opt in     out     source
destination         

Chain FORWARD (policy ACCEPT 145 packets, 8988 bytes)
 pkts bytes target     prot opt in     out     source
destination         

Chain OUTPUT (policy ACCEPT 26883 packets, 3625K bytes)
 pkts bytes target     prot opt in     out     source
destination         
 4903  426K outtos     all  --  *      *       0.0.0.0/0
0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 26919 packets, 3615K bytes)
 pkts bytes target     prot opt in     out     source
destination         

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:22 TOS set 0x10 
 1219  201K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    2    80 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:21 TOS set 0x10 
    2    80 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 1231 68220 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:22 TOS set 0x10 
   10   600 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spt:20 TOS set 0x08 
   10   600 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:20 TOS set 0x08 

udp      17 28 src=10.10.1.12 dst=10.10.1.11 sport=32768 dport=694
[UNREPLIED] src=10.10.1.11 dst=10.10.1.12 sport=694 dport=32768 use=1 
udp      17 1 src=10.0.1.1 dst=255.255.255.255 sport=4013 dport=712
[UNREPLIED] src=255.255.255.255 dst=10.0.1.1 sport=712 dport=4013 use=1 
udp      17 16 src=10.0.1.1 dst=255.255.255.255 sport=4019 dport=712
[UNREPLIED] src=255.255.255.255 dst=10.0.1.1 sport=712 dport=4019 use=1 
udp      17 29 src=10.10.1.11 dst=10.10.1.12 sport=32768 dport=694
[UNREPLIED] src=10.10.1.12 dst=10.10.1.11 sport=694 dport=32768 use=1 
tcp      6 431999 ESTABLISHED src=10.10.1.12 dst=10.10.1.11 sport=32770
dport=22 src=10.10.1.11 dst=10.10.1.12 sport=22 dport=32770 [ASSURED]
use=1 


I hope that this time I included all needed information. If something is
missing I will send it asap.

Thank you very much,
Julian

Tom Eastep

2004-Jul-18 13:31 UTC

head link

Re: Policy not working on aliased IP

Julian Hein wrote:
> Hi Tom,
> 
> thanks for replying so fast.
> 
> 
>>>I tried to read the all documentation and search through the mailing
>>>list archive, but did not find an answer to the problem I am having.
>>>Also the part about aliased interfaces in the documentation did not
>>>cover my situation:
>>>
>>>We have two firewalls in a cluster. Both have two bonded external
>>>interfaces, two bonded internal interface and one for 
>>>administration.
>>>There are two cluster IPs, that get aliased on the internal and the
>>>external interface of one of the firewalls by heartbeat, so when the
>>>currently active firewall fails, the secondary can take 
>>>over the IPs,
>>>restart shorewall and resume service. All this works pretty 
>>>well exept
>>>for one thing. Policies are randomly not applied to some of 
>>>the IPs of the firewall. 
>>
>>What does that mean?  Give us concrete examples. And while 
>>whatever it 
>>is that you think is wrong is happening, please capture the output of 
>>"ip addr ls", "ip route ls" and "shorewall
status".
> 
> 
> Sorry for my stupidity, forgeting the most important part. I try to give
> an overview of the network layout as well:
> 
>                     INET                        
>                       |                         
>             +---------+------+                  
>             |                |                  
>            RealIP:         Real IP              
>         10.0.18.168      10.0.18.169            
>         Aliased IP:                             
>         10.0.18.167                             
>                                                 
>          Admin IP:         Admin IP:            
>         10.10.1.11        10.10.1.12            
>             +-----------------+------------- ADM
>                                                 
>            RealIP:         Real IP              
>         213.95.19.11      213.95.19.12          
>         Aliased IP:                             
>         213.95.19.1                             
>              |                |                 
>              +--------+-------+                 
>                       |                         
>                      DMZ                        
> 
> The aliased IPs are started by heartbeat and can "move" to
firewall 2,
> if firewall 1 fails. All imcoming traffic is routed to the aliased IP,
> not the real IPs. Both machines also have an dedicated interface only
> for administration 
> 
> 
> My shorewall config on both machines is like the following and I would
> expect, that no ports on the firewall should be open, to the INET zone
> of the firewall. I want the aliased IP and the real IP to have the same
> rules, because they are on the same interface
> 
> Zones:
> INET    INET            Internet
> ADM     ADM             Admin network
> DMZ     DMZ             Demilitarized zone
> 
> Interfaces:
> INET    bond1           10.0.255.255    routefilter,norfc1918,blacklist
> DMZ     bond0           213.95.19.63    routefilter,norfc1918
> ADM     eth4            10.10.1.255
> 
> Policy:
> FW              INET            ACCEPT
> FW              DMZ             ACCEPT
> FW              ADM             ACCEPT
> DMZ             INET            ACCEPT
> ADM             FW              ACCEPT
> ADM             ADM             ACCEPT
> INET            ADM             DROP
> INET            all             DROP
> all             all             REJECT          info
> 
> Rules:
> # ALL
> ACCEPT          INET            DMZ                     icmp    8
> ACCEPT          INET            DMZ                     icmp    11
> ACCEPT          DMZ             INET                    icmp    8
> ACCEPT          DMZ             INET                    icmp    11
> # FW
> ACCEPT          INET            FW                      icmp    8
> ACCEPT          INET            FW                      icmp    11
> ACCEPT          DMZ             FW                      icmp    8
> ACCEPT          DMZ             FW                      icmp    11
> ACCEPT          ADM             FW                      icmp    8
> ACCEPT          ADM             FW                      icmp    11
> ACCEPT          ADM             FW                      tcp     22
> 
> 
> But if I run a nmap scan on all three IPs from a machine on the INET
> side, there is always one IP, where all ports are open:
> 
> 
> nets-opr:~# nmap 10.0.18.167-169
> 
> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on  (10.0.18.167):
> (The 1549 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh                     
> 25/tcp     open        smtp                    
> 111/tcp    open        sunrpc                  
> 1007/tcp   open        unknown                 
> 1080/tcp   open        socks                   
> 
> Interesting ports on  (10.0.18.168):
> (The 1553 ports scanned but not shown below are in state: filtered)
> Port       State       Service
> 113/tcp    closed      auth                    
> 
> Interesting ports on  (10.0.18.169):
> (The 1553 ports scanned but not shown below are in state: filtered)
> Port       State       Service
> 113/tcp    closed      auth   
> 
> On firewall 1, which is currently the active firewall:
> 
> ip addr ls:
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc
pfifo_fast
> master bond0 qlen 1000
>     link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
>     inet 213.95.19.11/26 brd 213.95.19.63 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master
> bond1 qlen 1000
>     link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
>     inet 10.0.18.168/16 brd 10.0.255.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast
master
> bond0 qlen 1000
>     link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
>     inet 213.95.19.11/26 brd 213.95.19.63 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc
pfifo_fast
> master bond1 qlen 1000
>     link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
>     inet 10.0.18.168/16 brd 10.0.255.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0c:76:8b:da:a8 brd ff:ff:ff:ff:ff:ff
>     inet 10.10.1.11/24 brd 10.10.1.255 scope global eth4
> 7: tunl0@NONE: <NOARP> mtu 1480 qdisc noop 
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 8: gre0@NONE: <NOARP> mtu 1476 qdisc noop 
>     link/gre 0.0.0.0 brd 0.0.0.0
> 9: bond0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
>     link/ether 00:07:e9:1f:ba:65 brd ff:ff:ff:ff:ff:ff
>     inet 213.95.19.11/26 brd 213.95.19.63 scope global bond0
>     inet 213.95.19.1/26 brd 213.95.19.63 scope global secondary bond0:0
> 10: bond1: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue 
>     link/ether 00:07:e9:1f:be:2e brd ff:ff:ff:ff:ff:ff
>     inet 10.0.18.168/16 brd 10.0.255.255 scope global bond1
>     inet 10.0.18.167/16 brd 10.0.255.255 scope global secondary bond1:0
> 
> 
> ip route ls:
> 213.95.19.0/26 dev bond0  proto kernel  scope link  src 213.95.19.11 
> 10.10.1.0/24 dev eth4  proto kernel  scope link  src 10.10.1.11 
> 10.0.0.0/16 dev bond1  proto kernel  scope link  src 10.0.18.168 
> default via 10.0.0.1 dev bond1 
> 
> 
> And this is "shorewall status":
> 
> Shorewall-2.0.3a Status at stf-fw1 - Sun Jul 18 12:24:09 CEST 2004
> 
> Counters reset Sun Jul 18 12:05:19 CEST 2004
> 
> Chain INPUT (policy DROP 27 packets, 3590 bytes)
>  pkts bytes target     prot opt in     out     source
> destination         
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0
> 0.0.0.0/0           
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0           state INVALID 
> 13058  790K bond1_in   all  --  bond1  *       0.0.0.0/0
> 0.0.0.0/0           
>     4  1312 bond0_in   all  --  bond0  *       0.0.0.0/0
> 0.0.0.0/0           
>  4691  347K eth4_in    all  --  eth4   *       0.0.0.0/0
Does it strike you as odd that while you were port scanning from the NET 
zone that 1/3 of the incoming traffic arrived on eth4? Do you have 
several firewall interfaces connected to the same HUB/Switch?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep

2004-Jul-18 15:31 UTC

head link

Re: Policy not working on aliased IP

Tom Eastep wrote:
> Julian Hein wrote:
> 
>> Shorewall-2.0.3a Status at stf-fw1 - Sun Jul 18 12:24:09 CEST 2004
>>
>> Counters reset Sun Jul 18 12:05:19 CEST 2004
>>
>> Chain INPUT (policy DROP 27 packets, 3590 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination             0     0 ACCEPT     all  --  lo     *       
>> 0.0.0.0/0
>> 0.0.0.0/0               0     0 DROP      !icmp --  *      *       
>> 0.0.0.0/0
>> 0.0.0.0/0           state INVALID 13058  790K bond1_in   all  --  
>> bond1  *       0.0.0.0/0
>> 0.0.0.0/0               4  1312 bond0_in   all  --  bond0  *       
>> 0.0.0.0/0
>> 0.0.0.0/0            4691  347K eth4_in    all  --  eth4   *       
>> 0.0.0.0/0
> 
> 
> Does it strike you as odd that while you were port scanning from the NET 
> zone that 1/3 of the incoming traffic arrived on eth4? Do you have 
> several firewall interfaces connected to the same HUB/Switch?
> 
And if you do (which I suspect is the case) then please re-read the 
Shorewall Troubleshooting Guide section entitled "Your Network
Environment".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Julian Hein

2004-Jul-19 09:07 UTC

head link

RE: Policy not working on aliased IP

Tom,
> > Does it strike you as odd that while you were port scanning 
> from the NET 
> > zone that 1/3 of the incoming traffic arrived on eth4? Do you have 
> > several firewall interfaces connected to the same HUB/Switch?
Well, uhm, not until you mentioned it :-( But you were absolutly right.
There is a dedicated Switch for the admin LAN, but we had it uplinked to
the internet Switch to download updates, while setting everything up.
> And if you do (which I suspect is the case) then please re-read the 
> Shorewall Troubleshooting Guide section entitled "Your 
> Network Environment".
Yes, I did and will never forget that point. Thank you very much for you
help and your time I wasted.

Would it be of any interest, if we compile a howto about setting
shorewall up in a failover cluster?

Best regards,
Julian

Tom Eastep

2004-Jul-19 13:07 UTC

head link

Re: Policy not working on aliased IP

Julian Hein wrote:
> 
> Would it be of any interest, if we compile a howto about setting
> shorewall up in a failover cluster?
> 
Yes - there have been a number of requests for such a HOWTO.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

David T Hollis

2004-Jul-19 18:11 UTC

head link

Re: Policy not working on aliased IP

On Mon, 2004-07-19 at 06:07 -0700, Tom Eastep wrote:> Julian Hein wrote:
> 
> > 
> > Would it be of any interest, if we compile a howto about setting
> > shorewall up in a failover cluster?
> > 
> 
> Yes - there have been a number of requests for such a HOWTO.
> 
If I can work up some time, I can try to whip something up using
keepalived or ucarpd.  The only hurdle is synchronizing configurations
since there isn''t any "built-in" method.  That really becomes
the
implementation detail that is left as an exercise for the reader.  

-- 
David T Hollis <dhollis@davehollis.com>

Paul Gear

2004-Jul-19 22:46 UTC

head link

Re: Policy not working on aliased IP

David T Hollis wrote:> On Mon, 2004-07-19 at 06:07 -0700, Tom Eastep wrote:
> 
>>Julian Hein wrote:
>>
>>
>>>Would it be of any interest, if we compile a howto about setting
>>>shorewall up in a failover cluster?
>>>
>>
>>Yes - there have been a number of requests for such a HOWTO.
>>
> 
> 
> If I can work up some time, I can try to whip something up using
> keepalived or ucarpd.  The only hurdle is synchronizing configurations
> since there isn''t any "built-in" method.  That really
becomes the
> implementation detail that is left as an exercise for the reader.  
I''d really like to see one based on linux-ha.org''s heartbeat. 
:-)

-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or
OpenOffice.)
-- 
The information contained in this message is copyright by Redlands
College.  Any use for direct sales or marketing purposes is expressly
forbidden.  This message does not represent the views of Redlands
College.

Shorewall users - Jul 2004 - Policy not working on aliased IP

Policy not working on aliased IP

Re: Policy not working on aliased IP

RE: Policy not working on aliased IP

Re: Policy not working on aliased IP

Re: Policy not working on aliased IP

RE: Policy not working on aliased IP

Re: Policy not working on aliased IP

Re: Policy not working on aliased IP

Re: Policy not working on aliased IP