I have had Shorewall 2.0.8 up and running for a month or so. Now I need to change some things around. Currently I am running on a private IP scheme and Shorewall is set up based on the 3 interface guide. Now I want to change to a public scheme on my "loc" zone. I have a /24 block of public IPs. I need my private scheme and public scheme to co-exist, so what I currently have is: eth1 (local) has a public IP and another private IP alias (eth1:1). When I set up my test laptop with a public IP I can ping my Internet (eth0), my DMZ (eth2) but not anything in it, and my gateway (eth1), but I cannot ping or view the web. If my test laptop has a private IP it can browse and ping as it should.

My policy file has this:

    loc   net   accept
    net   loc   accept

so that the local zone has full Internet access.

Where should I start looking to find the problem? The logs are not showing me anything that I can see.

Also, as a bonus question, I currently have:

    LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet

The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall local interface have a 10.0.0.0/24 address. How should I split up my new public /24 block so that everything has a public IP?

A lot of questions, but any guidance would be very, very helpful.

Thanks,
_ /-\ ndrew

P.S. Tom, thanks for the great product and all the time you spend supporting it!
Andrew Niemantsverdriet wrote:
> I have had Shorewall 2.0.8 up and running for a month or so. Now I need
> to change some things around. Currently I am running on a private IP
> scheme and Shorewall is set up based on the 3 interface guide. Now I want
> to change to a public scheme on my "loc" zone. I have a /24 block of
> public IPs. I need my private scheme and public scheme to co-exist, so what I
> currently have is: eth1 (local) has a public IP and another private IP
> alias (eth1:1). When I set up my test laptop with a public IP I can ping
> my Internet (eth0), my DMZ (eth2) but not anything in it, and my gateway
> (eth1), but I cannot ping or view the web. If my test laptop has a
> private IP it can browse and ping as it should.
>
> My policy file has this:
>     loc   net   accept
>     net   loc   accept
> so that the local zone has full Internet access.
>
> Where should I start looking to find the problem? The logs are not
> showing me anything that I can see.

a) Routing -- You should be able to remove Shorewall totally from your firewall and still have complete access to all hosts from the laptop.

b) Be sure that you are not masquerading traffic from the internal public IP addresses.

> Also, as a bonus question, I currently have:
>
>     LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet
>
> The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall
> local interface have a 10.0.0.0/24 address. How should I split up my new
> public /24 block so that everything has a public IP?

a) Configure the external Shorewall interface as /32 and add a host route to the upstream router.

b) On the Shorewall box, add a net route to the /24 via router2. Your old routes to the 10.1.0.0/24 net can remain so that the Shorewall box can route traffic to router1.

c) Leave the addressing on router2 the way it is but configure a route to the /24 via router1 and host routes to the Shorewall box's external IP and the upstream router via the Shorewall box.

d) Change the internal IP of router1 to a public IP/24 -- that public IP address will be the default gateway for hosts on the LAN.

I welcome suggestions from other subscribers -- the above is the result of no more than 5 minutes' thought, and given that I have never actually set up routing for anything larger than my little home network, I speak a lot more from theory than from practice.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 2004-09-07 at 14:33, Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
> > I have had Shorewall 2.0.8 up and running for a month or so. Now I need
> > to change some things around. Currently I am running on a private IP
> > scheme and Shorewall is set up based on the 3 interface guide. Now I want
> > to change to a public scheme on my "loc" zone. I have a /24 block of
> > public IPs. I need my private scheme and public scheme to co-exist, so what I
> > currently have is: eth1 (local) has a public IP and another private IP
> > alias (eth1:1). When I set up my test laptop with a public IP I can ping
> > my Internet (eth0), my DMZ (eth2) but not anything in it, and my gateway
> > (eth1), but I cannot ping or view the web. If my test laptop has a
> > private IP it can browse and ping as it should.
> >
> > My policy file has this:
> >     loc   net   accept
> >     net   loc   accept
> > so that the local zone has full Internet access.
> >
> > Where should I start looking to find the problem? The logs are not
> > showing me anything that I can see.
>
> a) Routing -- You should be able to remove Shorewall totally from your
> firewall and still have complete access to all hosts from the laptop.
>
> b) Be sure that you are not masquerading traffic from the internal
> public IP addresses.

My problem must be a routing issue.

Just to clarify, I can still use masq for the private IPs, so my masq file would look like this:

    eth0   10.1.0.0/24   public IP here

> > Also, as a bonus question, I currently have:
> >
> >     LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet
> >
> > The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall
> > local interface have a 10.0.0.0/24 address. How should I split up my new
> > public /24 block so that everything has a public IP?

Thanks for your suggestion with this. One thing that should be noted is that a server is going to be added in the near future that is going to sit on the same hub that router2 and the Shorewall loc zone are connected to. It would be nice to have 6 or so public IPs on the router2 side of the T1. Hope that makes sense.

Thanks again, Tom, for the quick response and a place to start looking.
Andrew Niemantsverdriet wrote:
> My problem must be a routing issue.
>
> Just to clarify, I can still use masq for the private IPs, so my masq
> file would look like this:
>
>     eth0   10.1.0.0/24   public IP here

Yes.

> > > Also, as a bonus question, I currently have:
> > >
> > >     LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet
> > >
> > > The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall
> > > local interface have a 10.0.0.0/24 address. How should I split up my new
> > > public /24 block so that everything has a public IP?
>
> Thanks for your suggestion with this. One thing that should be noted is that
> a server is going to be added in the near future that is going to sit on
> the same hub that router2 and the Shorewall loc zone are connected to. It
> would be nice to have 6 or so public IPs on the router2 side of the
> T1. Hope that makes sense.

Sure -- just make sure that you align the block of addresses so that you can handle them with a single route (/29).

-Tom
On Tue, 2004-09-07 at 15:17, Tom Eastep wrote:
> > > > Also, as a bonus question, I currently have:
> > > >
> > > >     LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet
> > > >
> > > > The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall
> > > > local interface have a 10.0.0.0/24 address. How should I split up my new
> > > > public /24 block so that everything has a public IP?
> >
> > Thanks for your suggestion with this. One thing that should be noted is that
> > a server is going to be added in the near future that is going to sit on
> > the same hub that router2 and the Shorewall loc zone are connected to. It
> > would be nice to have 6 or so public IPs on the router2 side of the
> > T1. Hope that makes sense.
>
> Sure -- just make sure that you align the block of addresses so that you
> can handle them with a single route (/29).

So then what would the route statements look like on the Shorewall box and the routers? If you have a /29 or /28 on the router2 side of things, what is the subnet size on the router1 side of things?
Andrew Niemantsverdriet wrote:
> On Tue, 2004-09-07 at 15:17, Tom Eastep wrote:
> > > > > Also, as a bonus question, I currently have:
> > > > >
> > > > >     LAN<===>router1<--T1 Line-->router2<===>Shorewall<--->Internet
> > > > >
> > > > > The LAN and router1 all have a 10.1.0.0/24 address; router2 and the Shorewall
> > > > > local interface have a 10.0.0.0/24 address. How should I split up my new
> > > > > public /24 block so that everything has a public IP?
> > >
> > > Thanks for your suggestion with this. One thing that should be noted is that
> > > a server is going to be added in the near future that is going to sit on
> > > the same hub that router2 and the Shorewall loc zone are connected to. It
> > > would be nice to have 6 or so public IPs on the router2 side of the
> > > T1. Hope that makes sense.
> >
> > Sure -- just make sure that you align the block of addresses so that you
> > can handle them with a single route (/29).
>
> So then what would the route statements look like on the Shorewall box
> and the routers? If you have a /29 or /28 on the router2 side of things,
> what is the subnet size on the router1 side of things?

    ip route add a.b.c.d/29 dev <dev>

or

    ip route add a.b.c.d/29 via <gateway> dev <dev>

The network doesn't change size just because it is routed through a gateway.

Linux boxes will sort the routing table with the more specific routes first and the more general routes last. So there is no ambiguity if you have two conflicting routes to the same host -- so long as the more specific of the two routes is the correct one.

Example from my firewall:

    gateway:~ # ip route ls
    206.124.146.177 dev eth2  scope link
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
    206.124.146.0/24 dev eth1  proto kernel  scope link  src 206.124.146.176
    192.168.9.0/24 dev texas  scope link
    169.254.0.0/16 dev eth0  scope link
    127.0.0.0/8 dev lo  scope link
    default via 206.124.146.254 dev eth1
    gateway:~ #

Note that there is a route to 206.124.146.177[/32] and a second route to 206.124.146.0/24. The more specific route is the one that will be used.

-Tom
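An added example, not part of the thread or of Shorewall itself, that puts Tom's routing points to work on his own route table: it parses `ip route ls` output, picks the most specific matching route the way the kernel does, checks whether a masq entry would SNAT a given source (his point (b) earlier in the thread), and tells whether a run of addresses is aligned so a single route (e.g. a /29) covers it. The masq entries and the 192.0.2.x addresses are constructed stand-ins.

```python
import ipaddress

# Constructed copy of the "ip route ls" output Tom posted, used as sample input.
ROUTE_TABLE = """\
206.124.146.177 dev eth2 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
206.124.146.0/24 dev eth1 proto kernel scope link src 206.124.146.176
192.168.9.0/24 dev texas scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 206.124.146.254 dev eth1
"""

# Constructed masq entries in the (INTERFACE, SUBNET) shape of Andrew's file:
# only the private nets are masqueraded, never the public block.
MASQ = [("eth0", "10.1.0.0/24"), ("eth0", "10.0.0.0/24")]


def parse_routes(text):
    """Turn 'ip route ls' lines into (network, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        gw = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((net, gw, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def masqueraded(masq, out_dev, src):
    """True if a packet from src leaving out_dev would be SNATed by masq."""
    ip = ipaddress.ip_address(src)
    return any(dev == out_dev and ip in ipaddress.ip_network(sub)
               for dev, sub in masq)


def single_route(first, last):
    """The one prefix covering first..last, or None if the block is misaligned."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(nets[0]) if len(nets) == 1 else None


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    print(lookup(routes, "206.124.146.177"))  # the /32 on eth2 beats the /24
    print(lookup(routes, "206.124.146.10"))   # the /24 on eth1
    print(masqueraded(MASQ, "eth0", "192.0.2.50"))  # public source: False
    print(single_route("192.0.2.8", "192.0.2.15"))   # 192.0.2.8/29
    print(single_route("192.0.2.10", "192.0.2.17"))  # None: needs 3 prefixes
```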
On Tue, 2004-09-07 at 14:33, Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
> > I have had Shorewall 2.0.8 up and running for a month or so. Now I need
> > to change some things around. Currently I am running on a private IP
> > scheme and Shorewall is set up based on the 3 interface guide. Now I want
> > to change to a public scheme on my "loc" zone. I have a /24 block of
> > public IPs. I need my private scheme and public scheme to co-exist, so what I
> > currently have is: eth1 (local) has a public IP and another private IP
> > alias (eth1:1). When I set up my test laptop with a public IP I can ping
> > my Internet (eth0), my DMZ (eth2) but not anything in it, and my gateway
> > (eth1), but I cannot ping or view the web. If my test laptop has a
> > private IP it can browse and ping as it should.
> >
> > My policy file has this:
> >     loc   net   accept
> >     net   loc   accept
> > so that the local zone has full Internet access.
> >
> > Where should I start looking to find the problem? The logs are not
> > showing me anything that I can see.
>
> a) Routing -- You should be able to remove Shorewall totally from your
> firewall and still have complete access to all hosts from the laptop.
>
> b) Be sure that you are not masquerading traffic from the internal
> public IP addresses.

After a few days of messing around with stuff I was able to get some functionality. I am now able to ping stuff in the DMZ. I can still ping all interfaces on my Shorewall box, but I cannot ping anything on the net. I double-checked my masq file; it is indeed only masquerading my private addresses.

Here is my route table:

    172.16.31.0/30 via 10.0.0.2 dev eth1
    xxx.xxx.170.120/30 dev eth0 proto kernel scope link src xxx.xxx.170.122
    xxx.xx.170.128/29 dev eth2 proto kernel scope link src xxx.xxx.170.129
    10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
    xxx.xxx.138.0/24 dev eth1 proto kernel scope link src xxx.xxx.138.1
    10.1.0.0/24 via 10.0.0.2 dev eth1
    169.254.0.0/16 dev eth0 scope link
    default via xxx.xxx.170.121 dev eth0

Any ideas on why I can't get out to the net when I have a public IP given to my laptop? I am connected to a hub, then to the local interface.
Andrew Niemantsverdriet wrote:
> Any ideas on why I can't get out to the net when I have a public IP
> given to my laptop? I am connected to a hub, then to the local interface.

Does your ISP route your /24 through your firewall's primary IP, or is the setup unrouted? If it is unrouted then you need to take measures to make your firewall respond to ARP who-has requests for the entire /24.

See the Shorewall Setup Guide for lots of information in this area.

-Tom
Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
> > Any ideas on why I can't get out to the net when I have a public IP
> > given to my laptop? I am connected to a hub, then to the local interface.
>
> Does your ISP route your /24 through your firewall's primary IP, or is
> the setup unrouted? If it is unrouted then you need to take measures to
> make your firewall respond to ARP who-has requests for the entire /24.
>
> See the Shorewall Setup Guide for lots of information in this area.

But one simple way is to set the proxyarp option on your external interface in /etc/shorewall/interfaces.

-Tom
On Fri, 2004-09-10 at 13:00, Tom Eastep wrote:
> Tom Eastep wrote:
> > Andrew Niemantsverdriet wrote:
> > > Any ideas on why I can't get out to the net when I have a public IP
> > > given to my laptop? I am connected to a hub, then to the local interface.
> >
> > Does your ISP route your /24 through your firewall's primary IP, or is
> > the setup unrouted? If it is unrouted then you need to take measures to
> > make your firewall respond to ARP who-has requests for the entire /24.
> > See the Shorewall Setup Guide for lots of information in this area.
>
> But one simple way is to set the proxyarp option on your external
> interface in /etc/shorewall/interfaces.
>
> -Tom

Which is better, routed or non-routed? I have not really ever looked at the setup guide for more than one public IP, and so far that is really helpful. It seems to me that routed would be easier simply because of ease of setup (I don't have to change anything on my firewall), but does the non-routed proxyarp offer more flexibility?
Andrew Niemantsverdriet wrote:
> On Fri, 2004-09-10 at 13:00, Tom Eastep wrote:
> > Tom Eastep wrote:
> > > Andrew Niemantsverdriet wrote:
> > > > Any ideas on why I can't get out to the net when I have a public IP
> > > > given to my laptop? I am connected to a hub, then to the local interface.
> > >
> > > Does your ISP route your /24 through your firewall's primary IP, or is
> > > the setup unrouted? If it is unrouted then you need to take measures to
> > > make your firewall respond to ARP who-has requests for the entire /24.
> > > See the Shorewall Setup Guide for lots of information in this area.
> >
> > But one simple way is to set the proxyarp option on your external
> > interface in /etc/shorewall/interfaces.
> >
> > -Tom
>
> Which is better, routed or non-routed? I have not really ever looked at
> the setup guide for more than one public IP, and so far that is really
> helpful. It seems to me that routed would be easier simply because of
> ease of setup (I don't have to change anything on my firewall), but does
> the non-routed proxyarp offer more flexibility?

Often you don't have a chance but for a /24, I would prefer routed if your ISP will set it up that way.

-Tom
Tom Eastep wrote:
> Often you don't have a chance but for a /24, I would prefer routed if
> your ISP will set it up that way.

Groan -- I meant to write "Often you don't have a *choice*..."

-Tom

Proofread twice, send once
Proofread twice, send once
Proofread twice, send once
...