Hello Tom and others,
First I want to say THANK YOU for the never-ending support and development
of the Shorewall firewall.
I just upgraded from a 1.x version to 2.0.7. I have several networks defined on
the same interface. These are /30 networks, defined on the Ethernet interface that
the hardware Wi-Fi access point is connected to. I used this configuration to be
able to get accounting information about traffic between users. In the previous
version of Shorewall I had defined something like
- eth0 192.168.140.195,192.168.140.199,192.168.140.203,192.168.140.207,192.168.140.211,192.168.140.215,192.168.140.219,192.168.140.223,192.168.140.227,192.168.140.231,192.168.140.235,192.168.140.239,192.168.140.243,192.168.140.247,192.168.140.251,192.168.140.255 routefilter,tcpflags
in the interfaces file and something like:
ap eth0:192.168.140.192/30
ap eth0:192.168.140.196/30
ap eth0:192.168.140.200/30
ap eth0:192.168.140.204/30
ap eth0:192.168.140.208/30
ap eth0:192.168.140.212/30
ap eth0:192.168.140.216/30
ap eth0:192.168.140.220/30
ap eth0:192.168.140.224/30
ap eth0:192.168.140.228/30
ap eth0:192.168.140.232/30
ap eth0:192.168.140.236/30
ap eth0:192.168.140.240/30
ap eth0:192.168.140.244/30
ap eth0:192.168.140.248/30
ap eth0:192.168.140.252/30
in the hosts file.
All communication was routed by Shorewall, and because of that I had precise
accounting information and I was able to apply traffic shaping, which was the
second point of my solution.
At the time of migration to the new Shorewall version I left the same configuration
files, but since then no communication between users located on the same AP is
allowed:
Sep 26 20:45:45 weedle Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0
MAC=00:50:fc:3a:02:9b:00:e0:98:be:7d:0f:08:00 SRC=192.168.140.198
DST=192.168.140.230 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=58717 CE PROTO=ICMP
TYPE=8 CODE=0 ID=38899 SEQ=34560
Also, with the same configuration I am finding in the Shorewall log some
broadcast/multicast REJECTs which were not present in the past:
Jan 1 01:00:00 square Shorewall:OUTPUT:REJECT: IN= OUT=eth0
MACSRC=192.168.144.217 DST=224.0.0.5 LEN=64 TOS=00 PREC=0x00 TTL=1 ID=62155 CE
PROTO=0
Please, if you have any idea what is wrong, help me :-)
I also tried to define eth0 to belong to only one zone, ap, and delete the entries
in hosts, but with the same results: users in different networks on the same
interface can't communicate with each other. I have no special policy or rule set
for the "ap" zone.
Best Regards
Dominik aka Litin
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
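As an added example (not part of Dominik's message and not Shorewall's own code), the following Python script parses Shorewall/netfilter LOG lines of the kind quoted above and classifies each REJECT: "hairpin" when IN and OUT name the same interface (the forwarded-back-out-the-same-interface case between the /30 networks on eth0), "multicast" or "broadcast" by destination address, "other" for the rest. The sample input is the two lines from the message, re-joined onto one line each because the mail client wrapped them; the second line's "MACSRC=" fragment is assumed to have been "MAC= SRC=" before wrapping. Running it over a full /var/log/messages shows at a glance which chain is rejecting which pattern, and which host pairs are affected.

```python
"""Parse Shorewall (netfilter LOG) REJECT lines and classify what was rejected."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two REJECT lines quoted in the message,
# re-joined onto one line each (the mail client wrapped them). The second
# line's "MACSRC=" fragment is assumed to have been "MAC= SRC=" originally.
SAMPLE_LOG = """\
Sep 26 20:45:45 weedle Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=00:50:fc:3a:02:9b:00:e0:98:be:7d:0f:08:00 SRC=192.168.140.198 DST=192.168.140.230 LEN=60 TOS=00 PREC=0x00 TTL=126 ID=58717 CE PROTO=ICMP TYPE=8 CODE=0 ID=38899 SEQ=34560
Jan 1 01:00:00 square Shorewall:OUTPUT:REJECT: IN= OUT=eth0 MAC= SRC=192.168.144.217 DST=224.0.0.5 LEN=64 TOS=00 PREC=0x00 TTL=1 ID=62155 CE PROTO=0
"""

# Shorewall 2.x log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's space-separated KEY=VALUE fields (some tokens, like CE, have no value).
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+): ?(?P<rest>.*)$"
)
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


@dataclass
class LogEntry:
    timestamp: str
    host: str
    chain: str        # INPUT / OUTPUT / FORWARD / a Shorewall rules chain
    disposition: str  # REJECT / DROP / ACCEPT
    fields: dict


def parse_line(line: str):
    """Return a LogEntry for a Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("rest")):
        # ICMP echo lines carry ID= twice (IP header ID, then ICMP echo ID);
        # keep the first so fields["ID"] is always the IP header ID.
        fields.setdefault(kv.group("key"), kv.group("val"))
    return LogEntry(m.group("ts"), m.group("host"), m.group("chain"),
                    m.group("disp"), fields)


def classify(entry: LogEntry) -> str:
    """Name the traffic pattern a logged packet belongs to."""
    f = entry.fields
    in_if, out_if = f.get("IN", ""), f.get("OUT", "")
    if in_if and in_if == out_if:
        # Forwarded back out the interface it arrived on: traffic between
        # hosts that share one interface but sit in different subnets.
        return "hairpin"
    try:
        dst = ipaddress.ip_address(f.get("DST", ""))
    except ValueError:
        return "other"
    if dst.is_multicast:
        return "multicast"
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count REJECTed packets by (chain, pattern) over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry.disposition == "REJECT":
            counts[(entry.chain, classify(entry))] += 1
    return counts


def hairpin_pairs(log_text: str) -> list:
    """List (interface, SRC, DST) for every hairpin entry, to see which hosts are affected."""
    pairs = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and classify(entry) == "hairpin":
            pairs.append((entry.fields["IN"], entry.fields["SRC"], entry.fields["DST"]))
    return pairs


if __name__ == "__main__":
    for (chain, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:8s} {kind:10s} {n}")
    for iface, src, dst in hairpin_pairs(SAMPLE_LOG):
        print(f"hairpin on {iface}: {src} -> {dst}")
```

To use it on a live system, read the log file and pass its contents to summarize(); a non-zero ("FORWARD", "hairpin") count is the signature of same-interface forwarding being rejected, which is the symptom described in the message, while ("OUTPUT", "multicast") entries with TTL=1 are locally generated link-local multicast that never left the box.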