My network configuration looks like this:

                                      --> server (eth0: 192.168.1.2, eth1: 192.168.1.3)
  internet --> cable modem --> router --> desktop (192.168.1.4)
                                      --> laptop (192.168.1.5)

The router forwards ports to 192.168.1.3. So for example, when I ssh to the external IP of my cable modem, the router forwards port 22 to 192.168.1.3.

I'm trying to set it up so the server accepts only local connections (192.168.1.0/24) on eth0, and internet connections on eth1. The problem I'm having during testing using ssh is that shorewall is saying it's coming in on eth0, when it's really coming in on eth1. Any ideas on why this happens, how to fix it?

Here's the log message I get:

Dec 30 14:42:37 eigen Shorewall:lan2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:7c:6f:77:00:06:25:a2:44:f6:08:00 SRC=129.100.171.40 DST=192.168.1.3 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=26628 DF PROTO=TCP SPT=58519 DPT=22 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

This is my shorewall configuration:

/etc/shorewall/zones
net   Net   Internet
lan   LAN   Local Area Network

/etc/shorewall/policy
fw    lan   ACCEPT
fw    net   ACCEPT
lan   all   DROP    info
net   all   DROP    info
all   all   REJECT  info

/etc/shorewall/interfaces
lan   eth0  detect
net   eth1  detect

/etc/shorewall/rules
ACCEPT  lan:192.168.1.0/24  fw:192.168.1.2  tcp  22
ACCEPT  net                 fw:192.168.1.3  tcp  22

-- 
Tom
On Thu, 2004-12-30 at 20:15 +0000, Tom Hosiawa wrote:
>
> I'm trying to set it up so the server accepts only local connections
> (192.168.1.0/24) on eth0, and internet connections on eth1. The
> problem I'm having during testing using ssh is that shorewall is
> saying it's coming in on eth0, when it's really coming in on eth1. Any
> ideas on why this happens, how to fix it?
>
> Here's the log message I get:
> Dec 30 14:42:37 eigen Shorewall:lan2all:DROP:IN=eth0 OUT=
> MAC=00:c0:4f:7c:6f:77:00:06:25:a2:44:f6:08:00 SRC=129.100.171.40
> DST=192.168.1.3 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=26628 DF
> PROTO=TCP SPT=58519 DPT=22 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

a) Your IP configuration is hopeless. If you want all of your local systems to be in one network (192.168.1.0/24) then you must configure your firewall as a bridge rather than a router (see http://shorewall.net/bridge.html).

b) The "wrong interface" problem happens when you have both of your firewall's interfaces cabled to the same hub/switch. There are warnings all over the Shorewall documentation to not do that.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
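As an added example (not part of this thread and not Shorewall's own code), the following Python script parses Shorewall's netfilter LOG lines like the one quoted above and flags the symptom Tom Eastep describes: a packet whose source address belongs to one zone arriving on the interface assigned to the other. The interface-to-zone mapping and the 192.168.1.0/24 local network are taken from the poster's configuration files; the sample log lines are constructed, with the first reproducing the posted line (its wrapped tokens rejoined). The script also splits the MAC= field, whose first six octets are the destination MAC, i.e. which of the firewall's NICs the router actually addressed the frame to. With both NICs on one segment, Linux by default answers ARP for any local address on any interface (arp_ignore=0), so the router can learn either card's MAC for 192.168.1.3, and that is what makes the "wrong interface" show up in the log.

```python
import ipaddress
import re

# Zone assignment taken from the /etc/shorewall/interfaces file in the post.
ZONE_OF_IFACE = {"eth0": "lan", "eth1": "net"}
# Addresses the poster intends to treat as local (his rules file uses 192.168.1.0/24).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Netfilter LOG lines as emitted through Shorewall: a "Shorewall:<chain>:<disposition>:"
# prefix followed by KEY=VALUE fields and bare flag words (DF, SYN, ...) that carry no '='.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_shorewall_log(line):
    """Turn one log line into a dict of its fields, or None if it is not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    entry.update(FIELD_RE.findall(m.group("rest")))  # empty values (OUT=) are kept as ""
    return entry


def split_mac_field(mac_field):
    """The MAC= field holds 14 octets: destination MAC, source MAC, then the EtherType.

    The destination MAC is the firewall NIC the frame was addressed to; the source MAC
    is the device that sent it (in the posted line, the router). Returns None if the
    field is malformed."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return (":".join(octets[0:6]), ":".join(octets[6:12]), ":".join(octets[12:14]))


def expected_zone(src_ip):
    """Zone a packet with this source address should enter through, per the poster's design."""
    return "lan" if ipaddress.ip_address(src_ip) in LAN_NET else "net"


def interface_mismatch(entry):
    """Return a finding when the ingress interface's zone disagrees with the source
    address (the 'wrong interface' symptom), else None."""
    iface = entry.get("IN")
    src = entry.get("SRC")
    if not iface or not src:
        return None
    actual = ZONE_OF_IFACE.get(iface, "unknown")
    wanted = expected_zone(src)
    if actual == wanted:
        return None
    return f"SRC={src} belongs to zone '{wanted}' but entered on {iface} (zone '{actual}')"


def audit(lines):
    """Parse each line and collect (line_number, finding) pairs for zone/interface mismatches."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_shorewall_log(line)
        if entry is None:
            continue
        msg = interface_mismatch(entry)
        if msg:
            findings.append((n, msg))
    return findings


# Constructed sample input. The first line reproduces the one in the post (wrapped
# tokens rejoined); the other two are made up for contrast and should not be flagged.
SAMPLE_LOG = [
    "Dec 30 14:42:37 eigen Shorewall:lan2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:7c:6f:77:00:06:25:a2:44:f6:08:00 SRC=129.100.171.40 DST=192.168.1.3 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=26628 DF PROTO=TCP SPT=58519 DPT=22 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Dec 30 14:43:02 eigen Shorewall:lan2all:DROP:IN=eth0 OUT= MAC=00:c0:4f:7c:6f:77:00:11:22:33:44:55:08:00 SRC=192.168.1.4 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 30 14:43:05 eigen Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:4f:7c:6f:78:00:06:25:a2:44:f6:08:00 SRC=198.51.100.7 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for n, msg in audit(SAMPLE_LOG):
        print(f"line {n}: {msg}")
    dst_mac, src_mac, ethertype = split_mac_field(parse_shorewall_log(SAMPLE_LOG[0])["MAC"])
    print(f"frame addressed to {dst_mac}, sent by {src_mac}, ethertype {ethertype}")
```

Run over the sample, only the first line is reported: an internet source entered on eth0, the interface the poster's configuration binds to the lan zone. The split MAC field shows the frame was addressed to 00:c0:4f:7c:6f:77, so the router really did send it to that card; the fix is the one in the reply (a bridge, or separate segments), not a Shorewall rule.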
> a) Your IP configuration is hopeless. If you want all of your local
> systems to be in one network (192.168.1.0/24) then you must configure
> your firewall as a bridge rather than a router (see
> http://shorewall.net/bridge.html).
>
> b) The "wrong interface" problem happens when you have both of your
> firewall's interfaces cabled to the same hub/switch. There are warnings
> all over the Shorewall documentation to not do that.

I hadn't read the bridge doc before because I didn't think it concerned me. I did finally come across something saying I can't do what I was trying with both NICs on the same subnet. I was just trying this because I thought I read somewhere it's a good idea to separate the local and external traffic for security purposes. But for my home server, I guess that's probably overkill.

Thanks for the response though.

Tom