Hi again,

I have now configured a 2.0.8 shorewall with two interfaces:

interfaces:
    net     eth0    detect
    loc     eth2    detect

masq:
    eth0    eth2

The interface eth0 has the 192.168.1.10 IP and is connected to the Internet.
The interface eth2 has the 192.168.2.1 IP and is connected to a router (CMTS - Cable Modem Termination System).

I have this policy file:

    loc     net     ACCEPT
    net     loc     ACCEPT
    net     fw      DROP    info
    fw      all     ACCEPT
    loc     fw      DROP    info
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    all     all     ACCEPT

As you can read, I've changed the all-all policy because if I use REJECT (as I'd like and I must) I get these log messages:

    Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=62.175.165.X DST=(public IPs)

This is because PCs connected to the CMTS have public IPs in the range 62.175.165.X/24.

After reading a lot of links I have found three things that could help me:

    file interfaces: add the options newnotsyn and routeback to eth2
    file masq:       add this line: eth0 61.175.165.X/24
    file hosts:      loc 62.175.165.1/24 routeback

But I'm not really sure if this is the best way to do it, and I can't do as many "shorewall restarts" as I'd like because of the users of the system, so I prefer to be as sure as I can before trying anything.

Many thanks for all

-- 
Regards,
Javier Ramirez Molina
Departamento Ingeniera Scancom
jramirez@scancom.es
Phone: 952486557
Javier Ramirez wrote:
> Hi again,
>
> I have now configured a 2.0.8 shorewall with two interfaces:
>
> interfaces:
>     net     eth0    detect
>     loc     eth2    detect
>
> masq:
>     eth0    eth2
>
> The interface eth0 has the 192.168.1.10 IP and is connected to the Internet.
> The interface eth2 has the 192.168.2.1 IP and is connected to a router (CMTS - Cable Modem Termination System).
>
> I have this policy file:
>
>     loc     net     ACCEPT
>     net     loc     ACCEPT
>     net     fw      DROP    info
>     fw      all     ACCEPT
>     loc     fw      DROP    info
>     #
>     # THE FOLLOWING POLICY MUST BE LAST
>     #
>     all     all     ACCEPT
>
> As you can read, I've changed the all-all policy because if I use REJECT (as I'd like and I must) I get these log messages:
>
>     Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=62.175.165.X DST=(public IPs)
>
> This is because PCs connected to the CMTS have public IPs in the range 62.175.165.X/24.

This looks like the routing or cabling is screwed up -- traffic coming in on eth0 is being routed back out eth0. Why is traffic with source 62.175.165.X arriving on eth0 if those systems are connected to eth2???

Do you have eth0 and eth2 connected to the same hub/switch???

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Javier Ramirez wrote:
>
> This looks like the routing or cabling is screwed up -- traffic coming in on eth0 is being routed back out eth0. Why is traffic with source 62.175.165.X arriving on eth0 if those systems are connected to eth2???
>
> Do you have eth0 and eth2 connected to the same hub/switch???

Or do I understand that you are actually trying to route traffic between 192.168.1.1 and 192.168.1.11 (which are both connected to eth0)? If so, why?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> This looks like the routing or cabling is screwed up -- traffic coming in on eth0 is being routed back out eth0. Why is traffic with source 62.175.165.X arriving on eth0 if those systems are connected to eth2???
>
> Do you have eth0 and eth2 connected to the same hub/switch???
>
> -Tom

Many thanks Tom, yes, eth0 and eth2 are connected to the same switch. So do you think that using a crossover cable between the 62.175.165.X network* and eth2, instead of using the same switch that eth0 uses, would help me?

* I mean the Ethernet side of the CMTS where all the cable modems with those public IPs are connected.

Many thanks for your time and congratulations for your great job.

-- 
Regards,
Javier Ramirez Molina
Departamento Ingeniera Scancom
jramirez@scancom.es
Phone: 952486557
Javier Ramirez wrote:
> Tom Eastep wrote:
>
>> This looks like the routing or cabling is screwed up -- traffic coming in on eth0 is being routed back out eth0. Why is traffic with source 62.175.165.X arriving on eth0 if those systems are connected to eth2???
>>
>> Do you have eth0 and eth2 connected to the same hub/switch???
>>
>> -Tom
>
> Many thanks Tom, yes, eth0 and eth2 are connected to the same switch. So do you think that using a crossover cable between the 62.175.165.X network* and eth2, instead of using the same switch that eth0 uses, would help me?

Javier,

*All* of the multi-interface QuickStart guides as well as the Troubleshooting guide point out that *you must not connect multiple firewall interfaces to the same HUB/switch*.

For *testing*, you can use the 'arp_filter' interface option to make that sort of configuration work, but it should never be used in production since at best it provides "security by obscurity" (and it's not all that obscure given that broadcasts will sail right through the hub/switch).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
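The two symptoms Tom reads out of Javier's single log line (a FORWARD entry whose IN and OUT name the same interface, and loc-range sources turning up on the Internet-facing interface) can be picked out of a Shorewall log mechanically, which is handy when you cannot afford repeated "shorewall restart" cycles to experiment. The script below is an added example, not code from the original post or from the Shorewall project. The log lines in it are constructed to match the format quoted in the thread, and the assumption that 62.175.165.0/24 belongs behind eth2 is taken from Javier's description; adjust EXPECTED_INGRESS for your own zones.

```python
"""Triage Shorewall/netfilter log lines for the symptom discussed in the thread:
forwarded packets that leave on the interface they arrived on, and source
addresses appearing on an interface that should never carry them."""
import ipaddress
import re

# Constructed sample log lines (not from the original post), modelled on the
# "Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=... DST=..." line quoted above.
SAMPLE_LOG = """\
Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=62.175.165.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=3412 DPT=80
Shorewall:FORWARD:ACCEPT:IN=eth2 OUT=eth0 SRC=62.175.165.21 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=3413 DPT=80
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=40 PROTO=TCP SPT=40000 DPT=22
Shorewall:FORWARD:ACCEPT:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=62.175.165.21 LEN=52 PROTO=TCP SPT=80 DPT=3413
"""

# Assumed zone layout, taken from the thread: eth2 faces the CMTS, whose
# cable-modem customers hold public 62.175.165.0/24 addresses, so packets
# sourced from that range must only ever enter the firewall on eth2.
EXPECTED_INGRESS = {
    ipaddress.ip_network("62.175.165.0/24"): "eth2",
}

_LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)")


def parse_line(line):
    """Return a dict of the log line's fields, or None if it is not a Shorewall line."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:  # bare flags such as DF or SYN carry no '=' and are skipped
            rec[key] = value
    return rec


def triage(line):
    """Return the list of findings for one line (empty if the line looks sane)."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    in_if, out_if = rec.get("IN", ""), rec.get("OUT", "")
    # Netfilter only fills OUT for forwarded packets. A forward that leaves on
    # its ingress interface means the route for DST points back out the way
    # the packet came: the "routing or cabling is screwed up" case.
    if in_if and in_if == out_if:
        findings.append("hairpin forward on %s" % in_if)
    try:
        src = ipaddress.ip_address(rec.get("SRC", ""))
    except ValueError:
        return findings
    # A loc-range source seen on any interface other than its own means the
    # hosts are reachable on a segment they should not share with that interface.
    for net, expected in EXPECTED_INGRESS.items():
        if src in net and in_if and in_if != expected:
            findings.append("%s from %s arrived on %s, expected %s" % (src, net, in_if, expected))
    return findings


def triage_log(text):
    """Map 1-based line number -> findings, for lines that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = triage(line)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, findings in sorted(triage_log(SAMPLE_LOG).items()):
        print("line %d:" % n)
        for f in findings:
            print("   ", f)
```

Run it against `/var/log/messages` (or wherever your syslog sends kernel output) and only the offending lines are reported; on the constructed sample, line 1 is flagged for both conditions and the other three pass. The script only identifies the symptom: per Tom's reply, the fix is to put each firewall interface on its own segment, not to paper over the log with ACCEPT or `arp_filter`.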