Hello.

I have a /24 subnet of which I want to treat some clients differently:

hosts:
####
wlan        eth0:192.168.168.190,192.168.10.0/24

lanuntrust  eth0:192.168.168.100,192.168.168.101,192.168.168.102

lan         eth0:192.168.168.0/24
####

Before I had a working setup with only "lan".
Do I have to set all policies and rules also for "lanuntrust", or are
they also affected by lan?
Is therefore the "continue" policy needed?

After I set up the hosts, those clients were not working anymore with the
common "lan" policies.

Paolo Peruzzi
> Hello.
>
> I have a /24 subnet of which I want to treat some clients differently:
>
> hosts:
> ####
> wlan        eth0:192.168.168.190,192.168.10.0/24
>
> lanuntrust  eth0:192.168.168.100,192.168.168.101,192.168.168.102
>
> lan         eth0:192.168.168.0/24
> ####
>
> Before I had a working setup with only "lan".
> Do I have to set all policies and rules also for "lanuntrust", or are
> they also affected by lan?
> Is therefore the "continue" policy needed?
>
> After I set up the hosts, those clients were not working anymore with the
> common "lan" policies.
>
> Paolo Peruzzi

Hi Paolo:

Could you post your config file please, better yet see:
http://www.shorewall.net/support.htm

To the rest:

Received about 2:30AM local time, it's now after 9AM. During this time,
flaming of a user was the big haha. Nobody could stop for a second, to
help this person? Even just to ask for the config files or point to the
support page?
I'm a little disappointed.....

Jerry

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Hi Paolo,

> Hello.
>
> I have a /24 subnet of which I want to treat some clients differently:
>
> hosts:
> ####
> wlan        eth0:192.168.168.190,192.168.10.0/24
>
> lanuntrust  eth0:192.168.168.100,192.168.168.101,192.168.168.102
>

first of all your zone name is too long: taken from /etc/shorewall/zones

<snip>
# ZONE          Short name of the zone (5 Characters or less in length).
#               The names "all" and "none" are reserved and may not be
#               used as zone names.
</snip>

> lan         eth0:192.168.168.0/24
> ####
>
> Before I had a working setup with only "lan".
> Do I have to set all policies and rules also for "lanuntrust", or are
> they also affected by lan?

Don't know the handling of too long zone names and how it affects
shorewall (no time to look into the code), but yes, you have to set
rules/policies for zones defined by /etc/shorewall/hosts

> Is therefore the "continue" policy needed?

I didn't get this question!?

>
> After I set up the hosts, those clients were not working anymore with
> the common "lan" policies.
>

I *guess* it is because of the combined problem of a too long zone name
and missing rules/policies.

As Jerry Vonau already wrote in his posting: For more detailed support
please post your config files according to
http://www.shorewall.net/support.htm

HTH,
Alex
On Thursday, 28.07.2005, 09:13 -0500, Jerry Vonau wrote:
> > Hello.
> >
> > I have a /24 subnet of which I want to treat some clients differently:
> >
> > hosts:
> > ####
> > wlan        eth0:192.168.168.190,192.168.10.0/24
> >
> > lanuntrust  eth0:192.168.168.100,192.168.168.101,192.168.168.102
> >
> > lan         eth0:192.168.168.0/24
> > ####
> >
> > Before I had a working setup with only "lan".
> > Do I have to set all policies and rules also for "lanuntrust", or are
> > they also affected by lan?
> > Is therefore the "continue" policy needed?
> >
> > After I set up the hosts, those clients were not working anymore with the
> > common "lan" policies.

> Could you post your config file please, better yet see:

Sorry, my first question to this mailing list.
Here's the status of shorewall configured with this /24 subnet and some
special IPs within this subnet.
For example, I want to block higher ports above 1024 for untrusted IPs.

Paolo
> On Thursday, 28.07.2005, 09:13 -0500, Jerry Vonau wrote:
> > > Hello.
> > >
> > > I have a /24 subnet of which I want to treat some clients differently:
> > >
> > > hosts:
> > > ####
> > > wlan        eth0:192.168.168.190,192.168.10.0/24
> > >
> > > lanuntrust  eth0:192.168.168.100,192.168.168.101,192.168.168.102
> > >
> > > lan         eth0:192.168.168.0/24
> > > ####
> > >
> > > Before I had a working setup with only "lan".
> > > Do I have to set all policies and rules also for "lanuntrust", or are
> > > they also affected by lan?
> > > Is therefore the "continue" policy needed?
> > >
> > > After I set up the hosts, those clients were not working anymore with the
> > > common "lan" policies.
>
> > Could you post your config file please, better yet see:
>
> Sorry, my first question to this mailing list.
> Here's the status of shorewall configured with this /24 subnet and some
> special IPs within this subnet.
> For example, I want to block higher ports above 1024 for untrusted IPs.
>
> Paolo

Can we see the config files that generated this status? Some people can
visualize what you have in the config files, I can't. I need to put this
into context, just to have it straight in my head.

Jerry
On Thursday, 28.07.2005, 11:41 -0500, Jerry Vonau wrote:
> Can we see the config files that generated this status?

Of course.
Here's the complete set of my config. The planned hosts are still
commented.

Paolo
> On Thursday, 28.07.2005, 11:41 -0500, Jerry Vonau wrote:
> > Can we see the config files that generated this status?
>
> Of course.
> Here's the complete set of my config. The planned hosts are still
> commented.
>
> Paolo
>

I'd suggest you re-read:
http://www.shorewall.net/Multiple_Zones.html

Note the difference in nested and parallel zones, one has "loc" in
interfaces and not in hosts (nested), while the other (parallel) has both
in just hosts. It looks like you're trying to do both, with loc in both
interfaces and hosts.

I'd heed Alex's advice on the zone naming, and shorten it from "lanuntrust"

You could state a range here,
#lanuntrust eth0:192.168.168.100-192.168.168.110
if you have the kernel support.

wlan eth0:192.168.168.190,192.168.10.0/24

192.168.10.0/24 is a wireless subnet that is reachable through
192.168.168.190?
You don't have a route for that, or is .190 masq'ing the traffic from
192.168.10.0/24?

Jerry
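The two problems flagged so far (a zone name longer than 5 characters, and "loc" appearing in both interfaces and hosts, i.e. nested and parallel at once) can be caught with a small lint pass over the three files. The script below is an added example, not part of the thread or of Shorewall; the file contents are constructed from the snippets posted above (with "loc" standing in for "lan"), and the FIXED_* variants show the config after the advice in this thread.

```python
"""Lint a Shorewall zones/interfaces/hosts set for the issues raised in this
thread: over-long zone names, a zone listed in both interfaces and hosts, and
host groups nested inside a broader host group on the same interface.
Added example, not Shorewall code; all file contents here are constructed."""
import ipaddress

# Constructed sample: roughly the first attempt posted in the thread.
ZONES = """\
#ZONE       TYPE
net         ipv4
loc         ipv4
lanuntrust  ipv4
wlan        ipv4
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST
net     ppp0        -
loc     eth0        detect
"""
HOSTS = """\
#ZONE        HOST(S)
wlan         eth0:192.168.168.190,192.168.10.0/24
lanuntrust   eth0:192.168.168.100,192.168.168.101,192.168.168.102
loc          eth0:192.168.168.0/24
"""
# Constructed sample after the thread's advice: a 5-character name, a /28
# range, loc only in interfaces (nested zones), sub-zones only in hosts.
FIXED_ZONES = ZONES.replace("lanuntrust", "lanut")
FIXED_HOSTS = """\
#ZONE   HOST(S)
wlan    eth0:192.168.168.190,192.168.10.0/24
lanut   eth0:192.168.168.96/28
"""

def records(text):
    """Fields of each non-blank, non-comment line of a Shorewall table."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def lint(zones, interfaces, hosts):
    """Return a list of human-readable problems (an empty list means clean)."""
    problems = []
    declared = [r[0] for r in records(zones)]
    for name in declared:
        if len(name) > 5 or name in ("all", "none"):
            problems.append(f"zone {name!r}: must be 5 characters or less and not all/none")
    iface_zones = {r[0] for r in records(interfaces)}
    nets = []  # (zone, interface, network) for every address in hosts
    for zone, spec in (r[:2] for r in records(hosts)):
        if zone not in declared:
            problems.append(f"hosts: zone {zone!r} is not declared in zones")
        if zone in iface_zones:
            problems.append(f"zone {zone!r} is in both interfaces and hosts (nested and parallel at once)")
        iface, _, addrs = spec.partition(":")
        nets += [(zone, iface, ipaddress.ip_network(a, strict=False)) for a in addrs.split(",")]
    nested = set()  # (inner zone, outer zone, interface), one entry per pair
    for z1, i1, n1 in nets:
        for z2, i2, n2 in nets:
            if z1 != z2 and i1 == i2 and n1 != n2 and n1.subnet_of(n2):
                nested.add((z1, z2, i1))
    for z1, z2, i1 in sorted(nested):
        problems.append(f"zone {z1!r} is nested inside {z2!r} on {i1}; it needs its own policies/rules")
    return problems

if __name__ == "__main__":
    for p in lint(ZONES, INTERFACES, HOSTS) or ["clean"]:
        print(p)
```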
On Thursday, 28.07.2005, 14:07 -0500, Jerry Vonau wrote:
> I'd suggest you re-read:
> http://www.shorewall.net/Multiple_Zones.html

Thank you. I set up a nested network now, loc with
1. lanut  # untrusted IPs of 192.168.168.0/24
2. wlan   # subnet 192.168.10.0/24 through another NAT router with
          192.168.168.190

> eth0:192.168.168.100-192.168.168.110

I modified to 16 clients, so that it fits to a subnet:
eth0:192.168.168.96/28

> 192.168.10.0/24 is a wireless subnet that is reachable through
> 192.168.168.190?
> You don't have a route for that, or is .190 masq'ing the traffic from
> 192.168.10.0/24?

Yes that is another NAT-Router. For the clients behind that router it
works. But for now I only use the Router-IP to reach a client behind-
So what should the route look like?

masq is now:

ppp0                   192.168.168.0/24
ppp0                   192.168.10.0/24
eth0:192.168.10.0/24   192.168.168.0/24

What I don't understand: How can shorewall know of the subnet
192.168.10.0/24, it only can see the NAT router's IP 192.168.168.190.

I would like to tell shorewall: If eth0 receives for destination
192.168.10.0/24 then routeback on the same interface to local IP
192.168.168.190, because that's the next NAT gateway.

(192.168.168.0/24) --eth0-- [ F W shorewall ] --ppp0 --> {net}
        ||
        VV
(192.168.168.20) (192.168.168.25) ...
{lanut} (192.168.168.96/28)
{wlan}  (192.168.168.190) -- [ other NAT ] -- (192.168.10.0/24)

I have attached my new setup, little bit clearer than the last.

Thanks,
Paolo
> > I'd suggest you re-read:
> > http://www.shorewall.net/Multiple_Zones.html
>
> Thank you. I set up a nested network now, loc with
> 1. lanut  # untrusted IPs of 192.168.168.0/24
> 2. wlan   # subnet 192.168.10.0/24 through another NAT router with
>           192.168.168.190
>
> > eth0:192.168.168.100-192.168.168.110
>
> I modified to 16 clients, so that it fits to a subnet:
> eth0:192.168.168.96/28

Much cleaner...

>
> > 192.168.10.0/24 is a wireless subnet that is reachable through
> > 192.168.168.190?
> > You don't have a route for that, or is .190 masq'ing the traffic from
> > 192.168.10.0/24?
>
> Yes that is another NAT-Router. For the clients behind that router it
> works. But for now I only use the Router-IP to reach a client behind-
> So what should the route look like?
>

If you have this router doing nat, then you don't need to have a route.

> masq is now:
>
> ppp0                   192.168.168.0/24
> ppp0                   192.168.10.0/24
> eth0:192.168.10.0/24   192.168.168.0/24
>
> What I don't understand: How can shorewall know of the subnet
> 192.168.10.0/24, it only can see the NAT router's IP 192.168.168.190.
>

The Shorewall box doesn't "see" anything but .190.
I just needed to know if it was doing nat(masq).

> I would like to tell shorewall: If eth0 receives for destination
> 192.168.10.0/24 then routeback on the same interface to local IP
> 192.168.168.190, because that's the next NAT gateway.
>

You mean port forward from the net, from the local lan, or both to the
second nat router, from there forward to a host on 192.168.10.0/24?
Just need to know what you need to access on 10.0/24.

I'll look at the config files when I get back.

Jerry
On Thursday, 28.07.2005, 17:17 -0500, Jerry Vonau wrote:
> The Shorewall box doesn't "see" anything but .190.
> I just needed to know if it was doing nat(masq).

> You mean port forward from the net, from the local lan, or both to the
> second nat router, from there forward to a host on 192.168.10.0/24?
> Just need to know what you need to access on 10.0/24.

The {wlan} subnet behind the NAT has access to the {net}.
The local LAN anyway.

But if I stand within 192.168.168.0/24 and want to access
192.168.10.0/24, I call my gateway, which is shorewall.
Shorewall should route back on the same interface towards
192.168.168.190, which is the NAT for 192.168.10.0/24.

Any entry in masq?

Paolo
Paolo wrote:
> On Thursday, 28.07.2005, 17:17 -0500, Jerry Vonau wrote:
>
>>The Shorewall box doesn't "see" anything but .190.
>>I just needed to know if it was doing nat(masq).
>
>>You mean port forward from the net, from the local lan, or both to the
>>second nat router, from there forward to a host on 192.168.10.0/24?
>>Just need to know what you need to access on 10.0/24.
>
> The {wlan} subnet behind the NAT has access to the {net}.
> The local LAN anyway.
>
> But if I stand within 192.168.168.0/24 and want to access
> 192.168.10.0/24, I call my gateway, which is shorewall.
> Shorewall should route back on the same interface towards
> 192.168.168.190, which is the NAT for 192.168.10.0/24.
>
> Any entry in masq?
>

This case is covered in the article at
http://shorewall.net/Multiple_Zones.html.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thursday, 28.07.2005, 17:12 -0700, Tom Eastep wrote:
> > But if I stand within 192.168.168.0/24 and want to access
> > 192.168.10.0/24, I call my gateway, which is shorewall.
> > Shorewall should route back on the same interface towards
> > 192.168.168.190, which is the NAT for 192.168.10.0/24.
> > Any entry in masq?

> This case is covered in the article at
> http://shorewall.net/Multiple_Zones.html.

I don't think so. Last night I've read it carefully.
It only says:

Add a route to 192.168.2.0/24 through the Router.
(How to do this?

Set the "routeback" and "newnotsyn" options for eth1 (the local
firewall interface) in /etc/shorewall/interfaces.
(done)

The only example for masq is for one-armed router at the end of the
article, which is a different situation in my opinion.

So at the moment, if I ping to a client behind the second nat router, I
get the error message from an IP of my ISP, that is behind ppp0, which
is the wrong interface.

Paolo
> > This case is covered in the article at
> > http://shorewall.net/Multiple_Zones.html.
>
> I don't think so. Last night I've read it carefully.
> It only says:
>
> Add a route to 192.168.2.0/24 through the Router.
> (How to do this?
>
> Set the "routeback" and "newnotsyn" options for eth1 (the local
> firewall interface) in /etc/shorewall/interfaces.
> (done)
>
> The only example for masq is for one-armed router at the end of the
> article, which is a different situation in my opinion.

Think about it a second, goes in one interface, comes out the same
interface.... "one-armed" just change the addresses in the masq file example.
eth0 192.168.168.0/24

> So at the moment, if I ping to a client behind the second nat router, I
> get the error message from an IP of my ISP, that is behind ppp0, which
> is the wrong interface.
>

The second nat device is treating your lan like your firewall treats the
internet, hides all the addresses behind one ip. To connect to anything
behind that device, you would need to enable port forwarding on it. You
would then need to address the connection to 192.168.168.190. You can't
connect directly to any 192.168.10.0/24 machines, just as nobody on the
internet can connect to your stuff unless there is a dnat rule in the
firewall. If you can disable the nat, and just forward, you can then route
to 192.168.10.0/24 through 192.168.168.190

Jerry
On Friday, 29.07.2005, 07:07 -0500, Jerry Vonau wrote:
> Think about it a second, goes in one interface, comes out the same
> interface.... "one-armed" just change the addresses in the masq file example.
> eth0 192.168.168.0/24

#the example of the one armed router:
#INTERFACE              SUBNET          ADDRESS
eth0:!192.168.1.0/24    192.168.1.0/24

#your idea:
#eth0:192.168.168.0/24  192.168.168.0/24

That sounds like: If you get something for 192.168.168.0/24 send it back
to eth0. A client of that subnet would not contact the gateway to reach
a client of its own subnet.

I think it should be rather:
#eth0:192.168.10.0/24   192.168.168.0/24
?
Anyway: On client 192.168.168.20 I ping 192.168.10.20.
Different subnet -> gateway.
The gateway receives on eth0 for destination 192.168.10.0/24, so routes
it back to eth0.
Is that a broadcast to 192.168.168.0/24?
Can't shorewall route this directly to 192.168.168.190 (NAT-Gateway)?

> The second nat device is treating your lan like your firewall treats the
> internet, hides all the addresses behind one ip. To connect to anything
> behind that device, you would need to enable port forwarding on it. You
> would then need to address the connection to 192.168.168.190. You can't
> connect directly to any 192.168.10.0/24 machines, just as nobody on the
> internet can connect to your stuff unless there is a dnat rule in the
> firewall. If you can disable the nat, and just forward, you can then route
> to 192.168.10.0/24 through 192.168.168.190

Of course, so far I just do ssh to 192.168.168.190 (NAT) and this device
knows about ssh forwarding to a client such as 192.168.10.20

Thanks for your help and time so far, Jerry.
I am still at the beginning of Cisco's Academy :)

Paolo
> > Think about it a second, goes in one interface, comes out the same
> > interface.... "one-armed" just change the addresses in the masq file example.
> > eth0 192.168.168.0/24
>
> #the example of the one armed router:
> #INTERFACE              SUBNET          ADDRESS
> eth0:!192.168.1.0/24    192.168.1.0/24
>
> #your idea:
> #eth0:192.168.168.0/24  192.168.168.0/24
>
> That sounds like: If you get something for 192.168.168.0/24 send it back
> to eth0. A client of that subnet would not contact the gateway to reach
> a client of its own subnet.

Think you just answered your own question. Why are you trying to contact
the gateway? You should be using 192.168.168.190 as the target, not
192.168.10.xxx There is no route to that subnet, and all the traffic from
192.168.10.xxx appears to come from 192.168.168.190 anyway, to any machine
on 192.168.168.0/24....

>
> I think it should be rather:
> #eth0:192.168.10.0/24   192.168.168.0/24
> ?
> Anyway: On client 192.168.168.20 I ping 192.168.10.20.

How do you port forward an icmp packet, with the second nat device? You
can't right?

> Different subnet -> gateway.
> The gateway receives on eth0 for destination 192.168.10.0/24, so routes
> it back to eth0.
> Is that a broadcast to 192.168.168.0/24?

No.

> Can't shorewall route this directly to 192.168.168.190 (NAT-Gateway)?

This is like FAQ2, just a different service. For just one you would need
a dnat rule and a masq rule.

example:

rules
DNAT    loc    loc:192.168.168.190    tcp    22    -    192.168.10.20

masq
eth0    192.168.168.0/24    192.168.168.202    tcp    22

Might do it, I'm not testing this, I think it's a bit silly.

> > The second nat device is treating your lan like your firewall treats the
> > internet, hides all the addresses behind one ip. To connect to anything
> > behind that device, you would need to enable port forwarding on it. You
> > would then need to address the connection to 192.168.168.190. You can't
> > connect directly to any 192.168.10.0/24 machines, just as nobody on the
> > internet can connect to your stuff unless there is a dnat rule in the
> > firewall. If you can disable the nat, and just forward, you can then route
> > to 192.168.10.0/24 through 192.168.168.190
>
> Of course, so far I just do ssh to 192.168.168.190 (NAT) and this device
> knows about ssh forwarding to a client such as 192.168.10.20

So in the end, what are you trying to accomplish? Access to every machine
on 192.168.10.x or just a couple? What services?

> Thanks for your help and time so far, Jerry.
> I am still at the beginning of Cisco's Academy :)

I had better not be doing your homework.....

Jerry