Adam Sharples
2006-Aug-14 18:20 UTC
Problem with detectnets used in conjunction with Gated routing
Hi, I've been struggling for a few days now with a Shorewall firewall installation. I've just upgraded from Shorewall 1.4 on Redhat 9 to Shorewall 3.2.1 on Fedora Core 4 and since the upgrade I'm having problems with routing. I've searched the forums and Googled for similar issues, but have so far drawn a blank. My network setup is slightly unusual, as it is set up in a ferry terminal providing internet access for a ship that connects via wireless. Eth0 is my internet connection and eth1 is the local lan. The ship connects via a wireless bridge to the local lan. The local lan has a subnet of 192.168.17.0/24 and the ship has a subnet of 192.168.33.0/24. The ship has a router onboard that sends routing updates to the firewall via RIPv2, and the firewall runs Gated to process the routing updates. The router / rip setup is required as the ship docks in different ports with similar setups. My problem is as follows: When the ship docks the RIP updates take place and routes are instated to allow the local lan to talk to the ship, and the ship to talk to the internet. The ship is however not able to communicate with any shoreside devices and Shorewall reports FORWARD:REJECT errors with source and destination interface both eth1. If I restart shorewall everything bursts into life and all traffic flows as expected. I suspect that this is because shorewall is not identifying the ship as part of the local network until it is restarted. I'm not sure whether I'm going about this correctly, so any pointers would be very much appreciated. I don't need to impose any restrictions on traffic between the ship and shoreside lan, and my intention was to treat both of these as the 'loc' zone.
From what I've read I don't think I need anything in the 'hosts' file and I have the following in my Zones file:

    ########################################################################
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect
    loc     eth1        detect      detectnets,routeback
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I have also attached shorewall dump information. I've tried removing routeback option and specifying subnets in the hosts file, but neither improved the situation. I hope someone is able to give me some pointers, and will be most grateful as I'm pulling my hair out!

Best Regards,
Adam Sharples
Tom Eastep
2006-Aug-14 18:28 UTC
Re: Problem with detectnets used in conjunction with Gated routing
Adam Sharples wrote:
> I have also attached shorewall dump information. I've tried removing
> routeback option and specifying subnets in the hosts file, but neither
> improved the situation. I hope someone is able to give me some pointers,
> and will be most grateful as I'm pulling my hair out!

Get rid of 'detectnets' on eth1. That option is totally unsuited for use with dynamic routing.

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
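As an added example (not code from the thread or from Shorewall), a small POSIX shell check of why detectnets misbehaves with dynamic routing: it diffs a startup snapshot of the eth1 routes against the current table and reports the prefix that appeared later, and it rewrites the interfaces entry without the option as the reply advises. The route lines and the interfaces entry are constructed samples in the format of `ip route show dev eth1` and of the entry quoted in the question; the next-hop 192.168.17.254 is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# detectnets snapshots the networks routed via an interface when Shorewall
# starts; a route learned later (here 192.168.33.0/24, pushed by the ship's
# RIPv2 router and installed by Gated) is not in that snapshot, so the 'loc'
# zone does not contain the ship until a restart. The check below diffs a
# startup snapshot against the current table and lists the prefixes missing.

# Constructed sample in the format of `ip route show dev eth1` at startup.
STARTUP_ROUTES='192.168.17.0/24 proto kernel scope link src 192.168.17.1'

# Constructed sample of the same table after the ship docked and RIP ran
# (the next hop 192.168.17.254 is an assumed address for the wireless bridge).
CURRENT_ROUTES='192.168.17.0/24 proto kernel scope link src 192.168.17.1
192.168.33.0/24 via 192.168.17.254 proto gated metric 2'

# Constructed sample of the interfaces entry quoted in the question.
INTERFACES_ENTRY='loc eth1 detect detectnets,routeback'

# Destination prefix (first field) of every non-default route, one per line.
route_prefixes() {
    printf '%s\n' "$1" | awk 'NF > 0 && $1 != "default" { print $1 }' | sort -u
}

# Prefixes in the current table that the startup snapshot lacks: traffic
# from these hits FORWARD:REJECT with eth1 as both in and out interface.
stale_detectnets() {
    startup=$(route_prefixes "$1")
    printf '%s\n' "$(route_prefixes "$2")" | while read -r p; do
        printf '%s\n' "$startup" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Rewrite the OPTIONS column without detectnets, as the reply advises;
# Shorewall expects '-' when the column would otherwise be empty.
drop_detectnets() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ","); out = ""
        for (i = 1; i <= n; i++)
            if (o[i] != "detectnets") out = out (out == "" ? "" : ",") o[i]
        if (out == "") out = "-"
        print $1, $2, $3, out
    }'
}

# Stand-alone run: report the stale prefix and the corrected entry.
stale_detectnets "$STARTUP_ROUTES" "$CURRENT_ROUTES"
drop_detectnets "$INTERFACES_ENTRY"
```

Run against the live box by replacing the two samples with the output of `ip route show dev eth1` captured at Shorewall start and now; any prefix it prints is one that needs a restart (or, per the reply, dropping detectnets) to be reachable.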