Giacomo Lancella
2006-Aug-24 22:01 UTC
Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi,

I've this problem: I've two WAN interfaces, each connected to an ISP (net1/eth0 - net2/eth0). After configuring them in the providers file, I try to force the local LAN to use one ISP when using mail.

If I've the option spoofprotect=on and routefilter in the interfaces file for the two WANs, the traffic gets marked and goes out through the correct interface but does not come back. If I disable those options all works well.

Any suggestions?

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Giacomo Lancella wrote:
> Hi,
>
> I've this problem:
>
> I've two WAN interfaces, each connected to an ISP (net1/eth0 - net2/eth0)
>
> After configuring them in the providers file, I try to force the local LAN to use
> one ISP when using mail.
>
> If I've the option spoofprotect=on and routefilter in the interfaces file for
> the two WANs, the traffic gets marked and goes out through the correct interface but does
> not come back. If I disable those options all works well.
>
> Any suggestions?

Disable those options.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
John Andersen
2006-Aug-25 18:07 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
On Thursday 24 August 2006 17:36, Tom Eastep wrote:
> > not come back. If I disable those options all works well.
> >
> > Any suggestions?
>
> Disable those options.

Doctor, it hurts when I do this....

;-)

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Fri, 2006-08-25 at 10:07 -0800, John Andersen wrote:
> On Thursday 24 August 2006 17:36, Tom Eastep wrote:
> > > not come back. If I disable those options all works well.
> > >
> > > Any suggestions?
> >
> > Disable those options.
>
> Doctor, it hurts when I do this....
>
> ;-)

Exactly!

-Tom
Giacomo Lancella
2006-Aug-25 19:23 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

I've already disabled those options, but I was interested to maybe know why it happens! And is it safe to turn off spoof protection?

thx
Giacomo Lancella wrote:
> Hi Tom,
>
> I've already disabled those options, but I was interested to maybe know why it
> happens! And is it safe to turn off spoof protection?
>

Giacomo,

With the minimal information that you sent in your post, I can't tell you anything more. You should be getting 'martian' messages in your log if you have enabled martian logging, but I can't see your log from here.

I don't know what spoofprotect=on is -- it's not a Shorewall option so I haven't a clue what it does or why it would break your setup, but I'm guessing that it sets the same option in /proc that 'routefilter' does.

When 'routefilter' breaks communication, it usually means that traffic is being received on an interface where the source IP address would not be routed out of that interface. One common thing that can cause this is where the user has foolishly connected two or more of his ISP interfaces to the same hub/switch.

-Tom
Giacomo Lancella
2006-Aug-26 09:25 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

The two WAN interfaces of the firewall connect directly to the two interfaces of the ADSL/HDSL routers, so I don't think that the problem is a bad hardware configuration. But I've found this:

-------------
The reason one has to turn off route filtering is to avoid this blockage:

    kernel: martian source XXX from YYY, on dev eth1

where XXX is the IP address of the eth0 interface and YYY is the Internet destination IP of the re-routed packet.

This blockage occurs because the ip fwmark rule that re-routes the packet from going out eth0 to going out eth1 doesn't fix the source address - the packet still looks like it should be coming from eth0 even though it is being sent out eth1, and the kernel doesn't like that. (Only packets with sources on the eth1 network should be leaving on eth1?)

Turning off route filtering seems like the wrong thing to do here; it's covering up the symptom instead of fixing the problem. Ideally, there should be a way to set the source address so that the marked and re-routed packets have the source address of their new output interface - eth1.

Adding a NAT rule does fix the outgoing address, e.g.

    # iptables -t nat -A POSTROUTING -m mark --mark 500 \
        -j SNAT --to-source $EXTIP

where EXTIP is the IP address of the eth1 interface; but, it doesn't stop the kernel from complaining about the martian addresses. (I guess that the martian check is done before the NAT is applied?)
-------------

So, is there a better fix for the martian address problem than simply disabling the check for martian addresses? Is there a way for the marked packets to have their source address set so that the kernel doesn't see them as martian on the eth1 interface?

thx
On Sat, 2006-08-26 at 11:25 +0200, Giacomo Lancella wrote:
>
> Adding a NAT rule does fix the outgoing address, e.g.
>
>     # iptables -t nat -A POSTROUTING -m mark --mark 500 \
>         -j SNAT --to-source $EXTIP
>
> where EXTIP is the IP address of the eth1 interface; but, it doesn't
> stop the kernel from complaining about the martian addresses. (I guess
> that the martian check is done before the NAT is applied?)
> -------------
>
> So, is there a better fix for the martian address problem than simply
> disabling the check for martian addresses? Is there a way for the
> marked packets to have their source address set so that the kernel
> doesn't see them as martian on the eth1 interface?

To my knowledge, no one has seen this problem when using the masq rules described on the Multi-ISP page that are designed to avoid this problem.

-Tom
Giacomo Lancella
2006-Aug-26 20:54 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi,

I've added this to the masq file (I had missed this entry in my masq file, as stated in the multi-ISP configuration example hosted on the shorewall website!), but it did not solve the problem!

I've tcpdumped the transaction from an internal PC that, with this

    2:P     172.16.33.0/24  0.0.0.0/0       tcp     25,110  # MAIL VIA HDSL

in the tcrules config file, should go out through the HDSL line. The connection goes out from the correct ISP but cannot come back.

    tcpdump -vv -i eth1 tcp port 25
    tcpdump: listening on eth1
    22:41:24.565904 host4-220-static.35-85-b.business.telecomitalia.it.1444 > mail.tin.it.smtp: S [tcp sum ok] 4081621080:4081621080(0) win 16384 (DF) (ttl 127, id 3892, len 48)
    22:41:24.579728 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: S [tcp sum ok] 2752920413:2752920413(0) ack 4081621081 win 24820 (DF) (ttl 53, id 62317, len 48)
    22:41:27.521209 host4-220-static.35-85-b.business.telecomitalia.it.1444 > mail.tin.it.smtp: S [tcp sum ok] 4081621080:4081621080(0) win 16384 (DF) (ttl 127, id 3921, len 48)
    22:41:27.534859 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: . [tcp sum ok] 1:1(0) ack 1 win 24820 (DF) (ttl 53, id 62318, len 40)
    22:41:27.944573 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: S [tcp sum ok] 2752920413:2752920413(0) ack 4081621081 win 24820 (DF) (ttl 53, id 62319, len 48)
    22:41:30.743852 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1436: S [tcp sum ok] 2736521499:2736521499(0) ack 3117450766 win 24820 (DF) (ttl 53, id 47299, len 48)
    22:41:34.579127 host4-220-static.35-85-b.business.telecomitalia.it.1444 > mail.tin.it.smtp: S [tcp sum ok] 4081621080:4081621080(0) win 16384 (DF) (ttl 127, id 3989, len 48)
    22:41:34.593491 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: . [tcp sum ok] 1:1(0) ack 1 win 24820 (DF) (ttl 53, id 62320, len 40)
    22:41:34.693925 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: S [tcp sum ok] 2752920413:2752920413(0) ack 4081621081 win 24820 (DF) (ttl 53, id 62321, len 48)
    22:41:48.192888 mail.tin.it.smtp > host4-220-static.35-85-b.business.telecomitalia.it.1444: S [tcp sum ok] 2752920413:2752920413(0) ack 4081621081 win 24820 (DF) (ttl 53, id 62322, len 48)
Giacomo Lancella
2006-Aug-26 21:36 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi,

Enabling martian log, it gives this:

    cat /var/log/syslog
    Aug 26 23:21:11 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:11 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:21:14 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:14 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:21:15 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:15 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:21:21 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:21 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:21:22 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:22 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:21:35 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:35 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:22:02 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:22:02 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    Aug 26 23:22:56 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:22:56 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00

Strange, it seems that the private LAN is not masqueraded when I connect to a port that in tcrules is marked to go out with the HDSL table?!? I must be doing something wrong!

This is my masq file:

    ###############################################################################
    #INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
    eth0            85.35.220.4     85.35.219.18
    eth1            85.35.219.18    85.35.220.4
    eth0            eth3            85.35.219.18
    eth1            eth3            85.35.220.4
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Jerry Vonau
2006-Aug-26 22:17 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Giacomo Lancella wrote:
> Hi,
>
> enabling martian log, it gives this:
>
> cat /var/log/syslog
>
> Aug 26 23:21:11 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:11 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:21:14 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:14 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:21:15 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:15 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:21:21 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:21 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:21:22 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:22 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:21:35 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:35 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:22:02 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:22:02 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
> Aug 26 23:22:56 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:22:56 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
>
> Strange, it seems that the private LAN is not masqueraded when I connect to a port
> that in tcrules is marked to go out with the HDSL table?!? I must be doing
> something wrong!
>
> This is my masq file:
>

Yes...

> ###############################################################################
> #INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0            85.35.220.4     85.35.219.18
> eth1            85.35.219.18    85.35.220.4
> eth0            eth3            85.35.219.18
> eth1            eth3            85.35.220.4
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>

Where does 172.16.33.13 live? Just a guess, on eth2? Can't really tell without a "dump". From your other post, that is defined as "dmz eth2" in the interfaces file, right? 172.16.0.0 are rfc1918 reserved, right? Then you need to masq/snat them; try adding:

    eth0    eth2    85.35.219.18
    eth1    eth2    85.35.220.4

Jerry
Giacomo Lancella
2006-Aug-26 22:28 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Jerry,

Nope, the host 172.16.33.13/24 is on the LAN interface eth3.

If you need more info, let me know!

This is my setup:

providers:

    #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
    ADSL    1       1       main            eth0            85.35.219.17    track           eth2,eth3
    HDSL    2       2       main            eth1            85.35.220.2     track           eth2,eth3
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

zones:

    #ZONE   TYPE            OPTIONS         IN              OUT
    #                                       OPTIONS         OPTIONS
    fw      firewall
    net1    ipv4
    net2    ipv4
    dmz     ipv4
    loc     ipv4
    vpn1    ipv4
    vpn2    ipv4
    vpn3    ipv4
    knock   ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

interfaces:

    #ZONE   INTERFACE       BROADCAST       OPTIONS
    net1    eth0            detect          routeback,norfc1918,blacklist
    net2    eth1            detect          routeback,norfc1918,blacklist
    dmz     eth2            detect          blacklist
    loc     eth3            detect          blacklist
    vpn1    tun0            detect
    vpn2    tun1            detect
    vpn3    tun2            detect
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

route_rules:

    #SOURCE         DEST                    PROVIDER        PRIORITY
    172.16.33.211   -                       HDSL            1000
    172.16.33.82    192.168.11.82           HDSL            1000
    172.16.33.13    192.168.11.252          HDSL            1000
    172.16.33.11    192.168.0.0/24          HDSL            1000
    172.16.33.11    192.168.11.0/24         HDSL            1000
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq:

    ###############################################################################
    #INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
    eth0            eth3            85.35.219.18
    eth1            eth3            85.35.220.4
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

started: (here I add the routing entries that previously were added by the openvpn config file, but since they are cleared when I restart shorewall I've put them here)

    ###############################################################################
    ip route add 192.168.11.0/24 dev tun0 table ADSL
    ip route add 192.168.0.0/24 dev tun0 table ADSL
    ip route add 192.168.11.0/24 dev tun1 table HDSL
    ip route add 192.168.0.0/24 dev tun1 table HDSL
    # Default routes
    ip route add 192.168.11.0/24 dev tun0
    ip route add 192.168.0.0/24 dev tun0
    ip route add 10.9.0.0/24 dev tun0
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

--------------------------------------

Where does 172.16.33.13 live? Just a guess, on eth2? Can't really tell without a "dump". From your other post, that is defined as "dmz eth2" in the interfaces file, right? 172.16.0.0 are rfc1918 reserved, right? Then you need to masq/snat them; try adding:

    eth0    eth2    85.35.219.18
    eth1    eth2    85.35.220.4

Jerry
Giacomo Lancella wrote:
> Hi Jerry,
>
> Nope, the host 172.16.33.13/24 is on the LAN interface eth3.
>
> If you need more info, let me know!
>
> This is my setup:
>

Giacomo,

Please read my post from earlier in the week about how to submit a problem report.

WE DON'T WANT TO SEE YOUR %$#@ FILES AGAIN

-Tom
Giacomo Lancella
2006-Aug-26 23:14 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

Sorry, but I've read about the proper way of asking questions only now! I've attached the shorewall dump file and the syslog messages.

I cannot connect from an internal LAN host 172.16.33.13/24 on interface eth3 out of interface eth1 (net1) and back in. I've marked the connection (to port 25,110) in tcrules; from the syslog messages it seems that the connection is not masqed. You can find also all the shorewall config files in the previous post if you ever need them.

ciao
Giacomo Lancella wrote:
> Hi Tom,
>
> Sorry, but I've read about the proper way of asking questions only now! I've
> attached the shorewall dump file and the syslog messages.
>
> I cannot connect from an internal LAN host 172.16.33.13/24 on interface eth3 out
> of interface eth1 (net1)

eth1 is 'net2'. So which is it? eth1 or net1?

-Tom
Giacomo Lancella
2006-Aug-27 00:04 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

Sorry, I mistyped :-[ ! It's eth1 (net2).
Giacomo Lancella wrote:
> Hi Tom,
>
> Sorry, I mistyped :-[ ! It's eth1 (net2).
>

I don't see anything that you can change. We've seen this before -- some kernels insist on using the main routing table for martian detection, so if you don't specify 'balance' for an interface (so it doesn't appear in the main table's default route), then you get martian problems on that interface.

-Tom
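The reverse-path check Tom describes (the kernel looking up the packet's source in the main table and comparing the result with the arrival interface) can be reproduced offline. This is an added example, not code from the thread or from Shorewall: a POSIX sh/awk simulation run against a constructed main routing table built from the addresses in the thread; the prefix lengths of the two WAN subnets are assumed, since the thread never states them. It also parses the kernel's "martian source" line in the order the kernel actually prints it (first address is the destination, second is the source).

```shell
#!/bin/sh
# Simulation of the strict reverse-path check (rp_filter, Shorewall 'routefilter')
# that produced the "martian source" lines in the thread. The kernel looks up the
# packet's SOURCE address in the main routing table and drops the packet when the
# matching route does not point out the interface the packet arrived on.
#
# The kernel message is printed as
#   martian source <DESTINATION> from <SOURCE>, on dev <INTERFACE>
# so 172.16.33.13 in the log line below is the post-NAT destination, not the source.

# Constructed main routing table in 'ip route show' format. Addresses are the ones
# from the thread; the /30 and /24 prefix lengths are ASSUMED (not stated there).
# Without 'balance', only the ADSL provider (eth0) carries the default route.
MAIN_TABLE_NO_BALANCE='default via 85.35.219.17 dev eth0
85.35.219.16/30 dev eth0
85.35.220.0/30 dev eth1
172.16.33.0/24 dev eth3'

# Same table plus a route to the mail server that points out eth1, so the reverse
# lookup for its replies matches the interface they arrive on.
MAIN_TABLE_REVERSE_OK="$MAIN_TABLE_NO_BALANCE
62.211.72.20 via 85.35.220.2 dev eth1"

# Constructed copy of one line from the thread's syslog.
LOG='Aug 26 23:21:11 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1'

# parse_martian LINE -> "dst=<ip> src=<ip> dev=<if>" (empty if LINE is not a martian line)
parse_martian() {
    printf '%s\n' "$1" | sed -n \
        's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([A-Za-z0-9]*\).*/dst=\1 src=\2 dev=\3/p'
}

# reverse_path_dev TABLE IP -> device of the longest-prefix route in TABLE matching IP
reverse_path_dev() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    function ip2int(s,  a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # Compare the top plen bits of two addresses; division instead of bit
    # operators keeps this portable to any POSIX awk.
    function prefix_match(x, y, plen,  d) {
        if (plen == 0) return 1
        d = 2 ^ (32 - plen)
        return int(x / d) == int(y / d)
    }
    BEGIN { best = -1; bestdev = "" }
    {
        net = $1; plen = 32
        if (net == "default") { net = "0.0.0.0"; plen = 0 }
        else if (split(net, p, "/") == 2) { net = p[1]; plen = p[2] }
        dev = ""
        for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        if (prefix_match(ip2int(ip), ip2int(net), plen) && plen > best) {
            best = plen; bestdev = dev
        }
    }
    END { print bestdev }'
}

# martian_check TABLE LINE -> "PASS" or "MARTIAN (...)" for the packet in LINE
martian_check() {
    fields=$(parse_martian "$2")
    if [ -z "$fields" ]; then
        echo "not a martian line"
        return 0
    fi
    src=${fields#*src=}; src=${src%% *}
    indev=${fields#*dev=}
    want=$(reverse_path_dev "$1" "$src")
    if [ "$want" = "$indev" ]; then
        echo PASS
    else
        echo "MARTIAN (reverse route for $src via $want, packet arrived on $indev)"
    fi
}

parse_martian "$LOG"
martian_check "$MAIN_TABLE_NO_BALANCE" "$LOG"   # the case logged in the thread
martian_check "$MAIN_TABLE_REVERSE_OK" "$LOG"   # passes once eth1 is the reverse route
```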
Giacomo Lancella
2006-Aug-27 10:24 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

OK, if I put the balance option in the providers config file, now the internal host is able to go out from the eth1 interface and come back, and no martian log is registered.

Just for curiosity, why without the balance option does the martian log show like the remote source pretends to come back to a non-masqed private IP, like shown here:

    ------
    Aug 26 23:21:11 fw-dreamar kernel: martian source 172.16.33.13 from 62.211.72.20, on dev eth1
    Aug 26 23:21:11 fw-dreamar kernel: ll header: 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00
    ------

As I stated in the previous posts, one of my WAN lines is non-flat (you pay for the traffic you send). If I put balance on the ISP to be used and balance=2 on the non-flat line, does the traffic from the LAN just use the first line, and then I reroute traffic with tcrules/route_rules when I want to? Or are both lines balanced and thus used without my control?

The last thing I've to decide is where to put these routing entries:

    #Add default routes for the two OpenVPN tunnels to the two ISP table:
    ip route add 192.168.11.0/24 dev tun0 table ADSL
    ip route add 192.168.0.0/24 dev tun0 table ADSL
    ip route add 192.168.11.0/24 dev tun1 table HDSL
    ip route add 192.168.0.0/24 dev tun1 table HDSL
    # Add OpenVPN default routes to the main table
    ip route add 192.168.11.0/24 dev tun0
    ip route add 192.168.0.0/24 dev tun0
    ip route add 10.9.0.0/24 dev tun0

Because each time I restart shorewall the two extra routing tables get cleared, I cannot put them during openvpn init. So I've put them in the started config file of shorewall (even if every time I restart shorewall it gives me "RTNETLINK answers: FILE exists", because shorewall added them during startup! Can someone give a hint on how to add those entries only if they are not already there? Maybe with a little script?). Maybe a "static_routes" config file in shorewall would be nice!

That's all, thanks.
On Sun, 2006-08-27 at 12:24 +0200, Giacomo Lancella wrote:
> Just for curiosity, why without the balance option does the martian log
> show like the remote source pretends to come back to a non-masqed
> private IP, like shown here:
> Aug 26 23:21:11 fw-dreamar kernel: martian source 172.16.33.13 from
> 62.211.72.20, on dev eth1
> Aug 26 23:21:11 fw-dreamar kernel: ll header:
> 00:50:04:0c:1a:15:00:a0:f9:06:bc:a5:08:00

I just realized that you have been mis-reading these (admittedly confusing) messages; 172.16.33.13 is the *destination* IP address (the packet has already undergone NAT).

> As I stated in the previous posts, one of my WAN lines is non-flat (you
> pay for the traffic you send). If I put balance on the ISP to be used
> and balance=2 on the non-flat line, does the traffic from the LAN just
> use the first line, and then I reroute traffic with tcrules/route_rules
> when I want to? Or are both lines balanced and thus used without my
> control?

You have complete control.

>
> The last thing I've to decide is where to put these routing entries:
>
> #Add default routes for the two OpenVPN tunnels to the two ISP table:
> ip route add 192.168.11.0/24 dev tun0 table ADSL
> ip route add 192.168.0.0/24 dev tun0 table ADSL
> ip route add 192.168.11.0/24 dev tun1 table HDSL
> ip route add 192.168.0.0/24 dev tun1 table HDSL
> # Add OpenVPN default routes to the main table
> ip route add 192.168.11.0/24 dev tun0
> ip route add 192.168.0.0/24 dev tun0
> ip route add 10.9.0.0/24 dev tun0
>
> Because each time I restart shorewall the two extra routing tables
> get cleared, I cannot put them during openvpn init. So I've put them
> in the started config file of shorewall (even if every time I restart
> shorewall it gives me "RTNETLINK answers: FILE exists", because
> shorewall added them during startup! Can someone give a hint on how to
> add those entries only if they are not already there? Maybe with a
> little script?). Maybe a "static_routes" config file in shorewall
> would be nice!

I gave you the solution to that problem -- if you choose to ignore my advice then please stop asking. There is absolutely no reason to put those OpenVPN routes in the secondary tables if you just add a couple of routing rules. OpenVPN was the primary reason that I added routing rules!

-Tom
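On Giacomo's side question of adding the routes only when they are not already there (the "RTNETLINK answers: File exists" noise on restart): an added example, not from the thread or from Shorewall, of an idempotent helper that could be called from the 'started' extension script. It assumes the provider names ADSL and HDSL are usable as table names (i.e. they appear in /etc/iproute2/rt_tables); list_routes and add_route wrap the two ip commands so the decision logic can be exercised without touching the kernel.

```shell
#!/bin/sh
# Idempotent "ip route add" for a Shorewall 'started' script: a route is added
# only when no entry with the same prefix AND device exists in the target table,
# so re-running the script after a restart is silent instead of failing with
# "RTNETLINK answers: File exists".
# Assumption (not from the thread): ADSL and HDSL resolve as routing table
# names, i.e. they are listed in /etc/iproute2/rt_tables.

# list_routes TABLE -> the table's routes, one per line, in 'ip route show' format.
# Separate function so it can be replaced by a fake when testing.
list_routes() {
    ip route show table "$1"
}

# add_route PREFIX DEV TABLE -> performs the actual kernel change.
add_route() {
    ip route add "$1" dev "$2" table "$3"
}

# route_present PREFIX DEV TABLE -> exit 0 if TABLE already holds PREFIX on DEV,
# 1 otherwise. Matching on the device too means the same prefix via the other
# tunnel (tun1 in table HDSL vs tun0 in table ADSL) is not mistaken for it.
route_present() {
    list_routes "$3" | awk -v want="$1" -v dev="$2" '
        $1 == want {
            for (i = 1; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit !found }'
}

# ensure_route PREFIX DEV [TABLE] -> adds the route if missing and reports the
# decision, so the Shorewall startup output shows what was done.
ensure_route() {
    prefix=$1; dev=$2; table=${3:-main}
    if route_present "$prefix" "$dev" "$table"; then
        echo "present: $prefix dev $dev table $table"
    else
        add_route "$prefix" "$dev" "$table" &&
            echo "added: $prefix dev $dev table $table"
    fi
}

# The routes from the thread, applied idempotently. This is what the body of
# the 'started' file would reduce to.
apply_vpn_routes() {
    ensure_route 192.168.11.0/24 tun0 ADSL
    ensure_route 192.168.0.0/24  tun0 ADSL
    ensure_route 192.168.11.0/24 tun1 HDSL
    ensure_route 192.168.0.0/24  tun1 HDSL
    ensure_route 192.168.11.0/24 tun0
    ensure_route 192.168.0.0/24  tun0
    ensure_route 10.9.0.0/24     tun0
}

# Only touch the live routing tables when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_vpn_routes
fi
```

Run it as `sh started-routes.sh --apply` (or source it from the started file and call apply_vpn_routes) to install the routes on a live firewall.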
Giacomo Lancella
2006-Aug-27 18:24 UTC
Re: Shorewall 3.2.2 - Problem with tcrules in bering 3.x
Hi Tom,

I'm here to try to solve some issues and learn some good stuff, and I take note of all the replies to my questions. So I'm not ignoring anything.

I'm not a shorewall expert, and maybe I'm missing something, but adding an entry in the route_rules to route VPN traffic through the main routing table sounds confusing to me, and I'll explain you why. But don't be nervous if I say something stupid ;-)

I run two VPN gateway tunnels:

                  ------HDSL--------
    BERING(A)     |                |     BERING(B)
                  ------ADSL--------

    LAN = 172.16.33.0/24 on BERING(A)
    LAN = 192.168.11.0/24 on BERING(B)

What I do is that the LAN on BERING(A) uses the VPN tunnel on the ADSL line to reach the LAN on BERING(B) and vice versa. The VPN tunnel on the HDSL line is used only by some services and for special scope, because the upstream of that line is superior, all managed by tcrules entries.

As soon as my BERING(A) starts up (the same on the other), the main routing table does not contain an entry to be able to reach the remote LAN. The communication is only available from bering<->bering (remote endpoint). So the first thing I do is to add on both bering boxes the routes to the remote subnet using the started config file:

On BERING(A):

    ip route add 192.168.11.0/24 dev tun0

On BERING(B):

    ip route add 172.16.33.0/24 dev tun0

In this way the communication LAN<->LAN works perfectly.

So if I add, as you said, the two entries in the route_rules table, to route through the main table without adding the remote LAN subnet route to it, the firewall does not know how to reach the destination. Or not?

Again, I then add these routes also to the started config file:

    ip route add 192.168.11.0/24 dev tun0 table ADSL
    ip route add 192.168.0.0/24 dev tun0 table ADSL
    ip route add 192.168.11.0/24 dev tun1 table HDSL
    ip route add 192.168.0.0/24 dev tun1 table HDSL

because using route_rules/tcrules, I can move some traffic between the two remote LANs on the HDSL line.

So, the VPN traffic flows per default through the DSL line using the routes in the main table (I've added them in the started config file) and then I use route_rules/tcrules to pass some traffic between remote LANs on the other ISP.

These entries:

    #SOURCE         DEST                    PROVIDER        PRIORITY
    -               192.168.11.0/24         main            1000
    -               192.168.0.0/24          main            1000
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

without adding first default routes to remote LANs, either using the openvpn config file (through "up ./default.routes") or using, as I do, the started config file of shorewall, would just tell the system to look in the main table to find a way but without finding it.

And I suppose that if I've a route to the remote LANs in the main table on both firewalls, I do not need to add an ip rule for the "default traffic", but just use them to filter the default route and use the other ISP using entries in extra tables.

I repeat, this is my knowledge and I don't pretend to be right! So the purpose of these mails is to be sure that I'm using the best method and not doing stupid things :-) .

Thanks.
Giacomo Lancella wrote:

<pages of stuff snipped>

My recommendation to you is to not use Shorewall Multi-ISP support but to manage routing yourself.

-Tom
Tom Eastep wrote:
> Giacomo Lancella wrote:
>
> <pages of stuff snipped>
>
> My recommendation to you is to not use Shorewall Multi-ISP support but
> to manage routing yourself.
>

At some point, I may create a routing companion product to Shorewall that can be configured/started/stopped/restarted independent of Shorewall. That is what I should have done in the first place because firewall rules and routing should be able to be manipulated separately; the current integration of the two into one product prevents that. The only reason that I released multi-ISP in its current form is that I was quitting the project at the time and I wanted to release the code I had been working on.

-Tom