Hello all,
I am trying to understand how I would manage traffic using the new 
4.0 changes.
I have configured a bridge in my net interface and on that bridge is my 
DMZ. I have two other machines on the DMZ, and one of these machines 
happens to be an Asterisk server and the other a mail server.
My goal using the bridge was originally to manage the bandwidth being 
sent over the bridge and centralize my firewall configuration.  So what 
I have right now looks like this.
            net0--/
                      |----------------br-net_dmz ------lan0
            dmz0--\
                         \
                          \--------- asterisk
                            \---------- mail
So my goal was to use the dmz0 interface as my controlling interface for 
the bandwidth.
What happens with the configuration I have right now is that the tcrules 
complain that dmz0 is down. That is not actually true; it just does not 
have an IP address.
Does the traffic controlling in shorewall require an address to control 
the bandwidth?
Secondly I thought that I could actually do rules between the interfaces 
over the bridge.
Basically I wanted to control net0 to dmz0 and I thought this was 
possible, but it seems that it doesn't work.
I do get some blocking at dmz0 but I am not sure why. I seem to only be 
blocking on some things but it should be blocking on everything based on 
my config right now.
I actually have my policy setup like this:

Policy
SOURCE   DEST    POLICY   LOG
lan      all     ACCEPT
vpn      all     ACCEPT
dmz      net     ACCEPT
fw       all     ACCEPT
net      dmz     DROP     $LOG
world    dmz     DROP     $LOG
net      all     DROP     $LOG
all      all     REJECT   $LOG
Interfaces
ZONE     INTERFACE          BROADCAST   OPTIONS
world    br-wan_dmz         detect      bridge,routefilter,dhcp,blacklist,routeback
net      br-wan_dmz:net0                # nothing allowed here
dmz      br-wan_dmz:dmz0                # nothing allowed here
lan      lan0               detect      dhcp,blacklist,routeback
vpn      tun+               detect      routeback
Is it possible to do what I want? Will I need to use ebtables to get what I am
looking for?
Thanks, and if any logs are needed please let me know.
-- 		    
Philip S. Hempel
Cell: 574-261-2878
Phone: 317-324-1108
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
Philip S. Hempel wrote:
> Hello all,
> I am trying to understand how would I manage traffic going using the new
> 4.0 changes.

I forgot to mention I am using shorewall perl

Thanks again
-- 
Philip S. Hempel
Cell: 574-261-2878
Phone: 317-324-1108
Philip S. Hempel wrote:
> What happens with the configuration I have right now is the tcrules
> complain that dmz0 is down, that is not actually true, it just does not
> have an IP address.
> Does the traffic controlling in shorewall require an address to control
> the bandwidth?

The attached patch should correct that problem.

> Secondly I thought that I could actually do rules between the interfaces
> over the bridge.
> Basically I wanted to control net0 to dmz0 and I thought this was
> possible but it seems that it doesn't work.
>
> I do get some blocking at dmz0 but I am not sure why. I seem to only be
> blocking on some things but it should be blocking on everything based on
> my config right now.

There is nothing that I can do with that problem statement. It doesn't
contain enough information to let us even understand the problem, let alone
solve it.

What we need is:

a) The output of "shorewall dump" collected as described at
http://www.shorewall.net/support.htm#Guidelines.

b) A *concise* statement of what you tried, what you expected to happen and
what you actually observed happening.

> I actually have my policy setup like this
<folded copy of config files deleted>
> Is it possible to do what I want?

Should be.

> Will I need to use ebtables to get what I am looking for?

I wouldn't think so. But we'll need a more complete problem report to solve
your problem.

-Tom
-- 
Tom Eastep                 \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                  \ http://shorewall.net
Washington USA              \ teastep@shorewall.net
PGP Public Key              \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Philip S. Hempel wrote:
>
>> What happens with the configuration I have right now is the tcrules
>> complain that dmz0 is down, that is not actually true, it just does not
>> have an IP address.
>> Does the traffic controlling in shorewall require an address to control
>> the bandwidth?
>
> The attached patch should correct that problem.
>
>> Secondly I thought that I could actually do rules between the interfaces
>> over the bridge.
>> Basically I wanted to control net0 to dmz0 and I thought this was
>> possible but it seems that it doesn't work.
>>
>> I do get some blocking at dmz0 but I am not sure why. I seem to only be
>> blocking on some things but it should be blocking on everything based on
>> my config right now.
>
> There is nothing that I can do with that problem statement. It doesn't
> contain enough information to let us even understand the problem, let alone
> solve it.
>
> What we need is:
>
> a) The output of "shorewall dump" collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

Sorry about that, got a little ahead of myself.

> b) A *concise* statement of what you tried, what you expected to happen and
> what you actually observed happening.

I get these errors as well in my syslog when restarting shorewall:

"physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
chains for non-bridged traffic is not supported anymore."

OK, I just did not expect the SIP connections and others that the Asterisk
server initiates from behind the DMZ were going to be allowed back in.
I was expecting that when I started the Asterisk server I would not see
the connections being allowed back in from the VoIP provider, but they are.

In fact, without the rules for allowing the SIP or IAX ports I cannot make a
connection to the server behind the DMZ with any VoIP clients from the net.
So everything is working as expected in respect to net initiated connections.

And with the patch that was given to me by Tom, I actually have full control
over the bandwidth from the DMZ as well. This is great!

Thanks for the help.
-- 
Philip S. Hempel
Cell: 574-261-2878
Phone: 317-324-1108
Philip S. Hempel wrote:
> I get these errors as well in my syslog when restarting shorewall
>
> "physdev match: using --physdev-out in the OUTPUT, FORWARD and
> POSTROUTING chains for non-bridged traffic is not supported anymore."

That issue is addressed in Shorewall FAQ 64
(http://www.shorewall.net/FAQ.htm#faq64).

> OK, I just I did not expect the sip connections and others that the
> asterisk server initiates from behind the dmz were going to be allowed
> back in.
> I was expecting that when I started the asterisk server I would not see
> the connections being allowed back in from the voip provider, but they are.

What do you mean by "allowed back in"? Do you mean response traffic? Or do
you mean related connections? The former are admitted by the fact that
Shorewall configures a stateful firewall; the latter are permitted by the
SIP conntrack module which Shorewall loads by default.

> In fact without the rules for allowing the sip or iax ports I cannot
> make a connection to the server behind the dmz with any voip clients
> from the net.
> So everything is working as expected in respect to net initiated
> connections.
>
> And with the patch that was given to me by Tom, I actually have full
> control over the bandwidth from the dmz as well. This is great!
>
> Thanks for the help.

So at this point, do you still have a problem that needs solving? It's
unclear from your post.

-Tom
-- 
Tom Eastep                 \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                  \ http://shorewall.net
Washington USA              \ teastep@shorewall.net
PGP Public Key              \ https://lists.shorewall.net/teastep.pgp.key
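As an added illustration of Tom's point about response traffic (example code written for this thread, not Shorewall's own logic), here is a small Python model that applies the policy table Philip posted with Shorewall's first-match semantics and admits replies to already-tracked connections before the policy is consulted. Zone names, policies and port-to-zone mapping come from the thread; the packets and the tun0 name are constructed, and the RELATED traffic that the SIP conntrack helper admits is not modelled.

```python
# Added example, not from the thread: a toy model of stateful evaluation
# against the posted Shorewall policy table.

# Policy table exactly as posted (SOURCE, DEST, POLICY). Order matters:
# Shorewall applies the first line whose SOURCE and DEST match.
POLICY = [
    ("lan",   "all", "ACCEPT"),
    ("vpn",   "all", "ACCEPT"),
    ("dmz",   "net", "ACCEPT"),
    ("fw",    "all", "ACCEPT"),
    ("net",   "dmz", "DROP"),
    ("world", "dmz", "DROP"),
    ("net",   "all", "DROP"),
    ("all",   "all", "REJECT"),
]

# Bridge port / interface -> zone, from the posted interfaces file.
# "tun0" is a constructed instance of the "tun+" wildcard.
ZONE_OF = {"net0": "net", "dmz0": "dmz", "lan0": "lan", "tun0": "vpn"}


def policy_for(src_zone, dst_zone):
    """First-match lookup of the policy that applies to a NEW connection."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"  # unreachable while the all/all line is present


def evaluate(packet, conntrack):
    """Decide a packet's fate.

    conntrack is a set of (initiator_zone, responder_zone, responder_port)
    entries for connections already accepted. A packet travelling the other
    way on a tracked connection is ESTABLISHED and is accepted before any
    policy is consulted; that is why the Asterisk box's outbound SIP traffic
    gets its answers back even though net -> dmz is DROP for new connections.
    """
    src_zone = ZONE_OF[packet["in"]]
    dst_zone = ZONE_OF[packet["out"]]
    reply_of = (dst_zone, src_zone, packet["sport"])
    if reply_of in conntrack:
        return "ACCEPT (ESTABLISHED)"
    action = policy_for(src_zone, dst_zone)
    if action == "ACCEPT":
        conntrack.add((src_zone, dst_zone, packet["dport"]))
    return action
```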