Hi,

I've been trying for one week to test a new firewall, but it does not work. Neither can the DMZ servers access the Internet, nor can my servers be accessed from the Internet.

My network has three NICs: eth0 - net, eth1 - loc, eth2 - dmz.

Net has public IP: 87.88.110.182/255.255.255.252 gw 87.88.110.181
Loc has private IP: 31.212.11.88/255.255.255.192
Dmz has public IP: 192.168.0.130/255.255.255.0

My provider routes the DMZ public IP through the net public IP.

Please, can anybody help me? I have read and searched a lot, but I can't find any solution.

Thanks a lot for your help.

My config files are (I don't use nat, masq, dnat, snat, proxyarp, ... Do I need this?):

ZONES
    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4

INTERFACES
    net     eth0    87.88.110.183   tcpflags,dhcp,routefilter,nosmurfs,logmartians
    loc     eth1    192.168.0.255   tcpflags,nosmurfs
    dmz     eth2    31.212.11.127

POLICY
    loc     net     ACCEPT  info
    loc     dmz     ACCEPT  info
    loc     $FW     ACCEPT  info
    loc     all     REJECT  info
    $FW     net     ACCEPT  info
    $FW     dmz     ACCEPT  info
    $FW     loc     ACCEPT  info
    $FW     all     REJECT  info
    dmz     net     ACCEPT  info
    dmz     $FW     ACCEPT  info
    dmz     loc     REJECT  info
    dmz     all     REJECT  info
    net     dmz     DROP    info
    net     $FW     DROP    info
    net     loc     DROP    info
    net     all     ACCEPT  info
    all     all     REJECT  info

RULES (only one, for example)
    ACCEPT  net     dmz:31.212.11.119   tcp     80

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Hi,

If I'm not wrong, you must use NAT. So, try to put these lines in the MASQ file:

    eth0    eth1
    eth0    eth2

And in your rules file:

    DNAT    net     dmz:31.212.11.119   tcp     80

[ ]'s

On Tue, May 27, 2008 at 7:14 AM, Support - Cetemmsa <support@cetemmsa.es> wrote:
> Hi,
>
> I've been trying for one week to test a new firewall, but it does not work.
> Neither can the DMZ servers access the Internet, nor can my servers be
> accessed from the Internet.
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Bruno Ayub.
bruno.ayub@gmail.com
Support - Cetemmsa wrote:
> Hi,
>
> I've been trying for one week to test a new firewall, but it does not work.
>
> Neither can the DMZ servers access the Internet, nor can my servers be
> accessed from the Internet.
>
> My network has three NICs: eth0 - net, eth1 - loc, eth2 - dmz.
>
> Net has public IP: 87.88.110.182/255.255.255.252 gw 87.88.110.181
> Loc has private IP: 31.212.11.88/255.255.255.192

That isn't a 'private' network.

> Dmz has public IP: 192.168.0.130/255.255.255.0

And that isn't public. Or did you switch those?

> My provider routes the DMZ public IP through the net public IP.
>
> Please, can anybody help me? I have read and searched a lot, but I can't
> find any solution.

Please submit a complete problem report as described at http://www.shorewall.net/support.htm. Your configuration files show what you think your configuration should look like; a 'shorewall dump', collected as described at that URL, will tell us what it actually looks like.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Support - Cetemmsa wrote:
> My network has three NICs: eth0 - net, eth1 - loc, eth2 - dmz.
>
> INTERFACES
>     net     eth0    87.88.110.183   tcpflags,dhcp,routefilter,nosmurfs,logmartians
>     loc     eth1    192.168.0.255   tcpflags,nosmurfs
>     dmz     eth2    31.212.11.127
>
>     dmz     $FW     ACCEPT  info

That is a very poor policy! If your servers are hacked, the attacker has direct access to your firewall!

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
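Tom's objection to "dmz $FW ACCEPT", as an added example (not from the thread or from the Shorewall project): a small Python linter that parses the POLICY table Toni posted, resolves the effective policy for a zone pair using Shorewall's first-match order, and flags zones that should not be trusted (net and dmz, an assumption of this example) whose policy towards the firewall itself is ACCEPT.

```python
"""Lint a Shorewall POLICY table for untrusted-zone -> $FW ACCEPT policies.

Added example, not code from the thread or from Shorewall. The table below
is a copy of the POLICY lines Toni posted, used here as sample input.
Shorewall evaluates POLICY entries top to bottom and the first matching
line wins; 'all' matches any zone.
"""
import re
from dataclasses import dataclass

# Sample input: the POLICY table from the thread.
SAMPLE_POLICY = """
loc     net     ACCEPT  info
loc     dmz     ACCEPT  info
loc     $FW     ACCEPT  info
loc     all     REJECT  info
$FW     net     ACCEPT  info
$FW     dmz     ACCEPT  info
$FW     loc     ACCEPT  info
$FW     all     REJECT  info
dmz     net     ACCEPT  info
dmz     $FW     ACCEPT  info
dmz     loc     REJECT  info
dmz     all     REJECT  info
net     dmz     DROP    info
net     $FW     DROP    info
net     loc     DROP    info
net     all     ACCEPT  info
all     all     REJECT  info
"""

# Zones treated as untrusted by this check (assumption of the example):
# anything reachable from the Internet or hosting exposed services.
UNTRUSTED = {"net", "dmz"}


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log: str = ""


def parse_policy(text):
    """Parse POLICY lines of the form: SOURCE DEST POLICY [LOG-LEVEL]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        log = fields[3] if len(fields) > 3 else ""
        entries.append(Policy(fields[0], fields[1], fields[2].upper(), log))
    return entries


def effective_policy(entries, source, dest):
    """First matching entry wins; 'all' is a wildcard for either column."""
    for p in entries:
        if p.source in (source, "all") and p.dest in (dest, "all"):
            return p
    return None


def lint_firewall_access(entries, zones=("net", "loc", "dmz")):
    """Flag untrusted zones whose effective policy towards $FW is ACCEPT."""
    findings = []
    for zone in zones:
        p = effective_policy(entries, zone, "$FW")
        if zone in UNTRUSTED and p is not None and p.action == "ACCEPT":
            findings.append((zone, "$FW", p.action))
    return findings


def harden(entries):
    """Turn offending ACCEPT policies into REJECT.

    Any service the DMZ really needs from the firewall (DNS, NTP, ...) then
    has to be opened explicitly in the rules file instead of by policy.
    """
    fixed = []
    for p in entries:
        if p.source in UNTRUSTED and p.dest == "$FW" and p.action == "ACCEPT":
            p = Policy(p.source, p.dest, "REJECT", p.log)
        fixed.append(p)
    return fixed


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for src, dst, act in lint_firewall_access(policy):
        print(f"poor policy: {src} -> {dst} {act}")
    for p in harden(policy):
        print(f"{p.source:8}{p.dest:8}{p.action:8}{p.log}")
```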
Bruno Ayub wrote:
> Hi,
>
> If I'm not wrong, you must use NAT. So, try to put these lines in the MASQ file:
>
>     eth0    eth1
>     eth0    eth2

Only the first entry needs to be there. The DMZ has public IP addresses that are routed through the public IP address on eth0.

> And in your rules file:
>
>     DNAT    net     dmz:31.212.11.119   tcp     80

No!

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Right! This DMZ has a public IP, sorry! So the firewall must have IP_FORWARDING=On in /etc/shorewall.conf. Is this true? And that rule was right: ACCEPT instead of DNAT...

[ ]'s

On Tue, May 27, 2008 at 11:03 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Only the first entry needs to be there. The DMZ has public IP addresses
> that are routed through the public IP address on eth0.

--
Bruno Ayub.
bruno.ayub@gmail.com
Sorry, you must switch the nets :-(

Net has public IP: 87.88.110.182/255.255.255.252 gw 87.88.110.181
Dmz has public IP: 31.212.11.88/255.255.255.192
Loc has private IP: 192.168.0.130/255.255.255.0

I attach the dump.txt.

Thanks a lot

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 15:52
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> That isn't a 'private' network.
> And that isn't public. Or did you switch those?
Toni wrote:
> Sorry,
>
> You must switch the nets :-(
>
> Net has public IP: 87.88.110.182/255.255.255.252 gw 87.88.110.181
> Dmz has public IP: 31.212.11.88/255.255.255.192
> Loc has private IP: 192.168.0.130/255.255.255.0
>
> I attach the dump.txt.

Shorewall wasn't started when that dump was taken!

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Hi,

IP_FORWARDING is On. I tried this masq file and it doesn't work:

MASQ
    eth0    eth1
    eth0    eth2

In another answer I attached the dump.txt file in case it helps you.

Thanks a lot

Toni

From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Bruno Ayub
Sent: Tuesday, 27 May 2008 16:11
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> Right! This DMZ has a public IP, sorry! So the firewall must have
> IP_FORWARDING=On in /etc/shorewall.conf. Is this true? And that rule was
> right: ACCEPT instead of DNAT...
Sorry, please, I'm very nervous. This is a big problem for me.

Thanks a lot for your patience.

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 16:20
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> Shorewall wasn't started when that dump was taken!
Toni wrote:
> Sorry, please, I'm very nervous. This is a big problem for me.
>
> Thanks a lot for your patience.

Your DMZ systems should have complete access to the internet (and the internet should have complete access to your DMZ systems) when Shorewall is not running. If your DMZ systems cannot access the internet after "shorewall clear", then you have a problem that doesn't involve Shorewall at all.

So I suggest that you:

a) 'shorewall clear'

b) Try to access the internet from one of the systems in the DMZ.

c) If that doesn't work then:

   1) Does the DMZ system have 31.212.11.88 as its default gateway? It should have!

   2) If the default gateway is correct, then I suggest looking at eth2 with tcpdump or wireshark when you try to access the internet. Do you see the traffic?

   3) If you see the traffic on eth2 then look at eth0; do you see the traffic there?

   4) If you see traffic going out on eth0 but no traffic coming back in, then there is an apparent routing problem at your ISP.

   5) If you do see traffic coming back in, then check to be sure that it has the proper destination link level (MAC) address.

Let us know what you find out.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
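Steps 3 to 5 of Tom's procedure, as an added example (not part of the thread): Python that reads lines captured with "tcpdump -e -n" on eth0 while a DMZ host tries to reach the Internet, and classifies what it sees. The capture lines, the firewall's eth0 MAC 00:16:3e:00:00:01 and the remote address 203.0.113.10 are constructed for the example; the DMZ subnet 31.212.11.64/26 follows from the thread's 31.212.11.88/255.255.255.192.

```python
"""Classify a tcpdump -e -n capture taken on the firewall's net interface.

Added example, not from the thread. It checks, in Tom's order: does the DMZ
host's outbound traffic reach eth0 at all, does anything come back, and does
the returning frame carry the firewall's own eth0 MAC as destination.
"""
import ipaddress
import re

FW_ETH0_MAC = "00:16:3e:00:00:01"                  # assumed firewall eth0 MAC
DMZ_NET = ipaddress.ip_network("31.212.11.64/26")  # DMZ subnet from the thread

# Constructed capture: SYN out from the DMZ host, SYN/ACK back to our MAC.
CAPTURE_OK = """\
10:01:02.000001 00:16:3e:00:00:01 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 31.212.11.119.40000 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
10:01:02.010000 00:1a:2b:3c:4d:5e > 00:16:3e:00:00:01, ethertype IPv4 (0x0800), length 74: 203.0.113.10.80 > 31.212.11.119.40000: Flags [S.], seq 2, ack 2, win 5792, length 0
"""

# Constructed capture: the reply is addressed to some other MAC on the link.
CAPTURE_WRONG_MAC = """\
10:01:02.000001 00:16:3e:00:00:01 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 31.212.11.119.40000 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
10:01:02.010000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 203.0.113.10.80 > 31.212.11.119.40000: Flags [S.], seq 2, ack 2, win 5792, length 0
"""

# tcpdump -e -n line: "<time> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <sip>.<port> > <dip>.<port>: ..."
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def parse_capture(text):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for each IPv4 frame; skip the rest."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((m["smac"].lower(), m["dmac"].lower(),
                           ipaddress.ip_address(m["sip"]),
                           ipaddress.ip_address(m["dip"])))
    return frames


def diagnose(capture_text, fw_mac=FW_ETH0_MAC, dmz=DMZ_NET):
    """Map a capture on eth0 to the outcome of Tom's steps 3, 4 and 5."""
    frames = parse_capture(capture_text)
    outbound = [f for f in frames if f[2] in dmz]
    if not outbound:
        return "no_outbound_on_eth0"        # step 3: DMZ traffic never reached eth0
    inbound = [f for f in frames if f[3] in dmz]
    if not inbound:
        return "no_return_traffic"          # step 4: apparent routing problem at the ISP
    if any(f[1] != fw_mac.lower() for f in inbound):
        return "return_has_wrong_dst_mac"   # step 5: reply is not addressed to us
    return "ok"


if __name__ == "__main__":
    print(diagnose(CAPTURE_OK))         # ok
    print(diagnose(CAPTURE_WRONG_MAC))  # return_has_wrong_dst_mac
```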
Thanks a lot Tom.

I tried this.

The dmz gateway is correct. After shorewall clear the dmz cannot access the internet and the internet cannot access the dmz.

But the problem must be in shorewall because the old iptables script works.

It is difficult for me to try tcpdump because the system is live and I would stop all Internet service for my customers.

I think that the error is the dmz with public address because I tried another configuration with a private IP range and it works fine.

With the dmz public address, don't I use nat, masq, dnat, snat and proxy arp?

Thanks a lot

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 16:39
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> If your DMZ systems cannot access the internet after "shorewall clear",
> then you have a problem that doesn't involve Shorewall at all.
Toni wrote:
> Thanks a lot Tom.
>
> I tried this.
>
> The dmz gateway is correct. After shorewall clear the dmz cannot access the
> internet and the internet cannot access the dmz.
>
> But the problem must be in shorewall because the old iptables script works.

Then there is something that you are not telling us. Because if your ISP is routing the public addresses through the IP address of eth0 then it MUST work when Shorewall isn't there. If it doesn't work, then I don't know how I can help you because your configuration cannot be like you say it is. The way that you describe your system, the DMZ is just routed and requires no NAT or proxy ARP at all.

> It is difficult for me to try tcpdump because the system is live and I
> would stop all Internet service for my customers.
>
> I think that the error is the dmz with public address because I tried
> another configuration with a private IP range and it works fine.

It could not have worked fine from the private network without masq.

> With the dmz public address, don't I use nat, masq, dnat, snat and proxy arp?

Again, you must use masq for the private network. Did you use DNAT, NAT or Proxy ARP in your old configuration?

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Again, you must use masq for the private network. Did you use DNAT, NAT
> or Proxy ARP in your old configuration?

One thing that might be helpful would be to send us the output of "shorewall dump" taken after your old iptables script has run (the working configuration).

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Toni wrote:
> I think that the error is the dmz with public address because I tried
> another configuration with a private IP range and it works fine.

Are you sure of those addresses? They appear to be reserved:

> #whois 31.212.11.88
>
> OrgName:    Internet Assigned Numbers Authority
> OrgID:      IANA
> Address:    4676 Admiralty Way, Suite 330
> City:       Marina del Rey
> StateProv:  CA
> PostalCode: 90292-6695
> Country:    US
>
> NetRange:   31.0.0.0 - 31.255.255.255
> CIDR:       31.0.0.0/8
> NetName:    RESERVED-31
> NetHandle:  NET-31-0-0-0-1
> Parent:
> NetType:    IANA Reserved
> Comment:
> RegDate:
> Updated:    2002-09-12
Hi, you are right.

I changed the real IP address in all of the files, but I'm sure that the change is in all of the files, so as not to mislead you.

Sorry.

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Simon Hobson
Sent: Tuesday, 27 May 2008 17:48
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> Are you sure of those addresses? They appear to be reserved:
Toni wrote:
> Hi, you are right.
>
> I changed the real IP address in all of the files, but I'm sure that the
> change is in all of the files, so as not to mislead you.
>
> Sorry.

Again, it would be useful to see "shorewall dump" output when the firewall is working properly with your old iptables script.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Thanks a lot for your help.

I attach my actual firewall script. I erased a lot of lines to simplify it. This is a functional example file.

Sorry for all.

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 17:35
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> One thing that might be helpful would be to send us the output of
> "shorewall dump" taken after your old iptables script has run (the
> working configuration).
Toni wrote:
> Thanks a lot for your help.
>
> I attach my actual firewall script. I erased a lot of lines to simplify it.
> This is a functional example file.
>
> Sorry for all.

I'm also sorry because I don't have the time to look at and understand your script. I can look at the output of "shorewall dump" and tell immediately what the script is doing; looking at your script would take me hours.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Toni wrote:
>> Thanks a lot for your help.
>>
>> I attach my actual firewall script. I erased a lot of lines to simplify
>> it. This is a functional example file.
>>
>> Sorry for all.
>
> I'm also sorry because I don't have the time to look at and understand
> your script. I can look at the output of "shorewall dump" and tell
> immediately what the script is doing; looking at your script would take
> me hours.

I _can_ tell you though that your script is turning on Proxy ARP on all interfaces. So you might try adding the 'proxy_arp' option to all of the interfaces in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I _can_ tell you though that your script is turning on Proxy ARP on all
> interfaces. So you might try adding the 'proxy_arp' option to all of the
> interfaces in /etc/shorewall/interfaces.

Sorry -- the option is 'proxyarp', not 'proxy_arp'.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom

I attach the new dump. I tried your last recommendation and IT WORKS!!!!!

But I don't know the reason :-(

Thanks a lot.

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 18:05
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> Again, it would be useful to see "shorewall dump" output when the firewall
> is working properly with your old iptables script.
Toni wrote:
> Hi Tom
>
> I attach the new dump. I tried your last recommendation and IT WORKS!!!!!
>
> But I don't know the reason :-(

It means that your ISP is _not_ routing your private network through the IP address of eth0 but is rather assuming that the private network is directly accessible. Setting the 'proxyarp' flag on eth0 and eth2 makes the firewall respond to ARP requests on each of those interfaces for IP addresses routed out of the other interface.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Tom, Bruno and Simon,

if someday you come to Spain, you have a beer!!!!

Thanks a lot

Toni

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 27 May 2008 18:56
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with my shorewall firewall

> Setting the 'proxyarp' flag on eth0 and eth2 makes the firewall respond to
> ARP requests on each of those interfaces for IP addresses routed out of the
> other interface.
Toni wrote:
> Tom, Bruno and Simon,
>
> if someday you come to Spain, you have a beer!!!!

Thanks, Toni.

One final note. I wrote:

> It means that your ISP is _not_ routing your private network through the IP
> address of eth0 but is rather assuming that the private network is directly
> accessible.

'private' should be 'public' (the public network in your DMZ). Given that this setup works without any masquerading, it appears that your ISP is routing your 'private' network (192.168.x.x) through the IP of eth0 and is doing NAT on your behalf.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
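Tom's explanation of what 'proxyarp' on eth0 and eth2 makes the firewall do, together with his closing note about the ISP, modelled as an added example (not from the thread or from Shorewall itself): a Python model of the firewall's route lookup and proxy-ARP reply decision using the thread's addresses after Toni's correction. The DMZ host 31.212.11.119 is taken from Toni's sample rule, and the reply logic mirrors Linux proxy_arp behaviour, which Shorewall's 'proxyarp' interface option enables through /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

```python
"""Why 'proxyarp' on eth0 and eth2 made Toni's DMZ reachable.

Added example, not code from the thread or from Shorewall. The firewall
answers an ARP request arriving on a proxy-ARP interface for any target IP
whose route leaves through a *different* interface; neighbours then send
frames for that target to the firewall's MAC and the firewall forwards them.
"""
import ipaddress

# Firewall interfaces as described in the thread (after the correction).
INTERFACES = {
    "eth0": ipaddress.ip_interface("87.88.110.182/30"),   # net, gw 87.88.110.181
    "eth1": ipaddress.ip_interface("192.168.0.130/24"),   # loc, private
    "eth2": ipaddress.ip_interface("31.212.11.88/26"),    # dmz, public
}
DEFAULT_GW = ipaddress.ip_address("87.88.110.181")

# Routing table: connected routes plus a default route via eth0.
ROUTES = [(iface.network, name) for name, iface in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "eth0"))


def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface name."""
    dst = ipaddress.ip_address(str(dst))
    matches = [r for r in ROUTES if dst in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def answers_arp(received_on, target_ip, proxyarp=frozenset({"eth0", "eth2"})):
    """Would the firewall reply to 'who-has target_ip' seen on received_on?

    It always answers for its own addresses. With proxy ARP enabled on the
    receiving interface it also answers when the route to the target leaves
    through another interface. `proxyarp` is the set of interfaces carrying
    the Shorewall 'proxyarp' option (Tom's fix: eth0 and eth2).
    """
    target = ipaddress.ip_address(str(target_ip))
    if any(target == iface.ip for iface in INTERFACES.values()):
        return True
    if received_on not in proxyarp:
        return False
    return egress_interface(target) != received_on


def isp_can_deliver(dmz_host, isp_routes_via_fw, proxyarp):
    """Can the ISP router on the eth0 link hand the firewall a packet for dmz_host?

    If the ISP routes the DMZ block via 87.88.110.182 (what Toni believed), it
    ARPs for the firewall's own address and no proxy ARP is needed. If it
    instead treats the block as on-link (the situation Tom inferred from the
    working dump), it ARPs for the DMZ host itself, which only the firewall
    with proxy ARP on eth0 will answer.
    """
    arp_target = INTERFACES["eth0"].ip if isp_routes_via_fw else dmz_host
    return answers_arp("eth0", arp_target, proxyarp)


if __name__ == "__main__":
    host = "31.212.11.119"
    for routed, pa in ((True, frozenset()), (False, frozenset()),
                       (False, frozenset({"eth0", "eth2"}))):
        print(f"routed_via_fw={routed} proxyarp={sorted(pa)} -> "
              f"{isp_can_deliver(host, routed, pa)}")
```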
Cheers! :-)

On Wed, May 28, 2008 at 12:55 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Thanks, Toni.
>
> One final note. I wrote:
>
>> It means that your ISP is _not_ routing your private network through the
>> IP address of eth0 but is rather assuming that the private network is
>> directly accessible.
>
> 'private' should be 'public' (the public network in your DMZ). Given that
> this setup works without any masquerading, it appears that your ISP is
> routing your 'private' network (192.168.x.x) through the IP of eth0 and is
> doing NAT on your behalf.

--
Bruno Ayub.
bruno.ayub@gmail.com