Hi all

I have a fw with 5 zones:

eth0: green - the inside
eth1: blue - wifi
eth2: orang - dmz
eth3: red - internet....

Traffic from green to red and orange works, traffic from orang to red
just disappears (THE PROBLEM). Blue to red works like a charm, orang to
green works with DNAT. So now I wonder what the screwup is....

I can ssh to machines in the DMZ, but can't ping anything except other
machines in the DMZ. No traffic from the net to the DMZ as all replies
are eaten by the FW.

Shorewall trace is attached.

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:44:ba:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
    inet6 fe80::215:17ff:fe44:ba0c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:44:ba:0d brd ff:ff:ff:ff:ff:ff
    inet 10.11.12.65/29 brd 10.11.12.71 scope global eth1
    inet6 fe80::215:17ff:fe44:ba0d/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:44:ba:0e brd ff:ff:ff:ff:ff:ff
    inet 83.140.35.233/29 brd 83.140.35.239 scope global eth2
    inet6 fe80::215:17ff:fe44:ba0e/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:44:ba:0f brd ff:ff:ff:ff:ff:ff
    inet 83.140.35.230/29 brd 83.140.35.231 scope global eth3
    inet6 fe80::215:17ff:fe44:ba0f/64 scope link
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:30:48:91:46:46 brd ff:ff:ff:ff:ff:ff
    inet 10.167.31.169/29 brd 10.167.31.175 scope global eth4
    inet6 fe80::230:48ff:fe91:4646/64 scope link
       valid_lft forever preferred_lft forever
7: eth5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:30:48:91:46:47 brd ff:ff:ff:ff:ff:ff
    inet 10.8.8.89/29 brd 10.8.8.95 scope global eth5
9: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 8e:f7:73:f8:08:dc brd ff:ff:ff:ff:ff:f

/sbin/shorewall version 4.0.13

ip route show
10.8.8.88/29 dev eth5 proto kernel scope link src 10.8.8.89
10.11.12.64/29 dev eth1 proto kernel scope link src 10.11.12.65
10.167.31.168/29 dev eth4 proto kernel scope link src 10.167.31.169
83.140.35.232/29 dev eth2 proto kernel scope link src 83.140.35.233
83.140.35.224/29 dev eth3 proto kernel scope link src 83.140.35.230
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.1
169.254.0.0/16 dev eth5 scope link
default via 83.140.35.225 dev eth3

--
To think before you speak is like wiping your arse before you take a dump!
- A. Anka.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Leif Bergman wrote:
> Hi all
>
> I have a fw with 5 zones:
>
> eth0: green - the inside
> eth1: blue - wifi
> eth2: orang - dmz
> eth3: red - internet....
>
> Traffic from green to red and orange works, traffic from orang to red
> just disappears (THE PROBLEM).

Do the systems in the DMZ have the proper default gateway defined?

-Tom
--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
On Sun, Oct 12, 2008 at 7:09 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Leif Bergman wrote:
> > Hi all
> >
> > I have a fw with 5 zones:
> >
> > eth0: green - the inside
> > eth1: blue - wifi
> > eth2: orang - dmz
> > eth3: red - internet....
> >
> > Traffic from green to red and orange works, traffic from orang to red
> > just disappears (THE PROBLEM).
>
> Do the systems in the DMZ have the proper default gateway defined?
>
> -Tom

They have the fw's dmz interface as gw:

]# ip route show
83.140.35.232/29 dev eth0 proto kernel scope link src 83.140.35.234
169.254.0.0/16 dev eth0 scope link
default via 83.140.35.233 dev eth0

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Leif Bergman wrote:
> On Sun, Oct 12, 2008 at 7:09 PM, Tom Eastep <teastep@shorewall.net> wrote:
> > Leif Bergman wrote:
> > > Hi all
> > >
> > > I have a fw with 5 zones:
> > >
> > > eth0: green - the inside
> > > eth1: blue - wifi
> > > eth2: orang - dmz
> > > eth3: red - internet....
> > >
> > > Traffic from green to red and orange works, traffic from orang to red
> > > just disappears (THE PROBLEM).
> >
> > Do the systems in the DMZ have the proper default gateway defined?
> >
> > -Tom
>
> They have the fw's dmz interface as gw:
>
> ]# ip route show
> 83.140.35.232/29 dev eth0 proto kernel scope link src 83.140.35.234
> 169.254.0.0/16 dev eth0 scope link
> default via 83.140.35.233 dev eth0

Then we're going to need to see the output of 'shorewall dump' collected
as described at http://www.shorewall.net/support.htm

-Tom
On Tue, Oct 14, 2008 at 3:15 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Leif Bergman wrote:
> > On Sun, Oct 12, 2008 at 7:09 PM, Tom Eastep <teastep@shorewall.net> wrote:
> > > Leif Bergman wrote:
> > > > Hi all
> > > >
> > > > I have a fw with 5 zones:
> > > >
> > > > eth0: green - the inside
> > > > eth1: blue - wifi
> > > > eth2: orang - dmz
> > > > eth3: red - internet....
> > > >
> > > > Traffic from green to red and orange works, traffic from orang to red
> > > > just disappears (THE PROBLEM).
> > >
> > > Do the systems in the DMZ have the proper default gateway defined?
> > >
> > > -Tom
> >
> > They have the fw's dmz interface as gw:
> >
> > ]# ip route show
> > 83.140.35.232/29 dev eth0 proto kernel scope link src 83.140.35.234
> > 169.254.0.0/16 dev eth0 scope link
> > default via 83.140.35.233 dev eth0
>
> Then we're going to need to see the output of 'shorewall dump' collected
> as described at http://www.shorewall.net/support.htm
>
> -Tom

Hope you find something useful....
Leif Bergman wrote:
> Hope you find something useful....

Unless the upstream router is routing 83.140.35.232/29 via
83.140.35.230, you need to use proxy arp. You can either add entries for
each system in orange to the /etc/shorewall/proxyarp file or you can set
proxyarp=1 on eth3 in /etc/shorewall/interfaces.

-Tom
Tom Eastep wrote:
> Leif Bergman wrote:
>
> > Hope you find something useful....
>
> Unless the upstream router is routing 83.140.35.232/29 via
> 83.140.35.230, you need to use proxy arp. You can either add entries for
> each system in orange to the /etc/shorewall/proxyarp file or you can set
> proxyarp=1 on eth3 in /etc/shorewall/interfaces.

The first method is slightly preferred because when you use the second,
an attacker in the same broadcast domain can map your internal networks
using ARP. Not a big deal, I grant you, but why make things any easier?

-Tom
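The two alternatives Tom describes, written out as an added configuration example (it is not part of the thread and not taken from Shorewall's own files): the interface-wide proxyarp=1 option beside the per-host /etc/shorewall/proxyarp entries he prefers. The zone names and interfaces follow the original post, and 83.140.35.234 is the DMZ host whose routing table appears earlier in the thread; any further DMZ hosts would each get their own line.

```text
# --- Option 1: interface-wide proxy ARP (the less preferred form) ---
# /etc/shorewall/interfaces
# With proxyarp=1 the kernel answers ARP on eth3 for any address the
# firewall routes out another interface, so a host on the red segment
# can probe ARP to learn which internal addresses exist.
#ZONE   INTERFACE   BROADCAST   OPTIONS
red     eth3        detect      proxyarp=1
orang   eth2        detect
green   eth0        detect
blue    eth1        detect

# --- Option 2: per-host proxy ARP (the preferred form) ---
# /etc/shorewall/interfaces (no proxyarp option on eth3)
#ZONE   INTERFACE   BROADCAST   OPTIONS
red     eth3        detect
orang   eth2        detect
green   eth0        detect
blue    eth1        detect

# /etc/shorewall/proxyarp
# The firewall answers ARP on eth3 only for the addresses listed here.
# HAVEROUTE=No lets Shorewall add the host route to the DMZ interface;
# one line per DMZ host (only 83.140.35.234 is known from the thread).
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
83.140.35.234   eth2        eth3       No
```

Only one of the two options is used at a time; after either change, `shorewall restart` and a check of `ip neigh show proxy` (option 2) or `/proc/sys/net/ipv4/conf/eth3/proxy_arp` (option 1) on the firewall confirm what it will now answer for.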
On Fri, Oct 17, 2008 at 4:48 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> > Leif Bergman wrote:
> >
> > > Hope you find something useful....
> >
> > Unless the upstream router is routing 83.140.35.232/29 via
> > 83.140.35.230, you need to use proxy arp. You can either add entries for
> > each system in orange to the /etc/shorewall/proxyarp file or you can set
> > proxyarp=1 on eth3 in /etc/shorewall/interfaces.
>
> The first method is slightly preferred because when you use the second,
> an attacker in the same broadcast domain can map your internal networks
> using ARP. Not a big deal, I grant you, but why make things any easier?
>
> -Tom

That's what happens when your ISP is bought up by a bigger company. *grrr*
But it works from my "red" test machine. Now I'll just have to get the new
ISP to change to a working config...

Thanks for your effort...