Hi all

I have a firewall host working very well...
I am setting up OpenVPN on this firewall...
My VPN is working in bridge mode.
I have these interfaces:

br0   inet addr:172.168.1.1  Bcast:172.168.1.255  Mask:255.255.255.0
eth0  inet addr:10.1.1.5     Bcast:10.1.1.255     Mask:255.255.255.0
eth2  inet6 addr: fe80::217:9aff:fe7f:c7ec/64 Scope:Link
tap0  inet6 addr: fe80::2ff:31ff:fe46:207d/64 Scope:Link

/etc/network/interfaces is:

# The primary network interface
auto eth0
iface eth0 inet static
    address 10.1.1.5
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    gateway 10.1.1.1

auto br0
iface br0 inet static
    address 172.168.1.1
    netmask 255.255.255.0
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /sbin/ip link set tap0 up
    pre-up /sbin/ip link set eth2 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth2
    pre-up /usr/sbin/brctl addif br0 tap0
    pre-down /usr/sbin/brctl delif br0 eth2
    pre-down /sbin/ip link set eth2 down
    pre-down /usr/sbin/brctl delif br0 tap0
    pre-down /sbin/ip link set tap0 down
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0

Route table:

root@falcon:/etc/shorewall# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.1.1.1        0.0.0.0         UG    100    0        0 eth0

I have this in the shorewall interfaces file:

#loc    eth2
loc     br0     detect  routeback
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians

What is happening is:

When I have the bridge interface up (i.e. br0), my clients inside the
LAN can't surf the web, only via the squid proxy.
The other problem that appears now is that all my DNAT rules don't work any
more. I tried this in the rules file:

DNAT    net     loc:172.168.1.20    tcp     3389
DNAT    net     loc:172.168.1.20    tcp     4899

But it doesn't work...

What can I do?

Thanks...
--
Gilberto Nunes

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Gilberto Nunes wrote:
> Hi all
>
> I have a firewall host working very well...
> I am setting up OpenVPN on this firewall...
> My VPN is working in bridge mode.
> I have these interfaces:
>
> br0   inet addr:172.168.1.1  Bcast:172.168.1.255  Mask:255.255.255.0
> eth0  inet addr:10.1.1.5     Bcast:10.1.1.255     Mask:255.255.255.0
> eth2  inet6 addr: fe80::217:9aff:fe7f:c7ec/64 Scope:Link
> tap0  inet6 addr: fe80::2ff:31ff:fe46:207d/64 Scope:Link
>
> /etc/network/interfaces is:
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
>     address 10.1.1.5
>     network 10.1.1.0
>     netmask 255.255.255.0
>     broadcast 10.1.1.255
>     gateway 10.1.1.1
>
> auto br0
> iface br0 inet static
>     address 172.168.1.1
>     netmask 255.255.255.0
>     pre-up /usr/sbin/openvpn --mktun --dev tap0
>     pre-up /sbin/ip link set tap0 up
>     pre-up /sbin/ip link set eth2 up
>     pre-up /usr/sbin/brctl addbr br0
>     pre-up /usr/sbin/brctl addif br0 eth2
>     pre-up /usr/sbin/brctl addif br0 tap0
>     pre-down /usr/sbin/brctl delif br0 eth2
>     pre-down /sbin/ip link set eth2 down
>     pre-down /usr/sbin/brctl delif br0 tap0
>     pre-down /sbin/ip link set tap0 down
>     post-down /usr/sbin/brctl delbr br0
>     post-down /usr/sbin/openvpn --rmtun --dev tap0
>
> Route table:
>
> root@falcon:/etc/shorewall# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         10.1.1.1        0.0.0.0         UG    100    0        0 eth0
>
> I have this in the shorewall interfaces file:
>
> #loc    eth2
> loc     br0     detect  routeback
> net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians
>
> What is happening is:
>
> When I have the bridge interface up (i.e. br0), my clients inside the
> LAN can't surf the web, only via the squid proxy.
> The other problem that appears now is that all my DNAT rules don't work any
> more. I tried this in the rules file:
>
> DNAT    net     loc:172.168.1.20    tcp     3389
> DNAT    net     loc:172.168.1.20    tcp     4899
>
> But it doesn't work...
>
> What can I do?

Be sure that IP_FORWARDING=On in shorewall.conf.

If that isn't the problem then please submit another problem report as
described at http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
Gilberto Nunes wrote:
> Hi Tom
>
> Thank you for your response...
>
> I checked the shorewall.conf file, and I found this line:
>
> IP_FORWARDING=Keep
>
> Maybe I have to change it to IP_FORWARDING=yes?

I told you to be sure it was set to 'On'. Why would you set it to 'Yes'?
'Yes' is not 'On'!

This Debian-specific issue is clearly documented in the two-interface
QuickStart Guide (http://www.shorewall.net/two-interfaces.htm).

From 'man shorewall.conf' (which is available on the Shorewall website in
case you are still running 3.2.6 which didn't have manpages).

    IP_FORWARDING=[On|Off|Keep]
        This parameter determines whether Shorewall enables or disables
        IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible
        values are:

        On or on
            packet forwarding will be enabled.

        Off or off
            packet forwarding will be disabled.

        Keep or keep
            Shorewall will neither enable nor disable packet forwarding.

        If this variable is not set or is given an empty value
        (IP_FORWARD="") then IP_FORWARD=On is assumed.

-Tom
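As an added example (not from this thread and not Shorewall's own code), the POSIX shell script below models the IP_FORWARDING semantics quoted from 'man shorewall.conf' above and reports whether the kernel will be forwarding, and therefore whether a DNAT rule can deliver anything to a LAN host, after Shorewall starts. The shorewall.conf fragments it writes are constructed for the demo; the assumption that an unlisted value such as 'Yes' aborts startup, and the fallback of 0 for the current sysctl (Debian's default at the time) are mine, not quoted from the documentation.

```shell
#!/bin/sh
# Added example, not part of the thread or of Shorewall itself.
# Models IP_FORWARDING=[On|Off|Keep] from 'man shorewall.conf'.

# effective_ip_forwarding CONF
# Prints what Shorewall will do to /proc/sys/net/ipv4/ip_forward:
# on, off, keep, or invalid. Commented-out lines are ignored, the last
# assignment wins, quotes and whitespace are stripped, and an unset or
# empty value defaults to "on" exactly as the man page says.
effective_ip_forwarding() {
    conf="$1"
    raw=$(grep -E '^[[:space:]]*IP_FORWARDING=' "$conf" 2>/dev/null \
          | tail -n 1 | cut -d= -f2- | tr -d '"' | tr -d "'" | tr -d '[:space:]')
    val=$(printf '%s' "$raw" | tr 'A-Z' 'a-z')
    case "$val" in
        ''|on)  echo on ;;
        off)    echo off ;;
        keep)   echo keep ;;
        *)      echo invalid ;;   # e.g. "Yes": not a documented value
    esac
}

# forwarding_after_start CONF CURRENT
# CURRENT is the value ip_forward holds before Shorewall starts (0 or 1).
# Prints the value it will hold afterwards, or "error" for an invalid
# setting (assumption: Shorewall refuses to start on a bad value).
forwarding_after_start() {
    case "$(effective_ip_forwarding "$1")" in
        on)   echo 1 ;;
        off)  echo 0 ;;
        keep) echo "$2" ;;
        *)    echo error ;;
    esac
}

# dnat_can_work CONF CURRENT
# A DNAT rule only reaches the LAN host if the kernel forwards packets
# between interfaces; without forwarding the rewritten packet is dropped.
dnat_can_work() {
    [ "$(forwarding_after_start "$1" "$2")" = 1 ] && echo yes || echo no
}

# current_ip_forward
# Reads the live sysctl on Linux; elsewhere falls back to 0 (assumed
# Debian default, which is what "Keep" silently preserves).
current_ip_forward() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo 0
    fi
}

# write_sample_configs DIR
# Constructed shorewall.conf fragments: the thread's "Keep", the fix "On",
# the "Yes" the poster proposed, and an empty value.
write_sample_configs() {
    dir="$1"
    printf '%s\n' '# constructed sample, as found in the thread' \
                  'IP_FORWARDING=Keep' 'STARTUP_ENABLED=Yes' > "$dir/keep.conf"
    printf '%s\n' '#IP_FORWARDING=Keep' 'IP_FORWARDING=On'   > "$dir/on.conf"
    printf '%s\n' 'IP_FORWARDING=Yes'                         > "$dir/yes.conf"
    printf '%s\n' '# left empty on purpose' 'IP_FORWARDING=""' > "$dir/empty.conf"
}

# Demo: show each sample against the current (or assumed) sysctl value.
demo() {
    d=$(mktemp -d)
    cur=$(current_ip_forward)
    write_sample_configs "$d"
    for f in keep on yes empty; do
        printf '%-6s setting=%-7s ip_forward_now=%s after_start=%-5s dnat=%s\n' \
            "$f" "$(effective_ip_forwarding "$d/$f.conf")" "$cur" \
            "$(forwarding_after_start "$d/$f.conf" "$cur")" \
            "$(dnat_can_work "$d/$f.conf" "$cur")"
    done
    rm -rf "$d"
}

demo
```

With ip_forward at 0 before start, the "keep" sample leaves it at 0 and DNAT reports "no", which is the failure in the thread: traffic from br0 to net and the DNAT rules both need the kernel to forward, and Keep never turns it on. After changing to On and restarting, `cat /proc/sys/net/ipv4/ip_forward` on the firewall should print 1.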
Gilberto Nunes wrote:
> Wow! Thank you buddy!
>
> I changed IP_FORWARDING to On and it works!
> But, as you say:
>
> "If this variable is not set or is given an empty value (IP_FORWARD="")
> then IP_FORWARD=On is assumed."
>
> I don't know why it did not work properly before I changed the line...
> However, I'm very happy now...

I give up.

-Tom
--- Tom Eastep <teastep@shorewall.net> wrote on Wed, 10.22.2008:

<snip>
> I give up.
>
> -Tom
> --
<snip>

Dear Mr. Eastep,

I cannot thank you enough for the humongous job and the endless effort
you are putting into Shorewall. It's a totally amazing and dependable
product that has its fixed place on all linux machines at work, home, and
wherever I am asked to lend a hand in securing linux machines and networks
for years..
That and all the support for free, what can I say... outstanding.
Thank you again.
Considering the jaded (under)tone in some of your mails, I very much hope
you do not think about "giving up".
Pretty please. Don't.
Thanks also to all the helpful people on the mailing lists.

Sorry for hijacking/spamming the thread. I just felt I had to say this
right here right now.

Cheers and greetings from a happy user and usually invisible lurker.

H.T.

+++ATH$%&&§"&%
Hellmut Tümmler wrote:
>
> Sorry for hijacking/spamming the thread. I just felt I had to say this
> right here right now.
>
> Cheers and greetings from a happy user and usually invisible lurker.

Thanks, Hellmut!

-Tom
Simon Hobson
2008-Oct-23 18:36 UTC
Re: Praise & thanks (Was: Shorewall and Bridge... (taken OT))
> Dear Mr. Eastep,
>
> I cannot thank you enough for the humongous job and the endless
> effort you are putting into Shorewall. It's a totally amazing and
> dependable product that has its fixed place on all linux machines
> at work, home, and wherever I am asked to lend a hand in securing
> linux machines and networks for years..
> That and all the support for free, what can I say... outstanding.
> Thank you again.
> Considering the jaded (under)tone in some of your mails, I very much
> hope you do not think about "giving up".
> Pretty please. Don't.
> Thanks also to all the helpful people on the mailing lists.

I'd like to second that.

I'm on a number of technical lists (trying to 'do my bit' and contribute
as I can) and they are all much the same - a seemingly endless stream of
new users, some of whom clearly haven't read the documentation available
or completely lack the underlying skills (no idea at all about IP
addressing is quite common). I try to chip in when I can, but I lack the
in depth knowledge of the 'inside workings' that Tom has - I manage better
on one or two other lists.

I can quite understand the weary tone of some of Tom's posts - more than
once I've had to restrain myself when answering (yet again) a simple
fundamental question from someone who clearly didn't try and help
themselves first.

So even if it doesn't seem like it at times, there are plenty of us who
appreciate your hard work.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
Tom Eastep
2008-Oct-23 18:51 UTC
Re: Praise & thanks (Was: Shorewall and Bridge... (taken OT))
Simon Hobson wrote:
> I try to chip in when I can

And I truly appreciate your participation.

> So even if it doesn't seem like it at times, there are plenty of us
> who appreciate your hard work.
>

Thanks, Simon.

-Tom
Alan Madill
2008-Oct-24 04:57 UTC
Re: Praise & thanks (Was: Shorewall and Bridge... (taken OT))
Tom Eastep wrote:
> Simon Hobson wrote:
>
>> I try to chip in when I can
>>
>

I'm a lurker and I'm a bit cautious about posting solutions. Not enough
knowledge. I too appreciate Mr Eastep's slightly irascible but prompt
answers to almost every question that is posted. I've learned a lot by
reading this list.

>> So even if it doesn't seem like it at times, there are plenty of us
>> who appreciate your hard work.
>>

Ditto that many times over. Thank you.
randall
2008-Oct-24 05:44 UTC
Re: Praise & thanks (Was: Shorewall and Bridge... (taken OT))
Alan Madill wrote:
> Tom Eastep wrote:
>
>> Simon Hobson wrote:
>>
>>> I try to chip in when I can
>>>
>>
>
> I'm a lurker and I'm a bit cautious about posting solutions. Not enough
> knowledge. I too appreciate Mr Eastep's slightly irascible but prompt
> answers to almost every question that is posted. I've learned a lot by
> reading this list.
>
>>> So even if it doesn't seem like it at times, there are plenty of us
>>> who appreciate your hard work.
>>>
> Ditto that many times over. Thank you.
>

is it shorewall appreciation day?

i'll keep it short ;)

thank you Tom.

greetings,

Randall