Martin Man
2009-May-15 16:11 UTC
Allowing traffic within same zone on multi-subnet interface
Hi list,

I've been struggling with this problem for a long time; hopefully someone can explain to me what I'm doing wrong:

I have a shorewall installation with

interfaces
net eth0
- eth1

hosts
loc 10.0.10.0/24
loc 10.0.20.0/24
+some other zones and subnets

There are aliases on eth1 for gateways for the two loc subnets:

eth1:1 10.0.10.1
eth1:2 10.0.20.1

Everything works fine: the loc zone can go to the net, and net can go to the loc zone.

The problem is that hosts from one subnet in the loc zone cannot access other loc hosts in the second subnet. For example, 10.0.10.100 cannot ping nor access 10.0.20.100. Pinging from 10.0.10.100 to 10.0.10.200 obviously works, as it does not go through shorewall.

I'm able to work around this by defining another loc1 zone and putting 10.0.20.0 into loc1, then defining policy and rules between loc and loc1.

What I'm in fact trying to do is 'routeback' on an interface with multiple zones and multiple subnets. How to do it? Note that defining a new zone for each new subnet is possible, but does not scale very well once the number of subnets increases.

I want to add multiple subnets to the same zone because all hosts from these subnets actually fall under the same rules; they can talk to each other, they are equal. They only need to be in separate subnets because of their geographical location.

thanx for any hints and help, feel free to ask if you need more information,
Martin (very happy shorewall user)...
Tom Eastep
2009-May-15 17:10 UTC
Re: Allowing traffic within same zone on multi-subnet interface
Martin Man wrote:
> thanx for any hints and help, feel free to ask if you need more

Please submit the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

I could ask you a bunch of questions but the dump will answer all of them. You may forward the dump to upload@shorewall.net, if you like.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Martin Man
2009-May-18 12:14 UTC
Re: Allowing traffic within same zone on multi-subnet interface
Hi Tom,

On May 15, 2009, at 19:10, Tom Eastep wrote:
> Martin Man wrote:
>
>> thanx for any hints and help, feel free to ask if you need more
>
> Please submit the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
> I could ask you a bunch of questions but the dump will answer all of
> them. You may forward the dump to upload@shorewall.net, if you like.

Interestingly enough, when I tried to reproduce the problem in my simplified lab, everything worked as expected. I will try to add a few more zones and subnets to each interface to see whether I can reproduce it.

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

thanx,
Martin
Martin Man
2009-May-21 16:25 UTC
Re: Allowing traffic within same zone on multi-subnet interface
Hi again,

For the list archives, I'm replying to myself. I was confused because the 'routeback' option cannot be specified in the interfaces file for multi-zone interfaces, but I had not realized that 'routeback' can be specified in the hosts file. Adding the option to /etc/shorewall/hosts solved my problem...

thanx,
Martin

On May 15, 2009, at 18:11, Martin Man wrote:
> Hi list,
>
> I'm struggling with this problem for a long time, hopefully someone
> can explain me what I'm doing wrong:
>
> I have a shorewall installation with
>
> interfaces
> net eth0
> - eth1
>
> hosts
> loc 10.0.10.0/24
> loc 10.0.20.0/24
> +some other zones and subnets
>
> there are aliases on eth1 for gateways for the two loc subnets
>
> eth1:1 10.0.10.1
> eth1:2 10.0.20.1
>
> Everything works fine, loc zone can go to the net, net can go to the
> loc zone.
>
> The problem is that hosts from one subnet in loc zone can not access
> other loc hosts from the second subnet.
> For example 10.0.10.100 can not ping nor access 10.0.20.100. Pinging
> from 10.0.10.100 to 10.0.10.200 obviously works as it does not go
> through shorewall.
>
> I'm able to workaround this by defining another loc1 zone and
> putting 10.0.20.0 into loc1, then defining policy and rules between
> loc and loc1.
>
> What I'm in fact trying to do is to do 'routeback' on a interface
> with multiple zones and multiple subnets. How to do it? Note that
> defining new zone for each new subnet is possible, but does not
> scale very well once the number of subnets increases.
>
> I want to add multiple subnets to the same zone because all hosts
> from these subnets actually fall under the same rules, they can talk
> to each other, they are equal. They only need to be in separate
> subnets because of their geographical location.
>
> thanx for any hints and help, feel free to ask if you need more
> information,
> Martin (very happy shorewall user)...
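The fix Martin describes, written out as an added example of the two Shorewall files side by side (this is not configuration posted in the thread). Interface and subnet values are the ones from the thread; the column layout assumes the Shorewall 4.x file format, and it assumes no explicit loc-to-loc policy has been defined, so Shorewall's default intra-zone ACCEPT applies once the packets are allowed back out of eth1.

```text
# /etc/shorewall/interfaces
# eth1 carries several zones, so its ZONE column is "-" and the per-zone
# membership (and therefore the routeback option) moves to the hosts file.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       eth1        detect

# /etc/shorewall/hosts  -- BEFORE (the broken state from the first message)
# Both subnets are in loc, but nothing tells Shorewall that traffic may
# leave through the same interface it arrived on, so 10.0.10.0/24 <->
# 10.0.20.0/24 forwarding through eth1 is not accepted.
#ZONE   HOST(S)                 OPTIONS
loc     eth1:10.0.10.0/24
loc     eth1:10.0.20.0/24

# /etc/shorewall/hosts  -- AFTER (the working state from the last message)
# routeback on each hosts entry permits eth1 -> eth1 forwarding for that
# zone member; with the default intra-zone ACCEPT, loc hosts in the two
# subnets can now reach each other. Adding a third subnet is one more line.
#ZONE   HOST(S)                 OPTIONS
loc     eth1:10.0.10.0/24       routeback
loc     eth1:10.0.20.0/24       routeback

# Verify the compiled configuration before reloading, then test across
# subnets from a loc host (10.0.10.100 -> 10.0.20.100 in the thread):
#   shorewall check && shorewall restart
#   ping -c 3 10.0.20.100
```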