Michael Weickel - iQom Business Services GmbH
2009-Nov-21 00:16 UTC
Policy makes trouble once multiple zones are applied
Hi all,

I am running into some curious problems with hosts and interfaces.

My interface vlan3005 has the IP 62.101.100.2/30. I don't have a zone net and no zone fw. One could say my zone v3005 is representing net. I do not have a 0.0.0.0/0 route in the main table, but:

    ip route show table 22
    default via 62.101.100.1 dev vlan3005

    32764: from all iif vlan3005 lookup 22
    32765: from 62.101.100.2 lookup 22

Interfaces
    -       vlan3005    62.101.100.3

Hosts
    v3005   vlan3005:62.101.100.0/30

Rules
    ACCEPT  v3005   fw   tcp   22

Policy
    fw      v3005   ACCEPT

If I now try to "ssh 62.101.100.2" from outside:

    Nov 21 01:15:50 ffmfw01 [ 867.692419] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=109.5.122.3 DST=62.101.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=42964 DF PROTO=TCP SPT=52142 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

And if I try to "ping 109.5.122.3 -I vlan3003":

    ping: sendmsg: Operation not permitted

    Nov 21 01:20:02 ffmfw01 [ 1119.354729] Shorewall:OUTPUT:DROP:IN= OUT=vlan3005 SRC=62.101.100.2 DST=109.5.122.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=46625 SEQ=1

But if I apply the following changes to the above outlined config, everything works well for ping from fw to the internet and for ssh from the internet to fw as well:

Interfaces
    vlan3005    vlan3005    62.101.100.3

Hosts
    #v3005   vlan3005:62.101.100.0/30

I am running Shorewall 3.4.8.

Since I've managed multiple zones a hundred times, and since it really makes no sense to me why it works when multiple zones are switched off with exactly the same policies and rules, I'd appreciate any help on this.

Cheers
Mike
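As an added illustration, not part of Mike's post and not Shorewall's own code: a simplified model of how Shorewall assigns a packet on an interface to a zone from the interfaces and hosts tables quoted above. An interfaces entry whose ZONE column is "-" places no address in a zone by itself; only the hosts entries do, so an address outside the listed networks belongs to no zone, and Shorewall drops such traffic in the interface chain before any zone-to-zone policy is consulted. The model assumes the Shorewall 3.4 column order (ZONE INTERFACE BROADCAST; ZONE HOST(S)), ignores options such as nets=, exclusions and nested zones, and does not establish that this is the cause of the behaviour in the post; it only shows what the two configurations claim.

```python
import ipaddress

# Constructed from the two configurations quoted in the post (assumption:
# Shorewall 3.4 column order ZONE INTERFACE BROADCAST for interfaces and
# ZONE HOST(S) for hosts; nets=, exclusions and nested zones are ignored).
MULTI_ZONE = {
    "interfaces": [("-", "vlan3005")],
    "hosts": [("v3005", "vlan3005:62.101.100.0/30")],
}
SINGLE_ZONE = {
    "interfaces": [("vlan3005", "vlan3005")],
    "hosts": [],
}


def zone_of(config, iface, addr):
    """Return the zone a packet seen on `iface` with peer address `addr`
    belongs to, or None when no zone claims it.

    Simplified model: a hosts entry 'zone iface:network' claims addresses
    inside that network on that interface; an interfaces entry with a real
    zone name claims everything else on the interface; ZONE '-' claims
    nothing."""
    ip = ipaddress.ip_address(addr)
    for zone, spec in config["hosts"]:
        host_iface, _, net = spec.partition(":")
        if host_iface == iface and ip in ipaddress.ip_network(net, strict=False):
            return zone
    for zone, iface_name in config["interfaces"]:
        if iface_name == iface and zone != "-":
            return zone
    return None


def policy_applies(config, iface, addr):
    """True when the packet is in some zone and so reaches rules/policies;
    False when it is unzoned and is dropped in the interface chain instead."""
    return zone_of(config, iface, addr) is not None


if __name__ == "__main__":
    # 62.101.100.1 is the gateway inside the /30; 109.5.122.3 is the remote
    # host from the log lines in the post.
    for name, cfg in (("multi-zone", MULTI_ZONE), ("single-zone", SINGLE_ZONE)):
        for peer in ("62.101.100.1", "109.5.122.3"):
            print(f"{name:12} {peer:14} -> zone {zone_of(cfg, 'vlan3005', peer)}")
```

Under this model the multi-zone configuration places the gateway 62.101.100.1 in v3005 but leaves 109.5.122.3 in no zone, while assigning the whole interface to a zone places every peer in it; checking which zone Shorewall itself assigns is a matter for its own dump output rather than this model.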