Hatim Diab
2010-Apr-15 00:31 UTC
Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall
Hello All,
I've installed the vanilla shorewall F12, I've got it installed on a couple
of other servers with no problems. No matter how I define the zones and
interfaces, shorewall logs and allows, rejects or drops only traffic to
world.
ACCEPT:info net:<myip>/32 $FW icmp
Shorewall:world2fw:REJECT:IN=br0
ACCEPT:info world:<myip>/32 $FW icmp
Shorewall:world2fw:ACCEPT:IN=br0
Cheers
Hatim
cat zones
###############################################################################
#ZONE           TYPE            OPTIONS         IN                      OUT
#                                               OPTIONS                 OPTIONS
fw              firewall
world           ipv4
net:world       bport
loc:world       bport
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
cat interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
world   br0             detect          bridge,logmartians,nosmurfs,norfc1918
net     br0:eth0
loc     br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
cat policy
#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
shorewall version
4.4.8
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether <> brd ff:ff:ff:ff:ff:ff
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether <> brd ff:ff:ff:ff:ff:ff
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:0a:cd:19:d2:56 brd ff:ff:ff:ff:ff:ff
    inet <server IP address>/25 brd <brcast> scope global br0
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever
PS: masked information and real IPs
$ ip route show
<my net> dev br0 proto kernel scope link src <my ip>
169.254.0.0/16 dev br0 scope link metric 1004
default via <gateway ip> dev br0
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Tom Eastep
2010-Apr-15 01:17 UTC
Re: Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall
Hatim Diab wrote:
> Hello All,
>
> I've installed the vanilla shorewall F12, I've got it installed on a couple
> of other servers with no problems. no matter how I define the zones and
> interfaces, shorewall logs and allows, rejects or drops only traffic to
> world.

Please see http://www.shorewall.net/support.htm#Guidelines for the
information that we need to diagnose *connection problems*.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hatim Diab
2010-Apr-15 01:48 UTC
Re: Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall
Sorry, file attached

On 4/14/10 9:17 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> Hatim Diab wrote:
>> Hello All,
>>
>> I've installed the vanilla shorewall F12, I've got it installed on a couple
>> of other servers with no problems. no matter how I define the zones and
>> interfaces, shorewall logs and allows, rejects or drops only traffic to
>> world.
>
> Please see http://www.shorewall.net/support.htm#Guidelines for the
> information that we need to diagnose *connection problems*.
>
> -Tom
Tom Eastep
2010-Apr-16 14:51 UTC
Re: Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall
Hatim Diab wrote:
>>> I've installed the vanilla shorewall F12, I've got it installed on a couple
>>> of other servers with no problems. no matter how I define the zones and
>>> interfaces, shorewall logs and allows, rejects or drops only traffic to
>>> world.

Okay. From the firewall itself, the only control you have on output is to
'world' in this configuration. Are you saying that you cannot control some
other traffic?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
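The quickest way to see which zone pair Shorewall actually assigned a packet to is to read the zone names out of the logged chain name, as in the world2fw lines in the first post, and to look at the PHYSIN= field, which the kernel LOG target adds for packets that entered through a bridge port. The script below is an added example written for this thread, not code from Shorewall or from either poster. It assumes the log-prefix format shown above (Shorewall:<src>2<dst>:<disposition>:IN=<dev>), takes its zone list from the zones file posted above, and the log lines it embeds are constructed samples using documentation addresses; the net2loc line is included only to illustrate the contrast Tom describes between bridged traffic and traffic to the firewall itself.

```shell
#!/bin/sh
# Added example for this thread; not part of Shorewall or of any poster's files.
# Classifies Shorewall log prefixes such as "Shorewall:world2fw:REJECT:IN=br0"
# by source zone, destination zone, disposition, bridge device and physical
# bridge port (PHYSIN=, added by the kernel LOG target for bridged packets).
set -eu

# Zone names taken from the poster's zones file.
ZONES="fw world net loc"

# zone_pair CHAIN: resolve a "<src>2<dst>" chain name against the known zone
# list rather than splitting on the first "2" (zone names may contain digits).
# Prints "src dst", or "? ?" when CHAIN is not a zone-pair chain (e.g. logflags).
zone_pair() {
    _chain=$1
    for _s in $ZONES; do
        for _d in $ZONES; do
            if [ "$_chain" = "${_s}2${_d}" ]; then
                printf '%s %s\n' "$_s" "$_d"
                return 0
            fi
        done
    done
    printf '? ?\n'
    return 0
}

# classify_line LOGLINE: prints "src dst disposition in_dev physin"
# ("-" for an absent field), or "not-a-shorewall-line" for anything else.
classify_line() {
    _line=$1
    _prefix=$(printf '%s\n' "$_line" | sed -n 's/.*\(Shorewall:[^ ]*\).*/\1/p')
    if [ -z "$_prefix" ]; then
        printf 'not-a-shorewall-line\n'
        return 0
    fi
    _chain=$(printf '%s\n' "$_prefix" | cut -d: -f2)
    _disp=$(printf '%s\n' "$_prefix" | cut -d: -f3)
    # IN= follows the prefix colon or a space; PHYSIN= never matches "[: ]IN=".
    _in=$(printf '%s\n' "$_line" | sed -n 's/.*[: ]IN=\([^ ]*\).*/\1/p')
    _phys=$(printf '%s\n' "$_line" | sed -n 's/.* PHYSIN=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(zone_pair "$_chain")" "$_disp" "${_in:--}" "${_phys:--}"
}

# summarize < LOG: count entries per (src, dst, disposition), sorted.
summarize() {
    while IFS= read -r _l; do
        classify_line "$_l"
    done | grep -v '^not-a-shorewall-line$' \
         | awk '{ k = $1 " " $2 " " $3; c[k]++ }
                END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample log (documentation addresses, no real hosts):
# three packets addressed to the firewall itself (world2fw, PHYSIN shows
# the port they arrived on), one bridged packet (net2loc), one non-firewall line.
SAMPLE_LOG='Apr 15 00:20:01 fw kernel: Shorewall:world2fw:REJECT:IN=br0 OUT= PHYSIN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=ICMP TYPE=8
Apr 15 00:20:05 fw kernel: Shorewall:world2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=ICMP TYPE=8
Apr 15 00:20:09 fw kernel: Shorewall:world2fw:REJECT:IN=br0 OUT= PHYSIN=eth1 SRC=203.0.113.40 DST=203.0.113.2 PROTO=TCP DPT=22
Apr 15 00:20:12 fw kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=203.0.113.40 PROTO=TCP DPT=445
Apr 15 00:20:15 fw sshd[1234]: Accepted publickey for admin from 203.0.113.40'

# Demo run on the sample; on a real firewall use: summarize < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize
```

Run against the real kernel log, the summary shows at a glance whether packets were matched as world2fw (traffic to or from the firewall's own address on br0) or as a bport pair such as net2loc (traffic bridged between the ports); for the world2fw entries the PHYSIN column still records which physical port the packet came in on, which is the detail the first post's rule on net:<myip>/32 was trying to act on.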