Michael Weickel - iQom Business Services GmbH
2010-Apr-16 15:41 UTC
Route availability check
Hi list,

is it true that Shorewall is not willing to forward traffic from a source-ip which is not reachable by a static route from Shorewall itself? To say it another way: if Shorewall's routing interface is neither connected nor able to reach that source ip, does it forward or deny it?

So the situation is the following. I send from an ip which is not part of interface nor hosts file. But Shorewall should forward that packet as well, matching the default route without knowing a way back to the source ip.

All I see is a packet arriving on the local interface, but I don't see it leave the external one, nor do I see any drop or reject by shorewall. If I tell Shorewall the route to the source ip it works fine, but I don't want this route to be configured and I want to know if this is maybe a Shorewall feature which can be turned off? And if it is a Shorewall feature, does anybody know if there is an article to read about it?

The same feature is available on Cisco, there it is called ip-verify-unicast-source-reachable.

Thanks
Mike

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Tom Eastep

Michael Weickel - iQom Business Services GmbH wrote:
> Hi list,
>
> is it true that Shorewall is not willing to forward traffic from a source-ip
> which is not reachable by a static route from Shorewall itself? To say it on
> another way. If Shorewall's routing interface is neither connected nor able
> to reach that source ip does it forward or deny it?
>
> So the situation is the following. I send from an ip which is not part of
> interface nor hosts file. But Shorewall should forward that packet as well
> matching the default route without knowing a way back to the source ip.
>
> All I see is a packet arriving on the local interface but I don't see it to
> leave the external one nor I see any drop or reject by shorewall. If I tell
> Shorewall the route to the source ip it works fine but I don't want this
> route to be configured and I want to know if this is maybe a Shorewall
> feature which can be turned off? And if it is a Shorewall feature does
> anybody know if there is an article to read about?
>
> The same feature is available on Cisco, there it is called
> ip-verify-unicast-source-reachable.

In Shorewall, it's called route filtering. In the kernel, it's called Reverse-path filtering. Both Shorewall and sysctl.conf can be used to control it.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michael Weickel - iQom Business Services GmbH
2010-Apr-16 17:39 UTC
Re: Route availability check
Great, thanks. Although the packet arrives first on a local interface, the feature has to be turned off on the outgoing interface and not on the local (incoming) one, right?

Cheers
Mike

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, 16 April 2010 17:52
To: Shorewall Users
Subject: Re: [Shorewall-users] Route availability check

In Shorewall, it's called route filtering. In the kernel, it's called Reverse-path filtering. Both Shorewall and sysctl.conf can be used to control it.

-Tom
Tom Eastep

Michael Weickel - iQom Business Services GmbH wrote:
> Great, thanks. Although the packet arrives first on a local interface the
> feature has to be turned off on the outgoing interface and not on the local
> (incoming) one, right?

It has to be turned off on any interface where you expect incoming packets with a SOURCE IP that would not be routed out of that same interface using the main routing table (in 2.6.32 or 33 the facility has been modified to use policy routing for the decision).

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
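A check that goes with Tom's answer: the kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<ifname>.rp_filter to each interface, so setting the per-interface value to 0 changes nothing while the "all" value is still 1, and the packets described in the thread keep disappearing without a log entry. The POSIX shell script below is an added example, not code from the thread or from Shorewall; it parses a constructed sample of `sysctl net.ipv4.conf` output (the interface names, values and function names are my own) and reports the mode the kernel will actually apply per interface. Shorewall's `routefilter` interface option writes the same sysctl, so the check is useful whichever side sets it.

```shell
#!/bin/sh
# Added example, not taken from the thread: work out the rp_filter mode the
# kernel will actually apply per interface. The kernel uses the larger of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<ifname>.rp_filter, so
# setting an interface to 0 does nothing while "all" is still 1.

# Constructed sample of `sysctl net.ipv4.conf` output (not from a real host).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# rp_filter_value <sysctl-text> <conf-name>: print the value of
# net.ipv4.conf.<conf-name>.rp_filter found in the text, or nothing.
rp_filter_value() {
    printf '%s\n' "$1" | sed -n "s/^net\.ipv4\.conf\.$2\.rp_filter = //p"
}

# effective_rp_filter <ifname> [sysctl-text]: print 0 (off), 1 (strict)
# or 2 (loose); return 1 if the interface has no rp_filter entry.
effective_rp_filter() {
    text=${2:-$SAMPLE_SYSCTL}
    all=$(rp_filter_value "$text" all)
    own=$(rp_filter_value "$text" "$1")
    [ -n "$own" ] || return 1
    : "${all:=0}"
    # the kernel takes the numeric maximum of the two settings
    if [ "$all" -ge "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_label <0|1|2>: human-readable mode name.
rp_filter_label() {
    case $1 in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Report every interface in the sample. On a live host replace the
# constructed text with the output of: sysctl net.ipv4.conf 2>/dev/null
for ifname in $(printf '%s\n' "$SAMPLE_SYSCTL" \
        | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter = .*/\1/p' \
        | grep -v -e '^all$' -e '^default$'); do
    mode=$(effective_rp_filter "$ifname")
    printf '%-6s rp_filter=%s (%s)\n' "$ifname" "$mode" "$(rp_filter_label "$mode")"
done
```

In the sample, eth0 is reported as strict even though its own value is 0, because all is 1; eth1 ends up loose (2), which only requires that some route to the source exists. Since reverse-path filtering is an anti-spoofing control, the defensible configuration is to leave it strict everywhere except the interfaces where asymmetric routing is genuinely expected, and to set all to 0 only when every interface carries an explicit per-interface value.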