Hi,

In order to blacklist rfc1918 networks from the Internet, I use NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a minor problem which I think shorewall should warn about before. One of the firewalls I configured had 172.16.0.0/20 as the internal interface, running version 4.4.6 on Ubuntu 10.04.1. Enabling NULL_ROUTE_RFC1918, routing for the internal interface disappeared and was blacklisted. I think this behaviour conflicts with the manual, which says:

"...When combined with route filtering (ROUTE_FILTER=Yes or routefilter in shorewall-interfaces(5)), this option ensures that packets with an RFC1918 source address are only accepted from interfaces having known routes to networks using such addresses."

I looked around for a way to customize this option to exclude 172.16/20, but it appears that there is none, so maybe shorewall should check for exact route matches before adding rfc1918 blacklists.

Or is there another way to fix this? (Apart from narrowing the range of the internal network)

Regards,

-- 
Can Bican

------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a Billion" shares his insights and actions to help propel your business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
On 11/8/10 11:37 PM, Can Bican wrote:
> Hi,
>
> In order to blacklist rfc1918 networks from the Internet, I use
> NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a
> minor problem which I think shorewall should warn about before. One of the
> firewalls I configured had 172.16.0.0/20 as the internal
> interface, running version 4.4.6 on Ubuntu 10.04.1. Enabling
> NULL_ROUTE_RFC1918, routing for the internal interface disappeared and
> was blacklisted. I think this behaviour conflicts with the manual, which
> says:
>
> "...When combined with route filtering (ROUTE_FILTER=Yes or
> routefilter in shorewall-interfaces(5)), this option ensures that
> packets with an RFC1918 source address are only accepted from
> interfaces having known routes to networks using such addresses."
>
> I looked around for a way to customize this option to exclude
> 172.16/20, but it appears that there is none, so maybe shorewall
> should check for exact route matches before adding rfc1918 blacklists.
>
> Or is there another way to fix this? (Apart from narrowing the range
> of the internal network)
>

NULL_ROUTE_RFC1918 creates these three routes:

unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8

Because 172.16.0.0/20 is more specific than 172.16.0.0/12, the above null route does not mask your route to your internal interface. Here is the main routing table on my own firewall:

gateway:~# ip route ls
172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.0.0/25 via 172.20.0.2 dev tun0
172.20.1.0/24 dev eth4 proto kernel scope link src 172.20.1.254
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
224.0.0.0/4 dev eth4 scope link
gateway:~#

Note that I have a number of routes to subnets of 172.16.0.0/12 but those routes appear in the routing table before 172.16.0.0/12.

So something else must be going on with your configuration. Please forward the output of 'shorewall dump' with NULL_ROUTE_RFC1918 enabled and I'll take a look (you can send it to me privately if you like).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
You can always just put some rules in to drop RFC1918 traffic.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
My bad, the internal network is actually /12, not /20. I'm sending you the output of shorewall dump in a separate email.

Thanks.

On Tue, Nov 9, 2010 at 5:11 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 11/8/10 11:37 PM, Can Bican wrote:
>> Hi,
>>
>> In order to blacklist rfc1918 networks from the Internet, I use
>> NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a
>> minor problem which I think shorewall should warn about before. One of the
>> firewalls I configured had 172.16.0.0/20 as the internal
>> interface, running version 4.4.6 on Ubuntu 10.04.1. Enabling
>> NULL_ROUTE_RFC1918, routing for the internal interface disappeared and
>> was blacklisted. I think this behaviour conflicts with the manual, which
>> says:
>>
>> "...When combined with route filtering (ROUTE_FILTER=Yes or
>> routefilter in shorewall-interfaces(5)), this option ensures that
>> packets with an RFC1918 source address are only accepted from
>> interfaces having known routes to networks using such addresses."
>>
>> I looked around for a way to customize this option to exclude
>> 172.16/20, but it appears that there is none, so maybe shorewall
>> should check for exact route matches before adding rfc1918 blacklists.
>>
>> Or is there another way to fix this? (Apart from narrowing the range
>> of the internal network)
>>
>
> NULL_ROUTE_RFC1918 creates these three routes:
>
> unreachable 192.168.0.0/16
> unreachable 172.16.0.0/12
> unreachable 10.0.0.0/8
>
> Because 172.16.0.0/20 is more specific than 172.16.0.0/12, the above
> null route does not mask your route to your internal interface. Here is
> the main routing table on my own firewall:
>
> gateway:~# ip route ls
> 172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
> 70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
> 172.20.0.0/25 via 172.20.0.2 dev tun0
> 172.20.1.0/24 dev eth4 proto kernel scope link src 172.20.1.254
> 10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
> unreachable 192.168.0.0/16
> unreachable 172.16.0.0/12
> unreachable 10.0.0.0/8
> 224.0.0.0/4 dev eth4 scope link
> gateway:~#
>
> Note that I have a number of routes to subnets of 172.16.0.0/12 but
> those routes appear in the routing table before 172.16.0.0/12.
>
> So something else must be going on with your configuration. Please
> forward the output of 'shorewall dump' with NULL_ROUTE_RFC1918 enabled
> and I'll take a look (you can send it to me privately if you like).
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 11/9/10 2:05 PM, Can Bican wrote:
> My bad, the internal network is actually /12, not /20. I'm sending you
> the output of shorewall dump in a separate email.

There is a problem with the current code when a route matching an entire RFC1918 subnet exists. The attached patch corrects the problem in Shorewall 4.4.14 and applies with an offset to 4.4.6.

patch /usr/share/shorewall/Shorewall/Providers < NULL_ROUTE.patch

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
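The two cases Tom describes (a more specific internal route that wins by longest-prefix match, versus an internal route that exactly equals one of the three RFC1918 null routes) can be checked before enabling NULL_ROUTE_RFC1918. The following is an added example, not Shorewall's own code: it parses the subset of `ip route ls` output seen in this thread, resolves destinations the way the kernel FIB does, and flags equal-prefix collisions instead of guessing how the kernel orders them. The internal-network table for the /12 case is constructed for illustration.

```python
import ipaddress

# The three null routes NULL_ROUTE_RFC1918=Yes installs, as listed in the thread.
RFC1918_NULL_ROUTES = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def parse_ip_route(text):
    """Parse a subset of `ip route ls` output into (network, action) pairs.

    Handles 'unreachable NET', 'NET dev IF ...' and 'NET via GW dev IF ...';
    a bare address with no prefix length is a /32 host route. Shell prompt
    lines such as 'gateway:~#' are skipped.
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].endswith("#"):
            continue
        if fields[0] == "unreachable":
            net, action = fields[1], "unreachable"
        else:
            net, action = fields[0], "dev " + fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(net, strict=False), action))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Ties between equal prefixes are not modelled; see null_route_collisions."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def null_route_collisions(routes):
    """Real routes whose prefix *equals* an RFC1918 null route.

    A more specific route (172.16.0.0/20) needs no special handling, it simply
    wins the lookup. An equal prefix (172.16.0.0/12) is the case Tom's patch
    addresses, so report it rather than guess which route the kernel prefers.
    """
    real = {net for net, action in routes if action != "unreachable"}
    return [n for n in RFC1918_NULL_ROUTES if n in real]


# Tom's routing table, copied from the thread.
TOMS_TABLE = """\
gateway:~# ip route ls
172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.0.0/25 via 172.20.0.2 dev tun0
172.20.1.0/24 dev eth4 proto kernel scope link src 172.20.1.254
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
224.0.0.0/4 dev eth4 scope link
gateway:~#
"""

# Constructed: Can's case, an internal interface covering all of 172.16.0.0/12.
CANS_TABLE = "172.16.0.0/12 dev eth0 scope link src 172.16.0.1\nunreachable 172.16.0.0/12\n"
```

On Tom's table 172.31.1.1 resolves to the unreachable /12 while 172.20.1.7 still reaches eth4; on the constructed /12 table the collision list is non-empty, which is the condition to check before relying on NULL_ROUTE_RFC1918 on an unpatched 4.4.6.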
Thank you, it works well. I had to patch it manually though, I prefer to keep the Ubuntu provided version.

-- 
Can Bican

On Wed, Nov 10, 2010 at 12:54 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 11/9/10 2:05 PM, Can Bican wrote:
>> My bad, the internal network is actually /12, not /20. I'm sending you
>> the output of shorewall dump in a separate email.
>
> There is a problem with the current code when a route matching an entire
> RFC1918 subnet exists. The attached patch corrects the problem in
> Shorewall 4.4.14 and applies with an offset to 4.4.6.
>
> patch /usr/share/shorewall/Shorewall/Providers < NULL_ROUTE.patch
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________