I have an admin machine, and a backup server which does backups. The backup server has IPMI so I can do lights-out admin, and I want to allow this from the admin machine only. IPMI is completely unfirewalled, and so it must have a different class C than working networks.... this is just how it is.

I've set the IPMI IP on the backup server to 192.168.10.4, and created a virtual interface (eth0:1) on the admin machine with IP 192.168.10.1. But after following the Multiple Zones Through One Interface instructions (http://www.shorewall.net/Multiple_Zones.html) Shorewall simply blocks all traffic.

What could be wrong/ is there another way that actually works?

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand
malware threats, the impact they can have on your business, and how you
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
On 1/20/11 8:41 AM, Carl Cook wrote:
> I have an admin machine, and a backup server which does backups. The
> backup server has IPMI so I can do lights-out admin, and I want to
> allow this from the admin machine only. IPMI is completely
> unfirewalled, and so it must have a different class C than working
> networks.... this is just how it is.
>
> I've set the IPMI IP on the backup server to 192.168.10.4, and
> created a virtual interface (eth0:1) on the admin machine with IP
> 192.168.10.1. But after following the Multiple Zones Through One
> Interface instructions (http://www.shorewall.net/Multiple_Zones.html)
> Shorewall simply blocks all traffic.
>
> What could be wrong/ is there another way that actually works?

Very hard to guess without knowing exactly what you did. Please provide the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
if ipmi is unfirewalled, any user who can jack into an open port can just use ipmi. that's not good. you should segregate ipmi to a dedicated vlan at the switch if possible. iptables rules are probably not the best way to go about securing this situation.

On Thu, Jan 20, 2011 at 8:56 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 1/20/11 8:41 AM, Carl Cook wrote:
> > [...]
> > What could be wrong/ is there another way that actually works?
>
> Very hard to guess without knowing exactly what you did. Please provide
> the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
> Thanks,
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Thu 20 January 2011 15:57:22 Christ Schlacta wrote:
> if ipmi is unfirewalled, any user who can jack into an open port can just
> use ipmi. that's not good. you should segregate ipmi to a dedicated vlan
> at the switch if possible. iptables rules are probably not the best way to
> go about securing this situation.

I know, but the switch is in my home. Not worried about it here.

See, my LAN has the HTPC, my work laptop, and the backup server. I need the backup server as the HTPC has terabytes of my favorite movies & shows, and nowadays it's not practical to back up to anything but disk. I've built a little SuperMicro mobo in a cube chassis with a SuperMicro 3x5 drive carrier, to put in the garage for backing up, in case of theft or fire of my other machines.

I got the mobo with IPMI, which is a wonderful improvement. I've set IPMI to a different class C in case my main LAN ever gets broken into from outside, and on my work laptop that class C is a subnet of the wlan interface. I wasn't able to make that subnet get through Shorewall until I set it up in /etc/network/interfaces with the 'up ip' command, as in the Shorewall wiki. Now it works fine. (Thanks for pitching in Tom)

I've had a terrible time with rsync and btrfs, but now seem to have them under control as well, and may just have a fine automated system going. Still testing. Next will be setting the backup server up to record my security cameras with ZoneMinder!
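The setup the thread converges on, written out as an added example (this is not code from the thread, the Shorewall project, or its wiki): Shorewall on the admin machine with the 192.168.10.0/24 IPMI range as its own zone on one interface, and the `up ip` stanza that creates the eth0:1 alias before Shorewall starts. It assumes the admin machine's LAN interface is eth0 (the original post; the later laptop uses a wlan interface), that Shorewall runs on the admin machine itself, and that the BMC listens on UDP 623 (RMCP, IPMI-over-LAN) and TCP 443 for its web UI; the port list is an assumption to check against your own BMC. The script writes the fragments into a staging directory for review rather than touching /etc directly, and `same_ipv4_subnet` is a small sanity check that the alias and the BMC really share the /24, which is the condition that lets the admin machine reach the BMC without a router.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project. Stages the
# Shorewall files for a separate "ipmi" zone on the admin machine's eth0 and
# the /etc/network/interfaces stanza for the eth0:1 alias.
# Assumptions: interface eth0, BMC on UDP 623 and TCP 443 (check your BMC).

ADMIN_IPMI_ADDR=192.168.10.1   # alias on the admin machine (from the thread)
BMC_ADDR=192.168.10.4          # backup server's BMC (from the thread)
IPMI_NET=192.168.10.0/24
LAN_IF=eth0

ip_to_int() {
    # Dotted quad -> 32-bit integer using only shell word splitting and arithmetic.
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_ipv4_subnet() {
    # Usage: same_ipv4_subnet ADDR1 ADDR2 PREFIXLEN; succeeds when both share the subnet.
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

gen_shorewall_ipmi_staging() {
    # Write the fragments into directory $1 for review before copying them
    # to /etc/shorewall (zones, interfaces, hosts, policy, rules) and
    # /etc/network/interfaces (network-interfaces).
    dir=$1
    mkdir -p "$dir"

    # Shorewall matches a packet against zones in the order they are listed
    # here, so the narrower ipmi zone goes before loc.
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
ipmi    ipv4
loc     ipv4
EOF

    # No zone on the interface line; the hosts file assigns zones by address.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       $LAN_IF     detect
EOF

    cat > "$dir/hosts" <<EOF
#ZONE   HOST(S)                     OPTIONS
ipmi    $LAN_IF:$IPMI_NET
loc     $LAN_IF:0.0.0.0/0
EOF

    # Deny everything to or from the ipmi zone by default and log it; the
    # rules file then opens only what the admin machine itself needs.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG
\$FW    ipmi    DROP    info
loc     ipmi    DROP    info
ipmi    all     DROP    info
\$FW    all     ACCEPT
all     all     REJECT  info
EOF

    cat > "$dir/rules" <<EOF
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  \$FW    ipmi    udp     623
ACCEPT  \$FW    ipmi    tcp     443
EOF

    # The alias must exist before Shorewall starts; without an address in
    # 192.168.10.0/24 the kernel has no route to the BMC and nothing gets through.
    cat > "$dir/network-interfaces" <<EOF
auto $LAN_IF
iface $LAN_IF inet dhcp
    up   ip addr add $ADMIN_IPMI_ADDR/24 dev $LAN_IF label $LAN_IF:1
    down ip addr del $ADMIN_IPMI_ADDR/24 dev $LAN_IF
EOF
}

main() {
    same_ipv4_subnet "$ADMIN_IPMI_ADDR" "$BMC_ADDR" 24 ||
        { echo "alias and BMC are not on the same /24" >&2; exit 1; }
    gen_shorewall_ipmi_staging "${1:-./shorewall-ipmi-staging}"
    echo "staged in ${1:-./shorewall-ipmi-staging}; review, then copy into /etc/shorewall"
}

main "$@"
```

After copying the files into place, `shorewall check` validates them and `shorewall dump` (the output Tom asks for) shows which zone each address landed in and which policy chain dropped a packet. The policy deliberately logs the drops so a stray attempt to reach the BMC from the rest of the LAN shows up in syslog rather than disappearing silently; the VLAN separation suggested later in the thread is still the stronger control, since these rules only exist on the admin machine and do nothing for a host that plugs into the same switch.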
you might look into amanda for your backups, it's quite nice. also, ask yourself "Can I re-rip(download?) this if I lose it?", before you bother wasting money on drive space to back it up. that's enough OT for now though~~

On Thu, Jan 20, 2011 at 5:02 PM, <CACook@quantum-sci.com> wrote:
> On Thu 20 January 2011 15:57:22 Christ Schlacta wrote:
> > [...]
>
> I know, but the switch is in my home. Not worried about it here.
>
> See, my LAN has the HTPC, my work laptop, and the backup server. I need
> the backup server as the HTPC has terabytes of my favorite movies & shows,
> and nowadays it's not practical to back up to anything but disk. I've built
> a little SuperMicro mobo in a cube chassis with a SuperMicro 3x5 drive
> carrier, to put in the garage for backing up, in case of theft or fire of my
> other machines.
>
> I got the mobo with IPMI, which is a wonderful improvement. I've set IPMI
> to a different class C in case my main LAN ever gets broken into from
> outside, and on my work laptop that class C is a subnet of the wlan
> interface. I wasn't able to make that subnet get through Shorewall until I
> set it up in /etc/network/interfaces with the 'up ip' command, as in the
> Shorewall wiki. Now it works fine. (Thanks for pitching in Tom)
>
> I've had a terrible time with rsync and btrfs, but now seem to have them
> under control as well, and may just have a fine automated system going.
> Still testing. Next will be setting the backup server up to record my
> security cameras with ZoneMinder!
On Thu 20 January 2011 17:16:57 Christ Schlacta wrote:
> you might look into amanda for your backups, it's quite nice. also, ask
> yourself "Can I re-rip(download?) this if I lose it?", before you bother
> wasting money on drive space to back it up. that's enough OT for now
> though~~

Not familiar with Amanda, and rsync is quite challenging, but it allows highly efficient differential backups over the network (SSH, compressed transfer). Also, I can mount a BTRFS snapshot from any date and recover the files as they were on that date.

"Can I re-rip(download?) this if I lose it?"

Problem is remembering the names of all these fine movies, and getting quality copies. This is 30 years of my favorite movies and TV shows (ever heard of Danger Man?), and I'm still building.

Do you know that a WD Green 2TB drive is now $80? (with rebate) I went ahead and bought three (with 64MB cache!), and have slots for two more in my backup server. Not even filling one yet; will be using one for HD security cameras. Disk is the only practical method of backing up anymore.

I'm backing up each machine once a week (cron), and can do a full restore over the GB network through SSH. Running BTRFS RAID arrays, to which disks can be added and balanced on-the-fly.

The backup server is way at the back of my (detached) garage, down low in case of fire. About $600 all-in, and I have more peace of mind than in a long time.
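The backup pattern described in this reply, rsync over SSH with compression into a btrfs subvolume followed by a read-only dated snapshot, as an added example; this is not Carl's script and is not part of the thread. It assumes it runs on the backup server, that `$BACKUP_ROOT` is on a btrfs filesystem, that each client is reached as root over key-based SSH, and that host names and paths are placeholders. `DRY_RUN=1` makes every privileged command print instead of run, which is how the script can be read through (and tested) on a machine without btrfs or the clients.

```shell
#!/bin/sh
# Added example, not from the thread: weekly pull backup of a host over SSH
# into a btrfs subvolume, then a read-only snapshot named by date.
# Assumptions: run on the backup server, $BACKUP_ROOT is btrfs, root SSH
# with keys to each client. Host names and paths below are placeholders.

BACKUP_ROOT=${BACKUP_ROOT:-/backup}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

snapshot_name() {
    # One snapshot per day under $1/snapshots; btrfs refuses to create a
    # snapshot over an existing one, so a rerun cannot overwrite history.
    echo "$1/snapshots/$(date +%F)"
}

backup_host() {
    # Usage: backup_host HOSTNAME [REMOTE_PATH]
    # Pulls REMOTE_PATH (default /) from HOSTNAME into
    # $BACKUP_ROOT/HOSTNAME/current, then snapshots that subvolume.
    host=$1
    src=${2:-/}
    dest=$BACKUP_ROOT/$host
    run mkdir -p "$dest/snapshots"
    [ -d "$dest/current" ] || run btrfs subvolume create "$dest/current"
    # -a owner/perms/times, -H hard links, -A/-X ACLs and xattrs,
    # --numeric-ids so uids are not remapped through the server's passwd,
    # -z compresses on the wire, --delete mirrors removals: the snapshots,
    # not the live tree, are what keep deleted or damaged files recoverable.
    run rsync -aHAX --numeric-ids -z --delete \
        --exclude=/proc/ --exclude=/sys/ --exclude=/dev/ --exclude=/run/ \
        -e ssh "root@$host:$src" "$dest/current/"
    run btrfs subvolume snapshot -r "$dest/current" "$(snapshot_name "$dest")"
}

restore_path() {
    # Usage: restore_path HOSTNAME YYYY-MM-DD RELATIVE/FILE
    # Prints where FILE sat on that date; copy it back (or mount the
    # snapshot subvolume) to restore.
    echo "$BACKUP_ROOT/$1/snapshots/$2/$3"
}

if [ $# -gt 0 ]; then
    backup_host "$@"
fi
```

Because the snapshots are created read-only on the backup server and the clients only ever push nothing (the server pulls), a client that is later compromised or simply has files deleted cannot reach back and alter a previous day's tree; the `--delete` on the live `current` subvolume is safe for exactly that reason. A weekly cron entry of the form `backup_host htpc` per machine is all the scheduling the script needs.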