Vieri Di Paola
2011-Mar-25 10:33 UTC
shorewall bridge: BP-zone to BP-zone rules and policies
I have a bridge setup with lan and wan bp-zones.

I'm pinging successfully from a host in the lan bp-zone with IP addr 10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and this is reflected in the Conntrack Table (see dump).

According to the documentation I should be able to set policies and rules between 2 bp-zones (eg. lan -> wan; wan -> lan).
I must have set them wrong because I'm expecting to REJECT all traffic between lan and wan.
However, pings between hosts in wan and lan are working both ways...

Please take a look at my shorewall dump at:
http://213.96.91.201/temp/dump.gz

Why are pings wan2lan and lan2wan working?
How can I block them?

Thanks!

Vieri

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today!
http://p.sf.net/sfu/intel-dev2devmar
Tom Eastep
2011-Mar-26 16:09 UTC
Re: shorewall bridge: BP-zone to BP-zone rules and policies
On 3/25/11 3:33 AM, Vieri Di Paola wrote:
> I have a bridge setup with lan and wan bp-zones.
>
> I'm pinging successfully from a host in the lan bp-zone with IP addr 10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and this is reflected in the Conntrack Table (see dump).
>
> According to the documentation I should be able to set policies and rules between 2 bp-zones (eg. lan -> wan; wan -> lan).
> I must have set them wrong because I'm expecting to REJECT all traffic between lan and wan.
> However, pings between hosts in wan and lan are working both ways...
>
> Please take a look at my shorewall dump at:
> http://213.96.91.201/temp/dump.gz
>
> Why are pings wan2lan and lan2wan working?

Because your configuration is allowing all br0->br0 traffic.

> How can I block them?

Configure your firewall correctly. If you will send me a tarball of /etc/shorewall, I'll take a look.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-Mar-26 23:45 UTC
Re: shorewall bridge: BP-zone to BP-zone rules and policies
On 3/26/11 9:09 AM, Tom Eastep wrote:
> On 3/25/11 3:33 AM, Vieri Di Paola wrote:
>> I have a bridge setup with lan and wan bp-zones.
>>
>> I'm pinging successfully from a host in the lan bp-zone with IP addr 10.215.146.70 to a host in the wan bp-zone with IP addr 10.215.146.89 and this is reflected in the Conntrack Table (see dump).
>>
>> According to the documentation I should be able to set policies and rules between 2 bp-zones (eg. lan -> wan; wan -> lan).
>> I must have set them wrong because I'm expecting to REJECT all traffic between lan and wan.
>> However, pings between hosts in wan and lan are working both ways...
>>
>> Please take a look at my shorewall dump at:
>> http://213.96.91.201/temp/dump.gz
>>
>> Why are pings wan2lan and lan2wan working?
>
> Because your configuration is allowing all br0->br0 traffic.
>
>> How can I block them?
>
> Configure your firewall correctly. If you will send me a tarball of
> /etc/shorewall, I'll take a look.

Okay -- this is very subtle and I will try to make it less so, but the problem has to do with your hosts.FHM entries.

I assume that you know which bridge port the IPSEC tunnels come in through (eth0 or eth1). So specify that interface rather than br0 and you should be okay.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
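As an added illustration of the fix Tom describes (this is not the poster's configuration, which is not on the page), here is the pattern side by side: a hosts entry keyed on the bridge device br0 against the same entry keyed on the bridge port. The zone names, the separate vpn zone for the tunnels, the 0.0.0.0/0 address and the choice of eth0 as the tunnel-facing port are all assumptions.

```text
# Added example, not the thread's config. Assumed: lan and wan are bport zones
# on bridge br0 (ports eth0 and eth1), and a separate 'vpn' zone is populated
# from the hosts file for the IPsec tunnels, which are assumed to enter via eth0.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
lan     bport
wan     bport
vpn     ipsec        # assumed zone for the tunnels

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge
lan     br0:eth0    -
wan     br0:eth1    -

# /etc/shorewall/policy
#SOURCE DEST    POLICY
lan     wan     REJECT
wan     lan     REJECT
all     all     REJECT

# /etc/shorewall/hosts -- the subtle part
#ZONE   HOST(S)
# Keyed on the bridge device: br0 carries BOTH ports, so this entry covers hosts
# behind eth0 and eth1 alike, and the zone is no longer tied to one port. That is
# the kind of entry that lets br0->br0 traffic through despite the REJECT policies.
# vpn   br0:0.0.0.0/0
#
# Keyed on the port the tunnels actually arrive on (assumed eth0): the zone now
# covers only hosts seen on that port, so lan<->wan stays under the bport policies.
vpn     eth0:0.0.0.0/0
```

Run `shorewall check` before `shorewall restart` to have Shorewall validate the edited files, then re-test the lan->wan and wan->lan pings and confirm they no longer appear in the conntrack table.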
Vieri Di Paola
2011-Mar-27 15:21 UTC
Re: shorewall bridge: BP-zone to BP-zone rules and policies
--- On Sun, 3/27/11, Tom Eastep <teastep@shorewall.net> wrote:
> Okay -- this is very subtle and I will try to make it less
> so, but the
> problem has to do with your hosts.FHM entries.
>
> I assume that you know which bridge port the IPSEC tunnels
> come in
> through (eth0 or eth1). So specify that interface rather
> than br0 and
> you should be okay.

I'll try that asap.

Thank you very much.

Vieri
Vieri Di Paola
2011-Mar-30 16:41 UTC
Re: shorewall bridge: BP-zone to BP-zone rules and policies
--- On Sun, 3/27/11, Tom Eastep <teastep@shorewall.net> wrote:
> Okay -- this is very subtle and I will try to make it less
> so, but the
> problem has to do with your hosts.FHM entries.
>
> I assume that you know which bridge port the IPSEC tunnels
> come in
> through (eth0 or eth1). So specify that interface rather
> than br0 and
> you should be okay.

It seems to be working now.

Thank you very much.

Vieri

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website.
http://p.sf.net/sfu/ms-webmatrix-sf