I have configured a Fedora 15 installation to operate as a two-interface bridge.

I have followed the instructions from http://www.shorewall.net/3.0/NewBridge.html and configured Shorewall, but can't seem to restrict traffic from a PC within the net zone.

The local zone and net zone PCs share the same IP subnet, 192.168.7.x, but when the firewall is started I can still ping from the PC (192.168.7.116) on the net zone to any PC on the local zone.

The IP addresses seem correctly assigned to the correct zones. If I try to ping from the bridge to the PC on the net zone I receive fw2net messages in the log, and fw2loc when pinging a PC on the local zone.

It appears I am missing something; any pointers would be appreciated.

See below for my config:

Hosts:
#ZONE   HOST(S)                             OPTIONS
loc     br0:192.168.7.0/24!192.168.7.116

Rules:
#SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
#                       LEVEL   BURST           MASK
loc     net     ACCEPT
net     all     DROP    info
All     all     REJECT  info

Interfaces:
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     br0         192.168.7.255

Zones:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc:net ipv4

Thanks in advance
David
On 06/06/2011 10:02 AM, David Rayner wrote:
> I have configured a Fedora 15 installation to operate as a two-interface
> bridge.
>
> I have followed the instructions from
> http://www.shorewall.net/3.0/NewBridge.html and configured Shorewall, but
> can't seem to restrict traffic from a PC within the net zone.
>
> The local zone and net zone PCs share the same IP subnet, 192.168.7.x, but
> when the firewall is started I can still ping from the PC (192.168.7.116) on
> the net zone to any PC on the local zone.
>
> The IP addresses seem correctly assigned to the correct zones. If I try to
> ping from the bridge to the PC on the net zone I receive fw2net messages in
> the log, and fw2loc when pinging a PC on the local zone.
>
> It appears I am missing something; any pointers would be appreciated.

The document you have been reading applies to the Shorewall 3.x series; hopefully, you are running Shorewall 4.4 on Fedora 15. There are more recent articles that apply to Shorewall 4.4 and bridging. See the Documentation index linked from the Shorewall home page.

> See below for my config:
>
> Hosts:
> #ZONE   HOST(S)                             OPTIONS
> loc     br0:192.168.7.0/24!192.168.7.116
>
> Rules:
> #SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
> #                       LEVEL   BURST           MASK
> loc     net     ACCEPT
> net     all     DROP    info
> All     all     REJECT  info

That isn't the rules file -- it's the policy file. And your fw->net policy is REJECT (from the all->all REJECT entry), so unless you have exceptions in the rules file, you aren't going to be able to access the net at all from the Shorewall box.

> Interfaces:
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> net     br0         192.168.7.255

Broadcast addresses are no longer required -- you're probably getting a warning from that.

> Zones:
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> fw      firewall
> net     ipv4
> loc:net ipv4

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks for the reply Tom,

> The document you have been reading applies to the Shorewall 3.x series;
> hopefully, you are running Shorewall 4.4 on Fedora 15.

My apologies, I missed that. I had, though, already tried the main shorewall-perl configuration and had the same result. I then stumbled across the v3 docs, and believed that was the correct doc as it covered my kernel version and 'newbridge'.

>> Rules:
> That isn't the rules file

Sorry, typo.

> And your fw->net policy is REJECT

Yes, I knew this; I wanted to get the firewall bridge working, then worry about the rest.

I have now gone back to the main documentation, http://www.shorewall.net/bridge-Shorewall-perl.html, but am still having the same issue. I cannot restrict any traffic between the net and loc zones on either side of the bridge. I can control traffic to/from the bridge using the world zone, but nothing else.

My config: FC 15 2.6.38.6-27, Shorewall 4.4.17.

Zones -
#ZONE       TYPE        OPTIONS     IN      OUT
fw          firewall
world       ipv4
net:world   bport
loc:world   bport

Policy -
#SOURCE DEST    POLICY  LOG     LIMIT:  CONNLIMIT:
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

Interfaces -
#ZONE   INTERFACE   BROADCAST   OPTIONS
world   br0         detect      bridge
net     br0:em1
loc     br0:em2

Rules -
SSH/ACCEPT  world   $FW

Thanks in advance
David
On 06/07/2011 04:32 AM, David Rayner wrote:
> Thanks for the reply Tom,
>
>> The document you have been reading applies to the Shorewall 3.x series;
>> hopefully, you are running Shorewall 4.4 on Fedora 15.
>
> My apologies, I missed that. I had, though, already tried the main
> shorewall-perl configuration and had the same result. I then stumbled across
> the v3 docs, and believed that was the correct doc as it covered my kernel
> version and 'newbridge'.
>
>>> Rules:
>> That isn't the rules file
>
> Sorry, typo.
>
>> And your fw->net policy is REJECT
>
> Yes, I knew this; I wanted to get the firewall bridge working, then worry
> about the rest.
>
> I have now gone back to the main documentation,
> http://www.shorewall.net/bridge-Shorewall-perl.html, but am still having the
> same issue. I cannot restrict any traffic between the net and loc zones on
> either side of the bridge. I can control traffic to/from the bridge using
> the world zone, but nothing else.

One reason for running a bridge is that you are using KVM. On FC15 with KVM under libvirt, you must include this in your /etc/shorewall/init file:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

Beginning with Shorewall 4.4.20, Shorewall will set that for you when you define an interface with the 'bridge' option.

-Tom
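As an added illustration (not code from the thread or from Shorewall itself), a small Python model of the poster's final zones and policy files that shows why the policy table was ignored until the bridge-nf-call-iptables sysctl was set: with it at 0 the kernel bridge forwards frames at layer 2 without consulting iptables, so Shorewall's FORWARD-chain policies never see them. Zone assignments, policy order and the sysctl flag come from the thread; first-match policy evaluation and the "unknown port is world" fallback are deliberate simplifications.

```python
# Toy model of Shorewall bport zones on a Linux bridge (added example, not
# from the thread or from Shorewall). Models the poster's final config:
# world/net/loc zones on br0, with bridge ports em1 (net) and em2 (loc).

# Bridge-port zones from the poster's interfaces file ("br0:em1" -> net).
BPORT_ZONES = {"em1": "net", "em2": "loc"}

# Policy file, in order: (source, dest, policy). "all" is a wildcard.
POLICY = [
    ("loc", "net", "ACCEPT"),
    ("$FW", "all", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]


def zone_of_port(port):
    """Map a bridge port to its bport zone.

    Simplification: a port not listed falls into the parent 'world' zone.
    """
    return BPORT_ZONES.get(port, "world")


def policy_for(src_zone, dst_zone, policy=POLICY):
    """First matching policy line wins (simplified model of the policy file)."""
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    raise ValueError("no policy line matched")


def bridged_verdict(in_port, out_port, nf_call_iptables):
    """Verdict for a frame entering in_port and leaving out_port.

    nf_call_iptables models /proc/sys/net/bridge/bridge-nf-call-iptables:
    when it is 0 the bridge forwards the frame without consulting iptables,
    so every Shorewall policy is bypassed and the frame is forwarded.
    """
    if not nf_call_iptables:
        return "ACCEPT"  # never reaches netfilter; rules cannot apply
    return policy_for(zone_of_port(in_port), zone_of_port(out_port))


if __name__ == "__main__":
    # The symptom: 192.168.7.116 on em1 (net) pinging a host on em2 (loc).
    print("sysctl=0, net->loc:", bridged_verdict("em1", "em2", 0))  # ACCEPT
    print("sysctl=1, net->loc:", bridged_verdict("em1", "em2", 1))  # DROP
    print("sysctl=1, loc->net:", bridged_verdict("em2", "em1", 1))  # ACCEPT
```

A practical check on the real box is whether `/proc/sys/net/bridge/bridge-nf-call-iptables` reads 1 after Shorewall starts; if it reads 0, the bport policies are not being applied regardless of what `shorewall show` reports.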
> echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

That did it, thanks Tom.

David