Erik Mundall
2012-Jan-13 21:53 UTC
Blocking ISP's rfc1918 addresses & unblocking local domain
I have an ISP who has seemingly left its local network completely open to me. While supposedly their RFC1918 addresses should not conflict with the ones on our network (they told me this), and of course our router only provides DHCP service to our own LAN, I am still rather annoyed at having conflicting devices respond to ICMP (ping). The ISP has at least 1500 live LAN IP addresses, mostly in the 192.168.x.x range, which I have some devices on as well.

I've read the FAQs and did not find what I was looking for. It seems that shorewall has removed the "norfc1918" option now. I've tried Google, and tried many configurations of shorewall to no avail in attempting to limit pinging of RFC1918 addresses to my own LAN, set up on eth1. The ISP gives me a static external address, to which our domain name points, which comes in on eth0 of the linux box.

The problem with the ISP's LAN remaining transparent to me is that it is hard to find devices with unknown IPs on my local LAN. (I'm still finding and mapping the network as the new IT guy here, and some things like the Dell PowerConnect 5224 were on unknown IPs.) Running an nmap to find live IPs turned up so many from outside of our own LAN that it was impossible to know which IP was the one I needed.

Additionally, I'm having trouble accessing the domain name of the server from within the LAN. I can pull up a webpage with an IP address, such as by 10.0.0.1, but the domain cannot be reached. I'm running a Squid transparent proxy, but as I've tried opening it completely to access of the server, I don't know if it's a squid problem or a misconfiguration elsewhere. Is there any way that shorewall can just map the domain name to bypass squid for the fw zone?

For most everything else, the firewall is functioning well. I'm not a trained techie, so thank you for your graciousness where I may be ignorant. A status file is attached, and if anything else is needed, let me know.

Thank you!

Sincerely,
Erik.
------------------------------------------------------------------------------ RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2
Tom Eastep
2012-Jan-14 05:52 UTC
Re: Blocking ISP's rfc1918 addresses & unblocking local domain
On Jan 13, 2012, at 1:53 PM, Erik Mundall wrote:

> I have an ISP who has seemingly left its local network completely open to me. While supposedly their RFC1918 addresses should not conflict with the ones on our network (they told me this), and of course our router only provides DHCP service to our own LAN, I am still rather annoyed at having conflicting devices respond to ICMP (ping). The ISP has at least 1500 live LAN IP addresses, mostly in the 192.168.x.x range, which I have some devices on as well.
>
> I've read the FAQs and did not find what I was looking for. It seems that shorewall has removed the "norfc1918" option now. I've tried Google, and tried many configurations of shorewall to no avail in attempting to limit pinging of RFC1918 addresses to my own LAN, set up on eth1. The ISP gives me a static external address, to which our domain name points, which comes in on eth0 of the linux box.

Live by Google -- die by Google. The successor to 'norfc1918' is NULL_ROUTE_RFC1918=Yes in shorewall.conf.

> Additionally, I'm having trouble accessing the domain name of the server from within the LAN. I can pull up a webpage with an IP address, such as by 10.0.0.1, but the domain cannot be reached. I'm running a Squid transparent proxy, but as I've tried opening it completely to access of the server, I don't know if it's a squid problem or a misconfiguration elsewhere. Is there any way that shorewall can just map the domain name to bypass squid for the fw zone?

From the dump output you posted, there are DNS requests being sent from the 'loc' zone to the 'fw' zone, but none being sent from the 'fw' zone to the 'net' zone (even though such traffic is allowed). So I would check the named configuration on your firewall.

Hope this helps,

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
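Added example, not from the thread or from Shorewall itself: a stand-alone shell model of the kernel's longest-prefix route lookup, to show what NULL_ROUTE_RFC1918=Yes changes for the ping problem above. Shorewall's own code is not used; the script only carries a constructed routing table. The interface layout follows the thread (eth0 = ISP uplink, eth1 = LAN), but the LAN subnets 192.168.1.0/24 and 10.0.0.0/24 on eth1 are assumptions, since the post only says "192.168.x.x" and mentions a server at 10.0.0.1. The three `ip route add blackhole` lines in the comment are the equivalent of what the option installs, written out here for illustration.

```shell
#!/bin/sh
# Added example (not Shorewall's code): model the kernel's longest-prefix
# route lookup to show the effect of NULL_ROUTE_RFC1918=Yes.
#
# Setting in /etc/shorewall/shorewall.conf:
#   NULL_ROUTE_RFC1918=Yes
# makes Shorewall install blackhole routes for the RFC1918 blocks, the
# equivalent of:
#   ip route add blackhole 10.0.0.0/8
#   ip route add blackhole 172.16.0.0/12
#   ip route add blackhole 192.168.0.0/16
# A more specific route for a subnet actually present on eth1 still wins,
# so the local LAN keeps working; everything else in RFC1918 space is
# dropped instead of being forwarded out eth0 to the ISP's LAN.

# Constructed routing tables: "prefix/len target", one route per line.
# eth1 subnets are ASSUMED (the thread only says 192.168.x.x and 10.0.0.1).
ROUTES_BEFORE="0.0.0.0/0 eth0
192.168.1.0/24 eth1
10.0.0.0/24 eth1"

ROUTES_AFTER="0.0.0.0/0 eth0
192.168.1.0/24 eth1
10.0.0.0/24 eth1
10.0.0.0/8 blackhole
172.16.0.0/12 blackhole
192.168.0.0/16 blackhole"

# ip2int A.B.C.D -> the address as a 32-bit integer (192.168.1.20 -> 3232235796).
# Done in a subshell so changing IFS does not leak into the caller.
ip2int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# masklen2int N -> netmask for prefix length N as an integer (24 -> 4294967040).
masklen2int() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# lookup TABLE DEST -> target of the most specific matching route
# (eth0, eth1, blackhole), or "unreachable" if nothing matches.
lookup() {
    table=$1
    dst=$(ip2int "$2")
    best_len=-1
    best=unreachable
    while read -r prefix target; do
        [ -n "$prefix" ] || continue
        net=${prefix%/*}
        len=${prefix#*/}
        mask=$(masklen2int "$len")
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best=$target
        fi
    done <<EOF
$table
EOF
    echo "$best"
}

# Compare where a ping to each destination goes before and after the option.
# 192.168.50.7 stands in for one of the ISP's ~1500 LAN hosts.
for dst in 192.168.1.20 10.0.0.1 192.168.50.7 10.20.30.40 8.8.8.8; do
    printf '%-14s before: %-10s after: %s\n' "$dst" \
        "$(lookup "$ROUTES_BEFORE" "$dst")" "$(lookup "$ROUTES_AFTER" "$dst")"
done
```

The point of the model is the ordering: 192.168.1.0/24 on eth1 is longer than the 192.168.0.0/16 blackhole, so local hosts are unaffected, while 192.168.50.7 changes from "eth0" (forwarded to the ISP and answered by their device) to "blackhole" (silently dropped by the kernel, so the LAN nmap only finds your own hosts). Note that the null routes act on outbound routing only; they do nothing about traffic from the ISP's RFC1918 hosts arriving on eth0, which is governed by the net zone policy and rules.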