When I ping an address
on the internet side of my firewall I do not get the reply packets
unless the host being pinged has a route to the "loc" network.
My network configuration:

Address        Connected to
192.168.8.80   eth0
192.168.8.86   eth0
192.168.8.101  Firewall-eth0
192.168.1.60   eth1
The computer at 192.168.8.80 has a route through 192.168.8.101 to
192.168.1.0/24.
Here is what happens when I ping the following addresses from
192.168.1.60:

192.168.8.80   Reply received
192.168.8.86   No reply
192.168.8.101  Reply received
Internet addr  No reply (Internet addr is any non-RFC1918 address)
There is more to the problem than what I've shown above, but this
is the simplest example that shows the problem. I've checked
everything mentioned in FAQ #15. I'm thinking the problem is a
NAT/MASQ issue. Wireshark shows that replies from the .86 address
are going to the wrong MAC address. Here is my masq file:
#INTERFACE SOURCE         ADDRESS PROTO PORT(S) IPSEC MARK
eth1       192.168.1.0/24                                    #loc zone
eth1       192.168.4.0/24                                    #guest zone
eth2       192.168.2.0/24                                    #lab zone
Shorewall version is 4.5.0.3 running on Ubuntu 10.04.4. On
starting shorewall I see the following three messages which may
(or may not) be problematic:
1. WARNING: Shorewall no longer uses broadcast addresses in rule
generation when Address Type Match is available :
/etc/shorewall/interfaces
2. WARNING: Shorewall no longer uses broadcast addresses in rule
generation when Address Type Match is available :
/etc/shorewall/interfaces
3. Compiling /usr/share/shorewall/action.Invalid for chain
%Invalid...
My goal with this system is to have a three interface firewall
with the DMZ replaced by a restricted zone.
Interface eth0 is connected by a cable modem to the internet and
gets its address by DHCP.
Interface eth2 is the restricted "lab" zone; computers in this
zone only have ping and samba access to computers in the "loc"
zone. Computers in the "lab" zone are running Windows 2000 and 98
and can't be upgraded to newer operating systems. Therefore, they
are not allowed any internet access.
Interface eth1 has two zones, "loc" and "guest". The "loc" zone
basically has unrestricted outgoing access to the internet and
samba access to the "lab" zone. It has no access to the "guest"
zone. The "guest" zone has no access to either the "lab" or "loc"
zones. It does have unrestricted access to the internet. I know
that by changing routing tables users in the "loc" zone can access
computers in the "guest" zone and vice-versa, but this is not a
concern.
Computers in the "loc" zone get a fixed address (192.168.1.0/24)
by DHCP. Any computer that does not have a MAC in the DHCP
configuration file gets a DHCP address from the 192.168.4.0/24
group.
Other than ssh to the firewall computer, there are no servers that
need to receive connections from the internet.
Here are the interfaces, hosts, and zones files:
Interfaces

#ZONE INTERFACE BROADCAST                    OPTIONS
net   eth0      detect                       tcpflags,nosmurfs,routefilter,logmartians,dhcp
-     eth1      192.168.1.255,192.168.4.255  tcpflags,nosmurfs,routefilter,logmartians,dhcp
lab   eth2      192.168.2.255                tcpflags,nosmurfs,routefilter,logmartians,dhcp
Hosts

#ZONE HOST(S)             OPTIONS
loc   eth1:192.168.1.0/24 -
guest eth1:192.168.4.0/24 -
Zones

#ZONE TYPE     OPTIONS IN OUT
fw    firewall
net   ipv4     # The internet on eth0
loc   ipv4     # Adherent network on eth1 with internet access
lab   ipv4     # Adherent network on eth2 with NO internet access
guest ipv4     # Guest network on eth1 with internet access
Sorry for the long-winded post; I'm just getting started with
firewalls. If someone with more knowledge than I could look over
my files and tell me if my configuration will do what I want, or
what changes I need to make, I would really appreciate it.
Brent
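
The masq file from the post, shown beside a version keyed on the internet-facing interface, as an added example that is not part of the original message. It assumes, as the post states, that eth0 is the interface toward the cable modem, and that in the Shorewall 4.5 masq file the first column is the interface a packet leaves through (not the interface it arrives on).

```text
# /etc/shorewall/masq as posted. The INTERFACE column names the interface
# the packet LEAVES through, so these entries only affect traffic exiting
# eth1/eth2; nothing leaving eth0 toward the internet is masqueraded, and a
# host on the eth0 side sees a 192.168.1.x source it has no route back to
# (192.168.8.80 replies only because it was given such a route).
#INTERFACE SOURCE         ADDRESS PROTO PORT(S) IPSEC MARK
eth1       192.168.1.0/24                                    #loc zone
eth1       192.168.4.0/24                                    #guest zone
eth2       192.168.2.0/24                                    #lab zone

# Same file with masquerading applied where internet traffic actually exits
# (eth0, the DHCP-addressed "net" interface in the posted interfaces file).
# Replies now return to eth0's address and the firewall reverses the NAT, so
# the remote host needs no route to the "loc" or "guest" networks.
#INTERFACE SOURCE         ADDRESS PROTO PORT(S) IPSEC MARK
eth0       192.168.1.0/24                                    #loc zone
eth0       192.168.4.0/24                                    #guest zone
# No entry for 192.168.2.0/24: the post says "lab" gets no internet access.
# That restriction belongs in the policy file (lab -> net DROP or REJECT);
# leaving lab out of masq does not by itself block its traffic to eth0.
```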