Re: [Shorewall-users] Setting Up a DMZ Fail
On 11/13/2017 05:51 PM, Colony.three via Shorewall-users wrote:
>
>
>> Original Message
>> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
>> Local Time: November 13, 2017 4:37 PM
>> UTC Time: November 14, 2017 12:37 AM
>> From: teas...@shorewall.net
>> To: shorewall-users@lists.sourceforge.net
>>
>> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>>
>> I've given up on trying to set up a Private Virtual Network in
>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>> the router VM, just like all the other VMs. The DMZ and router have
>> their own IP class C's (different from the LAN). I'm uneasy with
>> this, as if an interface could be put in promiscuous...
>> But what else am I going to do? Using a bridge isn't very secure as
>> it depends on a software driver, and if a flaw is found/exists in
>> that? It is hard to get bolt-sure isolation from some VMs, with
>> communication in others.
>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>> machine. Nothing in the logs, as usual.
>>
>> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>> into it, I added in snat:
>>
>> Your LAN does NOT have to be NATted to your DMZ.
>>
>> SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh
>> Not understanding what to put in () (and it doesn't work without
>> something) I put in an IP that's in the same class C as the DMZ, which
>> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
>> 10.1.111.2 is the DMZ interface in the router which is supposed to point
>> to the DMZ machine at 10.1.111.30.
>> But now Shorewall won't start because it does not recognize the service
>> ssh! WTH? I knew it's good but just to be sure I checked
>> /etc/services, and yep, port 22.
>>
>> You are missing the protocol column. Also, the syntax of the destination
>> column requires an interface name.
>> Even if this worked, another problem with this is that if I snat all SSH
>> traffic to the DMZ, I can no longer SSH out to The Internets.
>> Everything gets turned around to the DMZ.
>> I can't believe there isn't a writeup on this anywhere.
>>
>>
>>
>> What is different about your configuration and the one shown in the
>> Three Interface Howto (http://www.shorewall.org/three-interface.htm)?
>>
>> -Tom
>>
> The problem was with my DMZ VM. I found I couldn't get out of it to do
> anything, and nobody could get in. Only had access through the KVM
> console. I'm so exhausted that I don't remember what was wrong, but all
> is working now and I've taken backups of this clean snapshot on which I
> can base experiments.
>
> Still left with the question of the most secure way to join the DMZ to
> the network. Right now I'm using hardware SR-IOV interfaces, but they
> could be put in promiscuous mode. KVM's Private Virtual Networking
> didn't work, and the software bridge driver in the host could have
> exploitable flaws.
>
> Wondering what best practice is for KVM DMZ isolation? (And I'm
> probably not the only one here)

I personally use the software bridge.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \___

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Setting Up a DMZ Fail
> Original Message
> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
> Local Time: November 13, 2017 4:37 PM
> UTC Time: November 14, 2017 12:37 AM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>>> I've given up on trying to set up a Private Virtual Network in
>>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>>> the router VM, just like all the other VMs. The DMZ and router have
>>> their own IP class C's (different from the LAN). I'm uneasy with
>>> this, as if an interface could be put in promiscuous...
>>> But what else am I going to do? Using a bridge isn't very secure as
>>> it depends on a software driver, and if a flaw is found/exists in
>>> that? It is hard to get bolt-sure isolation from some VMs, with
>>> communication in others.
>>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>>> machine. Nothing in the logs, as usual.
>>
>> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>> into it, I added in snat:
>>
>> Your LAN does NOT have to be NATted to your DMZ.
>>
>> SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh
>> Not understanding what to put in () (and it doesn't work without
>> something) I put in an IP that's in the same class C as the DMZ, which
>> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
>> 10.1.111.2 is the DMZ interface in the router which is supposed to point
>> to the DMZ machine at 10.1.111.30.
>> But now Shorewall won't start because it does not recognize the service
>> ssh! WTH? I knew it's good but just to be sure I checked
>> /etc/services, and yep, port 22.
>>
>> You are missing the protocol column. Also, the syntax of the destination
>> column requires an interface name.
>> Even if this worked, another problem with this is that if I snat all SSH
>> traffic to the DMZ, I can no longer SSH out to The Internets.
>> Everything gets turned around to the DMZ.
>> I can't believe there isn't a writeup on this anywhere.
>
> What is different about your configuration and the one shown in the
> Three Interface Howto (http://www.shorewall.org/three-interface.htm)?
>
> -Tom

The problem was with my DMZ VM. I found I couldn't get out of it to do
anything, and nobody could get in. Only had access through the KVM
console. I'm so exhausted that I don't remember what was wrong, but all
is working now and I've taken backups of this clean snapshot on which I
can base experiments.

Still left with the question of the most secure way to join the DMZ to
the network. Right now I'm using hardware SR-IOV interfaces, but they
could be put in promiscuous mode. KVM's Private Virtual Networking
didn't work, and the software bridge driver in the host could have
exploitable flaws.

Wondering what best practice is for KVM DMZ isolation? (And I'm
probably not the only one here)
Re: [Shorewall-users] Setting Up a DMZ Fail
On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>> I've given up on trying to set up a Private Virtual Network in
>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>
>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>> the router VM, just like all the other VMs. The DMZ and router have
>> their own IP class C's (different from the LAN). I'm uneasy with
>> this, as if an interface could be put in promiscuous...
>>
>> But what else am I going to do? Using a bridge isn't very secure as
>> it depends on a software driver, and if a flaw is found/exists in
>> that? It is hard to get bolt-sure isolation from some VMs, with
>> communication in others.
>>
>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>> machine. Nothing in the logs, as usual.
>
> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
> into it, I added in snat:

Your LAN does NOT have to be NATted to your DMZ.

> SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh
>
> Not understanding what to put in () (and it doesn't work without
> something) I put in an IP that's in the same class C as the DMZ, which
> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
> 10.1.111.2 is the DMZ interface in the router which is supposed to point
> to the DMZ machine at 10.1.111.30.
>
> But now Shorewall won't start because it does not recognize the service
> ssh! WTH? I knew it's good but just to be sure I checked
> /etc/services, and yep, port 22.

You are missing the protocol column. Also, the syntax of the destination
column requires an interface name.

>
> Even if this worked, another problem with this is that if I snat all SSH
> traffic to the DMZ, I can no longer SSH out to The Internets.
> Everything gets turned around to the DMZ.
>
> I can't believe there isn't a writeup on this anywhere.
>

What is different about your configuration and the one shown in the
Three Interface Howto (http://www.shorewall.org/three-interface.htm)?

-Tom
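As an added illustration, not taken from the thread or from the Shorewall project, here is the snat entry as posted beside the shape the Three Interface Howto layout calls for. The zone names net/loc/dmz follow that Howto, and the interface roles (eth1 = WAN, ens10 = LAN, eth0 = DMZ) are assumed from the router's routing table earlier in this thread.

```text
# /etc/shorewall/snat -- the entry as posted in the thread.
# 'shorewall check' rejects it for the two reasons Tom gives:
#   * PORT "ssh" is given but the PROTO column is empty, so the
#     service name cannot be resolved;
#   * DEST must be an outgoing interface name (optionally
#     interface:address), not a bare address like 10.1.111.2.
#ACTION            SOURCE        DEST         PROTO   PORT
SNAT(10.1.111.3)   192.168.1.2   10.1.111.2           ssh

# Syntactically valid form of the same idea (assumed: eth0 is the
# router's DMZ interface). Because DEST is the DMZ-facing interface,
# only packets leaving toward the DMZ are rewritten; SSH sessions
# bound for the Internet leave via eth1 and are untouched, which
# answers the "everything gets turned around" worry. This still is
# not needed for LAN -> DMZ access.
#ACTION            SOURCE        DEST   PROTO   PORT
SNAT(10.1.111.3)   192.168.1.2   eth0   tcp     22

# What the three-interface layout actually needs: masquerade only
# traffic leaving on the Internet interface (assumed: eth1). Traffic
# between LAN and DMZ is plainly routed, so it has no snat entry.
#ACTION            SOURCE                          DEST
MASQUERADE         192.168.1.0/24,10.1.111.0/24    eth1

# /etc/shorewall/rules -- permit SSH from the LAN zone into the DMZ
# zone. The two lines are equivalent; the second uses Shorewall's
# SSH macro instead of spelling out tcp/22.
#ACTION            SOURCE   DEST   PROTO   DPORT
ACCEPT             loc      dmz    tcp     22
#SSH(ACCEPT)       loc      dmz
```

Run `shorewall check` after editing; it reports the missing-column and bad-DEST errors before anything is loaded into the kernel.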
Re: [Shorewall-users] Setting Up a DMZ Fail
> I've given up on trying to set up a Private Virtual Network in virt-manager
> (KVM), as it does not work. (CentOS7.4 all 'round)
>
> So I've now assigned a hardware ethernet port to the DMZ VM and one to the
> router VM, just like all the other VMs. The DMZ and router have their own IP
> class C's (different from the LAN). I'm uneasy with this, as if an interface
> could be put in promiscuous...
>
> But what else am I going to do? Using a bridge isn't very secure as it
> depends on a software driver, and if a flaw is found/exists in that? It is
> hard to get bolt-sure isolation from some VMs, with communication in others.
>
> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ
> IP, the LAN can get out to the WAN -- but not the DMZ machine. Nothing in
> the logs, as usual.

Presuming that my LAN has to be NATted to the DMZ in the router to SSH into
it, I added in snat:

SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh

Not understanding what to put in () (and it doesn't work without something)
I put in an IP that's in the same class C as the DMZ, which otherwise isn't
being used. 192.168.1.2 is the source IP in the LAN and 10.1.111.2 is the
DMZ interface in the router which is supposed to point to the DMZ machine at
10.1.111.30.

But now Shorewall won't start because it does not recognize the service ssh!
WTH? I knew it's good but just to be sure I checked /etc/services, and yep,
port 22.

Even if this worked, another problem with this is that if I snat all SSH
traffic to the DMZ, I can no longer SSH out to The Internets. Everything
gets turned around to the DMZ.

I can't believe there isn't a writeup on this anywhere.
Re: [Shorewall-users] Setting Up a DMZ Fail
I've given up on trying to set up a Private Virtual Network in virt-manager
(KVM), as it does not work. (CentOS7.4 all 'round)

So I've now assigned a hardware ethernet port to the DMZ VM and one to the
router VM, just like all the other VMs. The DMZ and router have their own IP
class C's (different from the LAN). I'm uneasy with this, as if an interface
could be put in promiscuous...

But what else am I going to do? Using a bridge isn't very secure as it
depends on a software driver, and if a flaw is found/exists in that? It is
hard to get bolt-sure isolation from some VMs, with communication in others.

With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ
IP, the LAN can get out to the WAN -- but not the DMZ machine. Nothing in
the logs, as usual.
Re: [Shorewall-users] Setting Up a DMZ Fail
> We need to see the output of 'shorewall dump'. Please forward it as a
> compressed attachment; you can send it to me privately if you like.
>
> -Tom

It's a problem for me to get emails to you Tom, or I would have sent it.
Spam protections have eclipsed my one-horse hosting service (which has all
but collapsed), and this is all about my trying to move to my own cloud
instance. Last time, you gave me two additional addresses to try, but one
bounced, and I never heard back from you on the other so don't know whether
it went through. I'm about ready to hand-deliver a printout to you... (I'm
in Edmonds)
Re: [Shorewall-users] Setting Up a DMZ Fail
On 11/13/2017 08:02 AM, Colony.three via Shorewall-users wrote:
>
>> Typical setup. All systems running CentOS7.4 on KVM. Shorewall
>> 5.0.14.1. Communication with DMZ by a virtual private bridge built in
>> virt-manager, and communication between LAN machines is by SR-IOV
>> ethernet hardware.
>>
>> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
>> followed the doc for 3 interface, setting the SNAT file:
>> .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
>> (DMZ: 10. LAN: 192.)
>>
>> LAN masquerades through the router fine. From the router I can ping
>> the dmz and ssh to it just fine.
>>
>> Problem is the dmz machine can't ping out; can't even get
>> nameservice. And dmesg in both the dmz and router show -nothing- in
>> dmesg.
>>
>> Also I can't ssh from the lan to the dmz machine. I can ping it from
>> the router, and ssh in, but not from the LAN.
>>
>
> Here's the routing table on the router:
>
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
> 10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
> link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10
>
>
>
> I can see why the LAN and DMZ should masquerade through the router to
> the world (although the DMZ does not). But how would I wire it so I can
> ssh from the LAN to the DMZ? Seems like SSH should go from the LAN into
> the router, and then out the DMZ because that's where its destination
> address is. So no masquerading should be necessary? Unfortunately it
> is not, and there's nothing in the logs.
>

We need to see the output of 'shorewall dump'. Please forward it as a
compressed attachment; you can send it to me privately if you like.

-Tom
Re: [Shorewall-users] Setting Up a DMZ Fail
> Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
> Communication with DMZ by a virtual private bridge built in virt-manager, and
> communication between LAN machines is by SR-IOV ethernet hardware.
>
> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
> followed the doc for 3 interface, setting the SNAT file:
> .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
> (DMZ: 10. LAN: 192.)
>
> LAN masquerades through the router fine. From the router I can ping the dmz
> and ssh to it just fine.
>
> Problem is the dmz machine can't ping out; can't even get nameservice. And
> dmesg in both the dmz and router show -nothing- in dmesg.
>
> Also I can't ssh from the lan to the dmz machine. I can ping it from the
> router, and ssh in, but not from the LAN.

Here's the routing table on the router:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10

I can see why the LAN and DMZ should masquerade through the router to the
world (although the DMZ does not). But how would I wire it so I can ssh from
the LAN to the DMZ? Seems like SSH should go from the LAN into the router,
and then out the DMZ because that's where its destination address is. So no
masquerading should be necessary? Unfortunately it is not, and there's
nothing in the logs.
[Shorewall-users] Setting Up a DMZ Fail
Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
Communication with DMZ by a virtual private bridge built in virt-manager, and
communication between LAN machines is by SR-IOV ethernet hardware.

The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
followed the doc for 3 interface, setting the SNAT file:
.MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
(DMZ: 10. LAN: 192.)

LAN masquerades through the router fine. From the router I can ping the dmz
and ssh to it just fine.

Problem is the dmz machine can't ping out; can't even get nameservice. And
dmesg in both the dmz and router show -nothing- in dmesg.

Also I can't ssh from the lan to the dmz machine. I can ping it from the
router, and ssh in, but not from the LAN.