subject:"\[Shorewall\-users\] shorewall VLANs and network ranges"

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-18 Thread Vieri Di Paola

On Fri, Nov 16, 2018 at 6:50 PM Tom Eastep  wrote:
>
> You would see the same thing with other protocols. If you look at the
> last entry in the iptrace output that you posted, you will see that the
> last rule matched is rule #4 in the chain dmz12-fw which is:
>
>10   600 ACCEPT all  --  *  *   0.0.0.0/00.0.0.0/0 
>ctstate RELATED,ESTABLISHED
>
> Since there was a ping flow established before you swapped the cable,
> there was an entry in the conntrack table for that flow:
>
> icmp 1 29 src=192.168.215.200 dst=192.168.215.1 type=8 code=0 id=1 
> packets=117 bytes=7020 src=192.168.215.1 dst=192.168.215.200 type=0 code=0 
> id=1 packets=117 bytes=7020 mark=0 use=1
>
> As long as that entry hasn't timed out (and at the time of the dump, it
> wouldn't time out for another 29 seconds), packets matching that entry
> will be accepted by rule 4.
>
> If you had simply stopped pinging for 30 seconds then started pinging
> again, those later echo-request packets would have been dropped.

A huge thanks for this explanation!
It's really great to know what happens under the hood.

Vieri


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-16 Thread Tom Eastep

On 11/16/18 4:34 AM, Vieri Di Paola wrote:
> On Thu, Nov 15, 2018 at 8:48 PM Tom Eastep  wrote:
>> That's what I believe also.
>>
>> Vieri - Do I understand correctly that after you physically reconfigure,
>> things settle down after some period of time and work properly (and stay
>> working properly)? If so, I don't believe that there is anything here to
>> worry about.
> Simon and Tom, thank you for looking into this.
>
> I've noticed that it doesn't really matter if I put the Windows 10
> host to sleep for 30 seconds. It happens with any host (Linux, etc.),
> and the easy way to "make things work" is to simply disconnect the
> host cable from the switch (port with VLAN ID 11 Untagged, in my
> case), wait *at least* 30 seconds, and finally connect the cable to
> another switch port (VLAN ID 12 Untagged, in my case). If I honor this
> time lag, everything behaves "as expected". In my previous tests, I
> would move the cable from one port to another on the switch in way
> less than 30 seconds.
>
> I haven't found any ARP timeout setting on this particular switch,
> even though I've seen this option somewhere on another brand or model.
>
> Anyway, yes, once the physical connections are settled, everything
> seems to work fine. However, I have to keep in mind that any change in
> the wiring requires to keep the switch port down for at least 30
> seconds.
>
> I'm really curious though, so I took another look at the logs.
> The shorewall iptrace below was taken from my previous post at
> https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
> .That's when things were "not working right". According to the trace,
> the packets are actually entering chain dmz12-fw. They should be
> dropped, but they are apparently not according to what I see on the
> client host itself.
>
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: raw:PREROUTING:policy:13 IN=br0
> OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:PREROUTING:rule:1 IN=br0
> OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:PREROUTING:policy:9
> IN=br0 OUT= PHYSIN=enp8s5_12
> MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200
> DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=9994 PROTO=ICMP
> TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:INPUT:policy:1 IN=br0
> OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:INPUT:rule:6 IN=br0 OUT=
> PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:br0_in:rule:4 IN=br0
> OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
> Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:dmz12-fw:rule:4 IN=br0
> OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
>
> So I then searched the shorewall log and found this:
>
> Nov 15 09:36:40 inf-fw2 kernel: Shorewall:dmz12-fw:DROP:IN=br0 OUT=
> PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=62 TOS=0x00 PREC=0x00
> TTL=128 ID=9995 PROTO=UDP SPT=50892 DPT=53 LEN=42
>
> There's nothing regarding ICMP.
> I would have expected something like:
>
> Nov 16 09:36:40 inf-fw2 kernel: Shorewall:dmz12-fw:DROP:IN=br0 OUT=
> PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
> SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
> TTL=128 ID=19982 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=22595
> (this line was taken today from a "working environment")
>
> Basically, what puzzles me most is that the "iptrace" shows that the
> dmz12-fw filter is being applied to the ICMP message, but nothing is
> logged regarding ICMP in syslog.
> I'm wondering if this behavior is ICMP-specific. I haven't tried other
> protocols and ports.

You would see the same thing with other protocols. If you look at the
last entry in the iptrace output that you posted, you will see that the
last rule matched is rule #4 in the chain dmz12-fw which is:

   10   600 ACCEPT all  --  *  *   0.0.0.0/00.0.0.0/0   
 ctstate RELATED,ESTABLISHED

Since there was a ping

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-16 Thread Vieri Di Paola

On Thu, Nov 15, 2018 at 8:48 PM Tom Eastep  wrote:
>
> That's what I believe also.
>
> Vieri - Do I understand correctly that after you physically reconfigure,
> things settle down after some period of time and work properly (and stay
> working properly)? If so, I don't believe that there is anything here to
> worry about.

Simon and Tom, thank you for looking into this.

I've noticed that it doesn't really matter if I put the Windows 10
host to sleep for 30 seconds. It happens with any host (Linux, etc.),
and the easy way to "make things work" is to simply disconnect the
host cable from the switch (port with VLAN ID 11 Untagged, in my
case), wait *at least* 30 seconds, and finally connect the cable to
another switch port (VLAN ID 12 Untagged, in my case). If I honor this
time lag, everything behaves "as expected". In my previous tests, I
would move the cable from one port to another on the switch in way
less than 30 seconds.

I haven't found any ARP timeout setting on this particular switch,
even though I've seen this option somewhere on another brand or model.

Anyway, yes, once the physical connections are settled, everything
seems to work fine. However, I have to keep in mind that any change in
the wiring requires to keep the switch port down for at least 30
seconds.

I'm really curious though, so I took another look at the logs.
The shorewall iptrace below was taken from my previous post at
https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
.That's when things were "not working right". According to the trace,
the packets are actually entering chain dmz12-fw. They should be
dropped, but they are apparently not according to what I see on the
client host itself.

Nov 15 09:36:40 inf-fw2 kernel: TRACE: raw:PREROUTING:policy:13 IN=br0
OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:PREROUTING:rule:1 IN=br0
OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:PREROUTING:policy:9
IN=br0 OUT= PHYSIN=enp8s5_12
MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200
DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=9994 PROTO=ICMP
TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: mangle:INPUT:policy:1 IN=br0
OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:INPUT:rule:6 IN=br0 OUT=
PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:br0_in:rule:4 IN=br0
OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395
Nov 15 09:36:40 inf-fw2 kernel: TRACE: filter:dmz12-fw:rule:4 IN=br0
OUT= PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=9994 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16395

So I then searched the shorewall log and found this:

Nov 15 09:36:40 inf-fw2 kernel: Shorewall:dmz12-fw:DROP:IN=br0 OUT=
PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=62 TOS=0x00 PREC=0x00
TTL=128 ID=9995 PROTO=UDP SPT=50892 DPT=53 LEN=42

There's nothing regarding ICMP.
I would have expected something like:

Nov 16 09:36:40 inf-fw2 kernel: Shorewall:dmz12-fw:DROP:IN=br0 OUT=
PHYSIN=enp8s5_12 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=19982 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=22595
(this line was taken today from a "working environment")

Basically, what puzzles me most is that the "iptrace" shows that the
dmz12-fw filter is being applied to the ICMP message, but nothing is
logged regarding ICMP in syslog.
I'm wondering if this behavior is ICMP-specific. I haven't tried other
protocols and ports.

Anyway, I can live with it. Thanks again.

Vieri

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-15 Thread Tom Eastep

On 11/15/18 9:47 AM, Simon Matter wrote:
>> OK, I'm seeing a very odd behavior here, but at least I can now easily
>> reproduce the issue.
>>
>> I have a test host with IP address 192.168.215.200 pinging continously
>> the Shorewall FW at 192.168.215.1.
>> At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
>> on the FW is connected to Switch Port VLAN 11 tagged + 12 tagged + 1
>> tagged). It gets the ICMP replies just fine, as expected according to
>> my Shorewall rules.
>>
>> I've captured dumps and traces while this was happening (I can see
>> traffic on VLAN 11, nothing on VLAN 12 which is OK):
>>
>> SW DUMP:
>> https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
>> SW TRACE:
>> https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy
>>
>> I then disconnected the test host's ethernet cable from the Switch and
>> plugged it into another port on the same Switch but with VLAN ID 12
>> Untagged.
>> The test host keeps pinging FW at 192.168.215.1 successfully when it
>> SHOULDN'T because of my Shorewall rules and policies.
>> A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP
>> requests/replies.
>> A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11
>> traffic.
>>
>> I grabbed a SW dump, SW trace and a tcpdump:
>>
>> TCPDUMP on enp8s5_12:
>> https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
>> TCPDUMP on enp8s5:
>> https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
>> SW DUMP:
>> https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
>> SW TRACE:
>> https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
>>
>> The test host is a Windows 10 laptop. Disconnecting its ethernet cable
>> and putting it back in did not change anything. However, I noticed
>> that if I put the laptop in sleep mode and woke it up again after AT
>> LEAST 30 seconds, traffic behavior would finally be "as expected", ie.
>> the test host would fail pinging the FW.
> 
> I can't follow you here with all the details and dumps...
> 
> It just sounds to me like it has something to do with ARP caches, on a
> switch, on a host, on a router?
> 
> Or even more fun, host routes generated through ICMP redirect messages?
> 

That's what I believe also.

Vieri - Do I understand correctly that after you physically reconfigure,
things settle down after some period of time and work properly (and stay
working properly)? If so, I don't believe that there is anything here to
worry about.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



signature.asc
Description: OpenPGP digital signature
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-15 Thread Simon Matter

> OK, I'm seeing a very odd behavior here, but at least I can now easily
> reproduce the issue.
>
> I have a test host with IP address 192.168.215.200 pinging continously
> the Shorewall FW at 192.168.215.1.
> At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
> on the FW is connected to Switch Port VLAN 11 tagged + 12 tagged + 1
> tagged). It gets the ICMP replies just fine, as expected according to
> my Shorewall rules.
>
> I've captured dumps and traces while this was happening (I can see
> traffic on VLAN 11, nothing on VLAN 12 which is OK):
>
> SW DUMP:
> https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
> SW TRACE:
> https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy
>
> I then disconnected the test host's ethernet cable from the Switch and
> plugged it into another port on the same Switch but with VLAN ID 12
> Untagged.
> The test host keeps pinging FW at 192.168.215.1 successfully when it
> SHOULDN'T because of my Shorewall rules and policies.
> A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP
> requests/replies.
> A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11
> traffic.
>
> I grabbed a SW dump, SW trace and a tcpdump:
>
> TCPDUMP on enp8s5_12:
> https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
> TCPDUMP on enp8s5:
> https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
> SW DUMP:
> https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
> SW TRACE:
> https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog
>
> The test host is a Windows 10 laptop. Disconnecting its ethernet cable
> and putting it back in did not change anything. However, I noticed
> that if I put the laptop in sleep mode and woke it up again after AT
> LEAST 30 seconds, traffic behavior would finally be "as expected", ie.
> the test host would fail pinging the FW.

I can't follow you here with all the details and dumps...

It just sounds to me like it has something to do with ARP caches, on a
switch, on a host, on a router?

Or even more fun, host routes generated through ICMP redirect messages?

Regards,
Simon



___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-15 Thread Vieri Di Paola

OK, I'm seeing a very odd behavior here, but at least I can now easily
reproduce the issue.

I have a test host with IP address 192.168.215.200 pinging continously
the Shorewall FW at 192.168.215.1.
At first, I connect it to Switch Port with VLAN ID 11 Untagged (enp8s5
on the FW is connected to Switch Port VLAN 11 tagged + 12 tagged + 1
tagged). It gets the ICMP replies just fine, as expected according to
my Shorewall rules.

I've captured dumps and traces while this was happening (I can see
traffic on VLAN 11, nothing on VLAN 12 which is OK):

SW DUMP: https://drive.google.com/open?id=1_wLPvrowWGE4CPFYMQSzqxz0_FvZXm4q
SW TRACE: https://drive.google.com/open?id=1AXzSDhBTN62veUPYjzVxgddPEBdY1Amy

I then disconnected the test host's ethernet cable from the Switch and
plugged it into another port on the same Switch but with VLAN ID 12
Untagged.
The test host keeps pinging FW at 192.168.215.1 successfully when it
SHOULDN'T because of my Shorewall rules and policies.
A tcpdump on the enp8s5_12 interface shows VLAN 12 traffic and ICMP
requests/replies.
A tcpdump on the enp8s5_11 interface shows that there's no more VLAN 11 traffic.

I grabbed a SW dump, SW trace and a tcpdump:

TCPDUMP on enp8s5_12:
https://drive.google.com/open?id=1JVSOMNsXmPA1gKaVhYguZr0VmKzwSOER
TCPDUMP on enp8s5:
https://drive.google.com/open?id=1pxyuMP6lynquB_BEks56HzjPqeWg-J6U
SW DUMP: https://drive.google.com/open?id=1donyBraZpwKSyNG4w75LGkfPvlwgf3B9
SW TRACE: https://drive.google.com/open?id=1eFYjF9HPi144uzl2Y_oDZxtMCDq4fSog

The test host is a Windows 10 laptop. Disconnecting its ethernet cable
and putting it back in did not change anything. However, I noticed
that if I put the laptop in sleep mode and woke it up again after AT
LEAST 30 seconds, traffic behavior would finally be "as expected", ie.
the test host would fail pinging the FW.

I grabbed tcpdumps during this last phase:

TCPDUMP on enp8s5_12:
https://drive.google.com/open?id=1N7nFuCIDrEnTMjmL-licXQdWNl1-zVpi
TCPDUMP on enp8s5:
https://drive.google.com/open?id=1nv3VRelC6WicJauQTXqAWffb-HV5l5DL

If I compare the SW traces, I don't see anything strange at first
glance. Before moving the network cable, traffic was filtered through
dmz11-fw. Afterwards, it was filtered through dmz12-fw. So it "sounds"
right.

Any thoughts?

Vieri


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-14 Thread Vieri Di Paola

On Wed, Nov 14, 2018 at 6:14 PM Tom Eastep  wrote:
>
> No -- I was apparently confusing enp8s5 with enp5s0 (I hate this new NIC
> naming convention).
>
> It appears that *no* traffic entered via enp5s0 during the period of
> time covered by the dump:

hmm,,, you mean enp8s5, right? ;-)

> Or, at least, none made it as far as the filter table. So I suggest
> analyzing the packet flow with 'shorewall iptrace -s 192.168.215.201 -d
> 192.168.215.1' so we can see how netfilter is processing the echo
> request packets'.

I'll do an iptrace asap. In the meantime, I've noticed something
really weird. After a "while" (not quantifiable yet), the traffic
seems to flow "as expected", and the Shorewall rules/policies are
being "applied", finally. However, I've also noticed the following
*after everything seemed to be working OK*:

1) one host was connected to Switch Port with VLAN 11 Untagged (host1)
2) another host to Switch Port VLAN 12 Untagged (host2)
3) the Shorewall br0 config now includes vlans 1, 11, 12 and is
working "fine", apparently. For instance, according to my new rules,
vlan 11 hosts can only ping dst_host1, vlan 12 hosts can only ping
dst_host2. So, host1 can ping dst_host1, host2 can ping dst_host2.
All's fine until I switch the cables of both host1 and host2, ie. I
connect host1 to Switch Port with VLAN 12 Untagged, and host2 to
Switch Port VLAN 11 Untagged. I was expecting to see DROPped packets
on both hosts. Instead, they were pinging just fine.
4) tcpdump -i enp8s5 -n -e vlan showed that the ICMP packets from
host1 were marked with "vlan 12", packets from host2 were marked with
"vlan 11" (it was the other way around before switching the cables on
the Switch). So everything "seems" to be OK, but the SW rules/policies
are not honored.
5) finally, if I wait a "while", the packets are suddenly "DROPped",
according to my SW rules. I do not do anything at all on the Shorewall
system -- not even a reload.
6) it also seems that restarting the Switch fixes these issues...
Again, I have NOT touched the switch's configuration. Also, the above
tcpdump (-e vlan) seems to reflect the right VLAN IDs each time. In
any case, I haven't done this so often as to confirm that restarting
the switch actually "fixes things".

So at this point it could be anything.

I'll perform an iptrace and post the results asap.

Thanks,

Vieri

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-14 Thread Tom Eastep

On 11/14/18 12:29 AM, Vieri Di Paola wrote:
> On Wed, Nov 14, 2018 at 12:53 AM Tom Eastep  wrote:
>> Because you have given interface enp8s5 an IP address and have assigned
>> it to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
>> configuration never comes into play. In a valid bridge configuration,
>> the bridge port interfaces have no IP configuration and are only defined
>> to Shorewall as bport interfaces.
> You lost me there.
>
> As far as I can tell, I haven't set any IP address to enp8s5 or
> assigned it to the dmz zone.
> Here's what I have in my interfaces file:
>
> dmz enp5s0 routeback,dhcp,proxyarp=1
> dmzxbr0 bridge,dhcp,proxyarp=1
> dmz0br0:enp8s5  routeback
> dmz1br0:enp8s5_1routeback
> dmz11   br0:enp8s5_11   routeback
>
> Also, this is my network configuration which is the same as the one
> reported in the SW dump:
>
> # ip addr show enp8s5
> 8: enp8s5:  mtu 1500 qdisc fq_codel
> master br0 state UP group default qlen 1000
> link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
> inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>valid_lft forever preferred_lft forever
> # ip addr show enp8s5_1
> 60: enp8s5_1@enp8s5:  mtu 1500 qdisc
> noqueue master br0 state UP group default qlen 1000
> link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
> inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>valid_lft forever preferred_lft forever
> # ip addr show enp8s5_11
> 61: enp8s5_11@enp8s5:  mtu 1500 qdisc
> noqueue master br0 state UP group default qlen 1000
> link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
> inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>valid_lft forever preferred_lft forever
> # ip addr show br0
> 62: br0:  mtu 1500 qdisc
> noqueue state UP group default qlen 1000
> link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
> inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
>valid_lft forever preferred_lft forever
> inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>valid_lft forever preferred_lft forever
> # ip addr show enp5s0
> 2: enp5s0:  mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
> inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
>valid_lft forever preferred_lft forever
> inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
>valid_lft forever preferred_lft forever
> inet6 fe80::6a05:caff:fe11:6430/64 scope link
>valid_lft forever preferred_lft forever
>
> As you can see from the above, enp8s5 does not have an IP address
> configured. Only br0 has a management IP address which I need anyway.
> Also, br0 only covers enp8s5, enp8s5_1 and enp8s5_11, not enp5s0.
>
> The traffic's source address reported in this dump is not in the dmz
> zone but in dmz1, ie. the traffic flow is through the br0 bridge.
>
> Have I overlooked something?
>
No -- I was apparently confusing enp8s5 with enp5s0 (I hate this new NIC
naming convention).

It appears that *no* traffic entered via enp5s0 during the period of
time covered by the dump:

Chain br0_fwd (1 references)
 pkts bytes target prot opt in out source   destination 

0 0 dmz0_frwd  all  --  *  *   0.0.0.0/00.0.0.0/0   
 PHYSDEV match --physdev-in enp8s5 policy match dir in pol none 
<
   25  4464 dmz1_frwd  all  --  *  *   0.0.0.0/00.0.0.0/0   
 PHYSDEV match --physdev-in enp8s5_1 policy match dir in pol none
0 0 dmz11_frwd  all  --  *  *   0.0.0.0/00.0.0.0/0  
  PHYSDEV match --physdev-in enp8s5_11 policy match dir in pol none
0 0 dmzx_frwd  all  --  *  *   0.0.0.0/00.0.0.0/0   
 policy match dir in pol none

Chain br0_in (1 references)
 pkts bytes target prot opt in out source   destination 

0 0 dmz0-fwall  --  *  *   0.0.0.0/00.0.0.0/0   
 PHYSDEV match --physdev-in enp8s5 policy match dir in pol none 
<===
   49  4424 dmz1-fwall  --  *  *   0.0.0.0/00.0.0.0/0   
 PHYSDEV match --physdev-in enp8s5_1 policy match dir in pol none
0 0 dmz11-fw   all  --  *  *   0.0.0.0/00.0.0.0/0   
 PHYSDEV match --physdev-in enp8s5_11 policy match dir in pol none
0 0 dmzx-fwall  --  *  *   0.0.0.0/00.0.0.0/0   
 policy match dir in pol none

Or, at least, none made it as far as the filter table. So I suggest
analyzing the packet flow with 'shorewall iptrace -s 192.168.215.201 -d
192.168.215.1' so we can see how netfilter is processing the echo
request packets'.

-Tom

-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A:

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-14 Thread Vieri Di Paola

On Wed, Nov 14, 2018 at 12:53 AM Tom Eastep  wrote:
>
> Because you have given interface enp8s5 an IP address and have assigned
> it to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
> configuration never comes into play. In a valid bridge configuration,
> the bridge port interfaces have no IP configuration and are only defined
> to Shorewall as bport interfaces.

You lost me there.

As far as I can tell, I haven't set any IP address to enp8s5 or
assigned it to the dmz zone.
Here's what I have in my interfaces file:

dmz enp5s0 routeback,dhcp,proxyarp=1
dmzxbr0 bridge,dhcp,proxyarp=1
dmz0br0:enp8s5  routeback
dmz1br0:enp8s5_1routeback
dmz11   br0:enp8s5_11   routeback

Also, this is my network configuration which is the same as the one
reported in the SW dump:

# ip addr show enp8s5
8: enp8s5:  mtu 1500 qdisc fq_codel
master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
   valid_lft forever preferred_lft forever
# ip addr show enp8s5_1
60: enp8s5_1@enp8s5:  mtu 1500 qdisc
noqueue master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
   valid_lft forever preferred_lft forever
# ip addr show enp8s5_11
61: enp8s5_11@enp8s5:  mtu 1500 qdisc
noqueue master br0 state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
   valid_lft forever preferred_lft forever
# ip addr show br0
62: br0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
   valid_lft forever preferred_lft forever
inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
   valid_lft forever preferred_lft forever
# ip addr show enp5s0
2: enp5s0:  mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
   valid_lft forever preferred_lft forever
inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
   valid_lft forever preferred_lft forever
inet6 fe80::6a05:caff:fe11:6430/64 scope link
   valid_lft forever preferred_lft forever

As you can see from the above, enp8s5 does not have an IP address
configured. Only br0 has a management IP address which I need anyway.
Also, br0 only covers enp8s5, enp8s5_1 and enp8s5_11, not enp5s0.

The traffic's source address reported in this dump is not in the dmz
zone but in dmz1, ie. the traffic flow is through the br0 bridge.

Have I overlooked something?

Vieri


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-13 Thread Tom Eastep

On 11/13/18 6:09 AM, Vieri Di Paola wrote:
> Here's another shorewall dump while pinging from a host with IP
> address 192.168.215.201 connected to a VLAN 1 Untagged switch port to
> the $FW's IP address 192.168.210.1 whose ethernet interface is
> connected to a VLAN 1 Tagged switch port (it is also Tagged VLAN 11).
> 
> https://drive.google.com/open?id=1Yir0pYxF4FfrfnE8THFQa09kaDPD6CsZ
> 
> I'm expecting DROPs because of my policy. The only ACCEPT rule I have is:
> 
> Ping/ACCEPT:infodmz11   $FW
> 
> However, the ICMP requests/replies are flowing.
> 
> # tcpdump -n -i enp8s5 -e
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
> 15:00:41.249573 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11488,
> length 40
> 15:00:41.249643 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11488, length 40
> 15:00:42.252547 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11489,
> length 40
> 15:00:42.252594 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11489, length 40
> 15:00:43.255624 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11490,
> length 40
> 15:00:43.255683 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11490, length 40
> 15:00:44.259597 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11491,
> length 40
> 15:00:44.259666 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11491, length 40
> 15:00:45.262619 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11492,
> length 40
> 15:00:45.262671 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11492, length 40
> 15:00:46.265721 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11493,
> length 40
> 15:00:46.265779 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11493, length 40
> 15:00:46.697949 48:ee:0c:37:8e:2e > 01:80:c2:00:00:0e, ethertype LLDP
> (0x88cc), length 60: LLDP, length 46
> 15:00:47.268733 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11494,
> length 40
> 15:00:47.268814 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11494, length 40
> 15:00:48.272706 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11495,
> length 40
> 15:00:48.272752 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
>> 192.168.215.201: ICMP echo reply, id 1, seq 11495, length 40
> 15:00:49.120878 fc:ec:da:a0:40:a5 > ff:ff:ff:ff:ff:ff, ethertype
> 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4,
> 192.168.210.48.50227 > 255.255.255.255.10001: UDP, length 146
> 15:00:49.121759 fc:ec:da:a0:40:a5 > 33:33:00:00:00:01, ethertype
> 802.1Q (0x8100), length 212: vlan 1, p 0, ethertype IPv6,
> fe80::feec:daff:fea0:40a5.43336 > ff02::1.10001: UDP, length 146
> 15:00:49.121950 fc:ec:da:a0:3d:a7 > ff:ff:ff:ff:ff:ff, ethertype
> 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4,
> 192.168.210.49.57553 > 255.255.255.255.10001: UDP, length 146
> 15:00:49.275777 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
> 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
> 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11496,
> length 40
> 15:00:49.2758

[Shorewall-users] shorewall VLANs and network ranges

2018-11-13 Thread Vieri Di Paola

Here's another shorewall dump while pinging from a host with IP
address 192.168.215.201 connected to a VLAN 1 Untagged switch port to
the $FW's IP address 192.168.210.1 whose ethernet interface is
connected to a VLAN 1 Tagged switch port (it is also Tagged VLAN 11).

https://drive.google.com/open?id=1Yir0pYxF4FfrfnE8THFQa09kaDPD6CsZ

I'm expecting DROPs because of my policy. The only ACCEPT rule I have is:

Ping/ACCEPT:infodmz11   $FW

However, the ICMP requests/replies are flowing.

# tcpdump -n -i enp8s5 -e
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
15:00:41.249573 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11488,
length 40
15:00:41.249643 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11488, length 40
15:00:42.252547 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11489,
length 40
15:00:42.252594 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11489, length 40
15:00:43.255624 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11490,
length 40
15:00:43.255683 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11490, length 40
15:00:44.259597 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11491,
length 40
15:00:44.259666 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11491, length 40
15:00:45.262619 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11492,
length 40
15:00:45.262671 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11492, length 40
15:00:46.265721 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11493,
length 40
15:00:46.265779 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11493, length 40
15:00:46.697949 48:ee:0c:37:8e:2e > 01:80:c2:00:00:0e, ethertype LLDP
(0x88cc), length 60: LLDP, length 46
15:00:47.268733 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11494,
length 40
15:00:47.268814 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11494, length 40
15:00:48.272706 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11495,
length 40
15:00:48.272752 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11495, length 40
15:00:49.120878 fc:ec:da:a0:40:a5 > ff:ff:ff:ff:ff:ff, ethertype
802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4,
192.168.210.48.50227 > 255.255.255.255.10001: UDP, length 146
15:00:49.121759 fc:ec:da:a0:40:a5 > 33:33:00:00:00:01, ethertype
802.1Q (0x8100), length 212: vlan 1, p 0, ethertype IPv6,
fe80::feec:daff:fea0:40a5.43336 > ff02::1.10001: UDP, length 146
15:00:49.121950 fc:ec:da:a0:3d:a7 > ff:ff:ff:ff:ff:ff, ethertype
802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4,
192.168.210.49.57553 > 255.255.255.255.10001: UDP, length 146
15:00:49.275777 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4,
192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11496,
length 40
15:00:49.275830 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype
802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1
> 192.168.215.201: ICMP echo reply, id 1, seq 11496, length 40
15:00:50.278810 00:24:54:d9

[Shorewall-users] shorewall VLANs and network ranges

2018-11-13 Thread Vieri Di Paola

-- Forwarded message -
From: Vieri Di Paola 
Date: Tue, Nov 13, 2018 at 11:34 AM
Subject: Re: [Shorewall-users] shorewall VLANs and network ranges
To: 
>
> Here's the shorewall dump when I try to ping $FW (192.168.215.1) from
> a host in "dmz0" with IP address 192.168.215.200:
>
> https://drive.google.com/open?id=1ldm7DZvTEgaMqtt7Rt_PydWGd-XcSwWd
>
> The dmz0 host gets ICMP replies from the Firewall. Why?
> How can I properly reject this traffic?

Well, oddly enough, the ICMP traffic started to be rejected AFTER
quite a while...

Still though, I'm expecting to see a REJECT message on a regular basis
in Shorewall's log because the host at 192.168.215.200 is pinging
192.168.210.1 continuously.
Instead, here's the log:

Nov 13 11:43:50 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32297 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7884
Nov 13 11:43:51 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32298 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7885
Nov 13 11:43:52 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32299 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7886
Nov 13 11:43:53 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32302 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7887
Nov 13 11:43:58 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32305 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7888
Nov 13 11:43:59 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32310 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7889
Nov 13 11:44:00 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7890
Nov 13 11:44:01 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32313 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7891
Nov 13 11:44:02 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32314 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7892
Nov 13 11:44:03 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32315 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7893
Nov 13 11:44:04 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32316 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7894
Nov 13 11:44:05 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32318 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7895
Nov 13 11:44:06 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32319 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7896
Nov 13 11:44:07 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32320 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7897
Nov 13 11:44:08 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7898
Nov 13 11:44:09 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32326 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7899
Nov 13 11:44:10 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT=
PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00
SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00
TTL=128 ID=32329 PROT

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-13 Thread Vieri Di Paola

On Thu, Nov 8, 2018 at 5:49 PM Tom Eastep  wrote:
> > I was also trying to configure a bridge,
>
> There is *nothing* unique about VLAN interfaces, as far as Shorewall is
> concerned. Treat them just as you would non-VLAN ethernet devices.

OK, so I went for a bridge config.

It seems to be working as I expect it to.

However, there's one case where things don't seem to add up.

The switch the Shorewall firewall is connecting to has:

ports 1-10,13-44 Untagged VLAN 1
ports 45-48 Tagged VLAN 1 + Tagged VLAN 11 + TAGGED VLAN 12
port 11 Untagged VLAN 1
port 12 Untagged VLAN 12

When I connect the Shorewall Firewall to any one of the ports 45-48,
it seems that my Shorewall rules/policy are as I expect them to be.

However, if I connect my Shorewall interface to any one of the ports
1-10,13-44, I am expecting to REJECT packets according to my policy
here below (last line):

dmz11   lan ACCEPT  info
dmz11   $FW ACCEPT  info
dmz1lan ACCEPT  info
dmz1$FW ACCEPT  info
dmz0lan REJECT  info
dmz0$FW REJECT  info

Here's the shorewall dump when I try to ping $FW (192.168.215.1) from
a host in "dmz0" with IP address 192.168.215.200:

https://drive.google.com/open?id=1ldm7DZvTEgaMqtt7Rt_PydWGd-XcSwWd

The dmz0 host gets ICMP replies from the Firewall. Why?
How can I properly reject this traffic?

On the Shorewall system I can see the following:

# tcpdump -n -i enp8s5 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:44.376991 IP 192.168.215.200 > 192.168.215.1: ICMP echo request,
id 1, seq 7163, length 40
11:25:44.377038 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply,
id 1, seq 7163, length 40
11:25:45.394745 IP 192.168.215.200 > 192.168.215.1: ICMP echo request,
id 1, seq 7164, length 40
11:25:45.394805 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply,
id 1, seq 7164, length 40
11:25:46.410132 IP 192.168.215.200 > 192.168.215.1: ICMP echo request,
id 1, seq 7165, length 40
11:25:46.410172 IP 192.168.215.1 > 192.168.215.200: ICMP echo reply,
id 1, seq 7165, length 40
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

# tcpdump -n -i enp8s5_1 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5_1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

# tcpdump -n -i enp8s5_11 host 192.168.215.200
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s5_11, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Any ideas?

Vieri


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

2018-11-08 Thread Tom Eastep

On 11/8/18 4:56 AM, Vieri Di Paola wrote:
> Hi,
> 
> I'd like to describe my goal here to see if someone can guide me to
> the "best solution".
> 
> A Shorewall server has several ethernet interfaces, and one of them
> (say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11,
> eth0.12).
> 
> So eth0 is then connected to a "trunk" port on a managed switch
> (untagged VLAN 1, tagged VLAN 11, tagged VLAN 12).
> 
> The eth0 IP addr. configuration on the Shorewall system is something
> like 192.168.210.1/24, and the hosts in this LAN segment are within
> this IP addr. range with static IP addresses.
> It is REQUIRED that all hosts in this network have IP addresses within
> this range, and that the Shorewall server use the least IP addresses
> as possible (ie. 1).
> 
> As a simplified practical example, suppose I have the following:
> 
> - 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw 
> 192.168.210.1
> - 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw
> 192.168.210.1
> - 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw 
> 192.168.210.1
> 
> I need Shorewall to manage traffic between these VLANs
> (allow/drop/reject...). eg. I want only $FW to access VLAN 1 hosts,
> VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can
> access selected ports on VLAN 1 hosts.
> 
> The usual way to configure VLANs is to use non-overlapping IP ranges
> for each virtual interface.
> However, I cannot do that here.
> 
> I was thinking of using "parallel zones", but I'm not sure that would
> work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall
> Interfaces file).

Of course you can!!!

> 
> I was also trying to configure a bridge, but I don't know if and how I
> can bridge a VLAN with the interface, and then set Shorewall
> BPORT-based rules.
> Something like bridging eth0.1, eth0.11 and eth0.12, setting a
> management IP address 192.168.210.1/24, and then defining bridge zones
> and BPORT rules.
> 
> Can anyone please give me some hints and pointers?
> 

There is *nothing* unique about VLAN interfaces, as far as Shorewall is
concerned. Treat them just as you would non-VLAN ethernet devices.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



signature.asc
Description: OpenPGP digital signature
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

[Shorewall-users] shorewall VLANs and network ranges

2018-11-08 Thread Vieri Di Paola

Hi,

I'd like to describe my goal here to see if someone can guide me to
the "best solution".

A Shorewall server has several ethernet interfaces, and one of them
(say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11,
eth0.12).

So eth0 is then connected to a "trunk" port on a managed switch
(untagged VLAN 1, tagged VLAN 11, tagged VLAN 12).

The eth0 IP addr. configuration on the Shorewall system is something
like 192.168.210.1/24, and the hosts in this LAN segment are within
this IP addr. range with static IP addresses.
It is REQUIRED that all hosts in this network have IP addresses within
this range, and that the Shorewall server use the least IP addresses
as possible (ie. 1).

As a simplified practical example, suppose I have the following:

- 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw 192.168.210.1
- 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw
192.168.210.1
- 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw 192.168.210.1

I need Shorewall to manage traffic between these VLANs
(allow/drop/reject...). eg. I want only $FW to access VLAN 1 hosts,
VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can
access selected ports on VLAN 1 hosts.

The usual way to configure VLANs is to use non-overlapping IP ranges
for each virtual interface.
However, I cannot do that here.

I was thinking of using "parallel zones", but I'm not sure that would
work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall
Interfaces file).

I was also trying to configure a bridge, but I don't know if and how I
can bridge a VLAN with the interface, and then set Shorewall
BPORT-based rules.
Something like bridging eth0.1, eth0.11 and eth0.12, setting a
management IP address 192.168.210.1/24, and then defining bridge zones
and BPORT rules.

Can anyone please give me some hints and pointers?

Thanks,

Vieri


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

[Shorewall-users] shorewall VLANs and network ranges

[Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

Re: [Shorewall-users] shorewall VLANs and network ranges

[Shorewall-users] shorewall VLANs and network ranges

15 matches

Site Navigation

Mail list logo

Footer information