Re: [Shorewall-users] Setting Up a DMZ Fail
> Original Message
> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
> Local Time: November 13, 2017 4:37 PM
> UTC Time: November 14, 2017 12:37 AM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>>> I've given up on trying to set up a Private Virtual Network in
>>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>>
>>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>>> the router VM, just like all the other VMs. The DMZ and router have
>>> their own IP class C's (different from the LAN). I'm uneasy with
>>> this, as if an interface could be put in promiscuous...
>>>
>>> But what else am I going to do? Using a bridge isn't very secure as
>>> it depends on a software driver, and if a flaw is found/exists in
>>> that? It is hard to get bolt-sure isolation from some VMs, with
>>> communication in others.
>>>
>>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>>> machine. Nothing in the logs, as usual.
>>
>> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>> into it, I added in snat:
>
> Your LAN does NOT have to be NATted to your DMZ.
>
>>     SNAT(10.1.111.3)    192.168.1.2    10.1.111.2    ssh
>>
>> Not understanding what to put in () (and it doesn't work without
>> something) I put in an IP that's in the same class C as the DMZ, which
>> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
>> 10.1.111.2 is the DMZ interface in the router which is supposed to point
>> to the DMZ machine at 10.1.111.30.
>>
>> But now Shorewall won't start because it does not recognize the service
>> ssh! WTH? I knew it's good but just to be sure I checked
>> /etc/services, and yep, port 22.
>
> You are missing the protocol column. Also, the syntax of the destination
> column requires an interface name.
>
>> Even if this worked, another problem with this is that if I snat all SSH
>> traffic to the DMZ, I can no longer SSH out to The Internets.
>> Everything gets turned around to the DMZ.
>>
>> I can't believe there isn't a writeup on this anywhere.
>
> What is different about your configuration and the one shown in the
> Three Interface Howto (http://www.shorewall.org/three-interface.htm)?
>
> -Tom

The problem was with my DMZ VM. I found I couldn't get out of it to do
anything, and nobody could get in. Only had access through the KVM
console. I'm so exhausted that I don't remember what was wrong, but all
is working now and I've taken backups of this clean snapshot on which I
can base experiments.

Still left with the question of the most secure way to join the DMZ to
the network. Right now I'm using hardware SR-IOV interfaces, but they
could be put in promiscuous mode. KVM's Private Virtual Networking
didn't work, and the software bridge driver in the host could have
exploitable flaws. Wondering what best practice is for KVM DMZ
isolation? (And I'm probably not the only one here)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Setting Up a DMZ Fail
On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>> I've given up on trying to set up a Private Virtual Network in
>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>
>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>> the router VM, just like all the other VMs. The DMZ and router have
>> their own IP class C's (different from the LAN). I'm uneasy with
>> this, as if an interface could be put in promiscuous...
>>
>> But what else am I going to do? Using a bridge isn't very secure as
>> it depends on a software driver, and if a flaw is found/exists in
>> that? It is hard to get bolt-sure isolation from some VMs, with
>> communication in others.
>>
>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>> machine. Nothing in the logs, as usual.
>
> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
> into it, I added in snat:

Your LAN does NOT have to be NATted to your DMZ.

>     SNAT(10.1.111.3)    192.168.1.2    10.1.111.2    ssh
>
> Not understanding what to put in () (and it doesn't work without
> something) I put in an IP that's in the same class C as the DMZ, which
> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
> 10.1.111.2 is the DMZ interface in the router which is supposed to point
> to the DMZ machine at 10.1.111.30.
>
> But now Shorewall won't start because it does not recognize the service
> ssh! WTH? I knew it's good but just to be sure I checked
> /etc/services, and yep, port 22.

You are missing the protocol column. Also, the syntax of the destination
column requires an interface name.

> Even if this worked, another problem with this is that if I snat all SSH
> traffic to the DMZ, I can no longer SSH out to The Internets.
> Everything gets turned around to the DMZ.
>
> I can't believe there isn't a writeup on this anywhere.

What is different about your configuration and the one shown in the
Three Interface Howto (http://www.shorewall.org/three-interface.htm)?

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
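As an added worked example (not code from this thread or from the Shorewall project), here is a minimal Shorewall 5 three-interface layout for the router VM described above, using the interface roles implied by the posted routing table (eth1 carries the default route to the ISP, eth0 sits on the DMZ 10.1.111.0/24, ens10 on the LAN 192.168.1.0/24). It is written into a scratch directory, not /etc/shorewall, and shows the two points Tom makes: LAN-to-DMZ SSH is ordinary routing that needs only a rule in the rules file, not an snat entry, and an snat entry's DEST column names an interface, with a service such as ssh belonging in the PORT column behind a PROTO column. The `lint_snat` function is a hypothetical helper of my own that flags both mistakes in the posted `SNAT(...)` line; the zone names and the SSH/DNS/Web/Ping macros are standard Shorewall names, while the policy choices, the interface options and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a minimal
# Shorewall 5 three-interface layout for the router VM in this thread,
# written to a scratch directory, plus a small lint for the snat file.
# Interface roles follow the posted routing table:
#   eth1  -> net (default route, ISP)
#   eth0  -> dmz (10.1.111.0/24)
#   ens10 -> loc (192.168.1.0/24)
# Policy choices, interface options, the scratch directory and lint_snat
# are assumptions made for illustration.

SW_DIR="${SW_DIR:-$(mktemp -d)}"

# Write a three-interface configuration into directory $1.
write_shorewall_config() {
    d="$1"
    cat > "$d/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    cat > "$d/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     ens10       tcpflags,nosmurfs,routefilter,logmartians
dmz     eth0        tcpflags,nosmurfs,routefilter,logmartians
EOF
    cat > "$d/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
dmz     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$d/rules" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DPORT
# LAN -> DMZ is ordinary routing through the firewall: a rule, not NAT.
SSH(ACCEPT)     loc     dmz
# What the DMZ host may open toward the Internet (name service first).
DNS(ACCEPT)     dmz     net
Web(ACCEPT)     dmz     net
Ping(ACCEPT)    dmz     net
EOF
    cat > "$d/snat" <<'EOF'
#ACTION     SOURCE                          DEST    PROTO   PORT
# Only traffic leaving on the ISP interface is masqueraded; the DEST
# column names that interface, never a host address.
MASQUERADE  192.168.1.0/24,10.1.111.0/24    eth1
EOF
}

# The line posted in the thread, kept for comparison.
write_bad_snat() {
    cat > "$1" <<'EOF'
SNAT(10.1.111.3)    192.168.1.2    10.1.111.2    ssh
EOF
}

# lint_snat FILE "iface iface ..." -> 0 if every entry looks sane, 1 otherwise.
# Checks: DEST must start with a listed interface name; PROTO must be a
# protocol, not a service name; a PORT needs a tcp/udp PROTO in front of it.
lint_snat() {
    file="$1"; ifaces="$2"; status=0
    while read -r action source dest proto port rest; do
        case "$action" in ''|"#"*|"?"*) continue ;; esac
        dev="${dest%%:*}"; dev="${dev%+}"
        found=0
        for i in $ifaces; do
            [ "$dev" = "$i" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "snat: DEST '$dest' is not an interface ($action $source)" >&2
            status=1
        fi
        case "$proto" in
            ''|-|tcp|udp|icmp|all|[0-9]*) ;;
            *) echo "snat: '$proto' sits in the PROTO column; write 'tcp $proto' instead" >&2
               status=1 ;;
        esac
        if [ -n "$port" ]; then
            case "$proto" in
                tcp|udp|6|17) ;;
                *) echo "snat: PORT '$port' given without a tcp/udp PROTO" >&2
                   status=1 ;;
            esac
        fi
    done < "$file"
    return "$status"
}

write_shorewall_config "$SW_DIR"
lint_snat "$SW_DIR/snat" "eth0 eth1 ens10" && echo "snat: OK"
write_bad_snat "$SW_DIR/snat.bad"
lint_snat "$SW_DIR/snat.bad" "eth0 eth1 ens10" || echo "snat.bad: rejected"
```

Run as-is it writes into a temporary directory and prints one OK and one rejection. Setting SW_DIR to a copy of a real /etc/shorewall lets `lint_snat` run over an existing snat file, but `shorewall check` remains the authoritative test of the whole configuration; the lint only catches the two column mistakes discussed in the thread.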
Re: [Shorewall-users] Setting Up a DMZ Fail
> I've given up on trying to set up a Private Virtual Network in virt-manager
> (KVM), as it does not work. (CentOS7.4 all 'round)
>
> So I've now assigned a hardware ethernet port to the DMZ VM and one to the
> router VM, just like all the other VMs. The DMZ and router have their own IP
> class C's (different from the LAN). I'm uneasy with this, as if an interface
> could be put in promiscuous...
>
> But what else am I going to do? Using a bridge isn't very secure as it
> depends on a software driver, and if a flaw is found/exists in that? It is
> hard to get bolt-sure isolation from some VMs, with communication in others.
>
> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ
> IP, the LAN can get out to the WAN -- but not the DMZ machine. Nothing in
> the logs, as usual.

Presuming that my LAN has to be NATted to the DMZ in the router to SSH into
it, I added in snat:

    SNAT(10.1.111.3)    192.168.1.2    10.1.111.2    ssh

Not understanding what to put in () (and it doesn't work without something) I
put in an IP that's in the same class C as the DMZ, which otherwise isn't
being used. 192.168.1.2 is the source IP in the LAN and 10.1.111.2 is the DMZ
interface in the router which is supposed to point to the DMZ machine at
10.1.111.30.

But now Shorewall won't start because it does not recognize the service ssh!
WTH? I knew it's good but just to be sure I checked /etc/services, and yep,
port 22.

Even if this worked, another problem with this is that if I snat all SSH
traffic to the DMZ, I can no longer SSH out to The Internets. Everything gets
turned around to the DMZ.

I can't believe there isn't a writeup on this anywhere.
Re: [Shorewall-users] Setting Up a DMZ Fail
I've given up on trying to set up a Private Virtual Network in virt-manager
(KVM), as it does not work. (CentOS7.4 all 'round)

So I've now assigned a hardware ethernet port to the DMZ VM and one to the
router VM, just like all the other VMs. The DMZ and router have their own IP
class C's (different from the LAN). I'm uneasy with this, as if an interface
could be put in promiscuous...

But what else am I going to do? Using a bridge isn't very secure as it
depends on a software driver, and if a flaw is found/exists in that? It is
hard to get bolt-sure isolation from some VMs, with communication in others.

With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ
IP, the LAN can get out to the WAN -- but not the DMZ machine. Nothing in
the logs, as usual.
Re: [Shorewall-users] Setting Up a DMZ Fail
> We need to see the output of 'shorewall dump'. Please forward it as a
> compressed attachment; you can send it to me privately if you like.
>
> -Tom

It's a problem for me to get emails to you Tom, or I would have sent it.
Spam protections have eclipsed my one-horse hosting service (which has all
but collapsed), and this is all about my trying to move to my own cloud
instance. Last time, you gave me two additional addresses to try, but one
bounced, and I never heard back from you on the other so don't know whether
it went through.

I'm about ready to hand-deliver a printout to you... (I'm in Edmonds)
Re: [Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3
On 11/13/2017 12:07 PM, Simon Hobson wrote:
> Johannes Graumann wrote:
>
>> 1) Are there any nice, comprehensive interfaces to sort through the
>> plethora of switches available with filters for more than the bare
>> bones protocol requirements usually present?
> Not that I know of - PITA isn't it ?
>
>> 2) Can anyone recommend a switch that fulfills the following minimal
>> requirements:
>> - rack-mountable
>> - 1GB transfer rate
>> - >= 16 ports
>> - private VLAN support
>> - IGMP v3 (needed for Telekom streaming TV offering in Germany).
> I've used a few HP switches (mostly Procurve 1800 & 1900) at work and been
> very happy with them - but I don't think either of these models do your RFC
> 3376 IGMP. A quick search for "procurve rfc 3376 24G"* gives a selection of
> other models that appear to have this feature - the 2510-24G seems to have it
> and be quite affordable second hand.
>
> * I included 24G to see 24 port gigabit models.
>
> They tend to be available on secondhand sites, and as long as the previous
> owner hasn't had a warranty claim**, then you get a lifetime warranty on
> them. And the warranty service is brilliant (we had a couple of failures, but
> then our environment wasn't "kind" to them) - fill in the details online, you
> get a replacement switch the next day, you swap all the bits over (rack
> mounting ears, modules, etc), then you ship the broken one back.
>
> ** Technically the warranty only applies to the original purchaser, but as
> long as they haven't registered it in their own name then HP need never know
> ;-)

I run the Netgear GS728TP, although VLANning requires you to hold a broom in
the air while holding your mouth crooked and hopping on one leg.
Re: [Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3
Johannes Graumann wrote:

> 1) Are there any nice, comprehensive interfaces to sort through the
> plethora of switches available with filters for more than the bare
> bones protocol requirements usually present?

Not that I know of - PITA isn't it ?

> 2) Can anyone recommend a switch that fulfills the following minimal
> requirements:
> - rack-mountable
> - 1GB transfer rate
> - >= 16 ports
> - private VLAN support
> - IGMP v3 (needed for Telekom streaming TV offering in Germany).

I've used a few HP switches (mostly Procurve 1800 & 1900) at work and been
very happy with them - but I don't think either of these models do your RFC
3376 IGMP. A quick search for "procurve rfc 3376 24G"* gives a selection of
other models that appear to have this feature - the 2510-24G seems to have it
and be quite affordable second hand.

* I included 24G to see 24 port gigabit models.

They tend to be available on secondhand sites, and as long as the previous
owner hasn't had a warranty claim**, then you get a lifetime warranty on
them. And the warranty service is brilliant (we had a couple of failures, but
then our environment wasn't "kind" to them) - fill in the details online, you
get a replacement switch the next day, you swap all the bits over (rack
mounting ears, modules, etc), then you ship the broken one back.

** Technically the warranty only applies to the original purchaser, but as
long as they haven't registered it in their own name then HP need never know
;-)
Re: [Shorewall-users] Setting Up a DMZ Fail
On 11/13/2017 08:02 AM, Colony.three via Shorewall-users wrote:
>
>> Typical setup. All systems running CentOS7.4 on KVM. Shorewall
>> 5.0.14.1. Communication with DMZ by a virtual private bridge built in
>> virt-manager, and communication between LAN machines is by SR-IOV
>> ethernet hardware.
>>
>> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
>> followed the doc for 3 interface, setting the SNAT file:
>>
>>     .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
>>
>> (DMZ: 10. LAN: 192.)
>>
>> LAN masquerades through the router fine. From the router I can ping
>> the dmz and ssh to it just fine.
>>
>> Problem is the dmz machine can't ping out; can't even get
>> nameservice. And dmesg in both the dmz and router show -nothing- in
>> dmesg.
>>
>> Also I can't ssh from the lan to the dmz machine. I can ping it from
>> the router, and ssh in, but not from the LAN.
>
> Here's the routing table on the router:
>
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
> 10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
> link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10
>
> I can see why the LAN and DMZ should masquerade through the router to
> the world (although the DMZ does not). But how would I wire it so I can
> ssh from the LAN to the DMZ? Seems like SSH should go from the LAN into
> the router, and then out the DMZ because that's where its destination
> address is. So no masquerading should be necessary? Unfortunately it
> is not, and there's nothing in the logs.

We need to see the output of 'shorewall dump'. Please forward it as a
compressed attachment; you can send it to me privately if you like.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
Re: [Shorewall-users] Setting Up a DMZ Fail
> Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
> Communication with DMZ by a virtual private bridge built in virt-manager, and
> communication between LAN machines is by SR-IOV ethernet hardware.
>
> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
> followed the doc for 3 interface, setting the SNAT file:
>
>     .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1
>
> (DMZ: 10. LAN: 192.)
>
> LAN masquerades through the router fine. From the router I can ping the dmz
> and ssh to it just fine.
>
> Problem is the dmz machine can't ping out; can't even get nameservice. And
> dmesg in both the dmz and router show -nothing- in dmesg.
>
> Also I can't ssh from the lan to the dmz machine. I can ping it from the
> router, and ssh in, but not from the LAN.

Here's the routing table on the router:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10

I can see why the LAN and DMZ should masquerade through the router to the
world (although the DMZ does not). But how would I wire it so I can ssh from
the LAN to the DMZ? Seems like SSH should go from the LAN into the router,
and then out the DMZ because that's where its destination address is. So no
masquerading should be necessary? Unfortunately it is not, and there's
nothing in the logs.
[Shorewall-users] Setting Up a DMZ Fail
Typical setup. All systems running CentOS7.4 on KVM. Shorewall 5.0.14.1.
Communication with DMZ by a virtual private bridge built in virt-manager, and
communication between LAN machines is by SR-IOV ethernet hardware.

The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
followed the doc for 3 interface, setting the SNAT file:

    .MASQUERADE 10.1.111.30/32,192.168.1.0/24 eth1

(DMZ: 10. LAN: 192.)

LAN masquerades through the router fine. From the router I can ping the dmz
and ssh to it just fine.

Problem is the dmz machine can't ping out; can't even get nameservice. And
dmesg in both the dmz and router show -nothing- in dmesg.

Also I can't ssh from the lan to the dmz machine. I can ping it from the
router, and ssh in, but not from the LAN.
[Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3
Hello,

After I was pointed years ago to soekris.eu for an appropriate home FW and
was/am very happy with that, I'm trying again for segmenting the
appliances/IoT part of the network downstream of the FW ...

1) Are there any nice, comprehensive interfaces to sort through the
plethora of switches available with filters for more than the bare
bones protocol requirements usually present?

2) Can anyone recommend a switch that fulfills the following minimal
requirements:
- rack-mountable
- 1GB transfer rate
- >= 16 ports
- private VLAN support
- IGMP v3 (needed for Telekom streaming TV offering in Germany).

Thanks for any hints.

Sincerely, Joh