Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
>  Original Message 
> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
> Local Time: November 13, 2017 4:37 PM
> UTC Time: November 14, 2017 12:37 AM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>>> I've given up on trying to set up a Private Virtual Network in
>>> virt-manager (KVM), as it does not work.  (CentOS7.4 all 'round)
>>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>>> the router VM, just like all the other VMs.  The DMZ and router have
>>> their own IP class C's (different from the LAN).  I'm uneasy with
>>> this, as if an interface could be put in promiscuous...
>>> But what else am I going to do?  Using a bridge isn't very secure as
>>> it depends on a software driver, and if a flaw is found/exists in
>>> that?  It is hard to get bolt-sure isolation from some VMs, with
>>> communication in others.
>>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>>> machine.  Nothing in the logs, as usual.
>>
>> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>> into it, I added in snat:
>
> Your LAN does NOT have to be NATted to your DMZ.
>
>> SNAT(10.1.111.3) 192.168.1.2   10.1.111.2    ssh
>>
>> Not understanding what to put in () (and it doesn't work without
>> something) I put in an IP that's in the same class C as the DMZ, which
>> otherwise isn't being used.  192.168.1.2 is the source IP in the LAN and
>> 10.1.111.2 is the DMZ interface in the router which is supposed to point
>> to the DMZ machine at 10.1.111.30.
>>
>> But now Shorewall won't start because it does not recognize the service
>> ssh!  WTH?  I knew it's good but just to be sure I checked
>> /etc/services, and yep, port 22.
>
> You are missing the protocol column. Also, the syntax of the destination
> column requires an interface name.
>
>> Even if this worked, another problem with this is that if I snat all SSH
>> traffic to the DMZ, I can no longer SSH out to The Internets.
>> Everything gets turned around to the DMZ.
>>
>> I can't believe there isn't a writeup on this anywhere.
>
> What is different about your configuration and the one shown in the
> Three Interface Howto (http://www.shorewall.org/three-interface.htm)?
>
> -Tom

The problem was with my DMZ VM.  I found I couldn't get out of it to do 
anything, and nobody could get in.  Only had access through the KVM console.  
I'm so exhausted that I don't remember what was wrong, but all is working now 
and I've taken backups of this clean snapshot on which I can base experiments.

Still left with the question of the most secure way to join the DMZ to the 
network.  Right now I'm using hardware SR-IOV interfaces, but they could be put 
in promiscuous mode.  KVM's Private Virtual Networking didn't work, and the 
software bridge driver in the host could have exploitable flaws.

Wondering what best practice is for KVM DMZ isolation?  (And I'm probably not 
the only one here)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Tom Eastep
On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
> 
>> I've given up on trying to set up a Private Virtual Network in
>> virt-manager (KVM), as it does not work.  (CentOS7.4 all 'round)
>>
>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>> the router VM, just like all the other VMs.  The DMZ and router have
>> their own IP class C's (different from the LAN).  I'm uneasy with
>> this, as if an interface could be put in promiscuous...
>>
>> But what else am I going to do?  Using a bridge isn't very secure as
>> it depends on a software driver, and if a flaw is found/exists in
>> that?  It is hard to get bolt-sure isolation from some VMs, with
>> communication in others.
>>
>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>> machine.  Nothing in the logs, as usual.
> 
> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
> into it, I added in snat:

Your LAN does NOT have to be NATted to your DMZ.

> SNAT(10.1.111.3) 192.168.1.2   10.1.111.2    ssh
> 
> Not understanding what to put in () (and it doesn't work without
> something) I put in an IP that's in the same class C as the DMZ, which
> otherwise isn't being used.  192.168.1.2 is the source IP in the LAN and
> 10.1.111.2 is the DMZ interface in the router which is supposed to point
> to the DMZ machine at 10.1.111.30.
> 
> But now Shorewall won't start because it does not recognize the service
> ssh!  WTH?  I knew it's good but just to be sure I checked
> /etc/services, and yep, port 22.

You are missing the protocol column. Also, the syntax of the destination
column requires an interface name.

> 
> Even if this worked, another problem with this is that if I snat all SSH
> traffic to the DMZ, I can no longer SSH out to The Internets. 
> Everything gets turned around to the DMZ.
> 
> I can't believe there isn't a writeup on this anywhere.
> 

What is different about your configuration and the one shown in the
Three Interface Howto (http://www.shorewall.org/three-interface.htm)?

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________
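As an added illustration (not code from the thread, and not copied from the Shorewall project's own howto), here is what the relevant Shorewall 5 files look like when laid out the way the Three Interface Howto does and filled in with the addresses from this thread. It shows the two points Tom makes: LAN-to-DMZ traffic is plain routing and needs no SNAT entry, and an entry in the snat file carries an interface name in the DEST column and a protocol before the port. The zone names loc/dmz/net, the interface-to-zone mapping (eth1 WAN, ens10 LAN, eth0 DMZ, read off the routing table posted earlier in the thread), and the interface options are assumptions.

```conf
# /etc/shorewall/zones  (zone names as in the Three Interface Howto)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# Assumed mapping, taken from the posted routing table: default route out
# eth1, 192.168.1.0/24 on ens10, 10.1.111.0/24 on eth0.
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,nosmurfs,routefilter,logmartians
loc     ens10       tcpflags,nosmurfs,routefilter,logmartians
dmz     eth0        tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Everything between zones is rejected and logged unless a rule below
# allows it; loc -> net is open, as in the howto.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/snat  (Shorewall 5.0.14+ format)
# Only traffic leaving on the WAN interface is masqueraded. LAN -> DMZ is
# ordinary routing (10.1.111.0/24 is directly reachable via eth0), so it
# needs no entry here. The whole DMZ subnet is listed so a DMZ host other
# than 10.1.111.30 gets out as well; a /32 source covers only that host.
#ACTION     SOURCE                          DEST    PROTO   DPORT
MASQUERADE  192.168.1.0/24,10.1.111.0/24    eth1

# /etc/shorewall/rules
# Each exception to the policies above is explicit: only SSH and ping are
# opened from the LAN into the DMZ, and the DMZ host gets DNS outbound.
#ACTION         SOURCE  DEST    PROTO   DPORT
ACCEPT          loc     dmz     tcp     22
Ping(ACCEPT)    loc     dmz
ACCEPT          dmz     net     udp     53
ACCEPT          dmz     net     tcp     53
```

Run `shorewall check` before `shorewall restart` so a column error (the missing protocol that stopped Shorewall from starting in this thread) is reported without touching the running ruleset. If a single flow really did need source rewriting, the snat entry from the thread would have to read `SNAT(10.1.111.3) 192.168.1.2 eth0 tcp 22` (interface in DEST, protocol before the port; eth0 as the DMZ interface is the assumption above), but for a directly attached DMZ the ACCEPT rule in the rules file is the whole of what LAN-to-DMZ SSH requires.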


Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
> I've given up on trying to set up a Private Virtual Network in virt-manager 
> (KVM), as it does not work.  (CentOS7.4 all 'round)
>
> So I've now assigned a hardware ethernet port to the DMZ VM and one to the 
> router VM, just like all the other VMs.  The DMZ and router have their own IP 
> class C's (different from the LAN).  I'm uneasy with this, as if an interface 
> could be put in promiscuous...
>
> But what else am I going to do?  Using a bridge isn't very secure as it 
> depends on a software driver, and if a flaw is found/exists in that?  It is 
> hard to get bolt-sure isolation from some VMs, with communication in others.
>
> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ 
> IP, the LAN can get out to the WAN -- but not the DMZ machine.  Nothing in 
> the logs, as usual.

Presuming that my LAN has to be NATted to the DMZ in the router to SSH into it, 
I added in snat:
SNAT(10.1.111.3) 192.168.1.2   10.1.111.2    ssh

Not understanding what to put in () (and it doesn't work without something) I 
put in an IP that's in the same class C as the DMZ, which otherwise isn't being 
used.  192.168.1.2 is the source IP in the LAN and 10.1.111.2 is the DMZ 
interface in the router which is supposed to point to the DMZ machine at 
10.1.111.30.

But now Shorewall won't start because it does not recognize the service ssh!  
WTH?  I knew it's good but just to be sure I checked /etc/services, and yep, 
port 22.

Even if this worked, another problem with this is that if I snat all SSH 
traffic to the DMZ, I can no longer SSH out to The Internets.  Everything gets 
turned around to the DMZ.

I can't believe there isn't a writeup on this anywhere.


Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
I've given up on trying to set up a Private Virtual Network in virt-manager 
(KVM), as it does not work.  (CentOS7.4 all 'round)

So I've now assigned a hardware ethernet port to the DMZ VM and one to the 
router VM, just like all the other VMs.  The DMZ and router have their own IP 
class C's (different from the LAN).  I'm uneasy with this, as if an interface 
could be put in promiscuous...

But what else am I going to do?  Using a bridge isn't very secure as it depends 
on a software driver, and if a flaw is found/exists in that?  It is hard to get 
bolt-sure isolation from some VMs, with communication in others.

With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ IP, 
the LAN can get out to the WAN -- but not the DMZ machine.  Nothing in the 
logs, as usual.


Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
> We need to see the output of 'shorewall dump'. Please forward it as a
> compressed attachment; you can send it to me privately if you like.
>
> -Tom

It's a problem for me to get emails to you Tom, or I would have sent it.  Spam 
protections have eclipsed my one-horse hosting service (which has all but 
collapsed), and this is all about my trying to move to my own cloud instance.

Last time, you gave me two additional addresses to try, but one bounced, and I 
never heard back from you on the other so don't know whether it went through.

I'm about ready to hand-deliver a printout to you...  (I'm in Edmonds)


Re: [Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3

2017-11-13 Thread cacook

On 11/13/2017 12:07 PM, Simon Hobson wrote:
> Johannes Graumann  wrote:
>
>> 1) Are there any nice, comprehensive interfaces to sort through the
>> plethora of switches available with filters for more than the bare
>> bones protocol requirements usually present?
> Not that I know of - PITA isn't it ?
>
>> 2) Can anyone recommend a switch that fulfills the following minimal
>> requirements: 
>> - rack-mountable
>> - 1GB transfer rate
>> - >= 16 ports
>> - private VLAN support
>> - IGMP v3 (needed for Telekom streaming TV offering in Germany).
> I've used a few HP switches (mostly Procurve 1800 & 1900) at work and been 
> very happy with them - but I don't think either of these models do your RFC 
> 3376 IGMP. A quick search for "procurve rfc 3376 24G"* gives a selection of 
> other models that appear to have this feature - the 2510-24G seems to have it 
> and be quite affordable second hand.
>
> * I included 24G to see 24 port gigabit models.
>
>
> They tend to be available on secondhand sites, and as long as the previous 
> owner hasn't had a warranty claim**, then you get a lifetime warranty on 
> them. And the warranty service is brilliant (we had a couple of failures, but 
> then our environment wasn't "kind" to them) - fill in the details online, you 
> get a replacement switch the next day, you swap all the bits over (rack 
> mounting ears, modules, etc), then you ship the broken one back.
>
> ** Technically the warranty only applies to the original purchaser, but as 
> long as they haven't registered it in their own name then HP need never know 
> ;-)
>

I run the Netgear GS728TP, although VLANning requires you to hold a broom
in the air while holding your mouth crooked and hopping on one leg.


Re: [Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3

2017-11-13 Thread Simon Hobson
Johannes Graumann  wrote:

> 1) Are there any nice, comprehensive interfaces to sort through the
> plethora of switches available with filters for more than the bare
> bones protocol requirements usually present?

Not that I know of - PITA isn't it ?

> 2) Can anyone recommend a switch that fulfills the following minimal
> requirements: 
> - rack-mountable
> - 1GB transfer rate
> - >= 16 ports
> - private VLAN support
> - IGMP v3 (needed for Telekom streaming TV offering in Germany).

I've used a few HP switches (mostly Procurve 1800 & 1900) at work and been very 
happy with them - but I don't think either of these models do your RFC 3376 
IGMP. A quick search for "procurve rfc 3376 24G"* gives a selection of other 
models that appear to have this feature - the 2510-24G seems to have it and be 
quite affordable second hand.

* I included 24G to see 24 port gigabit models.


They tend to be available on secondhand sites, and as long as the previous 
owner hasn't had a warranty claim**, then you get a lifetime warranty on them. 
And the warranty service is brilliant (we had a couple of failures, but then 
our environment wasn't "kind" to them) - fill in the details online, you get a 
replacement switch the next day, you swap all the bits over (rack mounting 
ears, modules, etc), then you ship the broken one back.

** Technically the warranty only applies to the original purchaser, but as long 
as they haven't registered it in their own name then HP need never know ;-)




Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Tom Eastep
On 11/13/2017 08:02 AM, Colony.three via Shorewall-users wrote:
> 
>> Typical setup.  All systems running CentOS7.4 on KVM.  Shorewall
>> 5.0.14.1.  Communication with DMZ by a virtual private bridge built in
>> virt-manager, and communication between LAN machines is by SR-IOV
>> ethernet hardware.
>>
>> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I
>> followed the doc for 3 interface, setting the SNAT file:
>> .MASQUERADE  10.1.111.30/32,192.168.1.0/24   eth1
>> (DMZ: 10.  LAN: 192.)
>>
>> LAN masquerades through the router fine.  From the router I can ping
>> the dmz and ssh to it just fine.
>>
>> Problem is the dmz machine can't ping out;  can't even get
>> nameservice.  And dmesg in both the dmz and router show -nothing- in
>> dmesg.
>>
>> Also I can't ssh from the lan to the dmz machine.  I can ping it from
>> the router, and ssh in, but not from the LAN.
>>
> 
> Here's the routing table on the router:
> 
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
> 10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
> link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
> link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10
> 
> 
> 
> I can see why the LAN and DMZ should masquerade through the router to
> the world (although the DMZ does not).  But how would I wire it so I can
> ssh from the LAN to the DMZ?  Seems like SSH should go from the LAN into
> the router, and then out the DMZ because that's where its destination
> address is.  So no masquerading should be necessary?  Unfortunately it
> is not, and there's nothing in the logs.
> 

We need to see the output of 'shorewall dump'. Please forward it as a
compressed attachment; you can send it to me privately if you like.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________


Re: [Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
> Typical setup.  All systems running CentOS7.4 on KVM.  Shorewall 5.0.14.1.  
> Communication with DMZ by a virtual private bridge built in virt-manager, and 
> communication between LAN machines is by SR-IOV ethernet hardware.
>
> The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I 
> followed the doc for 3 interface, setting the SNAT file:
> .MASQUERADE  10.1.111.30/32,192.168.1.0/24   eth1
> (DMZ: 10.  LAN: 192.)
>
> LAN masquerades through the router fine.  From the router I can ping the dmz 
> and ssh to it just fine.
>
> Problem is the dmz machine can't ping out;  can't even get nameservice.  And 
> dmesg in both the dmz and router show -nothing- in dmesg.
>
> Also I can't ssh from the lan to the dmz machine.  I can ping it from the 
> router, and ssh in, but not from the LAN.

Here's the routing table on the router:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-105-82-1.hll 0.0.0.0         UG    0      0        0 eth1
10.1.111.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
50.105.82.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 ens10
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens10

I can see why the LAN and DMZ should masquerade through the router to the world 
(although the DMZ does not).  But how would I wire it so I can ssh from the LAN 
to the DMZ?  Seems like SSH should go from the LAN into the router, and then 
out the DMZ because that's where its destination address is.  So no 
masquerading should be necessary?  Unfortunately it is not, and there's nothing 
in the logs.


[Shorewall-users] Setting Up a DMZ Fail

2017-11-13 Thread Colony.three via Shorewall-users
Typical setup.  All systems running CentOS7.4 on KVM.  Shorewall 5.0.14.1.  
Communication with DMZ by a virtual private bridge built in virt-manager, and 
communication between LAN machines is by SR-IOV ethernet hardware.

The router is a VM with 3 interfaces -- fiberoptic, LAN, DMZ. -- and I followed 
the doc for 3 interface, setting the SNAT file:
.MASQUERADE  10.1.111.30/32,192.168.1.0/24   eth1
(DMZ: 10.  LAN: 192.)

LAN masquerades through the router fine.  From the router I can ping the dmz 
and ssh to it just fine.

Problem is the dmz machine can't ping out;  can't even get nameservice.  And 
dmesg in both the dmz and router show -nothing- in dmesg.

Also I can't ssh from the lan to the dmz machine.  I can ping it from the 
router, and ssh in, but not from the LAN.


[Shorewall-users] Off Topic: Recommendations for 16 port 1GB switch supporting pVLAN & Igmp v3

2017-11-13 Thread Johannes Graumann
Hello,

After I was pointed years ago to soekris.eu for an appropriate home FW
and was/am very happy with that, I'm trying again for segmenting the
appliances/IoT part of the network downstream of the FW ...

1) Are there any nice, comprehensive interfaces to sort through the
plethora of switches available with filters for more than the bare
bones protocol requirements usually present?

2) Can anyone recommend a switch that fulfills the following minimal
requirements: 
- rack-mountable
- 1GB transfer rate
- >= 16 ports
- private VLAN support
- IGMP v3 (needed for Telekom streaming TV offering in Germany).

Thanks for any hints.

Sincerely, Joh
