Joshua J. Kugler wrote:
> Howdy.  Long-time shorewall user here, but first post to the list.

Hello Joshua,

> I used the excellent instructions here: http://www.shorewall.net/ProxyARP.htm 
> to put my servers behind the firewall (under the loc interface) but still be 
> accessible from outside (net).  The problem is, I can't come up with the 
> rule(s) needed to make those servers accessible by computers in loc.
> 
> From the client, I get a connection refused, and from the firewall I get this 
> message:
> 
> Shorewall:FORWARD:REJECT:IN=vlan0 OUT=vlan0 SRC=192.168.1.235 
> DST=216.115.115.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15107 DF PROTO=TCP 
> SPT=2092 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

There are two things to say about this message:

a) The answer to Shorewall FAQ 17 says this about the chain name in a
   log message:

   INPUT or FORWARD

    ... If the chain is FORWARD and the IN and OUT interfaces are the
    same, then you probably need the 'routeback' option on that
    interface in /etc/shorewall/interfaces or you need the routeback
    option in the relevant entry in /etc/shorewall/hosts .

   So the reason that this traffic is being rejected is because
   you have not specified 'routeback' on your vlan0 interface.

   Why do I require 'routeback'? I have this bias that it is silly to
   route packets out of the same interface that they were received on.
   When that happens, it says to me that the routing of the LAN
   connected to the interface is inadequate. So without 'routeback',
   Shorewall doesn't create rules to handle such traffic.

b) There is a more important issue. I believe that your network is
   insecure *by design* because it appears that you have
   internet-accessible servers on the same VLAN as your local systems.
   Do you think someone who is smart enough to hack one of your servers
   is too dim-witted to realize that the server is on the same VLAN as a
   bunch of plump ripe Windows boxes? And that the router (you can't
   call it a firewall -- it is just a badly conceived router) is sitting
   off at the side and is not between the servers and the local systems?

> vlan0 is the loc zone/interface.  (This is an ASUS WL-500GP running OpenWRT, 
> if it matters).  Well, actually, it does matter, because I can't use the 
> iprange module, since it's not included with that package of iptables, 
> otherwise, I think I would have solved my problem a while ago.
> 
> In the status output, I can see the rules in the FORWARD chain, but I guess 
> I'm at a loss in figuring out how to modify those to FORWARD the connections 
> to the right place.

You can probably get it to work by specifying 'routeback' on vlan0 --
but when you get hacked, please do not blame Shorewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
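Added example, not code from the post or from the Shorewall project: a small Python check that applies the FAQ 17 rule quoted above to Shorewall log lines, flagging FORWARD rejects whose IN and OUT interface are the same and printing the matching /etc/shorewall/interfaces entry with 'routeback'. The first sample line is the one from the post; the second line, the zone name 'loc' for vlan0 and the log-prefix regex are assumptions.

```python
import re

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields. Regex written for this example (assumption: the
# prefix format matches the one shown in the post).
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[A-Za-z0-9_]+):(?P<disp>[A-Z]+):(?P<fields>.*)$"
)

SAMPLE_LOGS = [
    # Taken from the post: loc -> loc traffic entering and leaving vlan0.
    "Shorewall:FORWARD:REJECT:IN=vlan0 OUT=vlan0 SRC=192.168.1.235 "
    "DST=216.115.115.248 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15107 DF PROTO=TCP "
    "SPT=2092 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed: an ordinary net -> loc drop, not a routeback case.
    "Shorewall:net2all:DROP:IN=eth1 OUT=vlan0 SRC=198.51.100.7 "
    "DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
]

def parse_shorewall_log(line):
    """Return (chain, disposition, fields dict), or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True  # bare flags such as DF or SYN carry no value
    return m.group("chain"), m.group("disp"), fields

def needs_routeback(line):
    """FAQ 17 check: chain FORWARD with IN == OUT is hairpin traffic that
    Shorewall will not handle until 'routeback' is set on that interface.
    Returns the interface name, or None if the line is not such a case."""
    parsed = parse_shorewall_log(line)
    if parsed is None:
        return None
    chain, _disp, f = parsed
    if chain == "FORWARD" and f.get("IN") and f.get("IN") == f.get("OUT"):
        return f["IN"]
    return None

def suggest_interfaces_entry(zone, iface):
    """/etc/shorewall/interfaces line (ZONE INTERFACE BROADCAST OPTIONS) with
    routeback enabled; the zone name is supplied by the caller."""
    return f"{zone}\t{iface}\tdetect\trouteback"

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        hairpin_iface = needs_routeback(entry)
        if hairpin_iface:
            print("hairpin reject on", hairpin_iface, "->",
                  suggest_interfaces_entry("loc", hairpin_iface))
```

Run against a real /var/log/messages this only reports the symptom; as Tom notes, 'routeback' makes the traffic flow but does not change the fact that the servers and the clients share one VLAN.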


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users