Hi,
I have a setup problem with Shorewall 4.0.6, and I can't figure out why
it is not working:
I want to install a firewall with 2 extra interfaces:
- My serv ("dmz") zone is a /28 subnet behind eth1, with a small number of SUN
servers (IPs between ABC.DEF.75.1 and .13), one of which is a DHCP server for
the 75 subnet.
- The loc zone are PCs in the 75 subnet behind eth2 with IPs between
ABC.DEF.75.17 and .253
- The fw zone is the firewall itself (SuSE 10.2) (eth0)
The setup of the network cards is:

      eth0              eth1 (for zone serv)   eth2 (for zone loc)
IP:   ABC.DEF.70.201    ABC.DEF.75.14          ABC.DEF.75.254
HN:   pcfw0 (prompt)    pcfw0 (prompt)         pcfw0 (prompt)
SM:   255.255.255.0     255.255.255.240        255.255.255.0
GA:   ABC.DEF.70.254    ABC.DEF.70.254         ABC.DEF.70.254
BA:   ABC.DEF.70.255    ABC.DEF.75.15          ABC.DEF.75.255
NS1:  ABC.DEF.254.100   ABC.DEF.254.100        ABC.DEF.254.100
NS2:  ABC.DEF.254.101   ABC.DEF.254.101        ABC.DEF.254.101
NS3:  ABD.XYZ.254.100   ABD.XYZ.254.100        ABD.XYZ.254.100
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
serv ipv4
/etc/shorewall/interfaces
net eth0 detect proxyarp,tcpflags,routefilter,nosmurfs,logmartians,norfc1918
serv eth1 detect dhcp
loc eth2 detect dhcp,tcpflags,nosmurfs,blacklist
(no masq file, no proxyarp file)
This is also the setup of a firewall for the same local network
(Shorewall 1.0.3) which has worked for several years. I just want to replace
the older PC with a newer one ...
I have tested this setup on that newer PC disconnected from our
local network, using 3 extra PCs (one to simulate a 'serv' zone PC, 75.10,
one for a 'loc' zone PC, 75.121, one for a 'net' zone PC, 70.200).
I checked connections between many different zone combinations; all
behaved as wanted and expected in the test setup.
When I put the new firewall in our real network, NOT a single connection
works; pings report Unreachable, or No route. (?)
The output of netstat -nr is:
Destination      Gateway          Genmask           Flags  MSS Window irtt Iface
ABC.DEF.75.0     0.0.0.0          255.255.255.240   U      0   0      0    eth1
ABC.DEF.75.0     0.0.0.0          255.255.255.0     U      0   0      0    eth2
ABC.DEF.70.0     0.0.0.0          255.255.255.0     U      0   0      0    eth0
169.254.0.0      0.0.0.0          255.255.0.0       U      0   0      0    eth0
127.0.0.0        0.0.0.0          255.0.0.0         U      0   0      0    lo
0.0.0.0          ABC.DEF.70.254   0.0.0.0           UG     0   0      0    eth0
In /var/log/firewall I get DROP and REJECT messages for connections which
also should be dropped or rejected according to my rules and policy setup.
For connections that should work (but don't), I do not get a DROP or
REJECT message.
In /var/log/messages however there are a lot of strange messages:
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.230 on eth0
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.145 on eth0
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.100 on eth0
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.38 on eth0
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.87 on eth0
kernel martian source ABC.DEF.254.100 from ABC.DEF.75.188 on eth0
(the IPs on the right hand side are those of PCs currently in use on
our local network)
Why isn't it working???
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
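The martian-source lines and the netstat -nr table in the post above, as an added example that is not part of the original message or of Shorewall: a small Python script that replays the kernel's reverse-path check offline. It does a longest-prefix lookup of each martian's source address against the posted routing table to show which interface the kernel expected the packet to arrive on, and it flags any route whose prefix nests inside another route bound to a different interface. The post anonymises the first two octets as ABC.DEF, so the script substitutes 10.10 (an assumption); the log lines are constructed from the posted ones, in both the kernel's own wording ("from X, on dev Y") and the shortened form the post shows.

```python
import ipaddress
import re

# Constructed data modelled on the post. "ABC.DEF" is replaced by 10.10,
# which is an assumption for the example, not the poster's real prefix.
ROUTES = [
    # (Destination, Genmask, Iface) exactly as netstat -nr prints them
    ("10.10.75.0", "255.255.255.240", "eth1"),
    ("10.10.75.0", "255.255.255.0", "eth2"),
    ("10.10.70.0", "255.255.255.0", "eth0"),
    ("169.254.0.0", "255.255.0.0", "eth0"),
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", "eth0"),
]

# Constructed /var/log/messages excerpt. The kernel writes
# "martian source <dst> from <src>, on dev <iface>"; the post's copy
# lost the comma and the word "dev", so both forms appear here.
SAMPLE_LOG = """\
kernel: martian source 10.10.254.100 from 10.10.75.230, on dev eth0
kernel: martian source 10.10.254.100 from 10.10.75.145, on dev eth0
kernel: martian source 10.10.254.100 from 10.10.75.100, on dev eth0
kernel martian source 10.10.254.100 from 10.10.75.38 on eth0
kernel martian source 10.10.254.100 from 10.10.75.87 on eth0
kernel martian source 10.10.254.100 from 10.10.75.188 on eth0
"""

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+),? on (?:dev )?(?P<iface>\S+)"
)


def parse_routes(routes):
    """Turn netstat rows into (network, iface), longest prefix first."""
    parsed = [
        (ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), iface)
        for dest, mask, iface in routes
    ]
    parsed.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return parsed


def reverse_path(src, routes):
    """Interface a strict rp_filter expects packets from src to arrive on.

    Longest-prefix match against the forwarding table, the same lookup
    the kernel performs on the source address before accepting a packet.
    """
    addr = ipaddress.IPv4Address(src)
    for net, iface in parse_routes(routes):
        if addr in net:
            return iface
    return None


def check_martians(log, routes):
    """Explain each martian line: where it arrived vs. where it was expected."""
    findings = []
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        findings.append({
            "src": m["src"],
            "dst": m["dst"],
            "seen_on": m["iface"],
            "expected": reverse_path(m["src"], routes),
        })
    return findings


def nested_routes(routes):
    """Routes whose prefix lies inside another route on a different interface.

    The default route is skipped, since every prefix nests inside it.
    """
    out = []
    parsed = parse_routes(routes)
    for i, (inner, iface_in) in enumerate(parsed):
        for outer, iface_out in parsed[i + 1:]:
            if outer.prefixlen == 0 or inner == outer:
                continue
            if inner.subnet_of(outer) and iface_in != iface_out:
                out.append((str(inner), iface_in, str(outer), iface_out))
    return out


if __name__ == "__main__":
    for f in check_martians(SAMPLE_LOG, ROUTES):
        print(f"{f['src']:>14} -> {f['dst']:<14} seen on {f['seen_on']}, "
              f"reverse path says {f['expected']}")
    for inner, a, outer, b in nested_routes(ROUTES):
        print(f"route {inner} on {a} is nested inside {outer} on {b}")
```

Run against the posted data it reports that every logged source (75.38 through 75.230) has its reverse path on eth2 while the packets arrived on eth0, which is precisely the condition that routefilter and logmartians on eth0 report; it also lists the /28 on eth1 as nested inside the /24 on eth2, so a source between .1 and .14 would be expected on eth1 instead. To check a live box, replace ROUTES with the rows from its own netstat -nr or ip route output.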