This is Take-2: I don't think my original message was received,
considering it hasn't shown up on the sourceforge web interface and no
copy was mailed to me.
Ignore it if it's a duplicate.

Hi,

I have a few questions about the inner workings of netfilter
(a graphical layout of my network setup @
https://aequorin.homeunix.net:62389/local/media/network-graph.png)

1)      These are the syslog entries for some simple connection tests.
        Shorewall/netfilter has been set to record all stateful connections.

        SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN
        is set.

        Why is this? Why is SSH not lan(br0) -> $FW ?

        You mentioned that unless the physdev flag is set, shorewall only
        cares about lan(br0) <-> $FW

        Why does PHYSIN get set for SSH ?

ping(server->lan)
Sep 14 23:42:45 veridian kernel: [618269.196281]
Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255
LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631
LEN=165

ssh
Sep 14 23:45:15 veridian kernel: [618418.797081]
Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0
MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168
DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF
PROTO=TCP SPT=45664 DPT=48232 WINDOW=8192 RES=0x00 SYN URGP=0

openvpn (3 types)
Sep 14 23:46:54 veridian kernel: [618517.248260]
Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0
SRC=192.168.1.225 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128
ID=33 PROTO=UDP SPT=137 DPT=137 LEN=76
Sep 14 23:46:53 veridian kernel: [618516.835299]
Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255
LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631
LEN=165
Sep 14 23:46:59 veridian kernel: [618522.262747]
Shorewall:phys2vpn:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0
SRC=192.168.1.1 DST=239.255.255.250 LEN=429 TOS=0x00 PREC=0x00 TTL=4
ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=409

ping(vpn client->server)
Sep 14 23:50:50 veridian kernel: [618753.216549]
Shorewall:lan2fw:REJECT:IN=br0 OUT= PHYSIN=tap0
MAC=00:01:29:f5:f0:26:00:ff:09:52:47:a0:08:00 SRC=192.168.1.225
DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=ICMP
TYPE=8 CODE=0 ID=1 SEQ=3

ping(vpn server->client)
Sep 14 23:52:34 veridian kernel: [618857.273217]
Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255
LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631
LEN=165

ping(vpn client->lan)
Sep 14 23:55:39 veridian kernel: [619041.782974]
Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0
SRC=192.168.1.225 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128
ID=123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6

2)      How do the PHYSIN/PHYSOUT 'flags' get set? What criteria have to be
        met? Does the bridge interface set these flags ?

3)      Is the following a correct generalization of traffic passing through
        netfilter:

        (normal, no vpn)
                incoming:       phys(eth0)      ->      $FW
                outgoing:       $FW             ->      lan(br)

        (vpn)
                outgoing:       phys(eth0)      ->      vpn(tap0)
                                        ---then---
                                $FW             ->      lan(br0)

                incoming:       vpn(tap0)       ->      phys(eth0)
                                        ---or-----
                                lan(br0)        ->      $FW

                so outgoing vpn traffic has to pass through netfilter twice,
                first phys(eth0) -> vpn(tap0), then $FW -> lan(br0)

                while incoming vpn traffic passes through netfilter once, but
                goes one of two possible 'routes' depending on the destination
                ((vpn client -> lan) vs (vpn client -> vpn server))

4)      The shorewall docs mention that the lan(br0) zone exists b/c it is
        not possible to do $FW->vpn(tap0) or $FW->phys(eth0)

        Is this because netfilter in kernels >=2.6.20 cannot recognize
        $FW->vpn(tap0) or $FW->phys(eth0) ?
        ... because I haven't seen any traffic that would match
        $FW->vpn(tap0) or $FW->phys(eth0).
        
much appreciated,
orbisvicis
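The log entries quoted in the message encode the answer to questions 1 and 2 in their IN/OUT/PHYSIN/PHYSOUT fields: IN and OUT name the logical interface netfilter sees (here the bridge br0, or nothing for packets the firewall host itself sends or receives), while PHYSIN and PHYSOUT are filled in by the bridge netfilter code with the physical bridge port the frame arrived on and leaves by. The parser below, an added example that is not part of the original message or of the Shorewall project, reads such lines, keeps duplicate keys (the two LEN= and two ID= fields in the UDP and ICMP entries are real: outer IP header, then inner UDP/ICMP), separates bare flags such as DF and SYN, and classifies each record as locally delivered, locally generated, bridged between two ports of one bridge, or routed. The sample lines are constructed from the entries in the message with the timestamp prefix shortened; the zone-pair split of the chain name assumes zone names with no digit 2 in them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records, modelled on the syslog entries quoted in the
# message (hostname/timestamp prefix shortened). Real syslog lines carry the
# whole record on one line; the mail client wrapped the originals.
SAMPLE_LOGS = [
    "kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 "
    "MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168 DST=192.168.1.6 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF PROTO=TCP SPT=45664 DPT=48232 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "kernel: [619041.782974] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 "
    "PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6",
    "kernel: [618269.196281] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 "
    "DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 "
    "DPT=631 LEN=165",
]

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's key=value dump of the packet.
CHAIN_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
# Heuristic: Shorewall names zone-pair chains "<src>2<dst>" (assumes no '2' in zone names).
ZONE_PAIR_RE = re.compile(r"^(?P<src>[a-z]+)2(?P<dst>[a-z]+)$")


@dataclass
class LogEntry:
    chain: str
    action: str
    src_zone: Optional[str]
    dst_zone: Optional[str]
    fields: Dict[str, List[str]] = field(default_factory=dict)  # key -> values in order seen
    flags: Set[str] = field(default_factory=set)                 # bare tokens: DF, SYN, ...

    def first(self, key: str) -> Optional[str]:
        """First value for a key, or None if the key never appeared."""
        vals = self.fields.get(key)
        return vals[0] if vals else None


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one Shorewall/netfilter log line; return None for unrelated lines."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    chain, action = m.group("chain"), m.group("action")
    zm = ZONE_PAIR_RE.match(chain)
    entry = LogEntry(chain, action,
                     zm.group("src") if zm else None,
                     zm.group("dst") if zm else None)
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)          # "OUT=" yields an empty value
            entry.fields.setdefault(key, []).append(val)
        else:
            entry.flags.add(tok)                  # flag tokens have no value
    return entry


def classify_path(entry: LogEntry) -> str:
    """Where in the stack the packet was seen, derived from IN/OUT/PHYSIN/PHYSOUT."""
    in_if = entry.first("IN") or ""
    out_if = entry.first("OUT") or ""
    physin, physout = entry.first("PHYSIN"), entry.first("PHYSOUT")
    if not in_if and out_if:
        return "output"        # generated by the firewall host itself
    if in_if and not out_if:
        return "input"         # delivered to the firewall host
    if in_if and out_if and in_if == out_if and physin and physout:
        return "bridged"       # switched between two ports of the same bridge
    if in_if and out_if:
        return "forward"       # routed between two interfaces
    return "unknown"


def describe(entry: LogEntry) -> str:
    """One-line human-readable interpretation of a record."""
    head = f"{entry.chain} {entry.action} {entry.first('PROTO')} {entry.first('SRC')}->{entry.first('DST')}: "
    path = classify_path(entry)
    if path == "output":
        return head + f"sent by the firewall host via {entry.first('OUT')}"
    if path == "input":
        port = f" (arrived on bridge port {entry.first('PHYSIN')})" if entry.first("PHYSIN") else ""
        return head + f"delivered to the firewall host via {entry.first('IN')}{port}"
    if path == "bridged":
        return head + (f"bridged across {entry.first('IN')} from port "
                       f"{entry.first('PHYSIN')} to port {entry.first('PHYSOUT')}")
    return head + path


def summarize(lines: List[str]) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """(chain, path, PHYSIN, PHYSOUT) for every Shorewall record among the lines."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            out.append((e.chain, classify_path(e), e.first("PHYSIN"), e.first("PHYSOUT")))
    return out


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(describe(parse_line(raw)))
```

Run against the three sample records it reports the SSH SYN as delivered to the host via br0 having arrived on bridge port eth0 (which is why the phys zone, keyed on the physical port, matches before the lan zone), the VPN-to-LAN ping as bridged from tap0 to eth0 inside br0, and the CUPS broadcast as locally generated with no PHYS fields at all.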

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
