On 11/8/10 11:37 PM, Can Bican wrote:
> Hi,
>
> In order to blacklist rfc1918 networks from the Internet, I use
> NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a
> minor problem which I think shorewall should warn before. One of the
> firewalls I configured had the 172.16.0.0/20 as the internal
> interface, running version 4.4.6 on Ubuntu 10.04.1. Enabling
> NULL_ROUTE_RFC1918, routing for the internal interface disappeared and
> blacklisted. I think this behaviour conflicts with the manual, which
> says:
>
> "...When combined with route filtering (ROUTE_FILTER=Yes or
> routefilter in shorewall-interfaces(5)), this option ensures that
> packets with an RFC1918 source address are only accepted from
> interfaces having known routes to networks using such addresses."
>
> I looked around for a way to customize this option to exclude
> 172.16/20, but it appears that there are none, so maybe shorewall
> should check for exact route matches before adding rfc1918 blacklists.
>
> Or is there another way to fix this? (Apart from narrowing the range
> of the internal network)
>
NULL_ROUTE_RFC1918 creates these three routes:

    unreachable 192.168.0.0/16
    unreachable 172.16.0.0/12
    unreachable 10.0.0.0/8

Because 172.16.0.0/20 is more specific than 172.16.0.0/12, the above null
route does not masq your route to your internal interface. Here is the main
routing table on my own firewall:

    gateway:~# ip route ls
    172.20.0.2 dev tun0  proto kernel  scope link  src 172.20.0.1
    70.90.191.120/29 dev eth1  proto kernel  scope link  src 70.90.191.121
    172.20.0.0/25 via 172.20.0.2 dev tun0
    172.20.1.0/24 dev eth4  proto kernel  scope link  src 172.20.1.254
    10.1.10.0/24 dev eth1  proto kernel  scope link  src 10.1.10.11
    unreachable 192.168.0.0/16
    unreachable 172.16.0.0/12
    unreachable 10.0.0.0/8
    224.0.0.0/4 dev eth4  scope link
    gateway:~#

Note that I have a number of routes to subnets of 172.16.0.0/12 but those
routes appear in the routing table before 172.16.0.0/12.

So something else must be going on with your configuration. Please forward
the output of 'shorewall dump' with NULL_ROUTE_RFC1918 enabled and I'll take
a look (you can send it to me privately if you like).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
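To illustrate the longest-prefix-match point Tom makes, here is an added example (not from this thread or from Shorewall itself): a small Python model of kernel route selection, run over a constructed table that combines the poster's 172.16.0.0/20 internal network (assumed on an interface named eth0) with the three NULL_ROUTE_RFC1918 null routes. A destination inside the /20 still resolves to the connected route, while the rest of 172.16.0.0/12 hits the unreachable entry.

```python
import ipaddress

# Constructed sample routing table, modelled on the thread: the poster's
# 172.16.0.0/20 internal interface (assumed to be eth0) plus the three
# null routes that NULL_ROUTE_RFC1918=Yes installs.
SAMPLE_ROUTES = """\
172.16.0.0/20 dev eth0 proto kernel scope link src 172.16.0.1
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
default via 70.90.191.126 dev eth1
"""


def parse_routes(text):
    """Turn 'ip route ls' style lines into (network, kind, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "unreachable":
            routes.append((ipaddress.ip_network(fields[1]), "unreachable", None))
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(prefix), "route", dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching entry wins,
    regardless of the order the entries were listed in."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, kind, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, dev)
    if best is None:
        return ("no route", None, None)
    return (best[1], best[2], str(best[0]))


ROUTES = parse_routes(SAMPLE_ROUTES)

if __name__ == "__main__":
    for dst in ("172.16.5.1", "172.16.20.1", "192.168.1.1", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```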
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
