My bad, the internal network is actually /12, not /20. I'm sending you the output of shorewall dump in a separate email.

Thanks.

On Tue, Nov 9, 2010 at 5:11 PM, Tom Eastep <[email protected]> wrote:
> On 11/8/10 11:37 PM, Can Bican wrote:
>> Hi,
>>
>> In order to blacklist RFC1918 networks from the Internet, I use
>> NULL_ROUTE_RFC1918=Yes and it works perfectly. However, I noticed a
>> minor problem which I think Shorewall should warn about beforehand. One of the
>> firewalls I configured had 172.16.0.0/20 as the internal
>> interface, running version 4.4.6 on Ubuntu 10.04.1. When I enabled
>> NULL_ROUTE_RFC1918, routing for the internal interface disappeared and
>> it was blacklisted. I think this behaviour conflicts with the manual, which
>> says:
>>
>> "...When combined with route filtering (ROUTE_FILTER=Yes or
>> routefilter in shorewall-interfaces(5)), this option ensures that
>> packets with an RFC1918 source address are only accepted from
>> interfaces having known routes to networks using such addresses."
>>
>> I looked around for a way to customize this option to exclude
>> 172.16/20, but it appears that there is none, so maybe Shorewall
>> should check for exact route matches before adding RFC1918 blacklists.
>>
>> Or is there another way to fix this? (Apart from narrowing the range
>> of the internal network)
>>
>
> NULL_ROUTE_RFC1918 creates these three routes:
>
> unreachable 192.168.0.0/16
> unreachable 172.16.0.0/12
> unreachable 10.0.0.0/8
>
> Because 172.16.0.0/20 is more specific than 172.16.0.0/12, the above
> null route does not mask your route to your internal interface.
> Here is the main routing table on my own firewall:
>
> gateway:~# ip route ls
> 172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
> 70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
> 172.20.0.0/25 via 172.20.0.2 dev tun0
> 172.20.1.0/24 dev eth4 proto kernel scope link src 172.20.1.254
> 10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
> unreachable 192.168.0.0/16
> unreachable 172.16.0.0/12
> unreachable 10.0.0.0/8
> 224.0.0.0/4 dev eth4 scope link
> gateway:~#
>
> Note that I have a number of routes to subnets of 172.16.0.0/12 but
> those routes appear in the routing table before 172.16.0.0/12.
>
> So something else must be going on with your configuration. Please
> forward the output of 'shorewall dump' with NULL_ROUTE_RFC1918 enabled
> and I'll take a look (you can send it to me privately if you like).
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
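The point Tom makes is longest-prefix match: the kernel selects the most specific route that covers the destination, regardless of where the route sits in the `ip route ls` listing, so an internal 172.16.0.0/20 always beats `unreachable 172.16.0.0/12`. The follow-up ("actually /12, not /20") is exactly the case where that stops working, because the internal route and the null route then have the same prefix length and prefix length alone can no longer separate them. The script below is an added example written for this page, not Shorewall code or anything from the thread. It reproduces the three null routes and Tom's table from his post, and adds a constructed two-route table for the reporter's firewall (an interface named eth1 is assumed). It only simulates prefix selection; the kernel's tie-break for equal-length routes (metric and other attributes) is not modelled, the script simply reports the collision.

```python
"""Longest-prefix-match simulation of the NULL_ROUTE_RFC1918 behaviour discussed above.

Added example; not part of Shorewall or the original thread.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    target: str  # e.g. "dev eth4", "via 172.20.0.2 dev tun0", or "unreachable"


def route(cidr: str, target: str) -> Route:
    return Route(ipaddress.ip_network(cidr, strict=False), target)


# The three null routes NULL_ROUTE_RFC1918=Yes installs (quoted from Tom's reply).
RFC1918_NULL_ROUTES = [
    route("192.168.0.0/16", "unreachable"),
    route("172.16.0.0/12", "unreachable"),
    route("10.0.0.0/8", "unreachable"),
]

# Tom's main table, transcribed from his 'ip route ls' output.
TOMS_TABLE = [
    route("172.20.0.2/32", "dev tun0"),
    route("70.90.191.120/29", "dev eth1"),
    route("172.20.0.0/25", "via 172.20.0.2 dev tun0"),
    route("172.20.1.0/24", "dev eth4"),
    route("10.1.10.0/24", "dev eth1"),
    *RFC1918_NULL_ROUTES,
    route("224.0.0.0/4", "dev eth4"),
]


def internal_table(cidr: str) -> List[Route]:
    """Constructed table for the reporter's firewall: one internal interface
    (assumed to be eth1) on `cidr`, plus the three null routes."""
    return [route(cidr, "dev eth1"), *RFC1918_NULL_ROUTES]


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Return the most specific route(s) covering dst.

    Every route whose prefix contains dst is a candidate; only the longest
    prefix length wins. Table order is deliberately ignored, which is what
    makes the position of the null routes in 'ip route ls' irrelevant.
    Several routes come back only when they tie on prefix length."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return []
    best = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best]


def decide(table: List[Route], dst: str) -> str:
    """Summarise the forwarding decision for dst as a short string."""
    best = lookup(table, dst)
    if not best:
        return "no route"
    if len(best) > 1:
        # Equal prefix lengths: prefix matching cannot separate the internal
        # route from the null route. The real kernel falls back to metric and
        # other attributes here, which this simulation does not model.
        return "ambiguous: " + " | ".join(r.target for r in best)
    if best[0].target == "unreachable":
        return "unreachable"
    return "forward " + best[0].target


if __name__ == "__main__":
    for dst in ("172.20.1.10", "172.20.0.5", "172.17.5.1", "10.1.10.5", "10.2.0.1"):
        print(f"Tom's table   {dst:>12} -> {decide(TOMS_TABLE, dst)}")
    for cidr in ("172.16.0.0/20", "172.16.0.0/12"):
        for dst in ("172.16.3.1", "172.16.20.1"):
            print(f"internal {cidr} {dst:>12} -> {decide(internal_table(cidr), dst)}")
```

With the /20 internal network, 172.16.3.1 resolves to eth1 and 172.16.20.1 (outside the /20 but inside the /12) is correctly unreachable, which is the behaviour the manual describes. With the /12 internal network every address in the range matches both the interface route and the null route at /12, and the script reports the collision instead of a clean answer; that is why the corrected prefix length, not the position of the null routes, is what matters in the reporter's case.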
