Hi, I have a setup based on the "Two interface" model, with very few
changes. The fw is my Linux PC, the loc zone is a subnet on a second
network interface (eth1).
The PC has a DHCP server for the eth1 interface. Now, in the interfaces
file I did not add the "dhcp" option to the eth1 interface, and the
default policy is rejecting packets from loc to fw, so I was expecting
that DHCP would not work for PCs in the loc zone. But instead it's
working, discover-offer-etc. all ok, an IP is assigned. After, and only
after, I can see from the logs that all the following requests on port
67 (about every 5 minutes) are rejected.
How is this? Am I misunderstanding how the firewall works? I recognize
that a DHCP request is something at a somewhat lower level than the
firewall, after all the requesting PC does not have an IP yet, but I would
like to be 100% confident on how the whole firewall is working.
Shouldn't the concept of "zones" filter everything from a given zone?
Bye and thank you very much for your attention.
Some data:
shorewall version: 5.0.7.2 (in debian testing)
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether d8:50:e6:d2:b7:9b brd ff:ff:ff:ff:ff:ff
inet 193.205.130.201/24 brd 193.205.130.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::da50:e6ff:fed2:b79b/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN group default qlen 1000
link/ether 00:02:b3:61:48:39 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
ip route show
default via 193.205.130.253 dev eth0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1 linkdown
193.205.130.0/24 dev eth0 proto kernel scope link src 193.205.130.201
interfaces:
net eth0
dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 tcpflags,nosmurfs,routefilter,logmartians
loc wlan0 tcpflags,nosmurfs,routefilter,logmartians
zones:
fw firewall
net ipv4
loc ipv4
policy:
loc net ACCEPT
net all DROP info
$FW all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
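Added example, not from the post and not Shorewall's own code: a small Python model of the interfaces, zones and policy tables above that reports what the policy file by itself decides for a given packet. The "dhcp" interface option is modelled as an assumption, as an early accept of UDP 67/68 on the interfaces it is set on; everything else is a first-match lookup of the policy lines in the order given.

```python
from typing import FrozenSet, Optional, Tuple

# Interface -> zone mapping from the poster's interfaces file (eth0 is net;
# eth1 and wlan0 are loc); the firewall itself is the zone "fw" ($FW).
INTERFACE_ZONE = {"eth0": "net", "eth1": "loc", "wlan0": "loc"}
FW_ZONE = "fw"

# Policy file in order; the first matching line wins, "all" is a wildcard.
POLICY = [
    ("loc", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("$FW", "all", "ACCEPT", None),
    ("all", "all", "REJECT", "info"),  # must be last
]


def _zone_matches(pattern: str, zone: str) -> bool:
    if pattern == "all":
        return True
    if pattern == "$FW":
        return zone == FW_ZONE
    return pattern == zone


def lookup_policy(src_zone: str, dst_zone: str) -> Tuple[str, Optional[str]]:
    """Return (action, log level) of the first policy line matching the zone pair."""
    for src, dst, action, log in POLICY:
        if _zone_matches(src, src_zone) and _zone_matches(dst, dst_zone):
            return action, log
    raise ValueError("no policy matched")  # unreachable while 'all all' is last


def classify(in_iface: Optional[str], out_iface: Optional[str], proto: str,
             dport: int, dhcp_ifaces: FrozenSet[str] = frozenset()):
    """Decide a datagram's fate from the tables alone.

    in_iface None: the packet originates on the firewall ($FW).
    out_iface None: the packet is addressed to the firewall itself.
    dhcp_ifaces: interfaces carrying the 'dhcp' option (assumed to accept
    UDP 67/68 in and out before the policies are consulted); empty as in the
    poster's configuration, where eth1 deliberately does not have it.
    """
    if proto == "udp" and dport in (67, 68):
        if in_iface in dhcp_ifaces or out_iface in dhcp_ifaces:
            return "ACCEPT", None
    src_zone = FW_ZONE if in_iface is None else INTERFACE_ZONE[in_iface]
    dst_zone = FW_ZONE if out_iface is None else INTERFACE_ZONE[out_iface]
    return lookup_policy(src_zone, dst_zone)
```

For the poster's tables every loc to fw datagram to port 67, the initial broadcast DISCOVER included, comes out as REJECT, so the working DISCOVER/OFFER exchange is not something the policy granted: the ISC server receives and replies through raw packet sockets bound to the interface, which Netfilter does not filter, while the kernel's own IP stack still sees each datagram and logs the REJECT. Setting the "dhcp" option on eth1 (the `dhcp_ifaces` argument here) is how the ruleset is told to accept that traffic explicitly.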
--
Michele Alessandrini
Dipartimento di Ingegneria dell'Informazione
Università Politecnica delle Marche
Via Brecce Bianche, 12
60131 Ancona (AN) - ITALY
Phone: +39 071 2204787
Fax: +39 071 2204464
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users