I can see the light at the end of the tunnel, but I'm not quite there yet.

A reminder of my current network:

Internet providers --- gw1 --- fw2 --- lan, dmz, caib, ibs

I replaced the old fw1 with the new fw2 this morning, and everything seemed to 
work until I found that some lan hosts could not access hosts in the caib and 
ibs zones. They could however access hosts in the wan zone, as well as fw2 
itself.

The strange thing is that two hosts with apparently the same access rules do 
not behave the same way. One can ping, the other can't.

Let's just take one example:

- ping dest IP address 10.215.134.196 in "ibs" zone from "lan" host with IP 
address 10.215.144.48 is OK 
- ping dest IP address 10.215.134.196 in "ibs" zone from "lan" host with IP 
address 10.215.246.47 FAILS 

Same thing happens with dest IP address 10.215.9.172 in "caib" zone.

Please note that host at 10.215.246.47 can ping fw2 and 8.8.8.8 in "wan" zone 
just fine.


This is the "rule" that should match:
ACCEPT    lan:10.215.246.0/23    caib:10.215.0.0-10.215.143.255    all
ACCEPT    lan:10.215.246.0/23    ibs:10.215.0.0-10.215.143.255    all


While performing the first test, I see this on fw2:

# tcpdump -nni enp10s0 host 10.215.246.47
07:41:23.433865 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:28.933987 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:34.434102 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:39.934164 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46

My current "interfaces" file on fw2 is as follows:

lan     $IF_LAN         routeback,arp_filter=1
wan     $IF_WAN         routeback,arp_filter=1
caib    $IF_CAIB        arp_filter=1
ibs     $IF_IBS         arp_filter=1
dmz     $IF_DMZ         routeback,dhcp
-       lo              -

I unsuccessfully tried adding proxyarp=1 to IF_IBS, but not IF_LAN.

Here's the link to the shorewall dump while doing this test (I added logging to 
the lan-ibs and lan-caib policies):

https://drive.google.com/file/d/0B-tpkY1LkI67LXBXSTlaV1FOeEE/view?usp=sharing

(More) help appreciated.

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

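The capture in the message above shows the failing lan host issuing ARP requests for 10.215.134.196 itself rather than for a gateway. A host only ARPs for an address that its own routing table considers on-link, so such a request never reaches the router's ruleset. As an added example, not part of the original post and not Shorewall code, here is a small Python check that parses `tcpdump -nn` ARP lines, flags requests whose target falls outside the prefix the firewall rules assign to the sender (10.215.246.0/23, taken from the rules quoted above), and reports the widest netmask under which the sender would regard that target as on-link. The fifth capture line, an ARP for 10.215.247.1, is constructed for contrast using a hypothetical gateway address and is not from the original capture.

```python
import ipaddress
import re

# Constructed sample input: the four ARP requests from the tcpdump run on fw2
# (with the wrapped "length 46" rejoined), plus one constructed contrast line
# in which the same host asks for 10.215.247.1, a hypothetical on-link gateway
# address inside its own /23. That last line is NOT from the original capture.
SAMPLE_CAPTURE = """\
07:41:23.433865 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:28.933987 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:34.434102 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:39.934164 ARP, Request who-has 10.215.134.196 tell 10.215.246.47, length 46
07:41:40.000000 ARP, Request who-has 10.215.247.1 tell 10.215.246.47, length 46
"""

# Prefixes the firewall's rules treat as the lan side (from the ACCEPT rules
# quoted in the post); each ARP sender is matched to the prefix containing it.
LAN_PREFIXES = ["10.215.246.0/23"]

ARP_REQUEST = re.compile(
    r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(capture_text):
    """Return (sender, target) string pairs for every ARP request in tcpdump -nn output."""
    pairs = []
    for line in capture_text.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            pairs.append((m.group(2), m.group(1)))  # (tell X, who-has Y) -> (X, Y)
    return pairs


def shared_prefix_length(a, b):
    """Number of leading bits two IPv4 addresses have in common (0..32).

    A host will only ARP directly for b when its configured prefix length is
    this value or shorter, i.e. its netmask is at least this wide.
    """
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def diagnose_arp(capture_text, lan_prefixes):
    """Flag ARP requests whose target lies outside the prefix the sender belongs to.

    A host sends an ARP request for an address only when its routing table says
    the address is on-link. A request for a target outside the sender's expected
    prefix therefore points at the sender's netmask or routes, not at the
    router's rules: the packet is never handed to the router at all.
    Duplicate (sender, target) pairs are reported once.
    """
    nets = [ipaddress.ip_network(p) for p in lan_prefixes]
    findings = []
    seen = set()
    for sender, target in parse_arp_requests(capture_text):
        s = ipaddress.IPv4Address(sender)
        net = next((n for n in nets if s in n), None)
        if net is None or ipaddress.IPv4Address(target) in net:
            continue  # unknown sender, or a normal on-link ARP
        if (sender, target) in seen:
            continue
        seen.add((sender, target))
        findings.append({
            "sender": sender,
            "target": target,
            "expected_prefix": str(net),
            "max_prefixlen_that_makes_target_onlink": shared_prefix_length(sender, target),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose_arp(SAMPLE_CAPTURE, LAN_PREFIXES):
        print(f"{f['sender']} is ARPing for {f['target']}, outside {f['expected_prefix']}: "
              f"its netmask must be /{f['max_prefixlen_that_makes_target_onlink']} or shorter")
```

On the sample above the check reports a single finding: 10.215.246.47 asking for 10.215.134.196, which is outside 10.215.246.0/23, and which would only be treated as on-link with a prefix of /17 or shorter (a /16 mask, for example). The constructed ARP for 10.215.247.1 is not flagged because it sits inside the sender's /23. Feeding the same script a capture from the working host would show whether it ARPs for its gateway instead, which is the comparison one would want before looking any further at the lan-to-ibs policy.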