On 11/13/18 6:09 AM, Vieri Di Paola wrote:
> Here's another shorewall dump while pinging from a host with IP
> address 192.168.215.201 connected to a VLAN 1 Untagged switch port to
> the $FW's IP address 192.168.210.1 whose ethernet interface is
> connected to a VLAN 1 Tagged switch port (it is also Tagged VLAN 11).
>
> https://drive.google.com/open?id=1Yir0pYxF4FfrfnE8THFQa09kaDPD6CsZ
>
> I'm expecting DROPs because of my policy. The only ACCEPT rule I have is:
>
> Ping/ACCEPT:info dmz11 $FW
>
> However, the ICMP requests/replies are flowing.
>
> # tcpdump -n -i enp8s5 -e
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
> 15:00:41.249573 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11488, length 40
> 15:00:41.249643 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11488, length 40
> 15:00:42.252547 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11489, length 40
> 15:00:42.252594 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11489, length 40
> 15:00:43.255624 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11490, length 40
> 15:00:43.255683 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11490, length 40
> 15:00:44.259597 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11491, length 40
> 15:00:44.259666 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11491, length 40
> 15:00:45.262619 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11492, length 40
> 15:00:45.262671 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11492, length 40
> 15:00:46.265721 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11493, length 40
> 15:00:46.265779 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11493, length 40
> 15:00:46.697949 48:ee:0c:37:8e:2e > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 60: LLDP, length 46
> 15:00:47.268733 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11494, length 40
> 15:00:47.268814 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11494, length 40
> 15:00:48.272706 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11495, length 40
> 15:00:48.272752 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11495, length 40
> 15:00:49.120878 fc:ec:da:a0:40:a5 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4, 192.168.210.48.50227 > 255.255.255.255.10001: UDP, length 146
> 15:00:49.121759 fc:ec:da:a0:40:a5 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 212: vlan 1, p 0, ethertype IPv6, fe80::feec:daff:fea0:40a5.43336 > ff02::1.10001: UDP, length 146
> 15:00:49.121950 fc:ec:da:a0:3d:a7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4, 192.168.210.49.57553 > 255.255.255.255.10001: UDP, length 146
> 15:00:49.275777 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11496, length 40
> 15:00:49.275830 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11496, length 40
> 15:00:50.278810 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11497, length 40
> 15:00:50.278883 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11497, length 40
> 15:00:51.282792 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11498, length 40
> 15:00:51.282856 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11498, length 40
> ^C
>
> Why isn't the ICMP request dropped?
>
Because you have given interface enp8s5 an IP address and have assigned it
to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
configuration never comes into play. In a valid bridge configuration, the
bridge port interfaces have no IP configuration and are only defined to
Shorewall as bport interfaces.

-Tom
-- 
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
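Added example, not code from this thread or from the Shorewall project: a small POSIX shell check for the misconfiguration Tom describes, a bridge port that still owns an IP address and therefore gets matched by Shorewall as an ordinary zone interface rather than as a bport. The function reads a Shorewall interfaces file and the output of `ip -o -4 addr show`, collects every interface declared in `bridge:port` form, and reports any such port that has an IPv4 address. The interfaces fragment and both `ip` outputs below are constructed for illustration; the `bridge:port` notation and the `bridge` option follow Shorewall's bridge documentation as I recall it, so confirm the column layout against shorewall-interfaces(5) for your version before relying on the parser.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Flags bridge ports that still carry an IPv4 address. In a Shorewall bridge
# setup the address lives on the bridge device (br0) and the ports are
# declared only as bridge:port entries that belong to bport zones.
#
# Assumptions: the Shorewall "interfaces" file lists bridge ports in the
# INTERFACE column (field 2) as bridge:port, and the address list is the
# output of "ip -o -4 addr show". All sample data below is constructed.

# check_bridge_ports INTERFACES_TEXT IPADDR_TEXT
# Prints one line per bridge port that has an IPv4 address.
# Returns 0 when every declared bridge port is address-less, 1 otherwise.
check_bridge_ports() {
    interfaces=$1
    addrs=$2
    bad=0
    # Skip blank lines, comments and ?FORMAT directives; keep the port half
    # of every "bridge:port" entry in the INTERFACE column.
    ports=$(printf '%s\n' "$interfaces" |
        awk 'NF == 0 || $1 ~ /^[#?]/ { next }
             $2 ~ /:/ { split($2, a, ":"); print a[2] }')
    for p in $ports; do
        # "ip -o -4 addr show" prints "<idx>: <ifname> inet <addr>/<len> ..."
        # so field 2 is the interface and field 3 is the family.
        if printf '%s\n' "$addrs" |
            awk -v p="$p" '$2 == p && $3 == "inet" { found = 1 } END { exit !found }'; then
            echo "bridge port $p carries an IPv4 address; move it to the bridge device"
            bad=1
        fi
    done
    return $bad
}

# Constructed interfaces file: bridge br0 with two ports in bport zones.
INTERFACES_DEMO='?FORMAT 2
#ZONE   INTERFACE       OPTIONS
-       br0             bridge
dmz     br0:enp8s5
loc     br0:enp7s0'

# Constructed "ip -o -4 addr show": the mistake from the thread, the port
# enp8s5 owns the firewall address instead of br0.
IPADDR_BAD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp8s5    inet 192.168.210.1/24 brd 192.168.210.255 scope global enp8s5\       valid_lft forever preferred_lft forever'

# Constructed "ip -o -4 addr show": corrected layout, the address sits on br0.
IPADDR_GOOD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 192.168.210.1/24 brd 192.168.210.255 scope global br0\       valid_lft forever preferred_lft forever'

if check_bridge_ports "$INTERFACES_DEMO" "$IPADDR_BAD"; then
    echo "bad layout: no problem found (unexpected)"
else
    echo "bad layout: a bridge port still has an address, Shorewall treats it as a plain interface"
fi
if check_bridge_ports "$INTERFACES_DEMO" "$IPADDR_GOOD"; then
    echo "good layout: ports are address-less, bport zones apply"
fi

# On a live box: check_bridge_ports "$(cat /etc/shorewall/interfaces)" "$(ip -o -4 addr show)"
```

The check is deliberately narrow: it only catches the case Tom names (an address on a port). It does not verify that the port is actually enslaved to the bridge in the kernel, which `bridge link show` or `ip -o link show master br0` would tell you, nor that the zone named for the port is of type bport in the zones file.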