On Wed, Nov 14, 2018 at 12:53 AM Tom Eastep <teas...@shorewall.net> wrote:
>
> Because you have given interface enp8s5 an IP address and have assigned
> it to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
> configuration never comes into play. In a valid bridge configuration,
> the bridge port interfaces have no IP configuration and are only defined
> to Shorewall as bport interfaces.

You lost me there.

As far as I can tell, I haven't set any IP address to enp8s5 or
assigned it to the dmz zone.
Here's what I have in my interfaces file:

dmz     enp5s0          routeback,dhcp,proxyarp=1
dmzx    br0             bridge,dhcp,proxyarp=1
dmz0    br0:enp8s5      routeback
dmz1    br0:enp8s5_1    routeback
dmz11   br0:enp8s5_11   routeback

Also, this is my network configuration which is the same as the one
reported in the SW dump:

# ip addr show enp8s5
8: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
       valid_lft forever preferred_lft forever
# ip addr show enp8s5_1
60: enp8s5_1@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
       valid_lft forever preferred_lft forever
# ip addr show enp8s5_11
61: enp8s5_11@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
       valid_lft forever preferred_lft forever
# ip addr show br0
62: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
       valid_lft forever preferred_lft forever
# ip addr show enp5s0
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
       valid_lft forever preferred_lft forever
    inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
       valid_lft forever preferred_lft forever
    inet6 fe80::6a05:caff:fe11:6430/64 scope link
       valid_lft forever preferred_lft forever

As you can see from the above, enp8s5 does not have an IP address
configured. Only br0 has a management IP address which I need anyway.
Also, br0 only covers enp8s5, enp8s5_1 and enp8s5_11, not enp5s0.

The traffic's source address reported in this dump is not in the dmz
zone but in dmz1, i.e. the traffic flow is through the br0 bridge.

Have I overlooked something?

Vieri
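As an added check, not part of this thread or of Shorewall itself: a small script that parses `ip addr show` output and Shorewall interfaces entries, and flags any `bridge:port` (bport) entry whose port is not actually enslaved to that bridge or that carries an IPv4 address of its own, which is the condition Tom describes for a valid bridge configuration. The sample input is constructed from the output quoted in the message above, trimmed to the fields the check reads.

```python
import re

# Constructed sample input, taken from the `ip addr show` output and the
# interfaces entries quoted in the message (trimmed to what the check reads).
IP_ADDR_OUTPUT = """\
8: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP
    link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
60: enp8s5_1@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
    inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
62: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
"""
INTERFACES = """\
dmz     enp5s0         routeback,dhcp,proxyarp=1
dmzx    br0            bridge,dhcp,proxyarp=1
dmz0    br0:enp8s5     routeback
dmz1    br0:enp8s5_1   routeback
"""

# "N: name[@parent]: <flags> ..." header line that opens each interface block
HEADER = re.compile(r"^\d+: ([^:@]+)(?:@\S+)?: <[^>]*>(.*)$")

def parse_ip_addr(text):
    """Map interface -> {'master': enslaving bridge or None, 'inet': [IPv4/prefix, ...]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            master = re.search(r"\bmaster (\S+)", m.group(2))
            cur = ifaces[m.group(1)] = {"master": master.group(1) if master else None, "inet": []}
        elif cur is not None and line.strip().startswith("inet "):
            cur["inet"].append(line.split()[1])  # IPv4 only; an inet6 link-local is normal on a port
    return ifaces

def check_bridge_config(interfaces_text, ip_addr_text):
    """Return problems: a bport entry (bridge:port) whose port is not enslaved to that
    bridge, or a bridge port that carries an IPv4 address of its own."""
    ifaces, problems = parse_ip_addr(ip_addr_text), []
    for line in interfaces_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#") or ":" not in fields[1]:
            continue  # comment, blank, or a plain (non-bport) interface entry
        zone, (bridge, port) = fields[0], fields[1].split(":", 1)
        info = ifaces.get(port)
        if info is None or info["master"] != bridge:
            problems.append(f"{zone}: {port} is not a port of bridge {bridge}")
        elif info["inet"]:
            problems.append(f"{zone}: bridge port {port} has IPv4 {info['inet']}")
    return problems

if __name__ == "__main__":
    print(check_bridge_config(INTERFACES, IP_ADDR_OUTPUT) or "bridge ports look clean")
```

On a live box, feed it `ip addr show` and `/etc/shorewall/interfaces` instead of the embedded samples.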


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users