Re: [Shorewall-users] shorewall VLANs and network ranges

[Tom Eastep]

On 11/14/18 12:29 AM, Vieri Di Paola wrote:
> On Wed, Nov 14, 2018 at 12:53 AM Tom Eastep <teas...@shorewall.net> wrote:
>> Because you have given interface enp8s5 an IP address and have assigned
>> it to the dmz zone, and your rules allow ping from dmz -> fw. The bridge
>> configuration never comes into play. In a valid bridge configuration,
>> the bridge port interfaces have no IP configuration and are only defined
>> to Shorewall as bport interfaces.
> You lost me there.
>
> As far as I can tell, I haven't set any IP address to enp8s5 or
> assigned it to the dmz zone.
> Here's what I have in my interfaces file:
>
> dmz     enp5s0         routeback,dhcp,proxyarp=1
> dmzx    br0             bridge,dhcp,proxyarp=1
> dmz0    br0:enp8s5              routeback
> dmz1    br0:enp8s5_1            routeback
> dmz11   br0:enp8s5_11   routeback
>
> Also, this is my network configuration which is the same as the one
> reported in the SW dump:
>
> # ip addr show enp8s5
> 8: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
> master br0 state UP group default qlen 1000
>     link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>        valid_lft forever preferred_lft forever
> # ip addr show enp8s5_1
> 60: enp8s5_1@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master br0 state UP group default qlen 1000
>     link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>        valid_lft forever preferred_lft forever
> # ip addr show enp8s5_11
> 61: enp8s5_11@enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master br0 state UP group default qlen 1000
>     link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>        valid_lft forever preferred_lft forever
> # ip addr show br0
> 62: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
>     link/ether 00:e3:c0:5f:81:5d brd ff:ff:ff:ff:ff:ff
>     inet 192.168.215.1/24 brd 192.168.215.255 scope global br0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::2e3:c0ff:fe5f:815d/64 scope link
>        valid_lft forever preferred_lft forever
> # ip addr show enp5s0
> 2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 68:05:ca:11:64:30 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.210.1/23 brd 192.168.211.255 scope global enp5s0
>        valid_lft forever preferred_lft forever
>     inet 192.168.212.1/24 brd 192.168.212.255 scope global enp5s0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::6a05:caff:fe11:6430/64 scope link
>        valid_lft forever preferred_lft forever
>
> As you can see from the above, enp8s5 does not have an IP address
> configured. Only br0 has a management IP address which I need anyway.
> Also, br0 only covers enp8s5, enp8s5_1 and enp8s5_11, not enp5s0.
>
> The traffic's source address reported in this dump is not in the dmz
> zone but in dmz1, ie. the traffic flow is through the br0 bridge.
>
> Have I overlooked something?
>
No -- I was apparently confusing enp8s5 with enp5s0 (I hate this new NIC
naming convention).

It appears that *no* traffic entered via enp5s0 during the period of
time covered by the dump:

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dmz0_frwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         PHYSDEV match --physdev-in enp8s5 policy match dir in pol none 
<================
   25  4464 dmz1_frwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         PHYSDEV match --physdev-in enp8s5_1 policy match dir in pol none
    0     0 dmz11_frwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
          PHYSDEV match --physdev-in enp8s5_11 policy match dir in pol none
    0     0 dmzx_frwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         policy match dir in pol none

Chain br0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dmz0-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         PHYSDEV match --physdev-in enp8s5 policy match dir in pol none 
<===============
   49  4424 dmz1-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         PHYSDEV match --physdev-in enp8s5_1 policy match dir in pol none
    0     0 dmz11-fw   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         PHYSDEV match --physdev-in enp8s5_11 policy match dir in pol none
    0     0 dmzx-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         policy match dir in pol none

Or, at least, none made it as far as the filter table. So I suggest
analyzing the packet flow with 'shorewall iptrace -s 192.168.215.201 -d
192.168.215.1' so we can see how netfilter is processing the echo
request packets'.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________

signature.asc
Description: OpenPGP digital signature

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users