kbajwa | 1 Dec 01:40 2007

PING does not work


Hello:

CentOS
Shorewall 4.0.5

I am trying to set up a very simple network with (1) firewall server (2) dmz
servers.

I have IP: 65.103.190.104/28 mask: 255.255.255.248 (8 IP addresses available
from Qwest).

Network is as below:

65.103.190.104:  Network
65.103.190.105:  FW
65.103.190.106:  NS1
65.103.190.108:  NS2
65.103.190.110:  Gateway
65.103.190.111:  Broadcast

SETUP:
------

I have a Firewall server connecting to the Gateway on eth0 and to two DMZ on
eth1 (via a hub).

The /etc/shorewall/rule file is as follows (these are the FIRST six lines in
the RULE file):


Roberto C. Sánchez | 1 Dec 01:46 2007

Re: PING does not work

On Fri, Nov 30, 2007 at 05:40:14PM -0700, kbajwa wrote:
> --------
> 
> I can PING from $FW to Net, $FW to dmz, dmz to $FW & dmz to net 
> BUT I can't PING from net to $FW or dmz.
> 
> FYI, I can PING from net to my GATEWAY IP (65.103.190.110).
> 
> I have searched Google and have looked into the Shorewall FAQ.
> 
http://www.shorewall.net/support.htm

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4

kbajwa | 1 Dec 20:06 2007

PING does not work

Hello:

CentOS
Shorewall 4.0.5

I am trying to set up a very simple network with (i) firewall server & (ii)
two dmz servers sitting behind the FW server.

When I am loading the CentOS on the FW server, the CentOS sets up the
"Security Level & Firewall" as follows:

1. Firewall Options: Enabled.
	The default setting has SSH 'checked'.

2. SELinux: Enforcing

I leave both these options as default.

My question is, after I install Shorewall Firewall on the FW server, what
should I do with these two settings?

a. Leave them as they are?
b. Disable one or both?
c. Do they conflict with Shorewall FW?

The same question goes for the DMZ servers.

Thanks in advance.

Kirt

Tom Eastep | 1 Dec 20:24 2007

Re: PING does not work

kbajwa wrote:
> Hello:
> 
> CentOS
> Shorewall 4.0.5
> 
> I am trying to set up a very simple network with (i) firewall server & (ii)
> two dmz servers sitting behind the FW server.
> 
> When I am loading the CentOS on the FW server, the CentOS sets up the
> "Security Level & Firewall" as follows:
> 
> 1. Firewall Options: Enabled.
> 	The default setting has SSH 'checked'.
> 
> 2. SELinux: Enforcing
> 
> I leave both these options as default.
> 
> My question is, after I install Shorewall Firewall on the FW server, what
> should I do with these two settings?
> 
> a. Leave them as they are?
> b. Disable one or both?
> c. Do they conflict with Shorewall FW?
> 
> The same question goes for the DMZ servers.
> 

Disclaimer: I run no Redhat or Centos systems.

Chuck Kollars | 1 Dec 22:48 2007

?: backup ISP & static IP addresses

We have both the drop we normally use from our regular
ISP, and a backup drop from our backup ISP. Initially
we figured changeover would be real easy -- just
unplug one and plug in the other, no effect on
Shorewall, no firewall reboot, no secondary
consequences.

(We don't need the complication of load balancing
because both drops are plenty wide enough to carry all
our traffic by themselves. We don't need an unattended
failover scheme because we can monitor and  physically
switch the cables just as quickly. And we accept that
most of our connections will break once every few
years when an emergency forces us to switch drops.
We're fully satisfied with this "dumb" solution and
aren't motivated to try to change it; we just want to
make it work.)

Here's our potential problem: our static IP was of
course delegated by our regular ISP, and we suspect it
_may_ be specific to that ISP only. If that's the case
and we use the static IP address from our regular ISP
with our backup drop, we _may_ be ticking off the
ISPs, and it _may_ not even work.

What do other folks who have more than one ISP and
static IP addresses do?

thanks!


Tom Eastep | 1 Dec 23:47 2007

Re: ?: backup ISP & static IP addresses

Chuck Kollars wrote:

> 
> What do other folks who have more than one ISP and
> static IP addresses do?

While I don't feel that the redundancy of a second ISP is worth the cost
for me personally, if I had two uplinks I would:

a) Have two external NICs in my firewall; one for each ISP
b) Describe both as 'optional' in /etc/shorewall/providers
c) Specify 'balance' on both (why not?)
d) If one of the links goes down, simply take the interface down
(ifdown) and restart Shorewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


Tom Eastep | 1 Dec 23:59 2007

Re: ?: backup ISP & static IP addresses

Chuck Kollars wrote:

> 
> Here's our potential problem: our static IP was of
> course delegated by our regular ISP, and we suspect it
> _may_ be specific to that ISP only. If that's the case
> and we use the static IP address from our regular ISP
> with our backup drop, we _may_ be ticking off the
> ISPs, and it _may_ not even work.

Of course it won't work.

Outbound, the default gateway will suddenly not exist.

Inbound, the rest of the internet is not going to suddenly start routing
that IP address through a totally different ISP.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


Karsten Bräckelmann | 2 Dec 11:40 2007

Re: ?: backup ISP & static IP addresses

On Sat, 2007-12-01 at 14:47 -0800, Tom Eastep wrote:
> Chuck Kollars wrote:
> 
> > What do other folks who have more than one ISP and
> > static IP addresses do?
> 
> While I don't feel that the redundancy of a second ISP is worth the cost
>  for me personally, if I had two uplinks I would:
> 
> a) Have two external NICs in my firewall; one for each ISP
> b) Describe both as 'optional' in /etc/shorewall/providers
> c) Specify 'balance' on both (why not?)
> d) If one of the links goes down, simply take the interface down
> (ifdown) and restart Shorewall.

Of course, this works for outbound traffic only.

Since you mentioned a static IP, Tom's other comment still stands. The
rest of the Internet will not suddenly start routing their traffic
differently. This applies mainly in case DNS resolves to that (primary
ISP's) static IP and you are running publicly accessible services in your
network (MX, http, etc).

  karsten

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

Karsten Bräckelmann | 2 Dec 12:04 2007

Re: PING does not work

On Sat, 2007-12-01 at 11:24 -0800, Tom Eastep wrote:
> kbajwa wrote:

> > CentOS
> > Shorewall 4.0.5
> > 
> > I am trying to set up a very simple network with (i) firewall server & (ii)
> > two dmz servers sitting behind the FW server.
> > 
> > When I am loading the CentOS on the FW server, the CentOS sets up the
> > "Security Level & Firewall" as follows:
> > 
> > 1. Firewall Options: Enabled.
> > 	The default setting has SSH 'checked'.

> Disclaimer: I run no Redhat or Centos systems.
> 
> You should turn off the firewall on all three systems.

I believe this to be true and rather generic.

Although I do not use any RHEL or CentOS systems myself, either -- the
distro-provided "Firewall wizard" either uses a different approach, or
actually uses and configures Shorewall internally.

In the first case, after setting up a custom Shorewall, if you ever use
and apply that wizard again, your network is likely to become
dysfunctional until restarting Shorewall. In the latter case, the worst
that can happen would be overwritten Shorewall config -- possibly even
leaving your network completely down, due to the wizard assuming an

James Gray | 3 Dec 04:31 2007

Odd ICMP-Redirect behaviour

Hi All,

We are using a transparent proxy on our LAN.  The redirection is handled by 
the firewall which is running Shorewall-Perl 4.0.4-1.  The method for 
achieving this is exactly as laid out in the Shorewall docs:
http://www.shorewall.net/Shorewall_Squid_Usage.html

Now for the strange part.  Some of our users, all Mac OSX 10.5.1, get their 
routing tables hosed when using transparent proxy.  The sequence goes like 
this:

1. Open a URL in a DMZ, e.g., https://mail.lan.domain.com/
   This will work and display our webmail interface.
2. Now open the same URL without the SSL (i.e., http://mail.lan...)
   This time the transparent proxy rule is invoked, and the client receives an
   ICMP-redirect to use the proxy.  Unfortunately this rewrites the route for
   the internal mail server with the proxy as the gateway!

If you swap the sequence, the SSL site will fail as the route has already been 
rewritten by accessing over port 80 and the proxy won't transparently handle 
SSL traffic (nor should it!).

Here's an example before the ICMP-redirect:

iceman:~ james$ sudo route get mail
   route to: mail
destination: default
       mask: default
    gateway: firewall
  interface: en1