On Tue, 14 May 2002 23:25:43 PDT Eric House wrote:
> Using Bering rc2, I'm trying to set up a router with eth0 external
> (ATT cable modem), eth1 a wired Ethernet LAN, and eth2 a wireless
> Ethernet LAN. Though I may eventually want to put an
> externally-reachable webserver on one of the LANs, I don't think I
> want a dmz. That is, I want all hosts on eth1 and eth2 to have full
> access to each other as if they were all on the same subnet.
Assuming you've named your shorewall zones "net", "loc" and "wlan" (in
/etc/shorewall/{zones,interfaces}), you could pass traffic freely from
"loc" to "wlan" by adding policies in /etc/shorewall/policy:
#SOURCE DESTINATION POLICY LOG LEVEL
# You could also change the existing "loc -> net" to "loc -> all".
# Doing so would allow unfiltered access from loc to the firewall.
loc wlan ACCEPT info
# New policy to give the wlan access to the private net.
wlan loc ACCEPT info
This is probably obvious, but...
Be careful; unless you take further precautions, the policies above
will allow anyone with a wireless card nearby (or not-so-nearby with
a wireless card and an antenna) full access to the network hanging
off eth1.
> All interfaces come up fine. 'ip addr' shows all three with the IP
> addresses I'd expect: eth0's assigned via pump, eth1's 192.168.1.254
> and eth2's 192.168.2.254. Further, the wired LAN on eth1 seems to be
> working correctly. A host there gets assigned an IP via dhcpd, and
> dig shows that names are being resolved by the router at
> 192.168.1.254.
>
> The host on eth1 can ping 192.168.2.254 (the router's eth2 interface),
> but cannot ping any hosts on eth2.
From memory, Tom Eastep's shorewall.lrp (and I think Jacques's version,
too) have a rule in /etc/shorewall/rules like so:
ACCEPT loc fw icmp 8
that allows the loc -> fw:192.168.2.254 ping. The policy outlined
above would permit loc -> wlan pings. You could also leave the
policy as-is and allow selected traffic through by adding rules
like these:
# pings between wlan and loc
ACCEPT loc wlan icmp 8
ACCEPT wlan loc icmp 8
# http, https and ssh between wlan and loc
ACCEPT loc wlan tcp www,https,ssh
ACCEPT wlan loc tcp www,https,ssh
> A host on the wireless LAN also gets an IP via dhcp, but DNS isn't working
> for it (though its resolv.conf file shows that it correctly got the DNS
> server: 192.168.1.254.) Like the eth1 host, it can ping the router's other
> internal interface, but can't ping hosts on the other LAN.
You probably need to add a rule to allow the DNS queries:
ACCEPT wlan fw:192.168.1.254 udp domain
> I'm guessing that I need to coerce shorewall into letting those icmp
> packets across the eth1/eth2 boundary. Is the firewall also
> responsible for the failure of DNS on eth2? More generally, has
> anyone posted suggestions for making this configuration work?
Running a "tail -f" on /var/log/messages while you are debugging
the rules can be a huge help. tcpdump(.lrp) can come in handy too,
when log output isn't sufficient to debug the problem. Hope that
helps at least a little.
--Brad
> Thanks,
>
> --Eric House
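An added example, not part of Brad's reply or of Shorewall itself: a small Python audit of a policy file in the /etc/shorewall/policy layout shown above, reporting which zones a wireless zone can reach under a blanket ACCEPT (the exposure Brad warns about). The zone names and the sample policy file are assumptions that mirror the thread.

```python
# Added example: audit a Shorewall 1.x policy file for blanket ACCEPT
# policies out of an untrusted zone such as the wireless "wlan" zone.
# Column layout follows /etc/shorewall/policy: SOURCE DEST POLICY
# [LOG LEVEL] [LIMIT]; the first matching line wins and "all" matches
# any zone. The sample file and zone names below are constructed.

SAMPLE_POLICY = """\
#SOURCE DESTINATION POLICY LOG LEVEL
loc     net   ACCEPT
loc     wlan  ACCEPT  info
wlan    loc   ACCEPT  info
net     all   DROP    info
all     all   REJECT  info
"""

ZONES = ["net", "loc", "wlan", "fw"]  # assumed zone names; fw = the firewall itself


def parse_policy(text):
    """Return a list of (source, dest, policy, log_level) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, pol = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        entries.append((src, dst, pol.upper(), level))
    return entries


def effective_policy(entries, src, dst):
    """First matching line decides, as in Shorewall; None if nothing matches."""
    for s, d, pol, level in entries:
        if s in (src, "all") and d in (dst, "all"):
            return pol, level
    return None


def audit(entries, untrusted, zones=ZONES):
    """List the zones that 'untrusted' reaches under a blanket ACCEPT policy."""
    findings = []
    for dst in zones:
        if dst == untrusted:
            continue
        match = effective_policy(entries, untrusted, dst)
        if match and match[0] == "ACCEPT":
            findings.append(dst)
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for zone in audit(policy, "wlan"):
        print(f"wlan -> {zone}: blanket ACCEPT; prefer explicit rules in /etc/shorewall/rules")
```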
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html