One piece of what you wrote is especially perplexing, though, namely --

> most disturbing is my ability to ping internal clients on both internal networks from the EXTERNAL network - even masq'd clients. I know the norfc1918 option on zone net will stop this but shouldn't the overall policy of net2all prevent this?

This one needs a bit more explanation. Since the external connection is a PPPoE connection, just where are you doing this ping'ing *from*? From out on the Internet, pings to your private addresses should not get even close to your LANs; the ISP's routers should stop them before they ever encounter your rulesets. If you traceroute to these addresses, do they really prove to be on your LANs (or are you just able to ping *some* hosts with 192.168.17.d addresses)?
In any case, a look at the underlying iptables rulesets will probably let us see where any problem is.
At 10:27 PM 11/1/02 -0400, Jeff Clark wrote:
I'm setting up a Bering rc-4 box with pppoe net access and two internal networks - not a DMZ, just 2 separate internal networks. I want traffic blocked between the internal networks and from the 2nd network to the net.

I've set up 3 zones:

  net is pppoe through eth0
  ofl is 192.168.17.0/24 on 192.168.17.254 through eth1
  onl is 192.168.170.0/24 on 192.168.170.253 through eth2

Offline and Online are arbitrary names only, referring only to what we call each network in the office...think of them as A and B. Offline is to be masq'd and Online is not - Online is actually to be completely isolated from the internet and Offline. Think of Online as Area 51 - it simply doesn't "exist" to anyone outside of the office - it will be connected to an ipsec tunnel after I get the rest of this setup working to connect to a remote facility.

Here are my zone, ifaces, policy and rules:

TOH-FW-1: -root- # cat /etc/shorewall/zones | grep -v "#"
net     Net     Internet
ofl     Offline Offline network
onl     Online  Online network

TOH-FW-1: -root- # cat /etc/shorewall/interfaces | grep -v "#"
net     ppp0    -       routefilter
ofl     eth1    -       routestopped
onl     eth2    -

TOH-FW-1: -root- # cat /etc/shorewall/policy | grep -v '#'
ofl     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

TOH-FW-1: -root- # cat /etc/shorewall/rules | grep -v '#'
ACCEPT  fw      net     tcp     53
ACCEPT  fw      net     udp     53
ACCEPT  net     fw      tcp     22
ACCEPT  ofl     fw      tcp     22
ACCEPT  ofl     fw      udp     53
ACCEPT  ofl     fw      tcp     80
ACCEPT  net     fw      tcp     37

TOH-FW-1: -root- # shorewall stop;shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Stopping Shorewall...Processing /etc/shorewall/stop ...
done.
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Initializing...
Determining Zones...
   Zones: net ofl onl
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: ppp0:0.0.0.0/0
   Offline Zone: eth1:0.0.0.0/0
   Online Zone: eth2:0.0.0.0/0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT ofl fw tcp 22" added.
   Rule "ACCEPT ofl fw udp 53" added.
   Rule "ACCEPT ofl fw tcp 80" added.
   Rule "ACCEPT net fw tcp 37" added.
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy DROP for net to fw using chain net2all
   Policy REJECT for ofl to fw using chain all2all
   Policy ACCEPT for ofl to net using chain ofl2net
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from eth1 through ppp0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Processing /etc/shorewall/OUTPUT ...
Processing /etc/shorewall/start ...
Shorewall Started

My problems begin with the fact that shorewall does show a REJECT policy for the onl network with the all2all chain even though it appears to establish one - I cannot ftp or ssh from ofl to onl or access the net from ofl. However, I can ping freely between the networks and most disturbing is my ability to ping internal clients on both internal networks from the EXTERNAL network - even masq'd clients. I know the norfc1918 option on zone net will stop this but shouldn't the overall policy of net2all prevent this? I've tried setting up DROP or REJECT rules for onl2ofl/ofl2onl with icmp - echo-request OR explicit onl2ofl/ofl2onl REJECT or DROP policies, with or without filterping set on the interfaces. None of this prevents me pinging to or from all three networks.
It is not a big thing, but using ping to map my protected networks is something I need to prevent to calm the IT gods at corporate, as well as my nerves. I've been working at this for 12 solid hours now and I am convinced I'm missing something very simple here.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
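The startup output Jeff posted prints only four "Policy ... using chain ..." lines, so it is not obvious from it which policy line, and which chain, each of the twelve zone pairs actually falls under. What follows is an added example, not code from this thread and not part of Shorewall: a small Python resolver that applies Shorewall's first-match policy lookup to the zones and policy file copied from Jeff's post (the firewall is the implicit zone "fw", and the chain is named from the SOURCE and DEST columns of the matching line, which is why "net all" shows up as net2all and "all all" as all2all in his output). It also includes an RFC1918 test for the addresses reportedly pinged from outside, since that is the point of Ray's traceroute question. The two LAN addresses at the bottom are constructed for illustration; intra-zone traffic is not resolved.

```python
"""Resolve which Shorewall policy line (and chain) governs each zone pair.

Added example, not part of the original post.  Models Shorewall 1.3
first-match policy semantics: the first line in /etc/shorewall/policy
whose SOURCE and DEST match (literally or via "all") wins, and the
chain is named <SOURCE>2<DEST> from that line's own columns.
"""
from ipaddress import ip_address, ip_network

# Zones from the posted /etc/shorewall/zones, plus the implicit firewall zone.
ZONES = ["net", "ofl", "onl"]
FW = "fw"

# Posted /etc/shorewall/policy with comments stripped:
# SOURCE DEST POLICY [LOG LEVEL]
POLICY_FILE = """
ofl  net  ACCEPT
fw   net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""


def parse_policy(text):
    """Return a list of (source, dest, policy, loglevel) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        src, dst, pol = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        rules.append((src, dst, pol, level))
    return rules


def resolve(rules, src, dst):
    """First-match lookup: returns (policy, chain, loglevel), or None if no line matches."""
    for rsrc, rdst, pol, level in rules:
        if rsrc in (src, "all") and rdst in (dst, "all"):
            return pol, f"{rsrc}2{rdst}", level
    return None


def policy_matrix(rules, zones=ZONES, fw=FW):
    """Resolve every inter-zone pair, including traffic to and from the firewall."""
    all_zones = [fw] + list(zones)
    return {
        (s, d): resolve(rules, s, d)
        for s in all_zones
        for d in all_zones
        if s != d
    }


# The three RFC1918 blocks that the norfc1918 interface option drops on arrival.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for addresses that cannot legitimately be routed in from the Internet."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


if __name__ == "__main__":
    rules = parse_policy(POLICY_FILE)
    for (s, d), (pol, chain, level) in sorted(policy_matrix(rules).items()):
        log = f" (log {level})" if level else ""
        print(f"{s:>3} -> {d:<3} {pol:<6} via {chain}{log}")
    # Constructed addresses inside the two posted LANs, not from the thread.
    for a in ("192.168.17.10", "192.168.170.20"):
        print(a, "is RFC1918:", is_rfc1918(a))
```

Run against the posted policy file, every pair that involves onl as source resolves to REJECT via all2all, and every pair with net as source resolves to DROP via net2all; comparing that table with the "Policy ..." lines Shorewall actually prints, and then with `iptables -L -n -v` for those chains, is the quickest way to see which pairs never got the chain the policy file promises them. An address that passes is_rfc1918 and still answers a ping "from the Internet" was not pinged from the Internet at all.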
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
