----- Original Message -----
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "Jeff Clark" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, November 02, 2002 10:22 PM
Subject: Re: [leaf-user] Bering RC-4 unexplainable holes in shorewall - long


>
>
> --On Friday, November 01, 2002 10:27:51 PM -0400 Jeff Clark
> <[EMAIL PROTECTED]> wrote:
>
> >
> > My problems begin with the fact that shorewall does show a REJECT policy
> > for the onl network with the all2all chain even though it appears to
> > establish one - I cannot ftp or ssh from ofl to onl or access the net
> > from ofl.
>
> The grammer and logic in the above paragraph defy words
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I have seen far worse on this list that didn't solicit a comment such as
this....=-)

My question was why does the output of 'shorewall start' not list all
zone-to-zone policies?  For example, in my original post I stated that I've
created 2 internal zones, 'ofl' and 'onl'.  I have not created any policies
or rules to allow traffic between 'ofl' and 'onl'.  Therefore I would expect
to see output from 'shorewall start' such as:

Policy REJECT for ofl to onl using chain all2all
Policy REJECT for onl to ofl using chain all2all

As shown in the original post, these policies are not listed.  Further
testing at the time showed me that traffic such as ftp or ssh is indeed
rejected between the 2 zones 'onl' and 'ofl'.  Further testing today has
shown me that 'shorewall start' only shows policies between zones if the
zones are referenced in a rule.  This all makes sense to me now and renders
the above question pointless, unless I'm way off here, in which case please
feel free to correct me.

There is still the question of pinging between networks that are isolated by
policy, which is discussed below.

> >
> > However, I can ping freely between the networks and most disturbing is my
> > ability to ping internal clients on both internal networks from the
> > EXTERNAL network - even masq'd clients.  I know the norfc1918 option on
> > zone net will stop this but shouldn't the overall policy of net2all
> > prevent this?
>
> Pinging and "overall policy" are two different things in Shorewall. Most
> users (probably irrationally) expect to be able to ping even when they want
> to prevent establishment of any other type of connection -- they see 'ping'
> as the magic bullet that proves connectivity.
>


I agree with you here.  If one is preventing ALL connections between
networks then there is no need to ping between those networks - ping within
the network or from the gateway only.


>
> In order to drive down the number of posts that say
>
> <whine>
> I can't ping!!!!
> </whine>
>
> I implemented a shorewall.conf variable called FORWARDPING. If set to Yes,
> this variable causes icmp echo requests to be accepted in the FORWARD chain
> prior to the application of POLICY. FORWARDPING=Yes is the default value --
> if you don't like it, you can of course set it to "No".
>

I've since re-read Tom's excellent docs (after a long break) and
FORWARDPING slapped me square in the forehead.  FORWARDPING is now set to
no.  (I knew I was missing something horrendously obvious but that's what
happens after 10 or 12 hours of working on this stuff without stepping away
for a while =-)  )

I have now solved my problem of isolating the two networks from each other,
including pinging, with filterping and FORWARDPING set to no.  Filterping on
an interface does have a side effect of preventing machines on that network
from pinging that interface if you do not ACCEPT traffic from that zone to
fw.  However this is easily overcome by adding a rule to ACCEPT icmp
from that zone to fw:ip.of.that.ethx/32.

Okay, it's 2 am again and I'm rambling...again.  Lessons learned are: (a) if
you can't get something to work that should work, take a break every now and
then or you'll end up screwing it up worse, and (b) if you're going to
criticize someone's grammar, spell it correctly (just kidding!!! Please no
flames!)  =-)
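The configuration Jeff describes, written out as an added example that is not part of the thread and not the Shorewall project's own files. The zone names ofl, onl, net and fw, the FORWARDPING variable, the filterping interface option, the norfc1918 option and the fw:ip/32 destination form are taken from the thread; the interface names eth0-eth2, the 192.168.x.1 addresses and the exact column layout of the interfaces, policy and rules files are assumptions modelled on Shorewall 1.3-era file formats.

```text
# shorewall.conf (excerpt)
# Weak (default) setting: ICMP echo requests are ACCEPTed in the FORWARD
# chain before zone-to-zone policy is consulted, so ofl and onl can still
# ping each other even though all2all REJECTs everything else between them.
#FORWARDPING=Yes
# Corrected setting: ping is subject to policy like any other traffic.
FORWARDPING=No

# interfaces (assumed layout: ZONE INTERFACE BROADCAST OPTIONS)
# eth0-eth2 are assumed names. norfc1918 on net drops packets from the
# outside that carry private source addresses; filterping on the internal
# interfaces drops echo requests sent to the interface itself.
net   eth0   detect   norfc1918
ofl   eth1   detect   filterping
onl   eth2   detect   filterping

# policy (assumed layout: SOURCE DEST POLICY LOG_LEVEL)
# No ofl<->onl entry, so both directions fall through to all2all REJECT.
net   all   DROP     info
all   all   REJECT   info

# rules (assumed layout: ACTION SOURCE DEST PROTO DEST_PORT)
# filterping also stops hosts on ofl/onl from pinging their own gateway
# address, so allow echo requests (ICMP type 8) to that one address only.
# The /32 limits the exception to the interface facing that zone; the
# addresses are constructed for this example.
ACCEPT   ofl   fw:192.168.1.1/32   icmp   8
ACCEPT   onl   fw:192.168.2.1/32   icmp   8
```

With FORWARDPING=No the REJECT between ofl and onl applies to ping as well, which is the isolation the post was after; the narrow ACCEPT rules restore only the ping from each network to the address of the interface it is attached to, not ping through the firewall or to its other addresses. Confirm the result with 'shorewall start' and a ping test from each zone rather than assuming it from the policy listing, since, as the thread notes, that listing only shows zone pairs that a rule references.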
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html