OK, so I take it there are no shorewall rules that are associated with route 
filtering.    Is route filtering then an operation performed by the kernel, as per RFC 
1812?  Deciding what routes to trust from what sources?

Also, how is this related to IPsec? I am curious because we have had no success with 
IPsec between some machines on campus. A "no route found" message was found in a log 
file (with spoofprotect=NO and no routefilter option).
(See Erich's previous post about "no route found".)

As the script below seems to indicate, the first thing done is to set all 
.../ethx/rp_filters to 0. Then set the interfaces with route_filter options to 1.
But, as Tom's message below indicates, we need to set .../all/rp_filter to 1. The 
script does not do this.  (Why? Done somewhere else?)

BTW, this is in Bering 1.2, and from a previous search through the archives (see the 
previous post "spoofprotect=NO versus YES") I found that Tom Eastep wrote the 
following. Thought I would include this.

THx -- Rick.

============== Begin Snip ======================


 There are several problems here.
 
 a) The advice that /proc/sys/net/ipv4/conf/eth0/rp_filter should be zero
 is bogus. I ran an IPSEC tunnel with that flag set to 1 for over a year
 with no problems other than an annoying message when IPSEC started. You
 *might* see problems if /proc/sys/net/ipv4/conf/all/rp_filter is also
 set (that's required to actually perform route-based filtering on those
 interfaces whose flag is also set).
 
 b) There is another way in which that flag can be turned on:
 
        /etc/shorewall/interfaces -- routefilter option.
        
 c) /proc has no backing store; it is a file system materialized in
 memory with no disk underneath it. So it is impossible to back up that
 setting in the literal sense. What you rather need to do is to change
 those config files that cause the flag to be set to 1 (such as
 /etc/network/options and /etc/shorewall/interfaces) then back up THOSE
 files.
 
 -Tom
 -- 
 Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
 Shoreline,     \ http://shorewall.net
 Washington USA  \ [EMAIL PROTECTED]
============== End Snip =========================


-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 11, 2004 5:28 PM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: Re: [leaf-user] routefilter option makes no difference in rules

At 16:40 11.10.2004 -0400, you wrote:
>Hello, list:
>I tried an experiment and added the routefilter option on eth0 to the
>internet.  Before I did that, with spoofprotect = yes in
>/etc/network/options, I executed iptables -L.
>Then, put the routefilter option on eth0 in shorewall, rebooted, and ran
>iptables again.  Comparing both files yielded no differences.
>
>Any ideas?

Mhhh try to.....

here seems to be the relevant code from firewall

     # Interfaces that carry the "routefilter" option in /etc/shorewall/interfaces
     interfaces="`find_interfaces_by_option routefilter`"

     if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
         echo "Setting up Kernel Route Filtering..."

         # Clear rp_filter on every entry under conf/ (this includes conf/all
         # and conf/default, so nothing is left from spoofprotect=yes)
         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
             echo 0 > $f
         done

         # Raise the flag only on the interfaces listed with "routefilter"
         for interface in $interfaces; do
             file=/proc/sys/net/ipv4/conf/$interface/rp_filter
             if [ -f $file ]; then
                 echo 1 > $file
             else
                 error_message \
                     "Warning: Cannot set route filtering on $interface"
             fi
         done
     fi

As you see, this is not doing anything to netfilter, so of course you 
will not see any difference in the iptables rules.

cheers

Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16





leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
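Added example, not from the thread and not Shorewall's own code: a small POSIX sh
audit that re-plays the loop Erich quoted from the firewall script against a
sysctl tree and then reports, per interface, whether reverse-path filtering is
actually in effect. It assumes the two kernel rules a practitioner needs to keep
apart: on the 2.4 kernels Bering 1.2 ships, conf/all/rp_filter AND
conf/<if>/rp_filter must both be 1 for the interface to be filtered (Tom's point
above); on 2.6.31 and newer kernels the max of the two values is used (per
Documentation/networking/ip-sysctl.txt). The constructed tree under mktemp stands
in for /proc/sys/net/ipv4/conf so the script runs offline; pass a real conf
directory as $1 to audit a live box. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the leaf-user thread): audit rp_filter state.

# 2.4-era rule: filtering on <if> needs conf/all AND conf/<if> both set.
rp_filter_effective_24() {
    if [ "$1" = "1" ] && [ "$2" = "1" ]; then echo 1; else echo 0; fi
}

# 2.6.31+ rule: the higher of conf/all and conf/<if> wins (2 = loose mode).
rp_filter_effective_max() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Constructed stand-in for /proc/sys/net/ipv4/conf, every flag at 1 as if
# spoofprotect=yes in /etc/network/options had already run.
make_fake_tree() {
    d=$(mktemp -d)
    for i in all default eth0 eth1 ipsec0; do
        mkdir -p "$d/$i"
        echo 1 > "$d/$i/rp_filter"
    done
    echo "$d"
}

# Same logic as the firewall script loop Erich quoted: zero every rp_filter
# (conf/all and conf/default included), then raise only the named interfaces.
simulate_routefilter() {
    root=$1; shift
    for f in "$root"/*/rp_filter; do
        echo 0 > "$f"
    done
    for iface in "$@"; do
        file="$root/$iface/rp_filter"
        if [ -f "$file" ]; then
            echo 1 > "$file"
        else
            echo "Warning: Cannot set route filtering on $iface" >&2
        fi
    done
}

# One line per real interface: raw flags plus the effective result under
# both kernel rules. all/ and default/ are inputs, not interfaces, so skipped.
rp_filter_audit() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter")
    for f in "$root"/*/rp_filter; do
        iface=${f%/rp_filter}; iface=${iface##*/}
        case $iface in all|default) continue ;; esac
        v=$(cat "$f")
        printf '%s all=%s if=%s effective_2.4=%s effective_2.6.31+=%s\n' \
            "$iface" "$all" "$v" \
            "$(rp_filter_effective_24 "$all" "$v")" \
            "$(rp_filter_effective_max "$all" "$v")"
    done
}

# No argument: run the demo on the constructed tree. Argument: audit that dir.
case "${1:-demo}" in
    demo)
        tree=$(make_fake_tree)
        echo "before (as if spoofprotect=yes):"
        rp_filter_audit "$tree"
        simulate_routefilter "$tree" eth0
        echo "after 'routefilter' on eth0 (all/rp_filter is now $(cat "$tree/all/rp_filter")):"
        rp_filter_audit "$tree"
        rm -rf "$tree"
        ;;
    *)
        rp_filter_audit "$1"
        ;;
esac
```

The demo output is the thread's observation in one screen: after the routefilter
loop runs, eth0 has if=1 but all=0, so on a 2.4 kernel effective_2.4=0 and
nothing is filtered, while a 2.6.31+ kernel would report 1 for the same files.
To close the gap on Bering, all/rp_filter has to be raised by something the
script does not do, e.g. in /etc/network/options.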
