[leaf-user] RE: can't ping dmz - loc
Hi again,

> > Hello Group
> >
> > I have some problems in my connection to and from DMZ and LOC. All other than LOC - DMZ works. I'm using shorewall 1.4.8 with the three interfaces config examples. Not only ping but also ssh can't connect. I imagine it's a small detail I missed, but hell, I can't find it.
>
> The ping failures you report, namely
>
>   ping dmz - loc failure: network unreachable
>   ping dmz - loc failure: ctrl+c 100% loss
>
> usually indicate a problem with some routing table. But since you didn't include a listing of either routing table (ip route show for the LEAF router; who knows for the DMZ host) in the stuff you provided, that's only a guess.

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
128.142.112.0/20 dev eth0 proto kernel scope link src 128.142.121.254
default via 128.142.112.1 dev eth0

> If I read this stuff right, you changed the network numbering of your DMZ in /etc/network/interfaces away from the default. But perhaps you did not change the corresponding entries in /etc/network.conf?

I don't have a /etc/network.conf?? This is the default /etc/interfaces. As I understand, I can't have dmz on the same network as the loc; here it is 192.168.1.x for both the dmz and loc??

auto eth1
iface eth1 inet static
    address 192.168.1.254
    masklen 24
    broadcast 192.168.1.255

auto eth2
iface eth2 inet static
    address 192.168.1.100
    masklen 24
    broadcast 192.168.1.255

> Finally, you *might* have a configuration problem on the DMZ host you are testing from.

If I can ping dmz-fw-loc but not dmz-loc, then my dmz host net config is ok, right??

Regards
Lasse

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] RE: can't ping dmz - loc
Sorry - I was getting Dachstein and Bering muddled in my head when I replied before. You're right -- no /etc/network.conf in Bering. And apparently it is not a routing table problem, at least not on the Bering router, based on your new report.

I can't figure out what you mean by "i can ping dmz-fw-loc but not dmz-loc" in what you wrote below, so I cannot answer that part of your question.

Most likely, when you changed the DMZ addressing away from the default, you created a mismatch between the actual interfaces/networks and one of the Shorewall settings, but offhand I don't know which one ... you can check this through Bering's Shorewall menu choice.

It is possible to have both the LAN and the DMZ on the same IP-address network ... I do it here, for example, though I don't use Bering ... you just have to get the routing table and firewall rulesets right. For competent security, you want the LAN and the DMZ to be separate *physical* networks (in practice, separate Ethernets, usually), but that's a separate issue from IP-address networks.

As I said last time, unless someone else can spot the problem from the fragmentary info you sent, you'll need to provide proper diagnostics, as described in the SR FAQ, to get targeted help.

At 06:15 PM 12/17/2003 +0100, and hansen wrote:

[...]
Re: [leaf-user] RE: can't ping dmz - loc
[snip]

You state here your subnets are 192.168.1.0/24 and 192.168.10.0/24:

> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> 192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
> 128.142.112.0/20 dev eth0 proto kernel scope link src 128.142.121.254
> default via 128.142.112.1 dev eth0

[snip]

Yet below, you state eth2 = 192.168.1.100:

> i don't have a /etc/network.conf ? this is the default /etc/interfaces, as i understand, i can't have dmz on same network as the loc here it is 192.168.1.x for both the dmz and loc ??
>
> auto eth1
> iface eth1 inet static
>     address 192.168.1.254
>     masklen 24
>     broadcast 192.168.1.255
>
> auto eth2
> iface eth2 inet static
>     address 192.168.1.100
>     masklen 24
>     broadcast 192.168.1.255

If this is true, that's your problem. Your routing table doesn't match your interfaces table. What is the result of ip addr show?

Tony
[leaf-user] RE: can't ping dmz - loc
To Tom: you mixed up the reply, see my first posting :) It's the default example (192.168.1.x). And RH FAQ info to Ray Olszewski:

Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586 unknown

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:2b:02:0d:6d brd ff:ff:ff:ff:ff:ff
    inet 128.142.121.254/20 brd 129.142.127.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:2b:02:2a:43 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:2b:02:2a:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.100/24 brd 192.168.10.255 scope global eth2

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
129.142.112.0/20 dev eth0 proto kernel scope link src 128.142.121.254
default via 129.142.112.1 dev eth0

Shorewall-1.4.8 Status at firewall - Wed Dec 17 19:17:28 UTC 2003
Counters reset Wed Dec 17 17:33:30 UTC 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  159 22494 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  139 11414 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1671  862K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1942  322K eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
  146  9944 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  129 18328 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:135
   18  1404 reject     udp  --
[leaf-user] RE: can't ping dmz - loc
Sorry Tony. Tony.. not Tom :))
Re: [leaf-user] RE: can't ping dmz - loc
At 07:50 PM 12/17/2003 +0100, and hansen wrote:
[...]
> and RH FAQ info to Ray Olszewski

[details deleted in reply]

OK. I read through the Shorewall rulesets you provided (as well as the rest of the information), and it looks like the router should be letting you ping both ways between dmz and loc, and ssh from loc to dmz (the actual problems you reported in your first message).

The ruleset output you quoted, though, is from a time when Shorewall has seen no packets from the dmz (the INPUT and FORWARD chain entries in the default table are all 0 for eth2 as source).

Your best bet at this point is to try the tests again, then capture again the output of Shorewall status. Trace through the rulesets and see where they are and are not being incremented, and that should tell you where your problem is.

For example, you now report (I've reformatted this a bit in the hope that it will come through in more easily read form):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1671  862K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1942  322K eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

If you ping a dmz host from loc successfully, you should see both the rule for the eth1_fwd and the rule for the eth2_fwd target increment. If both do, the problem is after the icmp packet gets to the dmz host and it replies, so trace through the rules that follow the arrival at eth2_fwd. If only eth1_fwd increments, then trace through the rule chain that outgoing packets traverse (it has about 5 steps) to make sure all the proper rules increment.

In this example, the rule sequence you would expect the packet to traverse is:

in eth1_fwd:
    0     0 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

in loc2dmz:
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8

The ACCEPT target ends the sequence. If these rules all do increment, so that the ping packet goes out successfully, but the router never sees a reply (that is, eth2_fwd does not increment), then see what's going on on the dmz host.

This is just an example; exactly what you need to check depends on what you find, but I'm sure you can see the logic of following a rule path from this example.

I would also double check the configuration (the routing table and any onboard firewall) of the dmz host. If, for example, it thinks it is on 192.168.0.0/16 rather than 192.168.100.0/24, that would be sufficient to explain all the symptoms you've reported (this is an example only).
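The counter tracing Ray describes can be done mechanically: take one `shorewall status` (equivalently `iptables -vnL`) snapshot before the test ping and one after, then follow the rules whose packet counters grew, descending into whatever user chain each one jumps to. The script below is an added example, not code from the thread or from Shorewall. Its two snapshots are constructed for the example: the chain names (eth1_fwd, loc2dmz, eth2_fwd) mirror the ones quoted in this thread, but the rules in the sub-chains and all counter values are invented, and the AFTER snapshot is built to show the failure mode Ray sketches, four echo requests accepted on the loc2dmz path with nothing coming back in on eth2.

```python
"""Diff iptables/Shorewall packet counters between two snapshots and follow the
rules that fired, to see how far a test packet got through the ruleset."""

# Constructed snapshots in the `iptables -vnL` layout that `shorewall status`
# prints. Chain names mirror the thread; sub-chain rules and counters are
# invented for the example.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1671  862K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1942  322K eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1942  322K loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""

# The same ruleset after four echo requests from loc to dmz: the FORWARD ->
# eth1_fwd -> loc2dmz -> ACCEPT path moved by 4, but eth2_fwd stayed at 0.
AFTER = (BEFORE
         .replace(" 1942  322K eth1_fwd", " 1946  323K eth1_fwd")
         .replace("    0     0 loc2dmz ", "    4   336 loc2dmz ")
         .replace("    0     0 ACCEPT     icmp", "    4   336 ACCEPT     icmp"))


def parse_count(token):
    """iptables -v abbreviates big counters as 862K / 1M / 2G (powers of 1000)."""
    mult = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
    if token[-1] in mult:
        return int(float(token[:-1]) * mult[token[-1]])
    return int(token)


def parse_status(text):
    """Parse `iptables -vnL` style output into {chain: [rule, ...]}, in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        if not fields or fields[0] == "pkts" or current is None:
            continue  # blank line or column header
        pkts, nbytes, target, prot, _opt, iface_in, iface_out, src, dst = fields[:9]
        chains[current].append({
            "pkts": parse_count(pkts), "bytes": parse_count(nbytes),
            "target": target, "prot": prot, "in": iface_in, "out": iface_out,
            "src": src, "dst": dst, "match": " ".join(fields[9:]),
        })
    return chains


def diff_counters(before, after):
    """Rules whose packet counter grew, as (chain, index, delta, rule).
    A counter that went down (reset between snapshots) is ignored, not reported."""
    hits = []
    for chain, rules in after.items():
        old = before.get(chain, [])
        for i, rule in enumerate(rules):
            delta = rule["pkts"] - (old[i]["pkts"] if i < len(old) else 0)
            if delta > 0:
                hits.append((chain, i, delta, rule))
    return hits


def trace_path(before, after, start="FORWARD"):
    """Walk `start` in rule order, recording incremented rules and descending
    into user chains they jump to. Returns [(chain, target, delta, match)].
    A chain referenced from several places (e.g. common) aggregates counters."""
    hits = {(c, i): d for c, i, d, _ in diff_counters(before, after)}
    path = []

    def walk(chain, depth):
        if depth > 16:  # guard against pathological jump loops
            return
        for i, rule in enumerate(after.get(chain, [])):
            delta = hits.get((chain, i))
            if not delta:
                continue
            path.append((chain, rule["target"], delta, rule["match"]))
            if rule["target"] in after:  # jump into a user chain
                walk(rule["target"], depth + 1)

    walk(start, 0)
    return path


def diagnose_ping(before, after, request_chain="eth1_fwd", reply_chain="eth2_fwd"):
    """Apply Ray's reasoning for a loc -> dmz ping to the two snapshots."""
    req = trace_path(before, after, start=request_chain)
    rep = trace_path(before, after, start=reply_chain)
    if not req:
        return "request never reached %s: check the loc host and the router's inbound chains" % request_chain
    if not any(t == "ACCEPT" for _, t, _, _ in req):
        return "request entered %s but no ACCEPT under it incremented: check rules/policies" % request_chain
    if not rep:
        return "request accepted, but nothing came back through %s: check the dmz host's routes, gateway and host firewall" % reply_chain
    return "traffic traversed both %s and %s; the router is passing it" % (request_chain, reply_chain)


if __name__ == "__main__":
    b, a = parse_status(BEFORE), parse_status(AFTER)
    for chain, target, delta, match in trace_path(b, a):
        print("%-10s -> %-10s +%d %s" % (chain, target, delta, match))
    print(diagnose_ping(b, a))
```

Run the test with nothing else crossing the firewall if you can (or filter the hits by the `match` column), because counters on shared chains count everyone's packets. Do not run `shorewall reset` between the two snapshots; the second status Lasse posts later in this thread is all zeros for exactly that reason. Resetting before the first snapshot is fine.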
[leaf-user] RE: can't ping dmz - loc
I don't get any pkts or bytes even if I browse some web pages, only 0 0?? I have the info switch at on in my policy?? What have I done now :)

Shorewall-1.4.8 Chain at - Wed Dec 17 22:00:54 UTC 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
    0     0 DROP       all  --  *
[leaf-user] RE: can't ping dmz - loc
Wait.. now I'm counting packets, so let me investigate this... I'll be back :))
[leaf-user] RE: can't ping dmz - loc
Now I got it :)) I have such big and red ears, shit, they are hurting me, twice as big as my head. My gatewaydev on my dmz server was on 192.168.1.x. So why have I told you that I can ping net from dmz... shit, sorry.. and thanks for your help :)

Regards
Lasse
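Lasse's root cause, a DMZ host whose configured gateway still sat on the old 192.168.1.x numbering, is the classic way to get the "network unreachable" error from the first message: Linux refuses to install a route through a gateway that is not on a directly connected subnet, so the host ends up with no default route at all and cannot even address a packet toward loc. The check below is an added example, not code from the thread or from LEAF. It parses `ip -4 addr show` and `ip route show` output from the host and reports whether the configured gateway is on-link and how a given destination would be routed. The sample output, the DMZ host address 192.168.10.5 and the configured gateway are constructed for the example; the thread never shows the DMZ host's own configuration.

```python
"""Sanity-check a host's addresses, routes and configured gateway, the way one
would on the DMZ host before blaming the firewall."""
import ipaddress

# Constructed `ip -4 addr show` output for a DMZ host with the invented
# address 192.168.10.5/24 (not output quoted in the thread).
ADDR_OUT = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
"""
# Constructed `ip route show` output: only the link route is present because
# the kernel refused "default via 192.168.1.254", that address being off-link.
ROUTE_OUT = """\
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
"""
# Gateway as left in the host's network config (assumed to come from e.g. the
# `gateway` line of /etc/network/interfaces or GATEWAY= in /etc/sysconfig/network).
CONFIGURED_GATEWAY = "192.168.1.254"


def parse_addrs(addr_out):
    """Return {device: [connected IPv4 networks]} from `ip -4 addr show`.
    Assumes the device name is the last token of each `inet` line."""
    nets = {}
    for line in addr_out.splitlines():
        toks = line.split()
        if len(toks) >= 2 and toks[0] == "inet":
            nets.setdefault(toks[-1], []).append(ipaddress.ip_interface(toks[1]).network)
    return nets


def parse_routes(route_out):
    """Return [{dst, via, dev}] from `ip route show` (IPv4 only)."""
    routes = []
    for line in route_out.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        routes.append({
            "dst": ipaddress.ip_network(dst, strict=False),
            "via": ipaddress.ip_address(toks[toks.index("via") + 1]) if "via" in toks else None,
            "dev": toks[toks.index("dev") + 1] if "dev" in toks else None,
        })
    return routes


def gateway_device(gateway, nets):
    """Device whose connected subnet contains `gateway`, or None when the
    gateway is off-link (the kernel would reject a route through it)."""
    gw = ipaddress.ip_address(str(gateway))
    for dev, subnets in nets.items():
        if any(gw in n for n in subnets):
            return dev
    return None


def lookup(destination, nets, routes):
    """Longest-prefix match, then describe how the kernel would send to it."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["dst"]]
    if not matches:
        return "no route: ping would report 'Network is unreachable'"
    best = max(matches, key=lambda r: r["dst"].prefixlen)
    if best["via"] is None:
        return "direct on %s" % best["dev"]
    if gateway_device(best["via"], nets) == best["dev"]:
        return "via %s on %s" % (best["via"], best["dev"])
    return "via %s on %s, but that gateway is not on-link" % (best["via"], best["dev"])


def check_host(addr_out=ADDR_OUT, route_out=ROUTE_OUT, gateway=CONFIGURED_GATEWAY):
    """Collect the findings a troubleshooter wants before blaming the firewall."""
    nets, routes = parse_addrs(addr_out), parse_routes(route_out)
    findings = []
    if gateway_device(gateway, nets) is None:
        findings.append("configured gateway %s is not on any connected subnet (%s)" % (
            gateway, ", ".join(str(n) for subnets in nets.values() for n in subnets)))
    if not any(r["dst"].prefixlen == 0 for r in routes):
        findings.append("no default route installed")
    return findings


if __name__ == "__main__":
    for finding in check_host():
        print("PROBLEM:", finding)
    nets, routes = parse_addrs(ADDR_OUT), parse_routes(ROUTE_OUT)
    for host in ("192.168.10.100", "192.168.1.10"):
        print(host, "->", lookup(host, nets, routes))
```

With the constructed input this reports the off-link gateway and the missing default route, and shows 192.168.1.10 (a loc address) as unroutable while 192.168.10.100 (the router's eth2 address from the thread) is reachable directly. Pointing the gateway at 192.168.10.100 clears both findings. Paste real `ip addr` / `ip route` output in place of the constants to check an actual host.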