Vieri Di Paola wrote:
> Hi,
>
> I just set up a bridge with kernel 2.6.20 and followed the instructions at
> http://www.shorewall.net/NewBridge.html.
>
> Since zone definitions are now IP-based and not ports-based then doesn't
> this imply a weaker security mechanism?
> In the NewBridge.html example, hosts 192.168.1.{10,11} would have to be
> somehow "trusted" otherwise they could just change their IP address
> accordingly and Shorewall would treat it as part of the loc zone instead
> of net.
> The maclist option may help a bit but security would still be an issue.
>
> Am I missing something or is it a natural consequence of the now-reduced
> physdev feature?
>
> I have another different issue regarding the 2.6.20 bridge setup.
> In pre-2.6.20 with identical Shorewall configuration settings, hosts in
> the loc zone that did not have a static route for a 10.215.0.0 remote
> destination but had the shorewall bridge as their gateway (thus using it
> as a "router") would communicate with the remote subnets because of the
> routeback option.
> After following the NewBridge.html instructions in a 2.6.20 system, only
> 10.215.144.0 hosts in the loc zone get routed to the remote 10.215.0.0
> subnets. Other ranges fail (e.g. 10.215.145.0 and our netmask is
> 255.255.252.0).
>
> I would gladly post a shorewall dump but I won't be able to until Monday.
> Maybe the information I post below is enough.
>
> 10.215.237.251 and 10.215.5.95 are remote hosts that 10.215.145.245 (in
> loc zone) is trying to reach through gateway 10.215.144.6.
> Host 10.215.145.245 only has a default gateway set to the Shorewall
> bridge 10.215.144.91.
> (this odd use of a routing bridge is for temporary convenience only)
>
> In the logs I see this:
>
> Jun 1 13:38:36 inf-fw2 Shorewall:loc2net:DROP:IN=br0 OUT=br0 PHYSIN=eth1 SRC=10.215.145.245 DST=10.215.237.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=44720 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
> Jun 1 13:46:03 inf-fw2 Shorewall:loc2net:DROP:IN=br0 OUT=br0 PHYSIN=eth1 SRC=10.215.145.245 DST=10.215.5.95 LEN=92 TOS=0x00 PREC=0x00 TTL=17 ID=50143 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=62208
>
> # cat /etc/shorewall/hosts
> #ZONE   HOST(S)                                 OPTIONS
> loc     br0:10.215.144.0/22!10.215.144.92       routeback
>
This /22 doesn't cover the /16 from your routing below.

/sbin/shorewall ipcalc 10.215.144.0/22
   CIDR=10.215.144.0/22
   NETMASK=255.255.252.0
   NETWORK=10.215.144.0
   BROADCAST=10.215.147.255

has 10.215.237.251 and 10.215.5.95 outside of your loc zone. Did you want a /16 here? You're treating the whole /16 as loc, right?

> # cat /etc/shorewall/interfaces
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     br0             detect          routefilter,tcpflags
> #net    br0             10.215.147.255
>
> Interface configuration:
>
> bridge_br0="eth0 eth1"
> config_br0=( "10.215.144.91 netmask 255.255.252.0" )
> brctl_br0=( "stp on" )
> routes_br0=(
> "-net 10.215.0.0 netmask 255.255.0.0 gw 10.215.144.6"

this is the /16... from above

> "default via 10.215.144.92"
> )

Hope that is the issue.

Jerry
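The following script is an added example, not part of the thread and not Shorewall's own code. It reproduces the check Jerry does by hand: it parses the quoted `/etc/shorewall/hosts` entry (only the `IFACE:NET[,NET]![EXCL]` subset shown above), extracts `SRC`/`DST` from the two DROP log lines, and reports which addresses fall inside the loc zone and whether the zone covers the `10.215.0.0/16` route from `routes_br0`. The assumption it encodes is that host-based bridge zone membership is decided purely by address and interface, which is also why the first question in the thread (a host choosing its own address) matters for a defender. The sample inputs are copied from the thread; the wider `/16` entry in the usage note is a constructed candidate fix, not something the thread confirms.

```python
"""Zone-membership check for a Shorewall bridge hosts entry (added example)."""
import ipaddress
import re

# Inputs copied from the thread above.
HOSTS_ENTRY = "loc   br0:10.215.144.0/22!10.215.144.92   routeback"
LOG_LINES = [
    "Jun 1 13:38:36 inf-fw2 Shorewall:loc2net:DROP:IN=br0 OUT=br0 PHYSIN=eth1 "
    "SRC=10.215.145.245 DST=10.215.237.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=44720 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592",
    "Jun 1 13:46:03 inf-fw2 Shorewall:loc2net:DROP:IN=br0 OUT=br0 PHYSIN=eth1 "
    "SRC=10.215.145.245 DST=10.215.5.95 LEN=92 TOS=0x00 PREC=0x00 TTL=17 "
    "ID=50143 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=62208",
]
# Destination of the "-net 10.215.0.0 netmask 255.255.0.0" entry in routes_br0.
ROUTE_NET = ipaddress.ip_network("10.215.0.0/16")


def parse_hosts_entry(line):
    """Parse one 'ZONE HOST(S) OPTIONS' line of /etc/shorewall/hosts.

    HOST(S) is IFACE:NET[,NET...][!EXCL[,EXCL...]]; a bare address becomes
    a /32. Only this subset of the hosts-file syntax is handled.
    """
    fields = line.split()
    zone, hostspec = fields[0], fields[1]
    options = fields[2].split(",") if len(fields) > 2 else []
    iface, _, addrspec = hostspec.partition(":")
    include, _, exclude = addrspec.partition("!")
    return {
        "zone": zone,
        "iface": iface,
        "include": [ipaddress.ip_network(n) for n in include.split(",") if n],
        "exclude": [ipaddress.ip_network(n) for n in exclude.split(",") if n],
        "options": options,
    }


def in_zone(entry, addr):
    """True if addr lies in one of the entry's networks and is not excluded."""
    a = ipaddress.ip_address(addr)
    if any(a in net for net in entry["exclude"]):
        return False
    return any(a in net for net in entry["include"])


def zone_covers_route(entry, route_net):
    """True if every address of route_net is inside one of the zone networks."""
    return any(route_net.subnet_of(net) for net in entry["include"])


def classify_log_line(entry, log_line):
    """Pull chain/action/SRC/DST out of a Shorewall log line and test each side."""
    chain = re.search(r"Shorewall:(\w+):(\w+):", log_line)
    src = re.search(r"\bSRC=(\S+)", log_line).group(1)
    dst = re.search(r"\bDST=(\S+)", log_line).group(1)
    return {
        "chain": chain.group(1),
        "action": chain.group(2),
        "src": src,
        "src_in_zone": in_zone(entry, src),
        "dst": dst,
        "dst_in_zone": in_zone(entry, dst),
    }


if __name__ == "__main__":
    entry = parse_hosts_entry(HOSTS_ENTRY)
    print(f"{entry['zone']} on {entry['iface']}: "
          f"{[str(n) for n in entry['include']]} minus "
          f"{[str(n) for n in entry['exclude']]}, options={entry['options']}")
    print(f"zone covers {ROUTE_NET}: {zone_covers_route(entry, ROUTE_NET)}")
    for line in LOG_LINES:
        print(classify_log_line(entry, line))
```

Run as-is it shows that `10.215.145.245` is inside the `/22` (so it is loc) while both destinations fall outside it (so they match the `net` zone on `br0`), which is exactly the `loc2net` chain the log names; `zone_covers_route` is `False` for the `/22` and becomes `True` only if the hosts entry is widened to `10.215.0.0/16`, the change Jerry suggests.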
