Hi,
I have a few questions about the inner workings of netfilter
(a graphical layout of my network setup @
https://aequorin.homeunix.net:62389/local/media/network-graph.png)
1) These are the syslog entries for some simple connection tests.
Shorewall/netfilter has been set to record all stateful connections.
SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN
is set.
Why is this? Why is SSH not lan(br0) -> $FW?
You mentioned that unless the physdev flag is set, shorewall only cares
about lan(br0) <-> $FW.
Why does PHYSIN get set for SSH?
ping(server->lan)
Sep 14 23:42:45 veridian kernel: [618269.196281] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165
ssh
Sep 14 23:45:15 veridian kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF PROTO=TCP SPT=45664 DPT=48232 WINDOW=8192 RES=0x00 SYN URGP=0
openvpn (3 types)
Sep 14 23:46:54 veridian kernel: [618517.248260] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33 PROTO=UDP SPT=137 DPT=137 LEN=76
Sep 14 23:46:53 veridian kernel: [618516.835299] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165
Sep 14 23:46:59 veridian kernel: [618522.262747] Shorewall:phys2vpn:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.1.1 DST=239.255.255.250 LEN=429 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=409
ping(vpn client->server)
Sep 14 23:50:50 veridian kernel: [618753.216549] Shorewall:lan2fw:REJECT:IN=br0 OUT= PHYSIN=tap0 MAC=00:01:29:f5:f0:26:00:ff:09:52:47:a0:08:00 SRC=192.168.1.225 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
ping(vpn server->client)
Sep 14 23:52:34 veridian kernel: [618857.273217] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165
ping(vpn client->lan)
Sep 14 23:55:39 veridian kernel: [619041.782974] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6
2) How do the PHYSIN/PHYSOUT 'flags' get set? What criteria have to be
met? Does the bridge interface set these flags?
3) Is the following a correct generalization of traffic passing through
netfilter:
(normal, no vpn)
incoming: phys(eth0) -> $FW
outgoing: $FW -> lan(br)
(vpn)
outgoing: phys(eth0) -> vpn(tap0)
---then---
$FW -> lan(br0)
incoming: vpn(tap0) -> phys(eth0)
---or-----
lan(br0) -> $FW
so outgoing vpn traffic has to pass through netfilter twice, first
phys(eth0) -> vpn(tap0), then $FW -> lan(br0)
while incoming vpn traffic passes through netfilter once, but goes
one of two possible 'routes' depending on the destination ((vpn client ->
lan) vs (vpn client -> vpn server))
4) The shorewall docs mention that the lan(br0) zone exists because it is not
possible to do $FW->vpn(tap0) or $FW->phys(eth0).
Is this because netfilter in kernels >=2.6.20 cannot recognize
$FW->vpn(tap0) or $FW->phys(eth0)?
... because I haven't seen any traffic that would match $FW->vpn(tap0)
or $FW->phys(eth0).
much appreciated,
orbisvicis
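Added example, not part of the post above and not Shorewall's own code: a small parser for the LOG lines quoted in the message that separates what the kernel recorded about the packet (IN/OUT, and PHYSIN/PHYSOUT, which the kernel's LOG output carries only when bridge netfilter recorded the physical bridge port the packet entered or left through) from the zone pair named by the Shorewall chain that logged it. The log lines are copied from the post; the port-to-zone map (eth0 -> phys, tap0 -> vpn, the bridge br0 itself -> lan) is an assumption taken from the zone names the poster uses. Comparing the two views flags lines such as the lan2fw REJECT that carries PHYSIN=tap0, which is the kind of line to look at when a packet lands in a different zone-pair chain than expected. Repeated keys (ID and LEN appear once for the IP header and again for ICMP/UDP) keep their first, IP-header, value.

```python
"""Parse Shorewall/netfilter LOG lines and compare the kernel's interface
fields (IN/OUT/PHYSIN/PHYSOUT) with the zone pair in the chain name.
Added example; log lines are copied from the post, PORT_ZONES is assumed."""
import re

# Assumed mapping of bridge ports to Shorewall zones, inferred from the zone
# names used in the post.  Traffic seen on the bridge with no physical-port
# information is attributed to the bridge zone (lan).
PORT_ZONES = {"eth0": "phys", "tap0": "vpn"}
BRIDGE_ZONE = "lan"

# Log lines as quoted in the post (re-joined onto single lines).
SAMPLE_LOGS = [
    "Sep 14 23:42:45 veridian kernel: [618269.196281] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165",
    "Sep 14 23:45:15 veridian kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF PROTO=TCP SPT=45664 DPT=48232 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Sep 14 23:46:54 veridian kernel: [618517.248260] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Sep 14 23:46:59 veridian kernel: [618522.262747] Shorewall:phys2vpn:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.1.1 DST=239.255.255.250 LEN=429 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=409",
    "Sep 14 23:50:50 veridian kernel: [618753.216549] Shorewall:lan2fw:REJECT:IN=br0 OUT= PHYSIN=tap0 MAC=00:01:29:f5:f0:26:00:ff:09:52:47:a0:08:00 SRC=192.168.1.225 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3",
]

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:".
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Return {'chain', 'disposition', 'fields', 'flags'} for one LOG line.
    KEY=VALUE tokens go into fields (the value may be empty, e.g. 'IN=');
    bare tokens such as DF or SYN go into flags.  A repeated key keeps its
    first occurrence, which is the IP-header value."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall LOG line: %r" % line)
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)
        else:
            flags.append(tok)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "fields": fields, "flags": flags}


def hook(fields):
    """Netfilter path inferred from IN/OUT: no IN means the packet was
    generated locally (OUTPUT), no OUT means local delivery (INPUT),
    both means it was forwarded or bridged through (FORWARD)."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def zone_pair_from_chain(chain):
    """Shorewall names its rule chains <src>2<dst>; split that into a tuple."""
    src, sep, dst = chain.partition("2")
    if not sep:
        raise ValueError("chain %r is not a zone-pair chain" % chain)
    return (src, dst)


def zone_pair_from_fields(fields, port_zones=PORT_ZONES, bridge_zone=BRIDGE_ZONE):
    """Zone pair suggested by the kernel's interface fields.  An empty IN or
    OUT is the firewall itself ($FW).  PHYSIN/PHYSOUT are present only when
    the packet crossed a bridge port, so when they name a known port they
    take precedence over the bridge name in IN/OUT."""
    def side(iface, phys):
        if not iface:
            return "fw"
        if phys in port_zones:
            return port_zones[phys]
        return bridge_zone
    return (side(fields.get("IN"), fields.get("PHYSIN")),
            side(fields.get("OUT"), fields.get("PHYSOUT")))


def find_mismatches(lines, port_zones=PORT_ZONES):
    """Lines whose logging chain names a different zone pair than the
    physical-port fields imply; these are the ones worth a closer look."""
    out = []
    for line in lines:
        rec = parse_shorewall_log(line)
        by_chain = zone_pair_from_chain(rec["chain"])
        by_fields = zone_pair_from_fields(rec["fields"], port_zones)
        if by_chain != by_fields:
            out.append({"chain": rec["chain"], "by_fields": by_fields, "line": line})
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_shorewall_log(line)
        print(rec["chain"], rec["disposition"], hook(rec["fields"]),
              "chain says", zone_pair_from_chain(rec["chain"]),
              "fields say", zone_pair_from_fields(rec["fields"]))
    for m in find_mismatches(SAMPLE_LOGS):
        print("MISMATCH:", m["chain"], "logged it but the fields suggest", m["by_fields"])
```

Run over the five lines above, four agree with their chain names and the lan2fw REJECT is reported as a mismatch because PHYSIN=tap0 points at the vpn port; feeding it `grep Shorewall /var/log/syslog` output on a bridge firewall gives the same per-line breakdown for live traffic.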
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users