OK - I figured out what it is but maybe someone can give an explanation
here.

If I use the multiple zones configuration I have to do in addition

Hosts

v3005   vlan3005:0.0.0.0/0

And of course this seems to be very logical since this means all IPs on the
internet.

But I am still confused a lot as to why this is the first time I have to do it
after using Shorewall for years without being forced to specify 0.0.0.0/0.

If I use the non-multiple configuration it works perfectly as well, without the
need to configure 0.0.0.0/0 but just the broadcast of the subnet, linked to the
next hop pointing Shorewall to the public internet.

So from my side there is nothing against configuring 0.0.0.0/0 in
multiple zones, but I am still interested in why the need occurs in my special
environment.

Any help would be appreciated. 


Cheers
Mike
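To make the behaviour in this thread concrete, here is an added illustration (not Shorewall code, and not from the poster) that models only the part of Shorewall's zone assignment that matters here: a packet belongs to a zone when it arrives on the listed interface *and* its address falls inside the listed network, rules are consulted first and policies second, and a packet that lands in no zone falls through to DROP. The zone, rule and policy entries and the two dropped packets are taken from the messages below; the matching logic is a simplification assumed for the example.

```python
# Simplified model of Shorewall zone matching for the thread above.
# Assumption: a host belongs to a zone only if its interface AND address match a
# hosts entry; anything unmatched falls through to the default DROP policy.
from ipaddress import ip_address, ip_network

# hosts entries from the thread: (zone, interface, network)
HOSTS_NARROW = [("v3005", "vlan3005", "62.101.100.0/30")]   # original config
HOSTS_WIDE = [("v3005", "vlan3005", "0.0.0.0/0")]           # the working fix

RULES = [("ACCEPT", "v3005", "fw", "tcp", 22)]   # rules file
POLICY = [("fw", "v3005", "ACCEPT")]              # policy file
DEFAULT_POLICY = "DROP"                           # no rule, no policy


def zone_of(hosts, iface, addr):
    """Return the zone covering addr on iface, or None if no hosts entry does."""
    for zone, zone_iface, net in hosts:
        if zone_iface == iface and ip_address(addr) in ip_network(net):
            return zone
    return None


def verdict(hosts, src_iface, src, dst_iface, dst, proto=None, dport=None):
    """Classify both ends of a packet, then check rules, then policy.
    The firewall itself ('fw') is the end that has no interface."""
    src_zone = "fw" if src_iface is None else zone_of(hosts, src_iface, src)
    dst_zone = "fw" if dst_iface is None else zone_of(hosts, dst_iface, dst)
    if src_zone is None or dst_zone is None:
        return DEFAULT_POLICY           # packet is in no zone at all
    for action, s, d, p, port in RULES:
        if (s, d, p, port) == (src_zone, dst_zone, proto, dport):
            return action
    for s, d, action in POLICY:
        if (s, d) == (src_zone, dst_zone):
            return action
    return DEFAULT_POLICY


# Constructed from the two kernel log lines quoted in the thread
SSH_IN = dict(src_iface="vlan3005", src="109.5.122.3",
              dst_iface=None, dst="62.101.100.2", proto="tcp", dport=22)
PING_OUT = dict(src_iface=None, src="62.101.100.2",
                dst_iface="vlan3005", dst="109.5.122.3", proto="icmp")

if __name__ == "__main__":
    for name, hosts in (("narrow /30", HOSTS_NARROW), ("0.0.0.0/0", HOSTS_WIDE)):
        print(name, "ssh in:", verdict(hosts, **SSH_IN),
              "ping out:", verdict(hosts, **PING_OUT))
```

With the /30 entry, 109.5.122.3 is in no zone, so both the inbound SSH SYN and the outbound ping reply path hit DROP; with 0.0.0.0/0 the same packets match the rule and the policy respectively.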



-----Original Message-----
From: Michael Weickel - iQom Business Services GmbH [mailto:[email protected]]
Sent: Saturday, 21 November 2009 01:17
To: 'Shorewall Users'
Subject: Policy make troubles once multiple zones are applied


Hi all,

I am running into some curious problems with hosts and interfaces.

My interface vlan3005 has the IP 62.101.100.2/30

I don't have a zone net or a zone fw. One could say my zone v3005 is
representing net. I do not have a 0.0.0.0/0 route in the main table, but

ip route show table 22
default via 62.101.100.1 dev vlan3005

and

32764:  from all iif vlan3005 lookup 22 
32765:  from 62.101.100.2 lookup 22

Interfaces

-       vlan3005                62.101.100.3

Hosts

v3005   vlan3005:62.101.100.0/30

Rules

ACCEPT  v3005           fw              tcp     22

Policy

fw      v3005           ACCEPT

If I now try to 'ssh 62.101.100.2' from outside

Nov 21 01:15:50 ffmfw01 [  867.692419] Shorewall:INPUT:DROP:IN=vlan3005 OUT=
MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=109.5.122.3
DST=62.101.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=42964 DF PROTO=TCP
SPT=52142 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

And if I try to 'ping 109.5.122.3 -I vlan3003' 

ping: sendmsg: Operation not permitted

Nov 21 01:20:02 ffmfw01 [ 1119.354729] Shorewall:OUTPUT:DROP:IN=
OUT=vlan3005 SRC=62.101.100.2 DST=109.5.122.3 LEN=84 TOS=0x00 PREC=0x00
TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=46625 SEQ=1

But if I apply the following changes to the above outlined config, everything
works well for both ping from fw to the internet and ssh from the internet to fw.

Interfaces

vlan3005        vlan3005                62.101.100.3

Hosts

#v3005  vlan3005:62.101.100.0/30

I am running Shorewall 3.4.8.

Since I've managed multiple zones a hundred times, and since it really makes
no sense to me why it works when multiple zones are switched off with exactly
the same policies and rules, I'd appreciate any help on this.


Cheers
Mike

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users