________________________________
From: Tom Eastep <teas...@shorewall.net>
To: Vieri Di Paola <vieridipa...@yahoo.com>; Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, May 7, 2014 5:57 PM
Subject: Re: [Shorewall-users] cannot ping through shorewall firewall (second example)
On 5/7/2014 6:01 AM, Vieri Di Paola wrote:
>> Hi again,
>>
>> I'd like to add another dump to my report.
>> I'm unable to ping from host in "LAN" zone with IP address 10.215.144.7
>> to host in "CAIB" zone with IP address 10.215.5.95.
>>
> 10.214.5.95 is not in the CAIB zone. It is in the LAN zone. And again,
> why would two hosts on the LAN communicate via the Shorewall box?
Actually, 10.215.5.95 (not 10.214.5.95) is beyond enp2s0f0 (beyond
172.20.11.49), i.e. within what is defined as the "CAIB" zone. 10.215.144.7 is
within the "LAN" zone, so they must communicate via the Shorewall firewall.
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:04:75:9e:17:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.210.1/23 brd 192.168.211.255 scope global enp1s7
valid_lft forever preferred_lft forever
inet 192.168.212.1/24 brd 192.168.212.255 scope global enp1s7
valid_lft forever preferred_lft forever
inet6 fe80::204:75ff:fe9e:178f/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:17:d3:5e:f6 brd ff:ff:ff:ff:ff:ff
inet 172.20.11.62/28 brd 172.20.11.63 scope global enp2s0f0
valid_lft forever preferred_lft forever
inet6 fe80::215:17ff:fed3:5ef6/64 scope link
valid_lft forever preferred_lft forever
4: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:17:d3:5e:f7 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/28 brd 172.16.0.15 scope global enp2s0f1
valid_lft forever preferred_lft forever
inet6 fe80::215:17ff:fed3:5ef7/64 scope link
valid_lft forever preferred_lft forever
5: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:17:31:83:79:7c brd ff:ff:ff:ff:ff:ff
inet 10.215.144.91/16 brd 10.215.255.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet 192.168.144.91/24 brd 192.168.144.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet 10.215.144.6/16 brd 10.215.255.255 scope global secondary enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::217:31ff:fe83:797c/64 scope link
valid_lft forever preferred_lft forever
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.0.2 0.0.0.0 UG 4 0 0 enp2s0f1
10.99.137.21 172.20.11.49 255.255.255.255 UGH 3 0 0 enp2s0f0
10.215.0.0 172.20.11.49 255.255.128.0 UG 3 0 0 enp2s0f0
10.215.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s8
10.215.128.0 172.20.11.49 255.255.240.0 UG 3 0 0 enp2s0f0
10.215.144.90 172.16.0.2 255.255.255.255 UGH 4 0 0 enp2s0f1
10.215.144.92 172.16.0.2 255.255.255.255 UGH 4 0 0 enp2s0f1
10.215.147.61 172.16.0.1 255.255.255.255 UGH 4 0 0 enp2s0f1
10.215.147.62 192.168.210.1 255.255.255.255 UGH 2 0 0 enp1s7
10.215.148.0 172.20.11.49 255.255.252.0 UG 3 0 0 enp2s0f0
10.215.152.0 172.20.11.49 255.255.248.0 UG 3 0 0 enp2s0f0
10.215.160.0 172.20.11.49 255.255.224.0 UG 3 0 0 enp2s0f0
10.215.192.0 172.20.11.49 255.255.224.0 UG 3 0 0 enp2s0f0
10.215.224.0 172.20.11.49 255.255.240.0 UG 3 0 0 enp2s0f0
10.215.240.0 172.20.11.49 255.255.252.0 UG 3 0 0 enp2s0f0
10.215.244.0 172.20.11.49 255.255.254.0 UG 3 0 0 enp2s0f0
10.215.249.0 172.20.11.49 255.255.255.0 UG 3 0 0 enp2s0f0
10.215.250.0 172.20.11.49 255.255.254.0 UG 3 0 0 enp2s0f0
10.215.252.0 172.20.11.49 255.255.252.0 UG 3 0 0 enp2s0f0
85.119.193.3 172.20.11.49 255.255.255.255 UGH 3 0 0 enp2s0f0
85.119.193.4 172.20.11.49 255.255.255.255 UGH 3 0 0 enp2s0f0
85.119.193.16 172.20.11.49 255.255.255.255 UGH 3 0 0 enp2s0f0
85.119.193.36 172.20.11.49 255.255.255.255 UGH 3 0 0 enp2s0f0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
172.16.0.0 0.0.0.0 255.255.255.240 U 0 0 0 enp2s0f1
172.20.11.48 0.0.0.0 255.255.255.240 U 0 0 0 enp2s0f0
192.168.144.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s8
192.168.210.0 0.0.0.0 255.255.254.0 U 0 0 0 enp1s7
192.168.212.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s7
192.168.250.0 10.215.147.115 255.255.255.0 UG 5 0 0 enp0s8
192.168.251.0 10.215.147.115 255.255.255.0 UG 5 0 0 enp0s8
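The disagreement above comes down to which route the kernel picks for each host. The following added script (not part of the original thread or of Shorewall) parses a constructed excerpt of the `route -n` table quoted in the message and applies longest-prefix matching, the same rule the kernel uses; the interface-to-zone mapping (enp2s0f0 = CAIB, enp0s8 = LAN) is taken from the message, other interfaces are left unmapped as an assumption.

```python
import ipaddress

# Constructed excerpt of the "route -n" output quoted above; the two
# overlapping 10.215.0.0 entries are the ones that decide this case.
ROUTE_N_OUTPUT = """\
0.0.0.0 172.16.0.2 0.0.0.0 UG 4 0 0 enp2s0f1
10.215.0.0 172.20.11.49 255.255.128.0 UG 3 0 0 enp2s0f0
10.215.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s8
10.215.128.0 172.20.11.49 255.255.240.0 UG 3 0 0 enp2s0f0
10.215.148.0 172.20.11.49 255.255.252.0 UG 3 0 0 enp2s0f0
172.20.11.48 0.0.0.0 255.255.255.240 U 0 0 0 enp2s0f0
"""

# Interface -> Shorewall zone, as stated in the message (assumption for the rest).
IFACE_ZONE = {"enp2s0f0": "CAIB", "enp0s8": "LAN"}


def parse_routes(text):
    """Turn 'route -n' lines into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip headers / blank lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lower metric breaks ties, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric, iface in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, {"prefix": str(net), "gateway": gw, "iface": iface})
    return best[1] if best else None


ROUTES = parse_routes(ROUTE_N_OUTPUT)


def zone_of(dst):
    """Map a destination to the zone of its egress interface."""
    route = lookup(ROUTES, dst)
    return IFACE_ZONE.get(route["iface"], "unknown") if route else None


if __name__ == "__main__":
    for host in ("10.215.5.95", "10.215.144.7", "10.214.5.95"):
        print(host, lookup(ROUTES, host), zone_of(host))
```

The 10.215.0.0/17 entry via 172.20.11.49 is more specific than the directly connected 10.215.0.0/16, so 10.215.5.95 leaves via enp2s0f0 (CAIB) while 10.215.144.7 stays on enp0s8 (LAN); the mistyped 10.214.5.95 would only hit the default route.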