On 09/24/2018 01:55 PM, Boris wrote: > Am 24.09.2018 um 19:12 schrieb Tom Eastep: >> On 09/05/2018 08:16 AM, Boris wrote: >>> Hej SW-list, >>> >>> This is the first time that I'm writing directly to the SW list. First >>> of all, I want to thank you for this great software! I can hardly >>> believe that I have been using SW for more than 15 years - embedded in >>> the also great environment of LEAF (Linux Embedded Appliance Framework >>> (formerly Firewall)). >>> >>> And now, for the first time, I have a problem that I don't understand >>> and hope for help: >>> My LEAF box (Ver. 6.x with SW 5.1.7.2 on Alix hardware) worked great on >>> a VDSL internet line with 25 Mbps / 5Mbps. I used a FritzBox 7490 as >>> modem (PassThrough). I have a web server and a mail server in a DMZ >>> segment, a few desktop PCs in the LAN segment and a few wireless devices >>> in a WLAN segment. The box also serves as an OpenVPN server. Nothing >>> really extraordinary, I think. >>> >>> A few hours ago I got a new internet line switched with higher >>> bandwidth. Unfortunately, I don't (yet) have any detailed technical >>> specifications for the line other than the bandwidth (100Mbps / 40Mbps). >>> A new FritzBox 7590 serves as modem. During a conversation with the >>> support of the provider the keyword 'VLAN 7' was mentioned. This seems >>> to indicate a BNG connection from Telekom, but I didn't have to set up >>> VLAN tagging. >>> >>> Now to the problem description: With the unchanged SW configuration, >>> REJECTS of TCP packets from and to the zone 'net' occur, which were >>> transported correctly before the switchover! It looks like some packets >>> are passing through sporadically, but I can't secure that and I can't >>> even reproduce it. All other zones work fine with each other, so >>> loc-wlan, wlan-dmz, dmz-loc and so on. In addition, icmp packets are >>> transported over the zone net without any problems. >>> In order to be able to use my environment, I removed all restrictions as >>> a temporary solution, with a global statement in /shorewall/policy: >>> all all ACCEPT >>> This is of course undesirable and I am looking for the cause of the >>> problem. I asked the provider for detailed specifications of the line. >>> Maybe someone has an idea here? I deactivated the global ACCEPT again >>> and made a dump, which is attached. >>> >>> Many thanks and many greetings, >>> >>> >> >> Your internet interface is now eth0, not ppp0. So you need to change >> your configuration. >> >> -Tom >> > > Hej Tom, > > thank you very much for your statement! > > I'm sure you have one or more very good reason to come to this > conclusion. Could you please give a little explanation? > > Finally, I'm afraid you missunderstood my description of the situation. > > ppp is still doing the login and ppp0 is the interface that 'owns' the > public IP: > > # ip addr sh: > > [snip] > 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast > state UNKNOWN group default qlen 1000 > link/ether 00:0d:b9:13:fb:d8 brd ff:ff:ff:ff:ff:ff > [snip] > 13: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc > pfifo_fast state UNKNOWN group default qlen 3 > link/ppp > inet 217.70.192.188 peer 213.178.81.101/32 scope global ppp0 > valid_lft forever preferred_lft forever > > Of course I tried to follow your hint and changed ppp0 into eth0 in > /etc/shorewall/interfaces and /etc/shorewall/snat. Did I miss something > to change? > As result, no client in loc, wlan or dmz could connect to any host in > net. So I switched back.... >
Okay. I looked at the log messages and assumed that eth0 was the net interface since all of the messages: a) Had eth0 as the source interface. b) Were created out of the INPUT or FORWARD chain. This is an indication that eth0 is not defined to Shorewall yet packets are being received on that interface. This is very strange since eth0 doesn't even have an IP address. Given that all of the logged packets are apparently response packets, it would seem that response IP packets are being sent to your firewall from the Fritzbox rather than (or in addition to) being sent via PPPoE. That is why an all->all policy of ACCEPT is allowing your firewall to work. If that analysis is correct, then the problem is not in your Shorewall configuration but in the configuration of PPPoE link. -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
