Hi all,

I have a bridged firewall and am unable to ssh from the privileged part
into the unprivileged part.

I am trying to configure shorewall on a device (nano) that bridges 2 parts
of my local network - 'ofen' and 'tech'. turris is my router to the
internet. Shorewall is running on 'nano'.
nano has a bridge br0 between eth0 (connected to the switch connecting to
turris and all other devices on 'ofen') and wlan0 (hostapd running,
offering the 'tech' network)

tech <-> nano <-> ofen <-> turris <-> inet

Clients that connect to 'tech' are using the DNS and DHCP from the 'ofen'
network. Both networks use the same subnet. I added rules allowing DNS and
DHCP in /etc/shorewall/rules - this works. In general connections
originating from tech targeting ofen should be dropped. Connections from
ofen to tech should be accepted. Background is that in tech I put some
devices that I do not want to let phone home, e.g. IP cam that I still want
to access from my computer. The policy file is quite simple:

ofen    all    ACCEPT    debug
all     fw     ACCEPT
fw      all    ACCEPT
all     all    REJECT    debug

nano is running armbian (based on Ubuntu Bionic) with shorewall 5.1.12.2
and a 4.4 kernel for rk3399 chipset.

When trying to ssh from a member of ofen (192.168.1.239) to a member of
tech (192.168.1.247) I get the following in the logfile:
Dec 22 22:50:36 localhost kernel: [ 6426.160957] ofen-tech ACCEPT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=wlan0 MAC=b8:27:eb:25:63:bd:d4:3d:7e:f6:78:26:08:00:45:00:00:3c:7d:d7:40:00:40:06:37:ae:c0:a8:01:ef:c0:a8:01:f7:91:28:00:16:83:65:82:7d:00:00:00:00:a0:02:fa:f0:c8:da:00:00:02:04:05:b4:04:02:08:0a:9c:ed:ca:ee SRC=192.168.1.239 DST=192.168.1.247 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32215 DF PROTO=TCP SPT=37160 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 22 22:50:36 localhost kernel: [ 6426.173197] tech-ofen REJECT IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 MAC=d4:3d:7e:f6:78:26:b8:27:eb:25:63:bd:08:00 SRC=192.168.1.247 DST=192.168.1.239 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=37160 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Dec 22 22:50:38 localhost kernel: [ 6428.176904] ofen-tech ACCEPT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=wlan0 MAC=b8:27:eb:25:63:bd:d4:3d:7e:f6:78:26:08:00:45:00:00:3c:7d:d8:40:00:40:06:37:ad:c0:a8:01:ef:c0:a8:01:f7:91:28:00:16:83:65:82:7d:00:00:00:00:a0:02:fa:f0:c0:fa:00:00:02:04:05:b4:04:02:08:0a:9c:ed:d2:ce SRC=192.168.1.239 DST=192.168.1.247 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32216 DF PROTO=TCP SPT=37160 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 22 22:50:38 localhost kernel: [ 6428.191862] tech-ofen REJECT IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 MAC=d4:3d:7e:f6:78:26:b8:27:eb:25:63:bd:08:00 SRC=192.168.1.247 DST=192.168.1.239 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=37160 WINDOW=28960 RES=0x00 ACK SYN URGP=0

Similar things happen if I put up an apache2 on a member of 'tech' and try
to access it from 'ofen'. It was my understanding that with the above
policy bidirectional connections can be established, if they are initiated
by a member of subzone ofen. But it seems I am either missing a piece of
the puzzle or having a major misunderstanding in how networking works.

Regards & Happy Holidays

Markus

Attachment: shorewall_dump.tar.bz2
Description: application/bzip

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
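Added example, not part of Markus's post or of Shorewall itself: a small Python checker that parses netfilter log lines in the format quoted above and reports every REJECT/DROP entry whose 5-tuple is the mirror image of an earlier accepted SYN, i.e. return traffic for a connection the firewall already let through. The four log lines embedded as SAMPLE_LOG are the ones from the post, rejoined onto single lines; the function and field names (parse_log_line, find_rejected_replies, flow_key) are this example's own. Run over those lines it confirms that both tech-ofen rejections are the SYN/ACK replies to the accepted ofen-tech SYNs, which is the relationship to establish before looking into why the stateful match is not covering the reply direction on the bridge.

```python
import re

# Constructed sample: the four kernel log lines quoted in the post, one entry per line.
SAMPLE_LOG = [
    "Dec 22 22:50:36 localhost kernel: [ 6426.160957] ofen-tech ACCEPT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=wlan0 "
    "MAC=b8:27:eb:25:63:bd:d4:3d:7e:f6:78:26:08:00 SRC=192.168.1.239 DST=192.168.1.247 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=32215 DF PROTO=TCP SPT=37160 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Dec 22 22:50:36 localhost kernel: [ 6426.173197] tech-ofen REJECT IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 "
    "MAC=d4:3d:7e:f6:78:26:b8:27:eb:25:63:bd:08:00 SRC=192.168.1.247 DST=192.168.1.239 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=37160 WINDOW=28960 RES=0x00 ACK SYN URGP=0",
    "Dec 22 22:50:38 localhost kernel: [ 6428.176904] ofen-tech ACCEPT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=wlan0 "
    "MAC=b8:27:eb:25:63:bd:d4:3d:7e:f6:78:26:08:00 SRC=192.168.1.239 DST=192.168.1.247 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=32216 DF PROTO=TCP SPT=37160 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Dec 22 22:50:38 localhost kernel: [ 6428.191862] tech-ofen REJECT IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 "
    "MAC=d4:3d:7e:f6:78:26:b8:27:eb:25:63:bd:08:00 SRC=192.168.1.247 DST=192.168.1.239 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=37160 WINDOW=28960 RES=0x00 ACK SYN URGP=0",
]

# Shorewall prefixes each netfilter log entry with "<chain> <disposition>", followed by
# KEY=VALUE fields and bare flag tokens (DF, SYN, ACK, ...).
_LINE_RE = re.compile(
    r"kernel: \[\s*(?P<uptime>[\d.]+)\]\s+(?P<chain>\S+)\s+"
    r"(?P<disposition>ACCEPT|REJECT|DROP)\s+(?P<rest>.*)$"
)


def parse_log_line(line):
    """Parse one netfilter log line into a dict; return None for lines that do not match."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    rec = {
        "uptime": float(m.group("uptime")),
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "flags": set(),
    }
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec[key] = value
        else:
            rec["flags"].add(token)  # bare tokens are TCP/IP flags such as DF, SYN, ACK
    return rec


def flow_key(rec):
    """5-tuple identifying the flow as seen in this packet's direction."""
    return (rec["PROTO"], rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"))


def reverse_key(rec):
    """5-tuple of the opposite direction, i.e. what a reply to this packet looks like."""
    return (rec["PROTO"], rec["DST"], rec.get("DPT"), rec["SRC"], rec.get("SPT"))


def find_rejected_replies(lines):
    """Return REJECT/DROP entries whose 5-tuple mirrors an earlier accepted connection-opening SYN.

    Such entries mean the firewall let the initial packet through but treated the
    answer as a new, unrelated connection instead of part of an established one.
    """
    accepted_syn = {}  # flow_key -> record of the accepted SYN that opened the flow
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        syn_only = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
        if rec["disposition"] == "ACCEPT" and syn_only:
            accepted_syn[flow_key(rec)] = rec
        elif rec["disposition"] in ("REJECT", "DROP"):
            origin = accepted_syn.get(reverse_key(rec))
            if origin is not None:
                findings.append({
                    "reply_chain": rec["chain"],
                    "origin_chain": origin["chain"],
                    "src": rec["SRC"], "spt": rec.get("SPT"),
                    "dst": rec["DST"], "dpt": rec.get("DPT"),
                    "flags": sorted(rec["flags"]),
                    "uptime": rec["uptime"],
                })
    return findings


if __name__ == "__main__":
    for f in find_rejected_replies(SAMPLE_LOG):
        print(f"{f['reply_chain']}: reply {f['src']}:{f['spt']} -> {f['dst']}:{f['dpt']} "
              f"{' '.join(f['flags'])} rejected, but the opening SYN was accepted in {f['origin_chain']}")
```

The checker deliberately only pairs a reject with an accepted SYN that has no ACK set, so ordinary mid-connection packets are not misreported; on a real log you would feed it the output of the logging disposition Shorewall already writes, with no extra rules needed.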
