On 1/23/20 11:38 AM, Tom Eastep wrote:
> On 1/23/20 10:53 AM, Eero Volotinen wrote:
>> https://www.google.fi/amp/s/blog.cloudtrooper.net/2017/09/19/setting-up-31-interfaces-and-bgp-on-a-centos-machine/amp/
>>
>> it should work. follow the guide.
>>
>
> I suspect that there will be anomalies with Shorewall, however, because
> both IP addresses will be broadcast addresses (one the network address
> and the other the network broadcast address).
>
> teastep@Asus:~/shorewall/web$ shorewall ipcalc 68.140.187.76/31
>    CIDR=68.140.187.76/31
>    NETMASK=255.255.255.254
>    NETWORK=68.140.187.76
>    BROADCAST=68.140.187.77
> teastep@Asus:~/shorewall/web$
>
> So, for example, the dropBcast action will drop all traffic to either
> address. That can be fixed, but it will take a change to the Shorewall
> code to special-case /31.
>
> Also, the 'nosmurfs' interface option cannot be used as it will cause
> all packets with the gateway address as the source IP to be dropped.
>

I've taken another look and the above issues should not present major
problems. There will be a minor problem in that multiple rules for
address 255.255.255.255 can be generated, because that is the broadcast
address reported by 'ip -f inet addr show'.

root@gateway:~# ip addr ls dev br2
15: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 92:45:6b:91:0e:91 brd ff:ff:ff:ff:ff:ff
    inet 172.20.4.2/31 brd 255.255.255.255 scope global br2
       valid_lft forever preferred_lft forever
    inet6 fe80::9045:6bff:fe91:e91/64 scope link
       valid_lft forever preferred_lft forever
root@gateway:~#

So please let us know if you encounter any major problem...

Thanks,
-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
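
An added example, not part of the thread and not Shorewall's own code: one way a rule generator could build its broadcast-match list from `ip -f inet addr show` style output, skipping the computed broadcast on /31 links (RFC 3021 treats both addresses as hosts) and collapsing repeated 255.255.255.255 entries into one. The function names and the eth0 sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the br2 lines follow the `ip addr` output quoted in the
# thread; eth0 and its 192.0.2.10/24 address are made up for contrast.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
15: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 172.20.4.2/31 brd 255.255.255.255 scope global br2
"""

LIMITED = ipaddress.IPv4Address("255.255.255.255")
# Matches "inet a.b.c.d/len [brd x]" lines; "inet6" lines do not match.
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+/\d+)(?: brd (\S+))?", re.M)


def classic_broadcast(cidr):
    """Last address of the network, the value ipcalc-style tools print."""
    return ipaddress.ip_interface(cidr).network.broadcast_address


def broadcast_targets(ip_output, rfc3021=True):
    """Return the sorted, de-duplicated addresses to match as broadcast."""
    targets = {LIMITED}  # a set keeps one entry however often it is reported
    for cidr, brd in INET_RE.findall(ip_output):
        net = ipaddress.ip_interface(cidr).network
        if rfc3021 and net.prefixlen >= 31:
            continue  # /31 and /32: every address is a host address
        targets.add(net.broadcast_address)
        if brd:
            targets.add(ipaddress.IPv4Address(brd))
    return sorted(targets)


def dropped_as_broadcast(addr, ip_output, rfc3021=True):
    """True if a broadcast-drop rule built from ip_output would match addr."""
    return ipaddress.IPv4Address(addr) in broadcast_targets(ip_output, rfc3021)


if __name__ == "__main__":
    for mode in (False, True):
        label = "rfc3021" if mode else "classic"
        print(label, [str(a) for a in broadcast_targets(SAMPLE, mode)])
```

With `rfc3021=False` the peer address 172.20.4.3 on the /31 link lands in the drop list, which is the anomaly described in the quoted message; with the special case enabled it does not.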