[vuurmuur 0.8~rc1-1; Kernel 4.5]
Hi,
I use a FritzBox inside the LAN (_not_ as the gateway), and I had some
difficulties with that setup and vuurmuur resp. Linux kernel settings,
leading to only intermittent connectivity for the FritzBox.
Not really a bug in vuurmuur, but something to keep in mind when using
vuurmuur, or to put at the end of /etc/init.d/vuurmuur start section.
1) connections with connmark = 0
When the FritzBox sent DNS requests (to my fw host) before vuurmuur
installed its CONNMARK magic, that connection would end up in
conntrack with mark==0 and never expire, because the FritzBox would
keep retrying. Packets output to a mark==0 connection are dropped by
vuurmuur.
Manual workaround (to be applied just after vuurmuur installs its
rules):
conntrack -D --mark 0    # forget connections that haven't been marked by vuurmuur
Any requests after that are properly marked with mark==1 and allowed
by vuurmuur.
2) arp
The FritzBox has its own IP subnet, but sits on the same ethernet as
the rest of the LAN.
With the Linux default setting of "0" for
/proc/sys/net/ipv4/conf/<device>/arp_announce
my fw host would send arp requests for the FritzBox using its primary
address (not its FritzBox-net-address) as "tell"-address. These
apparently get dropped by the FritzBox (no interface in that subnet)
and connectivity stalls until the FritzBox initiates an arp.
Manual workaround:
echo "2" >/proc/sys/net/ipv4/conf/<device>/arp_announce
# see https://support.cumulusnetworks.com/hc/en-us/articles/203859616-Default-ARP-Settings-in-Cumulus-Linux
This instructs the kernel to always use the best local address in
arp requests, not just any local address.
Regards
Matthias
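The two manual workarounds from the mail above, combined into a post-start hook (an added example, not the poster's or vuurmuur's own code; PROC_ROOT, CONNTRACK_BIN and the interface name are assumptions so the functions can be exercised without root or a live conntrack table):

```shell
#!/bin/sh
# Added example, not from the original post or from vuurmuur: run after
# "vuurmuur start" to flush flows that raced the CONNMARK rules and to fix
# arp_announce on the LAN interface. PROC_ROOT and CONNTRACK_BIN are assumed
# overridable (defaults are the real locations).
PROC_ROOT="${PROC_ROOT:-/proc}"
CONNTRACK_BIN="${CONNTRACK_BIN:-conntrack}"

arp_announce_path() {
    printf '%s/sys/net/ipv4/conf/%s/arp_announce\n' "$PROC_ROOT" "$1"
}

get_arp_announce() { cat "$(arp_announce_path "$1")"; }

# Mode 2 = pick the best local address for the target in ARP requests; the
# FritzBox drops requests whose sender IP lies in a subnet it has no interface in.
set_arp_announce() {
    path=$(arp_announce_path "$1")
    [ -w "$path" ] || return 1      # device absent or not running as root
    printf '%s\n' "$2" > "$path"
}

# Number of conntrack entries that never got vuurmuur's CONNMARK (mark=0).
# Nonzero right after start means a peer (e.g. the FritzBox retrying DNS)
# raced the rule load; vuurmuur keeps dropping those flows until flushed.
count_unmarked() {
    n=$("$CONNTRACK_BIN" -L --mark 0 2>/dev/null | grep -c 'mark=0') || true
    printf '%s\n' "${n:-0}"
}

# Delete those entries so the peer's next retry creates a freshly marked flow.
flush_unmarked() { "$CONNTRACK_BIN" -D --mark 0 >/dev/null 2>&1; }

# DEV is the LAN interface the FritzBox sits on (assumed, e.g. eth0).
apply_workarounds() {
    dev=$1
    before=$(count_unmarked)
    [ "$before" -gt 0 ] && flush_unmarked
    set_arp_announce "$dev" 2 || return 1
    printf 'flushed %s unmarked flow(s); arp_announce(%s)=%s\n' \
        "$before" "$dev" "$(get_arp_announce "$dev")"
}

case "${1:-}" in
    "") ;;                          # no argument: only define the functions
    *) apply_workarounds "$1" ;;
esac
```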
_______________________________________________
Vuurmuur-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users