[Firewall] Configuration Issues

Chris Vavruska vavruska at gmail.com
Tue Sep 3 14:03:36 CEST 2013


When I first installed the script I could not get NAT/MASQ working. It
looked like I had everything configured properly, so I decided to start
debugging the script. I put a few echoes in the code to see if it was getting
to the area where NAT was configured. It turned out that EXT_IF was not set,
but looking at the configuration it was set. I went to the start of the
script, just after the config was read in, and printed out $EXT_IF, and it was
set there; but if I put another printf just after the environment was read
in, it was null. I added another ". $CONFIG_FILE" after the env was read in,
and NAT was then configured and working.

Any Ideas? I have output of the script run with and without the change if
anyone wants to see. Since it appears to be working I am ok with the change
as long as security wise nothing has changed.

Onto my configuration issue.

I have 3 interfaces: 1 (eth0) connected to my provider, which gets its IP
via DHCP, and 2 internal networks (br1 and br2 - 192.168.1.0/24 & 192.168.2.0/24).
Currently br2 is not connected to anything. bind9 and DHCP are running on
the firewall to service the internal network.

I added br1 to TRUSTED_IF, which looks to me as if all traffic should be
accepted to the firewall from anything on the br1 network.

Here are the items I have set in my firewall.conf:
> EXT_IF="eth0"
> INT_IF="br1 br2"
> INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"
> INT_NET_BCAST_ADDRESS="192.168.1.255 192.168.2.255"
> NAT=1
> TRUSTED_IF="br1"
> LAN_OPEN_TCP="22"
> LAN_OPEN_UDP="53"

When I try to connect to the vnc server running on the firewall I get the
following in the log:

Sep  2 19:12:32 shaggy kernel: [32429.690498] AIF:LAN-INPUT denied: IN=br1
OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00
SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26564
DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 19:12:35 shaggy kernel: [32432.679081] AIF:LAN-INPUT denied: IN=br1
OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00
SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26574
DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0

Shouldn't TRUSTED_IF allow this?

I am also seeing the following for a DHCP request.
Sep  2 19:14:40 shaggy kernel: [32557.634624] AIF:LAN-INPUT denied: IN=br1
OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:19:1d:e5:83:d9:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5143 PROTO=UDP
SPT=68 DPT=67 LEN=308

I really like the way the script allows for the easy addition of rules so I
would like to try and figure this one out.

Any help is appreciated!

Thanks,

Chris
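The denied-packet lines quoted above are the main evidence in this mail. Below is an added example, not part of the original post and not code from the firewall script, that summarises such "AIF:... denied:" kernel log lines and cross-checks the denied destination ports against the LAN_OPEN_TCP and LAN_OPEN_UDP values as set in the quoted firewall.conf. The three sample log lines are constructed from the format in the mail (re-joined onto one line each, as the kernel writes them); the function names and the output layout are my own. It makes no assumption about how the script treats TRUSTED_IF, which is the question actually asked on the list.

```shell
#!/bin/sh
# Added example, not from the mail or from the firewall script.
# Summarise "AIF:<chain> denied:" kernel log lines and flag denied
# destination ports that the LAN_OPEN_TCP / LAN_OPEN_UDP lists do not cover.

# Values as quoted from the poster's firewall.conf.
LAN_OPEN_TCP="22"
LAN_OPEN_UDP="53"

# Constructed sample input: the three denials from the mail, one per line.
SAMPLE_LOG='Sep  2 19:12:32 shaggy kernel: [32429.690498] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26564 DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 19:12:35 shaggy kernel: [32432.679081] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26574 DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 19:14:40 shaggy kernel: [32557.634624] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:19:1d:e5:83:d9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5143 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Read kernel log lines on stdin; print "COUNT CHAIN IFACE SRC PROTO DPORT"
# for each distinct denied flow. Fields are found by their KEY= prefix, so
# the position of the MAC token or a repeated LEN= does not matter.
aif_denied_summary() {
    awk '
    /AIF:[A-Za-z0-9_-]+ denied:/ {
        chain = ""; iface = ""; src = ""; proto = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^AIF:/)   { chain = substr($i, 5) }
            else if ($i ~ /^IN=/)    { iface = substr($i, 4) }
            else if ($i ~ /^SRC=/)   { src   = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)   { dport = substr($i, 5) }
        }
        count[chain " " iface " " src " " proto " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Return 0 if port $1 is in the space-separated list $2 (the firewall.conf
# list syntax, e.g. LAN_OPEN_TCP="22 80"), otherwise 1.
port_in_list() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read kernel log lines on stdin; print each denied destination port that the
# LAN_OPEN_TCP / LAN_OPEN_UDP lists above do not open, with hit count and source.
unlisted_denied_ports() {
    aif_denied_summary | while read -r count chain iface src proto dport; do
        case "$proto" in
            TCP) list=$LAN_OPEN_TCP ;;
            UDP) list=$LAN_OPEN_UDP ;;
            *)   list="" ;;
        esac
        port_in_list "$dport" "$list" ||
            printf '%s %s (%s hits from %s on %s, chain %s)\n' \
                "$proto" "$dport" "$count" "$src" "$iface" "$chain"
    done
}

# Stand-alone run: full summary, then the ports the config does not open.
printf '%s\n' "$SAMPLE_LOG" | aif_denied_summary
printf '%s\n' "$SAMPLE_LOG" | unlisted_denied_ports
```

Run it against the real log with `grep 'AIF:' /var/log/kern.log | unlisted_denied_ports` after sourcing the file; on the sample above it reports TCP 5900 (two hits from 192.168.1.3) and UDP 67 (one hit from 0.0.0.0), neither of which appears in the quoted LAN_OPEN_* lists.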