Question:
What is routing the request sent from any client in 192.168.178.0/24 to the target client in 10.0.0.0/24?
I mean even the gateway 10.0.0.1 is unknown.
Sent: Tuesday, 12 April 2016 at 23:35
From: "Tom Eastep" <teas...@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Configuration - appropriate configuration with 2 default gateways
On 04/11/2016 05:10 AM, c.mo...@web.de wrote:
> Hi,
>
> in the meantime I have internet access with DNS resolution from loc
> 10.0.0.0/24 and dmz 10.1.0.0/24.
>
> However, I cannot access any client in loc from other clients in
> 192.168.178.0/24.
> I only have access to loc and dmz from the server.
>
> What is needed to get access to loc from other clients in 192.168.178.0/24?
>
> Between the router (Fritz!Box) and the server I have a managed
> switch: LCS-GS8208-A
> Do I need to configure a VLAN?
No -- you need to add a policy or add rules. See
http://www.shorewall.org/Introduction.html.
-Tom
>
>
> Regards,
> Thomas
>
> *Sent:* Sunday, 3 April 2016 at 17:27
> *From:* "Tom Eastep" <teas...@shorewall.net>
> *To:* shorewall-users@lists.sourceforge.net
> *Subject:* Re: [Shorewall-users] Configuration - appropriate
> configuration with 2 default gateways
> On 04/03/2016 01:58 AM, Thomas Schneider wrote:
>> OK.
>>
>> In the guide "Configuration Files Tips and Hints" you advise against
>> usage of DNS Names.
>> I have resolved the DNS names and I understand this article to highlight
>> the risk if the provider changes things on their hand.
>> However, I don't know how to mitigate this risk with a restrictive
>> rule-set in dmz that should only allow access to the update servers.
>>
>> I have now modified masq config file accordingly:
>> root@pc4-svp:/etc/shorewall# cat masq
>> #INTERFACE SOURCE ADDRESS
>> UMB_IF 10.0.0.0/24 217.8.50.86
>> UMB_IF 10.1.0.0/24 217.8.50.86
>>
>> However, I believe I should then correct interfaces config file and set
>> proxyarp=0 for zone dmz.
>> Would you recommend setting the same options for zone dmz as configured
>> for zone loc (adjusting nets=10.1.0.0/24)?
>> root@pc4-svp:/etc/shorewall# cat interfaces
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net UMB_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
>> net UMP_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
>> loc INT_IF - dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
>> vpn TUN_IF+ - physical=tun+,ignore=1
>> dmz DMZ_IF - routeback,proxyarp=1,required,wait=30
>>
>> After shorewall reset I have started apt update on a different client in
>> loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) and collected the attached
>> dump.
>>
> The dump still shows no DNS rules loc->net and dmz->net.
>
>> By the way:
>> When creating dump file, I get this output indicating an issue with file
>> /proc/net/nf_conntrack:
>> root@pc4-svp:/home/thomas# shorewall dump > shorewall_dump.txt
>> grep: /proc/net/nf_conntrack: Datei oder Verzeichnis nicht gefunden
>> This file exists neither on my Debian 8 server nor on my Debian Sid
>> notebook.
>>
>
> Install the conntrack package.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
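What Tom's "add a policy or add rules" would look like in practice, as an added example that is not from the thread, from Tom, or from the Shorewall project. It assumes the layout implied by the messages: the Fritz!Box LAN 192.168.178.0/24 is reached through one of the two net-zone interfaces (UMB_IF or UMP_IF in the interfaces file above), loc is 10.0.0.0/24 on INT_IF, and the policy file already carries the three standard lines from the Shorewall Introduction. The port list and the interface restriction are illustrative choices, not values from the thread.

```text
# /etc/shorewall/policy  (constructed excerpt)
# Leave the net->all DROP in place: the LAN hosts get in through a
# rule, not through opening the whole net zone to loc.
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (constructed excerpt)
# Admit only the Fritz!Box LAN into loc, and only the services that
# are actually needed there (ports are an example, adjust to need).
#ACTION   SOURCE                          DEST   PROTO   DPORT
ACCEPT    net:192.168.178.0/24            loc    tcp     22,80,443

# Tighter variant (assumption: the LAN hangs off UMB_IF only):
# naming the logical interface means a packet with a spoofed
# 192.168.178.x source arriving on UMP_IF does not match.
#ACCEPT   net:UMB_IF:192.168.178.0/24     loc    tcp     22,80,443
```

Run `shorewall check` before `shorewall restart`; afterwards `shorewall dump` (already used in the thread) lists the ACCEPT entry in the generated net-to-loc chain. The rule only filters: it does not answer the question at the top of the thread about what routes the packets. A client in 192.168.178.0/24 sends traffic for 10.0.0.0/24 to its default gateway, the Fritz!Box, which knows nothing about 10.0.0.0/24, so the Fritz!Box (or every LAN client) additionally needs a static route for 10.0.0.0/24 whose next hop is the server's own address on the 192.168.178.0/24 segment; without that route the packets never reach Shorewall at all. The interface-qualified form of the SOURCE column matters here because both net interfaces in the interfaces file carry `routefilter=0`, so the kernel's reverse-path check will not discard Internet packets that claim a 192.168.178.x source; the address match in the rule is then the only thing telling LAN hosts apart from the outside.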