[Firehol-support] Router/gateway running ok with static routes but with FireHol doesn't work!!!
Rèmy Arthur de Abreu Pestana
remy at cepel.br
Sun Aug 21 19:55:48 BST 2005
Hi,
Sorry about the delay in responding to your email.
I'm a newbie in the philosophy proposed by FireHol.
This is my simplified topology:
                                 Internet
                                     |
                                     | XXX.XXX.20.98 (IP by my Provider with Routing my B Class IPs)
                             +-------+-------+
                             |     Cisco     |
                             |External Router|
                             | BBB.BBB.252.1 |
                             +-------+-------+
                                     |
                                     |
                                     | BBB.BBB.252.0/30
                                     |
                                     |eth1
                             +-------+-------+
                             | BBB.BBB.252.2 |
                          ---|   fw-sr004    |--- (Firewall/Router with FireHol)
                             | BBB.BBB.4.2   |
                             +-------+-------+
                                     |eth0
                                     |
                                     | BBB.BBB.4.0/22 (Backbone)
                                     |
        +------------------+---------+--------+------------------+
        |       ...        |                  |       ...        |
        |                  |                  |                  |
+-------+-------+  +-------+-------+  +-------+-------+  +-------+-------+
| BBB.BBB.4.110 |  | BBB.BBB.4.111 |  | BBB.BBB.4.10  |  | BBB.BBB.4.11  |
|   server-1    |  |   Server-2    |  |    Gate-8     |  |    Gate-12    |
|    Windows    |  |     Linux     |  |  BBB.BBB.8.1  |  | BBB.BBB.12.1  |
+---------------+  +---------------+  +-------+-------+  +-------+-------+
                                              |                  |
                 +----------------------------+                  |
                 |                                    +----------+
                 | BBB.BBB.8.0/22                      | BBB.BBB.12.0/22
+-------+--------+---------+-------+  +-------+--------+---------+-------+
        |       ...        |                  |       ...        |
+-------+-------+  +-------+-------+  +-------+-------+  +-------+-------+
| BBB.BBB.8.10  |  | BBB.BBB.8.n   |  | BBB.BBB.12.10 |  | BBB.BBB.12.n  |
|   user-08-1   |  |   user-08-n   |  |   user-12-1   |  |   user-12-n   |
|               |  |               |  |               |  |               |
+---------------+  +---------------+  +---------------+  +---------------+
The machine where I installed FireHol (fw-sr004) is a Pentium IV 3.0GHz
running Fedora Core 3. The following static routes were made so that this
machine works as the old gateway/router (this machine took the place of an
old, bad, obsolete CISCO router) in that topology:
1) In machine fw-sr004:
Interfaces
eth0 Link encap:Ethernet HWaddr 00:11:43:D7:34:53
inet addr:BBB.BBB.4.2 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:11:43:D7:34:54
inet addr:BBB.BBB.252.2 Bcast:BBB.BBB.252.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
BBB.BBB.8.0 BBB.BBB.4.10 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.12.0 BBB.BBB.4.11 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
0.0.0.0 BBB.BBB.252.1 0.0.0.0 UG 0 0 0 eth1
2) In machine gate-8:
Interfaces
eth0 Link encap:Ethernet HWaddr 00:10:5A:CA:3D:53
inet addr:BBB.BBB.4.10 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:10:5A:CA:C7:2C
inet addr:BBB.BBB.8.1 Bcast:BBB.BBB.11.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
BBB.BBB.4.10 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
BBB.BBB.8.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
BBB.BBB.4.0 BBB.BBB.4.10 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
BBB.BBB.8.0 BBB.BBB.8.1 255.255.252.0 UG 0 0 0 eth1
BBB.BBB.8.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 BBB.BBB.4.2 0.0.0.0 UG 0 0 0 eth0
3) In machine gate-12:
Interfaces
eth0 Link encap:Ethernet HWaddr 00:10:5A:CA:3D:58
inet addr:BBB.BBB.4.11 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:10:5A:CA:C7:E7
inet addr:BBB.BBB.12.1 Bcast:BBB.BBB.15.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
BBB.BBB.4.11 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
BBB.BBB.12.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
BBB.BBB.4.0 BBB.BBB.4.11 255.255.252.0 UG 0 0 0 eth1
BBB.BBB.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
BBB.BBB.12.0 BBB.BBB.12.1 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.12.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 BBB.BBB.4.2 0.0.0.0 UG 0 0 0 eth1
4) In machine server-1:
Interfaces
eth0 Link encap:Ethernet HWaddr 00:C0:F0:17:DF:DD
inet addr:BBB.BBB.4.111 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:0 Link encap:Ethernet HWaddr 00:C0:F0:17:DF:DD
inet addr:BBB.BBB.4.112 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
BBB.BBB.8.0 BBB.BBB.4.10 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.12.0 BBB.BBB.4.11 255.255.252.0 UG 0 0 0 eth0
BBB.BBB.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 BBB.BBB.4.2 0.0.0.0 UG 0 0 0 eth0
5) In machine server-2 ... server-n (no static routing in these old machines):
eth0 Link encap:Ethernet HWaddr 00:C0:F0:xx:xx:xx
inet addr:BBB.BBB.4.110 Bcast:BBB.BBB.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
BBB.BBB.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 BBB.BBB.4.2 0.0.0.0 UG 0 0 0 eth0
6) In client machines:
Using the default routing set when installing Windows or Linux on these machines.
Before installing the FireHol firewall, all clients/servers (Windows/Linux) in
any of the gateways' subnets could talk to each other in any of the subnets.
After installing and starting FireHol with the following configuration:
#!/etc/init.d/firehol
lan_ip="BBB.BBB.4.2"
lan_interface="eth0"
wan_ip="BBB.BBB.252.2"
wan_interface="eth1"
my_valid_nets="BBB.BBB.4.0/22 BBB.BBB.8.0/22 BBB.BBB.12.0/22"
my_nets="BBB.BBB.0.0/16"
my_internal_proxy_with_port_redirect_servers="BBB.BBB.4.2"
# Important subnets...
internal_nets_admin="BBB.BBB.4.0/24"
internal_ips_admin="BBB.BBB.76.20 BBB.BBB.76.150 BBB.BBB.76.154"
my_external_routers="BBB.BBB.252.1"
my_old_all_services_server="BBB.BBB.4.111"
# Note: this second assignment replaces the internal_ips_admin value set
# above, so only BBB.BBB.8.12 reaches the "ssh webmin" rule below.
internal_ips_admin="BBB.BBB.8.12"
server_my_rip_ports="udp/520"
client_my_rip_ports="default 520"
server_my_torrent_ports="tcp/6881:6889"
client_my_torrent_ports="6881:6889" #test
TRANSPARENT_SQUID_CLIENTS="${my_nets}"
SQUID_WEB_PORTS="80 443 21"
SQUID_PORT="3128"
SQUID_USERS="squid"
SQUID_EXCLUDE=""
if [ ! -z "${TRANSPARENT_SQUID_CLIENTS}" ] ; then
    transparent_proxy "${SQUID_WEB_PORTS}" ${SQUID_PORT} "${SQUID_USERS}" \
        inface ${lan_interface} src "${TRANSPARENT_SQUID_CLIENTS}" \
        $(test ! -z "${SQUID_EXCLUDE}" && echo "dst not ${SQUID_EXCLUDE}")
fi

# Traffic to/from the firewall itself on the backbone side
interface ${lan_interface} MY-BB src "${my_nets}" dst "${lan_ip}/32"
    policy reject
    #protection strong
    server ICMP accept
    server "http https" accept
    server squid accept
    server "ssh webmin" accept src "${internal_ips_admin}"
    client ICMP accept
    client "dns smtp ntp syslog tftp" accept dst "${my_old_all_services_server}"
    client "http https ftp" accept
    client ssh accept
    client squid accept

# Traffic to/from the firewall itself on the Internet side
interface ${wan_interface} internet src not "${my_nets} ${UNROUTABLE_IPS}" dst ${wan_ip}/32
    policy drop
    server ICMP accept
    client ICMP accept
    client "http https ftp" accept

# Forwarded traffic that enters and leaves on the backbone interface
# (subnet-to-subnet via the static routes)
router lan2lan
    server all accept log "teste-server-lanlan" inface eth0 outface eth0
    client all accept log "teste-client-lanlan" inface eth0 outface eth0

# Forwarded traffic between the Internet and the internal nets
router int2lan inface eth1 outface eth0 src not "${UNROUTABLE_IPS}" dst "${my_nets}"
    #protection strong
    server "ping timestamp dns http https ftp pop3 smtp smtps" accept dst "${my_old_all_services_server}"
    server "tftp ntp" accept dst "${my_old_all_services_server}" src "${my_external_routers}"
    client ICMP accept src "${my_old_all_services_server}"
    client "dns ntp smtp smtps" accept src "${my_old_all_services_server}"
    client "http https ftp ssh" accept src "${my_nets}"
    #client my_torrent accept src "${my_nets}"
    #client p2p accept src "${my_nets}"
    client "icmp" accept src "${my_nets}" dst "${my_external_routers}"
    client "snmp telnet ssh" accept src "${my_nets}" dst "${my_external_routers}"
With the above configuration, the Internet is OK on all machines, but
some connections between machines in my LAN don't work (probably something
about routing when running this config in FireHOL), for example:
1) Any machine in subnet 8 doesn't talk with any machine in subnet 12 or with server-1 in subnet 4.
2) Client-8-1 with server-1 doesn't work.
3) Client-8-1 with client-12-1 doesn't work.
4) Client-12-1 with server-1 doesn't work.
5) Client-12-1 with client-8-1 doesn't work.
6) Machines in subnet 4 talk to each other.
7) Some machines in subnet 4 don't talk with clients in subnet 12 or 8.
Can the static routes coexist with FireHol?
From your previous email, I believe that my topology is not correctly
defined in the syntax of FireHol.
How do I define the suggested dependencies between the diverse gateways on the
firewall/router machine (fw-sr004), using the syntax of FireHol? Must some
special characteristic be enabled in the kernel?
PS) When I turn off FireHol, the routing comes back.
PS) I have a problem: I can't put RIP on some old machines in my topology.
PS) To test connections, I use ping and some services on servers/clients.
PS) I'm running the squid proxy on machine fw-sr004.
PS) My IP range is BBB.BBB/16 and these are valid B class IPs, routed by my
provider.
Any suggestions or ideas?
Thanks!!!
On Tue 09 Aug 2005 19:50, Costa Tsaousis wrote:
> Hi,
>
> Your question is very generic.
>
> Have you defined the relative routers in firehol.conf?
> Do you have logs of such packets being dropped?
> etc...
>
> Regards,
>
> Costa
>
> On Mon, August 8, 2005 1:24, Rèmy Arthur de Abreu Pestana said:
> > Hi,
> >
> > I have a Linux Fedora 3 router/gateway running OK with static routes to
> > my 4 local nets. When running FireHol, the firewall works but the routing
> > to the nets defined in the static routes doesn't work when users access
> > machines from the subnets to subnets or from subnets to the backbone on
> > eth0 (local interface of the FireHol/gateway machine).
> >
> > Any idea, suggestion?
> >
> > PS) The IPs on local subnets and my backbone are valid Internet IPs of my
> > range of valid Internet IPs (XXX.YYY.0.0/16).
> >
> > Thanks!!!
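Costa's question ("have you defined the relative routers?") comes down to knowing, for each flow that fails, whether the packet crosses fw-sr004 at all and on which input/output interface pair it does so, because that pair is what a FireHOL `router` block has to match. The script below is an added example written for this thread; it is not FireHOL code and not something the poster ran. It replays the routing tables posted above with a longest-prefix-match lookup and traces a packet hop by hop. The masked prefix BBB.BBB is replaced by the constructed value 10.200 so the addresses parse; host addresses follow the ifconfig sections 4) and 5) (server-1 = .4.111, server-2 = .4.110), client addresses .8.10 and .12.10 come from the diagram, and for gate-12 the interface names follow its routing table (the posted ifconfig names them the other way round).

```python
"""Hop-by-hop route tracing over the routing tables posted in this thread.
Added example (not FireHOL code): for a flow, report whether fw-sr004
forwards it and on which (inface, outface) pair, i.e. which `router`
definition must cover it."""
import ipaddress

PREFIX = "10.200"  # constructed stand-in for the poster's masked "BBB.BBB"


def ip(s):
    return ipaddress.ip_address(s.replace("BBB.BBB", PREFIX))


def net(s):
    return ipaddress.ip_network(s.replace("BBB.BBB", PREFIX), strict=False)


# Routing tables transcribed from the post: (destination, gateway, iface).
# gateway None means the destination network is directly connected.
TABLES = {
    "fw-sr004": [("BBB.BBB.8.0/22", "BBB.BBB.4.10", "eth0"),
                 ("BBB.BBB.12.0/22", "BBB.BBB.4.11", "eth0"),
                 ("BBB.BBB.4.0/22", None, "eth0"),
                 ("0.0.0.0/0", "BBB.BBB.252.1", "eth1")],
    "gate-8":   [("BBB.BBB.4.0/22", None, "eth0"),
                 ("BBB.BBB.8.0/22", None, "eth1"),
                 ("0.0.0.0/0", "BBB.BBB.4.2", "eth0")],
    "gate-12":  [("BBB.BBB.4.0/22", None, "eth1"),   # iface names as in its route table
                 ("BBB.BBB.12.0/22", None, "eth0"),
                 ("0.0.0.0/0", "BBB.BBB.4.2", "eth1")],
    "server-1": [("BBB.BBB.8.0/22", "BBB.BBB.4.10", "eth0"),
                 ("BBB.BBB.12.0/22", "BBB.BBB.4.11", "eth0"),
                 ("BBB.BBB.4.0/22", None, "eth0"),
                 ("0.0.0.0/0", "BBB.BBB.4.2", "eth0")],
    "server-2": [("BBB.BBB.4.0/22", None, "eth0"),    # no static routes
                 ("0.0.0.0/0", "BBB.BBB.4.2", "eth0")],
    "user-08-1": [("BBB.BBB.8.0/22", None, "eth0"),
                  ("0.0.0.0/0", "BBB.BBB.8.1", "eth0")],
    "user-12-1": [("BBB.BBB.12.0/22", None, "eth0"),
                  ("0.0.0.0/0", "BBB.BBB.12.1", "eth0")],
}

# Which host owns which address, and the interface it sits on.
ADDRS = {
    "fw-sr004": {"BBB.BBB.4.2": "eth0", "BBB.BBB.252.2": "eth1"},
    "gate-8": {"BBB.BBB.4.10": "eth0", "BBB.BBB.8.1": "eth1"},
    "gate-12": {"BBB.BBB.4.11": "eth1", "BBB.BBB.12.1": "eth0"},
    "server-1": {"BBB.BBB.4.111": "eth0"},
    "server-2": {"BBB.BBB.4.110": "eth0"},
    "user-08-1": {"BBB.BBB.8.10": "eth0"},   # client addresses taken from the diagram
    "user-12-1": {"BBB.BBB.12.10": "eth0"},
}


def owner(addr):
    """Return (host, iface) holding addr, or (None, None) if it is off-map."""
    for host, addrs in ADDRS.items():
        for a, iface in addrs.items():
            if ip(a) == addr:
                return host, iface
    return None, None


def lookup(host, dst):
    """Longest-prefix match in host's table; returns (next_hop, outface)."""
    best = None
    for d, gw, iface in TABLES[host]:
        n = net(d)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        raise LookupError(f"{host}: no route to {dst}")
    _, gw, iface = best
    return (dst if gw is None else ip(gw)), iface


def trace(src_host, dst):
    """Follow a packet from src_host to dst. Returns [(host, inface, outface)];
    inface is None on the sender, outface is None on the final receiver."""
    dst = ip(dst)
    path, host, inface = [], src_host, None
    for _ in range(16):                      # bound against routing loops
        if owner(dst)[0] == host:            # delivered locally
            path.append((host, inface, None))
            return path
        next_hop, outface = lookup(host, dst)
        path.append((host, inface, outface))
        host, inface = owner(next_hop)
        if host is None:                     # left the modelled network
            path.append((str(next_hop), "?", None))
            return path
    raise RuntimeError("routing loop")


def firewall_view(path, fw="fw-sr004"):
    """The (inface, outface) pair on which fw forwards this flow, or None
    when the flow never passes through fw's FORWARD chain at all."""
    for host, i, o in path:
        if host == fw and i is not None and o is not None:
            return (i, o)
    return None


if __name__ == "__main__":
    flows = [("user-08-1", "BBB.BBB.12.10"), ("user-12-1", "BBB.BBB.8.10"),
             ("user-08-1", "BBB.BBB.4.111"), ("server-2", "BBB.BBB.8.10"),
             ("user-08-1", "BBB.BBB.4.110"), ("user-12-1", "198.51.100.1")]
    for src, dst in flows:
        p = trace(src, dst)
        print(f"{src} -> {dst}: {' > '.join(h for h, _, _ in p)}; fw sees {firewall_view(p)}")
```

Run it and trace each failing pair in both directions. With the tables as posted, subnet 8 to subnet 12 traffic crosses fw-sr004 with inface eth0 and outface eth0 in both directions, so it is the `lan2lan` router that must accept it, while subnet 8 to server-1 traffic (and its replies) goes gate-8 to server-1 over the backbone and never reaches the firewall. Hosts without static routes such as server-2 are the asymmetric case: their packets to subnet 8 go through fw-sr004 (eth0 to eth0), but the replies from subnet 8 reach them via gate-8 directly, so a stateful firewall on fw-sr004 only ever sees one direction of that connection.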