[Firehol-support] Router/gateway running ok with static routes but with FireHol dont work!!! II

Costa Tsaousis costa at tsaousis.gr
Sun Oct 9 11:32:15 CEST 2005


Rèmy Arthur de Abreu Pestana wrote:

>2) In machine gate-8:
>Interfaces
>eth0      Link encap:Ethernet  HWaddr 00:10:5A:CA:3D:53
>          inet addr:BBB.BBB.4.10  Bcast:BBB.BBB.7.255  Mask:255.255.252.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>eth1      Link encap:Ethernet  HWaddr 00:10:5A:CA:C7:2C
>          inet addr:BBB.BBB.8.1   Bcast:BBB.BBB.11.255  Mask:255.255.252.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>BBB.BBB.4.10     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
>BBB.BBB.8.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth1
>BBB.BBB.4.0      BBB.BBB.4.10    255.255.252.0   UG        0 0          0 eth0
>BBB.BBB.4.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
>BBB.BBB.8.0      BBB.BBB.8.1     255.255.252.0   UG        0 0          0 eth1
>BBB.BBB.8.0      0.0.0.0         255.255.252.0   U         0 0          0 eth1
>127.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 lo
>0.0.0.0          BBB.BBB.4.2     0.0.0.0         UG        0 0          0 eth0
>
To my understanding, the above should be:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
BBB.BBB.4.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
BBB.BBB.8.0      0.0.0.0         255.255.252.0   U         0 0          0 eth1
BBB.BBB.12.0     BBB.BBB.4.11    255.255.252.0   UG        0 0          0 eth?
127.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0          BBB.BBB.4.2     0.0.0.0         UG        0 0          0 eth0

>3) In machine gate-12:
>Interfaces
>eth0      Link encap:Ethernet  HWaddr 00:10:5A:CA:3D:58
>          inet addr:BBB.BBB.4.11  Bcast:BBB.BBB.7.255  Mask:255.255.252.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>eth1      Link encap:Ethernet  HWaddr 00:10:5A:CA:C7:E7
>          inet addr:BBB.BBB.12.1   Bcast:BBB.BBB.15.255  Mask:255.255.252.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>BBB.BBB.4.11     0.0.0.0         255.255.255.255 UH        0 0          0 eth1
>BBB.BBB.12.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
>BBB.BBB.4.0      BBB.BBB.4.11    255.255.252.0   UG        0 0          0 eth1
>BBB.BBB.4.0      0.0.0.0         255.255.252.0   U         0 0          0 eth1
>BBB.BBB.12.0     BBB.BBB.12.1    255.255.252.0   UG        0 0          0 eth0
>BBB.BBB.12.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
>127.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 lo
>0.0.0.0          BBB.BBB.4.2     0.0.0.0         UG        0 0          0 eth1
>
To my understanding, the above should be:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
BBB.BBB.4.0      0.0.0.0         255.255.252.0   U         0 0          0 eth1
BBB.BBB.8.0      BBB.BBB.4.10    255.255.252.0   UG        0 0          0 eth?
BBB.BBB.12.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
127.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0          BBB.BBB.4.2     0.0.0.0         UG        0 0          0 eth1

>With the above configuration, the internet is ok on all machines, but
>some connections between machines in my LAN don't work (probably about
>routing when running this config in FireHOL), for example:
>
>1) Any machine in subnet 8 doesn't talk with any machine in subnet 12 or with server-1 in subnet 4.
>2) Client-8-1 with server-1 doesn't work.
>3) Client-8-1 with client-12-1 doesn't work.
>4) Client-12-1 with server-1 doesn't work.
>5) Client-12-1 with client-8-1 doesn't work.
>6) Machines in subnet 4 talk to each other.
>7) Some machines in subnet 4 don't talk with clients in subnet 12 or 8.
>
As I understand it, the only involvement of fw-sr004 in all the problematic 
communication is the ICMP redirects it needs to send in order to make 
everyone aware of the topology. Is that right?
Could you please check if you have ICMP packets dropped in fw-sr004?

>The static routes can coexist with the FireHol?
>
Sure. Why not? The 'router' blocks in firehol do not alter your routing 
table.

>From your previous email, I believe that my topology is not correctly
>defined by the syntax of fireHol.
>
No, I didn't say that. I said that I don't know what your topology is.
Anyway, after viewing the configuration I can only say that normally the 
router 'lan2lan' will never match anything. In your setup, fw-sr004 will 
only send ICMP redirects and refuse to route traffic from eth0 to eth0, 
since all the machines on eth0 are capable of talking to each other. 
Therefore router lan2lan is not needed.

>How to define the suggested dependencies between the diverse gateways on the
>firewall/router machine (fw-sr004), using the syntax of FireHOL? Must some
>special characteristic be enabled in the kernel?
>
>PS) When I turn off FireHOL the routing comes back.
>
When FireHOL drops some traffic, it logs it (not all of it, just some of 
it). Could you please provide a few lines of what gets logged when the 
communication is blocked?

Regards,

Costa
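One way to triage the dropped-packet lines Costa asks for, as an added example that is not part of the thread or of FireHOL itself: it parses netfilter LOG lines (the `IN=... OUT=... SRC=... DST=... PROTO=... TYPE=...` fields written by the kernel, whatever log prefix the firewall adds) and labels each drop as an ICMP redirect, a forward back out the same interface, a normal forward, or local traffic, tagged with the thread's three /22 subnets. The sample log lines are constructed, and the constructed prefix `10.0` stands in for the thread's `BBB.BBB` placeholder.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (not from the thread):
# a dropped redirect from fw-sr004, a hairpin forward on eth0, an inbound
# forward from outside, and a packet addressed to the firewall itself.
SAMPLE_LOG = """\
Oct  9 11:20:01 fw-sr004 kernel: IN= OUT=eth0 SRC=10.0.4.2 DST=10.0.4.50 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=0 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.0.4.10 [SRC=10.0.4.50 DST=10.0.8.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1 ]
Oct  9 11:20:01 fw-sr004 kernel: IN=eth0 OUT=eth0 SRC=10.0.4.50 DST=10.0.8.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Oct  9 11:20:03 fw-sr004 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=10.0.4.50 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  9 11:20:05 fw-sr004 kernel: IN=eth0 OUT= SRC=10.0.8.7 DST=10.0.4.2 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=10 PROTO=UDP SPT=1024 DPT=161 LEN=52
"""

# The thread's three LAN subnets, with the constructed prefix 10.0 in place of BBB.BBB.
LAN_SUBNETS = {
    "subnet-4": ipaddress.ip_network("10.0.4.0/22"),
    "subnet-8": ipaddress.ip_network("10.0.8.0/22"),
    "subnet-12": ipaddress.ip_network("10.0.12.0/22"),
}
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_fields(line):
    """Map KEY=VALUE tokens of one LOG line; the first SRC/DST/TYPE win, so the
    inner header an ICMP error quotes inside [...] does not overwrite them."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields

def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in LAN_SUBNETS.items() if addr in net), "other")

def classify(line):
    """Return (kind, src_subnet, dst_subnet) for one dropped-packet line."""
    f = parse_fields(line)
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "5":
        kind = "icmp-redirect"      # the redirect hosts need to learn gate-8 / gate-12
    elif f.get("IN") and f.get("OUT") and f["IN"] == f["OUT"]:
        kind = "hairpin-forward"    # forwarded back out the interface it came in on
    elif f.get("IN") and f.get("OUT"):
        kind = "forward"
    else:
        kind = "local"              # to or from the firewall itself
    return kind, subnet_of(f["SRC"]), subnet_of(f["DST"])

def summarize(log_text):
    """Count drops per (kind, src_subnet, dst_subnet) over lines with SRC=/DST=."""
    return Counter(classify(l) for l in log_text.splitlines() if "SRC=" in l and "DST=" in l)
```

A count under `icmp-redirect` is the case Costa is asking about: hosts on subnet 4 never learn to send subnet 8/12 traffic to gate-8/gate-12 if the firewall drops its own redirects.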