[Firehol-support] Oddly unmatched in-out routing
Daniel Pittman
daniel at rimspace.net
Sat Nov 4 02:12:34 GMT 2006
G'day. I manage a network using Firehol at the gateway for firewalling.
Behind this gateway sit five different /26 through /28 network segments,
for historical reasons, all of which are routed.
A small number of the machines on the internal network need to talk
between the subnets, and a few of them are also crippled appliance-type
devices where I can't add appropriate static routes.[1]
Anyway, the gateway can happily route traffic between the relevant
machines, and I wanted to allow that with Firehol, so I added this rule:
router int inface eth0 outface eth0
    route all accept
eth0 is, of course, the interface behind which all those segments live.
I put this in as the first router entry and, just to wave dead chickens,
also tried it as the last entry with exactly the same behaviour.
This, I thought, would be sufficient to permit the traffic to flow
through. It wasn't though -- I got no traffic, and log reports in:
PASS-unknown: ...
So, apparently the router statement in question was not matching the
traffic.
Have I missed something obvious? I don't think so, you see, because
adding this to the Firehol configuration as the last line worked:
iptables -I FORWARD -i eth0 -o eth0 -j ACCEPT
So, as far as I can tell the system /should/ generate appropriate
rules. The stuff the router in question shows did look identical...
Any hints about where I should look?
Regards,
Daniel
Footnotes:
[1] Yes, I do hate this. Thanks for asking.
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/
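Added here as an example, not part of Daniel's post or of FireHOL itself: a small POSIX shell check that lists the FORWARD rules whose inbound and outbound interface are the same (the eth0-to-eth0 hairpin case described above) and reports which target such a rule jumps to, so the rules FireHOL actually loaded can be compared against the hand-written `iptables -I FORWARD -i eth0 -o eth0 -j ACCEPT` line. The sample `iptables-save` text and the chain name `in_int_route` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output standing in for a gateway
# FORWARD chain (chain names are illustrative, not FireHOL's real ones).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in_int_route - [0:0]
-A FORWARD -i eth0 -o eth0 -j in_int_route
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "PASS-unknown:"
-A in_int_route -j ACCEPT
COMMIT'

# hairpin_rules RULES: print every FORWARD rule in RULES whose -i and -o
# name the same interface, i.e. traffic leaving by the segment it came in on.
hairpin_rules() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "FORWARD" {
      inif = ""; outif = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") inif = $(i + 1)
        if ($i == "-o") outif = $(i + 1)
      }
      if (inif != "" && inif == outif) print
    }'
}

# hairpin_target IFACE RULES: the jump target (-j) of the first hairpin
# FORWARD rule for IFACE, or "none" if the gateway has no such rule.
hairpin_target() {
  t=$(hairpin_rules "$2" | awk -v ifc="$1" '
    {
      hit = 0
      for (i = 3; i <= NF; i++) if ($i == "-i" && $(i + 1) == ifc) hit = 1
      if (hit) for (i = 3; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit }
    }')
  printf '%s\n' "${t:-none}"
}

# Stand-alone run over the constructed sample.
echo "hairpin FORWARD rules:"
hairpin_rules "$SAMPLE_RULES"
echo "eth0 hairpin target: $(hairpin_target eth0 "$SAMPLE_RULES")"
```

On the live gateway, replace the sample with `iptables-save` output, e.g. `hairpin_target eth0 "$(iptables-save)"`; a result of "none" means no eth0-to-eth0 rule was generated at all, while a chain name tells you which generated chain to inspect next.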