[Firehol-support] nat/redirect problem

Phil Whineray phil.whineray at gmail.com
Wed Jun 27 21:29:24 CEST 2012


Les

On Wed, Jun 27, 2012 at 08:07:15PM +1000, Les Stott wrote:
> Ok a weird one.....or I don't know what I'm doing ;}

This is odd, but mainly because I can't readily imagine how you get:

> Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773

which specifically tells us that an ICMP echo reply did not match any
FireHOL rule, so it was dropped. It should have been allowed because it
would be related traffic to the incoming request.

In fact, the likely answer has just come to me by stating it in words.

I believe your topology is as follows (best viewed in a fixed-width font!):

  192.168.1.0/24     10.0.0.0/16
         |               |
         +---- cisco ----+
         |               |
         |               |
firehol -+               |
         |               |
         |               |
      X -|               |- Y

The most likely reason for the ICMP replies not being considered
"related" is that the incoming request did not go through the firewall.

If the cisco box emits packets straight to machines on the 192.168.1.0
ethernet segment then X will respond. It will send the response packet
to the firehol machine for forwarding by dint of your routing rules. The
firehol firewall will drop the response because it didn't see a request.

The reverse works because you are allowing pings in the firewall config.
This means the request is accepted. The response _would_ therefore be
accepted too but in fact probably avoids the firewall as it happens.

You probably need to change things so that the cisco routes only to the
firehol machine. If it were me I would plug it into a separate ethernet
port since your current setup makes it very easy to avoid the firewall
for a host on the ethernet segment.

If that's not an option you may be able to force it to send all incoming
traffic to the firewall despite being on the same subnet as the
destination machine (but I can't help you with cisco config, sorry).

Alternatively you could set up stateless firewall rules but firehol
won't be much help. As is hopefully obvious, if packets are being
delivered straight from cisco to machines on the 192.168.1.0/24 network
the firewall is not really isolating things properly anyway, in this
case.

Hope this all helps!

Regards
Phil
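The asymmetric-routing symptom Phil describes has a recognisable signature in the FireHOL log line quoted above: a packet that looks like a reply (ICMP echo-reply, or TCP with ACK but no SYN) is logged by the "unknown" chain and leaves through the same interface it arrived on (IN=eth0 OUT=eth0). The following is an added example, not code from the thread or from FireHOL, that parses lines in that netfilter LOG format and picks out such drops so an admin can spot hosts whose requests are bypassing the firewall. The second and third log lines are constructed for the example; the log prefix format is assumed to match the one quoted in the message.

```python
import re

# Constructed sample log: the first line is the one quoted in the message,
# the other two are made up for this example in the same netfilter LOG format.
SAMPLE_LOG = """\
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
Jun 25 11:54:48 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=40548 PROTO=TCP SPT=22 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 25 11:55:01 gateway kernel: 'PASS-unknown:'IN=eth1 OUT=eth0 SRC=10.0.1.145 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=0 RES=0x00 SYN URGP=0
"""

# Matches the quoted FireHOL log prefix ('CHAIN:') followed by the KEY=VALUE fields.
PREFIX_RE = re.compile(r"'(?P<chain>[^']*):'(?P<rest>.*)$")


def parse_log_line(line):
    """Return a dict of fields from one netfilter LOG line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain")}
    flags = []  # bare tokens such as SYN, ACK, RST (TCP flags)
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ID= appears twice for ICMP (IP header id, then echo id); keep the first.
            fields.setdefault(key, value)
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields


def looks_like_reply(pkt):
    """True if the packet is the response half of a conversation."""
    proto = pkt.get("PROTO")
    if proto == "ICMP":
        return pkt.get("TYPE") == "0"  # echo reply
    if proto == "TCP":
        return "ACK" in pkt["flags"] and "SYN" not in pkt["flags"]
    return False


def asymmetric_drops(log_text):
    """Replies dropped by the unknown chain that hairpin out the inbound interface.

    Each such line means the matching request never crossed the firewall, so
    conntrack had no state to mark the reply as RELATED/ESTABLISHED.
    """
    hits = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if (pkt and pkt["chain"].endswith("unknown") and looks_like_reply(pkt)
                and pkt.get("IN") == pkt.get("OUT")):
            hits.append((pkt["SRC"], pkt["DST"], pkt["PROTO"]))
    return hits
```

Run it over `/var/log/messages` (or wherever the kernel log lands) and each tuple names an internal host whose traffic is reaching it by a path around the firewall.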