shorewall-users January 2012 archive

Re: [Shorewall-users] Blocking ISP's rfc1918 addresses & unblocking local domain

From: Tom Eastep <teastep_at_nospam>
Date: Sat Jan 14 2012 - 05:52:14 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Jan 13, 2012, at 1:53 PM, Erik Mundall wrote:

> I have an ISP who has seemingly left its local network completely open to me. While supposedly their RFC1918 addresses should not conflict with the ones on our network (they told me this), and of course our router only provides DHCP service to our own LAN, I am still rather annoyed at having conflicting devices respond to ICMP (ping). The ISP has at least 1500 live LAN IP addresses, mostly in the 192.168.x.x range, which I have some devices on as well.
>
> I've read the FAQs and did not find what I was looking for. It seems that shorewall has removed the "norfc1918" option now. I've tried Google, and tried many configurations of shorewall to no avail in attempting to limit pinging of RFC1918 addresses to my own LAN, set up on eth1. The ISP gives me a static external address, to which our domain name points, which comes in on eth0 of the Linux box.

Live by Google -- die by Google. The successor to 'norfc1918' is NULL_ROUTE_RFC1918=Yes in shorewall.conf.

> Additionally, I'm having trouble accessing the domain name of the server from within the LAN. I can pull up a webpage with an IP address, such as by 10.0.0.1, but the domain cannot be reached. I'm running a Squid transparent proxy, but as I've tried opening it completely to access of the server, I don't know if it's a squid problem or a misconfiguration elsewhere. Is there any way that shorewall can just map the domain name to bypass squid for the fw zone?

From the dump output you posted, there are DNS requests being sent from the 'loc' zone to the 'fw' zone, but none being sent from the 'fw' zone to the 'net' zone (even though such traffic is allowed). So I would check the named configuration on your firewall.

Hope this helps,

-Tom

Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
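The following is an added illustration of what NULL_ROUTE_RFC1918=Yes actually does on the box, and why it leaves the local LAN reachable; it is not Shorewall code and not from this thread. Shorewall installs a null route for each of the three RFC 1918 ranges; the kernel then picks routes by longest prefix match, so a more specific connected route for the local LAN subnet (here an assumed 192.168.1.0/24 on eth1) still wins, while RFC 1918 addresses leaking in from the ISP's side fall into the null route. The routing table below is a constructed sample in `ip route show` format, not output from the poster's firewall, and the use of the `blackhole` route type is an assumption; Shorewall may use a different null-route type depending on version.

```python
import ipaddress

# The three RFC 1918 ranges that NULL_ROUTE_RFC1918 covers.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Route types the kernel treats as "drop, do not forward".
NULL_TYPES = {"blackhole", "unreachable", "prohibit"}

# Constructed sample of `ip route show` output (NOT captured from a real host).
# Assumption: the LAN is 192.168.1.0/24 on eth1, the ISP link is 203.0.113.0/24
# on eth0, and Shorewall added blackhole routes for the RFC 1918 ranges.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
blackhole 10.0.0.0/8
blackhole 172.16.0.12/12
blackhole 192.168.0.0/16
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, kind, device) tuples.

    kind is "unicast" for ordinary routes or one of NULL_TYPES for null routes.
    """
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] in NULL_TYPES:
            # e.g. "blackhole 10.0.0.0/8" -> no device, traffic is dropped
            net = ipaddress.ip_network(words[1], strict=False)
            routes.append((net, words[0], None))
        else:
            prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
            dev = words[words.index("dev") + 1] if "dev" in words else None
            routes.append((ipaddress.ip_network(prefix, strict=False), "unicast", dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, kind, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, dev)
    return best


def missing_null_routes(routes):
    """Return the RFC 1918 ranges that have no null route in the table."""
    present = {net for net, kind, _ in routes if kind in NULL_TYPES}
    return [str(n) for n in RFC1918 if n not in present]


def conf_enables_null_route(conf_text):
    """Check a shorewall.conf body for NULL_ROUTE_RFC1918=Yes (case-insensitive).

    Only uncommented assignments count; the last one seen wins.
    """
    enabled = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "NULL_ROUTE_RFC1918":
            enabled = value.strip('"\'').lower() == "yes"
    return enabled


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("missing null routes:", missing_null_routes(routes))
    for dst in ("192.168.1.10", "192.168.50.10", "10.0.0.1", "198.51.100.5"):
        print(dst, "->", lookup(routes, dst))
```

Running this shows the two cases side by side: 192.168.1.10 resolves to the connected route on eth1, while 192.168.50.10 (an address in the ISP's overlapping range, or any other RFC 1918 address without a more specific route) hits the blackhole. That is also the reason a LAN subnet must have its own route, as it does automatically for an address configured on eth1; an address like 10.0.0.1 with no connected route becomes unreachable once the 10.0.0.0/8 null route is in place.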

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users