shorewall-users June 2011 archive

Re: [Shorewall-users] Shorewall bridge (newbridge) configuration

From: Tom Eastep <teastep_at_nospam>
Date: Mon Jun 06 2011 - 17:45:45 GMT
To: shorewall-users@lists.sourceforge.net

On 06/06/2011 10:02 AM, David Rayner wrote:
> I have configured a Fedora 15 installation to operate as a two-interface
> bridge.
>
> I have followed the instructions from
> http://www.shorewall.net/3.0/NewBridge.html and configured shorewall, but
> can't seem to restrict traffic from a PC within the net zone.
>
> The local zone and net zone PCs share the same IP subnet, 192.168.7.x, but
> when the firewall is started I can still ping from the PC (192.168.7.116) on
> the net zone to any PC on the local zone.
>
> The IP addresses seem correctly assigned to the correct zones. If I try to
> ping from the bridge to the PC on the net zone I receive fw2net messages in
> the log, and fw2loc when pinging a PC on the local zone.
>
> It appears I am missing something, any pointers would be appreciated.

The document you have been reading applies to the Shorewall 3.x series;
hopefully, you are running Shorewall 4.4 on Fedora 15. There are more
recent articles that apply to Shorewall 4.4 and bridging. See the
Documentation index linked from the Shorewall home page.

>
> See below for my config:
>
> Hosts:
> #ZONE   HOST(S)                             OPTIONS
> loc     br0:192.168.7.0/24!192.168.7.116
>
> Rules:
> #SOURCE DEST    POLICY  LOG     LIMIT:  CONNLIMIT:
> #                       LEVEL   BURST   MASK
> loc     net     ACCEPT
> net     all     DROP    info
> all     all     REJECT  info

That isn't the rules file -- it's the policy file. And your fw->net
policy is REJECT (from the all->all REJECT entry), so unless you have
exceptions in the rules file, you aren't going to be able to access the
net at all from the Shorewall box.
>
> Interfaces:
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     br0             192.168.7.255

Broadcast addresses are no longer required -- you're probably getting a
warning from that.

>
> Zones:
> #ZONE   TYPE            OPTIONS         IN                      OUT
> #                                       OPTIONS                 OPTIONS
> fw      firewall
> net     ipv4
> loc:net ipv4

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
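The point Tom makes about the policy file (first matching entry wins, and the catch-all `all all REJECT` therefore decides fw->net) is easy to see by computing the whole zone-pair matrix. The script below is an added example, not part of this thread and not Shorewall's own parser: it models only Shorewall's first-match policy lookup with the `all` wildcard, comma-separated zone lists and the `$FW` alias, and ignores the rules file, intra-zone traffic and the `all+` form. `POSTED_POLICY` is the file as posted above (with the wildcard spelled in lowercase `all`, which is how Shorewall expects it); `CORRECTED_POLICY` is a constructed variant that adds one `$FW net ACCEPT` entry ahead of the catch-all, which is one way (an assumption, not Tom's prescription; a rules-file exception is the other) to let the firewall itself reach the net.

```python
"""Effective Shorewall policy matrix from a /etc/shorewall/policy file.

Added example for the thread above; not Shorewall code.  Models only
first-match lookup with the ``all`` wildcard, comma lists and ``$FW``.
"""

import itertools
import re

FW = "fw"                       # firewall zone name from David's zones file
ZONES = (FW, "net", "loc")      # zone names from David's zones file

# Constructed sample: the policy file as posted in the thread.
POSTED_POLICY = """\
#SOURCE DEST    POLICY  LOG     LIMIT:  CONNLIMIT:
#                       LEVEL   BURST   MASK
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

# Constructed variant (assumption, not from the thread): an explicit
# firewall->net policy placed before the catch-all so it wins first-match.
CORRECTED_POLICY = """\
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""


def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples in file order.

    Handles comments, blank lines, the '-' placeholder in the LOG LEVEL
    column and the $FW alias; anything beyond those columns is ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = re.split(r"\s+", line)
        if len(cols) < 3:
            raise ValueError("policy entry needs SOURCE DEST POLICY: %r" % line)
        src, dst, pol = cols[:3]
        level = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        entries.append((src.replace("$FW", FW), dst.replace("$FW", FW),
                        pol.upper(), level))
    return entries


def _matches(spec, zone):
    """True if a SOURCE/DEST column (``all`` or a comma list) covers zone."""
    return spec == "all" or zone in spec.split(",")


def effective_policy(entries, src, dst):
    """First matching entry wins, as in Shorewall; None if nothing matches."""
    for esrc, edst, pol, level in entries:
        if _matches(esrc, src) and _matches(edst, dst):
            return pol, level
    return None


def policy_matrix(entries, zones=ZONES):
    """Map (src, dst) -> (policy, log_level) for every ordered pair of zones."""
    return {(s, d): effective_policy(entries, s, d)
            for s, d in itertools.permutations(zones, 2)}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print("== %s policy file ==" % label)
        for (s, d), hit in sorted(policy_matrix(parse_policy(text)).items()):
            pol, level = hit if hit else ("(none)", None)
            print("%-4s -> %-4s %-7s %s" % (s, d, pol, level or ""))
```

Running it prints fw -> net REJECT (logged at info) for the posted file, which is exactly the fw2net log line David was seeing, and net -> loc DROP, which is the policy that should be blocking the 192.168.7.116 pings once the host is actually classified into the net zone.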


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users