[Shorewall-users] Re: [leaf-user] 3 Bering problems

Tom Eastep teastep@shorewall.net
Thu, 4 Jul 2002 07:18:46 -0700 (PDT)


On Thu, 4 Jul 2002, Tom Eastep wrote:

> On Wed, 3 Jul 2002, Nachman Yaakov Ziskind wrote:
> 
> > 
> > 1) Incoming connections to the servers are identified as coming from the
> > router, not the original IP address. This makes life difficult for several
> > reasons. How do I address this?
> >
> 
> The "rules" above do exactly that.
> 
> On my web site and in my posts on mailing lists, I have consistently
> recommended that people use a DNS solution rather than an IP solution to
> the problem that you were trying to solve (basically the problem
> described in Shorewall FAQ #2). When I made that recommendation to you, 
> you replied:
> 
> "I have no clue what Bind 9 views is, or how to set it up. But I suspect
> it involves doing things through DNS. I further suspect it will be like
> pulling teeth with every w/s pointing to my ISP's DNS servers. I suppose I
> *could* just load a hosts file on every workstation. Ouch."
> 
> Given your response, I made the recommendation that resulted in the rules
> that you have above. One of the features of that solution is that all
> redirected connections look to the server as if they were initiated by the
> firewall. That is absolutely necessary since the server MUST reply back
> through the firewall so that the firewall can "de-NAT" the reply packets.
> 
> If having the connections appear to come from the firewall is a problem 
> for you then you need to switch to a DNS solution.
> 

After I had posted, I realized that there is another issue here that may 
be what you are really complaining about. If your 'loc' zone is defined 
entirely in terms of interfaces then you probably want to revise your 
rules to read:

ACCEPT  loc:10.1.1.0/24 loc:10.1.1.1    tcp     smtp    -    216.236.142.81:10.1.1.200
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.252  tcp     www     -    216.236.142.82:10.1.1.200
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.253  tcp     www     -    216.236.142.83:10.1.1.200
ACCEPT  loc:10.1.1.0/24 loc:10.1.1.254  tcp     www     -    216.236.142.84:10.1.1.200

That will restrict the scope of SNAT to connections originating on the 
local system. With the rules that you posted (and assuming that 'loc' is 
defined in terms of one or more interfaces), connections originating from 
outside your firewall will also appear to originate from the firewall.

Sorry that I was so dense on the first go-around. I will also change the 
FAQ to make this point clear.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
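Added example, not part of Tom's post or of Shorewall's own code: a simplified Python translation of rules in the form above into the iptables commands they imply, showing that the SOURCE network becomes the `-s` match on the SNAT rule, which is what limits the SNAT scope. It assumes the 'loc' zone is interface eth1, that an ORIGINAL DEST of the form orig:snat means DNAT to DEST plus SNAT to the second address, and the interface-only rule it compares against is constructed, not taken from the thread.

```python
# Simplified model of what a DNAT+SNAT rule expands to; assumptions as in the
# lead-in (loc = eth1, "orig:snat" in ORIGINAL DEST means DNAT + SNAT).
import ipaddress

SERVICE_PORTS = {"smtp": 25, "www": 80}       # service names used on the page
ZONE_IFACE = {"loc": "eth1"}                  # assumed interface for the zone


def parse_rule(line):
    """Split one rules-file line into its columns (SOURCE PORT(S) is ignored)."""
    _action, source, dest, proto, dport, _sport, origdest = line.split()
    zone, _, src_net = source.partition(":")
    _dzone, _, host = dest.partition(":")
    orig, _, snat = origdest.partition(":")
    if src_net:
        ipaddress.ip_network(src_net)         # reject garbage before it reaches iptables
    return {"zone": zone, "src_net": src_net, "host": host, "proto": proto,
            "port": SERVICE_PORTS.get(dport, dport), "orig": orig, "snat": snat}


def to_iptables(r):
    """Return the DNAT command and, if requested, the SNAT command for one rule."""
    src = f"-s {r['src_net']}" if r["src_net"] else ""
    # PREROUTING can match the incoming interface, so an interface-only zone works here.
    pre_match = src or f"-i {ZONE_IFACE[r['zone']]}"
    cmds = [f"iptables -t nat -A PREROUTING {pre_match} -d {r['orig']} -p {r['proto']} "
            f"--dport {r['port']} -j DNAT --to-destination {r['host']}:{r['port']}"]
    if r["snat"]:
        # POSTROUTING has no input interface to match on: without a SOURCE
        # network the SNAT hits every connection reaching the server,
        # including ones that arrived from outside the firewall.
        post_match = f"{src} " if src else ""
        cmds.append(f"iptables -t nat -A POSTROUTING {post_match}-d {r['host']} -p {r['proto']} "
                    f"--dport {r['port']} -j SNAT --to-source {r['snat']}")
    return cmds


def snat_is_restricted(line):
    """True when the SNAT rule generated for `line` carries a source-network match."""
    cmds = to_iptables(parse_rule(line))
    return len(cmds) == 2 and " -s " in cmds[1]


if __name__ == "__main__":
    # First line is the constructed interface-only form; second is the revised form.
    for line in ("ACCEPT loc loc:10.1.1.1 tcp smtp - 216.236.142.81:10.1.1.200",
                 "ACCEPT loc:10.1.1.0/24 loc:10.1.1.1 tcp smtp - 216.236.142.81:10.1.1.200"):
        print("\n".join(to_iptables(parse_rule(line))), "restricted:", snat_is_restricted(line))
```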