[Shorewall-users] Is working only inside eth1...

Tom Eastep teastep at shorewall.net
Sat Apr 3 07:26:48 PST 2004


Tom Eastep wrote:

> 
> And if you falsified your IP addresses in your first report then please 
> don't do it again. I based my first response on the addresses that your 
> reported and I don't have the time or the patience to play games with 
> people who believe that keeping their IP address structure a secret 
> somehow keeps them safer.

Hmmmmm --- The more that I look at your rules, the less that I understand:

ACCEPT     fw:200.176.54.1    net            tcp     53

Fine -- you say that 200.176.54.1 is your eth1 IP address

ACCEPT     net            loc:200.176.54.1    icmp    8

Huh?? Now all of a sudden, 200.176.54.1 is the IP address of a system in 
the 'loc' zone!!!!

ACCEPT     all            loc:200.176.54.155    tcp    80

So 200.176.54.155 must be the IP address of a web server in the local zone.

And finally we have:

ACCEPT     all            loc:146.164.54.155    tcp    110

So you appear to have a 146.164.155.* also in your local zone.

The point here that none of these IP addresses are reserved by RFC 1918. 
In fact, 200.176.54.155 is cm-net-cwb-C8B0369B.brdterra.com.br and the 
146.xxxx address also appears legitimate.

200.200.200.22 however smells like a fake.

The reason that I suggested removing the masq entry is because these 
perfectly valid public IP addresses should be internet accessible so 
traffic from them shouldn't have to be masqueraded to the bogus 
200.200.xxx address. Since removing the the masq entry produces the 
result it did, I can only conclude that hosts on the eth0 side of your 
router don't know how to route traffic to hosts on the eth1 side. That 
has nothing to do with the configuration of your firewall/router 
(although as I point out above, there are some configuration problems in 
that router).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net




More information about the Shorewall-users mailing list