[Shorewall-users] How can I ping a private IP
teastep at shorewall.net
Tue Mar 9 07:38:26 PST 2004
On Tuesday 09 March 2004 07:13 am, Tom Eastep wrote:
> On Tuesday 09 March 2004 05:47 am, M Lu wrote:
> > Hello,
> > My network has an external interface, eth0 and 3 internal subnets
> > 10.9.9.x, 10.9.18.x and 10.9.27.x. By accident I saw that I can ping a
> > private IP, which should not be mine, 10.18.9.153.
> > What could be wrong in my setup?
> > Thank you.
> > My shorewall/interfaces contains:
> > net eth0 detect dhcp,routefilter,norfc1918,blacklist
> > loc eth1 detect
> > wifi eth2 detect maclist
> > dmz eth3 detect
> > My interfaces are
> > 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> > link/ether 00:60:08:55:a8:fa brd ff:ff:ff:ff:ff:ff
> > inet 10.9.9.254/24 brd 10.9.9.255 scope global eth1
> > 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> > link/ether 00:10:4b:21:02:ae brd ff:ff:ff:ff:ff:ff
> > inet 10.9.18.254/24 brd 10.9.18.255 scope global eth2
> > 6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> > link/ether 00:10:4b:2c:a9:ef brd ff:ff:ff:ff:ff:ff
> > inet 10.9.27.254/24 brd 10.9.27.255 scope global eth3
> Please forward the output of "shorewall show nat" as a text attachment.
There are two issues here:
a) How are you able to route packets across the internet to an RFC 1918
address? The answer to that is that DNAT must be occurring before the
outbound packets reach the internet and that DNAT is also occurring on the
remote end. From the "shorewall show nat" output you sent, it appears that
the outbound DNAT is occurring at your ISP. I don't believe that any form of
tunneling is involved here because the intermediate routers all show up in
the traceroute output.
b) Why didn't 'norfc1918' prevent this? Because that option only checks new
connection requests from the internet; it does not check replies to
connections initiated from your firewall or from your local systems.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
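An added illustration of point (b) above, not code from the thread or from Shorewall: a small Python model of the inbound path on the net interface in which the ESTABLISHED/RELATED match is evaluated before the rfc1918 check, so the echo reply to a locally initiated ping is accepted while an unsolicited packet from the same RFC 1918 source is dropped. The hosts, addresses and packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Simplified model of the inbound path on the "net" interface: the
# ESTABLISHED/RELATED match runs before the rfc1918 chain, so replies to
# traffic that the firewall or a loc host initiated never reach the check.
# Addresses are shown as the LAN sees them (masquerading undone).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# direction is "out" (loc/fw -> net) or "in" (net -> loc/fw)
Packet = namedtuple("Packet", "direction src dst proto")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class Firewall:
    def __init__(self):
        # connections initiated from inside: (local, remote, proto)
        self.conntrack = set()

    def process(self, pkt):
        if pkt.direction == "out":
            # outbound traffic is accepted and creates the conntrack entry
            self.conntrack.add((pkt.src, pkt.dst, pkt.proto))
            return "ACCEPT"
        # inbound: ESTABLISHED/RELATED is matched before any norfc1918 check
        if (pkt.dst, pkt.src, pkt.proto) in self.conntrack:
            return "ACCEPT (ESTABLISHED)"
        # only NEW connection requests fall through to the rfc1918 chain
        if is_rfc1918(pkt.src):
            return "DROP (rfc1918)"
        return "NEW -> policy"

def demo():
    """Constructed traffic: a loc host pings 10.18.9.153, then the same
    address tries to open a new connection inbound (hypothetical hosts)."""
    fw = Firewall()
    packets = [
        Packet("out", "10.9.9.10", "10.18.9.153", "icmp"),   # echo request
        Packet("in", "10.18.9.153", "10.9.9.10", "icmp"),    # echo reply
        Packet("in", "10.18.9.153", "10.9.9.254", "tcp"),    # unsolicited NEW
        Packet("in", "198.51.100.7", "10.9.9.254", "tcp"),   # NEW, public src
    ]
    return [fw.process(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```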