Hi Charles,

I'm afraid I haven't worked with Shorewall rulesets before, so I'm not the best person to comment on your configuration. It shouldn't be too difficult to validate your config with some testing, as you'd planned to do. If you don't see the results you were expecting, do post back, as there are some more generic ways for us to discuss your firewall setup.

Good luck,
MikeR.

-----Original Message-----
From: Charles Nadeau [mailto:charles [ dot ] nadeau [ at ] gmail [ dot ] com]
Sent: Thursday, June 14, 2007 3:39 PM
To: Rosberg, Michael
Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
Subject: Re: [OCLUG-Tech] Routing traffic by port number to two interfaces

Michael,

I went through the documentation of Shorewall and wrote these 4 files I'll test over the week-end (I am at work now in a Windows-only environment).

Zones:

#Zone   Type       Options   IN Options   OUT Options
fw      firewall
data    ipv4
rest    ipv4

Policy:

#Source zone   Destination zone   Policy   Log level   Limit:burst
data           rest               DROP
rest           data               DROP
fw             rest               ACCEPT   err
fw             data               ACCEPT   err
data           fw                 ACCEPT   err
rest           fw                 ACCEPT   err

Interfaces:

#Source zone   Destination zone   Policy   Log level   Limit:burst
data           rest               DROP
rest           data               DROP
fw             rest               ACCEPT   err
fw             data               ACCEPT   err
data           fw                 ACCEPT   err
rest           fw                 ACCEPT   err

Rules:

#Action      Source   Dest   Proto   Dest port(s)   Comments
ACCEPT       fw       data   tcp     111            # portmapper
ACCEPT       fw       data   udp     111
ACCEPT       fw       data   tcp     2049           # rpc.nfsd
ACCEPT       fw       data   udp     2049
ACCEPT       fw       data   tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
ACCEPT       fw       data   udp     4000:4002
ACCEPT       fw       data   tcp     4003           # rpc.rquotad
ACCEPT       fw       data   udp     4003
ACCEPT       data     fw     tcp     111            # portmapper
ACCEPT       data     fw     udp     111
ACCEPT       data     fw     tcp     2049           # rpc.nfsd
ACCEPT       data     fw     udp     2049
ACCEPT       data     fw     tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
ACCEPT       data     fw     udp     4000:4002
ACCEPT       data     fw     tcp     4003           # rpc.rquotad
ACCEPT       data     fw     udp     4003
SMB/ACCEPT   fw       data                          # Samba
SMB/ACCEPT   data     fw
ACCEPT       fw       data   tcp     1077:1080      # NBD
ACCEPT       data     fw     tcp     1077:1080
REJECT       fw       rest   tcp     111            # portmapper
REJECT       fw       rest   udp     111
REJECT       fw       rest   tcp     2049           # rpc.nfsd
REJECT       fw       rest   udp     2049
REJECT       fw       rest   tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
REJECT       fw       rest   udp     4000:4002
REJECT       fw       rest   tcp     4003           # rpc.rquotad
REJECT       fw       rest   udp     4003
REJECT       rest     fw     tcp     111            # portmapper
REJECT       rest     fw     udp     111
REJECT       rest     fw     tcp     2049           # rpc.nfsd
REJECT       rest     fw     udp     2049
REJECT       rest     fw     tcp     4000:4002      # rpc.statd, rpc.lockd, rpc.mountd
REJECT       rest     fw     udp     4000:4002
REJECT       rest     fw     tcp     4003           # rpc.rquotad
REJECT       rest     fw     udp     4003
SMB/REJECT   fw       rest                          # Samba
SMB/REJECT   rest     fw
REJECT       fw       rest   tcp     1077:1080      # NBD
REJECT       rest     fw     tcp     1077:1080

Does the rules file seem right? I set it up to allow data-related traffic between one zone and the file server itself and block it between the other zone and the file server. I was wondering if I have to specify both, or if specifying one implicitly specifies the other.

Thanks!

Charles

On 6/14/07, Rosberg, Michael <m [ dot ] rosberg [ at ] telesat [ dot ] ca> wrote:
> -----Original Message-----
> From: linux-bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca [mailto:linux-bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca] On Behalf Of Charles Nadeau
> Sent: Thursday, June 14, 2007 12:08 PM
> To: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: [OCLUG-Tech] Routing traffic by port number to two interfaces
>
> Hi,
>
> I have a quick question for the networking experts on the list:
>
> I have a file server with two network cards (eth0 and eth1). Each of them will be linked to two different switches.
> I would like to use one of the two network cards for NFS, NBD and SMB/CIFS traffic only.
>
> Charles,
>
> One option would be to specify the interface(s) that the Samba service will listen on. Take a look at the following config parameter, which I cut from the smb.conf man page:
>
> "bind interfaces only (G) This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways."
>
> A quick answer to your other questions: yes, it is possible for a Linux computer to have two network cards on the same IP subnet. In most cases both interfaces would require a unique IP address. And yes, it is possible to configure Shorewall (or technically any iptables implementation) to allow specific applications through one network interface and not through others.
>
> MikeR.

-- 
Charles Nadeau Ph.D.
http://charlesnadeau.blogspot.com/
http://radio.weblogs.com/0111823/
A job for me? Here is my CV: http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
Got a job for me? Here is my Resume: http://resumes.hotjobs.com/charlesnadeau/resumeprincipal
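An added example, not from the thread or from Shorewall itself, that models how Shorewall decides a new connection between two zones: the first matching line in the rules file wins, and only if none matches does the zone-pair policy apply. The rules and policies are a constructed subset of what Charles posted; the port rows attributed to the SMB macro are an assumption about Shorewall's stock macro.SMB.

```python
# Constructed sample: a subset of the posted rules and policies, with the upper-case actions Shorewall expects.
RULES = """
ACCEPT      fw      data  tcp  2049        # rpc.nfsd: server-initiated traffic to data clients
ACCEPT      data    fw    tcp  2049        # rpc.nfsd: data clients to the server
ACCEPT      data    fw    tcp  4000:4002   # rpc.statd, rpc.lockd, rpc.mountd
SMB/ACCEPT  data    fw                     # Samba, via Shorewall's SMB macro
REJECT      fw      rest  tcp  2049
REJECT      rest    fw    tcp  2049
SMB/REJECT  rest    fw
"""
POLICY = """
data  rest  DROP
fw    data  ACCEPT
data  fw    ACCEPT
rest  fw    ACCEPT
"""
# Assumption: the (proto, ports) rows of Shorewall's stock macro.SMB.
SMB_MACRO = [("udp", "135,445"), ("udp", "137:139"), ("tcp", "135,139,445")]

def port_matches(spec, port):
    """True if port is inside a Shorewall port list such as '4000:4002' or '135,445'."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if port == int(lo) or (hi and int(lo) <= port <= int(hi)):
            return True
    return False

def expand_rules(text):
    """Yield (action, src, dst, proto, ports) rows, expanding SMB/ACTION macro lines."""
    for line in text.splitlines():
        fields = line.split("#")[0].split()      # strip trailing comments, skip blanks
        if not fields:
            continue
        if fields[0].startswith("SMB/"):
            for proto, ports in SMB_MACRO:
                yield fields[0][4:], fields[1], fields[2], proto, ports
        else:
            yield tuple(fields[:5])

def verdict(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Shorewall semantics: the first matching rule wins; otherwise the zone-pair policy applies."""
    for action, s, d, p, ports in expand_rules(rules):
        if (s, d, p) == (src, dst, proto) and port_matches(ports, port):
            return action
    for line in policy.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == src and fields[1] == dst:
            return fields[2]
    return "NO POLICY"
```

A rule governs which side may open a connection (replies are matched by connection tracking), so the data-to-fw rows and the fw-to-data rows answer different questions: client-initiated NFS and SMB sessions versus server-initiated lockd/statd callbacks. With a rest-to-fw ACCEPT policy, any port not listed in the rules still reaches the server from the other zone, which verdict("rest", "fw", "tcp", 22) makes visible.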