
[Shorewall-users] Blocking ISP's rfc1918 addresses & unblocking local domain

From: Erik Mundall <emundall_at_nospam>
Date: Fri Jan 13 2012 - 21:53:35 GMT
To: <shorewall-users@lists.sourceforge.net>

I have an ISP who has seemingly left its local network completely open to me. While supposedly their RFC1918 addresses should not conflict with the ones on our network (they told me this), and of course our router only provides DHCP service to our own LAN, I am still rather annoyed at having conflicting devices respond to ICMP (ping). The ISP has at least 1500 live LAN IP addresses, mostly in the 192.168.x.x range, which I have some devices on as well.

I've read the FAQs and did not find what I was looking for. It seems that shorewall has removed the "norfc1918" option now. I've tried Google, and tried many configurations of shorewall to no avail in attempting to limit pinging of RFC1918 addresses to my own LAN, set up on eth1. The ISP gives me a static external address, to which our domain name points, which comes in on eth0 of the linux box.

The problem with the ISP's LAN remaining transparent to me is that it is hard to find devices with unknown IPs on my local LAN. (I'm still finding and mapping the network as the new IT guy here, and some things like the Dell PowerConnect 5224 were on unknown IPs.) Running an nmap to find live IPs turned up so many from outside of our own LAN that it was impossible to know which IP was the one I needed.

Additionally, I'm having trouble accessing the domain name of the server from within the LAN. I can pull up a webpage with an IP address, such as 10.0.0.1, but the domain cannot be reached. I'm running a Squid transparent proxy, but since I've tried opening it completely for access to the server, I don't know if it's a squid problem or a misconfiguration elsewhere. Is there any way that shorewall can just map the domain name to bypass squid for the fw zone?

For most everything else, the firewall is functioning well. I'm not a trained techie, so thank you for your graciousness where I may be ignorant. A status file is attached, and if anything else is needed, let me know. Thank you!

Sincerely,

Erik.
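
An added example, not from this thread or from the Shorewall project, of how the RFC1918 traffic described above could be kept off the ISP-facing interface using Shorewall's rules file rather than the removed "norfc1918" interface option. It assumes the usual two-interface zone names (net on eth0, loc on eth1), the default file paths under /etc/shorewall, and a Shorewall version that accepts a comma-separated address list after a zone name.

```text
# /etc/shorewall/params  (assumed path; defines a reusable address list)
RFC1918=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# /etc/shorewall/rules  (assumed path; zones assumed: net = eth0, loc = eth1)
#ACTION   SOURCE             DEST               PROTO   DEST
#                                                       PORT(S)
# Drop anything that arrives on the ISP side with a private source address.
# The loc zone is bound to eth1, so the local 192.168.x.x LAN is unaffected.
DROP      net:$RFC1918       all

# Stop the LAN and the firewall itself from reaching private addresses
# through the ISP. A ping or nmap sweep of 192.168.x.x from the LAN then
# only gets answers from devices behind eth1, which is what the poster wants.
DROP      loc                net:$RFC1918
DROP      $FW                net:$RFC1918
```

Run `shorewall check` before `shorewall restart` so a typo in the address list is reported before the running firewall is replaced.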
