Gentoo Forums
How to access website through LAN and security issues?
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Tue Mar 15, 2016 7:38 pm

Neddy,
NeddySeagoon wrote:
paul_chany,

A network bridge always has two or more interfaces. It connects the subnets on all the member networks together.
It's just like a road bridge. To be useful, it needs two (or more) ends.
It's the software equivalent of a hardware network hub, all packets go everywhere.

Would you try to cross a road bridge that had only one end?

More seriously, is it possible that you intended to add more devices later and later never arrived?

I understand now what you mean about bridging network interfaces.
My friend helped me set up my home software Access Point this way.
Look into the /etc/conf.d/net file:
Quote:
# null setup for eth1 (lan Ethernet port)
# (this will be owned by the bridge, br0)
config_eth1="null"
# null setup for wlp1s0 (WiFi adaptor)
# (this will be owned by hostapd)
config_wlan0="null"
# bridge address (we ignore wifi here, it'll be added by hostapd)
config_br0="192.168.50.1 netmask 255.255.255.0 brd 192.168.50.255"
# no default route set for br0, leave forwarding etc. to shorewall
# add the lan Ethernet port (enp4s1) only to br0
# hostapd will add the WiFi adaptor (wlp1s0)
brctl_br0="setfd 0
sethello 10
stp off"
bridge_br0="eth1"

Now, I changed my mind: I want to set my home network like this:
Code:
_ISP
_|--CableModem
__|--[ ethernet cable-RJ45 ] Bubba2
___|--Plug & Play Switch ___|--WiFi ( thanks to you )
_____|________________________/\-- my smart phone
_____|________________________/\-- RasPi 2
_____|--[ ethernet cable-RJ45 ] Desktop Gentoo linux
_____|--[ ethernet cable-RJ45 ] laptop Gentoo linux

This way my Raspberry Pi 2 Model, aka RasPi 2 (webserver: nginx, moodle), goes into the DMZ zone of my Shorewall firewall.
What do you think?
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Tue Mar 15, 2016 8:27 pm

paul_chany,

Here's my setup
Code:

                              |
                     -------+-------
                     | VDSL - Phone |
                     |    PPoE      |
                     -------+-------
                            |
                            |
                            |
                 -----------+----------
                 |  Router - Public IP |
                 |         NAT         |
                 | eth1    eth2    eth3|
                  ----------------------
I have a static public IP, which my router gets on Interface ppp0. That's carried over its eth0.
The fully protected wired network on eth1 uses 192.168.100.0/24
The wireless network on eth2 uses 192.168.54.0/24. My wireless network is not permitted to connect to the wired network, except in response to requests from the wired network.
eth3 is for the DMZ. A few choice ports from the internet are forwarded here.

My firewall (Shorewall) is fairly paranoid. The policy everywhere is deny. That means I have to write rules to allow all outgoing traffic.
Individual systems on my network do not need their own firewalls, Shorewall on the router does it all.
To add to the interest, my router is a kernel virtual machine.

WiFi is not very secure, anyone could be using it, so it's kept separate.
Using a policy of deny is part of my security. If something nasty does get in, it will make it difficult for it to phone home.

Rather than using a bridge, which lets your internet traffic go everywhere, I would run shorewall only on Bubba2 and make it firewall for itself and the rest of your network.
I guess your cable modem does NAT to the 192.168.50.0/24 network?



See the Gentoo Home Router Guide. It does not cover the use of Shorewall.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Tue Mar 15, 2016 8:34 pm

Neddy,
NeddySeagoon wrote:
paul_chany,

Here's my setup

Rather than using a bridge, which lets your internet traffic go everywhere, I would run shorewall only on Bubba2 and make it firewall for itself and the rest of your network.
I guess your cable modem does NAT to the 192.168.50.0/24 network?

See the Gentoo Home Router Guide. It does not cover the use of Shorewall.

Thank you very much for advising me.
I don't know whether my cable modem does NAT to the 192.168.50.0/24 network.
How can I know that?
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Tue Mar 15, 2016 9:31 pm

paul_chany,

You have posted
route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0


/etc/conf.d/net:
# null setup for eth1 (lan Ethernet port)
# (this will be owned by the bridge, br0)
config_eth1="null"
# null setup for wlp1s0 (WiFi adaptor)
# (this will be owned by hostapd)
config_wlan0="null"


and that your public IP was at one time, 95.85.141.171.

Putting this all together shows that eth0 gets your public IP and eth1 and wlan0 are in a bridge.
Shorewall does NAT between eth0 and br0. That's odd but as long as you do not want to treat wired and wireless separately, it's OK.

It's a bad idea to add a server to br0 because if it is ever compromised, there is nothing between it and your network.
You should add another interface to Bubba2 to use for your DMZ. This will keep your server(s) which are exposed to the internet, separate from your LAN.
e.g. eth2 on 192.168.25.1/24. wlan1 would do too. The important thing is to keep your servers on a physically separate network segment from everything else.

Breaking up br0 is only useful if you want to apply different firewall rules to wired and wireless hosts.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Thu Mar 24, 2016 4:55 pm

NeddySeagoon,
NeddySeagoon wrote:
paul_chany,

You have posted
route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0


/etc/conf.d/net:
# null setup for eth1 (lan Ethernet port)
# (this will be owned by the bridge, br0)
config_eth1="null"
# null setup for wlp1s0 (WiFi adaptor)
# (this will be owned by hostapd)
config_wlan0="null"


and that your public IP was at one time, 95.85.141.171.

Putting this all together shows that eth0 gets your public IP and eth1 and wlan0 are in a bridge.
Shorewall does NAT between eth0 and br0. That's odd but as long as you do not want to treat wired and wireless separately, it's OK.

It's a bad idea to add a server to br0 because if it is ever compromised, there is nothing between it and your network.
You should add another interface to Bubba2 to use for your DMZ. This will keep your server(s) which are exposed to the internet, separate from your LAN.
e.g. eth2 on 192.168.25.1/24. wlan1 would do too. The important thing is to keep your servers on a physically separate network segment from everything else.

Breaking up br0 is only useful if you want to apply different firewall rules to wired and wireless hosts.

Now I'm using a USB Ethernet adapter on my Bubba2. Because it is a headless PowerPC box, I can't add more Ethernet ports to it as I could on a regular PC (by adding another network card).
Code:
# lsusb -t
shows:
Code:
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=fsl-ehci/1p, 480M
    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 3, If 0, Class=Vendor Specific Class, Driver=pegasus, 480M
        |__ Port 2: Dev 8, If 0, Class=Vendor Specific Class, Driver=rtl8192cu, 480M

where Port 1: Dev 3 is the Bus 001 Device 003: ID 07a6:8515 ADMtek, Inc. AN8515 Ethernet USB Ethernet Adapter,
and Port 2: Dev 8 is the Bus 001 Device 008: ID 0586:341f ZyXEL Communications Corp. NWD2205 802.11n Wireless N Adapter [Realtek RTL8192CU] USB wireless Adapter.

On my Bubba2 eth0 is WAN ( net zone ), eth1 is LAN ( loc zone ) with WiFi as WLAN and eth2 is DMZ ( dmz zone ).
Code:
# ifconfig
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.50.1  netmask 255.255.255.0  broadcast 192.168.50.255
        inet6 fe80::222:2ff:fe00:73d  prefixlen 64  scopeid 0x20<link>
        ether 00:22:02:00:07:3d  txqueuelen 0  (Ethernet)
        RX packets 1338  bytes 86621 (84.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44  bytes 3000 (2.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:22:02:00:07:3c  txqueuelen 1000  (Ethernet)
        RX packets 1085  bytes 89784 (87.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 91  bytes 7905 (7.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::222:2ff:fe00:73d  prefixlen 64  scopeid 0x20<link>
        ether 00:22:02:00:07:3d  txqueuelen 1000  (Ethernet)
        RX packets 1312  bytes 121353 (118.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 8144 (7.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device base 0x2000 

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.50.2  netmask 255.255.255.0  broadcast 192.168.50.254
        inet6 fe80::200:e8ff:fe00:11f1  prefixlen 64  scopeid 0x20<link>
        ether 00:00:e8:00:11:f1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Now the routing table of Bubba2 is:
Code:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.167.254   0.0.0.0         UG    2      0        0 eth0
95.85.160.0     0.0.0.0         255.255.248.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2

The /etc/conf.d/net on Bubba2 is:
Code:
# WAN Shorewall: net zone
config_eth0="dhcp"
# LAN + WiFi Shorewall: loc zone
# null setup for eth1 (lan Ethernet port)
# (this will be owned by the bridge, br0)
config_eth1="null"
# null setup for wlp1s0 (WiFi adaptor)
# (this will be owned by hostapd)
config_wlan0="null"
# bridge address (we ignore wifi here, it'll be added by hostapd)
config_br0="192.168.50.1 netmask 255.255.255.0 brd 192.168.50.255"
# no default route set for br0, leave forwarding etc. to shorewall
# add the lan Ethernet port (enp4s1) only to br0
# hostapd will add the WiFi adaptor (wlp1s0)
brctl_br0="setfd 0
sethello 10
stp off"
bridge_br0="eth1"

# DMZ Shorewall: dmz zone
config_eth2="192.168.50.2 netmask 255.255.255.0 brd 192.168.50.254"

In /etc/init.d I have:
Code:
@net.br0
@net.eth0
@net.eth1
@net.eth2
@net.wlan0

These are symlinks that point to:
-> net.lo
I did run:
Code:
# rc-update add net.eth2 default

to start eth2 too when booting.
In /etc/dnsmasq.conf I have:
Code:
# be a good citizen
domain-needed
bogus-priv
filterwin2k
# prevent wildcard matching
listen-address=192.168.50.1
bind-interfaces
# disables dnsmasq reading any other files
# like /etc/resolv.conf for nameservers
# no-resolv
# here is the explicit nameserver WE will use (Google)
# (clients will get 192.168.50.1)             
# server=8.8.8.8
# Interface to bind to
interface=br0
# Specify starting_range,end_range,lease_time                     
dhcp-range=192.168.50.151,192.168.50.200,12h

# Raspberry Pi in the DMZ zone         
dhcp-host=B8:27:EB:AC:CB:F1,192.168.50.200,24h

I'm using Shorewall firewall to set up:
interfaces, policy, rules, shorewall.conf, stoppedrules and zones.

After I reboot my Bubba2 I can't even SSH into it from LAN.
Moreover, I can't reach Internet from LAN, ping gentoo.org, etc.
Why?
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Thu Mar 24, 2016 10:06 pm

paul_chany,

Two interfaces in the same subnet is a bad idea.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2


The kernel looks at the destination IP address in every outgoing packet and applies the rules in the routing table, from the bottom up.
From your routing table, all packets going to 192.168.50.0/24 are sent to eth2. That rule is applied first. The rule for br0 is never reached.
The rule at the top matches everything. It sends traffic to your ISP.

Change the 50 in your entire DMZ subnet, so it's a subnet in its own right. You will need to change other things too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
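A route lookup over the tables from the reply above, written out as an added example (not code from the thread, from Shorewall or from net-tools): it parses the `route -n` tables posted in this thread, embedded below as constructed copies, resolves a destination with the kernel's longest-prefix rule, lists every prefix that two interfaces both claim, and reports a missing default route. Everything it needs is in the Python standard library.

```python
"""Longest-prefix lookup over `route -n` output (added example, not code from
the thread). It parses the tables posted above, resolves a destination the way
the kernel's most-specific-route match does, and flags the condition the post
warns about: two routes for the same prefix on different interfaces."""
import ipaddress

# Constructed copies of the tables posted in the thread. BEFORE is Bubba2 with
# br0 and eth2 both on 192.168.50.0/24; AFTER is the same box once the DMZ was
# renumbered to 192.168.51.0/24; NO_DEFAULT is the table posted in between,
# with eth0 and the default route missing.
ROUTE_N_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.167.254   0.0.0.0         UG    2      0        0 eth0
95.85.160.0     0.0.0.0         255.255.248.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
"""
ROUTE_N_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.182.254   0.0.0.0         UG    2      0        0 eth0
95.85.182.0     0.0.0.0         255.255.255.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
"""
ROUTE_N_NO_DEFAULT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
"""


def parse_route_n(text):
    """Return [(network, gateway, iface), ...] from `route -n` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line (4 fields) and the column header (8 fields).
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, _flags, _metric, _ref, _use, iface = fields
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits so a slightly off table still parses.
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, destination):
    """Interfaces of the most specific route(s) covering `destination`, sorted.

    One element: the lookup is unambiguous. Several: routes of equal prefix
    length on different interfaces all match, and which one the kernel uses
    is decided by route order, not by anything visible in the table.
    """
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return []
    best_len = max(r[0].prefixlen for r in matches)
    return sorted({iface for net, _gw, iface in matches if net.prefixlen == best_len})


def overlapping_routes(routes):
    """(prefix, iface_a, iface_b) for every prefix claimed by two interfaces."""
    first_iface = {}
    problems = []
    for network, _gw, iface in routes:
        owner = first_iface.setdefault(network, iface)
        if owner != iface:
            problems.append((str(network), owner, iface))
    return problems


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 route, or None when the box has no way out."""
    for network, gateway, _iface in routes:
        if network.prefixlen == 0:
            return gateway
    return None


if __name__ == "__main__":
    for name, text in (("before", ROUTE_N_BEFORE), ("after", ROUTE_N_AFTER),
                       ("no default", ROUTE_N_NO_DEFAULT)):
        routes = parse_route_n(text)
        print(f"{name}: 192.168.50.200 -> {lookup(routes, '192.168.50.200')}, "
              f"overlaps={overlapping_routes(routes)}, default={default_gateway(routes)}")
```

With the first table the lookup for 192.168.50.200 returns both br0 and eth2, which is exactly the ambiguity the reply warns about; after the DMZ is renumbered, 192.168.51.200 resolves to eth2 alone and 192.168.50.x hosts to br0, and the table posted without eth0 yields no default gateway and no interface at all for an Internet address.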
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Fri Mar 25, 2016 7:57 am

NeddySeagoon,
NeddySeagoon wrote:
paul_chany,

Two interfaces in the same subnet is a bad idea.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2


The kernel looks at the destination IP address in every outgoing packet and applies the rules in the routing table, from the bottom up.
From your routing table, all packets going to 192.168.50.0/24 are sent to eth2. That rule is applied first. The rule for br0 is never reached.
The rule at the top matches everything. It sends traffic to your ISP.

Change the 50 in your entire DMZ subnet, so it's a subnet in its own right. You will need to change other things too.

I changed it to 51:
In /etc/conf.d/net
Code:
# DMZ Shorewall: dmz zone
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"

In /etc/dnsmasq.conf
Code:
# Specify starting_range,end_range,lease_time                     
dhcp-range=192.168.50.151,192.168.50.200,12h
dhcp-range=192.168.51.151,192.168.51.200,12h                         

# Raspberry Pi in the DMZ zone 
dhcp-host=B8:27:EB:AC:CB:F1,192.168.51.200,24h

Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2

Still can't SSH into Bubba2 from LAN, still can't reach Internet from LAN, can't ping Bubba2: br0: 192.168.50.1, eth2: 192.168.51.1, Raspberry Pi 2: 192.168.51.200, http://gentoo.org, 8.8.8.8. Why?
Because I made some mistakes.
Finally, it works... almost! I can reach the Internet from my LAN, but I cannot ping my webserver in the dmz zone and cannot reach its homepage. I can SSH into my Bubba2 but cannot SSH into my Raspberry Pi 2. Why?
/etc/conf.d/net
Code:
# DMZ Shorewall: dmz zone               
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.51.255"

/etc/dnsmasq.conf
Code:
# Interface to bind to
interface=br0,eth2
# Specify starting_range,end_range,lease_time                     
dhcp-range=lan,192.168.50.151,192.168.50.200,12h
dhcp-range=dmz,192.168.51.151,192.168.51.200,12h                     

# Raspberry Pi in the DMZ zone 
dhcp-host=B8:27:EB:AC:CB:F1,192.168.51.200,24h


If I try to SSH from my desktop machine in the LAN into the Raspberry Pi 2, which is my webserver in the DMZ zone, I get:
ssh: connect to host 192.168.51.200 port 22: No route to host

I can't figure out what to add to the /etc/conf.d/net and /etc/dnsmasq.conf files to get this working.
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Fri Mar 25, 2016 8:27 pm

paul_chany,

Code:
# DMZ Shorewall: dmz zone
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"


I hope that 192.168.50.255 there is a typo. It should be 51.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2

There is no default route there, in fact eth0 is not listed at all. This bit is missing.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
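A small consistency check for the two files being edited in this exchange, added as an example (not code from the thread, from dnsmasq or from Gentoo's netifrc). It parses the static `config_*` lines in the `/etc/conf.d/net` format the thread uses and the `interface=`, `dhcp-range=` and `dhcp-host=` lines of `dnsmasq.conf`, then reports a declared `brd` that is not the subnet's real broadcast (the slip pointed out above), an `interface=` name with no matching `config_` line, and a DHCP range or static host that does not fall inside one interface's subnet. The fragments embedded below are constructed copies of what was posted; the only tag syntax it accepts is the bare-tag form the thread uses.

```python
"""Consistency checks for /etc/conf.d/net and dnsmasq.conf fragments.

Added example, not code from the thread, from dnsmasq or from Gentoo's netifrc.
It parses static config_* lines in the format the thread uses and the
interface=/dhcp-range=/dhcp-host= lines from dnsmasq.conf, then reports the
mistakes a reviewer would look for: a declared brd that is not the subnet's
real broadcast, an interface= name with no config_ line, and a DHCP range or
static host that does not sit inside one interface's subnet.
"""
import ipaddress
import re

# Constructed copies of the fragments posted in the thread: the eth2 line with
# the broadcast still on .50 beside the corrected one, and the dnsmasq settings.
CONF_D_NET_WRONG = """\
config_br0="192.168.50.1 netmask 255.255.255.0 brd 192.168.50.255"
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"
"""
CONF_D_NET_FIXED = """\
config_br0="192.168.50.1 netmask 255.255.255.0 brd 192.168.50.255"
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.51.255"
"""
DNSMASQ_CONF = """\
# Interface to bind to
interface=br0,eth2
# Specify starting_range,end_range,lease_time
dhcp-range=lan,192.168.50.151,192.168.50.200,12h
dhcp-range=dmz,192.168.51.151,192.168.51.200,12h
# Raspberry Pi in the DMZ zone
dhcp-host=B8:27:EB:AC:CB:F1,192.168.51.200,24h
"""

# Only the static "addr netmask mask brd bcast" form; config_eth0="dhcp" is skipped.
CONFIG_RE = re.compile(r'^config_(\w+)="(\S+) netmask (\S+) brd (\S+)"$')


def parse_conf_d_net(text):
    """{iface: (IPv4Interface, declared broadcast address)}."""
    ifaces = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            iface, addr, mask, brd = m.groups()
            ifaces[iface] = (ipaddress.IPv4Interface(f"{addr}/{mask}"),
                             ipaddress.IPv4Address(brd))
    return ifaces


def broadcast_problems(ifaces):
    """(iface, declared brd, correct brd) wherever the two differ."""
    return [(iface, str(brd), str(itf.network.broadcast_address))
            for iface, (itf, brd) in ifaces.items()
            if brd != itf.network.broadcast_address]


def parse_dnsmasq(text):
    """Collect interface names, (start, end) ranges and (mac, ip) static hosts."""
    cfg = {"interfaces": [], "ranges": [], "hosts": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        parts = value.split(",")
        if key == "interface":
            cfg["interfaces"].extend(parts)
        elif key == "dhcp-range":
            # A leading tag (bare "lan" as in the thread, or "set:lan") is optional.
            if not parts[0][:1].isdigit():
                parts = parts[1:]
            cfg["ranges"].append((ipaddress.IPv4Address(parts[0]),
                                  ipaddress.IPv4Address(parts[1])))
        elif key == "dhcp-host":
            cfg["hosts"].append((parts[0], ipaddress.IPv4Address(parts[1])))
    return cfg


def owning_subnet(ifaces, addr):
    """Name of the interface whose subnet contains addr, or None."""
    for iface, (itf, _brd) in ifaces.items():
        if addr in itf.network:
            return iface
    return None


def dhcp_problems(ifaces, cfg):
    """Human-readable findings; an empty list means the two files agree."""
    problems = []
    for name in cfg["interfaces"]:
        if name not in ifaces:
            problems.append(f"interface {name} has no config_{name} line")
    for start, end in cfg["ranges"]:
        a, b = owning_subnet(ifaces, start), owning_subnet(ifaces, end)
        if a is None or a != b:
            problems.append(f"range {start}-{end} is not inside one interface subnet")
    for mac, ip in cfg["hosts"]:
        if owning_subnet(ifaces, ip) is None:
            problems.append(f"host {mac} at {ip} is outside every interface subnet")
    return problems


if __name__ == "__main__":
    for label, text in (("wrong", CONF_D_NET_WRONG), ("fixed", CONF_D_NET_FIXED)):
        ifaces = parse_conf_d_net(text)
        print(label, broadcast_problems(ifaces),
              dhcp_problems(ifaces, parse_dnsmasq(DNSMASQ_CONF)))
```

On the mistaken fragment the broadcast check returns eth2 with its declared 192.168.50.255 against the correct 192.168.51.255; on the corrected one both checks come back empty. Running the DHCP check against a conf.d/net that configures only br0 lists the missing eth2, the dmz range and the Pi's static lease as unreachable, which is the state the thread was in one post earlier.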
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Sat Mar 26, 2016 7:44 am

NeddySeagoon,
NeddySeagoon wrote:
paul_chany,

Code:
# DMZ Shorewall: dmz zone
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"


I hope that 192.168.50.255 there is a typo. It should be 51.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2

There is no default route there, in fact eth0 is not listed at all. This bit is missing.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

I corrected the IP address:
Code:
# DMZ Shorewall: dmz zone
config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.51.255"

Now the routing table is:
Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.182.254   0.0.0.0         UG    2      0        0 eth0
95.85.182.0     0.0.0.0         255.255.255.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2

I can SSH into my Raspberry Pi 2 from my LAN.
I can open webserver: http://cspl.hu on RasPi2 from my LAN. Can you open it from the Internet too?
I think it works now.
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Sat Mar 26, 2016 9:26 am

paul_chany,

It says Kistechnikusok távképzése at the top. Then there is a button to join the Free Software Foundation and at the bottom it says
GNU/linux, nginx, moodle
Raspberry Pi 2 Model B V1.1
Copyright 2016 Csányi Pál

All on a green background.

I think the Raspberry Pi 2 Model B V1.1 is a bit of a giveaway.

Well done
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Sat Mar 26, 2016 12:55 pm

NeddySeagoon wrote:
paul_chany,

It says Kistechnikusok távképzése at the top. Then there is a button to join the Free Software Foundation and at the bottom it says
GNU/linux, nginx, moodle
Raspberry Pi 2 Model B V1.1
Copyright 2016 Csányi Pál

All on a green background.

I think the Raspberry Pi 2 Model B V1.1 is a bit of a giveaway.

Well done

Almost well done.
When I try to emerge a package from my DMZ zone (from RasPi2), I get this error message:
Code:
>>> Emerging (1 of 1) sys-process/htop-1.0.3::gentoo
>>> Downloading 'http://de-mirror.org/gentoo/distfiles/htop-1.0.3.tar.gz'
--2016-03-26 13:15:37--  http://de-mirror.org/gentoo/distfiles/htop-1.0.3.tar.gz
Resolving de-mirror.org... 217.72.206.21, 2001:8d8:5c0:404::3
Connecting to de-mirror.org|217.72.206.21|:80... failed: Connection refused.
Connecting to de-mirror.org|2001:8d8:5c0:404::3|:80... failed: Network is unreachable.
>>> Downloading 'http://hisham.hm/htop/releases/1.0.3/htop-1.0.3.tar.gz'
--2016-03-26 13:15:37--  http://hisham.hm/htop/releases/1.0.3/htop-1.0.3.tar.gz
Resolving hisham.hm... 69.163.225.224
Connecting to hisham.hm|69.163.225.224|:80... failed: Connection refused.
!!! Couldn't download 'htop-1.0.3.tar.gz'. Aborting.
 * Fetch failed for 'sys-process/htop-1.0.3', Log file:
 *  '/var/tmp/portage/sys-process/htop-1.0.3/temp/build.log'

>>> Failed to emerge sys-process/htop-1.0.3, Log file:

>>>  '/var/tmp/portage/sys-process/htop-1.0.3/temp/build.log'


When I try to 'emerge --sync' from my LAN (from my desktop machine), I get this error message:
Code:

# emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
>>> Starting rsync with rsync://81.91.253.252/gentoo-portage...
Welcome to starling.gentoo.org / rsync.gentoo.org

Server Address : 81.91.253.252, 2a01:90:200:10::1a
Contact Name   : mirror-admin@gentoo.org
Hardware       : 2 x Intel(R) Xeon(R) CPU E5649 @ 2.53GHz, 3959MB RAM
Sponsor        : Qube Managed Services Limited, Zurich, Switzerland, EU

Please note: common gentoo-netiquette says you should not sync more
than once a day.  Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Wed Dec 16 19:40:44 UTC 2015

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)
rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]
>>> Retrying...


>>> Starting retry 1 of 4 with rsync://91.186.30.235/gentoo-portage
Welcome to boobie.gentoo.org / rsync.gentoo.org

Server Address :
Contact Name   : mirror-admin@gentoo.org
Hardware       : 2 x Intel(R) Xeon(R) CPU 3050 @ 2.13GHz, 3956MB RAM
Sponsor        : EUKhost, Maidenhead, England

Please note: common gentoo-netiquette says you should not sync more
than once a day.  Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Thu Jul 24 06:32:46 UTC 2014

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)
rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]
>>> Retrying...


>>> Starting retry 2 of 4 with rsync://176.28.50.119/gentoo-portage
Welcome to quetzal.gentoo.org / rsync.gentoo.org

Server Address : 2a01:488:67:1000:b01c:3277:0:1
Contact Name   : mirror-admin@gentoo.org
Hardware       : 4 x Intel(R) Xeon(R) CPU E5649 @ 2.53GHz, 16073MB RAM
Sponsor        : Host Europe, Cologne, Germany, EU

Please note: common gentoo-netiquette says you should not sync more
than once a day.  Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Wed Dec 16 19:33:43 UTC 2015

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)
rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]
>>> Retrying...


>>> Starting retry 3 of 4 with rsync://[2a01:90:200:10::1a]/gentoo-portage
rsync: failed to connect to 2a01:90:200:10::1a (2a01:90:200:10::1a): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]
>>> Retrying...


>>> Starting retry 4 of 4 with rsync://[2a01:488:67:1000:b01c:3277:0:1]/gentoo-portage
rsync: failed to connect to 2a01:488:67:1000:b01c:3277:0:1 (2a01:488:67:1000:b01c:3277:0:1): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]
>>> Retrying...
!!! Exhausted addresses for rsync.gentoo.org
>>> Syncing repository 'gentoo-b2' into '/usr/local/portage/gentoo-b2'...
/usr/bin/git pull
Already up-to-date.
=== Sync completed for gentoo-b2

When I 'emerge --sync' from my Bubba2 (this is the firewall/gateway), I get these messages:
Code:
...
<snipped intentionally>
sent 27.79K bytes  received 5.28M bytes  37.75K bytes/sec
total size is 411.87M  speedup is 77.65
=== Sync completed for gentoo
>>> Syncing repository 'sakaki-tools-lite' into '/usr/local/portage/sakaki-tools-lite'...
/usr/bin/git pull
 * waiting for lock on /var/log/emerge.log ...                                                            [ ok ]
>>> Syncing repository 'gentoo-b2' into '/usr/local/portage/gentoo-b2'...
/usr/bin/git pull
fatal: unable to access 'https://github.com/sakaki-/sakaki-tools-lite.git/': Failed to connect to github.com port 443: Connection refused
fatal: unable to access 'https://github.com/sakaki-/gentoo-b2-overlay.git/': Failed to connect to github.com port 443: Connection refused
!!! git pull error in /usr/local/portage/gentoo-b2
!!! git pull error in /usr/local/portage/sakaki-tools-lite

I added some rules to Shorewall:
on RasPi ( DMZ zone )
Code:
# Gentoo emerge
Rsync(ACCEPT)   $FW             net
Rsync(ACCEPT)   net             $FW
HTTP(ACCEPT)    $FW             net
HTTP(ACCEPT)    net             $FW
Web(ACCEPT)     $FW             net
Web(ACCEPT)     net             $FW

on Bubba2 ( firewall )
Code:
# Gentoo emerge
Rsync(ACCEPT)<->$FW<---><------>net
Rsync(ACCEPT)<->loc<---><------>net
Rsync(ACCEPT)<->dmz<---><------>net

but it does not help. What could the problem be now?
I can ping gentoo.org from RasPi2 (DMZ zone), Bubba2 ($FW) and my desktop machine (loc zone, aka LAN).
_________________
Best, Pali
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54212
Location: 56N 3W
Posted: Sat Mar 26, 2016 2:01 pm

paul_chany,

Look in your shorewall logs.

Did you restart shorewall after you made the changes?

Do you really have IPv6?
It seems you have IPv6 connectivity somehow, as you contacted a server at
Code:
 >>> Starting retry 3 of 4 with rsync://[2a01:90:200:10::1a]/gentoo-portage

Are you aware that IPv4 and IPv6 are completely separate? Shorewall works for IPv4 only. You need Shorewall6 for IPv6.
The concept of NAT does not exist in IPv6, all IPv6 addresses are public, so a boundary firewall is essential.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
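One way to answer the "do you really have IPv6?" question from the reply above, as an added example that is not code from the thread or from Shorewall: it pulls every `inet6` address out of ifconfig-style output (the format posted earlier in this thread) and reports which interfaces carry anything beyond the fe80::/10 link-local address every IPv6-enabled interface assigns itself. Only such an address is reachable from outside the link and would need Shorewall6 rules in front of it. The sample output is constructed; the global address on eth0 is a made-up one from the 2001:db8::/32 documentation prefix.

```python
"""Does this box really have IPv6? (added example, not code from the thread or
from Shorewall). It pulls every inet6 address out of ifconfig-style output and
reports the interfaces carrying anything beyond the fe80::/10 link-local
address every IPv6-enabled interface assigns itself; only such an address is
reachable from outside the link and would need Shorewall6 rules."""
import ipaddress
import re

# Constructed ifconfig-style output in the format posted earlier in the thread.
# br0 carries only the automatic link-local address; eth0 additionally has a
# made-up address from the 2001:db8::/32 documentation prefix, standing in for
# a real provider-assigned one.
IFCONFIG_SAMPLE = """\
br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.50.1  netmask 255.255.255.0  broadcast 192.168.50.255
        inet6 fe80::222:2ff:fe00:73d  prefixlen 64  scopeid 0x20<link>
        ether 00:22:02:00:07:3d  txqueuelen 0  (Ethernet)

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::222:2ff:fe00:73c  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234::7  prefixlen 64  scopeid 0x0<global>
        ether 00:22:02:00:07:3c  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET6_RE = re.compile(r"^\s+inet6 (\S+)\s+prefixlen (\d+)")


def parse_inet6(text):
    """{iface: [IPv6Interface, ...]}, one entry per interface block."""
    result, current = {}, None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = head.group(1)
            result[current] = []
            continue
        addr = INET6_RE.match(line)
        if addr and current is not None:
            result[current].append(
                ipaddress.IPv6Interface(f"{addr.group(1)}/{addr.group(2)}"))
    return result


def routable_ipv6(addrs):
    """{iface: [address, ...]} for interfaces with a non-link-local, non-loopback
    IPv6 address; an empty dict means there is no IPv6 path to protect."""
    found = {}
    for iface, lst in addrs.items():
        usable = [str(a.ip) for a in lst
                  if not (a.ip.is_link_local or a.ip.is_loopback)]
        if usable:
            found[iface] = usable
    return found


def has_routable_ipv6(ifconfig_text):
    """True when any interface carries an IPv6 address beyond fe80::/10 and ::1."""
    return bool(routable_ipv6(parse_inet6(ifconfig_text)))


if __name__ == "__main__":
    print(routable_ipv6(parse_inet6(IFCONFIG_SAMPLE)))
```

Against the ifconfig output posted earlier in this thread, which lists only fe80:: addresses on br0, eth1 and eth2, the check returns an empty dict: the addresses exist, but nothing beyond the local link can reach them. The constructed eth0 block above shows the positive case, where a global address is present and the IPv4-only ruleset would not apply to it.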
paul_chany
Tux's lil' helper
Joined: 01 Aug 2010
Posts: 82
Location: Europe, Serbia
Posted: Sat Mar 26, 2016 3:31 pm

NeddySeagoon wrote:
paul_chany,

Look in your shorewall logs.

Did you restart shorewall after you made the changes?

Do you really have IPv6?
It seems you have IPv6 connectivity somehow, as you contacted a server at
Code:
 >>> Starting retry 3 of 4 with rsync://[2a01:90:200:10::1a]/gentoo-portage

Are you aware that IPv4 and IPv6 are completely separate? Shorewall works for IPv4 only. You need Shorewall6 for IPv6.
The concept of NAT does not exist in IPv6, all IPv6 addresses are public, so a boundary firewall is essential.

I do not use IPv6 at all, at least I think so.
In shorewall zones file I have:
on desktop ( loc zone ):
Code:
fw      firewall
net     ipv4
loc     ipv4

on RasPi ( dmz zone ):
Code:
fw      firewall
net     ipv4

on Bubba ( firewall/gateway ):
Code:
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

So I don't know why emerge wants to reach gentoo-portage over IPv6.
Finally, I solved it with these shorewall rules on Bubba2:
Code:
# Gentoo emerge
Rsync(ACCEPT)   $FW             net
Rsync(ACCEPT)   loc             net
Rsync(ACCEPT)   dmz             net
Web(ACCEPT)     $FW             net
Web(ACCEPT)     loc             net
Web(ACCEPT)     dmz             net

_________________
Best, Pali
Page 4 of 4