n***@graumannschaft.org
2016-12-07 18:29:27 UTC
Hello,
My linux setup for years has included lxc containers to isolate services and programs with a
bridge, shorewall and dnsmasq managing access of the containers to the host, each other
and the outside network (via the hosts NICs). All of the required configurations are ansibled,
so it takes comparatively little time to set all for this up - yet also implies a lack of oversight ...
which came to bite me.
The bridge has assigned 192.168.0.1 and the corresponding subnet.
My /etc/shorewall/zones looks like this:
fw firewall
net ipv4
dmz ipv4
The /etc/shorewall/interfaces like so:
net enp0s+
dhcp,tcpflags,logmartians,nosmurfs,optional
net wlp2s+
dhcp,tcpflags,logmartians,nosmurfs,optional
dmz br0
tcpflags,logmartians,nosmurfs,bridge,routeback
The /etc/shorewall/masq like this:
wlp2s+ 192.168.0.0/16
When entering a new subnet and setting up a fresh machine I failed to recognize that the
subnet used was actually 192.168.0.0 and with above setup managed to involuntarily
interfere with the routing outside of my machine.
The main question here is: is there anything beyond paying attention to the subnets used
that either me (in my configuration) or the local admin (in his setup) could have done to
prevent the interference?
Am I correct in the assumption that correctly adding
"enp20s+ 192.168.0.0/16" to the masq file (it was unfortunately an enp* interface I used)
would have prevented much of the issue?
Thank you for any insight into this.
Sincerely, Joh
My linux setup for years has included lxc containers to isolate services and programs with a
bridge, shorewall and dnsmasq managing access of the containers to the host, each other
and the outside network (via the hosts NICs). All of the required configurations are ansibled,
so it takes comparatively little time to set all for this up - yet also implies a lack of oversight ...
which came to bite me.
The bridge has assigned 192.168.0.1 and the corresponding subnet.
My /etc/shorewall/zones looks like this:
fw firewall
net ipv4
dmz ipv4
The /etc/shorewall/interfaces like so:
net enp0s+
dhcp,tcpflags,logmartians,nosmurfs,optional
net wlp2s+
dhcp,tcpflags,logmartians,nosmurfs,optional
dmz br0
tcpflags,logmartians,nosmurfs,bridge,routeback
The /etc/shorewall/masq like this:
wlp2s+ 192.168.0.0/16
When entering a new subnet and setting up a fresh machine I failed to recognize that the
subnet used was actually 192.168.0.0 and with above setup managed to involuntarily
interfere with the routing outside of my machine.
The main question here is: is there anything beyond paying attention to the subnets used
that either me (in my configuration) or the local admin (in his setup) could have done to
prevent the interference?
Am I correct in the assumption that correctly adding
"enp20s+ 192.168.0.0/16" to the masq file (it was unfortunately an enp* interface I used)
would have prevented much of the issue?
Thank you for any insight into this.
Sincerely, Joh