Thanks Mike,


Yes, Linus' suggestion did work perfectly!

I just added an additional stateless rule for just the multi-homed host for only a select set of protocols/services (e.g. ssh).


Also my previous few NAT based experiments/tests were unsuccessful. So thanks for the doc pointer, the additional NAT based rules/security might be handy.


And thanks again for the quick responses, hopefully one day I can return the favor.



From: Mike Horn []
Sent: Wednesday, February 23, 2011 10:36 AM
To: Love, Doug
Cc: Linus van Geuns;
Subject: Re: [Fwbuilder-discussion] fwbuilder, netfilter and asymetric routes


Hi Doug,


It sounds like Linus' suggestion worked for you (thanks Linus!).  If you don't want to have asymmetric traffic you might also be able to use NAT to make the traffic flow symmetrically through the firewall, but this will depend on how your firewall is set up.  In case you are interested here's an example in our cookbook of using NAT in an asymmetric environment.
On Wed, Feb 23, 2011 at 9:26 AM, Love, Doug <> wrote:


Apparently you read just enough to see the heart of my problem. Thank You!

And yes, you are definitely correct that the presence of the multi-homed host on the firewalled subnet certainly has the *potential* to render the firewall useless... And just like the English language there seems to be an exception to every rule...
The multi-homed host is HPUX and gated has been disabled to hopefully reduce this potential. -- The multi-homed host is a necessary evil I need to work around.

Thanks again for your help AND thoughts,

-----Original Message-----
From: Linus van Geuns []
Sent: Wednesday, February 23, 2011 9:26 AM
To: Love, Doug
Subject: Re: [Fwbuilder-discussion] fwbuilder, netfilter and asymetric routes

Hey "Love[,] Do[u]g", :-)

On Wed, Feb 23, 2011 at 5:01 PM, Love, Doug <> wrote:
> More specifically I can see (via /proc/net/ip_conntrack) attempts from any lab-subnet host, XX.XX.XX.2, to the fw-subnet Multi-homed IF, YY.YY.YY.14. And on the Multi-homed host I can see that this connection attempt is received, but the corresponding ACK back is returned through the other IF, the lab-subnet IF, XX.XX.XX.203 to the originating XX.XX.XX.2. - This asymmetric route back (bypassing the firewall) causes the connection attempt (ssh, rsh, etc.) to appear hung because netfilter never sees the return response.

I didn't read all the details, but sounds like you want the firewall rules applying to your multi-homed host situation to be stateless.
You can switch to stateless firewalling on a per rule basis using fwbuilder - I think it's somewhere in "Options".

Alternatively you could do the firewalling on the multi-homed host itself.
You should evaluate whether your rules for firewalling the dual-homed situation are rendered useless by that multi-homed host accepting incoming traffic for all its IP addresses w/o considering the input interface.

Regards, Linus
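Doug's fix and Linus's reasoning (conntrack never sees the reply path, so the rule for that one host has to be stateless) as an added example, not code from the thread or from fwbuilder: a small Python model of both rule types run over the same constructed packet traces. The addresses are the thread's own placeholders; the client port 40000 and the reduced TCP state machine are assumptions.

```python
# Simplified model (added illustration, not code from the thread) of the conntrack
# behaviour Doug describes: the firewall sees only the lab-subnet -> fw-subnet half of
# the TCP exchange because the multi-homed host replies out its other interface.
# Addresses are the thread's placeholders; the state machine is a subset of netfilter's.
LAB_CLIENT, MH_FW_IF, SSH = "XX.XX.XX.2", "YY.YY.YY.14", 22

def pkt(src, dst, sport, dport, flags):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

class Conntrack:
    """Minimal TCP tracker: just the handshake transitions this case depends on."""
    def __init__(self):
        self.entries = {}  # (client, server, cport, sport) -> state
    def classify(self, p):
        orig = (p["src"], p["dst"], p["sport"], p["dport"])
        reply = (p["dst"], p["src"], p["dport"], p["sport"])
        if orig in self.entries:  # original direction
            st = self.entries[orig]
            if st == "SYN_RECV" and p["flags"] == "ACK":  # third handshake packet
                self.entries[orig] = st = "ESTABLISHED"
            if st == "ESTABLISHED":
                return "ESTABLISHED"
            # A SYN retransmit is still NEW; an ACK while no SYN/ACK was seen is INVALID
            return "NEW" if st == "SYN_SENT" and p["flags"] == "SYN" else "INVALID"
        if reply in self.entries:  # reply direction
            if self.entries[reply] == "SYN_SENT" and p["flags"] == "SYN/ACK":
                self.entries[reply] = "SYN_RECV"
            return "ESTABLISHED" if self.entries[reply] != "SYN_SENT" else "INVALID"
        if p["flags"] == "SYN":  # first packet of an unknown flow
            self.entries[orig] = "SYN_SENT"
            return "NEW"
        return "INVALID"

def stateful_rule(p, ct):
    """Stateful rule: NEW ssh to the multi-homed host, plus anything ESTABLISHED."""
    st = ct.classify(p)
    if st == "NEW" and p["dst"] == MH_FW_IF and p["dport"] == SSH:
        return "ACCEPT"
    return "ACCEPT" if st == "ESTABLISHED" else "DROP"

def stateless_rule(p, ct):
    """Stateless rule for only this host and service: no conntrack lookup at all."""
    to_host = p["dst"] == MH_FW_IF and p["dport"] == SSH
    from_host = p["src"] == MH_FW_IF and p["sport"] == SSH
    return "ACCEPT" if to_host or from_host else "DROP"

def run(rule, packets):
    ct = Conntrack()
    return [rule(p, ct) for p in packets]

# Constructed traces. Asymmetric: the SYN/ACK bypasses the firewall, so it is absent.
ASYMMETRIC = [pkt(LAB_CLIENT, MH_FW_IF, 40000, SSH, f) for f in ("SYN", "ACK", "PSH/ACK")]
SYMMETRIC = [ASYMMETRIC[0], pkt(MH_FW_IF, LAB_CLIENT, SSH, 40000, "SYN/ACK")] + ASYMMETRIC[1:]
```

Running `run(stateful_rule, ASYMMETRIC)` shows the stateful rule dropping the client's ACK and data once the SYN/ACK is missing, while the same rule passes everything on the symmetric trace; the stateless rule passes the traffic either way, which is why Linus's point about keeping it narrowed to the one host and service matters.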