Hi Doug,

It sounds like Linus' suggestion worked for you (thanks Linus!).  If you don't want to have asymmetric traffic you might also be able to use NAT to make the traffic flow symmetrically through the firewall, but this will depend on how your firewall is set up.  In case you are interested, here's an example in our cookbook of using NAT in an asymmetric environment.

On Wed, Feb 23, 2011 at 9:26 AM, Love, Doug <doug.love@hp.com> wrote:

Apparently you read just enough to see the heart of my problem. Thank You!

And yes, you are definitely correct that the presence of the multi-homed host on the firewalled subnet certainly has the *potential* to render the firewall useless... And just like the English language there seems to be an exception to every rule...
The multi-homed host is HPUX and gated has been disabled to hopefully reduce this potential. -- The multi-homed host is a necessary evil I need to work around.

Thanks again for your help AND thoughts,

-----Original Message-----
From: Linus van Geuns [mailto:linus@vangeuns.name]
Sent: Wednesday, February 23, 2011 9:26 AM
To: Love, Doug
Cc: fwbuilder-discussion@lists.sourceforge.net
Subject: Re: [Fwbuilder-discussion] fwbuilder, netfilter and asymetric routes

Hey "Love[,] Do[u]g", :-)

On Wed, Feb 23, 2011 at 5:01 PM, Love, Doug <doug.love@hp.com> wrote:
> More specifically I can see (via /proc/net/ip_conntrack) attempts from any lab-subnet host, XX.XX.XX.2, to the fw-subnet Multi-homed IF, YY.YY.YY.14. And on the Multi-homed host I can see that this connection attempt is received, but the corresponding ACK back is returned through the other IF, the lab-subnet IF, XX.XX.XX.203 to the originating XX.XX.XX.2. - This asymmetric route back (bypassing the firewall) causes the connection attempt (ssh, rsh, etc.) to appear hung because netfilter never sees the return response.

I didn't read all the details, but it sounds like you want the firewall rules applying to your multi-homed host situation to be stateless.
You can switch to stateless firewalling on a per rule basis using fwbuilder - I think it's somewhere in "Options".

Alternatively you could do the firewalling on the multi-homed host itself.
You should evaluate whether your rules for firewalling the dual-homed situation are rendered useless by that multi-homed host accepting incoming traffic for all its IP addresses w/o considering the input interface.

Regards, Linus
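Added illustration of the behaviour discussed in the thread (not code from fwbuilder or netfilter): a deliberately simplified stand-in for nf_conntrack's TCP tracking that covers only the original direction, because on this firewall the reply direction is never observed. The host addresses are the placeholders from Doug's mail; everything else is a modelling assumption.

```python
# Added illustration (not fwbuilder or netfilter code): a simplified model of
# nf_conntrack's TCP tracking, original direction only, since the firewall in
# this thread never sees the reply direction. It shows why a stateful rule
# stalls the flow and why Linus' per-rule stateless match lets it through.
from collections import namedtuple

CLIENT, SERVER = "XX.XX.XX.2", "YY.YY.YY.14"   # hosts from the thread
Packet = namedtuple("Packet", "src dst dport flags")  # flags: frozenset of TCP flags

class ConnTracker:
    def __init__(self):
        self.table = {}   # flow key -> TCP state

    def classify(self, p):
        """Return the ctstate (NEW / ESTABLISHED / INVALID) a rule would match."""
        key = (p.src, p.dst, p.dport)
        state = self.table.get(key)
        if state is None:
            if p.flags == {"SYN"}:           # first packet of a flow
                self.table[key] = "SYN_SENT"
                return "NEW"
            return "INVALID"                 # no SYN seen for this flow
        if state == "SYN_SENT":
            # The SYN-ACK returned over the other interface, so the entry never
            # advanced; a bare ACK from the originator in SYN_SENT is INVALID,
            # as in nf_conntrack's original-direction TCP transition table.
            return "INVALID"
        return "ESTABLISHED"

def stateful_policy(p, ctstate):
    """Typical stateful ruleset: drop INVALID, pass ESTABLISHED, allow NEW ssh."""
    if ctstate == "INVALID":
        return "DROP"
    if ctstate == "ESTABLISHED" or (p.dst == SERVER and p.dport == 22):
        return "ACCEPT"
    return "DROP"

def stateless_policy(p, ctstate):
    """Per-rule stateless match: ctstate is ignored, only addresses and port count."""
    return "ACCEPT" if p.dst == SERVER and p.dport == 22 else "DROP"

def run_handshake(policy):
    """Replay the client side of an ssh handshake through the firewall; the
    server's SYN-ACK bypasses it, so only the client's packets are classified."""
    tracker = ConnTracker()
    flow = [Packet(CLIENT, SERVER, 22, frozenset({"SYN"})),
            Packet(CLIENT, SERVER, 22, frozenset({"ACK"}))]
    return [policy(p, tracker.classify(p)) for p in flow]
```

The cost of the stateless rule is visible in the model as well: any packet matching the address/port tuple is accepted regardless of flow state, which is the trade-off behind Linus' remark about checking whether the multi-homed host weakens the rest of the ruleset.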