Author Topic: [BUG] firewall WONT accept subnet /24 for internal LAN; only accepts /32 ?!?  (Read 1737 times)

silentashes

  • Zen Apprentice
This is thoroughly confusing (and somewhat frustrating).

** I tried to attach a .PNG screenshot -- 55KB in size -- but it errors with "The upload folder is full. Please try a smaller file and/or contact an administrator." (I'm guessing either the forum is out of attachment space, or newbies don't have upload rights) **

Setup on physical machine:
* eBox v1.3.5 running on Ubuntu server 9.10
* Ubuntu is also running dhcp3-server
* function: as gateway for home LAN.

I.e., my physical ubuntu box sits between my cable modem and my private home network.
It provides NAT/gateway/firewall/internal DHCP services for my internal LAN.

Here's the issue:

Whenever I try to add *anything that specifies an internal IP (like my desktop)* -- it could be a firewall rule, a member of an object, ANYTHING --


1. It does not allow me to specify netmask of /24 (which, please correct me if I am wrong -- is default class C, 255.255.255.0 -- is that correct?)

2. Instead, it will only allow netmask of /32 (which is 255.255.255.255 -- correct?).

3. I'm *not using* a /32 netmask anywhere!!!  (Unless I'm even more inept than I thought.)
I'm just using /24 !!!  (255.255.255.0 -- NOT 255.255.255.255!!!)

So what the h*** is going on?!


background info:
I was able to use iptables to set up Ubuntu as a gateway, bridging eth0 and eth1, and set up NAT/Masquerade rules within iptables - but too much work to figure out how to secure it well -- and also, I couldn't get port forwarding figured out.

So decided to use something with a more straightforward interface, and found eBox.


Details of network setup:
-- interface eth0 connected directly to cable modem (obtains an external dhcp lease from my ISP)
--- eth0 is marked as "external" in the ebox interface

-- interface eth1 connected to internal, home network -- it goes through a basic 4-port switch (actually a router functioning as a DHCP forwarder; essentially just a switch.)
--- eth1 *isn't* marked as "external" (because it's internal)

-- My internal network (connected to eth1 using above-mentioned switch) is 192.168.1.0, 255.255.255.0
-- desktop PC connected to the switch (which is on the same subnet; it's the only internal network I have -- again this is just a basic home network)



Someone shed some light on this?
Or at least, clarify any questions about it?

I'm pretty frustrated right now...
Maybe not mission-critical, but from where I'm standing, this seems to be a broken functionality.


Thanks for any help -- or clarification -- anyone can provide.
I really appreciate it.
/silentashes
« Last Edit: February 01, 2010, 05:07:15 am by silentashes »

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
This works as expected. A subnet mask of 32 bits is correct for host IPs; the other masks are only required for network addresses.

For this reason, when you enter, for example, 192.168.0.1/24 it raises an error because that is an invalid _network_ address.
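The check described above, as an added example written for this thread (it is not eBox's own validation code): a /32 names one host, any shorter prefix is only valid when every host bit is zero, so 192.168.0.1/24 is rejected while 192.168.0.1/32 and 192.168.0.0/24 are both accepted. The helper names are my own.

```python
import ipaddress


def classify_cidr(cidr: str) -> str:
    """Classify an address/prefix the way a strict firewall object validator would.

    Returns 'host' for a /32 (a single machine, e.g. the poster's desktop),
    'network' when all host bits are zero (192.168.1.0/24), and 'invalid'
    when host bits are set under a shorter prefix (192.168.0.1/24).
    """
    addr_s, sep, prefix_s = cidr.partition("/")
    prefix = int(prefix_s) if sep else 32        # bare address means /32
    ipaddress.IPv4Address(addr_s)                # raises on a malformed address
    if prefix == 32:
        return "host"
    try:
        # strict=True refuses any address with non-zero host bits
        ipaddress.IPv4Network(f"{addr_s}/{prefix}", strict=True)
    except ValueError:
        return "invalid"
    return "network"


def offending_host_bits(cidr: str) -> str:
    """Show which bits the validator objects to: address AND inverted netmask."""
    addr_s, _, _ = cidr.partition("/")
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr_s)) & int(net.hostmask)))


def valid_spellings(cidr: str) -> tuple[str, str]:
    """The two accepted forms of a rejected entry: the single host, or its network."""
    addr_s, _, _ = cidr.partition("/")
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{addr_s}/32", str(net)


def rule_matches(rule_cidr: str, packet_ip: str) -> bool:
    """Whether a firewall rule written with rule_cidr applies to packet_ip."""
    return ipaddress.IPv4Address(packet_ip) in ipaddress.IPv4Network(rule_cidr, strict=False)


def prefix_to_netmask(prefix: int) -> str:
    """/24 -> 255.255.255.0, /32 -> 255.255.255.255 (the masks asked about above)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


if __name__ == "__main__":
    for entry in ("192.168.0.1/24", "192.168.1.0/24", "192.168.1.5/32"):
        print(entry, "->", classify_cidr(entry))
```

Note the practical difference for a rule: 192.168.1.5/32 matches exactly one machine, whereas 192.168.1.0/24 matches every host on the LAN, which is the distinction the validator is protecting.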

silentashes

  • Zen Apprentice
Re: firewall WONT accept subnet /24 for internal LAN; only accepts /32 ?!?
« Reply #2 on: February 01, 2010, 11:38:51 am »
Thanks for the response -- I can see the logic behind it.

However, it still seems extremely strange that a subnet mask specific to an individual host would be different from the network it is a part of.

Is this standard industry practice?
Or is this a convention that eBox came up with?

I've never heard of hosts being designated as having a /32 subnet mask....

By definition, a host is always part of some network.  So wouldn't it be more consistent to specify it as having the netmask that is particular to the network it belongs to (in this case, /24)?


Case in point:
When I type "ifconfig" on my workstation, it tells me that my netmask is 255.255.255.0
It does *not* say that my workstation's netmask is 255.255.255.255.

I understand the reasoning that the netmask is only for designating network addresses, but it still seems highly inconsistent with the conventions I'm familiar with -- having worked in IT for three years.

Not to mention the fact that my workstation's own operating system considers itself to have a Class C netmask!

Again, I'd like to know if this is standard practice elsewhere?
It seems that eBox might better be served by following standard -- or at least, commonly-known -- conventions.

Thanks again for the reply.

« Last Edit: February 01, 2010, 11:42:01 am by silentashes »

MOSAiX

  • Zen Apprentice
It is standard.

If you want clients to be able to access only a specific server in your network, you have to use the server's IP and the netmask /32. This tells the firewall that the IP is a specific host, not a network.

Please inform yourself about networking.

silentashes

  • Zen Apprentice
Okay... It still seems bizarre, but okay.

Thanks for the info, guys.