Hello, all.

I've been trying to get shorewall to get LISa working on my Gentoo box. It works as long as I have shorewall turned off, but whenever I turn it on, it seems to block all LISa activity. I have TCP port 7741 opened (as per lisa-home.sourceforge.net), and nmap says it's open. Ethereal indicates that LISa is communicating via TCP port 7741, from 127.0.0.1 to 127.0.0.1.

Any ideas? Thanks!

--Dane

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
Dane Mutters wrote:
> Hello, all.
>
> I've been trying to get shorewall to get LISa working on my Gentoo box. It
> works as long as I have shorewall turned off, but whenever I turn it on, it
> seems to block all LISa activity. I have TCP port 7741 opened (as per
> lisa-home.sourceforge.net), and nmap says it's open. Ethereal indicates that
> LISa is communicating via TCP port 7741, from 127.0.0.1 to 127.0.0.1.
> Any ideas? Thanks!

Shorewall allows all traffic on the loopback interface, so I can't see how it could possibly affect it. Are you saying you can't get to the administration interface, or that LISa monitoring of those hosts doesn't work?

According to that site, "The hosts are checked using ICMP echo requests." So, if you mean the latter, you need to allow ICMP echo (code 8) traffic from your box to all of the hosts in question. You could do this via policy or rules.

Paul
Thanks for the reply.

Perhaps I have something messed-up in my shorewall configuration files.

Here's /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS   GATEWAY
#
loc     eth0        192.168.1.255
net     ppp0        detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Here's /etc/shorewall/zones:

#ZONE   DISPLAY    COMMENTS
net     Internet   The big, bad internet
loc     Local      Local area network
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Here's /etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
$FW       all    ACCEPT
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE

Here's /etc/shorewall/rules:

#ACTION     SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                   PORT    PORT(S)   DEST       LIMIT   GROUP
AllowSMB    loc      $FW
AllowPing   loc      $FW
AllowPing   $FW      all
ACCEPT      all      all    tcp     7741
AllowSSH    loc      $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Any ideas? Thanks for your help!

--Dane

On Sunday 08 January 2006 11:34 pm, Paul Gear wrote:
> Dane Mutters wrote:
> > Hello, all.
> >
> > I've been trying to get shorewall to get LISa working on my Gentoo box.
> > It works as long as I have shorewall turned off, but whenever I turn it
> > on, it seems to block all LISa activity. I have TCP port 7741 opened (as
> > per lisa-home.sourceforge.net), and nmap says it's open. Ethereal
> > indicates that LISa is communicating via TCP port 7741, from 127.0.0.1 to
> > 127.0.0.1. Any ideas? Thanks!
>
> Shorewall allows all traffic on the loopback interface, so i can't see
> how it could possibly affect it. Are you saying you can't get to the
> administration interface, or that LISa monitoring of those hosts doesn't
> work?
>
> According to that site, "The hosts are checked using ICMP echo
> requests." So, if you mean the latter, you need to allow ICMP echo
> (code 8) traffic from your box to all of the hosts in question. You
> could do this via policy or rules.
>
> Paul
On Monday 09 January 2006 12:02, Dane Mutters wrote:
> Thanks for the reply.
>
> Perhaps I have something messed-up in my shorewall configuration files.
> Here's /etc/shorewall/interfaces:

The information requested at http://www.shorewall.net/2.0/support.htm would be a lot more useful... (I assume that you are running Shorewall 2.x since your /etc/shorewall/zones file uses that format).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Dane Mutters wrote:
> ...
> Perhaps I have something messed-up in my shorewall configuration files.
> ...
> Here's /etc/shorewall/policy:
>
> #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
> #                         LEVEL
> $FW       all    ACCEPT
> all       all    REJECT   info
> ...
> Here's /etc/shorewall/rules:
> ...
> AllowPing   $FW   all

I can't see any major problems with that, but it's hard to say without seeing log messages. Add a policy combination for all of your zones (e.g. fw2loc, loc2fw, fw2net, net2fw, etc.) and set it to log level info. Then start shorewall and show us the resulting log messages. If you're not sure how to do any of this, you need to read the troubleshooting information on http://shorewall.net.

> ACCEPT   all   all   tcp   7741

You definitely shouldn't need this. If you're accessing your LISa on the local machine (i.e. http://localhost:7741), you shouldn't need *any* rules to allow it.

Paul
Alright...I've installed version 3.0.2 via portage. Here are my new rules. (The zones and interfaces are the same, and there is nothing in the log file, custom-set [via /etc/shorewall.conf] to /var/log/shorewall.)

#ACTION            SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                          PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Ping/ACCEPT:info   loc      fw
SMB/ACCEPT:info    loc      fw
ACCEPT:info        fw       fw     tcp     7741
ACCEPT:info        loc      fw
ACCEPT:info        fw       loc
REJECT:info        net      fw
ACCEPT:info        fw       fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I know some of these are a bit redundant, but I want to make sure I catch everything in the log file.

Thanks for your help.

--Dane
Dane Mutters wrote:
> Alright...I've installed version 3.0.2 via portage. Here are my new rules.
> (The zones and interfaces are the same, and there is nothing in the log file,
> custom-set [via /etc/shorewall.conf] to /var/log/shorewall.)

Setting the variable in shorewall.conf doesn't change the location. It just tells shorewall where to look. You need to check your /etc/syslog.conf for the actual location and set the location in shorewall.conf to be the same.

> #ACTION            SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
> #                                          PORT    PORT(S)   DEST       LIMIT   GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> Ping/ACCEPT:info   loc      fw
> SMB/ACCEPT:info    loc      fw
> ACCEPT:info        fw       fw     tcp     7741
> ACCEPT:info        loc      fw
> ACCEPT:info        fw       loc
> REJECT:info        net      fw
> ACCEPT:info        fw       fw
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

That is all very wrong. You should be adding the info part in your *policy* file. What you've done is add rules that are not specific (I'm surprised they're not syntax errors). A review of the Shorewall quick start guide on the web site would be a good idea when you're still making mistakes like this.

Paul
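Paul's advice in this exchange is to give every zone pair a policy that logs at level info and then read the resulting messages, and the follow-up notes that the LOGFILE setting in shorewall.conf only tells /sbin/shorewall where syslog already writes. The script below is an added example, not from this thread or the Shorewall project: it reads a syslog-format file (or stdin) and counts Shorewall kernel log messages per chain, disposition, protocol and destination port, so the policy that rejected a connection is visible at a glance. It assumes Shorewall's default LOGFORMAT, which prefixes each message with "Shorewall:chain:disposition:"; the log lines embedded in it are constructed samples, and the file you feed it is whatever /etc/syslog.conf routes kernel messages to.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Summarise Shorewall log messages so the chain/policy that handled a packet
# is visible at a glance. Assumes Shorewall's default LOGFORMAT, which
# prefixes each kernel log message with "Shorewall:<chain>:<disposition>:".

# Constructed sample syslog lines (not from the original poster's box).
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 21:40:01 gentoo kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=34567 DPT=7741 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:40:02 gentoo kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=34568 DPT=7741 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:40:04 gentoo kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=34569 DPT=7741 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 21:40:05 gentoo kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=777 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 21:40:06 gentoo kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=778 DF PROTO=TCP SPT=4445 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 21:40:07 gentoo kernel: Shorewall:fw2loc:ACCEPT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 21:40:09 gentoo sshd[1234]: Accepted publickey for dane from 192.168.1.20 port 50000 ssh2
EOF
)

# summarize_shorewall_log [FILE...]
# Reads syslog lines from the given files (or stdin) and prints one line per
# chain:disposition / protocol / destination port (ICMP type for ICMP),
# prefixed with a packet count, most frequent first. Lines that do not carry
# the Shorewall prefix (e.g. sshd) are ignored.
summarize_shorewall_log() {
    awk '
        /Shorewall:/ {
            # Pull "chain:disposition" out of "Shorewall:chain:disposition:".
            if (!match($0, /Shorewall:[^:]*:[^:]*:/)) next
            tag = substr($0, RSTART + 10, RLENGTH - 11)
            proto = "-"; dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dport = substr($i, 5)
                else if ($i ~ /^TYPE=/ && proto == "ICMP") dport = "type" substr($i, 6)
            }
            count[tag " " proto " " dport]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$@" | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
```

Against a real box you would call summarize_shorewall_log with the file named in /etc/syslog.conf for kernel messages; a line such as "3 loc2fw:REJECT TCP 7741" points straight at the zone pair whose policy needs a rule, whereas no loc2fw or fw2fw lines at all means the firewall never touched that traffic and the cause lies elsewhere.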
On Monday 09 January 2006 21:32, Paul Gear wrote:
> Dane Mutters wrote:
> > Alright...I've installed version 3.0.2 via portage. Here are my new
> > rules. (The zones and interfaces are the same, and there is nothing in
> > the log file, custom-set [via /etc/shorewall.conf] to
> > /var/log/shorewall.)
>

I hope you are aware that /etc/shorewall/shorewall.conf does not determine where the log messages are written. It rather tells /sbin/shorewall where to look for those messages.

> That is all very wrong. You should be adding the info part in your
> *policy* file. What you've done is add rules that are not specific (i'm
> surprised they're not syntax errors).

They are warnings...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thanks for the constructive criticism, guys. :-)

I've gone through and redone my policy and rules files, and now I have this:

/etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        all    ACCEPT
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules:

#ACTION      SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                    PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SMB/ACCEPT   loc      fw
Ping/ACCEPT  loc      fw
ACCEPT       loc      fw     tcp     7741
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

As for the "info" bit, I read in the configuration file that you can have "ACTION:info" in the rules file, but I took it out for good measure.

Unfortunately, still no go with LISa. Do you have any further advice?

Thanks.

--Dane
On Tuesday 10 January 2006 21:42, Dane Mutters wrote:
>
> Do you have any further advice?

Yes -- at some point, you are going to have to stop posting your configuration files on this list and start debugging your problem. And, if you want our help with that, I've already told you that we need to see the information asked for at http://www.shorewall.net/support.html (look under "Getting Help" and follow the link for your version of Shorewall).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 11 January 2006 15:18, Dane Mutters wrote:
>
> Ok...sorry. I'm pretty new to shorewall troubleshooting, so please be
> patient with me.
>

For what it's worth, I just enabled Lisa on the box I'm writing this on and it seems to work ok (and the Box runs Shorewall). 'Network Browsing' seems to work fine.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 11 January 2006 15:18, Dane Mutters wrote:
>
> Attached are the output of "shorewall dump" and "shorewall show log", as
> requested on the "getting help" page.

Don't know what to tell you -- in the 7-8 minutes covered by the "shorewall dump", the Shorewall-generated ruleset did not drop or reject a single packet. You need to look at your log to see if there are any other non-Shorewall clues.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Friday 13 January 2006 17:39, you wrote:
> Thanks for the help (and the file). I was still unable to get it working
> with shorewall (I even asked on linuxquestions.org). Nmap says that the
> port's open, so it must be open, but for some reason LISa doesn't work
> unless I use "shorewall clear". I uninstalled shorewall and installed
> firestarter (even though I like shorewall better), and with the same
> apparent configuration, LISa now works. *scratches head*
>
> I hesitate to call it a bug since I'm really no expert, but do you think
> it's possible that it is one? Do you need any further information to
> determine if that's a possibility?

I'm delighted that you have found a solution to your problem and hope that firestarter continues to meet your needs.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key