Hi all,

I've been using shorewall on one server for quite some time just as a firewall, and I've been running firestarter on a server at home as a masq/firewall to a local network. I decided I didn't like firestarter anymore because of how much I liked shorewall on my standalone server. I finally underwent the task of overhauling this system at home and have installed ubuntu edgy and installed the tarball of shorewall on it since the apt packages were only running 3.0.7.

Everything seems to be running. I've got dhcpd listening on eth0 (local) and eth1 (net) is about to receive its IP via dhcp from my ISP, but when I hit 'repair' on my local windows box, it fails to receive an IP via dhcp, and nothing shows up in the logs on the firewall.

I used the guide at http://www.shorewall.net/two-interface.htm to set things up, but it did not discuss anything about eth0 and eth1 configuration. My only change is that eth1 is my external interface because apparently ubuntu read my network cards in backwards order.

I don't know what to set as the gateway address on eth0 (inside) and I'm using 10.1.0.1/255.255.255.0 as the IP/mask for eth0. If I use itself as the gateway I get the message "default route ignored on interface eth0" from shorewall start.

Please view the dump and my network details at this address: http://www.nanovox.com/~steve/homenetwork.html

Thanks,
Steve

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Steven Kiehl wrote:
> Everything seems to be running. I've got dhcpd listening on eth0
> (local) and eth1 (net) is about to receive its IP via dhcp from my ISP,
> but when I hit 'repair' on my local windows box, it fails to receive an IP
> via dhcp, and nothing shows up in the logs on the firewall.

If you "shorewall clear", does it work?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Steven Kiehl wrote:
> I don't know what to set at the gateway address on eth0 (inside) and I'm
> using 10.1.0.1/255.255.255.0 as the IP/mask for eth0. If I use itself as
> the gateway I get the message "default route ignored on interface eth0"
> from shorewall start.

A host needs one *and only one* default route/gateway (unless you have multiple internet connections as described at http://www.shorewall.net/MultiISP.html).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 12/29/06, Tom Eastep <teastep@shorewall.net> wrote:
> Steven Kiehl wrote:
> > Everything seems to be running. I've got dhcpd listening on eth0
> > (local) and eth1 (net) is about to receive its IP via dhcp from my ISP,
> > but when I hit 'repair' on my local windows box, it fails to receive an IP
> > via dhcp, and nothing shows up in the logs on the firewall.
>
> If you "shorewall clear", does it work?

"shorewall clear" does not appear to fix the issue. It says "Clearing shorewall..." then "IP Forwarding Enabled" and then "done." But after it's done, I still cannot get an IP from the firewall's dhcpd server. Still no messages come up in the logs for any sort of IP leases or attempts. Not even any shorewall messages.
Interestingly enough, I did the age-old restart-the-computer trick and that has fixed the dhcp issue, but now I don't seem to have any dns servers on the local network. Am I forced to copy the dns from /etc/resolv.conf? Or is there a trick I can use to locally point workstations to the firewall and have the firewall redirect the requests to my ISP? I'd prefer not to run any sort of tinydns or bind server since I expect I'll be running a lot on it as it is.

On 12/30/06, Steven Kiehl <nanovox@gmail.com> wrote:
> On 12/29/06, Tom Eastep <teastep@shorewall.net> wrote:
> > Steven Kiehl wrote:
> > > Everything seems to be running. I've got dhcpd listening on eth0
> > > (local) and eth1 (net) is about to receive its IP via dhcp from my ISP,
> > > but when I hit 'repair' on my local windows box, it fails to receive an IP
> > > via dhcp, and nothing shows up in the logs on the firewall.
> >
> > If you "shorewall clear", does it work?
>
> "shorewall clear" does not appear to fix the issue. It says "Clearing
> shorewall..." then "IP Forwarding Enabled" and then "done." But after it's
> done, I still cannot get an IP from the firewall's dhcpd server. Still no
> messages come up in the logs for any sort of IP leases or attempts. Not
> even any shorewall messages.
Steven Kiehl wrote:
> On 12/29/06, *Tom Eastep* <teastep@shorewall.net> wrote:
> > Steven Kiehl wrote:
> > > Everything seems to be running. I've got dhcpd listening on eth0
> > > (local) and eth1 (net) is about to receive its IP via dhcp from my ISP,
> > > but when I hit 'repair' on my local windows box, it fails to receive an IP
> > > via dhcp, and nothing shows up in the logs on the firewall.
> >
> > If you "shorewall clear", does it work?
>
> "shorewall clear" does not appear to fix the issue. It says "Clearing
> shorewall..." then "IP Forwarding Enabled" and then "done." But after
> it's done, I still cannot get an IP from the firewall's dhcpd server.
> Still no messages come up in the logs for any sort of IP leases or
> attempts. Not even any shorewall messages.

The reason Tom asked this question is that if you do a shorewall clear, that clears all iptables rules, and effectively removes any firewalling. Thus, after a shorewall clear, if it doesn't work, that means that your problem is not shorewall related, and thus this is the wrong forum to ask questions, although many friendly people sometimes will provide you with help for off-topic problems if you are lucky.

So, before even thinking about a firewall, you need to make sure your system is behaving as it should (which yours is apparently not).

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Steven Kiehl wrote:
> Everything seems to be running. I've got dhcpd listening on eth0
> (local) and eth1 (net) is about to receive its IP via dhcp from my ISP,
> but when I hit 'repair' on my local windows box, it fails to receive an IP
> via dhcp, and nothing shows up in the logs on the firewall.

There are plenty of reasons for dhcp to fail that aren't related to the firewall.

Steven Kiehl wrote:
> Interestingly enough, I did the age-old restart the computer trick
> and that has fixed the dhcp issue

Now, does it stay working when you start the firewall? If not then look to the firewall config, otherwise look elsewhere.

> , but now I don't seem to have any dns servers on the local network.
> Am I forced to copy the dns from /etc/resolv.conf? or is there a
> trick I can use to locally point workstations to the firewall and
> have the firewall redirect the requests to my ISP? I'd prefer not
> to run any sort of tinydns or bind server since I expect I'll be
> running a lot on it as it is.

You do ONE (and only one) of two things:

1) Via DHCP you hand out the IP addresses of your ISP's DNS servers to your network devices (or statically configure the same addresses if you use static configs).

2) You hand out the address of 'a server' (probably your gateway machine in this case) on your internal network and run a DNS resolver on that. Bind is a doddle to set up, just copy the sample config that meets your needs - probably just use the forward-only example and fill in your ISP's DNS servers for the forwarders. A distinct advantage of running an internal server is that you can properly serve up names/addresses for your internal network to your clients - so you can access a device by name instead of having to remember its address.

Just one thing, please leave in the RFC1918 stub zones that are in the Bind sample configs - they avoid Bind going to the root servers to try and resolve all those private internal addresses (like 192.168.1.1) that things keep looking up.
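Option 2 above written out as a forward-only BIND 9 options block, added here as an illustration; it is not from the thread, the Shorewall docs or the Bind sample configs. It assumes the gateway's inside address 10.1.0.1/24 from Steve's post, the Debian/Ubuntu /etc/bind layout (the zones.rfc1918 include and db.empty file are what that package ships; the paths are an assumption), and placeholder forwarder addresses where the ISP's servers go. It also goes a step beyond the post by limiting queries and recursion to the inside network, so the gateway cannot be used as an open resolver from the ISP side.

```conf
// /etc/bind/named.conf.options  (Debian/Ubuntu layout assumed)
options {
    directory "/var/cache/bind";

    // Answer only on loopback and the inside interface (eth0 = 10.1.0.1),
    // never on the ISP-facing eth1 address.
    listen-on    { 127.0.0.1; 10.1.0.1; };
    listen-on-v6 { none; };

    // Only the 10.1.0.0/24 LAN and the box itself may query or get
    // recursion. Without these two lines a forwarding resolver that is
    // reachable from the internet is an open resolver.
    allow-query     { 127.0.0.1; 10.1.0.0/24; };
    allow-recursion { 127.0.0.1; 10.1.0.0/24; };

    // "forward only": never walk the root servers ourselves; anything not
    // in cache is sent to the ISP's resolvers (the /etc/resolv.conf entries
    // Steve asked about). 192.0.2.x are PLACEHOLDERS, replace them.
    forward only;
    forwarders {
        192.0.2.53;   // PLACEHOLDER: first ISP DNS server
        192.0.2.54;   // PLACEHOLDER: second ISP DNS server
    };
};

// The RFC1918 stub zones the post says to keep: empty master zones for
// 10/8, 172.16/12 and 192.168/16 reverse lookups, so PTR queries for
// private addresses get a local NXDOMAIN instead of being forwarded.
// Debian/Ubuntu ship them as one file; each entry looks like
//   zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
include "/etc/bind/zones.rfc1918";
```

On the DHCP side this pairs with `option domain-name-servers 10.1.0.1;` in dhcpd.conf so clients resolve via the gateway; for option 1 you would instead list the ISP's servers in that same dhcpd option and run no resolver at all.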