Hello:

CentOS
Shorewall 4.0.5

I am trying to set up a very simple network with (1) firewall server (2) dmz servers.

I have IP: 65.103.190.104/28 mask: 255.255.255.248 (8 IP addresses available from Qwest).

Network is as below:

65.103.190.104: Network
65.103.190.105: FW
65.103.190.106: NS1
65.103.190.108: NS2
65.103.190.110: Gateway
65.103.190.111: Broadcast

SETUP:
------
I have a Firewall server connecting to the Gateway on eth0 and to two DMZ on eth1 (via a hub).

The /etc/shorewall/rule file is as follows (these are the FIRST six lines in the RULE file):

ACCEPT  net   $FW   icmp  echo-request
ACCEPT  net   dmz   icmp  echo-request
ACCEPT  $FW   net   icmp  echo-request
ACCEPT  $FW   dmz   icmp  echo-request
ACCEPT  dmz   net   icmp  echo-request
ACCEPT  dmz   $FW   icmp  echo-request

PROBLEM:
--------
I can PING from $FW to Net, $FW to dmz, dmz to $FW & dmz to net BUT I can't PING from net to $FW or dmz.

FYI, I can PING from net to my GATEWAY IP (65.103.190.110).

I have searched Google and have looked into the Shorewall FAQ.

Help!!

Kirt

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
On Fri, Nov 30, 2007 at 05:40:14PM -0700, kbajwa wrote:
> --------
>
> I can PING from $FW to Net, $FW to dmz, dmz to $FW & dmz to net
> BUT I can't PING from net to $FW or dmz.
>
> FYI, I can PING from net to my GATEWAY IP (65.103.190.110).
>
> I have search the Google and have looked into Shorewall FAQ.
>

http://www.shorewall.net/support.htm

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Hello:

CentOS
Shorewall 4.0.5

I am trying to set up a very simple network with (i) firewall server & (ii) two dmz servers sitting behind the FW server.

When I am loading the CentOS on the FW server, the CentOS sets up the "Security Level & Firewall" as follows:

1. Firewall Options: Enabled.
   The default setting has 'checked' SSH.

2. SELinux: Enforcing

I leave both these options as default.

My question is, after I install Shorewall Firewall on the FW server, what should I do with these two settings?

a. Leave them as they are?
b. Disable one or both?
c. Do they conflict with Shorewall FW?

The same question goes for the DMZ servers.

Thanks in advance.

Kirt
kbajwa wrote:
> Hello:
>
> CentOS
> Shorewall 4.0.5
>
> I am trying to setup a very simple network with (i) firewall server & (ii)
> two dmz servers sitting behind the FW server.
>
> When I am loading the CentOS on the FW server, the CentOS sets up the
> "Security Level & Firewall" as follows:
>
> 1. Firewall Options: Enabled.
> The default setting are 'checked' SSH.
>
> 2. SELinux: Enforcing
>
> I leave both these options as default.
>
> My question is, after I install Shorewall Firewall on the FW server, what
> should I do with these two settings?
>
> a. Leave them as they are?
> b. Disable one or both?
> c. Do they conflict with Shorewall FW?
>
> The same question goes for the DMZ servers?
>

Disclaimer: I run no Redhat or Centos systems.

You should turn off the firewall on all three systems.

Shorewall 4.0.5 should co-exist fine with SELinux.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Sat, 2007-12-01 at 11:24 -0800, Tom Eastep wrote:
> kbajwa wrote:
> > CentOS
> > Shorewall 4.0.5
> >
> > I am trying to setup a very simple network with (i) firewall server & (ii)
> > two dmz servers sitting behind the FW server.
> >
> > When I am loading the CentOS on the FW server, the CentOS sets up the
> > "Security Level & Firewall" as follows:
> >
> > 1. Firewall Options: Enabled.
> > The default setting are 'checked' SSH.
>
> Disclaimer: I run no Redhat or Centos systems.
>
> You should turn off the firewall on all three systems.

I believe this to be true and rather generic.

Although I do not use any RHEL or CentOS systems myself, either -- the distro provided "Firewall wizard" either uses a different approach, or actually uses and configures Shorewall internally.

In the first case, after setting up a custom Shorewall, if you ever use and apply that wizard again, your network is likely to become dysfunctional until restarting Shorewall.

In the latter case, the worst that can happen would be overwritten Shorewall config -- possibly even leaving your network completely down, due to the wizard assuming an incompatible, old Shorewall version.

Generally: Unless you happen to know that it does work -- either stick to the wizard, or configure the service manually. Switching between both is likely to break things. (With a notable exception of service provided tools, like swat in the SMB case. This generally holds true for any third party, including distro, wizard-style thingy.)

Now, what about ping and the subject? ;)

karsten
--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Hello:

SYSTEM
CentOS 5.1 (2.6.18-53.1.13.el5)

SHOREWALL
[root@fw1 ~]# shorewall version
4.0.9

[root@fw1 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:ad:16:e6:43 brd ff:ff:ff:ff:ff:ff
    inet 65.103.190.105/29 brd 65.103.190.111 scope global eth0
    inet6 fe80::280:adff:fe16:e643/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:38:c4:c9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::230:1bff:fe38:c4c9/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

[root@fw1 ~]# ip route show
65.103.190.106 dev eth1  scope link
65.103.190.107 dev eth1  scope link
65.103.190.104/29 dev eth0  proto kernel  scope link  src 65.103.190.105
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.105
169.254.0.0/16 dev eth1  scope link
default via 65.103.190.110 dev eth0

SHOREWALL/Rules:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION     SOURCE      DEST        PROTO   DEST        COMMENTS
#                                           PORT(S)
## PING (Port: 7 - icmp)
ACCEPT      net         $FW         icmp    echo-request
ACCEPT      net         dmz         icmp    echo-request
ACCEPT      $FW         dmz         icmp    echo-request
ACCEPT      dmz         $FW         icmp    echo-request
## HTTP/s (Port: 80/443)
#ACCEPT     net         $FW         tcp     http
#ACCEPT     net         $FW         tcp     https
ACCEPT      net         dmz         tcp     http
ACCEPT      net         dmz         tcp     https
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

LINUX SETTINGS

1. Firewall Options: Disabled.
2. SELinux: Enforcing

------------------------------------------
I have a simple setup:

One Firewall Server (eth0: 65.103.190.105) &
Two Servers in the DMZ (eth0: 65.103.190.106/107)

PROBLEM/QUESTION:

I CAN NOT access the NET from the FW server. However, I can access the NET (WEB) from both Servers in the DMZ.

Now if I stop the SHOREWALL on the FW Server, I can access the NET and any Web site.

What do I need to change in the Firewall Server?

I have searched on GOOGLE and looked in the SHOREWALL FAQ!!

HELP.

Kirt

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
kbajwa wrote:
> Hello:
>
> SYSTEM
> CentOS 5.1 (2.6.18-53.1.13.el5)
>
> SHOREWALL
> [root@fw1 ~]# shorewall version
> 4.0.9
>
> [root@fw1 ~]# ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
> 1000
>     link/ether 00:80:ad:16:e6:43 brd ff:ff:ff:ff:ff:ff
>     inet 65.103.190.105/29 brd 65.103.190.111 scope global eth0
>     inet6 fe80::280:adff:fe16:e643/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
> 1000
>     link/ether 00:30:1b:38:c4:c9 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.105/24 brd 192.168.0.255 scope global eth1
>     inet6 fe80::230:1bff:fe38:c4c9/64 scope link
>        valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
>
>
> [root@fw1 ~]# ip route show
> 65.103.190.106 dev eth1  scope link
> 65.103.190.107 dev eth1  scope link
> 65.103.190.104/29 dev eth0  proto kernel  scope link  src 65.103.190.105
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.105
> 169.254.0.0/16 dev eth1  scope link
> default via 65.103.190.110 dev eth0
>
> SHOREWALL/Rules:
> #
> # Shorewall version 4 - Rules File
> #
> # For information on the settings in this file, type "man shorewall-rules"
> #
> # The manpage is also online at
> # http://www.shorewall.net/manpages/shorewall-rules.html
> #
> ############################################################################################################################
> #ACTION     SOURCE      DEST        PROTO   DEST        COMMENTS
> #                                           PORT(S)
> ## PING (Port: 7 - icmp)
> ACCEPT      net         $FW         icmp    echo-request
> ACCEPT      net         dmz         icmp    echo-request
> ACCEPT      $FW         dmz         icmp    echo-request
> ACCEPT      dmz         $FW         icmp    echo-request
> ## HTTP/s (Port: 80/443)
> #ACCEPT     net         $FW         tcp     http
> #ACCEPT     net         $FW         tcp     https
> ACCEPT      net         dmz         tcp     http
> ACCEPT      net         dmz         tcp     https
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> LINUX SETTINGS
>
> 1. Firewall Options: Disabled.
> 2. SELinux: Enforcing
>
> ------------------------------------------
> I have a simple setup:
>
> One Firewall Server (eth0: 65.103.190.105) &
> Two Servers in the DMZ (eth0: 65.103.190.106/107)
>
> PROBLEM/QUESTION:
>
> I CAN NOT access the NET from the FW server. However, I can access the NET
> (WEB) from both Servers in the DMZ.
>
> Now if I stop the SHOREWALL on the FW Server, I can access the NET and any
> Web site.
>
> What do I need to change in the Firewall Server?
>
> I have searched on GOOGLE and looked in SHOREWALL FAQ!!

Probably need to add a "fw net ACCEPT" policy.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom:

I added the line in /etc/shorewall/rules:

ACCEPT  fw   net   tcp   http
ACCEPT  fw   net   tcp   https

I re-started "shorewall", it did not work.

Then I tried;

ACCEPT  $FW  net   tcp   http
ACCEPT  $FW  net   tcp   https

Re-started "shorewall", it did not work.

Any further suggestion?

Thanks.

Kirt

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, February 26, 2008 2:19 PM
To: kbajwa@tibonline.net; Shorewall Users
Subject: Re: [Shorewall-users] Firewall Setting: Web display

>
> ------------------------------------------
> I have a simple setup:
>
> One Firewall Server (eth0: 65.103.190.105) &
> Two Servers in the DMZ (eth0: 65.103.190.106/107)
>
> PROBLEM/QUESTION:
>
> I CAN NOT access the NET from the FW server. However, I can access the NET
> (WEB) from both Servers in the DMZ.
>
> Now if I stop the SHOREWALL on the FW Server, I can access the NET and any
> Web site.
>
> What do I need to change in the Firewall Server?
>
> I have searched on GOOGLE and looked in SHOREWALL FAQ!!

Probably need to add a "fw net ACCEPT" policy.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
kbajwa wrote:
> Tom:
>
> I added the line in /etc/shorewall/rules:
>
> ACCEPT  fw   net   tcp   http
> ACCEPT  fw   net   tcp   https
>
> I re-started "shorewall", it did not work.
>
> Then I tried;
>
> ACCEPT  $FW  net   tcp   http
> ACCEPT  $FW  net   tcp   https
>
> Re-started "shorewall", it did not work.
>
> Any further suggestion?

a) I told you what to do.
b) You apparently didn't do it.
c) 'it didn't work' is a complaint, not a problem report -- see
   http://www.shorewall.net/support.htm#Guidelines
d) if you didn't follow my suggestion and only added the two rules you've
   shown above, then your firewall can't resolve DNS names.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hello:

I have a simple setup:

One Firewall Server (eth0: 65.103.190.105) &
Two Servers in the DMZ (eth0: 65.103.190.106/107)

PROBLEM/QUESTION:

As you will notice, I have opened both FTP & SSH to the DMZ servers on the FW server. However, when I display open ports using "http://www.grc.com":

DMZ1: FTP is not open but SSH is open!
DMZ2: both FTP and SSH are not open!

It is two days of setting, re-setting, reading, and now I need HELP in locating the problem!

PLEASE HELP!

Kirt

-------------------------------------------------
Following is my setup/system information:
-------------------------------------------------

SYSTEM
CentOS 5.1 (2.6.18-53.1.13.el5)

SHOREWALL
[root@fw1 ~]# shorewall version
4.0.9

[root@fw1 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:ad:16:e6:43 brd ff:ff:ff:ff:ff:ff
    inet 65.103.190.105/29 brd 65.103.190.111 scope global eth0
    inet6 fe80::280:adff:fe16:e643/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:38:c4:c9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::230:1bff:fe38:c4c9/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

[root@fw1 ~]# ip route show
65.103.190.106 dev eth1  scope link
65.103.190.107 dev eth1  scope link
65.103.190.104/29 dev eth0  proto kernel  scope link  src 65.103.190.105
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.105
169.254.0.0/16 dev eth1  scope link
default via 65.103.190.110 dev eth0

SHOREWALL/Rules:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION     SOURCE      DEST        PROTO   DEST        COMMENTS
#                                           PORT(S)
## PING (Port: 7 - icmp)
ACCEPT      net         $FW         icmp    echo-request
ACCEPT      net         dmz         icmp    echo-request
ACCEPT      $FW         dmz         icmp    echo-request
ACCEPT      dmz         $FW         icmp    echo-request
#
## FTP (Port:21) Note: Open this port when updating Web pages
ACCEPT      net         $FW         tcp     ftp
#ACCEPT     net         $FW         udp     ftp
ACCEPT      net         dmz         tcp     ftp
#ACCEPT     net         dmz         udp     ftp
#
## ssh (Port:22)
ACCEPT      net         $FW         tcp     ssh
ACCEPT      net         $FW         udp     ssh
ACCEPT      net         dmz         tcp     ssh
ACCEPT      net         dmz         udp     ssh
#
## HTTP/s (Port: 80/443)
#ACCEPT     net         $FW         tcp     http
#ACCEPT     net         $FW         tcp     https
ACCEPT      net         dmz         tcp     http
ACCEPT      net         dmz         tcp     https
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

LINUX SETTINGS

1. Firewall Options: Disabled.
2. SELinux: Enforcing

------------------------------------------
kbajwa wrote:
>
> PLEASE HELP!
>

This post and your other thread indicate that you have not read and followed the two-interface QuickStart Guide (http://www.shorewall.net/two-interface.htm). We're here to help but we can't be a substitute for reading the documentation.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> kbajwa wrote:
>
>>
>> PLEASE HELP!
>>
>
> This post and your other thread indicate that you have not read and
> followed the two-interface QuickStart Guide
> (http://www.shorewall.net/two-interface.htm). We're here to help but we
> can't be a substitute for reading the documentation.

If you read that document, you will learn that DNAT rules are required to allow access from the internet to local servers with RFC 1918 addresses. See also, Shorewall FAQ 30.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
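The following is an added illustration, not part of the thread and not the Shorewall project's own sample configuration. It pulls together the three points Tom's replies make for this setup on Shorewall 4: an fw-to-net policy (so the firewall host itself can reach the net), a DNS rule for the firewall (the reason "only http/https" still fails, point d above), and DNAT entries for DMZ servers that sit on RFC 1918 addresses (the two-interface guide and FAQ 30). The public addresses are the ones from Kirt's posts; the zone names, the interface options, and the private DMZ addresses 192.168.0.106 and 192.168.0.107 are assumptions for the example.

```text
# /etc/shorewall/zones  (assumed zone names, matching the thread's usage)
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (broadcast "detect"; options are an assumption)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
dmz     eth1        detect      tcpflags

# /etc/shorewall/policy  (first match wins, so "all all REJECT" must stay last)
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT              # the "fw net ACCEPT" policy from the reply above
dmz     net     ACCEPT
net     all     DROP    info        # unsolicited inbound is dropped and logged
all     all     REJECT  info        # everything not listed above, e.g. dmz -> $FW

# /etc/shorewall/masq  (DMZ hosts on 192.168.0.0/24 need SNAT to reach the net;
# per-host lines map each server to "its" public address, the last line catches the rest)
#INTERFACE  SUBNET          ADDRESS
eth0        192.168.0.106   65.103.190.106
eth0        192.168.0.107   65.103.190.107
eth0        192.168.0.0/24  65.103.190.105

# /etc/shorewall/rules
#ACTION     SOURCE      DEST                PROTO   DEST        SOURCE  ORIGINAL
#                                                   PORT(S)     PORT(S) DEST
# If you would rather not use an fw->net ACCEPT policy, the firewall host still
# needs DNS (udp/tcp 53) out; without it, name resolution fails even with
# http/https open, which is what "it did not work" looked like above:
DNS/ACCEPT  $FW         net
Ping/ACCEPT net         $FW
Ping/ACCEPT net         dmz
# Inbound to the DMZ: DNAT the public address to the private one. The firewall
# must receive packets for 65.103.190.106/107 on eth0 for these rules to see
# them (hold the addresses as aliases on eth0, or use /etc/shorewall/nat with
# ADD_IP_ALIASES=Yes instead); private addresses are assumed for the example.
DNAT        net         dmz:192.168.0.106   tcp     80,443      -       65.103.190.106
DNAT        net         dmz:192.168.0.106   tcp     22          -       65.103.190.106
DNAT        net         dmz:192.168.0.107   tcp     80,443      -       65.103.190.107
DNAT        net         dmz:192.168.0.107   tcp     22          -       65.103.190.107
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Run "shorewall check" after editing to catch column and zone errors before "shorewall restart". The DNAT lines replace the plain "ACCEPT net dmz tcp ssh" entries from the post: an ACCEPT rule only permits a packet that is already addressed to a DMZ host, and a packet from the internet is addressed to a public IP, so it never matches a private-address zone member until the destination has been rewritten. The "udp ssh" and "udp ftp" lines are not needed, since both services are TCP.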