Tom Eastep
2008-Jan-06 05:42 UTC
Re: Shorewall on Debian 3.1 - Blocks all network traffic - fw, net and loc
CtrlChar wrote:
> here's the dump file for my issue-
>

1) fw->net is wide open -- it is not blocked.
2) fw->loc is wide open -- it is not blocked.
3) loc->all is blocked because you have no loc->xxx policies and no
   loc->loc-xxx rules. So the all->all REJECT policy is blocking all
   traffic from the loc zone.
2) loc->net is also blocked by the fact that IP forwarding is disabled
   (IP_FORWARDING in shorewall.conf).

I suggest that you follow the howto at
http://www.shorewall.net/two-interfaces.htm.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Jan-06 05:56 UTC
Re: Shorewall on Debian 3.1 - Blocks all network traffic - fw, net and loc
Tom Eastep wrote:
> CtrlChar wrote:
>> here's the dump file for my issue-
>>
>
> 1) fw->net is wide open -- it is not blocked.
> 2) fw->loc is wide open -- it is not blocked.
> 3) loc->all is blocked because you have no loc->xxx policies and no
>    loc->loc-xxx rules. So the all->all REJECT policy is blocking all
>    traffic from the loc zone.
> 2) loc->net is also blocked by the fact that IP forwarding is disabled
>    (IP_FORWARDING in shorewall.conf).
>
> I suggest that you follow the howto at
> http://www.shorewall.net/two-interfaces.htm.

That should have been http://www.shorewall.net/two-interface.htm

But given that you are running an old version of Shorewall,
http://www.shorewall.net/3.0/two-interface.htm may be more to the point.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
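The diagnosis in this thread, worked through as an added example that is not part of the original messages or of Shorewall itself: it resolves which policy entry governs a zone pair (first match in file order, with `all` as a wildcard) and combines that with the IP_FORWARDING setting. Both policy files are constructed samples, not the poster's actual configuration, and the function names are hypothetical.

```python
# Constructed sample: a policy file matching the diagnosis in the thread
# (fw->net and fw->loc open, all->all REJECT, nothing for loc).
BROKEN_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
fw       net   ACCEPT
fw       loc   ACCEPT
all      all   REJECT  info
"""

# Constructed sample: same file with a loc->net policy added above all->all.
FIXED_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
fw       net   ACCEPT
fw       loc   ACCEPT
loc      net   ACCEPT
all      all   REJECT  info
"""

def parse_policy(text):
    """Return [(source, dest, policy)] in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries

def effective_policy(entries, src, dst):
    """First entry whose SOURCE and DEST match (or are 'all') wins."""
    for s, d, policy in entries:
        if s in (src, "all") and d in (dst, "all"):
            return policy, f"{s}->{d}"
    return None, None

def loc_to_net_works(policy_text, ip_forwarding):
    """loc->net needs an ACCEPT policy and forwarding enabled.
    Simplification: IP_FORWARDING=Keep is treated as not enabled."""
    policy, _ = effective_policy(parse_policy(policy_text), "loc", "net")
    return policy == "ACCEPT" and ip_forwarding.lower() == "on"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        for fwd in ("Off", "On"):
            pol, via = effective_policy(parse_policy(text), "loc", "net")
            state = "passes" if loc_to_net_works(text, fwd) else "blocked"
            print(f"{name:6} IP_FORWARDING={fwd:3} loc->net {pol} via {via}: {state}")
```

This models the policy file only; ACCEPT entries in the rules file can also open specific traffic that the default policy would reject.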