Hello all,
first of all I must admit I'm a total newbie on firewall related things. Anyway: I'm trying to set up a small NAS in my LAN (behind a router) as a *services* provider (ftp, web, openvpn ...). The box has only one interface: eth0.

For OpenVPN to work as expected with a tap interface I had to create a bridge:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000d0b994479       no              eth0
                                                        tap

As ShorewallGeek pointed me to the homepage notice stating that since kernel 2.6.20 there are problems in Shorewall itself, I upgraded to version 4.0 along with shorewall-perl.

Upgrading the previous *really* simple Shorewall config for the box is driving me crazy, because of the restrictions imposed (plus the aforementioned newbie state).

The problem is: how do I translate the policy

ACCEPT $fw net

?

I tried to add a policy like:

ACCEPT $fw world

where world is defined as br0, but:

# ping -c 3 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable

where 192.168.1.147 is the IP of the box and 192.168.1.254 is the IP of the router/gateway in the LAN.

In the logs I get:

Shorewall:fw2world:REJECT:IN= OUT=br0 SRC=192.168.1.147 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21586 SEQ=1

Thanks for your patience and attention.

-- 
The Peach

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
The Peach wrote:
> Hello all,
> first of all I must admit I'm a total newbie on firewall related things. Anyway: I'm trying to set up a small NAS in my LAN (behind a router) as a *services* provider (ftp, web, openvpn ...). The box has only one interface: eth0.
>
> For OpenVPN to work as expected with a tap interface I had to create a bridge:
> # brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.000d0b994479       no              eth0
>                                                         tap
>
> As ShorewallGeek pointed me to the homepage notice stating that since kernel 2.6.20 there are problems in Shorewall itself, I upgraded to version 4.0 along with shorewall-perl.
>
> Upgrading the previous *really* simple Shorewall config for the box is driving me crazy, because of the restrictions imposed (plus the aforementioned newbie state).
>
> The problem is: how do I translate the policy
> ACCEPT $fw net
> ?
> I tried to add a policy like:
> ACCEPT $fw world
> where world is defined as br0
> but:
> # ping -c 3 192.168.1.254
> PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
> From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
> From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
> From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
>
> where 192.168.1.147 is the IP of the box and 192.168.1.254 is the IP of the router/gateway in the LAN.
>
> In the logs I get:
> Shorewall:fw2world:REJECT:IN= OUT=br0 SRC=192.168.1.147
> DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=21586 SEQ=1

In order to be of any help to you, we need to see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.
On Thu, 18 Dec 2008 07:11:32 -0800
Shorewall wrote:
> In order to be of any help to you, we need to see the output of
> 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

here it is: http://rafb.net/p/SptseQ56.html

-- 
The Peach
The Peach wrote:
> On Thu, 18 Dec 2008 07:11:32 -0800
> Shorewall wrote:
>
>> In order to be of any help to you, we need to see the output of
>> 'shorewall dump' collected as described at
>> http://www.shorewall.net/support.htm#Guidelines.
>
> here it is: http://rafb.net/p/SptseQ56.html
>

It turns out The Peach was doing 'shorewall refresh' rather than 'shorewall restart' after making configuration changes. Once that confusion was cleared up, all was well.
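Two things in this thread are worth turning into a small check: the log line quoted in the first message (IN= empty, OUT=br0, chain fw2world), and the cause that was finally found, edits that were only ever picked up by 'shorewall refresh' and never by a full 'shorewall restart'. The POSIX shell script below is an added example written for this page; it is not code from the list or from the Shorewall project. It parses the Shorewall log prefix ("Shorewall:<chain>:<disposition>:", the default LOGFORMAT) and the netfilter fields that follow it, classifies a line as firewall-originated, firewall-bound or forwarded from whether IN= and OUT= are set, and reports whether any file under the config directory is newer than the script the last 'shorewall restart' compiled. The second sample log line is constructed, and /var/lib/shorewall/firewall as the compiled-script location is an assumption (pass your own via COMPILED).

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Shorewall.
# 1. Parse Shorewall log lines ("Shorewall:<chain>:<disposition>:" followed
#    by the netfilter fields) and tell fw-originated from forwarded traffic.
# 2. Report whether the Shorewall config has been edited since the last
#    'shorewall restart' (the case behind this thread: 'shorewall refresh'
#    does not reload policies, so the previously compiled ruleset stays live).

# First line is the one quoted in the thread; the second is constructed.
SAMPLE_LOG='Shorewall:fw2world:REJECT:IN= OUT=br0 SRC=192.168.1.147 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21586 SEQ=1
Shorewall:world2fw:ACCEPT:IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.147 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22'

# shorewall_chain LINE        -> chain name from the log prefix (e.g. fw2world)
shorewall_chain() {
    printf '%s\n' "$1" | sed -n 's/^Shorewall:\([^:]*\):\([^:]*\):.*/\1/p'
}

# shorewall_disposition LINE  -> REJECT, ACCEPT, DROP ... from the log prefix
shorewall_disposition() {
    printf '%s\n' "$1" | sed -n 's/^Shorewall:\([^:]*\):\([^:]*\):.*/\2/p'
}

# shorewall_field LINE NAME   -> value of NAME= (IN, OUT, SRC, DST, PROTO ...);
# prints an empty string when the field is empty ("IN=") or absent.
shorewall_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# shorewall_direction LINE    -> fw-originated | fw-bound | forwarded | unknown
# Netfilter leaves IN= empty for packets generated by the host itself, so
# "IN= OUT=br0" is the firewall talking to the LAN: exactly the $fw -> world
# policy the original poster was trying to write.
shorewall_direction() {
    iface_in=$(shorewall_field "$1" IN)
    iface_out=$(shorewall_field "$1" OUT)
    if [ -z "$iface_in" ] && [ -n "$iface_out" ]; then echo fw-originated
    elif [ -n "$iface_in" ] && [ -z "$iface_out" ]; then echo fw-bound
    elif [ -n "$iface_in" ] && [ -n "$iface_out" ]; then echo forwarded
    else echo unknown
    fi
}

# shorewall_stale CONFDIR COMPILED -> succeeds (exit 0) when some file under
# CONFDIR is newer than COMPILED, the script written by the last
# 'shorewall restart'. The path of COMPILED is an assumption; pass your own.
shorewall_stale() {
    [ -e "$2" ] || return 0            # never compiled: certainly stale
    [ -n "$(find "$1" -type f -newer "$2" -print | head -n 1)" ]
}

# Demo: classify the sample lines, then check a live config if one exists.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-10s %-7s %-15s -> %-15s %s\n' \
        "$(shorewall_chain "$line")" "$(shorewall_disposition "$line")" \
        "$(shorewall_field "$line" SRC)" "$(shorewall_field "$line" DST)" \
        "$(shorewall_direction "$line")"
done

CONFDIR=${CONFDIR:-/etc/shorewall}
COMPILED=${COMPILED:-/var/lib/shorewall/firewall}   # assumed location
if [ -d "$CONFDIR" ]; then
    if shorewall_stale "$CONFDIR" "$COMPILED"; then
        echo "$CONFDIR changed after $COMPILED: run 'shorewall restart'"
    else
        echo "$CONFDIR is not newer than $COMPILED"
    fi
fi
```

The direction test is the useful part when reading a Shorewall log: a line with an empty IN= and a set OUT= was generated by the box itself, so the chain to look at is the one for $fw as source (fw2world here), not a forwarding chain. The staleness check only compares mtimes, so it cannot tell which command was last run; it just flags that the config on disk is newer than what was last compiled, which is the situation 'shorewall refresh' leaves behind after a policy edit.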
On Thu, 18 Dec 2008 11:29:56 -0800
Shorewall wrote:
> all was well.

thanks again ;)

-- 
The Peach