I have had a shorewall 3 interface router configuration set up for quite some time. Recently I decided to add OpenVPN to the mix and added a bridge interface tied to eth1. Everything seems to work except for all of the rules dealing with $FW. These rules, which used to work, now don't. The only change I made to my shorewall configuration was to switch all references of eth1 to br0. For instance, I cannot SSH from the net to the box anymore. "ACCEPT NET $FW TCP 22" is in the rules. Note that if I do "sudo shorewall clear" I can SSH just fine, indicating that opensshd is still functioning properly. I have found no references online to Shorewall ignoring $FW, thus I come to you for help. It is possible that they are out there, but all of my searches yield information not relevant to this issue.

Thanks in advance

Shorewall v 4.0.15
Ubuntu 9.04-server x64

setup:
eth0 --> Net
eth1 --> LAN --> Trusted
eth2 --> Wifi --> Secured but not trusted.

############### /etc/shorewall/zones ###############
#ZONE   TYPE       OPTIONS      IN           OUT
#                               OPTIONS      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

############### shorewall/masq ###############
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         br0
eth0         eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

############### shorewall/interfaces ###############
net     eth0    detect            tcpflags,dhcp,routefilter,nosmurfs
loc     br0     192.168.37.255    routeback
wifi    eth2    192.168.2.255

############### shorewall/policy ###############
#
# Policies for traffic originating from the local LAN (loc)
#
loc     all     ACCEPT
#
# Policies for traffic originating from the wifi
#
wifi    net     ACCEPT
wifi    all     DROP

# THE FOLLOWING POLICY MUST BE LAST
all     all     DROP
###############
###############

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf
On Fri, Sep 18, 2009 at 11:27:32AM -0600, Ben wrote:
> loc all ACCEPT
>
Here you need:

fw all ACCEPT

> #
> # Policies for traffic originating from the wifi
> #
> wifi net ACCEPT
> wifi all DROP
>
> # THE FOLLOWING POLICY MUST BE LAST
> all all DROP
>
Also, the recommended way to specify the last line is with REJECT (instead of DROP).

If that first suggestion above does not work, I will need to see the output of 'shorewall dump'.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
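As an added example (not part of the thread, and not Shorewall's own tooling): a small POSIX shell lint for /etc/shorewall/policy that flags the two points in Roberto's reply, namely that no policy with SOURCE "fw" precedes the "all all" catch-all (so every connection the firewall itself originates falls through to it), and that the catch-all is DROP rather than REJECT. It assumes the firewall zone is named "fw" (Shorewall's default, and what Ben's zones file declares) and that the columns are SOURCE DEST POLICY; the two sample policy files it writes are constructed from Ben's posted policy, before and after the suggested change.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Shorewall policy file for the
# two issues raised in the reply above.
#
# Assumptions: firewall zone is named "fw"; columns are SOURCE DEST POLICY.
# Findings printed one per line:
#   fw-uncovered   no policy with SOURCE "fw" precedes the "all all" catch-all
#   catchall-drop  the trailing "all all" policy is DROP rather than REJECT
# Prints "ok" when neither applies.
lint_policy() {
    awk '
        { sub(/#.*/, "") }          # strip comments
        /^[ \t]*$/ { next }         # skip blank lines
        {
            src = $1; dst = $2; act = toupper($3)
            # a policy placed after the catch-all is never reached
            if (src == "fw" && !catchall) fw_covered = 1
            if (src == "all" && dst == "all") catchall = 1
            last_src = src; last_dst = dst; last_act = act
        }
        END {
            n = 0
            if (!fw_covered) { print "fw-uncovered"; n++ }
            if (last_src == "all" && last_dst == "all" && last_act == "DROP") {
                print "catchall-drop"; n++
            }
            if (n == 0) print "ok"
        }
    ' "$1"
}

# Constructed sample policy files: Ben's as posted, and with the reply's fix.
write_sample_policy() {       # $1 = "before" | "after", $2 = output path
    if [ "$1" = "before" ]; then
        cat > "$2" <<'EOF'
# Policies for traffic originating from the local LAN (loc)
loc     all     ACCEPT
# Policies for traffic originating from the wifi
wifi    net     ACCEPT
wifi    all     DROP
# THE FOLLOWING POLICY MUST BE LAST
all     all     DROP
EOF
    else
        cat > "$2" <<'EOF'
loc     all     ACCEPT
fw      all     ACCEPT
wifi    net     ACCEPT
wifi    all     DROP
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT
EOF
    fi
}

# Demo: lint both versions.
tmp=$(mktemp -d)
write_sample_policy before "$tmp/policy.before"
write_sample_policy after  "$tmp/policy.after"
echo "before:"; lint_policy "$tmp/policy.before"   # fw-uncovered, catchall-drop
echo "after:";  lint_policy "$tmp/policy.after"    # ok
rm -rf "$tmp"
```

Run it against a real /etc/shorewall/policy with `lint_policy /etc/shorewall/policy`; it only reads the file, so it is safe to use before `shorewall restart`. It looks for an explicit fw-sourced policy only, so a narrower policy such as "all net ACCEPT" that also covers fw->net would still be reported as uncovered.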