Hello,

I use shorewall at Debian Linux, Lenny and Squeeze. On the machine with the firewall I have to stop shorewall for use "aptitude update" or "aptitude install".
If shorewall runs I cannot use aptitude on the firewall, but I can use aptitude on the other machines which use the same firewall.

Is there a special rule and a macro to allow the use of aptitude on the firewall?

My rules look like that:

    ACCEPT net $FW tcp 52022
    SMTP/ACCEPT net loc:192.168.1.2
    SMTP/ACCEPT loc:192.168.1.2 net
    SMTPS/ACCEPT net loc:192.168.1.2
    SMTPS/ACCEPT loc:192.168.1.2 net
    HTTP/ACCEPT net $FW
    HTTP/ACCEPT $FW net
    HTTP/ACCEPT net loc:192.168.1.4 tcp 80
    HTTP/ACCEPT loc:192.168.1.4 net tcp 80
    HTTP/ACCEPT net loc:192.168.1.5 tcp 80
    HTTP/ACCEPT loc:192.168.1.5 net tcp 80
    HTTP/ACCEPT net loc:192.168.1.5 tcp 8088
    HTTP/ACCEPT loc:192.168.1.5 net tcp 8088
    HTTPS/ACCEPT net $FW
    HTTPS/ACCEPT $FW net
    Webmin/ACCEPT net $FW
    Webmin/ACCEPT net loc:192.168.1.3
    Webmin/ACCEPT loc:192.168.1.3 net
    IMAP/ACCEPT net loc:192.168.1.2
    IMAP/ACCEPT loc:192.168.1.2 net
    IMAPS/ACCEPT net loc:192.168.1.2
    IMAPS/ACCEPT loc:192.168.1.2 net
    POP3/ACCEPT net loc:192.168.1.2
    POP3/ACCEPT loc:192.168.1.2 net
    POP3S/ACCEPT net loc:192.168.1.2
    POP3S/ACCEPT loc:192.168.1.2 net
    SSH/ACCEPT net $FW
    SSH/ACCEPT $FW net
    SSH/ACCEPT loc net
    SSH/ACCEPT net loc
    SSH/ACCEPT loc $FW
    SSH/ACCEPT $FW loc
    AllowICMPs/ACCEPT net $FW
    AllowICMPs/ACCEPT loc net
    Ping/ACCEPT net $FW
    Ping/ACCEPT $FW net
    Ping/ACCEPT loc $FW
    Ping/ACCEPT $FW loc
    Ping/ACCEPT loc net
    Ping/ACCEPT net loc
    FTP/ACCEPT net loc
    FTP/ACCEPT loc net
    FTP/ACCEPT net $FW
    FTP/ACCEPT $FW net
    DNS/ACCEPT net $FW
    DNS/ACCEPT $FW net
    DNS/ACCEPT loc $FW
    DNS/ACCEPT $FW loc
    OpenVPN/ACCEPT net $FW
    OpenVPN/ACCEPT $FW net

Thanks for your help,
Andreas

Andreas Günther wrote:

> I use shorewall at Debian Linux, Lenny and Squeeze, On the machine with the
> firewall I have to stop shorewall for use "aptitude update" or "aptitude
> install".
> If shorewall runs I cannot use aptitude on the firewall, but I can use aptitude
> on the other machines which use the same firewall.
>
> Is there a special rule and a macro to allow the use of aptitude on the
> firewall?

I'm assuming you have a fw -> net (or default) policy that's blocking all outbound traffic from the firewall.

You need to allow connections from your firewall machine to the relevant Debian sources. This may be HTTP or FTP (most likely HTTP) depending on the sources defined in /etc/apt/sources.list.

--
Simon Hobson

On May 3, 2011, at 5:08 AM, Andreas Günther wrote:

> Hello,
>
> I use shorewall at Debian Linux, Lenny and Squeeze, On the machine with the
> firewall I have to stop shorewall for use "aptitude update" or "aptitude
> install".
> If shorewall runs I cannot use aptitude on the firewall, but I can use aptitude
> on the other machines which use the same firewall.
>
> Is there a special rule and a macro to allow the use of aptitude on the
> firewall?

What 'Shorewall' message shows up in your log when you try to update?

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hello Simon,

I believe, I have found the rule:

> I'm assuming you have a fw -> net (or default) policy that's blocking
> all outbound traffic from the firewall.
>
> You need to allow connections from your firewall machine to the
> relevant Debian sources. This may be HTTP or FTP (most likely HTTP)
> depending on the sources defined in /etc/apt/sources.list.

In my rules I add

    HTTP(ACCEPT) $FW net

And that was it. So I can also use aptitude at the firewall without stopping shorewall.

Thanks for your support.

Andreas
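
Simon's point that the required rule depends on the sources in /etc/apt/sources.list, as an added example that is not part of the thread: a shell function that reads a sources.list and prints only the $FW to net macro rules that apt needs, instead of opening all outbound traffic. The name `apt_fw_rules` and the sample sources are constructed for illustration; the rule syntax follows the `HTTP(ACCEPT) $FW net` form Andreas used.

```shell
#!/bin/sh
# apt_fw_rules (hypothetical helper): read an APT sources.list on stdin and
# print one Shorewall rule per network scheme in use, firewall zone -> net.
# Typical use on the firewall:  apt_fw_rules < /etc/apt/sources.list
apt_fw_rules() {
    awk '
        # Only active "deb" / "deb-src" entries count; comments and blanks are skipped.
        $1 != "deb" && $1 != "deb-src" { next }
        {
            # The URI follows the type, after an optional [options] block.
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            scheme = $i
            sub(/:.*/, "", scheme)
            if      (scheme == "http")  macro = "HTTP"
            else if (scheme == "https") macro = "HTTPS"
            else if (scheme == "ftp")   macro = "FTP"
            else next                   # file:, cdrom:, copy: need no network rule
            # Emit each macro once, in order of first appearance.
            if (!(macro in seen)) { seen[macro] = 1; order[++n] = macro }
        }
        END {
            for (k = 1; k <= n; k++)
                printf "%s(ACCEPT)\t%s\tnet\n", order[k], "$FW"
        }
    '
}

# Constructed sample input (not taken from the thread).
sample_sources() {
    cat <<'EOF'
# Debian Squeeze
deb http://ftp.debian.org/debian squeeze main
deb-src http://ftp.debian.org/debian squeeze main
deb http://security.debian.org/ squeeze/updates main
#deb ftp://ftp.example.org/debian squeeze main
deb [arch=amd64] ftp://mirror.example.net/debian squeeze contrib
deb cdrom:[Debian GNU/Linux 6.0]/ squeeze main
EOF
}

sample_sources | apt_fw_rules
```

The commented-out FTP entry and the cdrom entry produce no rule, so only the schemes apt will really use are opened from the firewall zone.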