P Hennessy wrote (01-Mar-05 18:56):

Shorewall version 2.2.1
2 Interface setup.

eth1: 10.10.1.3
eth0: 192.168.1.2

modem is 192.168.1.1

I need to be able to connect to my adsl modem, but when shorewall is up I get connection rejected.

I have added "192.168.1.1 RETURN" above the line "192.168.0.0/16 logdrop # RFC 1918" in "/etc/shorewall/rfc1918" but still getting connection rejected.

Is there something else I need to change?

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Stijn Jonker wrote (Tue, 01 Mar 2005 19:06:42 +0100):

Hello "P",

Please check: http://www.shorewall.net/support.htm

and provide the info requested, why all can't imagine the remainder of the config. If you provide the info, maybe somebody can assist you.

Stijn

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
P Hennessy wrote (01-Mar-05 19:21):

shorewall version
2.2.1

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:29:21:ae:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::2e0:29ff:fe21:ae55/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:4b:03:06 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.3/8 brd 10.255.255.255 scope global eth1
    inet6 fe80::240:f4ff:fe4b:306/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
16: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 213.94.193.89 peer 159.134.155.21/32 scope global ppp0
    inet 213.94.193.90/32 scope global ppp0
    inet 213.94.193.91/32 scope global ppp0
    inet 213.94.193.94/32 scope global ppp0
    inet 213.94.193.92/32 scope global ppp0
    inet 213.94.193.93/32 scope global ppp0

ip route show
159.134.155.21 dev ppp0  proto kernel  scope link  src 213.94.193.89
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
169.254.0.0/16 dev eth1  scope link
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.10.1.3
default via 159.134.155.21 dev ppp0

message log
Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Stijn Jonker wrote:

Hello again "P",

Still guessing, but assuming that you use some sort of ppp (pptp/pppoe) to a dsl or cable modem, it looks like you can connect, as the PPP interface is up. You know your peer (159.134.155.21) and have 6 addresses.

The only thing remaining is a proper problem description: See the info on "Problem reporting guidelines" especially:

<QUOTE>
Please give details about what doesn't work. Reports that say "I followed the directions and it didn't work" will elicit sympathy but probably little in the way of help. Again -- if ping from A to B fails, say so (and see below for information about reporting "ping" problems). If Computer B doesn't show up in "Network Neighborhood" then say so. If access by IP address works but by DNS names it doesn't then say so.
</QUOTE>

Maybe then somebody knows what needs clarification/fixing.

P.S. Again we are not a spiritual medium, or however you say that in English....

P.S.2: Looking at the IPs the ISP is in Ireland, so I guess language isn't the problem... See this from the same support page:

<QUOTE #2>
Please keep in mind that you're asking for free technical support. Any help we offer is an act of generosity, not an obligation.
</QUOTE #2>

<JOKE #1>
If you want commercial support I can give you my bank account, if you pay me $10.000 or Euro 10.000 (whatever you like.) I might be able to fly over this weekend and fix it on the spot for you. ;-))
</JOKE #1>

Stijn

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Jeff wrote:

Hey P;

I myself have always used RedHat and PPPoE connections using the included Roaring Penguin (rp-pppoe). When I setup these configurations I notice that I DON'T actually bring up eth0 (which is used by the ppp0 connection). Now whenever I see a configuration such as this I begin to wonder if this isn't the problem you are experiencing? (I have never seen a configuration that uses RFC addresses but I have heard of some ISPs doing it)

What happens if you issue 'ifdown eth0' (or ifconfig eth0 down)? Can the router/firewall still connect to the internet? If so then you really don't want to include eth0 as a zone OR even bring it up at boot. Judging by the default route ppp0 is your gateway and might work without eth0.

I see a lot of people having this problem and remember enduring this in slackware and in SuSE (when I tried editing the interfaces myself...)

Let us know if this helps and someone can probably help you make changes that will work through a reboot.

Jeff
Karsten Bräckelmann wrote (Tue, 01 Mar 2005 21:13:47 +0100):

> I myself have always used RedHat and PPPoE connections using the included
> Roaring Penguin (rp-pppoe). When I setup these configurations I notice that
> I DON'T actually bring up eth0 (which is used by the ppp0 connection).
[...]

I suspected issues with the ppp0 device as well.

Personally I have set up quite a couple of ADSL connections, using an ADSL Modem connected to an Ethernet card. Despite the fact that the modem physically is connected to that ethernet ethX device, the connection to the ISP usually is done via PPPoE. This effectively means, the underlying ethX device is pretty much useless, and your "net" zone is the pppX device.

> > message log
> > Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Didn't you say 192.168.1.1 (the above destination) is your *modem*?

If your modem really got a webserver running on it (some configuration thingy for a DSL router, rather than plain modem?) you maybe need to define both zones (eth0 for internal/config usage and ppp0 for your internet connection).

> > >> eth1: 10.10.1.3
> > >> eth0: 192.168.1.2
> > >>
> > >> modem is 192.168.1.1
> > >>
> > >> I need to be able to connect to my adsl modem, but when shorewall is up I
> > >> get connection rejected.

See above. Do you mean, you need to access a service running on your "modem"?

> > >> I have added "192.168.1.1 RETURN" above the line "192.168.0.0/16 logdrop
> > >> # RFC 1918" in "/etc/shorewall/rfc1918" but still getting connection
> > >> rejected

You should not need to mess with the rfc1918 file, IMHO. If you suspect this to be the issue, simply remove the norfc1918 option from your zones. Done (for testing).

Anyway, if I got that right, the zone for interface ppp0 actually should be fine with the norfc1918 option. Just don't specify it for eth0.

Seems, you still didn't properly describe your issues, eh? ;-)

  karsten

-- 
Davision - Atelier fuer Gestaltung / Internet / Multimedia
  UNIX / Linux Netzwerke und Schulungen
  Telefon 06151/273859 Fax 06151/273862
P Hennessy wrote:

All connections to the internet and local work fine, it's just the one to the modem that there is a problem with.

I have tried the http://www.shorewall.net/FAQ.htm#faq14 but the connect to modem is still rejected.
Karsten Bräckelmann wrote:

> All connections to the internet and local work fine its just the one to the
> modem that there is a problem with.
> I have tried the http://www.shorewall.net/FAQ.htm#faq14 but the connect to
> modem is still rejected.

See below.

> > >> eth0: 192.168.1.2
> > >> modem is 192.168.1.1
> > >>
> > >> I need to be able to connect to my adsl modem, but when shorewall is up I
> > >> get connection rejected.
> >
> > See above. Do you mean, you need to access a service running on your
> > "modem"?

Well, you didn't answer to most of our questions, but as you are referring to FAQ 14, I'll take this as a "yes" to the above question at least...

> > >> I have added "192.168.1.1 RETURN" above the line "192.168.0.0/16 logdrop
> > >> # RFC 1918" in "/etc/shorewall/rfc1918" but still getting connection
> > >> rejected

(See above.) At least this is not what FAQ 14 talks about. The "note" explicitly states that you would need two of 'em...

Did you add a zone for the eth0 device as well? If yes, you likely will need to adjust your rules/policies.

Paddy (or whatever the P stands for), you are pretty light in describing your configuration. Zones, interfaces, policies and rules affecting this connection as well as some detailed words about your configuration and network would help. At least those, who try to help you...

  karsten
Karsten Bräckelmann wrote (Tue, 01 Mar 2005 22:44:23 +0100):

> > All connections to the internet and local work fine its just the one to the
> > modem that there is a problem with.
> > I have tried the http://www.shorewall.net/FAQ.htm#faq14 but the connect to
> > modem is still rejected.

The brand new FAQ 14b [1], which magically was added as we talk, might be useful. :-)

> Did you add a zone for the eth0 device as well? If yes, you likely will
> need to adjust your rules/policies.

Obviously, you did not. Which is mentioned in FAQ 14b -- as well as in FAQ 17 [2] now.

Thanks Tom for adding this to FAQ 17 as well. I already wondered and checked that FAQ, but OUTPUT wasn't mentioned at all before...

Have a nice "vacation", Tom. :-)

  karsten

[1] http://shorewall.net/FAQ.htm#faq14b
[2] http://shorewall.net/FAQ.htm#faq17
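The detail Karsten keeps pointing at is the chain name in the log prefix: "Shorewall:OUTPUT:REJECT" with an empty IN= means the packet was generated by the firewall box itself, so the rule or policy that applies is the one from $FW to the zone on the OUT= interface, not a loc rule. The parser below is an added example (not Shorewall's code and not from anyone in the thread) that splits a netfilter/Shorewall log line into its fields and classifies the packet path from the IN=/OUT= pair. The first sample line is the one P Hennessy posted; the second and third are constructed variants (a LAN client trying the same thing, and an unsolicited packet from the net side using a documentation address) so the other two paths are exercised. The helper names and the text of the explanations are the example's own.

```python
"""Parse Shorewall/netfilter log lines and say which path each packet took."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed sample log. Line 1 is the line from the thread; lines 2 and 3
# are constructed (198.51.100.7 is a documentation address, RFC 5737).
SAMPLE_LOG = """\
Mar  1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 18:25:11 Mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 SRC=10.10.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 18:26:02 Mail kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.7 DST=213.94.193.89 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5 DF PROTO=TCP SPT=3344 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then the Shorewall prefix "Shorewall:<chain>:<disposition>:"
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+"
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)


@dataclass
class ShorewallEvent:
    timestamp: str
    host: str
    chain: str          # OUTPUT, FORWARD, INPUT or a zone-pair chain such as net2all
    disposition: str    # REJECT / DROP / ACCEPT
    in_if: str          # empty when the firewall itself generated the packet
    out_if: str         # empty when the packet was addressed to the firewall
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: FrozenSet[str] = field(default_factory=frozenset)  # DF, SYN, ACK, ...


def parse_line(line: str) -> Optional[ShorewallEvent]:
    """Return a ShorewallEvent for a Shorewall log line, None for any other line."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        if "=" in token:                     # KEY=VALUE; "IN=" yields an empty value
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            flags.add(token)                 # bare tokens are TCP/IP flags

    def port(key: str) -> Optional[int]:
        value = fields.get(key)
        return int(value) if value is not None and value.isdigit() else None

    return ShorewallEvent(
        timestamp=m.group("ts"), host=m.group("host"),
        chain=m.group("chain"), disposition=m.group("disp"),
        in_if=fields.get("IN", ""), out_if=fields.get("OUT", ""),
        src=fields.get("SRC", ""), dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""), spt=port("SPT"), dpt=port("DPT"),
        flags=frozenset(flags),
    )


def parse_log(text: str) -> List[ShorewallEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def traffic_origin(e: ShorewallEvent) -> str:
    """Classify from IN=/OUT=, which is what decides the zone pair Shorewall consulted."""
    if not e.in_if and e.out_if:
        return "firewall"      # $FW -> zone on out_if  (OUTPUT path)
    if e.in_if and e.out_if:
        return "forwarded"     # zone on in_if -> zone on out_if  (FORWARD path)
    if e.in_if and not e.out_if:
        return "to-firewall"   # zone on in_if -> $FW  (INPUT path)
    return "unknown"


_ORIGIN_TEXT = {
    "firewall": "sent by the firewall itself, so look at the $FW -> <zone of OUT> rule/policy",
    "forwarded": "routed between zones, so look at the <zone of IN> -> <zone of OUT> rule/policy",
    "to-firewall": "addressed to the firewall, so look at the <zone of IN> -> $FW rule/policy",
    "unknown": "no interface pair recorded",
}


def describe(e: ShorewallEvent) -> str:
    """One-line human-readable verdict for an event."""
    flow = f"{e.src}:{e.spt} -> {e.dst}:{e.dpt} {e.proto}"
    return (f"{e.timestamp} {e.chain}:{e.disposition} in={e.in_if or '-'} "
            f"out={e.out_if or '-'} {flow}: {_ORIGIN_TEXT[traffic_origin(e)]}")


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(describe(event))
```

Running it on the thread's line reports "firewall", which is exactly why adding a RETURN to rfc1918 (which acts on packets arriving on the norfc1918 interface) could never help: the packet never entered on any interface.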
P Hennessy wrote:

Thank you.

The new FAQ 14b fixed the problem.

The $FW can now connect to the modem. But the loc is still not connecting to it. It may be a routing problem. It is not giving any errors in the log.

Thanks again.
Karsten Bräckelmann wrote (Tue, 01 Mar 2005 23:55:02 +0100):

> Thank you.
>
> The new FAQ 14b fixed the problem.
>
> The $FW can now connect to the modem.
> But the loc is still not connecting to it. It may be a routing problem.
> It is not giving any errors in the log.

Yes, could be a routing issue.

Is the firewall the default gateway for your clients in the loc zone? Otherwise, the routing issue could be on the clients themselves, cause they simply don't know about that "modem" network. Which sure would explain, why there are no logs at all on your firewall.

Can you ping (if allowed) the IP of the firewall in the modem zone 192.168.1.2 ?

Even if you can reach the modem from the machines in your loc zone, the routing issue might be on the modem side. It only knows its own network 192.168.1.0/24 -- and until the fw is the default gateway for the modem, it simply does not know how to respond to IPs in the 10.10.0.0/16 network, where your local clients live...

Masquerading should take care of this. If you add "eth0 eth1" to the masq file, the modem only needs to know about the firewall to respond to your local clients.

Of course, you still need to explicitly ACCEPT the connections from loc to modem zone.

  karsten
P Hennessy wrote:

Adding "eth0 eth1" to the masq fixed it.

Thanks for all the help.