Shorewall users - Jan 2005 - Problems with Rules?

Hi -- I was happily running Shorewall 1.4 for quite a while, then upgraded
recently to 2.0.13 (Debian Linux, Exim4, Squid, no DMZ) and can''t get
Shorewall working.  When I start it, my ssh and pop3 access is immediately
blocked locally.  

This is a very simple setup.  No dmz, just ETH1 to the Internet and ETH0
local, with IP Masq. Turned ON.  I would appreciate it if someone who has a
grasp on this stuff could guide me toward what I''m doing wrong.  I have
only
a slender grasp of the whole thing... IP info and rules below.

Thanks,
Art Mandler
amandler@msdbc.org

IP ROUTE SHOW:
152.53.30.64/27 dev eth1  proto kernel  scope link  src 152.53.30.66 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.99 
default via 152.53.30.65 dev eth1

IP ADDR SHOW:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:cc:d2:7d:d8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.99/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:cc:59:6b:7a brd ff:ff:ff:ff:ff:ff
    inet 152.53.30.66/27 brd 152.53.30.95 scope global eth1

And my Rules:

#
#Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system)
#
REDIRECT	loc	3128	tcp	www	-
#
# Accept from Internet to fw all www traffic
ACCEPT	fw	net	tcp	www
############################################################################
##
#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S)
ADDRESS
#
#
# To avoid connection delays, reject AUTH if the user hasn''t ACCEPTED
it
above
#
REJECT		net	  fw		tcp	113
#
# Accept DNS connections from the firewall to the network and back for email
#
ACCEPT		fw	  net		tcp	53
ACCEPT		fw	  net		udp	53
ACCEPT		net	  fw		tcp	53
ACCEPT		net	  fw		udp	53
#
# Accept DNS connections from local network to firewall for Caching
Nameserver
ACCEPT	loc	fw	tcp	53
ACCEPT	loc	fw	udp	53
#
# Accept WWW connections from the Internet
ACCEPT		net	fw	tcp	80
#
# Accept SSH connections from the local network for administration
#
ACCEPT		loc	  fw		tcp	22
ACCEPT		fw	  loc	        tcp	22

#
# Make ping work
#
ACCEPT		fw	  loc		icmp	8
ACCEPT		loc	  fw		icmp	8
ACCEPT		fw	  net		icmp	8

# Accept connections locally on 825 for Exim running with Vexira
ACCEPT		fw	loc		tcp 	825
ACCEPT		loc	fw		tcp	825

# Accept Port 25 for SMTP (Vexira in our case)
ACCEPT		fw	loc		tcp	25
ACCEPT		loc	fw		tcp	25
ACCEPT		net	fw		tcp	25

# Accept 110 for pop3 mail
ACCEPT	fw	loc	tcp	110, 995
ACCEPT	loc	fw	tcp	110, 995

# Open up necessary connections for X Windows Admin
ACCEPT 	fw	loc	tcp	6000:6010
ACCEPT	loc	fw	udp	177


#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

On Tue, 2005-01-04 at 13:53 -0500, Art Mandler wrote:
> Hi -- I was happily running Shorewall 1.4 for quite a while, then upgraded
> recently to 2.0.13
How did you upgrade? (.deb, tarball, ???) Did you review the Upgrade
Issues list on the Shorewall site? That is important any time that you
are upgrading from one major release to another.
> (Debian Linux, Exim4, Squid, no DMZ) and can''t get
> Shorewall working.  When I start it, my ssh and pop3 access is immediately
> blocked locally.  
> 
What does that mean? That local systems cannot access the firewall SSH
and POP3 servers? If so, are you seeing any messages logged on the
firewall?

> This is a very simple setup.  No dmz, just ETH1 to the Internet and ETH0
> local, with IP Masq. Turned ON.  I would appreciate it if someone who has a
> grasp on this stuff could guide me toward what I''m doing wrong.  I
have only
> a slender grasp of the whole thing... IP info and rules below.
As described at http://shorewall.net/support.htm in the paragraph
beginning THIS IS IMPORTANT!, the properly obtained and attached output
of "shorewall status" is the most useful piece of information you can
provide when you encounter connection problems.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key