Hi -- I was happily running Shorewall 1.4 for quite a while, then upgraded recently to 2.0.13 (Debian Linux, Exim4, Squid, no DMZ) and can't get Shorewall working. When I start it, my ssh and pop3 access is immediately blocked locally.

This is a very simple setup. No dmz, just ETH1 to the Internet and ETH0 local, with IP Masq. Turned ON. I would appreciate it if someone who has a grasp on this stuff could guide me toward what I'm doing wrong. I have only a slender grasp of the whole thing... IP info and rules below.
Thanks,
Art Mandler
amandler@msdbc.org
IP ROUTE SHOW:
152.53.30.64/27 dev eth1 proto kernel scope link src 152.53.30.66
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.99
default via 152.53.30.65 dev eth1
IP ADDR SHOW:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:d2:7d:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.99/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:59:6b:7a brd ff:ff:ff:ff:ff:ff
inet 152.53.30.66/27 brd 152.53.30.95 scope global eth1
And my Rules:
#
#Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system)
#
REDIRECT loc 3128 tcp www -
#
# Accept from Internet to fw all www traffic
ACCEPT fw net tcp www
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
#
# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
#
REJECT net fw tcp 113
#
# Accept DNS connections from the firewall to the network and back for email
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53
#
# Accept DNS connections from local network to firewall for Caching Nameserver
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
#
# Accept WWW connections from the Internet
ACCEPT net fw tcp 80
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
ACCEPT fw loc tcp 22
#
# Make ping work
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
# Accept connections locally on 825 for Exim running with Vexira
ACCEPT fw loc tcp 825
ACCEPT loc fw tcp 825
# Accept Port 25 for SMTP (Vexira in our case)
ACCEPT fw loc tcp 25
ACCEPT loc fw tcp 25
ACCEPT net fw tcp 25
# Accept 110 for pop3 mail
ACCEPT fw loc tcp 110, 995
ACCEPT loc fw tcp 110, 995
# Open up necessary connections for X Windows Admin
ACCEPT fw loc tcp 6000:6010
ACCEPT loc fw udp 177
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
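The following is an added example, not part of Art's post and not Shorewall's own code. It reads the rule lines above in the column layout the post uses (ACTION SOURCE DEST PROTO DEST PORT(S) [SOURCE PORT(S)]) and answers "what does this rule set do with a connection from zone S to zone D, protocol P, port N?", taking the first match as Shorewall does. The service-name table, the treatment of REDIRECT's DEST column as a firewall port, and the `POLICY` placeholder returned when no rule matches (the real outcome then comes from /etc/shorewall/policy, which the post does not include) are all assumptions of this example.

```python
"""Evaluator for Shorewall-style rules (added example, not Shorewall code)."""

# Constructed subset of /etc/services covering the names the post uses.
SERVICE_NAMES = {"www": 80, "ssh": 22, "smtp": 25, "pop3": 110, "domain": 53}

# The rule lines from the post, comments stripped, otherwise verbatim.
RULES_TEXT = """
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www
REJECT net fw tcp 113
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT net fw tcp 80
ACCEPT loc fw tcp 22
ACCEPT fw loc tcp 22
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
ACCEPT fw loc tcp 825
ACCEPT loc fw tcp 825
ACCEPT fw loc tcp 25
ACCEPT loc fw tcp 25
ACCEPT net fw tcp 25
ACCEPT fw loc tcp 110, 995
ACCEPT loc fw tcp 110, 995
ACCEPT fw loc tcp 6000:6010
ACCEPT loc fw udp 177
"""


def parse_ports(field):
    """DEST PORT(S) column -> list of (low, high) ranges, or None for any.
    '110,995' is a list, '6000:6010' a range, names come from SERVICE_NAMES."""
    if field in ("", "-"):
        return None
    ranges = []
    for item in field.split(","):
        if not item:            # tolerate a trailing comma such as "110,"
            continue
        lo, _, hi = item.partition(":")
        lo = SERVICE_NAMES.get(lo, lo)
        hi = SERVICE_NAMES.get(hi, hi) if hi else lo
        ranges.append((int(lo), int(hi)))
    return ranges


def parse_rules(text):
    """Split each rule into whitespace-separated columns, as Shorewall does."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        action, source = cols[0].upper(), cols[1]
        if action == "REDIRECT":
            # Assumption: DEST holds the firewall port to redirect to, and the
            # rule matches traffic from SOURCE to any destination zone.
            dest, target = "*", cols[2]
        else:
            dest, target = cols[2], None
        proto = cols[3].lower() if len(cols) > 3 else "all"
        ports = parse_ports(cols[4]) if len(cols) > 4 else None
        rules.append({"action": action, "source": source, "dest": dest,
                      "proto": proto, "ports": ports, "target": target})
    return rules


def port_matches(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def evaluate(rules, source, dest, proto, port, policy="POLICY"):
    """First matching rule wins; no match means the zone policy applies."""
    for r in rules:
        if r["source"] not in (source, "all"):
            continue
        if r["dest"] not in (dest, "*", "all"):
            continue
        if r["proto"] not in (proto, "all"):
            continue
        if not port_matches(r["ports"], port):
            continue
        if r["action"] == "REDIRECT":
            return "REDIRECT->fw:" + r["target"]
        return r["action"]
    return policy


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for q in (("loc", "fw", "tcp", 22), ("loc", "fw", "tcp", 110),
              ("loc", "fw", "tcp", 995), ("loc", "net", "tcp", 80)):
        print(q, "->", evaluate(RULES, *q))
```

Run as a script it prints the verdict for the ssh and pop3 cases the post is about. Both loc->fw tcp 22 and loc->fw tcp 110 hit an ACCEPT line, so a reader of this list (this evaluator knows nothing about the policy, interfaces or masq files) should look beyond the rules file for the cause. One thing the whitespace-column reader does surface: in "ACCEPT loc fw tcp 110, 995" the space after the comma puts "995" into the SOURCE PORT(S) column rather than DEST PORT(S), so port 995 falls through to the policy here; Shorewall's own `shorewall check` is the authority on how it reads that line.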