Shorewall users - Nov 2004 - Losing connections after starting shorewall

All,

	Sorry for the potentially stupid question.  I''ve looked at the 
FAQ''s, albeit quickly, and haven''t found anything that
I''m
understanding will help this problem.  A couple of days ago I 
restarted my SUSE linux box to try to resolve a problem with a vsftp 
server configuration, and when the box came back up, I couldn''t 
connect remotely to my box.  I had someone locally issue a ''shorewall 

clear'' and I was able to connect without problems.  I then typed in 
shorewall stop in and SSH session and stayed connected, but when I 
typed "shorewall start", it processed through everything until it 
printed "Activating rules" on the screen, at which time my network 
connection was cut off.  I''m running Shorewall 2.0.10, using the one-
interface configuration on the a SUSE 9.1 box.  I tried removing 
shorewall and completely reinstalling it from the rpm after I 
couldn''t resolve the problems with any edits to my interfaces, zones, 

policy, or rules files, but that hasn''t solved the problem.  The 
contents of my rules, policy, zones, and interfaces files are listed 
below.  These files are also attached, as are the results of ip addr 
show, ip route show, shorewall debug start 2>trace, and shorewall 
status after the firewall has been started and while I''m trying to 
connect.  All attached files are in a zip archive as the trace file 
is much too large to attach otherwise.  Any help is greatly 
appreciated.  I am subscribed to the list, but receive it in digest 
format, so adding me to any replies would be greatly appreciated.

RULES:

ACCEPT		net	fw	icmp	8
ACCEPT		fw	net	icmp
ACCEPT		net	fw	tcp	http,ssh,ftp
ACCEPT		net:155.97.241.182	fw	tcp		5800:5849,5900:5949
ACCEPT		net:155.97.241.182	fw	udp	5800:5849,5900:5949
ACCEPT		net:192.168.0.0/24	fw	tcp	
AllowSMB		net:192.168.0.0/24	fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

POLICY:

fw		net		ACCEPT
net		all		DROP		info
# The FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info

ZONES:

net	Net		Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

INTERFACES:

net	eth1		detect		routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

David Burrow
david.burrow@scl.utah.edu

The following section of this message contains a file attachment
prepared for transmission using the Internet MIME message format.
If you are using Pegasus Mail, or any other MIME-compliant system,
you should be able to save it or view it from within your mailer.
If you cannot, please ask your system administrator for assistance.

   ---- File information -----------
     File:  troubleshooting.zip
     Date:  2 Nov 2004, 15:32
     Size:  61232 bytes.
     Type:  ZIP-archive

On Tue, 2004-11-02 at 14:34, David Burrow wrote:
> 	Sorry for the potentially stupid question.  I''ve looked at the 
> FAQ''s, albeit quickly, and haven''t found anything that
I''m
> understanding will help this problem.  A couple of days ago I 
> restarted my SUSE linux box to try to resolve a problem with a vsftp 
> server configuration, and when the box came back up, I couldn''t 
> connect remotely to my box. 
I don''t understand your configuration at all:

a) You have two ethernet interfaces (eth0 and eth1).
b) Only eth0 has an IPV4 address.
c) Only eth1 is defined to Shorewall.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

	Thanks for pointing out that oversight.  The eth0 was an older 
Netgear card, and I decided not even to plug it in (too lazy to 
remove it from the box), the network cable was in the other, newer 
3Com, card.  I haven''t changed which NIC the cable''s plugged
into
(still in the 3com), but it seems that when I rebooted the computer, 
the machine switched the cards, such that the 3com card is now being 
called eth0, and the Netgear eth1, instead of the other way around.  
I just switched the interfaces file to eth0, and everything is 
working.  Trust me to miss something stupid like that.  I didn''t even 
think to look at it, as I didn''t switch the card I was using.  Sorry 
for the trouble, and thanks for the quick reply.  Shorewall is a 
wonderful product.

David

On 2 Nov 2004 at 15:36, Tom Eastep wrote:
> On Tue, 2004-11-02 at 14:34, David Burrow wrote:
> 
> > 	Sorry for the potentially stupid question.  I''ve looked at
the
> > FAQ''s, albeit quickly, and haven''t found anything
that I''m
> > understanding will help this problem.  A couple of days ago I 
> > restarted my SUSE linux box to try to resolve a problem with a vsftp 
> > server configuration, and when the box came back up, I
couldn''t
> > connect remotely to my box. 
> 
> I don''t understand your configuration at all:
> 
> a) You have two ethernet interfaces (eth0 and eth1).
> b) Only eth0 has an IPV4 address.
> c) Only eth1 is defined to Shorewall.
> 
> Thanks,
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> 
> 
David Burrow
david.burrow@scl.utah.edu