Hi all,

I'm setting up a server that will be placed on a colocation in ISP. It has only one interface that is eth0. It's running mdk9.2.

My shorewall settings are:

zone:
net eth0 detect norfc1918

policy:
fw net ACCEPT
net all DROP info
all all REJECT info

rules:
ACCEPT net fw icmp 8
ACCEPT net fw tcp 20,21,22,25,53,80,110,143,443,783,3306,5432,10000 -
ACCEPT net fw udp 53 -

The machine is still in my LAN with ip: 192.168.0.236

The problem is: I can't connect into it. When I tried to ssh from 192.168.0.234, its /var/log/messages (the server's) showed that it was dropping port 22. Also pinging is dropped. Here's the log:

Apr 7 12:32:49 server2 kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 DST=192.168.0.236 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=7742 DF PROTO=TCP SPT=32808 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

If I clear shorewall, I can ssh into it. Have I missed something here?

Thanks.

--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
11:37:17 up 3:26, Mandrake Linux release 9.2 (FiveStar) for i586
public key: https://www.arinet.org/fajar-pub.key
On Tuesday 06 April 2004 08:48 pm, Fajar Priyanto wrote:
> Hi all,
> I'm setting up a server that will be placed on a colocation in ISP.
> It has only one interface that is eth0. It's running mdk9.2.
>
> My shorewall settings are:
> zone:
> net eth0 detect norfc1918

Until you move it off your 192.168 lan you will have to get rid of the norfc1918 ...

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Wednesday 07 April 2004 12:03 pm, John Andersen wrote:
> Until you move it off your 192.168 lan you will have to
> get rid of the norfc1918 ...

Yes! It did it.
Thanks John.
Moreover, can you give me a little explanation why the rfc1918 shouldn't be applied in LAN environment?

--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
13:03:13 up 4:52, Mandrake Linux release 9.2 (FiveStar) for i586
public key: https://www.arinet.org/fajar-pub.key
Fajar Priyanto wrote:
> On Wednesday 07 April 2004 12:03 pm, John Andersen wrote:
>
>> Until you move it off your 192.168 lan you will have to
>> get rid of the norfc1918 ...
>
> Yes! It did it.
> Thanks John.
> Moreover, can you give me a little explanation why the rfc1918 shouldn't be
> applied in LAN environment?

Because you run Mandrake, you didn't invest the 20-30 minutes that most Shorewall users do in learning about Shorewall during the installation process. It would be a good idea for you to read the Two-interface QuickStart Guide (http://shorewall.net/two-interface.htm) -- you'll be amazed what you might pick up (such as what RFC 1918 is all about and why you should care).

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Fajar Priyanto wrote:
>
> Here's the log:
> Apr 7 12:32:49 server2 kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=
> MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234
> DST=192.168.0.236 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=7742 DF PROTO=TCP
> SPT=32808 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>

Let me offer another hint. Shorewall FAQ 17 (http://shorewall.net/FAQ.htm#faq17) gives information about how to decode these messages.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
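As an added example that is not part of the thread or of Shorewall itself, the Python below decodes the kernel log line Fajar quoted into its chain, disposition and KEY=value fields (the parts FAQ 17 explains) and then checks the source address against the three RFC 1918 ranges, which is the test the norfc1918 interface option applies to packets arriving on the net interface. The function names and the summary dict layout are my own.

```python
import ipaddress
import re

# Constructed sample: the kernel log line quoted earlier in the thread.
SAMPLE_LOG = (
    "Apr 7 12:32:49 server2 kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= "
    "MAC=00:09:6b:a5:b1:65:00:c0:9f:28:15:65:08:00 SRC=192.168.0.234 "
    "DST=192.168.0.236 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=7742 DF PROTO=TCP "
    "SPT=32808 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# The private address blocks reserved by RFC 1918.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into the chain and disposition
    from the 'Shorewall:<chain>:<disposition>:' prefix plus a dict of the
    KEY=value fields; bare flags such as DF and SYN are stored as True."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)", line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True   # 'OUT=' keeps an empty value
    return fields


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def explain(line):
    """Decode one log line and flag whether norfc1918 (drop packets whose
    source address is private) would match the packet it describes."""
    f = parse_shorewall_log(line)
    return {
        "action": f["disposition"], "chain": f["chain"], "in": f.get("IN", ""),
        "src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO", ""),
        "dport": f.get("DPT", ""), "syn": f.get("SYN", False),
        "src_is_rfc1918": is_rfc1918(f["SRC"]),
    }


if __name__ == "__main__":
    s = explain(SAMPLE_LOG)
    print("%(action)s in chain %(chain)s on %(in)s: %(src)s -> %(dst)s %(proto)s/%(dport)s" % s)
    if s["src_is_rfc1918"]:
        print("source is an RFC 1918 address, so norfc1918 on the net interface drops it")
```

Run against the quoted line it reports a DROP of a TCP SYN from 192.168.0.234 to port 22 and flags the source as private, which is exactly why the option has to come off the interface while the box still sits on the 192.168 LAN.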