Tom Eastep
2004-Feb-19 15:17 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Thursday 19 February 2004 04:58 pm, Antony Stubbs wrote:

> Ok, I have a setup where I have a linux gentoo box acting as a router,
> and an adsl modem/router combo...
> I have another gentoo box and another xp box....
> The router is using shorewall to manage the routing etc... It is
> connected to the net using a PPPoE connection over eth0, and is
> connected to the rest of the network via a switch on eth0.
> All machines seem to be able to do everything (www, icq etc...) using
> the linux router as their gateway..
> All machines use the same pop3/smtp server
> The gentoo box seems to be able to send and receive mail via pop3 and
> smtp.
> The xp box doesn't seem to be able to - it gets stuck on sending and
> receiving (microsoft outlook).
> The strange thing is, when you go to account settings and 'test account
> settings' - everything works hunky dory. You can also telnet to the
> smtp and pop3 server from the xp box fine.
> Nothing shows up in the shorewall log when trying to check mail from
> the xp box
> If I switch the gateway of the xp box to the router/adsl, it works
> fine...
> This is really starting to baffle me...
> The only thing I can think of is windows is doing something that the
> adsl/router understands but the linux router doesn't? I dunno - that
> seems pretty unlikely too... What am I missing?

Is Outlook trying to authenticate to a remote PDC? I don't believe that is possible through a Linux-based masquerading gateway (or at least I have never been able to make it work -- granted, it was a long time ago when I last tried). When I last tried to troubleshoot this, I could see the client's local RFC1918 IP address embedded in the data stream being sent from the gateway; this is usually not a good sign.

Hopefully someone else on the list who is more M$ knowledgeable than I can provide additional insight. FWIW, I use Outlook here but I always access the Exchange server through a VPN.
-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
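The symptom Tom describes (a client's RFC1918 address visible in traffic that has already left the masquerading gateway) can be checked for on the ppp0 side with the following added example, which is not code from the thread or from Shorewall. It assumes the masqueraded subnet from Antony's `shorewall restart` output (192.168.1.0/24); the two sample payloads are constructed.

```python
"""Look for a masqueraded client's internal address inside outbound
application payload, the symptom Tom describes seeing on his gateway.
Added example, not code from the thread. Sample payloads are constructed."""
import ipaddress
import re
import struct

# Masqueraded subnet from Antony's 'shorewall restart' output:
# "To 0.0.0.0/0 from 192.168.1.0/24 through ppp0".
MASQ_NET = ipaddress.IPv4Network("192.168.1.0/24")

# Dotted quad not glued to further digits or dots (avoids matching inside
# longer numeric strings such as version numbers or timestamps).
DOTTED_QUAD = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed samples: an SMTP greeting carrying the client's address as an
# IP literal, and a small binary blob carrying the same address as four bytes.
SAMPLE_TEXT = b"EHLO [192.168.1.21]\r\nMAIL FROM:<tony@example.invalid>\r\n"
SAMPLE_BIN = b"\x00\x01" + bytes([192, 168, 1, 21]) + b"\x00"
SAMPLE_CLEAN = b"EHLO [202.74.197.66]\r\n"   # the gateway's own public address


def leaked_text_addresses(payload: bytes):
    """Dotted-quad strings in the payload that fall inside MASQ_NET."""
    hits = []
    for m in DOTTED_QUAD.finditer(payload):
        try:
            ip = ipaddress.IPv4Address(m.group(1).decode("ascii"))
        except ValueError:          # an octet above 255 is not an address
            continue
        if ip in MASQ_NET:
            hits.append(str(ip))
    return hits


def leaked_binary_addresses(payload: bytes):
    """(offset, address) for every 4-byte network-order word inside MASQ_NET.
    Limiting the match to the one masqueraded /24 keeps false positives low;
    a generic 'any RFC1918 word' scan would fire on most binary data."""
    hits = []
    for off in range(len(payload) - 3):
        word = struct.unpack("!I", payload[off:off + 4])[0]
        ip = ipaddress.IPv4Address(word)
        if ip in MASQ_NET:
            hits.append((off, str(ip)))
    return hits


def leaked_addresses(payload: bytes):
    """Combined report: text hits plus binary hits, for one captured payload."""
    return {"text": leaked_text_addresses(payload),
            "binary": leaked_binary_addresses(payload)}


if __name__ == "__main__":
    for label, sample in (("smtp", SAMPLE_TEXT), ("binary", SAMPLE_BIN),
                          ("clean", SAMPLE_CLEAN)):
        print(label, leaked_addresses(sample))
```

A payload that comes back clean here says nothing about binary protocols that encode addresses in other ways; the scan only covers the two encodings shown.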
Jason Png
2004-Feb-19 16:27 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
Hi,

I'm running a similar setup. I have a Debian gateway/router connected to a dsl modem. The Debian machine has 3 interfaces, which are loc, net, dmz. I never have any problem doing POP3/SMTP on my masqueraded machine behind the gateway. And I'm using Microsoft Outlook too.

Please provide some logs so we can see what gets stuck behind that.

Thanks.

Regards,
Jason

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Antony Stubbs
Sent: Friday, February 20, 2004 3:17 AM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Strange problem ShoreWall+Router+Outlook don't work...

[snip]

iptables -L
[code]Chain INPUT (policy DROP)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere
DROP       !icmp --  anywhere   anywhere   state INVALID
eth0_in    all  --  anywhere   anywhere
ppp0_in    all  --  anywhere   anywhere
common     all  --  anywhere   anywhere
reject     all  --  anywhere   anywhere

Chain FORWARD (policy DROP)
target     prot opt source     destination
DROP       !icmp --  anywhere   anywhere   state INVALID
TCPMSS     tcp  --  anywhere   anywhere   tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd   all  --  anywhere   anywhere
ppp0_fwd   all  --  anywhere   anywhere
common     all  --  anywhere   anywhere
reject     all  --  anywhere   anywhere

Chain OUTPUT (policy DROP)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere
DROP       !icmp --  anywhere   anywhere   state INVALID
fw2all     all  --  anywhere   anywhere
fw2all     all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere

Chain all2all (0 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere   anywhere   state NEW tcp flags:!SYN,RST,ACK/SYN
common     all  --  anywhere   anywhere
reject     all  --  anywhere   anywhere

Chain common (3 references)
target     prot opt source     destination
icmpdef    icmp --  anywhere   anywhere
reject     udp  --  anywhere   anywhere   udp dpt:epmap
reject     udp  --  anywhere   anywhere   udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere   anywhere   udp dpt:microsoft-ds
reject     tcp  --  anywhere   anywhere   tcp dpt:netbios-ssn
reject     tcp  --  anywhere   anywhere   tcp dpt:microsoft-ds
reject     tcp  --  anywhere   anywhere   tcp dpt:epmap
DROP       udp  --  anywhere   anywhere   udp dpt:1900
DROP       all  --  anywhere   255.255.255.255
DROP       all  --  anywhere   BASE-ADDRESS.MCAST.NET/4
reject     tcp  --  anywhere   anywhere   tcp dpt:auth
DROP       udp  --  anywhere   anywhere   udp spt:domain state NEW
DROP       all  --  anywhere   192.168.1.255

Chain dynamic (4 references)
target     prot opt source     destination

Chain eth0_fwd (1 references)
target     prot opt source     destination
dynamic    all  --  anywhere   anywhere   state NEW
loc2all    all  --  anywhere   anywhere
ACCEPT     all  --  anywhere   anywhere

Chain eth0_in (1 references)
target     prot opt source     destination
dynamic    all  --  anywhere   anywhere   state NEW
loc2all    all  --  anywhere   anywhere

Chain fw2all (2 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere   anywhere   state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere   anywhere

Chain icmpdef (1 references)
target     prot opt source     destination

Chain loc2all (2 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere   anywhere   state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere   anywhere

Chain net2all (2 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere   anywhere   state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere   anywhere

Chain net2loc (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere            state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere   anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere   mog.homelinux.net   multiport dports ssh,www state NEW
ACCEPT     tcp  --  anywhere   mums                state NEW tcp dpt:6672
ACCEPT     udp  --  anywhere   mums                state NEW udp dpt:6672
ACCEPT     udp  --  anywhere   mums                state NEW udp dpt:6673
ACCEPT     tcp  --  anywhere   mums                state NEW tcp dpt:4711
ACCEPT     udp  --  anywhere   mums                state NEW udp dpt:4272
ACCEPT     udp  --  anywhere   mums                state NEW udp dpt:4665
ACCEPT     tcp  --  anywhere   mums                state NEW tcp dpts:5800:6000
net2all    all  --  anywhere   anywhere

Chain newnotsyn (5 references)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:ACK/ACK
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:RST/RST
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:FIN/FIN
RETURN     all  --  anywhere   anywhere
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:ACK/ACK
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:RST/RST
ACCEPT     tcp  --  anywhere   anywhere   tcp flags:FIN/FIN
RETURN     all  --  anywhere   anywhere
LOG        all  --  anywhere   anywhere   LOG level info prefix `Shorewall:newnotsyn:DROP:'
DROP       all  --  anywhere   anywhere

Chain ppp0_fwd (1 references)
target     prot opt source     destination
dynamic    all  --  anywhere   anywhere   state NEW
ACCEPT     all  --  anywhere   anywhere
net2loc    all  --  anywhere   anywhere

Chain ppp0_in (1 references)
target     prot opt source     destination
dynamic    all  --  anywhere   anywhere   state NEW
net2all    all  --  anywhere   anywhere

Chain reject (10 references)
target     prot opt source     destination
REJECT     tcp  --  anywhere   anywhere   reject-with tcp-reset
REJECT     udp  --  anywhere   anywhere   reject-with icmp-port-unreachable
REJECT     icmp --  anywhere   anywhere   reject-with icmp-host-unreachable
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source     destination[/code]

I can also post /sbin/shorewall status if you want, but it's very long...

--
Tony.
-------------------------------------
ICQ: 17046577
MSN: dolby@paradise.net.nz
EMAIL: dolby@paradise.net.nz
CELL: 021622663

Get your free, safe spam protection at www.spamassassin.org
Razor - Join the fight against spam

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Try removing the newnotsyn and routeback options. This is my setup:

Interface
---------
net  ppp0   detect  dhcp,routefilter,norfc1918
loc  eth1   detect
dmz  eth2   detect
vpn  ipsec0

hosts
-----
loc  eth1:10.10.10.0/24
dmz  eth2:10.10.11.0/24

masq
----
ppp0  eth1
ppp0  eth2

Under policy, you need to have at least

loc  net  ACCEPT

That should be more than sufficient to allow the POP3 and SMTP traffic to pass through the firewall to the external world.

Cheers
Jason

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jason Png
Sent: Friday, February 20, 2004 12:28 AM
To: 'Mailing List for Experienced Shorewall Users'
Subject: RE: [Shorewall-users] Strange problem ShoreWall+Router+Outlook don't work...

[snip]
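Jason's reply boils down to two checks on the Shorewall 1.4 files Antony posted: which interfaces carry the newnotsyn or routeback options, and whether the first matching policy entry lets loc reach net. The following is an added example that applies those checks (it is not code from the thread or from the Shorewall project); it embeds Antony's interfaces and policy files as posted and Jason's interface lines as quoted, while the policy body for Jason's setup is constructed, since he quotes only the one `loc net ACCEPT` line.

```python
"""Lint Shorewall 1.4 'interfaces' and 'policy' files for the two things
Jason's reply asks about: interface options he suggests dropping
(newnotsyn, routeback) and whether loc -> net traffic is ACCEPTed.
Added example; not code from the thread or from the Shorewall project."""

# /etc/shorewall/interfaces as posted by Antony (ZONE INTERFACE BROADCAST OPTIONS).
ANTONY_INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
#loc eth0 192.168.1.255 newnotsyn,tcpflags,blacklist,norfc1918,routefilter,routeback
loc eth0 192.168.1.255 newnotsyn,routeback
net ppp0 - newnotsyn,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# /etc/shorewall/policy as posted by Antony (SOURCE DEST POLICY).
ANTONY_POLICY = """\
fw all ACCEPT
loc all ACCEPT
net all ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT
#LAST LINE -- DO NOT REMOVE
"""

# Jason's interface lines, as quoted in his reply.
JASON_INTERFACES = """\
net ppp0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
vpn ipsec0
"""

# Constructed policy for Jason's setup: he quotes only the 'loc net ACCEPT' line.
JASON_POLICY = """\
loc net ACCEPT
all all REJECT
"""

OPTIONS_TO_DROP = {"newnotsyn", "routeback"}


def rows(text):
    """Whitespace-split columns of each non-blank, non-comment line,
    with trailing '#' comments removed (Shorewall's own comment syntax)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_interfaces(text):
    """Map interface name -> (zone, broadcast, set of options)."""
    table = {}
    for cols in rows(text):
        zone, iface = cols[0], cols[1]
        broadcast = cols[2] if len(cols) > 2 else "-"
        opts = set()
        if len(cols) > 3 and cols[3] != "-":
            opts = set(cols[3].split(","))
        table[iface] = (zone, broadcast, opts)
    return table


def parse_policy(text):
    """Ordered list of (source_zone, dest_zone, POLICY); file order matters."""
    return [(c[0], c[1], c[2].upper()) for c in rows(text)]


def effective_policy(policy, src, dst):
    """Shorewall applies the first policy row whose SOURCE and DEST match,
    where 'all' matches any zone. Returns None if nothing matches."""
    for s, d, p in policy:
        if s in (src, "all") and d in (dst, "all"):
            return p
    return None


def lint(interfaces_text, policy_text):
    """Human-readable findings; an empty list means both checks pass."""
    findings = []
    for iface, (zone, _bcast, opts) in parse_interfaces(interfaces_text).items():
        flagged = sorted(opts & OPTIONS_TO_DROP)
        if flagged:
            findings.append(f"{zone} {iface}: remove option(s) {','.join(flagged)}")
    if effective_policy(parse_policy(policy_text), "loc", "net") != "ACCEPT":
        findings.append("policy: loc -> net is not ACCEPTed by the first matching entry")
    return findings


if __name__ == "__main__":
    for name, ifaces, pol in (("Antony", ANTONY_INTERFACES, ANTONY_POLICY),
                              ("Jason", JASON_INTERFACES, JASON_POLICY)):
        print(name, lint(ifaces, pol) or ["ok"])
```

Run against Antony's files, only the interface options are flagged: his `loc all ACCEPT` entry already covers loc to net, so Jason's policy suggestion is met as posted.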
Thomas Reed
2004-Feb-19 19:08 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
On Fri, 2004-02-20 at 01:40, Antony Stubbs wrote:

> Oh yeah, and the other funny thing is that if I set the smtp server to one
> that won't let me relay off of (i.e. one from a different ISP), straight away,
> I get back the email saying relaying denied! Then if I switch it back to the
> valid server, it does the apparent 'time out' thing... And I'm sure the valid
> server does work because I'm using it to send this to you, from the linux box
> using evolution...

I know this sounds overly simple... but have you tried to just blow the outlook account away, do an ipconfig /flushdns and re-add the account?
Antony Stubbs
2004-Feb-19 19:17 UTC
Strange problem ShoreWall+Router+Outlook don't work...
Ok, I have a setup where I have a linux gentoo box acting as a router, and an adsl modem/router combo... I have another gentoo box and another xp box....

The router is using shorewall to manage the routing etc... It is connected to the net using a PPPoE connection over eth0, and is connected to the rest of the network via a switch on eth0. All machines seem to be able to do everything (www, icq etc...) using the linux router as their gateway..

All machines use the same pop3/smtp server. The gentoo box seems to be able to send and receive mail via pop3 and smtp. The xp box doesn't seem to be able to - it gets stuck on sending and receiving (microsoft outlook). The strange thing is, when you go to account settings and 'test account settings' - everything works hunky dory. You can also telnet to the smtp and pop3 server from the xp box fine. Nothing shows up in the shorewall log when trying to check mail from the xp box. If I switch the gateway of the xp box to the router/adsl, it works fine...

This is really starting to baffle me... The only thing I can think of is windows is doing something that the adsl/router understands but the linux router doesn't? I dunno - that seems pretty unlikely too... What am I missing? Is there some setting in outlook?

Maybe someone can catch something from iptables -L, unfortunately I haven't learnt how to read it very well yet... Here's some relevant config stuff, let me know if you wanna see anything else; Are my settings for the interfaces correct?:

[code]loc eth0 192.168.1.255 newnotsyn,routeback
net ppp0 - newnotsyn,routeback[/code]

Any suggestions at all, please! ;)

mog.homelinux.net/server is the firewall/router / 192.168.1.5
jo is the xp machine btw... / 192.168.1.21
auron/192.168.1.9 is the gentoo box that works

shorewall version
[code]1.4.8[/code]

ip addr show
[code]1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:ad:86:de:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.0.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
188: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1480 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.74.197.66 peer 202.74.206.7/32 scope global ppp0[/code]

ip route show
[code]202.74.206.7 dev ppp0 proto kernel scope link src 202.74.197.66
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 202.74.206.7 dev ppp0[/code]

/etc/shorewall/policy
[code]fw   all  ACCEPT
loc  all  ACCEPT
net  all  ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all  all  REJECT
#LAST LINE -- DO NOT REMOVE[/code]

/etc/shorewall/rules
[code]#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER
#                             PORT  PORT(S)  DEST      LIMIT
#Allow DNS connections to firewall
#ACCEPT loc fw tcp 53
#ACCEPT loc fw udp 53
# This rule allows you to run an SSH server on your firewall
# and connect to that server from your local systems.
#ACCEPT loc fw tcp 22
#SSH server on server
DNAT net loc:192.168.1.5 tcp ssh,http
#emule on jo
#ACCEPT net loc tcp 6672
#ACCEPT net loc udp 6673
#ACCEPT net loc udp 4665
DNAT net loc:192.168.1.21 tcp 6672
DNAT net loc:192.168.1.21 udp 6672
DNAT net loc:192.168.1.21 udp 6673
#emule web interface on jo
#ACCEPT net loc tcp 4711
DNAT net loc:192.168.1.21 tcp 4711
DNAT net loc:192.168.1.21 udp 4272 - -
DNAT net loc:192.168.1.21 udp 4665 - -
#vnc on jo
DNAT net loc:192.168.1.21 tcp 5800:6000
#Transparent proxy
#REDIRECT loc 3128 tcp 80
#ACCEPT net fw tcp 80
#ACCEPT loc fw tcp 80
#Ping rules
#ACCEPT loc all icmp 8
#ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE[/code]

/etc/shorewall/interfaces
[code]#ZONE INTERFACE BROADCAST OPTIONS
#loc eth0 192.168.1.255 newnotsyn,tcpflags,blacklist,norfc1918,routefilter,routeback
loc eth0 192.168.1.255 newnotsyn,routeback
net ppp0 - newnotsyn,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE[/code]

/etc/shorewall/shorewall.conf
[code]LOGFILE=/var/log/shorewall
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=No
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP[/code]

shorewall restart
[code]Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: ppp0:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "DNAT net loc:192.168.1.5 tcp ssh,http" added.
   Rule "DNAT net loc:192.168.1.21 tcp 6672" added.
   Rule "DNAT net loc:192.168.1.21 udp 6672" added.
   Rule "DNAT net loc:192.168.1.21 udp 6673" added.
   Rule "DNAT net loc:192.168.1.21 tcp 4711" added.
   Rule "DNAT net loc:192.168.1.21 udp 4272 - -" added.
   Rule "DNAT net loc:192.168.1.21 udp 4665 - -" added.
   Rule "DNAT net loc:192.168.1.21 tcp 5800:6000" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for net to loc using chain net2all
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.1.0/24 through ppp0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...[/code]
Shorewall Restarted[/code] iptables -L [code]Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere DROP !icmp -- anywhere anywhere state INVALID eth0_in all -- anywhere anywhere ppp0_in all -- anywhere anywhere common all -- anywhere anywhere reject all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination DROP !icmp -- anywhere anywhere state INVALID TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TC PMSS clamp to PMTU eth0_fwd all -- anywhere anywhere ppp0_fwd all -- anywhere anywhere common all -- anywhere anywhere reject all -- anywhere anywhere Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere DROP !icmp -- anywhere anywhere state INVALID fw2all all -- anywhere anywhere fw2all all -- anywhere anywhere ACCEPT all -- anywhere anywhere Chain all2all (0 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHE D newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN ,RST,ACK/SYN common all -- anywhere anywhere reject all -- anywhere anywhere Chain common (3 references) target prot opt source destination icmpdef icmp -- anywhere anywhere reject udp -- anywhere anywhere udp dpt:epmap reject udp -- anywhere anywhere udp dpts:netbios-ns:netb ios-ssn reject udp -- anywhere anywhere udp dpt:microsoft-ds reject tcp -- anywhere anywhere tcp dpt:netbios-ssn reject tcp -- anywhere anywhere tcp dpt:microsoft-ds reject tcp -- anywhere anywhere tcp dpt:epmap DROP udp -- anywhere anywhere udp dpt:1900 DROP all -- anywhere 255.255.255.255 DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4 reject tcp -- anywhere anywhere tcp dpt:auth DROP udp -- anywhere anywhere udp spt:domain state NEW DROP all -- anywhere 192.168.1.255 Chain dynamic (4 references) target prot opt source destination Chain eth0_fwd (1 references) target prot opt source destination dynamic all -- anywhere anywhere state NEW loc2all all -- anywhere 
anywhere ACCEPT all -- anywhere anywhere Chain eth0_in (1 references) target prot opt source destination dynamic all -- anywhere anywhere state NEW loc2all all -- anywhere anywhere Chain fw2all (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN ACCEPT all -- anywhere anywhere Chain icmpdef (1 references) target prot opt source destination Chain loc2all (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN ACCEPT all -- anywhere anywhere Chain net2all (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN ACCEPT all -- anywhere anywhere Chain net2loc (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN ACCEPT tcp -- anywhere mog.homelinux.net multiport dports ssh,www state NEW ACCEPT tcp -- anywhere mums state NEW tcp dpt:6672 ACCEPT udp -- anywhere mums state NEW udp dpt:6672 ACCEPT udp -- anywhere mums state NEW udp dpt:6673 ACCEPT tcp -- anywhere mums state NEW tcp dpt:4711 ACCEPT udp -- anywhere mums state NEW udp dpt:4272 ACCEPT udp -- anywhere mums state NEW udp dpt:4665 ACCEPT tcp -- anywhere mums state NEW tcp dpts:5800:6000 net2all all -- anywhere anywhere Chain newnotsyn (5 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST ACCEPT tcp -- anywhere anywhere tcp flags:FIN/FIN RETURN all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST ACCEPT tcp -- anywhere anywhere tcp flags:FIN/FIN RETURN all -- 
anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:newnotsyn:DROP:'' DROP all -- anywhere anywhere Chain ppp0_fwd (1 references) target prot opt source destination dynamic all -- anywhere anywhere state NEW ACCEPT all -- anywhere anywhere net2loc all -- anywhere anywhere Chain ppp0_in (1 references) target prot opt source destination dynamic all -- anywhere anywhere state NEW net2all all -- anywhere anywhere Chain reject (10 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain shorewall (0 references) target prot opt source destination[/code] I can also post /sbin/shorewall status if you want, but it''s very long... -- Tony. ------------------------------------- ICQ: 17046577 MSN: dolby@paradise.net.nz EMAIL: dolby@paradise.net.nz CELL: 021622663 Get your free, safe spam protection at www.spamassassin.org Razor - Join the fight against spam
In shorewall.conf, set CLAMPMSS=Yes and try. Mine is set to No and it works just fine.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Antony Stubbs
Sent: Friday, February 20, 2004 3:36 PM
To: Mailing List for Experienced Shorewall Users
Subject: RE: [Shorewall-users] Strange problem ShoreWall+Router+Outlook don't work...

I still don't really understand what those two options do...

These are the logs I get now (they're what I got before, and they're why I put newnotsyn on):

> Feb 20 07:14:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44011 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:16:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44012 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:18:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44013 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:20:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44014 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:22:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44015 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
Feb 20 07:23:06 mog Shorewall:newnotsyn:DROP:IN=ppp0 OUT= MAC= SRC=203.96.92.132 DST=202.74.200.162 LEN=40 TOS=0x00 PREC=0x20 TTL=60 ID=36842 PROTO=TCP SPT=110 DPT=4665 WINDOW=0 RES=0x00 ACK RST URGP=0

Mind you, 192.168.1.9 is my linux machine, not the xp machine that I'm having problems with... So, there are still no errors relating to 192.168.1.21 which is the xp machine...
The really screwed up thing is that 'test account settings' works fine - I even get the test email back in the inbox after doing it. But 'send and receive' just doesn't want to send - it gets that connection interrupted error after about a minute of nothing.... It's really wack. If it didn't work fine when I switch the gateway back to my adsl, then that'd be fine - it's def. outlook's fault. It's just ridiculous that the 'test account settings' works and normal sending doesn't... *sheesh*

What's "Is Outlook trying to authenticate to a remote PDC?" I'm pretty sure it isn't, it's just plain ol' smtp and pop3 setup...

On Thu, 2004-02-19 at 16:40, Jason Png wrote:
> Try removing the newnotsyn and routeback option.
>
> This is my setup
> Interface
> ---------
> net ppp0 detect dhcp,routefilter,norfc1918
> loc eth1 detect
> dmz eth2 detect
> vpn ipsec0
>
>
> hosts
> -----
> loc eth1:10.10.10.0/24
> dmz eth2:10.10.11.0/24
>
> masq
> ----
> ppp0 eth1
> ppp0 eth2
>
> under policy, you need to have at least
>
> loc net ACCEPT
>
> that should be more than sufficient to allow the POP3 and SMTP traffic to pass
> through the firewall to the external world.
>
> Cheers
>
> Jason
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jason Png
> Sent: Friday, February 20, 2004 12:28 AM
> To: 'Mailing List for Experienced Shorewall Users'
> Subject: RE: [Shorewall-users] Strange problem
> ShoreWall+Router+Outlook don't work...
>
> Hi,
>
> I'm running a similar setup.
> I have a Debian gateway/router connected to a dsl modem. The debian machine
> comes in 3 interfaces, which is loc,net,dmz.
>
> I never have any problem doing POP3/SMTP on my masqueraded machine behind
> the gateway. And I'm using Microsoft Outlook too. Please provide some logs
> so we can see what gets stuck behind that.
>
> Thanks.
>
> Regards,
>
> Jason
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Antony
> Stubbs
> Sent: Friday, February 20, 2004 3:17 AM
> To: shorewall-users@lists.shorewall.net
> Subject: [Shorewall-users] Strange problem ShoreWall+Router+Outlook
> don't work...
>
> Ok, I have a setup where I have a linux gentoo box acting as a router,
> and an adsl modem/router combo...
> I have another gentoo box and another xp box....
> The router is using shorewall to manage the routing etc... It is
> connected to the net using a PPPoE connection over eth0, and is
> connected to the rest of the network via a switch on eth0.
> All machines seem to be able to do everything (www, icq etc...) using
> the linux router as their gateway..
> All machines use the same pop3/smtp server
> The gentoo box seems to be able to send and receive mail via pop3 and
> smtp.
> The xp box doesn't seem to be able to - it gets stuck on sending and
> receiving (microsoft outlook).
> The strange thing is, when you go to account settings and 'test account
> settings' - everything works hunky dory. You can also telnet to the
> smtp and pop3 server from the xp box fine.
> Nothing shows up in the shorewall log when trying to check mail from
> the xp box
> If I switch the gateway of the xp box to the router/adsl, it works
> fine...
> This is really starting to baffle me...
> The only thing I can think of is windows is doing something that the
> adsl/router understands but the linux router doesn't? I dunno - that
> seems pretty unlikely too... What am I missing? Is there some setting in
> outlook? Maybe someone can catch something from iptables -L,
> unfortunately I haven't learnt how to read it very well yet...
> Here's some relevant config stuff, let me know if you wanna see anything
> else;
>
> Are my settings for the interfaces correct?:
> [code]loc eth0 192.168.1.255 newnotsyn,routeback
> net ppp0 - newnotsyn,routeback[/code]
> Any suggestions at all, please! ;)
>
> mog.homelinux.net/server is the firewall/router/192.168.1.5
> jo is the xp machine btw... / 192.168.1.21
> auron/192.168.1.9 is the gentoo box that works
>
> shorewall version
> [code]1.4.8[/code]
>
> ip addr show
> [code]1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:80:ad:86:de:c0 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.5/24 brd 192.168.0.255 scope global eth0
> 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 188: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1480 qdisc pfifo_fast
> qlen 3
> link/ppp
> inet 202.74.197.66 peer 202.74.206.7/32 scope global ppp0[/code]
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
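The entries Antony quotes above carry the prefix "Shorewall:newnotsyn:DROP:". In the iptables dump earlier in the thread, the newnotsyn chain is reached from a rule matching "state NEW tcp flags:!SYN,RST,ACK/SYN": a TCP segment that the connection tracker has no entry for (state NEW) although it is not a SYN, i.e. a mid-stream packet of a session conntrack does not know about. With NEWNOTSYN=No in shorewall.conf and no newnotsyn interface option those packets are logged and dropped. The script below is an added example, not code from the thread or from Shorewall: it parses log lines in the thread's LOGFORMAT="Shorewall:%s:%s:" layout, groups the newnotsyn drops per flow and labels the two patterns visible in the quoted logs (a client repeatedly retransmitting data on a session the firewall has forgotten, and a single stray RST). The sample lines are constructed to match the quoted format with the e-mail line-wrap breaks joined; the function names and the classification heuristics are my own.

```python
"""Group Shorewall 'newnotsyn' DROP log entries per flow and label the pattern.

Added example: not code from the thread or from Shorewall.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines quoted in the thread
# (LOGFORMAT="Shorewall:%s:%s:" followed by netfilter LOG key=value fields),
# with the e-mail line-wrap breaks joined back together.
SAMPLE_LOG = """\
Feb 20 07:14:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44011 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
Feb 20 07:16:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44012 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
Feb 20 07:18:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44013 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
Feb 20 07:23:06 mog Shorewall:newnotsyn:DROP:IN=ppp0 OUT= MAC= SRC=203.96.92.132 DST=202.74.200.162 LEN=40 TOS=0x00 PREC=0x20 TTL=60 ID=36842 PROTO=TCP SPT=110 DPT=4665 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 20 07:25:00 mog kernel: eth0: link up
"""

# "<Mon> <day> <hh:mm:ss> <host> Shorewall:<chain>:<disposition>:<fields>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for one Shorewall LOG line, or None for any other line.

    key=value tokens become dict entries; bare tokens are either TCP flags
    (collected in 'flags') or IP header options such as DF ('opts').
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "chain": m["chain"],
           "disposition": m["disp"], "flags": set(), "opts": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "OUT=" and "MAC=" yield ""
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec["opts"].add(tok)
    return rec


def classify(hits):
    """Label one flow's newnotsyn drops (heuristics chosen for this example)."""
    flags = set().union(*(h["flags"] for h in hits))
    if "RST" in flags:
        return "stray RST for an untracked connection (harmless)"
    if "ACK" in flags and len(hits) > 1:
        return ("repeated mid-stream segments: conntrack has no entry for "
                "this session (stale or timed-out connection)")
    return "single non-SYN packet outside any tracked connection"


def summarize(log_text):
    """Group TCP newnotsyn drops by (SRC, SPT, DST, DPT) and describe each flow."""
    flows = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["chain"] == "newnotsyn" and rec.get("PROTO") == "TCP":
            flows[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])].append(rec)
    report = []
    for (src, spt, dst, dpt), hits in flows.items():
        report.append({
            "flow": f"{src}:{spt} -> {dst}:{dpt}",
            # an empty OUT= means the packet was addressed to the firewall itself
            "direction": f"{hits[0]['IN']} -> {hits[0]['OUT'] or '(firewall)'}",
            "count": len(hits),
            "first": hits[0]["ts"],
            "last": hits[-1]["ts"],
            "flags": sorted(set().union(*(h["flags"] for h in hits))),
            "verdict": classify(hits),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(f"{entry['flow']:40} {entry['direction']:20} x{entry['count']} "
              f"{','.join(entry['flags'])}: {entry['verdict']}")
```

Run against the real /var/log/shorewall file (read it and pass the text to summarize) the per-flow grouping makes the difference between the two cases in the thread obvious: the 192.168.1.9 flow repeats every two minutes with consecutive IP IDs and only ACK/PSH set, which is a host retransmitting on a connection the firewall no longer tracks, whereas the single ACK/RST from port 110 is a late reset that no tracked session matches and is safe to ignore.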
Tom Eastep
2004-Feb-19 20:50 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Thursday 19 February 2004 11:40 pm, Antony Stubbs wrote:
> Oh yeah, and the other funny thing is that if I set the smtp server to one
> that won't let me relay off of (i.e. one from a different ISP), straight
> away, I get back the email saying relaying denied! Then if I switch it back
> to the valid server, it does the apparent 'time out' thing... And I'm sure
> the valid server does work because I'm using it to send this to you, from
> the linux box using evolution...
>

Sounds like it it time for tcpdump...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-19 20:52 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Thursday 19 February 2004 12:50 pm, Tom Eastep wrote:
> On Thursday 19 February 2004 11:40 pm, Antony Stubbs wrote:
> > Oh yeah, and the other funny thing is that if I set the smtp server to
> > one that won't let me relay off of (i.e. one from a different ISP),
> > straight away, I get back the email saying relaying denied! Then if I
> > switch it back to the valid server, it does the apparent 'time out'
> > thing... And I'm sure the valid server does work because I'm using it to
> > send this to you, from the linux box using evolution...
>
> Sounds like it it time for tcpdump...
>

Sure wish I could type... Should have been:

Sounds like it is time for tcpdump...

--
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-19 23:29 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Thursday 19 February 2004 07:17 am, Tom Eastep wrote:
> On Thursday 19 February 2004 04:58 pm, Antony Stubbs wrote:
> > Ok, I have a setup where I have a linux gentoo box acting as a router,
> > and an adsl modem/router combo...
> > I have another gentoo box and another xp box....
> > The router is using shorewall to manage the routing etc... It is
> > connected to the net using a PPPoE connection over eth0, and is
> > connected to the rest of the network via a switch on eth0.
> > All machines seem to be able to do everything (www, icq etc...) using
> > the linux router as their gateway..
> > All machines use the same pop3/smtp server
> > The gentoo box seems to be able to send and receive mail via pop3 and
> > smtp.
> > The xp box doesn't seem to be able to - it gets stuck on sending and
> > receiving (microsoft outlook).
> > The strange thing is, when you go to account settings and 'test account
> > settings' - everything works hunky dory. You can also telnet to the
> > smtp and pop3 server from the xp box fine.
> > Nothing shows up in the shorewall log when trying to check mail from
> > the xp box
> > If I switch the gateway of the xp box to the router/adsl, it works
> > fine...
> > This is really starting to baffle me...
> > The only thing I can think of is windows is doing something that the
> > adsl/router understands but the linux router doesn't? I dunno - that
> > seems pretty unlikely too... What am I missing?
>
> Is Outlook trying to authenticate to a remote PDC? I don't believe that is
> possible through a Linux-based masquerading gateway (or at least I have
> never been able to make it work -- granted, it was a long time ago when I
> last tried). When I last tried to troubleshoot this, I could see the
> client's local RFC1918 IP address embedded in the data stream being sent
> from the gateway; this is usually not a good sign.
>
> Hopefully someone else on the list who is more M$ knowledgeable than I can
> provide additional insight.

I apologize -- I was way off-base and should have read Antony's original post more carefully. I'm baffled as to why simple pop3/smtp wouldn't work from Outlook on the XP box.

As I said in another post regarding this thread, you may have to resort to tcpdump to solve this. On your Shorewall box:

tcpdump -ni ppp0 host <ip address of smtp server>

then try to post from Outlook.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Thomas Reed
2004-Feb-20 00:44 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
Antony Stubbs wrote:
> But I can ping the server from the xp machine, so surely dns is not a
> problem?
>
>> I know this sounds overly simple....but have you tried to just blow the
>> outlook account away, do an ipconfig /flushdns and re-add the account?
>>

You can ping it by FQDN when it's hooked up behind the firewall? Hmm...got me...I'll do more looking into it at Microsoft support. But definitely follow Tom's advice of

tcpdump -ni ppp0 host <ip address of smtp server>

that'll get you a place to start from for sure....Tom's advice has always been gold in my experience :]
Antony Stubbs
2004-Feb-20 00:58 UTC
Strange problem ShoreWall+Router+Outlook don't work...
Ok, I have a setup where I have a linux gentoo box acting as a router, and an adsl modem/router combo... I have another gentoo box and another xp box....

The router is using shorewall to manage the routing etc... It is connected to the net using a PPPoE connection over eth0, and is connected to the rest of the network via a switch on eth0.

All machines seem to be able to do everything (www, icq etc...) using the linux router as their gateway.. All machines use the same pop3/smtp server. The gentoo box seems to be able to send and receive mail via pop3 and smtp. The xp box doesn't seem to be able to - it gets stuck on sending and receiving (microsoft outlook).

The strange thing is, when you go to account settings and 'test account settings' - everything works hunky dory. You can also telnet to the smtp and pop3 server from the xp box fine. Nothing shows up in the shorewall log when trying to check mail from the xp box. If I switch the gateway of the xp box to the router/adsl, it works fine...

This is really starting to baffle me... The only thing I can think of is windows is doing something that the adsl/router understands but the linux router doesn't? I dunno - that seems pretty unlikely too... What am I missing? Is there some setting in outlook? Maybe someone can catch something from iptables -L, unfortunately I haven't learnt how to read it very well yet...

Here's some relevant config stuff, let me know if you wanna see anything else;

Are my settings for the interfaces correct?:
[code]loc eth0 192.168.1.255 newnotsyn,routeback
net ppp0 - newnotsyn,routeback[/code]

Any suggestions at all, please! ;)

mog.homelinux.net/server is the firewall/router/192.168.1.5
jo is the xp machine btw... / 192.168.1.21
auron/192.168.1.9 is the gentoo box that works

shorewall version
[code]1.4.8[/code]

ip addr show
[code]1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:ad:86:de:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.0.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
188: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1480 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.74.197.66 peer 202.74.206.7/32 scope global ppp0[/code]

ip route show
[code]202.74.206.7 dev ppp0 proto kernel scope link src 202.74.197.66
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 202.74.206.7 dev ppp0[/code]

/etc/shorewall/policy
[code]fw all ACCEPT
loc all ACCEPT
net all ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT
#LAST LINE -- DO NOT REMOVE[/code]

/etc/shorewall/rules
[code]#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
#                         PORT PORT(S) DEST LIMIT
#Allow DNS connections to firewall
#ACCEPT loc fw tcp 53
#ACCEPT loc fw udp 53
# This rule allows you to run an SSH server on your firewall
# and connect to that server from your local systems.
#ACCEPT loc fw tcp 22
#SSH server on server
DNAT net loc:192.168.1.5 tcp ssh,http
#emule on jo
#ACCEPT net loc tcp 6672
#ACCEPT net loc udp 6673
#ACCEPT net loc udp 4665
DNAT net loc:192.168.1.21 tcp 6672
DNAT net loc:192.168.1.21 udp 6672
DNAT net loc:192.168.1.21 udp 6673
#emule web interface on jo
#ACCEPT net loc tcp 4711
DNAT net loc:192.168.1.21 tcp 4711
DNAT net loc:192.168.1.21 udp 4272 - -
DNAT net loc:192.168.1.21 udp 4665 - -
#vnc on jo
DNAT net loc:192.168.1.21 tcp 5800:6000
#Transparent proxy
#REDIRECT loc 3128 tcp 80
#ACCEPT net fw tcp 80
#ACCEPT loc fw tcp 80
#Ping rules
#ACCEPT loc all icmp 8
#ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE[/code]

/etc/shorewall/interfaces
[code]#ZONE INTERFACE BROADCAST OPTIONS
#loc eth0 192.168.1.255 newnotsyn,tcpflags,blacklist,norfc1918,routefilter,routeback
loc eth0 192.168.1.255 newnotsyn,routeback
net ppp0 - newnotsyn,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE[/code]

/etc/shorewall/shorewall.conf
[code]LOGFILE=/var/log/shorewall
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=No
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP[/code]

shorewall restart
[code]Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: ppp0:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "DNAT net loc:192.168.1.5 tcp ssh,http" added.
   Rule "DNAT net loc:192.168.1.21 tcp 6672" added.
   Rule "DNAT net loc:192.168.1.21 udp 6672" added.
   Rule "DNAT net loc:192.168.1.21 udp 6673" added.
   Rule "DNAT net loc:192.168.1.21 tcp 4711" added.
   Rule "DNAT net loc:192.168.1.21 udp 4272 - -" added.
   Rule "DNAT net loc:192.168.1.21 udp 4665 - -" added.
   Rule "DNAT net loc:192.168.1.21 tcp 5800:6000" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for net to loc using chain net2all
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.1.0/24 through ppp0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted[/code]

iptables -L
[code]Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
eth0_in all -- anywhere anywhere
ppp0_in all -- anywhere anywhere
common all -- anywhere anywhere
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd all -- anywhere anywhere
ppp0_fwd all -- anywhere anywhere
common all -- anywhere anywhere
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
fw2all all -- anywhere anywhere
fw2all all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
reject all -- anywhere anywhere

Chain common (3 references)
target prot opt source destination
icmpdef icmp -- anywhere anywhere
reject udp -- anywhere anywhere udp dpt:epmap
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:epmap
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
reject tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp spt:domain state NEW
DROP all -- anywhere 192.168.1.255

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state NEW
loc2all all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state NEW
loc2all all -- anywhere anywhere

Chain fw2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere

Chain icmpdef (1 references)
target prot opt source destination

Chain loc2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere

Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere mog.homelinux.net multiport dports ssh,www state NEW
ACCEPT tcp -- anywhere mums state NEW tcp dpt:6672
ACCEPT udp -- anywhere mums state NEW udp dpt:6672
ACCEPT udp -- anywhere mums state NEW udp dpt:6673
ACCEPT tcp -- anywhere mums state NEW tcp dpt:4711
ACCEPT udp -- anywhere mums state NEW udp dpt:4272
ACCEPT udp -- anywhere mums state NEW udp dpt:4665
ACCEPT tcp -- anywhere mums state NEW tcp dpts:5800:6000
net2all all -- anywhere anywhere

Chain newnotsyn (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST
ACCEPT tcp -- anywhere anywhere tcp flags:FIN/FIN
RETURN all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT tcp -- anywhere anywhere tcp flags:RST/RST
ACCEPT tcp -- anywhere anywhere tcp flags:FIN/FIN
RETURN all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:newnotsyn:DROP:'
DROP all -- anywhere anywhere

Chain ppp0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
net2loc all -- anywhere anywhere

Chain ppp0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state NEW
net2all all -- anywhere anywhere

Chain reject (10 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination[/code]

I can also post /sbin/shorewall status if you want, but it's very long...

--
Tony.
-------------------------------------
ICQ: 17046577
MSN: dolby@paradise.net.nz
EMAIL: dolby@paradise.net.nz
CELL: 021622663
Get your free, safe spam protection at www.spamassassin.org
Razor - Join the fight against spam
Antony Stubbs
2004-Feb-20 07:36 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
I still don't really understand what those two options do... These are the logs I get now: (they're what I got before, and they're why I put newnotsyn on)

> Feb 20 07:14:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44011 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:16:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44012 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:18:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44013 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:20:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44014 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
> Feb 20 07:22:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44015 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0

Feb 20 07:23:06 mog Shorewall:newnotsyn:DROP:IN=ppp0 OUT= MAC= SRC=203.96.92.132 DST=202.74.200.162 LEN=40 TOS=0x00 PREC=0x20 TTL=60 ID=36842 PROTO=TCP SPT=110 DPT=4665 WINDOW=0 RES=0x00 ACK RST URGP=0

Mind you, 192.168.1.9 is my linux machine, not the xp machine that I'm having problems with... So, there are still no errors relating to 192.168.1.21, which is the xp machine...

The really screwed up thing is that 'test account settings' works fine - I even get the test email back in the inbox after doing it. But 'send and receive' just doesn't want to send - it gets that connection interrupted error after about a minute of nothing....

It's really wack. If it didn't work fine when I switch the gateway back to my adsl, then that'd be fine - it's def. outlook's fault. It's just ridiculous that the 'test account settings' works and normal sending doesn't... *sheesh*

What's "Is Outlook trying to authenticate to a remote PDC?" I'm pretty sure it isn't, it's just a plain ol' smtp and pop3 setup...

On Thu, 2004-02-19 at 16:40, Jason Png wrote:
> Try removing the newnotsyn and routeback option.
>
> This is my setup
> Interface
> ---------
> net ppp0 detect dhcp,routefilter,norfc1918
> loc eth1 detect
> dmz eth2 detect
> vpn ipsec0
>
> hosts
> -----
> loc eth1:10.10.10.0/24
> dmz eth2:10.10.11.0/24
>
> masq
> ----
> ppp0 eth1
> ppp0 eth2
>
> under policy, you need to have at least
>
> loc net ACCEPT
>
> that should be more than sufficient to allow the POP3 and SMTP traffic to pass
> through the firewall to the external world.
>
> Cheers
>
> Jason
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jason Png
> Sent: Friday, February 20, 2004 12:28 AM
> To: 'Mailing List for Experienced Shorewall Users'
> Subject: RE: [Shorewall-users] Strange problem ShoreWall+Router+Outlook don't work...
>
> Hi,
>
> I'm running a similar setup.
> I have a Debian gateway/router connected to a dsl modem. The debian machine
> comes with 3 interfaces, which are loc, net, dmz.
>
> I never have any problem doing POP3/SMTP on my masqueraded machine behind
> the gateway. And I'm using Microsoft Outlook too. Please provide some logs
> so we can see what gets stuck behind that.
>
> Thanks.
>
> Regards,
>
> Jason
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Antony Stubbs
> Sent: Friday, February 20, 2004 3:17 AM
> To: shorewall-users@lists.shorewall.net
> Subject: [Shorewall-users] Strange problem ShoreWall+Router+Outlook don't work...
>
> Ok, I have a setup where I have a linux gentoo box acting as a router,
> and an adsl modem/router combo...
> I have another gentoo box and another xp box....
> The router is using shorewall to manage the routing etc... It is
> connected to the net using a PPPoE connection over eth0, and is
> connected to the rest of the network via a switch on eth0.
> All machines seem to be able to do everything (www, icq etc...) using
> the linux router as their gateway..
> All machines use the same pop3/smtp server
> The gentoo box seems to be able to send and receive mail via pop3 and
> smtp.
> The xp box doesn't seem to be able to - it gets stuck on sending and
> receiving (microsoft outlook).
> The strange thing is, when you go to account settings and 'test account
> settings' - everything works hunky dory. You can also telnet to the
> smtp and pop3 server from the xp box fine.
> Nothing shows up in the shorewall log when trying to check mail from
> the xp box
> If I switch the gateway of the xp box to the router/adsl, it works
> fine...
> This is really starting to baffle me...
> The only thing I can think of is windows is doing something that the
> adsl/router understands but the linux router doesn't? I dunno - that
> seems pretty unlikely too... What am I missing? Is there some setting in
> outlook? Maybe someone can catch something from iptables -L,
> unfortunately I haven't learnt how to read it very well yet...
> Here's some relevant config stuff, let me know if you wanna see anything
> else;
>
> Are my settings for the interfaces correct?:
> [code]loc eth0 192.168.1.255 newnotsyn,routeback
> net ppp0 - newnotsyn,routeback[/code]
> Any suggestions at all, please! ;)
>
> mog.homelinux.net/server is the firewall/router/192.168.1.5
> jo is the xp machine btw... / 192.168.1.21
> auron/192.168.1.9 is the gentoo box that works
>
> shorewall version
> [code]1.4.8[/code]
>
> ip addr show
> [code]1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:80:ad:86:de:c0 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.5/24 brd 192.168.0.255 scope global eth0
> 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 188: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1480 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 202.74.197.66 peer 202.74.206.7/32 scope global ppp0[/code]
Antony Stubbs
2004-Feb-20 07:40 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
Oh yeah, and the other funny thing is that if I set the smtp server to one that won't let me relay off of (i.e. one from a different ISP), straight away I get back the email saying relaying denied! Then if I switch it back to the valid server, it does the apparent 'time out' thing... And I'm sure the valid server does work because I'm using it to send this to you, from the linux box using evolution...
Antony Stubbs
2004-Feb-20 13:32 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
But I can ping the server from the xp machine, so surely dns is not a problem?

> I know this sounds overly simple....but have you tried to just blow the
> outlook account away, do an ipconfig /flushdns and re-add the account?

-- Tony.
Antony Stubbs
2004-Feb-20 13:36 UTC
RE: Strange problem ShoreWall+Router+Outlook don't work...
Mine was already set to yes, so I tried no, but it didn't have an effect...

On Thu, 2004-02-19 at 19:29, Jason Png wrote:
> In shorewall.conf,
> Set CLAMPMSS=Yes and try
> Mine is set to No
> And it works just fine.

-- Tony.
Tom Eastep
2004-Feb-20 19:43 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Thursday 19 February 2004 04:58 pm, Antony Stubbs wrote:
> /etc/shorewall/policy
> [code]fw all ACCEPT
> loc all ACCEPT
> net all ACCEPT[/code]

Oh crap; missed this the first time. Folks -- please don't set ACCEPT policies like this when you are trying to debug a problem; it never helps and it robs you of one of your most important diagnostic tools -- the log messages produced by the all->all REJECT policy at the end.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-21 19:38 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Sun, 22 Feb 2004, Antony Stubbs wrote:
> I hate to have wasted your time like this, I'm so sorry!

No problem! It was an interesting puzzle.

> Now onto making my rules more secure :D...

Good plan!

-Tom
Tom Eastep
2004-Feb-21 20:49 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
On Sun, 22 Feb 2004, Antony Stubbs wrote:
> One last thing - how do you get tcpdump to show icmp packets?

Add 'icmp' to the filter expression. Example:

[code]tcpdump -ni eth0 host 192.168.1.4 or icmp[/code]

-Tom
Antony Stubbs
2004-Feb-22 08:29 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
> > > In the last trace that you sent, the firewall is dropping the message body on
> > > output. The length of the packet is 1448 whereas the MSS (Maximum segment
> > > size) for the connection should have been 1440. I can't see if the firewall
> > > is returning a fragmentation-needed ICMP to the XP box because of the way
> > > that I had you run tcpdump. Hence the question about CLAMPMSS.
> > >
> > > -Tom
> >
> > Hmm, Ethereal is pretty neat, been playing around with it... Gonna take
> > me a little more playing before I can tell how you figured out the
> > packet size, and that it's dropping message body packets...
> > It almost appears to me that it's sending the body, but after it's sent,
> > doesn't seem to get a reply back from the server? I dunno - kinda wild
> > guess, this is my first time looking at logs like these...
> >
>
> Do you have a firewall on the XP system? Have you disabled the ICMP
> protocol in that firewall?

Bingo. I'm sooo sorry man... Just before I got this reply, I sent you another email asking if it could be the firewall - having looked very carefully at more logs using Ethereal (very cool program). As soon as I got your email, I ran into the other room, disabled the firewall and bingo - it worked... I hate to have wasted your time like this, I'm so sorry!

I played around with the firewall logs (Syquest personal firewall) and found that it had blocked some icmp packets, because it decided they were for no specific application, so the 'allow all and allow icmp' for outlook didn't get picked up. I made an advanced rule allowing icmp data from the linux router for all and it seems to work for now. If I run into any more problems with the firewall I'll just disable it, because it's only protecting her comp from inside the network anyway - i.e. not worth the trouble...

Now onto making my rules more secure :D...

-- Tony.
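Both things the thread turns on can be read straight off the netfilter log lines: the newnotsyn drops in the log excerpt Tony posted earlier (TCP packets in state NEW whose flags are not a bare SYN, i.e. mid-stream packets the firewall holds no conntrack entry for), and the oversized DF packet from the diagnosis above, which obliges the router to send an ICMP fragmentation-needed back to the XP box, the message its host firewall was eating. The Python below is an added example, not code from the thread or from Shorewall. It parses log lines of the kind Shorewall emits, re-implements the `tcp flags:!SYN,RST,ACK/SYN` test from the iptables listing to explain a newnotsyn drop, and flags DF packets that will not fit the egress link. The MTU table is taken from the `ip addr show` output earlier in the thread (eth0 1500, ppp0 1480); the first two sample lines are copied from the posted log excerpt with its line-wrap damage repaired, and the third line is constructed, so its 192.168.1.21 source, SPT=1234, DPT=25 and LEN=1500 are assumptions.

```python
"""Explain Shorewall/netfilter DROP log lines (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample input. The first two lines copy the log excerpt posted in
# the thread (line-wrap damage repaired); the third is made up to show a DF
# packet that is too large for the PPPoE link and so needs an ICMP
# fragmentation-needed (type 3, code 4) reply to reach the sender.
SAMPLE_LOG = """\
Feb 20 07:14:17 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.9 DST=205.156.51.200 LEN=213 TOS=0x00 PREC=0x00 TTL=63 ID=44011 DF PROTO=TCP SPT=36131 DPT=80 WINDOW=22848 RES=0x00 ACK PSH URGP=0
Feb 20 07:23:06 mog Shorewall:newnotsyn:DROP:IN=ppp0 OUT= MAC= SRC=203.96.92.132 DST=202.74.200.162 LEN=40 TOS=0x00 PREC=0x20 TTL=60 ID=36842 PROTO=TCP SPT=110 DPT=4665 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 20 07:30:00 mog Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=192.168.1.21 DST=203.96.92.132 LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1234 DPT=25 WINDOW=65535 RES=0x00 ACK PSH URGP=0
"""

# Interface MTUs as shown by `ip addr show` in the thread.
EGRESS_MTU = {"eth0": 1500, "ppp0": 1480}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")


def parse_line(line):
    """Return the fields of one netfilter log line as a dict, or None when the
    line carries no Shorewall log prefix. KEY=VALUE pairs become entries, the
    bare DF token becomes rec["df"], TCP flag tokens become rec["flags"]."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(dict(KV_RE.findall(line)))
    tokens = line.split()
    rec["df"] = "DF" in tokens
    rec["flags"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    for key in ("LEN", "SPT", "DPT", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def is_new_not_syn(flags):
    """Mirror the iptables match `tcp flags:!SYN,RST,ACK/SYN`: of SYN, RST and
    ACK, exactly SYN must be set for a NEW packet to be a legitimate connection
    opener. Anything else in state NEW is a mid-stream packet with no conntrack
    entry (firewall restart, timed-out entry, asymmetric routing, ...)."""
    return not ("SYN" in flags and "RST" not in flags and "ACK" not in flags)


def exceeds_egress_mtu(rec, mtus=EGRESS_MTU):
    """True when a DF packet is larger than the MTU of the interface it is
    forwarded out of: the router must answer with ICMP fragmentation-needed,
    and the sender only recovers if that ICMP gets back to it."""
    out = rec.get("OUT", "")
    return rec["df"] and out in mtus and rec.get("LEN", 0) > mtus[out]


def explain(rec, mtus=EGRESS_MTU):
    """List the reasons a parsed packet would be dropped by the chains above."""
    reasons = []
    if rec.get("PROTO") == "TCP" and is_new_not_syn(rec["flags"]):
        reasons.append("mid-stream TCP packet without conntrack state (newnotsyn)")
    if exceeds_egress_mtu(rec, mtus):
        reasons.append(
            f"DF packet LEN={rec['LEN']} exceeds {rec['OUT']} MTU {mtus[rec['OUT']]}; "
            "needs ICMP fragmentation-needed back to the sender"
        )
    return reasons


def summarize(log_text, mtus=EGRESS_MTU):
    """Count DROP lines per (src, dst, dpt) so repeat offenders stand out, and
    keep one explanation per flow."""
    counts = Counter()
    explanations = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        key = (rec.get("SRC"), rec.get("DST"), rec.get("DPT"))
        counts[key] += 1
        explanations.setdefault(key, explain(rec, mtus))
    return counts, explanations


if __name__ == "__main__":
    counts, why = summarize(SAMPLE_LOG)
    for (src, dst, dpt), n in counts.most_common():
        print(f"{n:3d}x {src} -> {dst}:{dpt}")
        for reason in why[(src, dst, dpt)]:
            print("      ", reason)
```

Run against a real `/var/log/messages`, the flow counts show which hosts keep hitting the newnotsyn chain (in the thread that was auron, 192.168.1.9, and a POP3 server's RST, neither of them the XP box), and the MTU check is the test to apply once the suspect host's traffic does appear with DF set. It only tells you the router has to send the ICMP; whether the client accepts it is the host-firewall question Tom asked.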
Antony Stubbs
2004-Feb-22 09:21 UTC
Re: Strange problem ShoreWall+Router+Outlook don't work...
One last thing - how do you get tcpdump to show icmp packets?

-- Tony.