thr3ads.net - Shorewall users - [Shorewall-users] cups,samba & others [Sep 2003]

If this information is useful, please help other people find it:
Share via:

Brian Marr

2003-Sep-15 22:07 UTC

[Shorewall-users] cups,samba & others

Knoppix 3.2 (Debian) Box running Shorewall 1.4.5-1
This is a home network with a Knoppix acting as a gateway to the net.

Shorewall is connecting to the net ok and masquerading to my other
PC''s.
It is allowing pings and ssh. But is has to do a few other things for me.
These are to allow the Samba server running on the same box to do its job.
Also needed are cups, vncserver, and Hylafax connections. For example,
Knoppix has a printer connected to it. These things are needed within
my home network, not from the outside. As seen below I
have tried a number of steps to get them going without luck. I know for sure
when I clear the rules, Hylafax works as does vnc server. But for now
Shorewall blocks them. Can anyone tell me where I have gone wrong in
simple language ?

Brian

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
ORIGINAL
#                                                       PORT    PORT(S) DEST
#
#       Accept DNS connections from the firewall to the network
#
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          fw              loc             udp     53
#
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#
#       Accept VNC connections
#
ACCEPT          loc             fw              tcp     5500
ACCEPT          loc             fw              udp     5500
ACCEPT          fw              loc             tcp     5500
ACCEPT          fw              loc             udp     5500
#
#       Allow Ping To And From Firewall
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
ACCEPT          fw              loc             icmp    0
ACCEPT          loc             fw              icmp    0
#
#       Allow Cups connections To And From Firewall
#
ACCEPT          loc             fw              tcp     631
#
#       Allow connection to the Hylafax Server
#
ACCEPT          loc             fw              tcp     4559
ACCEPT          loc             fw              udp     4559
ACCEPT          fw              loc             tcp     4559
ACCEPT          fw              loc             udp     4559
#
#       Allow Samba to work across the Firewall
#
ACCEPT          fw              loc             udp     137:139
ACCEPT          fw              loc             tcp     137,139
ACCEPT          fw              loc             udp     1024:           137
ACCEPT          loc             fw              udp     137:139
ACCEPT          loc             fw              tcp     137,139
ACCEPT          loc             fw              udp     1024:           137
#
#       Allow connections from VMware
#
ACCEPT          loc:192.168.77.1        loc     tcp
ACCEPT          loc:192.168.120.1       loc     tcp
ACCEPT          loc:192.168.50.7        loc     tcp

Tom Eastep

2003-Sep-16 08:01 UTC

head link

[Shorewall-users] cups,samba & others

On Mon, 2003-09-15 at 22:08, Brian Marr wrote:> Knoppix 3.2 (Debian) Box running Shorewall 1.4.5-1
> This is a home network with a Knoppix acting as a gateway to the net.
> 
> Shorewall is connecting to the net ok and masquerading to my other
PC''s.
> It is allowing pings and ssh. But is has to do a few other things for me.
> These are to allow the Samba server running on the same box to do its job.
> Also needed are cups, vncserver, and Hylafax connections. For example,
> Knoppix has a printer connected to it. These things are needed within
> my home network, not from the outside. As seen below I
> have tried a number of steps to get them going without luck. I know for
sure
> when I clear the rules, Hylafax works as does vnc server. But for now
> Shorewall blocks them. Can anyone tell me where I have gone wrong in
> simple language ?
*Look at your log ("shorewall show log")* -- it will tell you what
rules
you are missing (with the help of Shorewall FAQ 17 and
http://shorewall.net/troubleshoot.htm).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Brian Marr

2003-Sep-16 17:25 UTC

head link

[Shorewall-users] cups,samba & others

On Tue, Sep 16, 2003 at 08:01:40AM -0700, Tom Eastep
wrote:> On Mon, 2003-09-15 at 22:08, Brian Marr wrote:
> > Knoppix 3.2 (Debian) Box running Shorewall 1.4.5-1
> > This is a home network with a Knoppix acting as a gateway to the net.
> > 
> > Shorewall is connecting to the net ok and masquerading to my other
PC''s.
> > It is allowing pings and ssh. But is has to do a few other things for
me.
> > These are to allow the Samba server running on the same box to do its
job.
> > Also needed are cups, vncserver, and Hylafax connections. For example,
> > Knoppix has a printer connected to it. These things are needed within
> > my home network, not from the outside. As seen below I
> > have tried a number of steps to get them going without luck. I know
for sure
> > when I clear the rules, Hylafax works as does vnc server. But for now
> > Shorewall blocks them. Can anyone tell me where I have gone wrong in
> > simple language ?
> 
> *Look at your log ("shorewall show log")* -- it will tell you
what rules
> you are missing (with the help of Shorewall FAQ 17 and
> http://shorewall.net/troubleshoot.htm).
> 
> -Tom

Following instructions on http://shorewall.net/support.htm

/sbin/shorewall reset

Send Fax with Hylafax > result "connection refused".

Capture /tmp/status.txt

Attachment enclosed.
Brian
-------------- next part --------------
[H[2JShorewall-1.4.5 Status at Poncho - Wed Sep 17 09:24:49 CEST 2003

Counters reset Wed Sep 17 09:12:45 CEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7676 3325K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ippp0_in   all  --  ippp0  *       0.0.0.0/0            0.0.0.0/0
   64  4558 ippp1_in   all  --  ippp1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ippp2_in   all  --  ippp2  *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 5872  346K eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 vmnet1_in  all  --  vmnet1 *       0.0.0.0/0            0.0.0.0/0
    0     0 vmnet8_in  all  --  vmnet8 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ippp0_fwd  all  --  ippp0  *       0.0.0.0/0            0.0.0.0/0
   17  2549 ippp1_fwd  all  --  ippp1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ippp2_fwd  all  --  ippp2  *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
   19  3050 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 vmnet1_fwd  all  --  vmnet1 *       0.0.0.0/0            0.0.0.0/0
    0     0 vmnet8_fwd  all  --  vmnet8 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7676 3325K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     udp  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
    0     0 ACCEPT     udp  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
    0     0 fw2net     all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
   36  3650 fw2net     all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 5913 3410K fw2loc     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (17 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   93 10709 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    1    60 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:135
    1    78 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
   92 10649 DROP       all  --  *      *       0.0.0.0/0           
192.168.50.255

Chain dynamic (14 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   19  3050 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
   19  3050 loc2net    all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5872  346K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5872  346K loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5816 3398K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:5500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:5500
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:4559
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:4559
    4   507 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
   93 10709 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (4 references)
 pkts bytes target     prot opt in     out     source               destination
   34  3142 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    2   508 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ippp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain ippp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ippp1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  2549 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   17  2549 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain ippp1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   64  4558 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   64  4558 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ippp2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain ippp2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5861  344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:5500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:5500
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:631
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:4559
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:4559
   10  1482 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2loc (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       192.168.77.1         0.0.0.0/0   
state NEW
    0     0 ACCEPT     tcp  --  *      *       192.168.120.1        0.0.0.0/0   
state NEW
    0     0 ACCEPT     tcp  --  *      *       192.168.50.7         0.0.0.0/0   
state NEW
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (4 references)
 pkts bytes target     prot opt in     out     source               destination
   17  2929 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    2   121 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (13 references)
 pkts bytes target     prot opt in     out     source               destination
   17  2549 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   18  1002 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   17   924 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
   17   924 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   13   520 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   33  3036 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
   18  1002 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (9 references)
 pkts bytes target     prot opt in     out     source               destination
   13   520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 ACCEPT     all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    1    78 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain vmnet1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 vmnet2loc  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vmnet8  0.0.0.0/0            0.0.0.0/0

Chain vmnet1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vmnet2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:vmnet2loc:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vmnet8_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp0   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ippp2   0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 vmnet2loc  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vmnet1  0.0.0.0/0            0.0.0.0/0

Chain vmnet8_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Sep 17 09:06:16 net2all:DROP:IN=ippp1 OUT= SRC=24.74.6.7 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=22994 DF PROTO=TCP SPT=3012 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:06:22 net2all:DROP:IN=ippp1 OUT= SRC=24.74.6.7 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=23716 DF PROTO=TCP SPT=3012 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:14:17 net2all:DROP:IN=ippp1 OUT= SRC=211.41.227.104 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=38694 DF PROTO=TCP SPT=3580 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:14:20 net2all:DROP:IN=ippp1 OUT= SRC=211.41.227.104 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=39027 DF PROTO=TCP SPT=3580 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:14:26 net2all:DROP:IN=ippp1 OUT= SRC=211.41.227.104 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=39741 DF PROTO=TCP SPT=3580 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:19:31 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=43236 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:31 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=45413 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:32 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=49419 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:34 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=57151 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:37 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2042 PROTO=TCP SPT=52360 DPT=80 WINDOW=65535
RES=0x00 SYN URGP=0
Sep 17 09:19:41 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=15497 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:47 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=36476 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:55 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=63189 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:19:56 net2all:DROP:IN=ippp1 OUT= SRC=66.141.165.197 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=63657 DF PROTO=TCP SPT=4606 DPT=80
WINDOW=4288 RES=0x00 SYN URGP=0
Sep 17 09:19:59 net2all:DROP:IN=ippp1 OUT= SRC=66.141.165.197 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=64003 DF PROTO=TCP SPT=4606 DPT=80
WINDOW=4288 RES=0x00 SYN URGP=0
Sep 17 09:20:07 net2all:DROP:IN=ippp1 OUT= SRC=211.76.97.228 DST=203.220.225.39
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=41045 PROTO=TCP SPT=52360 DPT=80
WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 09:22:20 net2all:DROP:IN=ippp1 OUT= SRC=64.231.33.175 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=43915 DF PROTO=TCP SPT=3518 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:22:23 net2all:DROP:IN=ippp1 OUT= SRC=64.231.33.175 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=44246 DF PROTO=TCP SPT=3518 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:22:29 net2all:DROP:IN=ippp1 OUT= SRC=64.231.33.175 DST=203.220.225.39
LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=44980 DF PROTO=TCP SPT=3518 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Sep 17 09:24:10 all2all:REJECT:IN= OUT=eth0 SRC=192.168.50.3 DST=192.168.50.1
LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4558 DPT=32809
WINDOW=5840 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 72 packets, 5479 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6 packets, 820 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   394 ippp1_masq  all  --  *      ippp1   0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 98 packets, 11489 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ippp1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   121 MASQUERADE  all  --  *      *       192.168.50.0/24      0.0.0.0/0

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.50.0/24      0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 13663 packets, 3686K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 man1918    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0   
state NEW
13663 3686K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 13627 packets, 3680K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 36 packets, 5599 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13640 packets, 6747K bytes)
 pkts bytes target     prot opt in     out     source               destination
13640 6747K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 13587 packets, 6743K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0           
169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0           
172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0           
192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            49.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            50.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0           
198.18.0.0/15
    0     0 logdrop    all  --  *      *       0.0.0.0/0            201.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
 3886 3245K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3917  227K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

tcp      6 431655 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1053
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1053 [ASSURED]
use=1
tcp      6 431682 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1065
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1065 [ASSURED]
use=1
tcp      6 431977 ESTABLISHED src=192.168.50.1 dst=192.168.50.3 sport=32769
dport=631 src=192.168.50.3 dst=192.168.50.1 sport=631 dport=32769 [ASSURED]
use=1
tcp      6 431999 ESTABLISHED src=192.168.50.1 dst=192.168.50.3 sport=32778
dport=22 src=192.168.50.3 dst=192.168.50.1 sport=22 dport=32778 [ASSURED] use=1
tcp      6 431274 ESTABLISHED src=192.168.50.1 dst=192.168.50.3 sport=32793
dport=22 src=192.168.50.3 dst=192.168.50.1 sport=22 dport=32793 [ASSURED] use=1
tcp      6 431681 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1060
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1060 [ASSURED]
use=1
tcp      6 431681 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1063
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1063 [ASSURED]
use=1
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1086 dport=6010
src=127.0.0.1 dst=127.0.0.1 sport=6010 dport=1086 [ASSURED] use=1
udp      17 1 src=192.168.50.1 dst=203.194.27.57 sport=32818 dport=53
src=203.194.27.57 dst=203.220.225.39 sport=53 dport=32818 [ASSURED] use=1
udp      17 3 src=192.168.50.3 dst=192.168.50.255 sport=137 dport=137
[UNREPLIED] src=192.168.50.255 dst=192.168.50.3 sport=137 dport=137 use=1
udp      17 3 src=192.168.50.1 dst=192.168.50.3 sport=137 dport=137 [UNREPLIED]
src=192.168.50.3 dst=192.168.50.1 sport=137 dport=137 use=1
tcp      6 431998 ESTABLISHED src=192.168.50.1 dst=192.168.50.3 sport=32794
dport=22 src=192.168.50.3 dst=192.168.50.1 sport=22 dport=32794 [ASSURED] use=1
tcp      6 431631 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1055
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1055 [ASSURED]
use=1
tcp      6 431681 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1061
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1061 [ASSURED]
use=1
tcp      6 80 TIME_WAIT src=192.168.50.1 dst=192.168.50.3 sport=32808 dport=4559
src=192.168.50.3 dst=192.168.50.1 sport=4559 dport=32808 [ASSURED] use=1
tcp      6 431725 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1064
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1064 [ASSURED]
use=1
tcp      6 431949 ESTABLISHED src=192.168.50.3 dst=192.168.50.3 sport=1067
dport=6001 src=192.168.50.3 dst=192.168.50.3 sport=6001 dport=1067 [ASSURED]
use=1

Tom Eastep

2003-Sep-16 18:27 UTC

head link

[Shorewall-users] cups,samba & others

On Wed, 17 Sep 2003, Brian Marr wrote:
>
>
> Following instructions on http://shorewall.net/support.htm
>
> /sbin/shorewall reset
>
> Send Fax with Hylafax > result "connection refused".
>
> Capture /tmp/status.txt
>
> Attachment enclosed.
Fine -- let''s just solve this problem the easy way:

a) Remove ALL RULES between zones ''fw'' and
''loc''.
b) Before the "all all" policy, add:

	loc	fw	ACCEPT
	fw	loc	ACCEPT

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Brian Marr

2003-Sep-17 15:29 UTC

head link

[Shorewall-users] cups,samba & others

Tom, thanks for your post. I ended up editing the "rules" file and
removing
those referring to fw and loc. In "policy" I am showing

loc             fw              ACCEPT
fw              loc             ACCEPT
all             all             REJECT          info

Hope this is ok. It is working :)

Regards
Brian


On Tue, Sep 16, 2003 at 06:27:52PM -0700, Tom Eastep
wrote:> On Wed, 17 Sep 2003, Brian Marr wrote:
> 
> >
> >
> > Following instructions on http://shorewall.net/support.htm
> >
> > /sbin/shorewall reset
> >
> > Send Fax with Hylafax > result "connection refused".
> >
> > Capture /tmp/status.txt
> >
> > Attachment enclosed.
> 
> Fine -- let''s just solve this problem the easy way:
> 
> a) Remove ALL RULES between zones ''fw'' and
''loc''.
> b) Before the "all all" policy, add:
> 
> 	loc	fw	ACCEPT
> 	fw	loc	ACCEPT
> 
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

Tom Eastep

2003-Sep-17 15:34 UTC

head link

[Shorewall-users] cups,samba & others

On Wed, 2003-09-17 at 15:31, Brian Marr wrote:> Tom, thanks for your post. I ended up editing the "rules" file
and removing
> those referring to fw and loc. In "policy" I am showing
> 
> loc             fw              ACCEPT
> fw              loc             ACCEPT
> all             all             REJECT          info
> 
> Hope this is ok. It is working :)
Should be fine -- the design of Netfilter requires that traffic to/from
the firewall system be treated differently but many users consider their
firewall system to be "just another local system". The policy trick
that
you have implemented above helps materialize that view and is much
easier for Linux/Networking newbies to deal with.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Richard

2003-Sep-18 12:49 UTC

head link

[Shorewall-users] cups,samba & others

On Wednesday 17 September 2003 05:34 pm, Tom Eastep
wrote:> On Wed, 2003-09-17 at 15:31, Brian Marr wrote:
> > Tom, thanks for your post. I ended up editing the "rules"
file and
> > removing those referring to fw and loc. In "policy" I am
showing
> >
> > loc             fw              ACCEPT
> > fw              loc             ACCEPT
> > all             all             REJECT          info
> >
> > Hope this is ok. It is working :)
Tom, I just want to be sure before I really screw up a perfectly working 
system and so others reading this thread will understand completely:

I have many entries in my Rules file that deal with loc to fw and fw to loc 
addressing any number of ports.  By placing the two loc>fw and fw>loc 
ACCEPT
entries in the Policy file, those many things are no longer necessary and may 
be safely deleted FROM THE RULES file. Scream once if yes, twice if no.

 I apologize for appearing dense but I figure if I asked it and stated it in a 
slightly different way maybe it will preclude a lot of other bonehead 
questions on the same subject.

Thanks again,  glad you''re back.
Richard

Tom Eastep

2003-Sep-18 13:05 UTC

head link

[Shorewall-users] cups,samba & others

On Thu, 2003-09-18 at 12:45, Richard wrote:> On Wednesday 17 September 2003 05:34 pm, Tom Eastep wrote:
> > On Wed, 2003-09-17 at 15:31, Brian Marr wrote:
> > > Tom, thanks for your post. I ended up editing the
"rules" file and
> > > removing those referring to fw and loc. In "policy" I
am showing
> > >
> > > loc             fw              ACCEPT
> > > fw              loc             ACCEPT
> > > all             all             REJECT          info
> > >
> > > Hope this is ok. It is working :)
> 
> Tom, I just want to be sure before I really screw up a perfectly working 
> system and so others reading this thread will understand completely:
> 
> I have many entries in my Rules file that deal with loc to fw and fw to loc
> addressing any number of ports.  By placing the two loc>fw and fw>loc
ACCEPT
> entries in the Policy file, those many things are no longer necessary and
may
> be safely deleted FROM THE RULES file. Scream once if yes, twice if no.
The ACCEPT rules may be removed -- if you have DROP or REJECT rules,
those must stay.
> 
>  I apologize for appearing dense but I figure if I asked it and stated it
in a
> slightly different way maybe it will preclude a lot of other bonehead 
> questions on the same subject.
> 
a) Rules are exceptions to policy.
b) If your policy is ACCEPT then any ACCEPT rules that are covered by
that policy are superfluous.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Sep 2003 - cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others

[Shorewall-users] cups,samba & others