Hi shorewall users.
It's my first question on this list. I've carefully read the doc,
searched the list but...
I've three cards on my shorewall box :
eth0 -> net : the evil internet (a C class network ;-)
eth1 -> local : our network, a C class range
eth2 -> guest : a NAT/RFC1819 network, C class, DHCP
Everything works nice from the "guest" network. Surfing, pinging,
all is ok, except that I can't see the local network.
The problem is with the "local" zone. From it, I can see the
firewall, ping eth0 or eth1, but cannot do anything on "net".
No ping, no other services as well. And there are no logs when
I make my test.
Here is my config :
#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aaa.bbb.ccc.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
xxx.yy.zzz.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.221.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         aaa.bbb.ccc.1   0.0.0.0         UG    0      0        0 eth0
zones :
#ZONE DISPLAY COMMENTS
net Net Internet
local Local Local network
guest Visitors Network for visitors only
interfaces :
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 aaa.bbb.ccc.255
local eth1 xxx.yy.zzz.255
guest eth2 192.168.221.255
policy :
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
local net ACCEPT
local guest ACCEPT
local fw ACCEPT
guest fw DROP info
guest local ACCEPT
guest net ACCEPT
net all DROP info
all all REJECT info
(I'll drop local/guest and guest/local as soon as it works)
masq :
#INTERFACE SUBNET ADDRESS
eth0 eth2
rules :
#==================== Access to the firewall itself
#===========================ACCEPT local:xxx.yy.zzz.ttt fw all
ACCEPT net fw tcp - http
ACCEPT fw net tcp http
#-----------------------------------------------------------------------------
# ping handling
#-----------------------------------------------------------------------------
ACCEPT local fw icmp echo-request
ACCEPT fw local icmp echo-request
ACCEPT local guest icmp echo-request
ACCEPT guest local icmp echo-request
# refuse ping from outside to firewall
DROP net fw icmp echo-request
ACCEPT fw net icmp echo-request
ACCEPT all net icmp echo-request
#-----------------------------------------------------------------------------
# DNS on the firewall
#-----------------------------------------------------------------------------
# we can query our own DNS server
ACCEPT fw local:$DNS_SERVER tcp - domain
ACCEPT fw local:$DNS_SERVER udp - domain
# we can query external DNS servers
ACCEPT fw net tcp domain
ACCEPT fw net udp domain
#-----------------------------------------------------------------------------
# DNS IN
#-----------------------------------------------------------------------------
ACCEPT net local:$DNS_SERVER tcp domain
ACCEPT net local:$DNS_SERVER udp domain
ACCEPT guest local:$DNS_SERVER tcp domain
ACCEPT guest local:$DNS_SERVER udp domain
#-----------------------------------------------------------------------------
# DNS OUT
#-----------------------------------------------------------------------------
ACCEPT local net tcp domain
ACCEPT local net udp domain
Sorry, some comments are in French. As a test, I've tried to open
an access from the outside ("net") to the inner DNS server. But this is
not my problem now.
I've checked and re-checked my config, but cannot find what's
wrong. Am I missing something about the routing? Nothing seems to
go from the "local" zone to "net".
Norbert
-----------------------------------------------------------
INSTITUT DALLE MOLLE D'INTELLIGENCE ARTIFICIELLE PERCEPTIVE
. __ . ___ __ | Norbert Crettol
/ / ` / / / / / | System Engineer
/ / / / /--/ /-- | Tel:++41-27-721.77.25
/ /__.' / / / / | Fax:++41-27-721.77.12
| email : norbert.crettol@idiap.ch
Rue du Simplon 4-CP 592 |
CH-1920 Martigny | http://www.idiap.ch
--------------------------------------------------------
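The policy and masq tables above are evaluated first-match-wins, with "all" acting as a wildcard, which is easy to misjudge by eye. The following is an added example (not part of the post, and not shorewall's own code) that parses constructed copies of those two tables and reports the effective policy for a zone pair and whether traffic from an interface is masqueraded; it only evaluates the tables as written and does not settle the routing question the poster raises.

```python
"""Evaluate shorewall-style policy and masq tables (added example)."""

# Constructed copies of the policy and masq tables from the post above.
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
local net ACCEPT
local guest ACCEPT
local fw ACCEPT
guest fw DROP info
guest local ACCEPT
guest net ACCEPT
net all DROP info
all all REJECT info
"""

MASQ = """\
#INTERFACE SUBNET ADDRESS
eth0 eth2
"""


def parse_table(text):
    """Return the non-comment, non-empty rows of a table, split on whitespace."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def effective_policy(policy_text, src, dst):
    """First matching row wins; 'all' matches any zone. Returns (policy, log_level)."""
    for row in parse_table(policy_text):
        s, d, pol = row[0], row[1], row[2]
        level = row[3] if len(row) > 3 else None
        if s in (src, "all") and d in (dst, "all"):
            return pol, level
    return None, None  # no row matched; shorewall would refuse such a table


def is_masqueraded(masq_text, out_iface, src_iface):
    """True if traffic from src_iface leaving via out_iface has a masq row.
    Assumption: the SUBNET column holds a single interface name, as in the post."""
    for row in parse_table(masq_text):
        if len(row) >= 2 and row[0] == out_iface and row[1] == src_iface:
            return True
    return False
```

Run `effective_policy(POLICY, "local", "net")` to see the ACCEPT row applied, and `is_masqueraded(MASQ, "eth0", "eth1")` to confirm that only eth2 traffic is masqueraded out eth0.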