Sini Mäkelä
2003-Aug-03 10:12 UTC
[Shorewall-users] problem with accessing services in internal network
Hi,

I recently started to use Shorewall. My network configuration is simple: I have a firewall/router machine with two network interfaces and a couple of computers behind it in the local network. All machines in my local network can use services on the internet. My problem is that they can't see services provided by other machines on my internal network. The only machine that can use those services is the firewall machine. Every computer can ping each other though. There's nothing in the log files for dropped/rejected packages; when I for example try to access a web server in my internal network, the connection just kind of "hangs".

I've gone through my configuration files a million times and I don't understand what the problem might be. Obviously there is a setting I must be missing. Does anybody else have some idea? Here's what I have in my configuration files (these are the only ones I've made changes to):

interfaces:
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect
loc      eth1         detect

masq:
#INTERFACE    SUBNET           ADDRESS
eth0          192.168.1.0/24

policy:
#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc        all     ACCEPT
fw         all     ACCEPT
net        all     DROP      info
all        all     REJECT    info

zones:
#ZONE    DISPLAY    COMMENTS
net      Net        Internet
loc      Local      Local networks

Thanks!

- Sini
Ed Greshko
2003-Aug-03 10:22 UTC
[Shorewall-users] problem with accessing services in internal network
On Mon, 2003-08-04 at 01:12, Sini Mäkelä wrote:
> I recently started to use Shorewall. My network configuration is simple,
> I have a firewall/router machine with two network interfaces and a couple
> of computers behind it in the local network. All machines in my local
> network can use services on the internet. My problem is that they can't
> see services provided by other machines on my internal network. The only
> machine that can use those services is the firewall machine. Every
> computer can ping each other though. There's nothing in the log files for
> dropped/rejected packages, when I for example try to access a web server
> in my internal network, the connection just kind of "hangs".

I think you are saying that machines in your loc zone are not able to use a web server also located in your loc zone. In that case the firewall should not be involved since there is a direct link between machines on the same subnet.

When trying to use the web server, for example, did you use an IP address or hostname? You may have a DNS issue.

> I've gone through my configuration files a million times and I don't
> understand what the problem might be. Obviously there is a setting I must
> be missing. Does anybody else have some idea? Here's what I have in my
> configuration files (these are the only ones I've made changes to):
>
> interfaces:
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> net      eth0         detect
> loc      eth1         detect
>
> masq:
> #INTERFACE    SUBNET           ADDRESS
> eth0          192.168.1.0/24
>
> policy:
> #SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
> loc        all     ACCEPT
> fw         all     ACCEPT
> net        all     DROP      info
> all        all     REJECT    info
>
> zones:
> #ZONE    DISPLAY    COMMENTS
> net      Net        Internet
> loc      Local      Local networks
>
> Thanks!
>
> - Sini

--
http://www.shorewall.net
Shorewall, for all your firewall needs
Sini Mäkelä
2003-Aug-03 11:00 UTC
[Shorewall-users] problem with accessing services in internal network
On Mon, Aug 04, 2003 at 01:21:50AM +0800, Ed Greshko wrote:
> > I recently started to use Shorewall. My network configuration is simple,
> > I have a firewall/router machine with two network interfaces and a couple
> > of computers behind it in the local network. All machines in my local
> > network can use services on the internet. My problem is that they can't
> > see services provided by other machines on my internal network. The only
> > machine that can use those services is the firewall machine. Every
> > computer can ping each other though. There's nothing in the log files for
> > dropped/rejected packages, when I for example try to access a web server
> > in my internal network, the connection just kind of "hangs".
>
> I think you are saying that machines in your loc zone are not able to
> use a web server also located in your loc zone. In that case the
> firewall should not be involved since there is a direct link between
> machines on the same subnet.
>
> When trying to use the web server, for example, did you use an IP
> address or hostname? You may have a DNS issue.

I always use IP addresses in my local network. I can ping the server, as well as other machines in my local network; it's just other types of connections that always time out. It's not just the web server, but other types of services as well (VNC, Samba), which are set up on different machines.

This configuration worked before I installed Shorewall, so I assumed it is something to do with it. The machine with Shorewall is after all the default gateway for all my machines. I am open to any other suggestions as well.

- Sini
Cowles, Steve
2003-Aug-03 11:39 UTC
[Shorewall-users] problem with accessing services in internal network
Sini Mäkelä wrote:
> I always use IP addresses in my local network. I can ping the server,
> as well as other machines in my local network, it's just other types of
> connections that always time out. It's not just the web server, but
> other types of services as well (VNC, Samba), which are set up on
> different machines.
>
> This configuration worked before I installed Shorewall, so I assumed
> it is something to do with it. The machine with Shorewall is after
> all the default gateway for all my machines. I am open to any other
> suggestions as well.

Are you stating that you cannot access your internal web server using its IP address like http://192.168.1.5 from another host on the same LAN??? If so, then I would think this is a routing/netmask related problem on the hosts that are behind your firewall. But yet you state you can ping these same systems. Strange! Maybe you can post your routing tables.

A couple of other things you might want to check:

1) Are you sure that you have not configured these services with their own ACL type restrictions like hosts.allow/deny, htaccess, etc...

2) Are you sure that your webserver is not invoking its own set of firewall rules?

Steve Cowles
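Steve's suggestion above is a netmask/routing problem on the LAN hosts. The following is an added illustration, not code from the thread: it parses a `route -n` table (the sample tables are constructed) and does the kernel's longest-prefix match, so you can see whether a same-subnet peer is reached on-link or is being pushed through the gateway. All function names here are my own.

```python
import ipaddress

# Constructed sample: a LAN host whose eth0 netmask was mistakenly set to /32,
# so every other 192.168.1.x host falls through to the default gateway.
BAD_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample: the same host with the expected /24 connected route.
GOOD_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Turn `route -n` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.ip_address(gw), iface))
    return routes

def path_to(routes, dest):
    """Longest-prefix match: 'on-link', 'via <gateway> (<iface>)' or 'unreachable'."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return "unreachable"
    return "on-link" if best[1] is None else f"via {best[1]} ({best[2]})"

def check_lan_peers(route_n_text, peers):
    """Report how each LAN peer would be reached; 'via' for a same-subnet host
    means the netmask or a static route is wrong on this machine."""
    routes = parse_route_n(route_n_text)
    return {peer: path_to(routes, peer) for peer in peers}
```

Run `check_lan_peers(open_output, ["192.168.1.5"])` on the real `route -n` text of a host that cannot reach its neighbours; a "via" answer for a 192.168.1.x peer means the traffic is hitting the firewall instead of the direct link Ed described.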
Ed Greshko
2003-Aug-03 18:03 UTC
[Shorewall-users] problem with accessing services in internal network
On Mon, 2003-08-04 at 01:59, Sini Mäkelä wrote:
> I always use IP addresses in my local network. I can ping the server, as
> well as other machines in my local network, it's just other types of
> connections that always time out. It's not just the web server, but
> other types of services as well (VNC, Samba), which are set up on
> different machines.
>
> This configuration worked before I installed Shorewall, so I assumed it
> is something to do with it. The machine with Shorewall is after all the
> default gateway for all my machines. I am open to any other suggestions
> as well.

Please post your configuration details. What you are saying doesn't fit your description of your network.

Also, on the same host you are pinging the other host from, could you do the following....

ping IP_ADD
telnet IP_ADD 80

Thanks,
ed

--
http://www.shorewall.net
Shorewall, for all your firewall needs
Tom Eastep
2003-Aug-03 19:09 UTC
[Shorewall-users] problem with accessing services in internal network
On Sun, 3 Aug 2003 20:00:31 +0200, Sini Mäkelä <sini@zilched.net> wrote:
>>
>> When trying to use the web server, for example, did you use an IP
>> address or hostname? You may have a DNS issue.
>
> I always use IP addresses in my local network. I can ping the server, as
> well as other machines in my local network, it's just other types of
> connections that always time out. It's not just the web server, but
> other types of services as well (VNC, Samba), which are set up on
> different machines.
>
> This configuration worked before I installed Shorewall, so I assumed it
> is something to do with it. The machine with Shorewall is after all the
> default gateway for all my machines. I am open to any other suggestions
> as well.

This could still be DNS-related if reverse DNS lookups no longer work. Where is the DNS server used by your local network and have you enabled access to it?

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net