Two legged 1.4.2 firewall

zone nwl is eth0 (192.168.221.0/24 ($FW on .205))
zone jvc is eth1 (10.200.47.0/24 ($FW on .253))

Let's suppose I need to allow traffic from nwl to "jvn", which is 10.200.0.0/16 (yes, I do realize that they overlap), and route that traffic to 10.200.47.254?

The router upstream from this one routes 10.200.0.0/16 -> 192.168.221.205 and I do see "rejects" on this box.

Now, I figured that this is a case of "Case 1" for hosts, so I went and did

(zones)
jvn    JVN    JOIN

(hosts)
jvn    eth1:10.200.0.0/16

(rules)
ACCEPT    nwl    jvn    all

(policy)
all    jvn    ACCEPT
jvn    all    ACCEPT
(yes, I know this overlaps with rules)

but it still rejects everything.

What am I not doing right this time?

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
On Wed, 4 Jun 2003 08:23:50 +0200, j2 <spamfilter2@mupp.net> wrote:

> Two legged 1.4.2 firewall
>
> zone nwl is eth0 (192.168.221.0/24 ($FW on .205))
> zone jvc is eth1 (10.200.47.0/24 ($FW on .253))
>
> Let's suppose I need to allow traffic from nwl to "jvn", which is
> 10.200.0.0/16 (yes, I do realize that they overlap), and route that
> traffic to 10.200.47.254?
>
> The router upstream from this one routes 10.200.0.0/16 -> 192.168.221.205
> and I do see "rejects" on this box.
>
> Now, I figured that this is a case of "Case 1" for hosts, so I went and
> did
>
> (zones)
> jvn    JVN    JOIN
>
> (hosts)
> jvn    eth1:10.200.0.0/16
>
> (rules)
> ACCEPT    nwl    jvn    all
>
> (policy)
> all    jvn    ACCEPT
> jvn    all    ACCEPT
> (yes, I know this overlaps with rules)
>
> but it still rejects everything.
>
> What am I not doing right this time?
>

Please post the output of "shorewall status" as an attachment. Be sure that the included log display shows some of these rejects.

Thanks,
-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
Quoting Tom Eastep <teastep@shorewall.net>:

> Please post the output of "shorewall status" as an attachment. Be sure that
> the included log display shows some of these rejects.

I'll collect some tomorrow. But, am I on the right track with my thinking? As in: Is this one of the cases where hosts is needed?
On Wed, 4 Jun 2003 16:52:15 +0200, j2 <spamfilter2@mupp.net> wrote:

> Quoting Tom Eastep <teastep@shorewall.net>:
>
>> Please post the output of "shorewall status" as an attachment. Be sure
>> that the included log display shows some of these rejects.
>
> I'll collect some tomorrow. But, am I on the right track with my
> thinking? As in: Is this one of the cases where hosts is needed?
>

I don't know -- I don't understand your network setup yet. When you send the "shorewall status" output, please include the output from "route -n".

Thanks,
-Tom
> I don't know -- I don't understand your network setup yet. When you send
> the "shorewall status" output, please include the output from "route -n".

Aha, uhm, I'll have to postpone the debugging for a day or so, got an urgent task to clear first. Shall I draw a schematic of the layout?