altcnc
2002-Dec-19 08:58 UTC
[Shorewall-users] Shorewall works behind firewall, but not as firewall...
I'm attempting to set up Shorewall on a box that is to replace my current firewall/router/etc... I currently have a two-interface setup like the one described in the HOWTO, and am configuring the Shorewall box as the same. I installed Shorewall on the box, behind my current firewall on a private network (10/8 on eth0), and placed a switch and another computer behind the Shorewall box (192.168.0/24 on eth1). I was very pleased with the setup, and it appeared to work wonderfully right away. The Windows computer behind the Shorewall box got its DHCP lease and was able to access the internet and the Shorewall box; the Shorewall box was able to access the Windows computer and the internet. Looked great.

Next, I brought down my network, and moved the Shorewall box to replace my current firewall (just like the two-interface HOWTO is laid out). When I brought the network back up, the Shorewall box correctly got its public IP address on eth0; however, now the all2all chain is blocking traffic from the computers behind the firewall to the internet and from the firewall to the internet (enabled in the policy file). I can ping, ssh, etc. between the firewall and local network, but cannot ping, ssh, http past the Shorewall box to the internet. I can't understand why it would work behind my original firewall, but not in place of it. (Yes, the original firewall is completely off the network; I've restarted my cable modem, all computers on the network, and Shorewall; ifcfg-eth0 and ifcfg-eth1 were correctly rewritten and restarted to match the new configuration; I've commented out 10/8 and 192.168.0/24 in the rfc1918 file.) What's going wrong, and what information can I provide to help determine the cause...
RedHat 8.0
iptables 1.2.6a
kernel 2.4.18-8.0smp

/etc/shorewall/masq
#INTERFACE	SUBNET	ADDRESS
eth0		eth1

/etc/shorewall/policy
#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
loc	net	ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw	net	ACCEPT
net	all	DROP	info
all	all	REJECT	info

Typical log entries:

Dec 18 23:37:24 junzabid2 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 SRC=10.0.0.2 DST=128.95.120.1 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=6472 PROTO=UDP SPT=2090 DPT=53 LEN=42
Dec 18 23:32:45 junzabid2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.0.0.1 DST=204.127.198.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=36058 DF PROTO=UDP SPT=1024 DPT=53 LEN=51

(hmmm ok, now I notice: why are these entering and leaving eth1?)

Thanks...
Tom Eastep
2002-Dec-19 15:15 UTC
[Shorewall-users] Shorewall works behind firewall, but not as firewall...
--On Thursday, December 19, 2002 12:58:29 AM -0800 altcnc <altcnc@hotmail.com> wrote:

> (hmmm ok, now I notice: why are these entering and leaving eth1?)
>

Check your routing table

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
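The routing-table check Tom suggests is the decisive diagnostic here: OUT=eth1 on packets bound for public addresses means the kernel's route lookup chose the internal interface for those destinations, which is what a default route left pointing at the inside network (as it was when the box sat behind the old firewall) produces. The script below is an added example, not part of this thread or of Shorewall; it parses `ip route show`-style output and a Shorewall REJECT log line, performs the same longest-prefix match the kernel does, and reports whether the destination would leave through the expected external interface. The routing tables, the 203.0.113.0/24 public block, the gateway addresses and the log line are all constructed for the example.

```python
import ipaddress
import re

# Constructed routing table in `ip route show` format; not taken from the thread.
# It reproduces the symptom in the poster's log: the default route leaves via the
# internal interface (eth1), so internet-bound packets never reach eth0.
BROKEN_ROUTES = """\
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.50
default via 10.0.0.254 dev eth1
"""

# The same interfaces with the default route where a two-interface firewall
# needs it: out the external interface toward the ISP gateway (constructed).
FIXED_ROUTES = """\
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.50
default via 203.0.113.1 dev eth0
"""

# Constructed log line in the same Shorewall:all2all:REJECT format as the thread.
SAMPLE_LOG = (
    "Dec 18 23:32:45 fw kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=10.0.0.1 DST=204.127.198.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=36058 DF PROTO=UDP SPT=1024 DPT=53 LEN=51"
)


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(parts[0], strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_log(line):
    """Extract KEY=value fields from a netfilter/Shorewall log line.
    An empty value (IN= for locally generated packets) is kept as ''."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def diagnose(line, routes, external_if="eth0"):
    """Compare the interface the packet actually left on (OUT=) with the one
    the routing table picks for its destination, and flag the case where an
    internet-bound packet would not exit the expected external interface."""
    fields = parse_log(line)
    out_if = fields.get("OUT") or None
    routed_via = egress_interface(routes, fields["DST"])
    return {
        "dst": fields["DST"],
        "out": out_if,
        "routed_via": routed_via,
        "ok": routed_via == external_if,
    }


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        result = diagnose(SAMPLE_LOG, parse_routes(table))
        verdict = "ok" if result["ok"] else "default route exits the wrong interface"
        print(f"{label}: {result['dst']} via {result['routed_via']}: {verdict}")
```

On the firewall itself the equivalent check is just the `default` line of `ip route show` (or `route -n` on a 2002-era Red Hat box): it must name the external interface and the ISP's gateway, not an address on the inside network.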
Tom Eastep
2002-Dec-19 15:39 UTC
[Shorewall-users] Shorewall works behind firewall, but not as firewall...
--On Thursday, December 19, 2002 12:58:29 AM -0800 altcnc <altcnc@hotmail.com> wrote:

> Typical log entries:
> Dec 18 23:37:24 junzabid2 kernel: Shorewall:all2all:REJECT:IN=eth1
> OUT=eth1 SRC=10.0.0.2 DST=128.95.120.1 LEN=62 TOS=0x00 PREC=0x00 TTL=127
> ID=6472 PROTO=UDP SPT=2090 DPT=53 LEN=42
> Dec 18 23:32:45 junzabid2 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=10.0.0.1 DST=204.127.198.4 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=36058
> DF PROTO=UDP SPT=1024 DPT=53 LEN=51
>
> (hmmm ok, now I notice: why are these entering and leaving eth1?)
>

This can also be caused by having both eth0 and eth1 connected to the same hub or switch.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net