gal ben haim
2002-Dec-30 13:55 UTC
[Shorewall-users] local network connections to firewall
I want to allow all connections between the firewall machine and the local network. I added the following lines to the 'policy' file:

loc fw ACCEPT
fw loc ACCEPT

Everything worked (pop3, ftp etc.) except samba. For some reason samba only worked when I added the following lines to the 'rules' file:

ACCEPT loc fw
ACCEPT fw loc

What am I missing here? I don't believe that I need to have the same rule in two files, how do I really need to configure it?
gal ben haim
2002-Dec-30 13:58 UTC
[Shorewall-users] local network connections to firewall
I want to allow all connections between the firewall machine and the local network. I added the following lines to the 'policy' file:

loc fw ACCEPT
fw loc ACCEPT

Everything worked (pop3, ftp etc.) except samba. For some reason samba only worked when I added the following lines to the 'rules' file:

ACCEPT loc fw
ACCEPT fw loc

What am I missing here? I don't believe that I need to have the same rule in two files, how do I really need to configure it?
--On Monday, December 30, 2002 11:54:58 PM +0200 gal ben haim <galbh@pent900.com> wrote:

> I want to allow all connections between the firewall machine and the local
> network. I added to the 'policy' file the following lines:
> loc fw ACCEPT
> fw loc ACCEPT
>
> everything worked (pop3, ftp etc..) except samba
>
> for some reason samba only worked when i added the following lines to the
> 'rules' file:
> ACCEPT loc fw
> ACCEPT fw loc
>
> What am i missing here? I don't believe that i need to have the same rule
> in two files, how do i really need to configure it ?

You're going to have to provide more information than the above for me to give you any help. And posting the same message twice doesn't count...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
stupid_me('forgot to include the list');

> I want to allow all connections between the firewall machine and the local
> network. I added to the 'policy' file the following lines:
> loc fw ACCEPT
> fw loc ACCEPT
> everything worked (pop3, ftp etc..) except samba

That should do it. I just set up a box (dial-in router with samba server) last night and it runs smoothly. (Yes, I do know, a firewall should not work as a file server...)

> for some reason samba only worked when i added the following lines to the
> 'rules' file:
> ACCEPT loc fw
> ACCEPT fw loc

That's weird. And the rules are to open special ports, not blank. Rules are evaluated before policy. So I assume you have messed with the order in policy. Are those policies from above _before_ the DROP and REJECT policies? IMHO the first matching policy counts, so REJECT from all to all would render all other policies useless.

.karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
--On Monday, December 30, 2002 11:21:51 PM +0100 kb <kb@bluehash.de> wrote:

> IMHO the first matching policy counts, so REJECT from all to all would
> render all other policies useless.

From the comment at the top of the policy file:

For each source/destination pair, the file is processed in order until a match is found ("all" will match any client or server).

So yes -- the order of policies is important.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
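As an added illustration of the two points made above (Karsten: rules are evaluated before policy; Tom: the policy file is processed in order until the first match, and "all" matches any zone), here is a small Python model of that evaluation order. It is not code from this thread or from Shorewall itself; the sample 'policy' and 'rules' contents are constructed, the column layouts are simplified to SOURCE DEST POLICY and ACTION SOURCE DEST PROTO PORT, and the function names are the author's own.

```python
"""Model of Shorewall's rules-then-policy, first-match evaluation.

Constructed example; not Shorewall's own code. Column layouts are simplified.
"""

# Constructed policy file with the catch-all REJECT placed FIRST: the two
# loc/fw ACCEPT entries below it can never match.
POLICY_WRONG_ORDER = """\
# SOURCE  DEST  POLICY
all       all   REJECT
loc       fw    ACCEPT
fw        loc   ACCEPT
"""

# Constructed policy file with specific pairs first and the catch-all last.
POLICY_RIGHT_ORDER = """\
# SOURCE  DEST  POLICY
loc       fw    ACCEPT
fw        loc   ACCEPT
net       all   DROP
all       all   REJECT
"""

# Constructed rules file (ACTION SOURCE DEST PROTO PORT). Rules are consulted
# before the policy file, which is why a port-specific ACCEPT here "fixes"
# a zone pair even when the policy for that pair is shadowed by a REJECT.
RULES = """\
# ACTION  SOURCE  DEST  PROTO  PORT
ACCEPT    loc     fw    tcp    445
"""


def parse_table(text):
    """Split a config file into rows of whitespace-separated columns, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_matches(pattern, zone):
    """'all' matches any zone; otherwise the zone name must match exactly."""
    return pattern == "all" or pattern == zone


def policy_for(policy_text, src, dst):
    """Return (policy, row_index) for the FIRST policy entry matching src->dst."""
    for i, row in enumerate(parse_table(policy_text)):
        psrc, pdst, action = row[0], row[1], row[2]
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action, i
    return None, None


def decide(rules_text, policy_text, src, dst, proto=None, port=None):
    """Evaluate rules first; fall through to the policy file only if no rule matches.

    Returns (action, "rules" | "policy") so the caller can see which file decided.
    """
    for row in parse_table(rules_text):
        action, rsrc, rdst = row[0], row[1], row[2]
        rproto = row[3] if len(row) > 3 else "-"
        rport = row[4] if len(row) > 4 else "-"
        if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                and rproto in ("-", proto) and rport in ("-", str(port))):
            return action, "rules"
    action, _ = policy_for(policy_text, src, dst)
    return action, "policy"


def shadowed_entries(policy_text):
    """List (row, earlier_row) pairs where an earlier entry fully covers a later one.

    A shadowed entry can never be reached, which is the symptom in this thread.
    """
    rows = parse_table(policy_text)
    shadowed = []
    for i, (src, dst, *_rest) in enumerate(rows):
        for j in range(i):
            esrc, edst = rows[j][0], rows[j][1]
            if zone_matches(esrc, src) and zone_matches(edst, dst):
                shadowed.append((i, j))
                break
    return shadowed


if __name__ == "__main__":
    for name, text in (("wrong", POLICY_WRONG_ORDER), ("right", POLICY_RIGHT_ORDER)):
        print(f"{name} order: loc->fw policy = {policy_for(text, 'loc', 'fw')}")
        print(f"{name} order: shadowed entries = {shadowed_entries(text)}")
    # With the wrong order, only the port-specific rule rescues SMB; POP3 is still rejected.
    print("smb  :", decide(RULES, POLICY_WRONG_ORDER, "loc", "fw", "tcp", 445))
    print("pop3 :", decide(RULES, POLICY_WRONG_ORDER, "loc", "fw", "tcp", 110))
```

The `shadowed_entries` check is the practical takeaway: any policy entry reported as shadowed by an earlier `all all` line is dead configuration, and the fix is to move the specific zone pairs above the catch-all rather than duplicating them in the rules file.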
cheers(); Please, at least Cc: to the list.

> Of course i put it before the DROP and REJECT
> ok, let's say i want to allow all traffic between the fw and loc, if you can
> tell me exactly what should i add and where so i can try... cuz im sure im
> doing something wrong here..

Sorry, as I wrote, AFAIK the policy you posted to the list is all you need. As long as there are no other policies/rules that are evaluated before and prevent those policies from being matched. And as Tom said, that can't be told from the 2 quotes you gave. We need more info.

.karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!