Mark Champion
2002-Nov-20 06:44 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
I've been using shorewall 1.3.6 for a while with no problems on my RH7.2 system (similar to the "two interface" example). I know the command "shorewall clear" used to allow all traffic to pass freely through my firewall. However, when I tried it today, it seems to block all traffic - at least outbound. For example, I cannot ping hosts on the internet from a Windows machine on the local network. My web browser won't work, etc. However, if I restart shorewall with "shorewall restart," pings and web browsing work again.

I've tried it several times. I also rebooted my system with no change.

Any ideas?

Mark
Aaron Axelsen
2002-Nov-20 07:06 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
In the older versions of shorewall, shorewall clear would remove the routing rules as well as all the other rules. Try downloading the newest version 1.3.10, and give it another shot.

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com

"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
--On Tuesday, November 19, 2002 10:44:34 PM -0800 Mark Champion <netdaddyo@hotmail.com> wrote:

> I've been using shorewall 1.3.6 for a while with no problems on my RH7.2
> system (similar to the "two interface" example). I know the command
> "shorewall clear" used to allow all traffic to pass freely through my
> firewall. However, when I tried it today, it seems to block all traffic
> - at least outbound. For example, I cannot ping hosts on the internet
> from a Windows machine on the local network. My web browser won't work,
> etc. However, if I restart shorewall with "shorewall restart," pings and
> web browsing work again.
>
> I've tried it several times. I also rebooted my system with no change.
> Any ideas?

Works as designed. The 'shorewall clear' command removes ALL shorewall-generated entries in NetFilter, all shorewall-added routes, all shorewall-added ARP entries and all shorewall-added IP addresses. If your local PCs rely on masquerading to access the internet then 'shorewall clear' will disable that capability.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 02:23:25 PM -0800 Mark Champion <netdaddyo@hotmail.com> wrote:

> I didn't think my local PCs relied on masquerading to access the
> internet.

They do if they have addresses that are reserved by RFC 1918.

> However, I don't know how to check this. I do know that
> "shorewall clear" used to open up my local network to the internet. I
> didn't think I changed anything since the last time I used the "shorewall
> clear" command, but perhaps I did.
>
> Anyone know how to check to see if I'm using masquerading?

There will be one or more entries in /etc/shorewall/masq.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Mark Champion
2002-Nov-20 22:57 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
> --On Wednesday, November 20, 2002 02:23:25 PM -0800 Mark Champion
> <netdaddyo@hotmail.com> wrote:
>
> > I didn't think my local PCs relied on masquerading to access the
> > internet.
>
> They do if they have addresses that are reserved by RFC 1918.
>
> > However, I don't know how to check this. I do know that
> > "shorewall clear" used to open up my local network to the internet. I
> > didn't think I changed anything since the last time I used the "shorewall
> > clear" command, but perhaps I did.
> >
> > Anyone know how to check to see if I'm using masquerading?
>
> There will be one or more entries in /etc/shorewall/masq.

Not counting comments, I have a single line in /etc/shorewall/masq as follows:

eth0 eth1

So, I guess I'm using masquerading. But I haven't changed this since I originally configured it.

Is it my imagination that "shorewall clear" should operate as I described? I don't find any other command that will effectively remove the firewall.

Perhaps I could edit the "routestopped" file to match the "masq" file and use "shorewall stop", but that doesn't seem like an appropriate solution.

Mark
--On Wednesday, November 20, 2002 02:57:33 PM -0800 Mark Champion <netdaddyo@hotmail.com> wrote:

> Not counting comments, I have a single line in /etc/shorewall/masq as
> follows:
>
> eth0 eth1
>
> So, I guess I'm using masquerading. But I haven't changed this since I
> originally configured it.

There was a change many releases ago that caused "shorewall stop" (which is done under the covers by "shorewall clear") to remove Netfilter nat table entries -- possibly you had a version installed that predated that change.

> Is it my imagination that "shorewall clear" should operate as I described?
> I don't find any other command that will effectively remove the firewall.

The intent of "shorewall clear" is to undo EVERYTHING that Shorewall has done on your system -- end of description. That includes removing the entries. Before you installed Shorewall, your local systems couldn't access the internet either unless you had your own script for setting up the required entry in the Netfilter nat table.

> Perhaps I could edit the "routestopped" file to match the "masq" file and
> use "shorewall stop", but that doesn't seem like an appropriate solution.

Why don't you just set up an alternate configuration that has an "all->all ACCEPT" policy?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Mark Champion
2002-Nov-21 06:50 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
> --On Wednesday, November 20, 2002 02:57:33 PM -0800 Mark Champion
> <netdaddyo@hotmail.com> wrote:
>
> > Not counting comments, I have a single line in /etc/shorewall/masq as
> > follows:
> >
> > eth0 eth1
> >
> > So, I guess I'm using masquerading. But I haven't changed this since I
> > originally configured it.
>
> There was a change many releases ago that caused "shorewall stop" (which is
> done under the covers by "shorewall clear") to remove Netfilter nat table
> entries -- possibly you had a version installed that predated that change.
>
> > Is it my imagination that "shorewall clear" should operate as I described?
> > I don't find any other command that will effectively remove the firewall.
>
> The intent of "shorewall clear" is to undo EVERYTHING that Shorewall has
> done on your system -- end of description. That includes removing the
> entries. Before you installed Shorewall, your local systems couldn't access
> the internet either unless you had your own script for setting up the
> required entry in the Netfilter nat table.
>
> > Perhaps I could edit the "routestopped" file to match the "masq" file and
> > use "shorewall stop", but that doesn't seem like an appropriate solution.
>
> Why don't you just set up an alternate configuration that has an "all->all
> ACCEPT" policy?
>
> -Tom

I certainly can't argue your suggestions, and I'm not trying to. I'm only trying to understand. In the FAQ, Item 7 states that "If you want to totally open up your firewall, you must use the 'shorewall clear' command." Of course, it doesn't say that this is the only thing required, but I remember this used to work on my RH7.2 system with Shorewall version 1.3.6. If it's not too difficult, I'd like to get back to that point.

Regarding setting up an "alternate configuration," I tried to look that up. I found a link for "alternate configurations" at the very bottom of http://www.shorewall.net/two-interface.htm, which takes me to the Shorewall 1.3 Reference page. But it doesn't seem to provide any explanation of "alternate configurations." (Or maybe I can't see the forest for the trees?)

Mark
Örjan Johansson
2002-Nov-21 12:47 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
Hi Mark,

> -----Original Message-----
> From: Mark Champion [mailto:netdaddyo@hotmail.com]
> Posted At: 21 November 2002 07:51
> Posted To: shorewall
> Conversation: [Shorewall-users] "shorewall clear" - stops all traffic?
> Subject: Re: [Shorewall-users] "shorewall clear" - stops all traffic?
>
> > Why don't you just set up an alternate configuration that
> > has an "all->all ACCEPT" policy?
> >
> > -Tom
>
> I certainly can't argue your suggestions, and I'm not trying
> to. I'm only trying to understand. In the FAQ, Item 7
> states that "If you want to totally open up your firewall,
> you must use the 'shorewall clear' command." Of course, it
> doesn't say that this is the only thing required, but I
> remember this used to work on my RH7.2 system with Shorewall
> version 1.3.6. If it's not too difficult, I'd like to get
> back to that point.
>
> Regarding setting up an "alternate configuration," I tried to
> look that up. I found a link for "alternate configurations"
> at the very bottom of
> http://www.shorewall.net/two-interface.htm,
> which takes me to
> the Shorewall 1.3 Reference page. But it doesn't seem to
> provide any explanation of "alternate configurations." (Or
> maybe I can't see the forest for the trees?)
>
> Mark

Copy your files to an alternate directory, for instance /etc/shorewall/alt/, and then run

#shorewall -c /etc/shorewall/alt start|restart|check

or

#shorewall try /etc/shorewall/alt

HTH,
Orjan
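Tom's suggestion of an alternate configuration with an "all->all ACCEPT" policy, combined with Orjan's copy-the-directory procedure, as an added example that is not code from the thread or from Shorewall itself. The configuration directory, its file contents, the helper names and the RFC 1918 check are all constructed for illustration; the masq file is copied unchanged so the nat table entry Tom describes is still created when the open configuration is started.

```shell
#!/bin/sh
# Added example (not code from the thread or from Shorewall): build the
# "all->all ACCEPT" alternate configuration Tom suggests, in the copied
# directory Orjan describes, and keep the masq entries so LAN hosts with
# RFC 1918 addresses do not lose internet access the way they do after
# "shorewall clear". All paths and file contents below are constructed.
set -e

# Constructed stand-in for /etc/shorewall: the thread's single masq line
# (masquerade eth1 traffic out of eth0) plus a typical two-interface policy.
make_sample_config() {
    dir=$(mktemp -d)
    printf '#INTERFACE SUBNET\n\neth0    eth1\n' > "$dir/masq"
    printf '#SOURCE DEST POLICY LOG\nloc net ACCEPT\nnet all DROP info\nall all REJECT info\n' > "$dir/policy"
    echo "$dir"
}

# Number of masq entries, ignoring comments and blank lines. Tom's check:
# one or more entries means the LAN relies on masquerading.
masq_entries() {
    sed 's/#.*//' "$1/masq" | awk 'NF > 0' | wc -l | tr -d ' '
}

# Tom's criterion for needing masquerading: an RFC 1918 private address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Copy the regular files of the configuration to an alternate directory
# (which may sit inside it, as in Orjan's /etc/shorewall/alt/) and replace
# only the policy file with a single all->all ACCEPT entry.
make_open_config() {
    src=$1 alt=$2
    mkdir -p "$alt"
    for f in "$src"/*; do
        if [ -f "$f" ]; then cp "$f" "$alt"/; fi
    done
    printf '#SOURCE DEST POLICY LOG LEVEL\nall all ACCEPT\n' > "$alt/policy"
    echo "$alt"
}

# On the firewall itself you would then run (as root), per Orjan's post:
#   shorewall -c /etc/shorewall/alt start
```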
--On Wednesday, November 20, 2002 10:50:39 PM -0800 Mark Champion <netdaddyo@hotmail.com> wrote:

>> --On Wednesday, November 20, 2002 02:57:33 PM -0800 Mark Champion
>> <netdaddyo@hotmail.com> wrote:

> I certainly can't argue your suggestions, and I'm not trying to. I'm
> only trying to understand. In the FAQ, Item 7 states that "If you want
> to totally open up your firewall, you must use the 'shorewall clear'
> command." Of course, it doesn't say that this is the only thing
> required, but I remember this used to work on my RH7.2 system with
> Shorewall version 1.3.6.

I've studied the differences between 1.3.6 and 1.3.10 and it's hard to understand how you could have been seeing the behavior you describe in 1.3.6. At any rate, if you ever saw that behavior it was a bug.

> If it's not too difficult, I'd like to get back
> to that point.
>
> Regarding setting up an "alternate configuration," I tried to look that
> up. I found a link for "alternate configurations" at the very bottom of
> http://www.shorewall.net/two-interface.htm, which takes me to the
> Shorewall 1.3 Reference page. But it doesn't seem to provide any
> explanation of "alternate configurations." (Or maybe I can't see the
> forest for the trees?)

The topic of Shorewall configurations is introduced at http://shorewall.sf.net/configuration_file_basics.htm. This is pointed out in the Documentation Index where the link to that page has the following subtopic: "Shorewall Configurations (making a test configuration)". The introductory description is linked to http://shorewall.sf.net/starting_and_stopping_shorewall.htm which describes Shorewall Configurations in more detail.

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 10:50:39 PM -0800 Mark Champion <netdaddyo@hotmail.com> wrote:

> Regarding setting up an "alternate configuration," I tried to look that
> up. I found a link for "alternate configurations" at the very bottom of
> http://www.shorewall.net/two-interface.htm, which takes me to the
> Shorewall 1.3 Reference page.

I've corrected a number of problems with links to configurations and starting and stopping the firewall -- thanks for pointing out this problem.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Mark Champion
2002-Nov-21 16:04 UTC
[Shorewall-users] "shorewall clear" - stops all traffic?
Thanks to Tom Eastep and others for their helpful suggestions. I think I need to study the references provided for a while. I think I can work out a good solution from here.

Mark

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@shorewall.net>
Sent: Thursday, November 21, 2002 6:59 AM
Subject: Re: [Shorewall-users] "shorewall clear" - stops all traffic?