I may have shot myself in the foot, but I made two changes at the same time...

Change Number 1: Moved from NT 4.0 Server as Primary Domain Controller to Samba Primary Domain Controller - still working out kinks, but it appears OK.

Change Number 2: Abandoned SuSE 2.4.16 three NIC box with SuSE Firewall2 and replaced with another SuSE 2.4.16 three NIC box with Shorewall

Thanks to Tom, the removal of my real IP from the aliases got my boxes working to the internet - and off to the races.

Current problem(s):

Firewall (Shorewall box)
eth0 to Internet (real IP address)
eth1 to DMZ (haven't even gone there yet...)
eth2 to (crossover cable) eth1 of another SuSE three NIC Box

2nd SuSE Box (Running DNS)
eth0 to Internal network
eth1 from eth2 of Shorewall
eth2 to Ascend router private network

Can NOT get to private network - nothing appears to be logging (for this leg)
I tried adding Ports for Samba rules to /etc/shorewall/rules...but I'm not sure I needed it because the Firewall/Shorewall box does NOT run Samba.

I tried the "sam" setup recommendations of configurations, but once again, the DNS box is the one connected to the NIC and "knows" about the required routing to the private subnet...and that box is NOT running Shorewall.

Where do I go from here? It is mandatory that I have the link to work. One of the two changes appeared to have "lit" the "con" status light on the Ascend unit. But, I go no further...any ideas?

- Bill
Bill.Light@kp.org wrote:
>
> Current problem(s):
>
> Firewall (Shorewall box)
> eth0 to Internet (real IP address)
> eth1 to DMZ (haven't even gone there yet...)
> eth2 to (crossover cable) eth1 of another SuSE three NIC Box
>
> 2nd SuSE Box (Running DNS)
> eth0 to Internal network
> eth1 from eth2 of Shorewall
> eth2 to Ascend router private network
>
> Can NOT get to private network - nothing appears to be logging (for this
> leg)

Can't get to the private network from WHERE?

> I tried adding Ports for Samba rules to /etc/shorewall/rules...but I'm
> not sure
> I needed it because the Firewall/Shorewall box does NOT run Samba.
>
> I tried the "sam" setup recommendations of configurations, but once again,
> the DNS box is the one connected to the NIC and "knows" about the
> required routing to the private subnet...and that box is NOT running
> Shorewall.

So again, what hosts can't reach the local network?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
From any box on the internal network ...

Box #2 eth0 goes to 192 subnet (internal network)
eth1 goes to 172 subnet
eth3 goes to (another) 192 subnet

All boxes running Citrix client should route to 172 subnet - Box 2 has the routing information on it....

Neither /var/log/messages on Shorewall box
- nor- SuSE Box #2 /var/log/messages show anything being logged

And, I'm certainly not blacklisting myself...

- Bill

----- Forwarded by Bill Light/CA/KAIPERM on 09/23/02 02:27 PM -----

Tom Eastep <teastep@shorewall.net>
09/23/02 02:12 PM
To: Bill Light/CA/KAIPERM@KAIPERM
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Citrix and Shorewall

> > Current problem(s):
> >
> > Firewall (Shorewall box)
> > eth0 to Internet (real IP address)
> > eth1 to DMZ (haven't even gone there yet...)
> > eth2 to (crossover cable) eth1 of another SuSE three NIC Box
> >
> > 2nd SuSE Box (Running DNS)
> > eth0 to Internal network
> > eth1 from eth2 of Shorewall
> > eth2 to Ascend router private network
> >
> > Can NOT get to private network - nothing appears to be logging (for this
> > leg)
>
> Can't get to the private network from WHERE?
>
> > I tried adding Ports for Samba rules to /etc/shorewall/rules...but I'm
> > not sure
> > I needed it because the Firewall/Shorewall box does NOT run Samba.
> >
> > I tried the "sam" setup recommendations of configurations, but once again,
> > the DNS box is the one connected to the NIC and "knows" about the
> > required routing to the private subnet...and that box is NOT running
> > Shorewall.
>
> So again, what hosts can't reach the local network?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Bill.Light@kp.org wrote:
>
> From any box on the internal network ...
>
> Box #2 eth0 goes to 192 subnet (internal network)
> eth1 goes to 172 subnet
> eth3 goes to (another) 192 subnet
>
> All boxes running Citrix client should route to 172 subnet - Box 2 has
> the routing information on it....
>
> Neither /var/log/messages on Shorewall box
> - nor- SuSE Box #2 /var/log/messages show anything being logged
>
> And, I'm certainly not blacklisting myself...
>

But if I understand your network topology, then the problem connections don't have anything to do with Shorewall - Right?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
One would assume that....but that part was working when SuSEfirewall2 was my primary firewall....

I was looking for some ideas of what Shorewall could have changed or what I may have turned on to have it stop doing the proper routing. /etc/route.conf was taken directly from the SuSEfirewall box and because it was a new box, I flipped eth0 and eth2 to be more consistent with "typical" three NIC firewalls. The "2nd box" was left unchanged, so that routing stayed intact. I'm at a loss.

To be honest that NAT'ng thing surprised me, but I get it.

- Bill

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@shorewall.net
09/23/02 03:29 PM
To: Bill Light/CA/KAIPERM@KAIPERM
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Citrix and Shorewall

> Bill.Light@kp.org wrote:
> >
> > From any box on the internal network ...
> >
> > Box #2 eth0 goes to 192 subnet (internal network)
> > eth1 goes to 172 subnet
> > eth3 goes to (another) 192 subnet
> >
> > All boxes running Citrix client should route to 172 subnet - Box 2 has
> > the routing information on it....
> >
> > Neither /var/log/messages on Shorewall box
> > - nor- SuSE Box #2 /var/log/messages show anything being logged
> >
> > And, I'm certainly not blacklisting myself...
> >
>
> But if I understand your network topology, then the problem connections
> don't have anything to do with Shorewall - Right?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Bill.Light@kp.org wrote:
>
> One would assume that....but that part was working when SuSEfirewall2
> was my primary firewall....
>
> I was looking for some ideas of what Shorewall could have changed or
> what I may have turned on to have it stop doing the proper routing.

The Routing table on "2nd SuSE Box" is hardly a black box -- that is you can look at it and determine exactly where packets are going. And that is the only factor that is significant unless you are routing private<->local traffic through the Shorewall box. Are you?

> /etc/route.conf was taken directly from the SuSEfirewall box and
> because it was a new box, I flipped eth0 and eth2 to be more consistent
> with "typical" three NIC firewalls. The "2nd box" was left unchanged,
> so that routing stayed intact. I'm at a loss.
>
> To be honest that NAT'ng thing surprised me, but I get it.
>

Nat'ng thing?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Success! Thanks for the hints Tom.

Apparently the "main" firewall IS doing all of the routing. I never know what to "hide" when I post to a public list (Security concerns and all), but bottom line, the actual work range is a 10 subnet and so is being "logdropped" per the "rfc1918".

It might also explain another problem I'm having with the new Samba PDC - complains about not being able to connect to 127.0.0.1:139 if I want to change a password...

So I took it out - I can now access work from home - but the reality is I would like to keep the rule except for the actual work subnet...where would I put 10.x.y.0 to allow that "violation" of rfc1918? Second question, without destroying what's working, can I do a 2nd routing on the same NIC (based on a subnet)??

The NAT'ng thing I was referring to was I did have my real IP being NAT'd - once I removed, per your recommendation Shorewall started working.

Thanks a heap Tom! What I'm seeing so far, I really like.

- Bill

=========================================================

Tom Eastep <teastep@shorewall.net>
09/23/02 05:20 PM
To: Bill Light/CA/KAIPERM@KAIPERM
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Citrix and Shorewall

> Bill.Light@kp.org wrote:
> >
> > One would assume that....but that part was working when SuSEfirewall2
> > was my primary firewall....
> >
> > I was looking for some ideas of what Shorewall could have changed or
> > what I may have turned on to have it stop doing the proper routing.
>
> The Routing table on "2nd SuSE Box" is hardly a black box -- that is you
> can look at it and determine exactly where packets are going. And that is
> the only factor that is significant unless you are routing private<->local
> traffic through the Shorewall box. Are you?
>
> > /etc/route.conf was taken directly from the SuSEfirewall box and
> > because it was a new box, I flipped eth0 and eth2 to be more consistent
> > with "typical" three NIC firewalls. The "2nd box" was left unchanged,
> > so that routing stayed intact. I'm at a loss.
> >
> > To be honest that NAT'ng thing surprised me, but I get it.
> >
>
> Nat'ng thing?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Bill.Light@kp.org wrote:
>
> So I took it out - I can now access work from home - but the reality is
> I would like to keep the rule except for the actual work subnet...where
> would I put 10.x.y.0 to allow that "violation" of rfc1918?

You modify /etc/shorewall/rfc1918 and be sure to put your exceptions BEFORE the existing rule that applies to the address.

> Second
> question, without destroying what's working, can I do a 2nd routing on
> the same NIC (based on a subnet)??
>

I have NO idea what that means...

> The NAT'ng thing I was referring to was I did have my real IP being
> NAT'd - once I removed, per your recommendation Shorewall started working.
>
> Thanks a heap Tom! What I'm seeing so far, I really like.
>

Good...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
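The ordering point Tom makes above (the exception must come BEFORE the entry that already covers the address) is easy to get wrong, because a later RETURN line for the work subnet is silently shadowed by the earlier 10.0.0.0/8 logdrop line. The script below is an added example, not part of the thread and not Shorewall's own code: it models first-match evaluation of an rfc1918-style file and flags entries that can never be reached. The two file bodies are constructed, and 10.20.30.0/24 is a placeholder standing in for Bill's 10.x.y.0 work range.

```python
import ipaddress

# Constructed stand-in for /etc/shorewall/rfc1918 with the exception placed
# AFTER the 10.0.0.0/8 line. First match wins, so the RETURN is never reached.
RFC1918_BROKEN = """\
#SUBNETS        TARGET
172.16.0.0/12   logdrop
192.168.0.0/16  logdrop
10.0.0.0/8      logdrop
10.20.30.0/24   RETURN    # placeholder work subnet, shadowed by the line above
"""

# Same constructed file with the exception moved to the top, as Tom advises.
RFC1918_FIXED = """\
#SUBNETS        TARGET
10.20.30.0/24   RETURN    # placeholder work subnet: let it through
172.16.0.0/12   logdrop
192.168.0.0/16  logdrop
10.0.0.0/8      logdrop
"""


def parse_rfc1918(text):
    """Return [(network, target)] in file order, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        subnet, target = line.split()[:2]
        entries.append((ipaddress.ip_network(subnet, strict=False), target))
    return entries


def rfc1918_verdict(text, source_ip):
    """First matching entry decides; an address matching nothing falls through (RETURN)."""
    addr = ipaddress.ip_address(source_ip)
    for net, target in parse_rfc1918(text):
        if addr in net:
            return target
    return "RETURN"


def shadowed_entries(text):
    """Entries whose subnet lies inside an earlier entry's subnet can never match."""
    entries = parse_rfc1918(text)
    shadowed = []
    for i, (net, target) in enumerate(entries):
        for earlier_net, _ in entries[:i]:
            if net.subnet_of(earlier_net):
                shadowed.append((str(net), target))
                break
    return shadowed


if __name__ == "__main__":
    for label, cfg in (("broken", RFC1918_BROKEN), ("fixed", RFC1918_FIXED)):
        print(label, "10.20.30.5 ->", rfc1918_verdict(cfg, "10.20.30.5"),
              "shadowed:", shadowed_entries(cfg))
```

Running the shadow check against the broken file reports the RETURN line as unreachable, which is exactly the symptom Bill saw: the work subnet kept being logdropped even though an exception existed. With the exception at the top, 10.20.30.5 returns RETURN while the rest of 10.0.0.0/8 is still dropped and logged.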