hiya - today i rebuilt my firewall & went with a 2.4 kernel using iptables (had been using 2.2 / ipchains). got the most recent copy of shorewall from the website, installed it & everything is looking pretty good.

i do have one problem...

when i start shorewall, the firewall loses its ability to query dns servers, so it can't resolve names. the following is what i see in the log file (1.2.3.4 being my firewall & 2.3.4.5 being the external dns server that it's trying to query):

Aug 11 18:17:37 ns5 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=1.2.3.4 DST=2.3.4.5 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=11349 DF PROTO=UDP SPT=1035 DPT=53 LEN=44

i have two zones, 'loc' & 'net'. machines in the 'loc' zone can resolve names without any problems.

i've tried adding rules to the rules file to fix the problem with the firewall, but nothing has worked so far. i'm wondering, is this by design? or do i have something misconfigured? if it weren't for the fact that i needed to be able to resolve names so i can mail alerts from the firewall to my primary email address, i wouldn't even worry about it... but, i'm kinda stuck. any help appreciated.

oh, also - how do i go about setting it up so that a client in the 'loc' zone will still be able to ssh to the firewall when shorewall is running? thx.

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com
On Sun, 11 Aug 2002, Diver8 wrote:

> when i start shorewall, the firewall loses its ability to query dns
> servers, so it can't resolve names. the following is what i see in the
> log file (1.2.3.4 being my firewall & 2.3.4.5 being the external dns
> server that it's trying to query):
>
> Aug 11 18:17:37 ns5 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=1.2.3.4 DST=2.3.4.5 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=11349 DF
> PROTO=UDP SPT=1035 DPT=53 LEN=44
>
> [...]
>
> oh, also - how do i go about setting it up so that a client in the 'loc'
> zone will still be able to ssh to the firewall when shorewall is running?

I really want to know the process you went through to discover, investigate and install Shorewall because before today, I would have sworn that this couldn't possibly happen. I've spent months writing easy to use documentation and it's as if you haven't seen a word of it.

a) How did you find and download Shorewall?
b) Did you use one of the QuickStart Guides?
c) If so, which one?
d) If not, how did you decide not to use the appropriate Guide?

There is a built-in zone with a default name of "fw" that's pretty important; your DNS problem would be solved by adding the following to your rules file:

ACCEPT fw net udp 53
ACCEPT fw net tcp 53

But those rules would have been installed already if you had used one of the sample configurations!!!??? And each guide points to the appropriate sample configuration!!!??? And you would be able to use SSH to the firewall too if you had installed either the two- or three-interface sample configuration????

I'm confused....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
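The log line and the fix above lend themselves to a small script, so here is one as an added example; it is not Shorewall code and was not posted in the thread. It parses Shorewall REJECT log lines and derives the rules-file entry that would accept the logged traffic. It assumes eth0 faces the 'net' zone and eth1 the 'loc' zone (the thread does not say which interface is which), uses Shorewall's default firewall zone name 'fw', and relies on netfilter's LOG convention that an empty IN= marks a packet generated by the firewall itself and an empty OUT= one addressed to it. The first sample line is the one quoted above; the second, a host in 'loc' opening ssh to the firewall, is constructed for the example.

```python
"""Derive Shorewall rules-file entries from Shorewall REJECT/DROP log lines.

Added example, not code from Shorewall or from the mailing-list thread.
Assumptions (change them to match a real box):
  - eth0 faces the 'net' zone and eth1 the 'loc' zone.
  - The firewall zone uses Shorewall's default name 'fw'.
  - netfilter LOG convention: an empty IN= means the packet was generated
    by the firewall itself; an empty OUT= means it was addressed to it.
"""
import re

IFACE_ZONE = {"eth0": "net", "eth1": "loc"}  # assumption, see docstring
FW_ZONE = "fw"

# Shorewall prefixes each logged packet with "Shorewall:<chain>:<action>:",
# followed by netfilter's key=value fields (IN= and OUT= may be empty).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")

# Constructed sample input. The first line is the one from the original
# post; the second is made up for this example: a host in 'loc' opening
# an SSH connection to the firewall's inside address.
SAMPLE_LINES = [
    "Aug 11 18:17:37 ns5 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=1.2.3.4 DST=2.3.4.5 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=11349 DF "
    "PROTO=UDP SPT=1035 DPT=53 LEN=44",
    "Aug 11 18:20:02 ns5 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=4242 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return the Shorewall chain, action and netfilter fields of one line."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    entry = {"chain": m.group("chain"), "action": m.group("action")}
    for f in FIELD_RE.finditer(line, m.end()):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the
        # first. Flag words such as DF and SYN carry no '=' and are skipped.
        entry.setdefault(f.group("key"), f.group("val"))
    return entry


def zones(entry):
    """Map IN=/OUT= to Shorewall (source, destination) zones."""
    src = FW_ZONE if entry.get("IN", "") == "" else IFACE_ZONE.get(entry["IN"])
    dst = FW_ZONE if entry.get("OUT", "") == "" else IFACE_ZONE.get(entry["OUT"])
    if src is None or dst is None:
        raise ValueError(f"interface not in IFACE_ZONE: {entry}")
    return src, dst


def suggest_rule(entry):
    """Return the rules-file line that would ACCEPT the logged packet.

    Columns are ACTION SOURCE DEST PROTO DEST-PORT; only TCP and UDP carry
    a destination port. Returns None for packets that were not rejected.
    """
    if entry["action"] not in ("REJECT", "DROP"):
        return None
    src, dst = zones(entry)
    proto = entry["PROTO"].lower()
    parts = ["ACCEPT", src, dst, proto]
    if proto in ("tcp", "udp"):
        parts.append(entry["DPT"])
    return " ".join(parts)


def suggest_rules(lines):
    """Unique, sorted suggestions for every rejected packet in `lines`."""
    rules = {suggest_rule(parse_log_line(line)) for line in lines}
    rules.discard(None)
    return sorted(rules)


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LINES):
        print(rule)
```

Run against the two sample lines it prints `ACCEPT fw net udp 53` and `ACCEPT loc fw tcp 22`, the same fw-to-net DNS rule and loc-to-fw SSH rule the reply says the sample configurations already carry. Two caveats: it only suggests what was actually logged, so the companion `ACCEPT fw net tcp 53` rule above will not appear until a TCP query is rejected; and turning every REJECT into an ACCEPT defeats the point of the firewall, so treat the output as a list to review against what the box is meant to do, not something to paste into the rules file wholesale.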
wow, thanks for the welcome. wow, thanks for using my product.

tell you what sir, you can take those easy to understand instructions and shove them up your ass. i'll use something else.

--- Tom Eastep <teastep@shorewall.net> wrote:
> I really want to know the process you went through to discover,
> investigate and install Shorewall because before today, I would have
> sworn that this couldn't possibly happen. I've spent months writing easy
> to use documentation and it's as if you haven't seen a word of it.
>
> [...]
>
> I'm confused....
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
On Sun, 11 Aug 2002, Diver8 wrote:

> wow, thanks for the welcome. wow, thanks for using my product.
>
> tell you what sir, you can take those easy to understand instructions and
> shove them up your ass. i'll use something else.

I'm sorry you are taking that attitude because I REALLY do want to know. I've spent many times more effort on the web site and the documentation than I have on the product itself and if new users have the kind of problems that you seem to be having then I've failed :-(

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
At 20:26 11/08/2002 -0700, Tom Eastep sent this up the stick:

> On Sun, 11 Aug 2002, Diver8 wrote:
>
> > wow, thanks for the welcome. wow, thanks for using my product.
> >
> <snip grief>
>
> I'm sorry you are taking that attitude because I REALLY do want to know.
> I've spent many times more effort on the web site and the documentation
> than I have on the product itself and if new users have the kind of
> problems that you seem to be having then I've failed :-(

<sarcasm>
Gee Tom, it's a shame how you just don't get what you pay for nowadays, isn't it.
</sarcasm>

Quite frankly, I'm impressed by just how much documentation there is for your product. Well done.

Cheers,
Rob
--
Ever wonder about those people who spend several dollars each on those little bottles of Evian water? Try spelling Evian backwards ...
This is random quote 432 of a collection of 1254
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian
On Sun, 11 Aug 2002, Diver8 wrote:

> wow, thanks for the welcome. wow, thanks for using my product.
>
> tell you what sir, you can take those easy to understand instructions and
> shove them up your ass. i'll use something else.

I respectfully suggest that you reconsider. While it is true that Tom could have phrased his response differently, his motive is genuinely to improve the site. This is one of the few lists you will find on the Internet where the author of the SW is so active and responsive.

You got an answer, not the one you wanted, on a Sunday from the best source. Sure, it was probably raining again in Seattle so he had nothing better to do.... :-)

In any event, please try to get over your initial bad experience with the list and stick with shorewall.

You will be happy, in the long run, that you did.

Regards,
Ed
--
http://www.shorewall.net/ for all your firewall needs
I most certainly agree with Ed!

You name me a place where I can get support like the following:

Free Product
Free Documentation
Free Support (From the developer!)
Free advice

Tom gives up his own time to help people out with a product; you could pay him an ounce of respect and at least try reading a "QuickStart Guide!"

It just irks me to see someone like yourself bark at the hand that was feeding you when you didn't even have the decency to look to see what that hand was holding!

Maybe you should go hit ebay and get yourself a nice Cisco PIX and take a nice Cisco IOS class and I think you will be very happy with what you can do. Of course with the amount of Documentation reading you do, I doubt you will make it very far into the manuals, and instead head for those nice $250 per incident support calls.

Ok, I am done with my rant...

Steve

----- Original Message -----
From: "Ed Greshko" <Edward.M.Greshko@syntegra.com>
To: "Diver8" <diver_8_iam@yahoo.com>
Cc: <Shorewall-users@shorewall.net>
Sent: Sunday, August 11, 2002 10:40 PM
Subject: Re: [Shorewall-users] dns problem

> I respectfully suggest that you reconsider. While it is true that Tom
> could have phrased his response differently, his motive is genuinely to
> improve the site. This is one of the few lists you will find on the
> Internet where the author of the SW is so active and responsive.
>
> [...]
>
> Regards,
> Ed
You are a disgrace to the concept of open source. Just because you have an initial problem with the program does not in any way justify heaping a pile of insult on the developer!! What goes around comes around!!

>>> Diver8 <diver_8_iam@yahoo.com> 08/11/02 22:22 PM >>>
wow, thanks for the welcome. wow, thanks for using my product.

tell you what sir, you can take those easy to understand instructions and shove them up your ass.
i'll use something else.

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Sun, 11 Aug 2002, Diver8 wrote:
>
> [...]
>
> There is a built-in zone with a default name of "fw" that's pretty
> important; your DNS problem would be solved by adding the following to
> your rules file:
>
> ACCEPT fw net udp 53
> ACCEPT fw net tcp 53
>
> [...]
>
> -Tom
On Mon, 12 Aug 2002, Ed Greshko wrote:

> You got an answer, not the one you wanted, on a Sunday from the best
> source. Sure, it was probably raining again in Seattle so he had nothing
> better to do.... :-)

Actually, it was a beautiful weekend which I split between working on the Shorewall documentation, helping another Shorewall user with a perplexing problem and pressure washing my deck. I really need to get a life... :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:

> Actually, it was a beautiful weekend which I split between working on the
> Shorewall documentation, helping another Shorewall user with a perplexing
> problem and pressure washing my deck. I really need to get a life... :-)

Hey Tom, you got a life, what you need is a VACATION and disconnect from the 'Net for awhile! :-)

--
Patrick Benson
Stockholm, Sweden
On 12 Aug 2002 at 6:09, Tom Eastep wrote:

> Actually, it was a beautiful weekend which I split between working on the
> Shorewall documentation, helping another Shorewall user with a perplexing
> problem and pressure washing my deck. I really need to get a life... :-)
>
> -Tom

What? No Mariners games??

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
On Mon, 12 Aug 2002, John Andersen wrote:

> On 12 Aug 2002 at 6:09, Tom Eastep wrote:
>
> > Actually, it was a beautiful weekend which I split between working on the
> > Shorewall documentation, helping another Shorewall user with a perplexing
> > problem and pressure washing my deck. I really need to get a life... :-)
> >
> > -Tom
>
> What? No Mariners games??

I was deck-washing while the game was on -- just as well; M's lost :-(

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net