Andrew Lietzow
2002-Aug-22 15:31 UTC
[Shorewall-users] Newbie opening door ... sticks in toe...
Dear Shorewall Wizards,

I have two interfaces eth0, eth1 in machine fw -- eth0 goes to an ehub, eth1 goes nowhere. All machines are connected to the same e-hub which is connected to a DSL modem, all in the same octet block using static ips. There are no Class C private net addresses. (I have not implemented masquerading during the past 2.5 yrs, though I would like to if I can get this going correctly. :-))

I've had more than my fair share of intruders prior to this weekend, so I changed the root drive and upgraded? from RHL 7.0 to RHL 7.3. There is hardly anything here with which the kiddies can play, but I'm trying to change that.

Currently, I can <shorewall start> on fw box, without error. Configuration is: RHL 7.3, Linux 2.4.18-3, iptables 1.3.5, Shorewall LATEST.rpm (two days old? - 1.3.6)

Once loaded, however, I cannot ping fw from box #2. Also, I cannot access fw with <telnet mail 25> (if shorewall is up). I can, however, access fw with <telnet mail 25> from the fw machine when shorewall is up.

SOOOOO.... I think my problem is either a broken DNS on box #2 (it's not loading correctly to resolve names locally but can resolve using remote DNS), OR.... I don't have shorewall configured correctly to allow access to tcp 25 from the loc zone (or, possibly even the net zone). How can Shorewall stop this box #2 from pinging hosts on the net? That's interesting...

#1) Because box 2 uses a static IP address, I was thinking it would be considered a "net" zone, but is it really in the "loc" zone? How do I tell shorewall what IP addresses should be considered as the "loc" zone.... ? Is the "loc" zone assigned the Class C addresses automatically? (10.x.x.x, 192.x.x.x, etc. )

#2) Here is the pertinent from my rules file.
    # Accept DNS connections from the firewall to the network
    ACCEPT  fw   net  tcp  53
    ACCEPT  fw   net  udp  53
    # Accept SMTP requests from the internet to the network
    ACCEPT  net  fw   tcp  25
    ACCEPT  net  fw   tcp  110
    ACCEPT  loc  fw   tcp  25
    ACCEPT  loc  fw   tcp  110
    # Accept SSH connections from the local network, and the net, for administration
    ACCEPT  loc  fw   tcp  22
    ACCEPT  net  fw   tcp  22
    # Accept TELNET connections from the net, remembering that the passwords are insecure
    ACCEPT  net  fw   tcp  23
    # Accept AUTH connections from the net
    ACCEPT  net  fw   tcp  113
    # Accept NTP connections to the net
    ACCEPT  fw   net  udp  123
    # Accept HTTP requests from the internet to the network
    ACCEPT  net  fw   tcp  http
    # Accept HTTPS requests from the internet to the network
    ACCEPT  net  fw   tcp  443
    # Reject NFS_PORT requests from the internet to the network
    REJECT  net  fw   tcp  2049
    # Reject SOCKS_PORT establishing a connection from the internet to the network
    REJECT  net  fw   tcp  1080
    # Reject Xwindows_Ports from the network destined for the fw
    REJECT  net  fw   tcp  6000:6063
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

If I <shorewall clear> I can ping to the fw from box #2. Up, cannot ping. Down, can ping. I did create the icmpdef file, as recommended.

Need more info; less info? Too many questions?

TIA,
--
Andrew Lietzow
The ACL Group, Inc.