Hello again,
This was indeed a very very very stupid mistake.....
The client on the outside network is going through a caching proxy,
which was caching previous responses from my internal web server, making
it look like I was talking to the server through the firewall.
In other words the firewall was working as advertised the whole time.
Sorry for the noise. It was all of course a "stupid user mistake" 8-)
This firewall configuration mechanism is a most excellent piece of
software. Makes firewalling real fun 8-).
Regards,
K.D.
On Sun, 2003-01-05 at 05:45, Kári Davíðsson wrote:
> Hello,
>
> I am looking at the shorewall, and so far I like what I see, but I have
> one question.
>
> I installed the firewall with, zones: fw, loc, net and work.
> Where the work zone is a VPN zone to my work intranet
> The policy file is the default policy file, with the added policy to
> accept connections from fw to net, i.e. it contains
>
> work loc ACCEPT
> loc work ACCEPT
> loc net ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> The rules file is empty.
>
> Now I can connect to the network from my firewall and local computers:
> sending email, browsing the web, connecting through pptp to work, etc.
> In short: Life is good.
>
> Now for testing purposes I am running a web server on the firewall as
> well. If I understand the policy file correctly then I should not be
> able to connect to the webserver (running on the standard port 80) from
> the outside.
> But the strange thing is that I am able to do exactly this.
> Then I try to explicitly close port 80 on the fw. Adding the line
>
> REJECT net fw tcp www
>
> to the rules file has no effect, i.e. I am able to access the web server
> anyhow.
>
> Having both lines
>
> REJECT net fw tcp www
> REJECT net loc tcp www
>
> in the rules file does not change anything.
>
> So the big question is what am I missing? Why am I able to contact the
> server from the outside?
>
> Thanks for all pointers,
> K.D.
--
Kári Davíðsson <karid@isholf.is>
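The question in the quoted message comes down to reading the policy file the way Shorewall does: the first line whose SOURCE and DEST match the zone pair decides, "all" matches any zone, and entries in the rules file are consulted before the policy. The script below is an added example for this thread, not Shorewall's own code and not anything the poster ran; it models that first-match behaviour on the exact policy and rules lines quoted above (embedded as constructed sample input) and leaves out zone qualifiers such as net:1.2.3.0/24, $FW, and rate limiting. The service-name table is an assumption standing in for /etc/services.

```python
"""Resolve what a Shorewall-style policy/rules pair decides for a connection.

Added example, not Shorewall's code. It models the first-match semantics of
/etc/shorewall/policy ("all" matches any zone) and the fact that rules are
checked before the policy. Zone qualifiers and rate limits are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the policy file quoted in the thread.
POLICY_TEXT = """\
#SOURCE DEST   POLICY  LOG
work    loc    ACCEPT
loc     work   ACCEPT
loc     net    ACCEPT
fw      net    ACCEPT
net     all    DROP    info
all     all    REJECT  info
"""

# Constructed sample input: the two explicit rules the poster tried.
RULES_TEXT = """\
#ACTION SOURCE DEST PROTO DEST_PORT
REJECT  net    fw   tcp   www
REJECT  net    loc  tcp   www
"""

# Assumption: a tiny stand-in for /etc/services name resolution.
SERVICES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    port: Optional[int] = None


def _fields(text: str) -> List[List[str]]:
    """Tokenise a Shorewall-style file, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_policy(text: str) -> List[Policy]:
    out = []
    for f in _fields(text):
        if len(f) < 3:
            raise ValueError(f"malformed policy line: {f}")
        out.append(Policy(f[0], f[1], f[2].upper(), f[3] if len(f) > 3 else None))
    return out


def parse_rules(text: str) -> List[Rule]:
    out = []
    for f in _fields(text):
        if len(f) < 3:
            raise ValueError(f"malformed rule line: {f}")
        proto = f[3].lower() if len(f) > 3 else "all"
        port = None
        if len(f) > 4 and f[4] != "-":
            port = int(f[4]) if f[4].isdigit() else SERVICES[f[4]]
        out.append(Rule(f[0].upper(), f[1], f[2], proto, port))
    return out


def zone_matches(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def first_policy(policies: List[Policy], src: str, dst: str) -> Policy:
    """First matching line wins, so file order is what decides the outcome."""
    for p in policies:
        if zone_matches(p.source, src) and zone_matches(p.dest, dst):
            return p
    # Shorewall itself refuses to start when a zone pair has no policy.
    raise ValueError(f"no policy for {src} -> {dst}")


def decide(policies: List[Policy], rules: List[Rule], src: str, dst: str,
           proto: str = "tcp", port: Optional[int] = None) -> Tuple[str, str]:
    """Return (ACTION, reason) for a new connection from src zone to dst zone."""
    for r in rules:  # rules are consulted before the policy
        if (zone_matches(r.source, src) and zone_matches(r.dest, dst)
                and r.proto in ("all", proto) and r.port in (None, port)):
            return r.action, f"rule: {r.action} {r.source} {r.dest} {r.proto} {r.port}"
    p = first_policy(policies, src, dst)
    return p.action, f"policy: {p.source} {p.dest} {p.action}"


if __name__ == "__main__":
    policies = parse_policy(POLICY_TEXT)
    for src, dst, port in [("net", "fw", 80), ("net", "loc", 80),
                           ("loc", "net", 80), ("work", "net", 25)]:
        print(f"{src} -> {dst}:{port}", decide(policies, [], src, dst, "tcp", port))
    print("with explicit rules:",
          decide(policies, parse_rules(RULES_TEXT), "net", "fw", "tcp", 80))
```

Run as-is it shows that net -> fw on port 80 is already DROPped by the "net all DROP" line, so the explicit REJECT rule only changes the reply from silence to an ICMP/RST, and that work -> net falls through to the "all all REJECT" catch-all. What the model cannot show is the effect the thread actually hit: an HTTP client behind a caching proxy may get an answer that never crossed the firewall at all, so when testing a policy from outside, use a connection that bypasses any proxy (a raw TCP connect, or the client's no-proxy setting) and confirm the attempt in the firewall's log rather than trusting the client's view.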