Hi,

I'm running Shorewall on a Red Hat 7.2 server using tcp, smtp, ssh, www over an SDSL connection. The firewall and the services are all being run from one machine over one ethernet device. I was told that Shorewall will work if it and the services were on the same computer. Therefore, I am trying to set this up with only one ethernet device, eth0. I also have several IPs aliased as eth1, eth2, ... I was able to get Shorewall up and running, but can't get certain services to work. Here is my current setup.

POLICY:

    loc     net     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

INTERFACES:

    net     eth0    detect  dhcp,noping,norfc1918,multi

I also tried the above line with a (-) hyphen sign instead of net, but it did not work. Shorewall config documentation says to use the hyphen if the interface is used for more than one zone.

    -       eth0    detect  dhcp,noping,norfc1918,multi

With that I added these lines to the hosts file.

    #ZONE   HOST(S)             OPTIONS
    loc     eth0:64.80.26.184
    net     eth0                routestopped

64.80.26.184 is the IP address of eth0 and all of the services.

RULES:

    # This one gives me access to the server from my home computer
    ACCEPT  net:64.80.26.183    $FW     tcp     ftp,pop3,ssh
    # This one gives access from the internet to http & smtp
    ACCEPT  net                 $FW     tcp     smtp,www
    # This one is supposed to give access from the server to the internet
    ACCEPT  $FW                 net     tcp     smtp,www,domain

With my current setup, I can access the services from my home computer 64.80.26.183. Rule 1 works. I can also access www from any computer. Rule 2 works. Have not tested smtp.

The problem I am having is that sendmail is not relaying any mail through the server. I have some scripts that send out email to me and they stay in the queue. The message with it is dns error and timeout. Header parse error. I checked the whole Shorewall site and can't find how to do it with one interface.

Any help would be greatly appreciated.

Thanks
John Michael
John,

----- Original Message -----
From: John Michael
To: shorewall-users@shorewall.net
Sent: Wednesday, March 13, 2002 4:06 AM
Subject: [Shorewall-users] One eth device.

> Hi
>
> I'm running Shorewall on a Red Hat 7.2 server using tcp, smtp, ssh, www
> over an SDSL connection. The firewall and the services are all being run
> from one machine over one ethernet device. I was told that Shorewall will
> work if it and the services were on the same computer. Therefore, I am
> trying to set this up with only one ethernet device, eth0. I also have
> several IPs aliased as eth1, eth2, ... I was able to get Shorewall up and
> running, but can't get certain services to work. Here is my current setup.
>
> POLICY:
>
>     loc     net     ACCEPT
>     net     all     DROP    info
>     all     all     REJECT  info
>
> INTERFACES:
>
>     net     eth0    detect  dhcp,noping,norfc1918,multi

In this setup, you have no local zone -- the system where Shorewall is running is ALWAYS the firewall zone (default name "fw"). Your zones file should consist solely of:

    net     Internet    The untrusted Internet

Your policy should look like:

    fw      net     ACCEPT
    net     all     DROP

> I also tried the above line with a (-) hyphen sign instead of net, but it
> did not work. Shorewall config documentation says to use the hyphen if the
> interface is used for more than one zone.
>
>     -       eth0    detect  dhcp,noping,norfc1918,multi

Should be:

    net     eth0    detect  dhcp,noping,norfc1918,multi

> I checked the whole Shorewall site and can't find how to do it with one
> interface.

You must not have looked at the one-interface parameterized sample then -- it does exactly what you want.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
I don't really think this is a Shorewall issue, but I figured I'd start here and then try asking on a Samba list, and then possibly see if it's some weird Windows authentication problem.

I've got a three interface Shorewall firewall. One is a DHCP controlled interface to the external world, the other two are local (one 100bT, the other 802.11b). This all works very well, and I can use things like FTP and other TCP/IP applications to connect between the two local interfaces.

In fact, in Windows, I can see servers on both sides of the router. For example, on the wireless side, I can see the Samba server (which is the Shorewall machine) as well as the machines that have shares on the 100bT side. HOWEVER, I can't browse the shares on those machines. When I attempt that, Windows gives me an error like "Can't browse that machine, maybe you don't have permission?" (or something like that). Well, maybe that's so -- but I can't figure out WHY, since I can browse the machines from the 100bT side with no problems.

I tried to turn on logging in Shorewall, to see if I could detect anything happening on the network (I guess next would be to try tcpdump), but attempting to browse with logging turned on doesn't give any messages (whereas attempting an FTP connection DOES give a message).

Here is my (current) policy file ("local" is the wired local net, "air" is the 802.11b net and "net" is the external interface):

    #CLIENT  SERVER  POLICY  LOG LEVEL
    local    net     ACCEPT
    local    air     ACCEPT
    air      net     ACCEPT
    air      local   ACCEPT
    #
    fw       local   ACCEPT
    local    fw      ACCEPT
    fw       air     ACCEPT
    air      fw      ACCEPT
    #
    net      all     DROP    info
    all      all     REJECT  info

Any ideas?

Thanks,
Matt Goheen
> In fact, in Windows, I can see servers on both sides of the router. For
> example, on the wireless side, I can see the Samba server (which is the
> Shorewall machine) as well as the machines that have shares on the
> 100bT side. HOWEVER, I can't browse the shares on those machines. When
> I attempt that, Windows gives me an error like "Can't browse that machine,
> maybe you don't have permission?" (or something like that). Well, maybe
> that's so -- but I can't figure out WHY, since I can browse the machines
> from the 100bT side with no problems.

Note that I CAN browse the Samba server itself -- it's only the machines on the other subnet that I can't access.

- Matt
Matt,

----- Original Message -----
From: "Matthew Goheen" <mgoheen@rochester.rr.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 13, 2002 7:57 AM
Subject: [Shorewall-users] Samba routing (?) issue???

> I don't really think this is a Shorewall issue, but I figured I'd start
> here and then try asking on a Samba list, and then possibly see if it's
> some weird Windows authentication problem.

With the policies that you posted, it's not a Shorewall issue.

> I've got a three interface Shorewall firewall. One is a DHCP controlled
> interface to the external world, the other two are local (one 100bT, the
> other 802.11b). This all works very well, and I can use things like
> FTP and other TCP/IP applications to connect between the two local
> interfaces.

Presumably, you mean "between systems connected to the two local interfaces".

> In fact, in Windows, I can see servers on both sides of the router. For
> example, on the wireless side, I can see the Samba server (which is the
> Shorewall machine) as well as the machines that have shares on the
> 100bT side.

When you say "see", do you really mean "the systems are visible in the Windows Network Neighborhood"?

> HOWEVER, I can't browse the shares on those machines. When
> I attempt that, Windows gives me an error like "Can't browse that machine,
> maybe you don't have permission?" (or something like that).

Would it be asking too much for you to include the exact error message in your report?

> Well, maybe
> that's so -- but I can't figure out WHY, since I can browse the machines
> from the 100bT side with no problems.
>
> I tried to turn on logging in Shorewall, to see if I could detect anything
> happening on the network (I guess next would be to try tcpdump), but
> attempting to browse with logging turned on doesn't give any messages
> (whereas attempting an FTP connection DOES give a message).

Do you have one of your Samba systems configured as a WINS server and do you have all of your Windows and Samba systems configured to use that WINS server? That's a requirement if you are going to have Windows systems on two different LAN segments.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
I have a somewhat similar system, with two internal subnets (Ethernet and HomePNA) attached to the Shorewall box, although my Samba server is on the Ethernet subnet. Browsing works seamlessly across subnets. Your policy file looks fine. Mine is quite a bit simpler, with both internal subnets in the "loc" zone. What do your /etc/shorewall/interfaces and /etc/shorewall/hosts files contain?

As you suggest, I suspect this is a Windows/Samba problem. A "permissions" error message suggests you have authentication problems, and ought to ask for help on a Samba list.

-Richard

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Matthew Goheen
> Sent: Wednesday, March 13, 2002 7:58 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Samba routing (?) issue???
>
> I don't really think this is a Shorewall issue, but I figured I'd start
> here and then try asking on a Samba list, and then possibly see if it's
> some weird Windows authentication problem.
>
> I've got a three interface Shorewall firewall. One is a DHCP controlled
> interface to the external world, the other two are local (one 100bT, the
> other 802.11b). This all works very well, and I can use things like
> FTP and other TCP/IP applications to connect between the two local
> interfaces.
>
> In fact, in Windows, I can see servers on both sides of the router. For
> example, on the wireless side, I can see the Samba server (which is the
> Shorewall machine) as well as the machines that have shares on the
> 100bT side. HOWEVER, I can't browse the shares on those machines. When
> I attempt that, Windows gives me an error like "Can't browse that machine,
> maybe you don't have permission?" (or something like that). Well, maybe
> that's so -- but I can't figure out WHY, since I can browse the machines
> from the 100bT side with no problems.
>
> I tried to turn on logging in Shorewall, to see if I could detect anything
> happening on the network (I guess next would be to try tcpdump), but
> attempting to browse with logging turned on doesn't give any messages
> (whereas attempting an FTP connection DOES give a message).
>
> Here is my (current) policy file ("local" is the wired local net, "air"
> is the 802.11b net and "net" is the external interface):
>
>     #CLIENT  SERVER  POLICY  LOG LEVEL
>     local    net     ACCEPT
>     local    air     ACCEPT
>     air      net     ACCEPT
>     air      local   ACCEPT
>     #
>     fw       local   ACCEPT
>     local    fw      ACCEPT
>     fw       air     ACCEPT
>     air      fw      ACCEPT
>     #
>     net      all     DROP    info
>     all      all     REJECT  info
>
> Any ideas?
>
> Thanks,
> Matt Goheen
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
> > I've got a three interface Shorewall firewall. One is a DHCP controlled
> > interface to the external world, the other two are local (one 100bT, the
> > other 802.11b). This all works very well, and I can use things like
> > FTP and other TCP/IP applications to connect between the two local
> > interfaces.
>
> Presumably, you mean "between systems connected to the two local
> interfaces".

Correct.

> > In fact, in Windows, I can see servers on both sides of the router. For
> > example, on the wireless side, I can see the Samba server (which is the
> > Shorewall machine) as well as the machines that have shares on the
> > 100bT side.
>
> When you say "see", do you really mean "the systems are visible in the
> Windows Network Neighborhood"?

Exactly.

> > HOWEVER, I can't browse the shares on those machines. When
> > I attempt that, Windows gives me an error like "Can't browse that machine,
> > maybe you don't have permission?" (or something like that).
>
> Would it be asking too much for you to include the exact error message in
> your report?

Uggh....must...manually....copy....message....and....transcribe....it....here:

    \\Mgdell is not accessible. You might not have permission to use this
    network resource. Contact the administrator of this server to find out
    if you have access permissions.

    The network path was not found.

[The machine is on a different floor -- it's running Windows XP, btw.]

> > Well, maybe
> > that's so -- but I can't figure out WHY, since I can browse the machines
> > from the 100bT side with no problems.
> >
> > I tried to turn on logging in Shorewall, to see if I could detect anything
> > happening on the network (I guess next would be to try tcpdump), but
> > attempting to browse with logging turned on doesn't give any messages
> > (whereas attempting an FTP connection DOES give a message).
>
> Do you have one of your Samba systems configured as a WINS server and do you
> have all of your Windows and Samba systems configured to use that WINS
> server? That's a requirement if you are going to have Windows systems on two
> different LAN segments.

I have only one Samba server, and it is a WINS server. However, I don't think I have my Windows clients specifically configured to use it. I'll do that tomorrow (going to bed now).

I was reading (somewhere on the net) about potential problems you can run into if Samba can't resolve the NetBIOS name given to it into an IP address. I thought this could be a problem in my configuration (since the name "MGDELL" isn't resolvable through any means I can think of -- including a broadcast on the wireless net, since MGDELL is only on the 100bT net, and DNS and lmhosts won't work -- although perhaps WINS would somehow know). Anyway, I fixed this (I think) by assigning fixed IP addresses via DHCP (using the MAC addresses) and then using the Samba lmhosts file to map the NetBIOS names to the fixed IP addresses. Needless to say, this didn't help (oh, I also changed the Samba config to use lmhosts lookups).

I'll stop copying the shorewall list with any more of these messages, as it apparently is not a Shorewall issue....

Thanks,
Matt Goheen
If you are using DHCP, you may want to set

    option netbios-node-type 2;

This configures the clients as "P-nodes," which use WINS only, no broadcasts (the router will not pass netbios broadcasts).

-Richard

> > > I've got a three interface Shorewall firewall. One is a DHCP controlled
> > > interface to the external world, the other two are local (one 100bT, the
> > > other 802.11b). This all works very well, and I can use things like
> > > FTP and other TCP/IP applications to connect between the two local
> > > interfaces.
> >
> > Presumably, you mean "between systems connected to the two local
> > interfaces".
>
> Correct.
>
> > > In fact, in Windows, I can see servers on both sides of the router. For
> > > example, on the wireless side, I can see the Samba server (which is the
> > > Shorewall machine) as well as the machines that have shares on the
> > > 100bT side.
> >
> > When you say "see", do you really mean "the systems are visible in the
> > Windows Network Neighborhood"?
>
> Exactly.
>
> > > HOWEVER, I can't browse the shares on those machines. When
> > > I attempt that, Windows gives me an error like "Can't browse that machine,
> > > maybe you don't have permission?" (or something like that).
> >
> > Would it be asking too much for you to include the exact error message in
> > your report?
>
> Uggh....must...manually....copy....message....and....transcribe....it....here:
>
>     \\Mgdell is not accessible. You might not have permission to use this
>     network resource. Contact the administrator of this server to find out
>     if you have access permissions.
>
>     The network path was not found.
>
> [The machine is on a different floor -- it's running Windows XP, btw.]
>
> > > Well, maybe
> > > that's so -- but I can't figure out WHY, since I can browse the machines
> > > from the 100bT side with no problems.
> > >
> > > I tried to turn on logging in Shorewall, to see if I could detect anything
> > > happening on the network (I guess next would be to try tcpdump), but
> > > attempting to browse with logging turned on doesn't give any messages
> > > (whereas attempting an FTP connection DOES give a message).
> >
> > Do you have one of your Samba systems configured as a WINS server and do you
> > have all of your Windows and Samba systems configured to use that WINS
> > server? That's a requirement if you are going to have Windows systems on two
> > different LAN segments.
>
> I have only one Samba server, and it is a WINS server. However, I don't think
> I have my Windows clients specifically configured to use it. I'll do that
> tomorrow (going to bed now).
>
> I was reading (somewhere on the net) about potential problems you can run
> into if Samba can't resolve the NetBIOS name given to it into an IP address.
> I thought this could be a problem in my configuration (since the name "MGDELL"
> isn't resolvable through any means I can think of -- including a broadcast
> on the wireless net, since MGDELL is only on the 100bT net, and DNS and lmhosts
> won't work -- although perhaps WINS would somehow know). Anyway, I fixed
> this (I think) by assigning fixed IP addresses via DHCP (using the MAC
> addresses) and then using the Samba lmhosts file to map the NetBIOS names
> to the fixed IP addresses. Needless to say, this didn't help (oh, I also
> changed the Samba config to use lmhosts lookups).
>
> I'll stop copying the shorewall list with any more of these messages, as it
> apparently is not a Shorewall issue....
>
> Thanks,
> Matt Goheen
----- Original Message -----
From: "Richard Doyle" <rdoyle@islandnetworks.com>
To: "Matthew Goheen" <mgoheen@rochester.rr.com>; "Tom Eastep" <teastep@shorewall.net>; <shorewall-users@shorewall.net>
Sent: Wednesday, March 13, 2002 9:14 PM
Subject: RE: [Shorewall-users] Samba routing (?) issue???

> If you are using DHCP, you may want to set
>
>     option netbios-node-type 2;
>
> This configures the clients as "P-nodes," which use WINS only, no
> broadcasts (the router will not pass netbios broadcasts).

And of course, you'll want to set 'netbios-name-servers' and 'netbios-dd-server' to the address of your WINS server.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
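Richard's and Tom's suggestions together, as an added example (not a configuration from anyone in the thread): an ISC dhcpd.conf fragment for a two-subnet setup like Matt's, where the Shorewall box also runs Samba as the WINS server. The subnet addresses, the host name and the MAC address are assumptions; the three netbios options are the ones named in the two replies, and the fixed-address host entry is the MAC-keyed reservation Matt describes using so that his lmhosts mappings stay valid.

```conf
# Constructed example: addresses, MAC and host name are assumptions.
# Global options apply to every subnet below. The WINS server is the
# Samba service on the Shorewall box; every client is told to use it.
option netbios-name-servers 192.168.1.1;
option netbios-dd-server 192.168.1.1;
option netbios-node-type 2;     # P-node: resolve via WINS only, never broadcast

# "local": the wired 100bT segment
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.199;
}

# "air": the 802.11b segment (the Shorewall box is the router between them)
subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    range 192.168.2.100 192.168.2.199;
}

# Fixed address keyed on the MAC, so an lmhosts line for MGDELL stays correct.
host mgdell {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.1.10;
}
```

Two practitioner notes. First, the Samba side must actually offer the service the clients are being pointed at (`wins support = yes` in smb.conf), otherwise P-node clients have no name resolution at all, not even on their own segment, since node type 2 disables the broadcast fallback. Second, none of this changes the Shorewall policy Matt posted: NetBIOS name and browse traffic between "local" and "air" is unicast once WINS is in use, so it is routed and accepted under the existing `local air ACCEPT` / `air local ACCEPT` policies, while the `net all DROP` policy keeps the NetBIOS and SMB ports from being reachable from the outside.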