Howdy, I think that I have RTFM'd, but I could be mistaken. I at least went through the quick-start guide, and I have downloaded the two-interface setup etc. I am familiar w/ iptables, etc., but I wanted to move to a more configurable solution. So I built a new firewall, stuck the latest RedHat + XFS on it, and installed Shorewall. I went through the configs step by step, but shorewall does not detect the interfaces properly. [Or I have a nut loose behind my keyboard.]

This is what I get when I start shorewall. I have:

interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect      routestopped,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<snip>
ocessing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0
Local Zone: eth1:0.0.0.0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
</snip>

If this is not enough to give any clues, please let me know. I know that I am going to get spanked for not searching the archives, so I guess I will get my flamesuit on.

thanks,
Joshua
On Mon, 24 Jun 2002, Joshua Schmidlkofer wrote:

> Howdy, I think that I have RTFM'd, but I could be mistaken. I at least
> went through the quick-start guide, and I have downloaded the two
> interface setup etc. I am familiar w/ iptables, etc, but I wanted to
> move to a more configurable solution. So I built a new firewall, stuck
> the latest RedHat + XFS on it, and installed Shorewall. I went through
> the configs step by step, but shorewall does not detect the interfaces
> properly. [Or I have a Nut loose behind my keyboard].
>
> This is what I get when I start shorewall. I have:
>
> interfaces:
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      dhcp,routefilter,norfc1918
> loc     eth1        detect      routestopped,dhcp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> <snip>
> ocessing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Determining Hosts in Zones...
> Net Zone: eth0:0.0.0.0
> Local Zone: eth1:0.0.0.0
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Enabling RFC1918 Filtering
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> </snip>
>
> If this is not enough to give any clues to, please let me know. I know
> that I am going to get spanked for not searching the archives, so I
> guess I will get my flamesuit on.

There is nothing wrong with the above output. You CERTAINLY want your net zone to be 0.0.0.0/24 -- you DO want to be able to connect to any site on the internet, correct?

Unless you restrict the local zone using the /etc/shorewall/hosts file, the zone will be "all hosts that are connected via eth1"; again 0.0.0.0/0

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 24 Jun 2002, Tom Eastep wrote:

> There is nothing wrong with the above output. You CERTAINLY want your net
> zone to be 0.0.0.0/24 -- you DO want to be able to connect to any site on
> the internet, correct?
>
> Unless you restrict the local zone using the /etc/shorewall/hosts file,
> the zone will be "all hosts that are connected via eth1"; again 0.0.0.0/0

This is the second time that this has come up recently (the other time was on the LEAF list). I've added it to the FAQ.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 24 Jun 2002, Tom Eastep wrote:

> There is nothing wrong with the above output. You CERTAINLY want your net
> zone to be 0.0.0.0/24 -- you DO want to be able to connect to any site on
> the internet, correct?

Obviously I meant 0.0.0.0/0 (which is what I assume that Joshua's actual output also said).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net