I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages) and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.

So my question is... Should my two-interface system have worked before installing Shorewell? And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.

When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).

So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.

BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?" And within Linux "Setup" should I have the firewall enabled or not? And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?

Sorry for all the questions - This is day #3 of my 5-day vacation. I've spent it all reading and trying to configure this firewall. I think I must be a complete moron.

Mark
Mark Champion schrieb:

> I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages) and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.

After 'shorewall clear', it really should work somehow. Something else is broken with your setup.

> So my question is... Should my two-interface system have worked before installing Shorewell? And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.

In a usual setup, all interfaces on the firewall should be up and running, although routing may not be enabled so things may not work from clients.

> When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).
>
> So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.

Maybe both :) First make sure that your interfaces are correctly configured and then make sure you customized the two-interface example correctly.

> BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?" And within Linux "Setup" should I have the firewall enabled or not? And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?

They are both enabled but until there is an appropriate config for any of them in /etc/sysconfig/, they won't do anything. The best thing is to skip 'firewall configuration' when installing or, if you already did, remove the config files.

> Sorry for all the questions - This is day #3 of my 5-day vacation. I've spent it all reading and trying to configure this firewall. I think I must be a complete moron.

Don't worry, many of us started the same way :)

Simon

> Mark
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Hard-won advice here, at least part of it. If ipchains starts up, then iptables will not start (according to the Redhat docs), and Shorewall will fail (spent 2 days on that one). I stopped ipchains from starting with "ntsysv", rebooted, and everything started working. Since then I did a "rpm -e" on ipchains, I deleted lokkit also.

Check to make sure you have "ip forwarding" turned on. Do a "cat /proc/sys/net/ipv4/ip_forward". It should contain a "1". The documentation mentions how to turn this on, and what to check for in this regard.

Joe

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Mark Champion
Sent: Thursday, August 15, 2002 2:59 AM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Prerequisites for Shorewall to work

> I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages) and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.
>
> So my question is... Should my two-interface system have worked before installing Shorewell? And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.
>
> When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).
>
> So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.
>
> BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?" And within Linux "Setup" should I have the firewall enabled or not? And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?
>
> Sorry for all the questions - This is day #3 of my 5-day vacation. I've spent it all reading and trying to configure this firewall. I think I must be a complete moron.
>
> Mark
H&K4ME schrieb:

> Hard-won advice here, at least part of it. If ipchains starts up, then iptables will not start (according to the Redhat docs), and Shorewall will fail (spent 2 days on that one). I stopped ipchains from starting with "ntsysv", rebooted, and everything started working. Since then I did a "rpm -e" on ipchains, I deleted lokkit also.
>
> Check to make sure you have "ip forwarding" turned on. Do a "cat /proc/sys/net/ipv4/ip_forward". It should contain a "1". The documentation mentions how to turn this on, and what to check for in this regard.

Just remove both config files and nothing will happen even if ipchains and iptables services are turned on:

/etc/sysconfig/iptables
/etc/sysconfig/ipchains

I also recommend against turning ip forwarding on via /etc/sysctl.conf. Shorewall does it for you unless you don't want it.

Simon

> Joe
>
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Mark Champion
> Sent: Thursday, August 15, 2002 2:59 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Prerequisites for Shorewall to work
>
> I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages) and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.
>
> So my question is... Should my two-interface system have worked before installing Shorewell? And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.
>
> When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).
>
> So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.
>
> BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?" And within Linux "Setup" should I have the firewall enabled or not? And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?
>
> Sorry for all the questions - This is day #3 of my 5-day vacation. I've spent it all reading and trying to configure this firewall. I think I must be a complete moron.
>
> Mark
On Thu, 15 Aug 2002, H&K4ME wrote:

> Hard-won advice here, at least part of it. If ipchains starts up, then iptables will not start (according to the Redhat docs), and Shorewall will fail (spent 2 days on that one).

Tsk, tsk -- this is a FAQ -- http://www.shorewall.net/FAQ.htm#faq8

> I stopped ipchains from starting with "ntsysv", rebooted, and everything started working. Since then I did a "rpm -e" on ipchains, I deleted lokkit also.
>
> Check to make sure you have "ip forwarding" turned on. Do a "cat /proc/sys/net/ipv4/ip_forward". It should contain a "1". The documentation mentions how to turn this on, and what to check for in this regard.

The current default Shorewall setup turns on ip forwarding.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Wed, 14 Aug 2002, Mark Champion wrote:

> I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages)

What does "shorewall show shorewall" show after you have started shorewall?

> and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.
>
> So my question is... Should my two-interface system have worked before installing Shorewell?

Your two-interface system should have been able to access the internet and your local systems and firewall should be able to communicate freely.

> And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.
>
> When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).

What does "can't ping within the loc zone" mean exactly?

> So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.
>
> BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?"

Yes -- you should use one or the other.

> And within Linux "Setup" should I have the firewall enabled or not?

No.

> And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?

You should have neither enabled.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

My answers are embedded below...

> On Wed, 14 Aug 2002, Mark Champion wrote:
>
> > I'm not having success with Shorewell using the "Two-interface" example. It seems to start fine (no error messages)
>
> What does "shorewall show shorewall" show after you have started shorewall?

The following is shown...

Counters reset Thu Aug 15 09:57:02 PDT 2002
iptables: Table does not exist (do you need to insmod?)

> > and be trying to work, but I don't get any data through. Even if I type "shorewell clear", I get nothing through.
> >
> > So my question is... Should my two-interface system have worked before installing Shorewell?
>
> Your two-interface system should have been able to access the internet and your local systems and firewall should be able to communicate freely.
>
> > And then Shorewell simply restricts the data according to the rules? I did try it before installing Shorewell, and the only thing I could do was ping within the loc zone. This proved to me that the computers were connected and capable of communicating. But I've never been able to move a single byte of data between the loc and net zones.
> >
> > When Shorewell is running, I can't ping within the loc zone. This reinforces the theory that Shorewell doesn't facilitate communication, but rather restricts it (a good thing for a firewall).
>
> What does "can't ping within the loc zone" mean exactly.

I use ping as a basic test. When shorewall is not running, I can ping the firewall from a Windows computer in the loc zone. When shorewall is running, I cannot ping the firewall. (I followed the instructions to open the firewall for pinging. These instructions did not indicate a "rule" was needed.)

> > So, I don't know if my problem is a Shorewell configuration problem (which I think matches the two-interface example) or some fundamental Linux configuration problem.
> >
> > BTW, how should I have "lokkit" configured on my computer? Isn't "lokkit" an alternative to "shorewell?"
>
> Yes -- you should use one or the other.

OK, I'll use shorewell.

> > And within Linux "Setup" should I have the firewall enabled or not?
>
> No.

OK, well I enabled it. I guess I should run "setup" and disable it now, right?

> > And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?
>
> You should have neither enabled.

I didn't enable them. Maybe they got enabled with the firewall. I guess I can disable them within the "systemconf" utility, right?

Mark Champion

ps. I know Shoreline! I live in Kenmore!

> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Thu, 15 Aug 2002, Mark Champion wrote:

> Tom,
>
> > What does "shorewall show shorewall" show after you have started shorewall?
>
> The following is shown...
>
> Counters reset Thu Aug 15 09:57:02 PDT 2002
> iptables: Table does not exist (do you need to insmod?)

Then Shorewall is NOT starting. I need to see the exact output from "shorewall start"

> > What does "can't ping within the loc zone" mean exactly.
>
> I use ping as a basic test. When shorewall is not running, I can ping the firewall from a Windows computer in the loc zone. When shorewall is running, I cannot ping the firewall.

But of course Shorewall is never "running" -- when Shorewall fails to start, it enters the "stopped" state where only traffic to/from "routestopped" hosts is allowed.

> > > And within Linux "Setup" should I have the firewall enabled or not?
> >
> > No.
>
> OK, well I enabled it. I guess I should run "setup" and disable it now, right?

I would think so.

> > > And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?
> >
> > You should have neither enabled.
>
> I didn't enable them. Maybe they got enabled with the firewall. I guess I can disable them within the "systemconf" utility, right?

I have no idea what "systemconf" is -- I assume it's your distro's system configuration utility but it's not one that I'm familiar with and you haven't told us which distribution you are running.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

1. My Linux is RedHat 7.2 with all updates as of Monday.

2. I meant to say "serviceconf" rather than "systemconf." "serviceconf" is an X11 app that allows me to start/stop/restart services including ipchains and iptables. Incidentally, I have stopped both of those.

3. Here is the output from a "shorewall start" command.

[root@niftysvr shorewall]# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Warning: Zone net is empty
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT net fw tcp 80" added.
Rule "ACCEPT loc fw tcp 80" added.
Adding rules for DHCP
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from eth1 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Started
[root@niftysvr shorewall]#

4. Here is the output from "shorewall show shorewall" after starting shorewall...

[root@niftysvr shorewall]# shorewall show shorewall
Shorewall-1.3.6 Chain shorewall at niftysvr.myip.net - Thu Aug 15 11:13:32 PDT 2002

Counters reset Thu Aug 15 11:13:20 PDT 2002

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@niftysvr shorewall]#

5. Thanks for your patience - I'm kind of new at this.

Mark

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mark Champion" <netdaddyo@hotmail.com>
Cc: <shorewall-users@shorewall.net>
Sent: Thursday, August 15, 2002 10:25 AM
Subject: Re: [Shorewall-users] Prerequisites for Shorewall to work

> On Thu, 15 Aug 2002, Mark Champion wrote:
>
> > Tom,
> >
> > > What does "shorewall show shorewall" show after you have started shorewall?
> >
> > The following is shown...
> >
> > Counters reset Thu Aug 15 09:57:02 PDT 2002
> > iptables: Table does not exist (do you need to insmod?)
>
> Then Shorewall is NOT starting. I need to see the exact output from "shorewall start"
>
> > > What does "can't ping within the loc zone" mean exactly.
> >
> > I use ping as a basic test. When shorewall is not running, I can ping the firewall from a Windows computer in the loc zone. When shorewall is running, I cannot ping the firewall.
>
> But of course Shorewall is never "running" -- when Shorewall fails to start, it enters the "stopped" state where only traffic to/from "routestopped" hosts is allowed.
>
> > > > And within Linux "Setup" should I have the firewall enabled or not?
> > >
> > > No.
> >
> > OK, well I enabled it. I guess I should run "setup" and disable it now, right?
>
> I would think so.
>
> > > > And my "systemconf" utility indicates that both ipchains and iptables are enabled. Is that related?
> > >
> > > You should have neither enabled.
> >
> > I didn't enable them. Maybe they got enabled with the firewall. I guess I can disable them within the "systemconf" utility, right?
>
> I have no idea what "systemconf" is -- I assume it's your distro's system configuration utility but it's not one that I'm familiar with and you haven't told us which distribution you are running.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Thu, 15 Aug 2002, Mark Champion wrote:

> Tom,
>
> 1. My Linux is RedHat 7.2 with all updates as of Monday.
>
> 2. I meant to say "serviceconf" rather than "systemconf." "serviceconf" is an X11 app that allows me to start/stop/restart services including ipchains and iptables. Incidentally, I have stopped both of those.
>
> 3. Here is the output from a "shorewall start" command.
>
> [root@niftysvr shorewall]# shorewall start
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Warning: Zone net is empty

The above is a very bad sign -- it means that you haven't assigned an internet interface!!!

> Local Zone: eth1:0.0.0.0/0
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Rule "ACCEPT fw net tcp 53" added.
> Rule "ACCEPT fw net udp 53" added.
> Rule "ACCEPT loc fw tcp 22" added.
> Rule "ACCEPT net fw tcp 80" added.
> Rule "ACCEPT loc fw tcp 80" added.
> Adding rules for DHCP
> Setting up ICMP Echo handling...
> Processing /etc/shorewall/policy...
> Policy ACCEPT for fw to net using chain fw2net
> Policy DROP for net to fw using chain net2all
> Policy REJECT for loc to fw using chain all2all
> Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from eth1 through eth0
> Processing /etc/shorewall/tos...
> Rule "all all tcp - ssh 16" added.
> Rule "all all tcp ssh - 16" added.
> Rule "all all tcp - ftp 16" added.
> Rule "all all tcp ftp - 16" added.
> Rule "all all tcp ftp-data - 8" added.
> Rule "all all tcp - ftp-data 8" added.
> Activating Rules...
> Shorewall Started
> [root@niftysvr shorewall]#
>
> 4. Here is the output from "shorewall show shorewall" after starting shorewall...
>
> [root@niftysvr shorewall]# shorewall show shorewall
> Shorewall-1.3.6 Chain shorewall at niftysvr.myip.net - Thu Aug 15 11:13:32 PDT 2002
>
> Counters reset Thu Aug 15 11:13:20 PDT 2002
>
> Chain shorewall (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> [root@niftysvr shorewall]#
>
> 5. Thanks for your patience - I'm kind of new at this.

The good news is that Shorewall is now starting -- assuming that your local ethernet interface is eth1 and assuming that you don't have either "noping" or "filterping" on the eth1 entry in /etc/shorewall/interfaces, you should be able to ping back and forth between the firewall and local systems.

If you fix the internet interface problem, you should be all set!!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> On Thu, 15 Aug 2002, Mark Champion wrote:
>
> > Tom,
> >
> > 1. My Linux is RedHat 7.2 with all updates as of Monday.
> >
> > 2. I meant to say "serviceconf" rather than "systemconf." "serviceconf" is an X11 app that allows me to start/stop/restart services including ipchains and iptables. Incidentally, I have stopped both of those.
> >
> > 3. Here is the output from a "shorewall start" command.
> >
> > [root@niftysvr shorewall]# shorewall start
> > Processing /etc/shorewall/shorewall.conf ...
> > Processing /etc/shorewall/params ...
> > Starting Shorewall...
> > Loading Modules...
> > Initializing...
> > Determining Zones...
> > Zones: net loc
> > Validating interfaces file...
> > Validating hosts file...
> > Validating Policy file...
> > Determining Hosts in Zones...
> > Warning: Zone net is empty
>
> The above is a very bad sign -- it means that you haven't assigned an internet interface!!!

I copied /etc/shorewall/interfaces from the two-interface sample. The instructions implied that I didn't need to modify this file if eth0 was the net and eth1 was loc. Specifically, the instructions state...

"The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the internal interface is eth1. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly... "

Anyway, I added the following line...

net eth0 detect dhcp

AND NOW IT WORKS! YAHOOO!

I still need to make several changes though. I'm running a dhcp server for my loc network and that doesn't work unless I issue a "shorewall clear" command. I need to figure out what ports are involved and add them to the rules file. I also run an X Server on a Windows machine and need to figure out the ports for that.

But web browsing works, mail works, ping works!

Thanks for your help!

mark
> I still need to make several changes though. I'm running a dhcp server for my loc network and that doesn't work unless I issue a "shorewall clear" command. I need to figure out what ports are involved and add them to the rules file. I also run an X Server on a Windows machine and need to figure out the ports for that.

I can probably help on the X server stuff. If you're using XDMCP to start an X session back to your X server on the LAN, then the following is a cut/paste from my rules file:

------------------------
# Allow the firewall to create X sessions back to local LAN
# These sessions can either be started by XDMCP queries or the
# user manually starting them through ssh, telnet, etc...
# 10 ports, plus ssh offset (X11DisplayOffset 10) should be enough.
ACCEPT  fw   loc   tcp   6000:6010

# Allow the firewall to accept XDMCP queries from X servers on
# the LAN. If XDMCP is not configured on the firewall, then comment
# the following line. It's not needed.
ACCEPT  loc  fw    udp   177
------------------------

Steve Cowles
On Thu, 15 Aug 2002, Mark Champion wrote:

> I still need to make several changes though. I'm running a dhcp server for my loc network and that doesn't work unless I issue a "shorewall clear" command. I need to figure out what ports are involved and add them to the rules file.

Or better yet, follow from the Shorewall Home Page->Documentation->DHCP which will tell you to just set the "dhcp" option on eth1.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
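The three prerequisites this thread converged on (a zone with no interface behind "Warning: Zone net is empty" and the `net eth0 detect dhcp` fix, Joe's ip_forward check, and Simon's advice to remove leftover /etc/sysconfig/ipchains and /etc/sysconfig/iptables) as one pre-flight script. This is an added example, not part of Shorewall or any reply on the list; it assumes the Shorewall 1.3 column layout (first column is the zone), ignores zone membership via /etc/shorewall/hosts, and the sample files at the bottom are constructed.

```sh
#!/bin/sh
# Pre-flight check for a Shorewall two-interface host (added example, not
# part of Shorewall). It checks:
#   1. every zone in the zones file has an interface assigned, the cause of
#      "Warning: Zone net is empty";
#   2. the kernel has IP forwarding on (/proc/sys/net/ipv4/ip_forward = 1);
#   3. no leftover /etc/sysconfig/ipchains or /etc/sysconfig/iptables that the
#      distribution's own firewall scripts would load underneath Shorewall.
# Assumes the Shorewall 1.3 column layout (first column = zone); membership
# via /etc/shorewall/hosts is ignored. Paths are parameters for testability.

# First column of a Shorewall zones file, comments and blank lines removed.
list_zones() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Print each zone from the zones file ($1) that has no line in the interfaces
# file ($2). Returns 0 when every zone is covered, 1 otherwise.
empty_zones() {
    rc=0
    for z in $(list_zones "$1"); do
        if ! sed 's/#.*//' "$2" |
             awk -v z="$z" 'NF && $1 == z { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "$z"
            rc=1
        fi
    done
    return $rc
}

# Returns 0 when the sysctl file ($1) reads "1", 1 otherwise.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print any ipchains/iptables service configs under $1 (normally
# /etc/sysconfig). Returns 0 if none exist, 1 if any do.
stale_netfilter_configs() {
    rc=0
    for f in ipchains iptables; do
        if [ -e "$1/$f" ]; then
            echo "$1/$f"
            rc=1
        fi
    done
    return $rc
}

# Run all checks. Args: zones file, interfaces file, ip_forward file, sysconfig dir.
preflight() {
    status=0
    missing=$(empty_zones "$1" "$2") || {
        echo "FAIL: zone(s) with no interface: $missing"
        echo "      (e.g. add 'net eth0 detect dhcp' to $2)"
        status=1
    }
    forwarding_enabled "$3" || { echo "FAIL: IP forwarding is off in $3"; status=1; }
    stale=$(stale_netfilter_configs "$4") || {
        echo "FAIL: remove leftover firewall config: $stale"
        status=1
    }
    [ "$status" -eq 0 ] && echo "OK: Shorewall prerequisites look good"
    return "$status"
}

# Demo on constructed sample files combining the three problems raised in the
# thread: interfaces file lacks the "net" line, forwarding off, stale ipchains.
demo=$(mktemp -d) && mkdir "$demo/sysconfig"
printf 'net\tNet\tInternet\nloc\tLocal\tLocal networks\n' > "$demo/zones"
printf 'loc\teth1\tdetect\n' > "$demo/interfaces"
echo 0 > "$demo/ip_forward"
: > "$demo/sysconfig/ipchains"
preflight "$demo/zones" "$demo/interfaces" "$demo/ip_forward" "$demo/sysconfig"
# Apply the thread's fixes and the same check passes.
printf 'net\teth0\tdetect\tdhcp\n' >> "$demo/interfaces"
echo 1 > "$demo/ip_forward"; rm "$demo/sysconfig/ipchains"
preflight "$demo/zones" "$demo/interfaces" "$demo/ip_forward" "$demo/sysconfig"
rm -r "$demo"
```

On the live host the call is `preflight /etc/shorewall/zones /etc/shorewall/interfaces /proc/sys/net/ipv4/ip_forward /etc/sysconfig`, run as root so the files are readable.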