	Ok, while I was trying to gather the info, traffic started moving... I'll
throw the problem out here anyways ;) I'm running 1.3.9b on my firewall
and I'm using the following 2 scripts to regulate net access from the kids
machine:
[hparker@linux bin]# cat msn.down
#!/bin/sh
shorewall reject 172.16.1.5
shorewall reject 172.16.1.5
shorewall save
exit 0
[hparker@linux bin]# cat msn.up
#!/bin/sh
shorewall allow 172.16.1.5
shorewall allow 172.16.1.5
shorewall save
exit 0
[hparker@linux bin]# 
	The problem is, it doesn't always clear the dynamic rules... I ran msn.up
three times this morning... Was trying to get all the cut-n-paste in order
on the fourth run, and it finally cleared... What was really strange, I
ran msn.up twice in a row, and it said the dynamic rules didn't exist, yet
shorewall status showed them in place?? I then ran msn.down, msn.up and it
cleared... I had the kids reboot before I started messing with it to be
sure it wasn't just Windows having a problem.. I saw in /var/log/messages
where they got their IP from dhcp, yet still couldn't surf... I just have
these running from cron at the appropriate times... It will usually clear
on its own after a period of time??? I say this, as this is the first
time I've looked into it, yet it eventually allows them to surf... Here's
the /etc/crontab entries:
# Block late night chatting
0 21 * * 0-4 root /home/hparker/bin/msn.down
0 00 * * 5-6 root /home/hparker/bin/msn.down
0 7 * * * root /home/hparker/bin/msn.up
	So, every morning at 7am, the net comes back... Well, it's supposed... I
scrolled back and found the 'shorewall status' that showed the dynamic
rules in place:
Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
  726 53119 reject     all  --  *      *       172.16.1.5           0.0.0.0/0
    0     0 reject     all  --  *      *       172.16.1.5           0.0.0.0/0
	Anyone got a clue on this one?
--- 
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net
This e-mail message is 100% Microsoft free!
WARNING: THIS ACCOUNT BELONGS TO A RABID
ANTI-SPAMMER NET-NAZI DOT-COMMUNIST.
   /"\
   \ /     ASCII Ribbon Campaign
    X      Against HTML Mail
   / \

On Fri, 01 Nov 2002 08:59:50 -0800
Tom Eastep <teastep@shorewall.net> wrote....

> So here's a dumb question -- why the %$#@ do you have the reject/allow
> command in each script twice?

	Ummm..... Hmmmm..... Well, they initially started a bit different than
they are... I guess I ... Missed that little detail.... Thanks!
--- 
Homer Parker

--On Friday, November 01, 2002 10:35:07 AM -0600 Homer Parker <hparker@homershut.net> wrote:

> Ok, while I was trying to gather the info, traffic started moving... I'll
> throw the problem out here anyways ;) I'm running 1.3.9b on my firewall
> and I'm using the following 2 scripts to regulate net access from the kids
> machine:
>
> [hparker@linux bin]# cat msn.down
> #!/bin/sh
>
> shorewall reject 172.16.1.5
> shorewall reject 172.16.1.5
> shorewall save
>
> exit 0
>
> [hparker@linux bin]# cat msn.up
> #!/bin/sh
>
> shorewall allow 172.16.1.5
> shorewall allow 172.16.1.5
> shorewall save
> exit 0

So here's a dumb question -- why the %$#@ do you have the reject/allow
command in each script twice?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

--On Friday, November 01, 2002 10:35:07 AM -0600 Homer Parker <hparker@homershut.net> wrote:

> Ok, while I was trying to gather the info, traffic started moving... I'll
> throw the problem out here anyways ;) I'm running 1.3.9b on my firewall
> and I'm using the following 2 scripts to regulate net access from the kids
> machine:
>
> [hparker@linux bin]# cat msn.down
> #!/bin/sh
>
> shorewall reject 172.16.1.5
> shorewall reject 172.16.1.5
> shorewall save
>
> exit 0
>
> [hparker@linux bin]# cat msn.up
> #!/bin/sh
>
> shorewall allow 172.16.1.5
> shorewall allow 172.16.1.5
> shorewall save
> exit 0
> [hparker@linux bin]#
>

Also, are you sure that /sbin is always in the path when this cron job
executes?

It would be safer to code "/sbin/shorewall" rather than just "shorewall".

-Tom

On Fri, 01 Nov 2002 09:04:34 -0800
Tom Eastep <teastep@shorewall.net> wrote....

> Also, are you sure that /sbin is always in the path when this cron job
> executes?
>
> It would be safer to code "/sbin/shorewall" rather than just
> "shorewall".

	Added the path, thanks... I guess the good thing is it always took the net
down at night ;)
--- 
Homer Parker
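
An added example, not part of the thread and not Shorewall's own code: a cron-safe replacement for msn.up that applies both suggestions from the replies (a single `allow`, the absolute `/sbin/shorewall` path) and then checks the `Chain dynamic` section of `shorewall status`, in the format shown in the first message, for leftover rules. The function names and the `SHOREWALL` override variable are hypothetical, and the sample status text is constructed from the excerpt in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /sbin/shorewall, the absolute
# path suggested in the thread; function names are hypothetical.
SHOREWALL=${SHOREWALL:-/sbin/shorewall}

# Constructed sample: the "Chain dynamic" excerpt from the first message with
# wrapped lines rejoined, plus a made-up second chain to test section handling.
SAMPLE_STATUS='Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
  726 53119 reject     all  --  *      *       172.16.1.5           0.0.0.0/0
    0     0 reject     all  --  *      *       172.16.1.5           0.0.0.0/0

Chain example (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      *       172.16.1.5           0.0.0.0/0'

# Read "shorewall status" output on stdin and print how many rules in the
# dynamic chain have source address $1 (column 8 of each rule line).
dynamic_rule_count() {
    awk -v ip="$1" '
        /^Chain /                           { in_dyn = ($2 == "dynamic"); next }
        in_dyn && $1 ~ /^[0-9]/ && $8 == ip { n++ }
        END                                 { print n + 0 }
    '
}

# Lift the block for host $1: one "allow", one "save", then check the result.
# Returns 0 when no dynamic rule for the host remains, 1 otherwise.
enable_host() {
    "$SHOREWALL" allow "$1"
    "$SHOREWALL" save
    left=$("$SHOREWALL" status | dynamic_rule_count "$1")
    if [ "$left" -ne 0 ]; then
        # Written to stderr so cron's job-output mail reports a stuck rule.
        echo "msn.up: $left dynamic rule(s) still present for $1" >&2
        return 1
    fi
}

# Usage from cron: pass the host address as the only argument.
if [ $# -gt 0 ]; then
    enable_host "$1"
fi
```

Run against the status excerpt from the first message, the counter reports two dynamic rules for 172.16.1.5, which is the state the check is meant to catch after a morning run.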