Ok, while I was trying to gather the info, traffic started moving... I'll throw the problem out here anyways ;) I'm running 1.3.9b on my firewall and I'm using the following 2 scripts to regulate net access from the kids machine:

[hparker@linux bin]# cat msn.down
#!/bin/sh

shorewall reject 172.16.1.5
shorewall reject 172.16.1.5
shorewall save

exit 0

[hparker@linux bin]# cat msn.up
#!/bin/sh

shorewall allow 172.16.1.5
shorewall allow 172.16.1.5
shorewall save
exit 0
[hparker@linux bin]#

The problem is, it doesn't always clear the dynamic rules... I ran msn.up three times this morning... Was trying to get all the cut-n-paste in order on the fourth run, and it finally cleared... What was really strange, I ran msn.up twice in a row, and it said the dynamic rules didn't exist, yet shorewall status showed them in place?? I then ran msn.down, msn.up and it cleared... I had the kids reboot before I started messing with it to be sure it wasn't just Windows having a problem.. I saw in /var/log/messages where they got their IP from dhcp, yet still couldn't surf...

I just have these running from cron at the appropriate times... It will usually clear on its own after a period of time??? I say this, as this is the first time I've looked into it, yet it eventually allows them to surf... Here's the /etc/crontab entries:

# Block late night chatting
0 21 * * 0-4 root /home/hparker/bin/msn.down
0 00 * * 5-6 root /home/hparker/bin/msn.down
0 7 * * * root /home/hparker/bin/msn.up

So, every morning at 7am, the net comes back... Well, it's supposed...

I scrolled back and found the 'shorewall status' that showed the dynamic rules in place:

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
  726 53119 reject     all  --  *      *       172.16.1.5           0.0.0.0/0
    0     0 reject     all  --  *      *       172.16.1.5           0.0.0.0/0

Anyone got a clue on this one?
---
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net

This e-mail message is 100% Microsoft free!

WARNING: THIS ACCOUNT BELONGS TO A RABID ANTI-SPAMMER NET-NAZI DOT-COMMUNIST.

 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \

On Fri, 01 Nov 2002 08:59:50 -0800
Tom Eastep <teastep@shorewall.net> wrote....

> So here's a dumb question -- why the %$#@ do you have the reject/allow
> command in each script twice?

Ummm..... Hmmmm..... Well, they initially started a bit different than they are... I guess I ... Missed that little detail.... Thanks!

---
Homer Parker

--On Friday, November 01, 2002 10:35:07 AM -0600 Homer Parker <hparker@homershut.net> wrote:

> Ok, while I was trying to gather the info, traffic started moving... I'll
> throw the problem out here anyways ;) I'm running 1.3.9b on my firewall
> and I'm using the following 2 scripts to regulate net access from the kids
> machine:
>
> [hparker@linux bin]# cat msn.down
> #!/bin/sh
>
> shorewall reject 172.16.1.5
> shorewall reject 172.16.1.5
> shorewall save
>
> exit 0
>
> [hparker@linux bin]# cat msn.up
> #!/bin/sh
>
> shorewall allow 172.16.1.5
> shorewall allow 172.16.1.5
> shorewall save
> exit 0

So here's a dumb question -- why the %$#@ do you have the reject/allow command in each script twice?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

--On Friday, November 01, 2002 10:35:07 AM -0600 Homer Parker <hparker@homershut.net> wrote:

> Ok, while I was trying to gather the info, traffic started moving... I'll
> throw the problem out here anyways ;) I'm running 1.3.9b on my firewall
> and I'm using the following 2 scripts to regulate net access from the kids
> machine:
>
> [hparker@linux bin]# cat msn.down
> #!/bin/sh
>
> shorewall reject 172.16.1.5
> shorewall reject 172.16.1.5
> shorewall save
>
> exit 0
>
> [hparker@linux bin]# cat msn.up
> #!/bin/sh
>
> shorewall allow 172.16.1.5
> shorewall allow 172.16.1.5
> shorewall save
> exit 0
> [hparker@linux bin]#
>

Also, are you sure that /sbin is always in the path when this cron job executes?

It would be safer to code "/sbin/shorewall" rather than just "shorewall".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

On Fri, 01 Nov 2002 09:04:34 -0800
Tom Eastep <teastep@shorewall.net> wrote....

> Also, are you sure that /sbin is always in the path when this cron job
> executes?
>
> It would be safer to code "/sbin/shorewall" rather than just
> "shorewall".

Added the path, thanks... I guess the good thing is it always took the net down at night ;)

---
Homer Parker
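
Added example, not part of the thread and not Shorewall's own code: a check that counts how many rules for a host remain in the "Chain dynamic" listing pasted in the first message, so a cron job can confirm the block was really lifted. The function names and the second chain in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count the rules for one source address in the
# "Chain dynamic" section of a status listing read on stdin.

# Constructed sample: the dynamic chain as pasted in the first message,
# followed by a made-up chain ("other") to show that only "dynamic" counts.
SAMPLE_STATUS='Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
  726 53119 reject     all  --  *      *       172.16.1.5           0.0.0.0/0
    0     0 reject     all  --  *      *       172.16.1.5           0.0.0.0/0

Chain other (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     all  --  *      *       172.16.1.5           0.0.0.0/0'

# count_dynamic_rules ADDRESS: prints the number of rules in the dynamic
# chain whose source column (field 8) equals ADDRESS.
count_dynamic_rules() {
    awk -v addr="$1" '
        /^Chain /  { in_dynamic = ($2 == "dynamic"); next }
        in_dynamic && $1 ~ /^[0-9]+[KMG]?$/ && $8 == addr { n++ }
        END        { print n + 0 }
    '
}

# host_is_cleared ADDRESS: succeeds only when no dynamic rule is left.
host_is_cleared() {
    [ "$(count_dynamic_rules "$1")" -eq 0 ]
}

# Run against the sample: two rules are present for 172.16.1.5, which is
# what running "shorewall reject" twice leaves behind in the listing.
if printf '%s\n' "$SAMPLE_STATUS" | host_is_cleared 172.16.1.5; then
    echo "172.16.1.5: no dynamic rules left"
else
    echo "172.16.1.5: dynamic rules still present"
fi

# Possible use at the end of msn.up, with the full path suggested in the thread:
#   /sbin/shorewall status | host_is_cleared 172.16.1.5 \
#       || logger "msn.up: dynamic rules for 172.16.1.5 still present"
```

A count above one after msn.down, or above zero after msn.up, is visible in the log instead of only when the kids cannot surf.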