I try to ping between my local network and the Internet and I can't do it. In my policy I have:

loc  net  ACCEPT  info
loc  fw   ACCEPT
loc  dmz  ACCEPT  info
fw   loc  ACCEPT
fw   net  ACCEPT  info
fw   dmz  ACCEPT  info
dmz  net  ACCEPT  info
dmz  fw   ACCEPT  info
net  loc  ACCEPT  info
all  all  REJECT  info

Can you help me?
Thanks
Kenneth Grande, Operations Manager, aspIT AS
2003-Jan-08 08:19 UTC
[Shorewall-users] ping from local to net
Try to add this in your rules file:

ACCEPT loc net icmp

Best Regards,
Kenneth.

-----Original Message-----
From: shorewall-users-bounces@shorewall.net on behalf of Marta Jara
Sent: 8 January 2003 17:00
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] ping from local to net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
My rules file is:

ACCEPT  loc  fw   tcp  23
ACCEPT  loc  fw   udp  23
ACCEPT  loc  fw   tcp  22
ACCEPT  loc  fw   udp  22
ACCEPT  fw   net  tcp  53
ACCEPT  fw   net  udp  53
ACCEPT  dmz  loc  tcp  53
ACCEPT  dmz  loc  udp  53
ACCEPT  fw   dmz  tcp  23
ACCEPT  fw   dmz  udp  23
ACCEPT  fw   dmz  tcp  22
ACCEPT  loc  net  icmp

Thanks

Kenneth Grande, Operations Manager, aspIT AS wrote:
> Try to add this in your rules file:
>
> ACCEPT loc net icmp
Kenneth Grande, Operations Manager, aspIT AS
2003-Jan-08 08:44 UTC
RE: [Shorewall-users] ping from local to net
Are you able to ping from your firewall?
Are your internal IPs private?
Does everything else work for your clients? (like web, mail etc.)
Are you masquerading the clients behind your firewall?
Does your logfile report anything when you try to ping from your local network to a public IP?

cat /var/log/messages (cat /path_to_log_dir/messages)

Best Regards,
Kenneth.

-----Original Message-----
From: shorewall-users-bounces@shorewall.net on behalf of Marta Jara
Sent: 8 January 2003 17:29
To: kenneth.grande@aspit.no
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] ping from local to net
FYI, based upon your policy file your firewall is wide open.

Can you ping the Internet from a system not behind the firewall?

In order to provide you with some answers to this problem we need to see all your Shorewall files (interfaces, zones, masq, rules, etc.).

Also, based upon your policy file it looks like you are running a three-interface firewall. Have you taken a look at Tom's three-interface users guide? (http://www.shorewall.net/three-interface.htm)

Also please take a look at Tom's Ping Management page (http://www.shorewall.net/ping.html) and see if he has already answered this question/problem.

Hope this helps
Mike

-----Original Message-----
From: Marta Jara [mailto:marta_jara@zenithmedia.es]
Sent: Wednesday, January 08, 2003 10:29 AM
To: kenneth.grande@aspit.no
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] ping from local to net
On Wed, 2003-01-08 at 07:59, Marta Jara wrote:
> I try to do ping between my local network and Internet and i can't do
> it, in my policy I have:

Marta,
Below you'll find a collection of ping FAQs for the LEAF project. They should assist you in determining your routing problem.

What are the ways that "ping" fails and what do they mean?
http://sourceforge.net/docman/display_doc.php?docid=4099&group_id=13751

Why can't the LEAF router ping its own interfaces?
http://sourceforge.net/docman/display_doc.php?docid=1433&group_id=13751

Why can't the LEAF router ping hosts on the LAN?
http://sourceforge.net/docman/display_doc.php?docid=1434&group_id=13751

Why can't the LEAF router ping its external gateway?
http://sourceforge.net/docman/display_doc.php?docid=1435&group_id=13751

Why can't the LEAF router ping hosts on the Internet?
http://sourceforge.net/docman/display_doc.php?docid=4100&group_id=13751

Why can't hosts on the LAN ping hosts on the Internet?
http://sourceforge.net/docman/display_doc.php?docid=1436&group_id=13751

-- 
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
Kenneth Grande, Operations Manager, aspIT AS
2003-Jan-08 09:33 UTC
RE: [Shorewall-users] ping from local to net
I totally agree. You should go through your policy file and determine what kind of security level you want for your internal LAN and DMZ zone.

Example:

net loc ACCEPT info

This is not a good idea; always restrict everything, and open only what you need. (For the rule mentioned, for example:)

net all DROP info

And then create the appropriate rules needed to get things to work.

Keep this in mind: just because your clients need to access port 80 on a public machine does not mean that you have to accept traffic to port 80 to $fw or loc. Remember that the fw acts on behalf of your client machine, and requests from your client will be accepted through your fw regardless of your rules file because of this line in your policy file:

loc net ACCEPT info

(This line would result in vulnerability to trojans, because any traffic on any port is accepted from your local network to the public net.)

I usually change this line to:

loc net DROP

and open the ports needed from loc to net (i.e. 80, 25, 110, https); this provides more control over the traffic going through your firewall and will make you sleep better at night :)

Best regards,
Kenneth.

-----Original Message-----
From: shorewall-users-bounces@shorewall.net on behalf of Martinez, Mike (MHS-ACS)
Sent: 8 January 2003 18:01
To: shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] ping from local to net
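Kenneth's point above (with loc net ACCEPT in the policy file, the rules file is irrelevant for that direction) also explains why adding ACCEPT loc net icmp changed nothing for Marta: that traffic was already allowed by policy, which is why the follow-up questions turn to masquerading and routing. The audit script below is an added example, not code from this thread or from the Shorewall project. It assumes the 1.3-era column layout used in the thread (policy: SOURCE DEST POLICY [LOG LEVEL]; rules: ACTION SOURCE DEST PROTO [DEST PORT(S)], with the ICMP type in the port column and first-match policy ordering), flags ACCEPT policies that touch the net zone, lists ACCEPT rules made dead by an ACCEPT policy, and runs over the policy and rules posted in the thread next to a tightened pair constructed here along the lines Kenneth describes.

```python
"""Audit Shorewall policy/rules text for two problems raised in the thread:
zone-pair policies that ACCEPT everything, and ACCEPT rules that are dead
because the policy for that zone pair already ACCEPTs.

Assumed column layout (Shorewall 1.3 era, as posted in the thread):
  policy: SOURCE DEST POLICY [LOG LEVEL]
  rules:  ACTION SOURCE DEST PROTO [DEST PORT(S)]   (ICMP type in port column)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    ports: str


def _fields(text: str):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text: str) -> List[Policy]:
    return [Policy(f[0], f[1], f[2].upper()) for f in _fields(text)]


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for f in _fields(text):
        f = f + [""] * (5 - len(f))  # PROTO / PORT columns are optional
        rules.append(Rule(f[0].upper(), f[1], f[2], f[3].lower(), f[4]))
    return rules


def effective_policy(policies: List[Policy], src: str, dst: str) -> Optional[str]:
    """First policy line matching the zone pair wins; 'all' matches any zone,
    so the order of lines in the policy file matters."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p.action
    return None


UNTRUSTED = {"net"}


def permissive_policies(policies: List[Policy]) -> List[Tuple[Policy, str]]:
    """ACCEPT policies touching the untrusted zone: inbound from it (the
    'net loc ACCEPT' line in the thread) or unrestricted outbound to it
    ('loc net ACCEPT', which lets any local process reach any port)."""
    findings = []
    for p in policies:
        if p.action != "ACCEPT":
            continue
        if p.source in UNTRUSTED or p.source == "all":
            findings.append((p, "accepts all inbound traffic from an untrusted zone"))
        elif p.dest in UNTRUSTED or p.dest == "all":
            findings.append((p, "accepts all outbound traffic to an untrusted zone"))
    return findings


def redundant_rules(policies: List[Policy], rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules for a zone pair whose policy is already ACCEPT change
    nothing: the traffic was allowed before the rule existed."""
    return [r for r in rules
            if r.action == "ACCEPT"
            and effective_policy(policies, r.source, r.dest) == "ACCEPT"]


def audit(policy_text: str, rules_text: str):
    policies = parse_policy(policy_text)
    return permissive_policies(policies), redundant_rules(policies, parse_rules(rules_text))


# Policy and rules exactly as posted in the thread.
POSTED_POLICY = """
loc  net  ACCEPT  info
loc  fw   ACCEPT
loc  dmz  ACCEPT  info
fw   loc  ACCEPT
fw   net  ACCEPT  info
fw   dmz  ACCEPT  info
dmz  net  ACCEPT  info
dmz  fw   ACCEPT  info
net  loc  ACCEPT  info
all  all  REJECT  info
"""
POSTED_RULES = """
ACCEPT  loc  fw   tcp  23
ACCEPT  loc  fw   udp  23
ACCEPT  loc  fw   tcp  22
ACCEPT  loc  fw   udp  22
ACCEPT  fw   net  tcp  53
ACCEPT  fw   net  udp  53
ACCEPT  dmz  loc  tcp  53
ACCEPT  dmz  loc  udp  53
ACCEPT  fw   dmz  tcp  23
ACCEPT  fw   dmz  udp  23
ACCEPT  fw   dmz  tcp  22
ACCEPT  loc  net  icmp
"""

# Tightened pair constructed for this example (not from the thread): default
# deny around the net zone, then open only the services the thread names.
HARDENED_POLICY = """
loc  fw   ACCEPT
fw   loc  ACCEPT
loc  net  DROP    info
dmz  net  DROP    info
fw   net  DROP    info
net  all  DROP    info
all  all  REJECT  info
"""
HARDENED_RULES = """
ACCEPT  loc  net  tcp   80,443,25,110
ACCEPT  loc  net  icmp  8
ACCEPT  fw   net  tcp   53
ACCEPT  fw   net  udp   53
ACCEPT  dmz  loc  tcp   53
ACCEPT  dmz  loc  udp   53
ACCEPT  fw   dmz  tcp   22,23
"""

if __name__ == "__main__":
    for name, pol, rul in (("posted", POSTED_POLICY, POSTED_RULES),
                           ("hardened", HARDENED_POLICY, HARDENED_RULES)):
        perm, dead = audit(pol, rul)
        print(f"== {name}: {len(perm)} permissive policies, {len(dead)} dead rules")
        for p, why in perm:
            print(f"  policy {p.source} -> {p.dest} {p.action}: {why}")
        for r in dead:
            print(f"  rule {r.action} {r.source} {r.dest} {r.proto} {r.ports}: "
                  "already allowed by policy")
```

On the posted configuration the script reports four wide-open zone pairs and ten dead rules, including the ACCEPT loc net icmp line; only the two dmz to loc DNS rules actually do anything, because dmz to loc falls through to the all all REJECT policy. On the tightened pair nothing is flagged, since every rule now opens something the policy would otherwise drop.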
Marta,
One additional resource you should read follows.

ICMP Echo-request (Ping)
http://www.shorewall.net/ping.html

-- 
Mike Noyes <mhnoyes @ users.sourceforge.net>