Shorewall users - Jan 2003 - dmz2dmz?

Hi

My situation:

I have two pc''s with public ip''s (192.159.56.206(webserver)
and
84.196.123.65(mail-gateway)) in the dmz. The firewall (84.196.123.66) is
configures with proxyarp, so nothing is changed on the pc''s from when
they
were not behind the firewall (i.e. they don''t have the firewall as
gateway
(and they each have different gateways, only 84.196.123.65 has same gateway
as the firewall).

The only problem is with communication between the pc''s in the dmz,
which
should always be allowed but isn''t. I can ping every which way I want,
except internally on the dmz.

I would think that this POLICY should work:
dmz             dmz             ACCEPT
But the log says:
Jan 13 17:17:11 firewall1 kernel: Shorewall:dmz2dmz:REJECT:IN=eth1 OUT=eth1
SRC=192.159.56.206 DST=84.196.123.65 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=58204
 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=14592

The only situation where it works is with the POLICY:
all             all             ACCEPT
Which is hardly acceptable :-)


How do I make it work?

My files:
PROXYARP:
############################################################################
##
#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE
84.196.123.65           eth1            eth0            No
192.159.56.206          eth1            eth0            No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


RULES:
############################################################################
##
#RESULT         CLIENT(S) SERVER(S)     PROTO   PORT(S) CLIENT PORT(S)
ADDRESS
#
# Allow SSH from the local network
#
ACCEPT          loc       $FW           tcp     ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT          net       $FW           tcp     ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT          $FW       net           udp     ntp
### Internet to DMZ
ACCEPT          net                     dmz                     icmp
echo-request
ACCEPT          net                     dmz                     tcp     ssh
ACCEPT          net                     dmz:84.196.123.65       tcp     smtp
ACCEPT          net                     dmz                     tcp
http,https
ACCEPT          net                     dmz                     tcp     ftp
ACCEPT          net                     dmz                     tcp     3389
#RDP Protocol (Terminal Ser
ver)

ACCEPT          $FW                     net                     udp
domain
ACCEPT          $FW                     net                     tcp
domain
#
# Firewall to DMZ
#
ACCEPT          $FW                     dmz                     tcp     smtp
ACCEPT          $FW                     net                     tcp     smtp
#
# Internet to Firewall
#
DROP            net                     $FW                     2
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


POLICY:
############################################################################
###
#CLIENT         SERVER          POLICY          LOG LEVEL
dmz             dmz             ACCEPT
dmz             net             ACCEPT

loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Thanks
Carsten

>The only situation where it works is with the POLICY:
>all             all             ACCEPT
>Which is hardly acceptable :-)
>How do I make it work?
>POLICY:
>dmz             dmz             ACCEPT
That line will make it work, as long as the "dmz" interface is
correctly
set up in interfaces (which was missing from your config dump)

--On Monday, January 13, 2003 05:00:07 PM +0100 Jan Johansson 
<jan.johansson@nwl.se> wrote:
>> The only situation where it works is with the POLICY:
>> all             all             ACCEPT
>> Which is hardly acceptable :-)
>
>
>> How do I make it work?
>
>
>> POLICY:
>> dmz             dmz             ACCEPT
>
> That line will make it work, as long as the "dmz" interface is
correctly
> set up in interfaces (which was missing from your config dump)
>
And if the above line comes BEFORE your "all all REJECT" policy.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net

>And if the above line comes BEFORE your "all all REJECT" policy.
Well, at least that was how it was stated in his enclosed configs, so I
assumed it would be...

--On Monday, January 13, 2003 05:10:19 PM +0100 Jan Johansson 
<jan.johansson@nwl.se> wrote:
>> And if the above line comes BEFORE your "all all REJECT"
policy.
>
> Well, at least that was how it was stated in his enclosed configs, so I
> assumed it would be...
>
Sorry -- didn''t look at the original post. The interesting question
then is
"Why is there a REJECT rule in the dmz2dmz chain?"

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net

--On Monday, January 13, 2003 05:00:07 PM +0100 Jan Johansson 
<jan.johansson@nwl.se> wrote:
>> The only situation where it works is with the POLICY:
>> all             all             ACCEPT
>> Which is hardly acceptable :-)
>
>
>> How do I make it work?
>
>
>> POLICY:
>> dmz             dmz             ACCEPT
>
> That line will make it work, as long as the "dmz" interface is
correctly
> set up in interfaces (which was missing from your config dump)
>
I would also like to see the output from "shorewall status".

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net

> >> POLICY:
> >> dmz             dmz             ACCEPT
> >
> > That line will make it work, as long as the "dmz" interface
is correctly
> > set up in interfaces (which was missing from your config dump)
Here it is:
INTERFACES:
############################################################################
##
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            detect          routestopped
dmz     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I have an unpleasant suspicion that I should add "multi" to the
dmz/eth1
options - I tried it, and that works - but is it right?
>I would also like to see the output from "shorewall status".
Here is the very long shorewall status:

Shorewall-1.2.12 Status at firewall1 - Tue Jan 14 09:55:09 CET 2003

Chain INPUT (policy DROP 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
  962 88735 net2fw     all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
    0     0 dmz2fw     all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:dmz2dmz:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
   29  1851 net2dmz    all  --  eth0   eth1    0.0.0.0/0
0.0.0.0/0
   28  1825 dmz2net    all  --  eth1   eth0    0.0.0.0/0
0.0.0.0/0
    6   504 dmz2dmz    all  --  eth1   eth1    0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:dmz2dmz:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0
  324 88272 fw2net     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0
    0     0 fw2dmz     all  --  *      eth1    0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:dmz2dmz:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain all2all (4 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source
destination
    2    72 icmpdef    icmp --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp flags:0x04/0x04
  390 32799 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:1900
   28  7920 DROP       all  --  *      *       0.0.0.0/0
255.255.255.255
    2    72 DROP       all  --  *      *       0.0.0.0/0
224.0.0.0/4
    0     0 DROP       all  --  *      *       0.0.0.0/0
80.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0
10.255.255.255

Chain dmz2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0
0.0.0.0/0          icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source
destination
   26  1711 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    2   114 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:25
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source
destination
  324 88272 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW udp dpt:123
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:25
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 12

Chain loc2fw (0 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:22
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain loc2net (0 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
  420 40791 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination
   29  1851 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
84.196.123.65      state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:3389
    0     0 net2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination
  535 47748 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp dpt:113
    7   196 DROP       2    --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0
0.0.0.0/0          icmp type 8
  420 40791 net2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source
destination

Jan 14 08:32:50 net2all:DROP:IN=eth0 OUT=eth1 SRC=66.136.140.172
DST=84.196.123.65 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=24960 DF PROTO=TCP
SPT=4501 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:50 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=84.196.123.66 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24963 DF PROTO=TCP
SPT=4535 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:50 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=84.196.123.66 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24967 DF PROTO=TCP
SPT=4575 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:51 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24992 DF PROTO=TCP
SPT=1616 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:51 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=24997 DF PROTO=TCP
SPT=1658 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:54 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25034 DF PROTO=TCP
SPT=1616 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:54 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25037 DF PROTO=TCP
SPT=1658 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=66.136.140.172
DST=84.196.123.65 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=25061 DF PROTO=TCP
SPT=4477 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:56 net2all:DROP:IN=eth0 OUT=eth1 SRC=66.136.140.172
DST=84.196.123.65 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=25063 DF PROTO=TCP
SPT=4501 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:56 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=84.196.123.66 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25065 DF PROTO=TCP
SPT=4535 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:32:56 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=84.196.123.66 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25069 DF PROTO=TCP
SPT=4575 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:33:00 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25123 DF PROTO=TCP
SPT=1616 DPT=27374 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 08:33:00 net2all:DROP:IN=eth0 OUT= SRC=66.136.140.172
DST=80.198.127.63 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=25126 DF PROTO=TCP
SPT=1658 DPT=12345 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 09:33:01 net2all:DROP:IN=eth0 OUT=eth1 SRC=193.252.182.63
DST=192.159.56.206 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=30654 DF PROTO=TCP
SPT=2064 DPT=888 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 14 09:33:04 net2all:DROP:IN=eth0 OUT=eth1 SRC=193.252.182.63
DST=192.159.56.206 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=30656 DF PROTO=TCP
SPT=2064 DPT=888 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 14 09:33:11 net2all:DROP:IN=eth0 OUT=eth1 SRC=193.252.182.63
DST=192.159.56.206 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=30658 DF PROTO=TCP
SPT=2064 DPT=888 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 14 09:37:39 dmz2dmz:REJECT:IN=eth1 OUT=eth1 SRC=84.196.123.65
DST=192.159.56.206 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=50028 SEQ=256
Jan 14 09:37:40 dmz2dmz:REJECT:IN=eth1 OUT=eth1 SRC=84.196.123.65
DST=192.159.56.206 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=50028 SEQ=512
Jan 14 09:37:41 dmz2dmz:REJECT:IN=eth1 OUT=eth1 SRC=84.196.123.65
DST=192.159.56.206 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=50028 SEQ=768
Jan 14 09:37:42 dmz2dmz:REJECT:IN=eth1 OUT=eth1 SRC=84.196.123.65
DST=192.159.56.206 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=50028 SEQ=1024

Chain PREROUTING (policy ACCEPT 1097K packets, 73M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 9242 packets, 530K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 196 packets, 11962 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain PREROUTING (policy ACCEPT 1721K packets, 342M bytes)
 pkts bytes target     prot opt in     out     source
destination
 2537  181K pretos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain INPUT (policy ACCEPT 338K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 497K packets, 257M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 36057 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source
destination
  394  109K outtos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 525K packets, 271M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
  388  109K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source
destination
  626 54840 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
   22  1480 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

--On Tuesday, January 14, 2003 08:59:47 AM +0100 Carsten 
<carsten@webglobe.dk> wrote:
>> >> POLICY:
>> >> dmz             dmz             ACCEPT
>> >
>> > That line will make it work, as long as the "dmz"
interface is
>> > correctly set up in interfaces (which was missing from your config
>> > dump)
>
> Here it is:
> INTERFACES:
>##########################################################################
##
>##
># ZONE    INTERFACE      BROADCAST       OPTIONS
> net     eth0            detect          routestopped
> dmz     eth1            detect
># LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> I have an unpleasant suspicion that I should add "multi" to the
dmz/eth1
> options - I tried it, and that works - but is it right?
Given that you have a dmz->dmz chain, you shouldn''t have to do that
but it
doesn''t hurt anything.
>
>> I would also like to see the output from "shorewall status".
>
> Here is the very long shorewall status:
>
> Shorewall-1.2.12 Status at firewall1 - Tue Jan 14 09:55:09 CET 2003
>
> Chain INPUT (policy DROP 1 packets, 78 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0
> 0.0.0.0/0
>   962 88735 net2fw     all  --  eth0   *       0.0.0.0/0
> 0.0.0.0/0
>     0     0 dmz2fw     all  --  eth1   *       0.0.0.0/0
> 0.0.0.0/0
>     0     0 common     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:dmz2dmz:REJECT:''
>     0     0 reject     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
And as I suspected, we have a bug -- the "dmz2dmz" log prefix is being
applied where it shouldn''t be.

Unfortunately, it''s not happening in my setup so I can''t
analyze the
problem except by code gazing.

Please send me a debug trace of "shorewall start" or "shorewall
restart"
(instructions at http://sourceforge.sf.net/troubleshoot.htm). If you would 
reset ''multi'' on your dmz interface while you are getting the
trace, I can
look at that too.

-Tom

--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net