Hi shorewallers,

I'm getting all sorts of packets rejected by shorewall from my loc (eth1) device. Please help me to resolve this! Hope I'm not doing anything blatantly stupid in my config :)

Using shorewall w/ debian woody 2.4.18. eth0 = internet, eth1 = local masq lan, wlan0 = wireless nic running host_ap.

eth0 = my.net.ip.add | eth1 = 10.0.0.1 | wlan0 = 10.0.1.1

From my firewall (10.0.0.1), if I ping a hostname (note my dns server is 10.0.0.10) I get this --->

Mar 1 03:29:28 animal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.0.0.1 DST=10.0.0.10 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=5061 DF PROTO=UDP SPT=1041 DPT=53 LEN=29

Previously I was getting rejected packets destined for 10.0.0.0, stopping my WINS server from becoming browser master.. I had to change REJECT to ACCEPT in common.def --> run_iptables -A common -p udp --dport 137:139 -j ACCEPT , and also changed this from DROP to ACCEPT, also from common.def --> run_iptables -A common -d 255.255.255.255 -j ACCEPT....

I was doing all this to get a WINS server running properly..

I have attached a shorewall status output (file called status, output of shorewall status >> status).

Thanks for any help from anyone on this.

Simon
sydney, AU.
Tom Eastep
2003-Feb-28 09:24 UTC
[Shorewall-users] rejected packets from loc host to loc host
--On Saturday, March 01, 2003 04:06:27 AM +1100 simon <sblack@bigpond.net.au> wrote:

> Hi shorewallers,
>
> I'm getting all sorts of packets rejected by shorewall from my loc
> (eth1) device. Please help me to resolve this! Hope I'm not doing
> anything blatantly stupid in my config :)
>
> Using shorewall w/ debian woody 2.4.18. eth0 = internet, eth1 = local
> masq lan, wlan0 = wireless nic running host_ap.
>
> eth0 = my.net.ip.add | eth1 = 10.0.0.1 | wlan0 = 10.0.1.1
>
> From my firewall (10.0.0.1), if I ping a hostname (note my dns server
> is 10.0.0.10) I get this --->
>
> Mar 1 03:29:28 animal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=10.0.0.1 DST=10.0.0.10 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=5061 DF
> PROTO=UDP SPT=1041 DPT=53 LEN=29

This was covered in the two-interface QuickStart Guide (you did read that, correct? http://www.shorewall.net/two-interface.htm) in the paragraph entitled "DNS", although in your case the DNS server appears to be in the local zone rather than on the firewall; just reverse the rules shown in the guide.

> Previously I was getting rejected packets destined for 10.0.0.0,
> stopping my WINS server from becoming browser master.. I had to change
> REJECT to ACCEPT in common.def -->

Please read the comments at the beginning of common.def regarding modification of that file. Read them again.

> run_iptables -A common -p udp --dport
> 137:139 -j ACCEPT , and also changed this from DROP to ACCEPT, also
> from common.def --> run_iptables -A common -d 255.255.255.255 -j
> ACCEPT....
>
> I was doing all this to get a WINS server running properly..

The proper method of supporting WINS/Samba is amply documented at http://www.shorewall.net/samba.htm. Modification of common.def is definitely the wrong approach.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
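The REJECT line Simon quoted is the kind of evidence Tom is pointing at: an empty IN= means the firewall itself generated the packet (fw zone), OUT=eth1 puts the destination in loc, and DPT=53/UDP is the DNS query, so the missing entry belongs in /etc/shorewall/rules rather than in common.def. The following triage helper is an added example, not code from the thread or from Shorewall; it parses Shorewall log lines, maps interfaces to zones using the layout from Simon's post (the zone names net/loc/fw and the second, NetBIOS sample line are my assumptions), and prints the narrowest candidate rules line for each REJECT.

```python
import re

# Interface-to-zone map from the original post (eth0 = internet, eth1 = local LAN);
# the zone names net/loc/fw are Shorewall's customary names and an assumption here.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}

# Constructed sample: the REJECT line quoted in the post, plus a hypothetical
# second line for a NetBIOS name-service packet from the LAN back to the firewall.
SAMPLE_LOG = (
    "Mar 1 03:29:28 animal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=10.0.0.1 DST=10.0.0.10 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=5061 DF "
    "PROTO=UDP SPT=1041 DPT=53 LEN=29\n"
    "Mar 1 03:30:02 animal kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "SRC=10.0.0.10 DST=10.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=7 "
    "PROTO=UDP SPT=137 DPT=137 LEN=58\n"
)

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<kv>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    # Flag tokens such as "DF" carry no '='; "LEN=" occurs twice (IP header,
    # then UDP), so the transport-layer value is the one that survives.
    for tok in m.group("kv").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def endpoint(iface, addr):
    """Zone (optionally host-qualified) for one side of the packet.
    An empty IN= or OUT= means the firewall itself was the source or destination."""
    if iface == "":
        return "fw"
    return f"{IFACE_ZONE.get(iface, 'unknown')}:{addr}"


def suggest_rule(rec):
    """Narrowest /etc/shorewall/rules entry that would have accepted this packet.
    It is a candidate for review, not something to apply unread."""
    src = endpoint(rec.get("IN", ""), rec["SRC"])
    dst = endpoint(rec.get("OUT", ""), rec["DST"])
    return f"ACCEPT {src} {dst} {rec['PROTO'].lower()} {rec['DPT']}"


def suggest_for_log(text):
    """One candidate rule per REJECT line; other dispositions are ignored."""
    records = (parse_line(line) for line in text.splitlines())
    return [suggest_rule(r) for r in records if r and r["disp"] == "REJECT"]


if __name__ == "__main__":
    for rule in suggest_for_log(SAMPLE_LOG):
        print(rule)
```

For the first line this yields `ACCEPT fw loc:10.0.0.10 udp 53`, the reversed form of the guide's DNS rule; the NetBIOS line is better handled by the rule set in the Samba document Tom cites than by a one-off port opening.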