Hi, I have a system on my local network. I want to run shorewall on it because I'm paranoid :-) I've used shorewall (and previously seawall) for many years so I dove right in and set up what I thought would work. I keep getting rejected packets even though I have the rules in place. Here's my setup (shorewall 1.3.13 + errata):

policy (one line - paranoid):

    all     all     REJECT    info

interfaces:

    -    eth0    10.0.0.255    routestopped,dhcp,tcpflags,blacklist

hosts:

    loc    eth0:10.0.0.0/16
    net    eth0:0.0.0.0/0

zones:

    net    Internet    Internet
    loc    Local       Local networks

and finally rules:

    ACCEPT    fw     loc:10.0.0.5    tcp    53
    ACCEPT    fw     loc:10.0.0.5    udp    53
    ACCEPT    loc    fw              tcp    22

All other files are default. I see this from "shorewall show log" when testing nslookup:

    all2all:REJECT:IN= OUT=eth0 SRC=10.0.0.3 DST=10.0.0.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=52283 DF PROTO=UDP SPT=32770 DPT=53 LEN=56

and this when trying to ssh in from my workstation:

    all2all:REJECT:IN=eth0 OUT= SRC=10.0.0.111 DST=10.0.0.3 LEN=48 TOS=0x10 PREC=0x00 TTL=128 ID=25350 DF PROTO=TCP SPT=4193 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0

The rules are there but it's not working the way I anticipated. Where did I screw up? Thanks.
--On Tuesday, February 04, 2003 1:34 PM -0500 itdamager@cox.net wrote:

> The rules are there but it's not working the way I anticipated. Where did
> I screw up?

I suspect that you have 'net' before 'loc' in /etc/shorewall/zones. Since 'loc' is nested within 'net', the order of the zone definitions is significant.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
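The ordering problem Tom describes can be caught mechanically. The following is an added example (not Shorewall's own code, and not from either poster): it parses constructed copies of the zones and hosts files from the question above and flags any zone whose hosts entry encloses a later-defined zone's network on the same interface, which is exactly the 'net' before 'loc' situation here. File layouts and column positions are assumed from the Shorewall 1.3 files as the poster showed them.

```python
import ipaddress

# Constructed copies of the poster's Shorewall 1.3 files, as shown in the question.
ZONES_AS_POSTED = """\
net   Internet   Internet
loc   Local      Local networks
"""

ZONES_FIXED = """\
loc   Local      Local networks
net   Internet   Internet
"""

HOSTS = """\
loc   eth0:10.0.0.0/16
net   eth0:0.0.0.0/0
"""


def parse_zones(text):
    """Return zone names in file order; Shorewall 1.3 checks zones in this order."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def parse_hosts(text):
    """Return {zone: [(interface, network), ...]} from a hosts file."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        zone, spec = line.split()[:2]
        iface, net = spec.split(":", 1)
        hosts.setdefault(zone, []).append((iface, ipaddress.ip_network(net)))
    return hosts


def nesting_problems(zone_order, hosts):
    """Report (outer, inner, iface, inner_net, outer_net) when an enclosing zone
    is defined before the zone nested inside it on the same interface."""
    problems = []
    for i, outer in enumerate(zone_order):
        for inner in zone_order[i + 1:]:
            for o_if, o_net in hosts.get(outer, []):
                for i_if, i_net in hosts.get(inner, []):
                    if o_if == i_if and i_net != o_net and i_net.subnet_of(o_net):
                        problems.append((outer, inner, o_if, str(i_net), str(o_net)))
    return problems


if __name__ == "__main__":
    for outer, inner, iface, i_net, o_net in nesting_problems(parse_zones(ZONES_AS_POSTED), parse_hosts(HOSTS)):
        print(f"zone '{outer}' ({o_net}) is listed before nested zone '{inner}' ({i_net}) on {iface}")
```

Run against the posted files it reports 'net' before 'loc' on eth0; with the two zone lines swapped it reports nothing.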
Duh. That fixed it. Thanks Tom.

> From: Tom Eastep <teastep@shorewall.net>
> Date: 2003/02/04 Tue PM 01:49:41 EST
> To: Shorewall-users@lists.shorewall.net
> Subject: Re: [Shorewall-users] shorewall on the local network
>
> I suspect that you have 'net' before 'loc' in /etc/shorewall/zones. Since
> 'loc' is nested within 'net', the order of the zone definitions is
> significant.
>
> -Tom