I am new to setting up shorewall and so far find it exciting. However I have a simple question and hope someone can point me in the right direction. Also I am running Slackware 8.1 (if that means anything).

What I need to know is what port AXIP uses during its operation. It seems the new installation I have of shorewall stops or interferes with my AXIP operations. I don't see where a particular port exists for AXIP in the /etc/services file but I am sure it uses some port to do its work.

For those not familiar with AXIP communications, it simply is a utility that allows a direct/personal connection to another system using the internet and of course is done through personal arrangements, where after it's in place each user has a very fast/instant connection to each other. Port 23 or 24 not used here, so for the life of me - I have no idea what port to open or to make free so it is not interfered with??

Any thoughts on how/where I can find this info??

---
Ted Gervais, Coldbrook, Nova Scotia, Canada
--On Saturday, February 22, 2003 12:49:15 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> I am new to setting up shorewall and so far find it exciting. However I have a simple question and hope someone can point me in the right direction. Also I am running Slackware 8.1 (if that means anything).
>
> What I need to know is what port AXIP uses during its operation. It seems the new installation I have of shorewall stops or interferes with my AXIP operations. I don't see where a particular port exists for AXIP in the /etc/services file but I am sure it uses some port to do its work.
>
> For those not familiar with AXIP communications, it simply is a utility that allows a direct/personal connection to another system using the internet and of course is done through personal arrangements, where after it's in place each user has a very fast/instant connection to each other. Port 23 or 24 not used here, so for the life of me - I have no idea what port to open or to make free so it is not interfered with??
>
> Any thoughts on how/where I can find this info??

Have the other person try to connect to you, then look at your log.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
--On Saturday, February 22, 2003 09:06:55 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>> Any thoughts on how/where I can find this info??
>
> Have the other person try to connect to you, then look at your log.

Did you have any luck with this approach?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Saturday, February 22, 2003 09:06:55 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:
>
>>> Any thoughts on how/where I can find this info??
>>
>> Have the other person try to connect to you, then look at your log.
>
> Did you have any luck with this approach?

Hi Tom and others on the list..

Well I had no luck. I have an axip link with a friend of mine and I have root access to his system. I went over there and had a look at his /var/log/messages, syslog, etc.. files and all I see in those log files are reference ONLY to axip. That is the port. And that is the only way it is being called or described.

But - for the life of me, the system uses some kind of port other than AXP, as I/we call it. What that might be I have no idea (yet). I asked another friend of mine if he had any idea as to what port it might be and no luck there either.

All I know is that with the shorewall 'setup' it gives my 'axip' port a hard time, where it finally kills the daemon that is working on the axip port. So, something in the script files will tell us what port that is but I have no idea where to go.

Must be someone out there that has heard of axip and has an idea on what 'services' port is actually being used???

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 12:07:44 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> Well I had no luck. I have an axip link with a friend of mine and I have root access to his system. I went over there and had a look at his /var/log/messages, syslog, etc.. files and all I see in those log files are reference ONLY to axip. That is the port. And that is the only way it is being called or described.
>
> But - for the life of me, the system uses some kind of port other than AXP, as I/we call it. What that might be I have no idea (yet).

So you see no Shorewall messages?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Sunday, February 23, 2003 12:07:44 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> Well I had no luck. I have an axip link with a friend of mine and I have root access to his system. I went over there and had a look at his /var/log/messages, syslog, etc.. files and all I see in those log files are reference ONLY to axip. That is the port. And that is the only way it is being called or described.
>>
>> But - for the life of me, the system uses some kind of port other than AXP, as I/we call it. What that might be I have no idea (yet).
>
> So you see no Shorewall messages?

Nope. But here is what someone asked me to do. They asked that I run 'netstat' and it should tell me what port axip is running on. Here is what I saw:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
<snip>
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  9      [ ]         DGRAM                    83     91/syslogd          /dev/log
unix  2      [ ]         DGRAM                    4833   75/dhcpcd
unix  2      [ ]         DGRAM                    234    179/ax25d
unix  2      [ ]         DGRAM                    230    178/netromd
unix  2      [ ]         DGRAM                    206    164/kissattach

Right here! This entry above (kissattach) is what loads/runs axip. And further down I am reminded that it is running on port 'ax0' of the ax25 utils..

<snip>

Active AX.25 sockets
Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
VE1ATT-7   VE1DRG-7   ax0     ESTABLISHED  003/000  0       0
*          VE1DRG-8   ???     LISTENING    000/000  0       0

See above - port device ax0. That is where the axip process is running. Will this help the scripts such that iptables won't interfere with that device/port??

<snip>

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 12:59:22 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
> unix  9      [ ]         DGRAM                    83     91/syslogd          /dev/log
> unix  2      [ ]         DGRAM                    4833   75/dhcpcd
> unix  2      [ ]         DGRAM                    234    179/ax25d
> unix  2      [ ]         DGRAM                    230    178/netromd
> unix  2      [ ]         DGRAM                    206    164/kissattach
>
> Right here! This entry above (kissattach) is what loads/runs axip. And further down I am reminded that it is running on port 'ax0' of the ax25 utils..

Yes but those are AF_UNIX sockets!!! -- they have nothing to do with IP/Netfilter/Shorewall. They are very similar to named pipes and are only used for local communication.

> <snip>
>
> Active AX.25 sockets
> Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
> VE1ATT-7   VE1DRG-7   ax0     ESTABLISHED  003/000  0       0
> *          VE1DRG-8   ???     LISTENING    000/000  0       0
>
> See above - port device ax0. That is where the axip process is running. Will this help the scripts such that iptables won't interfere with that device/port??

What does 'ip link show' produce? (or if you don't have 'ip', just run 'ifconfig').

Also, please follow the instructions at http://www.shorewall.net/support.htm for getting a Shorewall status of this connection problem.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Sunday, February 23, 2003 12:59:22 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
>> unix  9      [ ]         DGRAM                    83     91/syslogd          /dev/log
>> unix  2      [ ]         DGRAM                    4833   75/dhcpcd
>> unix  2      [ ]         DGRAM                    234    179/ax25d
>> unix  2      [ ]         DGRAM                    230    178/netromd
>> unix  2      [ ]         DGRAM                    206    164/kissattach
>>
>> Right here! This entry above (kissattach) is what loads/runs axip. And further down I am reminded that it is running on port 'ax0' of the ax25 utils..
>
> Yes but those are AF_UNIX sockets!!! -- they have nothing to do with IP/Netfilter/Shorewall. They are very similar to named pipes and are only used for local communication.

I guess. Local, but over the internet in my case. And that covers the whole world.. I know, I have nodes list from all around the world.

>> <snip>
>>
>> Active AX.25 sockets
>> Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
>> VE1ATT-7   VE1DRG-7   ax0     ESTABLISHED  003/000  0       0
>> *          VE1DRG-8   ???     LISTENING    000/000  0       0
>>
>> See above - port device ax0. That is where the axip process is running. Will this help the scripts such that iptables won't interfere with that device/port??
>
> What does 'ip link show' produce? (or if you don't have 'ip', just run 'ifconfig').

This is what ip link shows:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:da:92:bb:20 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:d0:f2:16 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP,UP> mtu 256 qdisc noqueue
    link/ipip 0.0.0.0 brd 0.0.0.0
5: nr0: <UP> mtu 216 qdisc noqueue
    link/generic ac:8a:62:88:a4:8e:0e brd 00:00:00:00:00:00:00
6: nr1: <UP> mtu 216 qdisc noqueue
    link/generic ac:8a:62:88:a4:8e:00 brd 00:00:00:00:00:00:00
7: nr2: <> mtu 236 qdisc noop
    link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
8: nr3: <> mtu 236 qdisc noop
    link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
9: ax0: <BROADCAST,UP> mtu 256 qdisc pfifo_fast qlen 10
    link/ax25 ac:8a:62:88:a4:8e:10 brd a2:a6:a8:40:40:40:60

> Also, please follow the instructions at http://www.shorewall.net/support.htm for getting a Shorewall status of this connection problem.

Ok Tom..

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 01:32:50 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> On Sun, 23 Feb 2003, Tom Eastep wrote:
>
>> --On Sunday, February 23, 2003 12:59:22 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>>
>>> Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
>>> unix  9      [ ]         DGRAM                    83     91/syslogd          /dev/log
>>> unix  2      [ ]         DGRAM                    4833   75/dhcpcd
>>> unix  2      [ ]         DGRAM                    234    179/ax25d
>>> unix  2      [ ]         DGRAM                    230    178/netromd
>>> unix  2      [ ]         DGRAM                    206    164/kissattach
>>>
>>> Right here! This entry above (kissattach) is what loads/runs axip. And further down I am reminded that it is running on port 'ax0' of the ax25 utils..
>>
>> Yes but those are AF_UNIX sockets!!! -- they have nothing to do with IP/Netfilter/Shorewall. They are very similar to named pipes and are only used for local communication.
>
> I guess. Local, but over the internet in my case. And that covers the whole world.. I know, I have nodes list from all around the world.

Fine, but AF_UNIX sockets are only usable within a single host. So the netstat output above has absolutely no bearing on your problem.

>>> <snip>
>>>
>>> Active AX.25 sockets
>>> Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
>>> VE1ATT-7   VE1DRG-7   ax0     ESTABLISHED  003/000  0       0
>>> *          VE1DRG-8   ???     LISTENING    000/000  0       0
>>>
>>> See above - port device ax0. That is where the axip process is running. Will this help the scripts such that iptables won't interfere with that device/port??
>>
>> What does 'ip link show' produce? (or if you don't have 'ip', just run 'ifconfig').
>
> This is what ip link shows:
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:da:92:bb:20 brd ff:ff:ff:ff:ff:ff
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:ba:d0:f2:16 brd ff:ff:ff:ff:ff:ff
> 4: tunl0@NONE: <NOARP,UP> mtu 256 qdisc noqueue
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 5: nr0: <UP> mtu 216 qdisc noqueue
>     link/generic ac:8a:62:88:a4:8e:0e brd 00:00:00:00:00:00:00
> 6: nr1: <UP> mtu 216 qdisc noqueue
>     link/generic ac:8a:62:88:a4:8e:00 brd 00:00:00:00:00:00:00
> 7: nr2: <> mtu 236 qdisc noop
>     link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
> 8: nr3: <> mtu 236 qdisc noop
>     link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
> 9: ax0: <BROADCAST,UP> mtu 256 qdisc pfifo_fast qlen 10
>     link/ax25 ac:8a:62:88:a4:8e:10 brd a2:a6:a8:40:40:40:60

So have you defined the ax0 interface to Shorewall and are you allowing ax.25 (protocol 93) to pass through it?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
--On Sunday, February 23, 2003 09:39:19 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> So have you defined the ax0 interface to Shorewall and are you allowing ax.25 (protocol 93) to pass through it?

Or..... Possibly, the protocol 93 packets are passed across your external interface like other tunneling protocols.

I'm still confused as to why you see NO Shorewall messages. I suppose that you could try connecting with an empty /etc/shorewall/common file (I assume that you have already turned off log rate limiting as described in the troubleshooting information). That will ensure that everything that Shorewall discards gets logged.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

-<snip>-

> So have you defined the ax0 interface to Shorewall and are you allowing ax.25 (protocol 93) to pass through it?

Not yet. That is where I was going to ask the question. Where/how do you add that? I am looking at the 'rules' file and wondering about the PORT number. Something would be needed for both 'loc' & 'net'. Probably udp and tcp??

I bet I am a mile off base. But the 'rules' file seems to be the one that would be used??

Let me know how close I am Tom..

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 06:20:14 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> Not yet. That is where I was going to ask the question. Where/how do you add that? I am looking at the 'rules' file and wondering about the PORT number. Something would be needed for both 'loc' & 'net'. Probably udp and tcp??
>
> I bet I am a mile off base. But the 'rules' file seems to be the one that would be used??
>
> Let me know how close I am Tom..

We don't know what the problem is yet -- I will want to see the 'shorewall status' output after a connection request. If Shorewall is blocking this application then it should be logging messages that describe the packets that it is dropping or rejecting. Since it is not, I want to know why.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Sunday, February 23, 2003 06:20:14 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> Not yet. That is where I was going to ask the question. Where/how do you add that? I am looking at the 'rules' file and wondering about the PORT number. Something would be needed for both 'loc' & 'net'. Probably udp and tcp??
>>
>> I bet I am a mile off base. But the 'rules' file seems to be the one that would be used??
>>
>> Let me know how close I am Tom..
>
> We don't know what the problem is yet -- I will want to see the 'shorewall status' output after a connection request. If Shorewall is blocking this application then it should be logging messages that describe the packets that it is dropping or rejecting. Since it is not, I want to know why.

Alright Tom - I just adjusted the log output and I notice I have a problem with my tunneling as well. Here is what the log shows, just for that concern:

Feb 23 19:06:51 linux logger: Shorewall Started
Feb 23 19:08:15 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 SRC=44.135.34.201 DST=44.137.28\.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=42244 PROTO=93

Looks like it is being rejected. Am I correct here?

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
Ted Gervais wrote:

> On Sun, 23 Feb 2003, Tom Eastep wrote:
>
>> --On Sunday, February 23, 2003 06:20:14 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>>
>>> Not yet. That is where I was going to ask the question. Where/how do you add that? I am looking at the 'rules' file and wondering about the PORT number. Something would be needed for both 'loc' & 'net'. Probably udp and tcp??
>>>
>>> I bet I am a mile off base. But the 'rules' file seems to be the one that would be used??
>>>
>>> Let me know how close I am Tom..
>>
>> We don't know what the problem is yet -- I will want to see the 'shorewall status' output after a connection request. If Shorewall is blocking this application then it should be logging messages that describe the packets that it is dropping or rejecting. Since it is not, I want to know why.
>
> Alright Tom - I just adjusted the log output and I notice I have a problem with my tunneling as well. Here is what the log shows, just for that concern:
>
> Feb 23 19:06:51 linux logger: Shorewall Started
> Feb 23 19:08:15 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 SRC=44.135.34.201 DST=44.137.28\.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=42244 PROTO=93
>
> Looks like it is being rejected. Am I correct here?

Yes -- so you want something like:

/etc/shorewall/zones:

peers   Peers   My AXIP Peers

/etc/shorewall/interfaces

peers   tunl*

/etc/shorewall/policy

peers   fw      ACCEPT
fw      peers   ACCEPT

That should get you further.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
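The diagnosis in the two messages above turns on reading the Shorewall kernel log line (chain, action, interface, PROTO=93 rather than a TCP/UDP port) and then mapping it to a zone, interface and policy entry. The following is an added example, not code from the thread or from the Shorewall project: it parses lines in that log format, tallies what was rejected per interface and protocol, and derives the zone/interfaces/policy fragments in the Shorewall 1.x column layout Tom uses, with the trailing "+" wildcard Shorewall expects for an interface family. The sample log holds the two lines posted in the thread plus one constructed INPUT line; the zone name "peers" and the function names are my own.

```python
import re
from collections import Counter

# IANA IP protocol numbers that matter here; 93 is AX.25, which AXIP carries
# directly inside IP, so there is no TCP/UDP port to open for it.
PROTO_NAMES = {1: "icmp", 4: "ipip", 6: "tcp", 17: "udp", 93: "ax.25"}

# syslog prefix, then Shorewall's "Shorewall:<chain>:<action>:" log prefix,
# then netfilter's KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_shorewall_line(line):
    """Parse one syslog line; return a dict, or None if it is not a Shorewall packet log."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # the first log line in the thread reads "DST=44.137.28\.48"; drop such stray backslashes
        fields[key] = value.replace("\\", "")
    raw_proto = fields.get("PROTO", "")
    proto = int(raw_proto) if raw_proto.isdigit() else None
    return {
        "timestamp": m.group("ts"),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in_iface": fields.get("IN") or None,    # "IN=" is empty for locally generated packets
        "out_iface": fields.get("OUT") or None,  # "OUT=" is empty for packets addressed to this host
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, raw_proto or "?"),
    }


def summarize(lines):
    """Count logged packets by (chain, action, interface, protocol name)."""
    counts = Counter()
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is None:
            continue
        iface = rec["out_iface"] or rec["in_iface"] or "-"
        counts[(rec["chain"], rec["action"], iface, rec["proto_name"])] += 1
    return counts


def wildcard_interface(iface):
    """Shorewall's interface wildcard is a trailing '+' (tunl0 -> tunl+).
    A shell glob '*' is not valid there: the firewall script builds shell
    variable names from the interface name, which is why 'tunl*' failed."""
    return re.sub(r"\d+$", "", iface) + "+"


def suggest_config(rec, zone="peers"):
    """From one parsed REJECT/DROP record in the OUTPUT or INPUT chain, build the
    zones/interfaces/policy fragments that let that direction through."""
    iface = rec["out_iface"] or rec["in_iface"]
    if iface is None or rec["action"] not in ("REJECT", "DROP"):
        return None
    if rec["chain"] == "OUTPUT":
        pairs = [("fw", zone)]   # packet left the firewall itself
    elif rec["chain"] == "INPUT":
        pairs = [(zone, "fw")]   # packet was addressed to the firewall itself
    else:
        return None              # FORWARD involves two interfaces' zones; one line is not enough
    return {
        "zones": f"{zone}\t{zone.capitalize()}\tAXIP peers",
        "interfaces": f"{zone}\t{wildcard_interface(iface)}",
        "policy": "\n".join(f"{a}\t{b}\tACCEPT" for a, b in pairs),
    }


# Sample log: the two lines posted in the thread, plus one constructed INPUT
# line (addresses swapped) to show the inbound direction.
SAMPLE_LOG = [
    "Feb 23 19:06:51 linux logger: Shorewall Started",
    "Feb 23 19:08:15 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 "
    "SRC=44.135.34.201 DST=44.137.28\\.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=42244 PROTO=93",
    "Feb 23 20:09:49 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 "
    "SRC=44.135.34.201 DST=44.137.28.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=23308 PROTO=93",
    "Feb 23 20:10:02 linux kernel: Shorewall:INPUT:DROP:IN=tunl0 OUT= "
    "SRC=44.137.28.48 DST=44.135.34.201 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=93",  # constructed
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  chain={key[0]} action={key[1]} iface={key[2]} proto={key[3]}")
    rec = parse_shorewall_line(SAMPLE_LOG[1])
    for name, body in suggest_config(rec).items():
        print(f"\n/etc/shorewall/{name}:\n{body}")
```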
Well Tom - first of all I want to thank you for the personal attention you are giving me. I don't mean for this to happen but I certainly do appreciate you helping..

So - I acted on what you asked me to do for tunl0 and I adjusted the three files in shorewall:

interfaces
policy
zones

The result of that was that shorewall would no longer run. Here is what I see when I try and bring it up:

-----------------
root@linux:/etc/shorewall# shorewall start
/sbin/shorewall: 7: command not found
/usr/lib/shorewall/firewall: 7: command not found
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: net loc peers
Validating interfaces file...
/usr/lib/shorewall/firewall: tunl*_broadcast=: command not found
/usr/lib/shorewall/firewall: tunl*_zone=peers: command not found
/usr/lib/shorewall/firewall: tunl*_options=: command not found
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   Warning: Zone peers is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
/usr/lib/shorewall/firewall: tunl*_fwd_exists=Yes: command not found
/usr/lib/shorewall/firewall: tunl*_in_exists=Yes: command not found
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
iptables v1.2.6a: host/network `*_broadcast' not found
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
-----------------

In fact, this really messed things up such that I could no longer access the internet. So, I restored those three files back to their previous set up and restarted shorewall. Things are running ok now, but not the tunl0.

And something further about that tunnel - this is the very thing that controls the axip port. The file ax25ipd is run to enable the axip process and with shorewall running it can no longer do that. This is what the /var/log/messages file shows every time I try and run that daemon:

Feb 23 20:09:49 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 SRC=44.135.34.201 DST=44.137.28.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=23308 PROTO=93

On Sun, 23 Feb 2003, Tom Eastep wrote:

> Ted Gervais wrote:
>
>> Alright Tom - I just adjusted the log output and I notice I have a problem with my tunneling as well. Here is what the log shows, just for that concern:
>>
>> Feb 23 19:06:51 linux logger: Shorewall Started
>> Feb 23 19:08:15 linux kernel: Shorewall:OUTPUT:REJECT:IN= OUT=tunl0 SRC=44.135.34.201 DST=44.137.28\.48 LEN=276 TOS=0x00 PREC=0x00 TTL=64 ID=42244 PROTO=93
>>
>> Looks like it is being rejected. Am I correct here?
>
> Yes -- so you want something like:
>
> /etc/shorewall/zones:
>
> peers   Peers   My AXIP Peers
>
> /etc/shorewall/interfaces
>
> peers   tunl*
>
> /etc/shorewall/policy
>
> peers   fw      ACCEPT
> fw      peers   ACCEPT
>
> That should get you further.

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 08:10:49 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

The line in /etc/shorewall/interfaces should have had a "+" rather than a "*". I have no idea where the ":7" nonsense was coming from -- that's what the debug option of the start command is for as explained in the troubleshooting guide under "If the firewall fails to start".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

Alright Tom. I will adjust that file; using + rather than * and let you know how it goes.

Thanks again for your assistance and support.

> --On Sunday, February 23, 2003 08:10:49 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
> The line in /etc/shorewall/interfaces should have had a "+" rather than a "*". I have no idea where the ":7" nonsense was coming from -- that's what the debug option of the start command is for as explained in the troubleshooting guide under "If the firewall fails to start".

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 09:14:25 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> On Sun, 23 Feb 2003, Tom Eastep wrote:
>
> Alright Tom. I will adjust that file; using + rather than * and let you know how it goes.
>
> Thanks again for your assistance and support.

You're welcome Ted -- sorry about the typo in my instructions :-(

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Sunday, February 23, 2003 09:14:25 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> On Sun, 23 Feb 2003, Tom Eastep wrote:
>>
>> Alright Tom. I will adjust that file; using + rather than * and let you know how it goes.
>>
>> Thanks again for your assistance and support.
>
> You're welcome Ted -- sorry about the typo in my instructions :-(

Ok Tom. NO problem. I wonder how you do it all. You are responding to everyone's concerns. I would go nuts..

And - I thought I would mention. I amended that file; + rather than * and now shorewall comes up just fine. Bingo!

Trouble is - the ax25ipd daemon is not running. And there is nothing in the log. At least before, we saw that protocol error when we ran that daemon. But now nothing at all.

I have entered the following in the shorewall.conf file for the most logging information. I hope this will help show what is happening when the ax25ipd daemon is run again.

LOGUNCLEAN=debug

Any other thoughts on how to hunt that problem down? Let me try this new log setting first and I will see if there is anything to see.

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Sunday, February 23, 2003 09:50:36 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> LOGUNCLEAN=debug
>
> Any other thoughts on how to hunt that problem down? Let me try this new log setting first and I will see if there is anything to see.

I've given up asking for shorewall status output -- you're on your own.

Good night,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 23 Feb 2003, Tom Eastep wrote:

> --On Sunday, February 23, 2003 09:50:36 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> LOGUNCLEAN=debug
>>
>> Any other thoughts on how to hunt that problem down? Let me try this new log setting first and I will see if there is anything to see.
>
> I've given up asking for shorewall status output -- you're on your own.

Oooops! I guess I missed something. You were talking about getting the status output of shorewall. I naturally figured that was the log information. I sense it was more than that.

Remember Tom - I know nothing about this shorewall. Other than what I have been reading. And for a 'first-timer' there is lots to read. If you meant something else, and I suspect you did - then it is my loss that I failed to understand.

Sorry - and good night.

> Good night,
> -Tom

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Monday, February 24, 2003 08:13:55 AM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> Remember Tom - I know nothing about this shorewall. Other than what I have been reading. And for a 'first-timer' there is lots to read. If you meant something else, and I suspect you did - then it is my loss that I failed to understand.

I'm curious Ted how you found out where to post for help with Shorewall. Did you look at the main Web page, select "Mailing List", find the email address and post?

I'm not being sarcastic here -- I am really interested because a lot of folks like yourself seem to be bypassing the "Support" page which describes what we need to accurately diagnose problems. One of the things described there is how to capture "shorewall status" output when you are having connection problems.

There's a link from the mailing list page (in bold font) asking "Before posting a problem report to this list, please see the problem reporting guidelines." which links to the support page -- perhaps that isn't prominent enough?

I need to understand how to make this clearer and since you have recent experience, I thought I'd ask...

--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
On Mon, 24 Feb 2003, Tom Eastep wrote:

> --On Monday, February 24, 2003 08:13:55 AM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:
>
>> Remember Tom - I know nothing about this shorewall. Other than what I have been reading. And for a 'first-timer' there is lots to read. If you meant something else, and I suspect you did - then it is my loss that I failed to understand.
>
> I'm curious Ted how you found out where to post for help with Shorewall. Did you look at the main Web page, select "Mailing List", find the email address and post?

Someone gave me the address and that included the 'list' address. I immediately thought it best to get on the list to see some of the questions etc and if I had a concern or two, I would ask the 'others' for assistance etc..

And I DID do some reading but I am also in a hurry. I bet you have heard that before. Plus - I am trying to change over from IPCHAINS (ugh..) and that can be confusing. In fact, I am back to ipchains now just to keep things going but I need to go to IPTABLES to be in step with the future. People advised me that the best way to go was with SHOREWALL which gets you going right away and then you can start to poke and snoop around to customize things.

I haven't been able to do much with my 'shorewall' installation so far, probably because the basis of my operation is the ax25 utils. And that is the cause of all my problems.

I felt from your questions that you needed an output from 'shorewall' showing its status, meaning the log files etc.. etc.. But I believe now that in fact you wanted a copy of 'shorewall status' which is the execution of shorewall with the 'status' option. That I didn't realize was what you wanted. I somehow was narrow-mindedly still thinking of LOG files which is what we had been talking about and figured 'status' in the case meant MORE log-file-status.

Sorry for rambling on, but I thought it best to re-explain my situation.

> I'm not being sarcastic here -- I am really interested because a lot of folks like yourself seem to be bypassing the "Support" page which describes what we need to accurately diagnose problems. One of the things described there is how to capture "shorewall status" output when you are having connection problems.

I know about that (now), but wasn't thinking correctly when you mentioned it earlier. I suppose if you had said 'RUN SHOREWALL STATUS' things would have been clearer, but WHY, if I was up to speed with my thinking??

> There's a link from the mailing list page (in bold font) asking "Before posting a problem report to this list, please see the problem reporting guidelines." which links to the support page -- perhaps that isn't prominent enough?

Yuup. That is quite clear.

> I need to understand how to make this clearer and since you have recent experience, I thought I'd ask...

Well again, maybe last night wasn't a good night to be working on these scripts. I suppose I was most confused about that protocol 93 and whatever else is involved in running the ax25 utils. That kept me away from following the guide, especially since a quick look in the guide failed to really show me that there was any help there. Maybe that was a serious mistake.

You are doing the right thing Tom, and are on a very noble path here to help all of us get going with iptables. I wish I had your strength and fortitude in this regard. But a lot of people look for the easy path, whatever that is when it comes to iptables. But I personally plan to study iptables so I will gain a fair understanding of how it works. I agree this could take some time, but at least that is my plan/intentions.

But further to your question - I believe that in looking at all things on your site and all your files, that there is CLEAR direction for everyone as to how to get started and where to go for help.

I hope my thoughts have been of some assistance.

---
Ted Gervais
Coldbrook, Nova Scotia, Canada B4R1A7
--On Monday, February 24, 2003 12:20:43 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:

> And I DID do some reading but I am also in a hurry. I bet you have heard that before. Plus - I am trying to change over from IPCHAINS (ugh..) and that can be confusing. In fact, I am back to ipchains now just to keep things going but I need to go to IPTABLES to be in step with the future. People advised me that the best way to go was with SHOREWALL which gets you going right away and then you can start to poke and snoop around to customize things.

It might be useful for us to see your ipchains ruleset.

> Well again, maybe last night wasn't a good night to be working on these scripts. I suppose I was most confused about that protocol 93 and whatever else is involved in running the ax25 utils. That kept me away from following the guide, especially since a quick look in the guide failed to really show me that there was any help there. Maybe that was a serious mistake.
>
> I hope my thoughts have been of some assistance.

Thanks, Ted.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net