I'm new to Shorewall but have read the docs including the ping section of the FAQ, but I can't seem to get the fw to respond to pings....

my policies are ...

loc net ACCEPT info
net fw ACCEPT info
loc loc ACCEPT info
fw net ACCEPT info
net all DROP info
all all REJECT info

and rules...

ACCEPT loc fw icmp 8 -
ACCEPT fw loc icmp 8 -
ACCEPT fw net icmp 8 -
ACCEPT net fw icmp 8 -

What am I missing? Any thoughts appreciated, thanks,
Eric.
On Tue, 1 Apr 2003 redog@opelousas.org wrote:

> I'm new to Shorewall but have read the docs including the ping section of the FAQ
> but I can't seem to get the fw to respond to pings....
> my policies are ...
> loc net ACCEPT info
> net fw ACCEPT info
> loc loc ACCEPT info
> fw net ACCEPT info
> net all DROP info
> all all REJECT info
>
> and rules...
>
> ACCEPT loc fw icmp 8 -
> ACCEPT fw loc icmp 8 -
> ACCEPT fw net icmp 8 -
> ACCEPT net fw icmp 8 -
>
> What am I missing? Any thoughts appreciated, thanks,

Which version of Shorewall are you running?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
#Tom Eastep> Which version of Shorewall are you running?

V1.4 3/14/2003
On Tue, 1 Apr 2003 redog@opelousas.org wrote:

> #Tom Eastep> Which version of Shorewall are you running?
>

If you "shorewall clear", can you ping the firewall?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 1 Apr 2003, eric wrote:

> #Tom Eastep> If you "shorewall clear", can you ping the firewall?
>
> nope
>

Then your problem has nothing to do with Shorewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 1 Apr 2003 redog@opelousas.org wrote:

> #Tom Eastep> Then your problem has nothing to do with Shorewall.
>
> If that's the case why when I do service shorewall stop ; service
> iptables start can I ping fine with my own set of iptables rules?
>

Please don't reply off-list.

"shorewall clear" removes all iptables rules and sets the INPUT, OUTPUT and FORWARD policies to ACCEPT. If you can't ping your firewall in that state then there is something wrong outside of Shorewall.

If you still feel that there is a Shorewall problem, then please forward the information that we need to diagnose connection problems (see http://www.shorewall.net/support.htm)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, Apr 01, 2003 at 11:05:25AM -0800, Tom Eastep wrote:
#Tom Eastep> Please don't reply off-list.

oops, my mistake.

#Tom Eastep> "shorewall clear" removes all iptables rules and sets the INPUT, OUTPUT and FORWARD policies to ACCEPT. If you can't ping your firewall in that state then there is something wrong outside of Shorewall.

I understand that, what I don't understand is why... I have my fw hooked straight to my T1 and then to our local switch, neither side can ping the fw box but all services are routing through it fine... what besides iptables would cause such blocking?

Cheers,
Eric.
On Tue, 1 Apr 2003 redog@opelousas.org wrote:

> On Tue, Apr 01, 2003 at 11:05:25AM -0800, Tom Eastep wrote:
> #Tom Eastep> Please don't reply off-list.
>
> oops, my mistake.
>
> #Tom Eastep> "shorewall clear" removes all iptables rules and sets the INPUT, OUTPUT and FORWARD policies to ACCEPT. If you can't ping your firewall in that state then there is something wrong outside of Shorewall.
>
> I understand that, what I don't understand is why... I have my fw hooked
> straight to my T1 and then to our local switch, neither side can ping
> the fw box but all services are routing through it fine... what besides
> iptables would cause such blocking?

See /proc/sys/net/ipv4/icmp*

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
#Tom Eastep> See /proc/sys/net/ipv4/icmp*

yea I guess /proc/sys/net/ipv4/icmp_echo_ignore_broadco_ignore_all
should have a 0 instead of a 1 =) thanks man that was weird, does
shorewall manipulate that file ever? If not I wonder what did...
On Tue, 1 Apr 2003 redog@opelousas.org wrote:

> #Tom Eastep> See /proc/sys/net/ipv4/icmp*
>
> yea I guess /proc/sys/net/ipv4/icmp_echo_ignore_broadco_ignore_all
> should have a 0 instead of a 1 =) thanks man that was weird, does
> shorewall manipulate that file ever? If not I wonder what did...
>

Shorewall doesn't touch that setting...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
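The check Tom's last two replies point at, as an added example that is not part of this thread or of Shorewall: a small script that tells "the kernel has been told to ignore echo requests" apart from "the packet filter drops them" (the case that "shorewall clear" isolates), and looks in sysctl.conf for where a persistent 1 would come from. The proc/etc root arguments and the function names are this example's own assumptions, so it can be pointed at a constructed directory tree instead of the live /proc and /etc.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall. Argument 1 is the
# proc root (assumption; /proc on a live box), argument 2 the etc root (/etc).

# Print the trimmed value of one ipv4 icmp sysctl file under $1, or "missing".
icmp_sysctl() {
    f="$1/sys/net/ipv4/$2"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'missing'; fi
}

# Print the lines of $1/sysctl.conf that persist an icmp_echo_ignore setting,
# the usual place a "1" comes back from after every boot. Returns 1 if none.
persistent_icmp_setting() {
    [ -r "$1/sysctl.conf" ] && grep -E '^[[:space:]]*net\.ipv4\.icmp_echo_ignore' "$1/sysctl.conf"
}

# Exit status: 0 = kernel answers unicast echo requests, so the packet filter is
# the next thing to look at; 1 = icmp_echo_ignore_all is set, so no ACCEPT rule
# for icmp type 8 can make the box reply; 2 = the value could not be read.
check_ping_policy() {
    proc=${1:-/proc}; etc=${2:-/etc}
    all=$(icmp_sysctl "$proc" icmp_echo_ignore_all)
    bcast=$(icmp_sysctl "$proc" icmp_echo_ignore_broadcasts)
    case $all in
        0) echo "kernel answers echo requests (icmp_echo_ignore_all=0); if pings still fail, retest with the filter cleared"
           [ "$bcast" = 1 ] && echo "note: broadcast pings are ignored (icmp_echo_ignore_broadcasts=1), which is the normal default"
           return 0 ;;
        1) echo "kernel ignores ALL echo requests (icmp_echo_ignore_all=1); firewall rules are irrelevant until this is 0"
           persistent_icmp_setting "$etc" | sed 's/^/  persisted by sysctl.conf: /'
           return 1 ;;
        *) echo "cannot read icmp_echo_ignore_all ($all)"; return 2 ;;
    esac
}

# Write 0 to icmp_echo_ignore_all under $1 (needs root against the live /proc);
# to make it survive a reboot the matching sysctl.conf line must change too.
enable_echo_reply() { echo 0 > "$1/sys/net/ipv4/icmp_echo_ignore_all"; }

# Stand-alone usage: check the live box, or whatever roots are exported.
check_ping_policy "${PROC_ROOT:-/proc}" "${ETC_ROOT:-/etc}" || :
```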