On Tue, 8 Apr 2003, sunil shah wrote:
Can someone on the list help Sunil straighten out this mess -- I will not
be available for the next couple of days.
-Tom
> The following is my rule and policy files
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc net udp 53
> REJECT net fw tcp 113
> ACCEPT loc fw tcp 22
> ACCEPT loc fw tcp 8443
> ACCEPT fw loc icmp 8
> ACCEPT loc fw icmp 8
> ACCEPT loc net tcp pop3
> ACCEPT loc net tcp smtp
> ACCEPT loc net tcp http
> ACCEPT loc net tcp https
> ACCEPT loc net tcp ssh
> ACCEPT loc net tcp ftp
> ACCEPT loc net tcp nntp
> ACCEPT loc net tcp ntp
> ACCEPT loc net tcp imap
> ACCEPT fw net:20022 tcp ftp
> -
> ACCEPT loc net:3328tcp www
> ACCEPT fw net tcp www -
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT net fw icmp 8
> ACCEPT fw loc icmp 8
> ACCEPT fw net icmp 8
> ACCEPT loc loc icmp 8
>
> POLICY FILE :
> loc loc ACCEPT
> loc net ACCEPT
> net all DROP info
> all all REJECT info
>
> And again my internal network is 10.4.10.0/24 and my external network
> card has a real IP and that is 209.21.100.174.
> Any help will be really appreciated, and thank you very much for such a
> prompt answer.
>
> Sunny
>
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, April 08, 2003 11:10 AM
> To: sunil shah
> Subject: RE: [Shorewall-users] Shorewall problems
>
> On Tue, 8 Apr 2003, sunil shah wrote:
>
> > Yes I have ACCEPT net fw icmp 8 and I have ACCEPT loc loc icmp 8.
>
> BUT YOU ARE COMPLAINING ABOUT NOT BEING ABLE TO PING FROM THE FIREWALL
> TO
> THE NET! So you need:
>
> ACCEPT fw net icmp 8
>
> > I am
> > trying to ping from inside. 10.4.10.102 is my local network on
> > firewall, and my workstation that is running windows me is
> 10.4.10.104.
>
> And pinging 10.4.109.102 from 10.4.10.104 IS NOT LOC->LOC; IT IS
> LOC->FW!!
> So you need:
>
> ACCEPT loc fw icmp 8
>
> YOU DON'T NEED:
>
> ACCEPT loc loc icmp 8
>
> unless you have two interfaces to the local zone.
>
> AGAIN--All of the required rules were already in the two-interface
> sample
> rules file if you would have simply installed it and left the rules
> alone.
>
> -Tom
>
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
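The point Tom makes above (a ping from a LAN workstation to the firewall's own LAN address is loc->fw, not loc->loc, and a ping from the firewall out to the Internet is fw->net) is easy to check mechanically. The following Python script is an added illustration, not Shorewall code and not something from the thread: it models a two-interface box using the addresses Sunil gave (10.4.10.102 on the LAN side, 209.21.100.174 outside), classifies a packet into a Shorewall zone pair, and then evaluates a small rules list followed by the policy file the way Shorewall does (first matching rule wins, otherwise the first matching policy, where `all` is a wildcard). The interface names, the rule/policy tuples and the 198.51.100.7 "Internet host" address are constructed for the example.

```python
import ipaddress

# Constructed interface table: each firewall interface serves one zone.
# The addresses are the ones quoted in the thread; the names are assumed.
INTERFACES = {
    "eth0": {"zone": "net", "addr": "209.21.100.174/32"},  # external card, real IP
    "eth1": {"zone": "loc", "addr": "10.4.10.102/24"},     # firewall's LAN address
}


def zone_of(ip_str):
    """Return the Shorewall zone a host address belongs to.

    An address owned by the firewall itself is 'fw' no matter which
    interface carries it; another address on a directly attached network
    takes that interface's zone; anything else is reached via the default
    route and is therefore 'net'.
    """
    ip = ipaddress.ip_address(ip_str)
    for iface in INTERFACES.values():
        if ip == ipaddress.ip_interface(iface["addr"]).ip:
            return "fw"
    for iface in INTERFACES.values():
        if ip in ipaddress.ip_interface(iface["addr"]).network:
            return iface["zone"]
    return "net"


def zone_pair(src_ip, dst_ip):
    """Zone pair (source zone, destination zone) for a packet."""
    return zone_of(src_ip), zone_of(dst_ip)


def decide(src_ip, dst_ip, proto, port, rules, policies):
    """First-match evaluation: rules first, then policies ('all' = wildcard).

    Returns (action, origin); origin says which rule or policy decided.
    Note: two hosts on the same LAN segment never traverse the firewall at
    all, so a loc->loc rule only matters with two interfaces in 'loc', as
    Tom says in the thread.
    """
    src, dst = zone_pair(src_ip, dst_ip)
    for action, r_src, r_dst, r_proto, r_port in rules:
        if (r_src, r_dst, r_proto, str(r_port)) == (src, dst, proto, str(port)):
            return action, f"rule: {action} {r_src} {r_dst} {r_proto} {r_port}"
    for p_src, p_dst, action in policies:
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return action, f"policy: {p_src} {p_dst} {action}"
    return "DROP", "implicit default"


# Policy file as posted (constructed tuples: source, dest, action)
POLICIES = [
    ("loc", "loc", "ACCEPT"),
    ("loc", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# The two icmp rules Sunil said he had ...
RULES_AS_POSTED = [
    ("ACCEPT", "net", "fw", "icmp", 8),
    ("ACCEPT", "loc", "loc", "icmp", 8),
]

# ... and the two Tom says are actually needed for the pings in question.
RULES_AS_ADVISED = [
    ("ACCEPT", "loc", "fw", "icmp", 8),
    ("ACCEPT", "fw", "net", "icmp", 8),
]


if __name__ == "__main__":
    cases = [
        ("workstation -> firewall LAN addr", "10.4.10.104", "10.4.10.102"),
        ("firewall -> Internet host",        "209.21.100.174", "198.51.100.7"),
        ("workstation -> other workstation", "10.4.10.104", "10.4.10.105"),
    ]
    for label, s, d in cases:
        print(f"{label}: zone pair {zone_pair(s, d)}")
        for name, rules in (("as posted", RULES_AS_POSTED), ("as advised", RULES_AS_ADVISED)):
            print(f"  {name:10s} -> {decide(s, d, 'icmp', 8, rules, POLICIES)}")
```

Running it shows why the posted rules do not help: the workstation-to-firewall ping is classified loc->fw, so neither posted rule matches and it falls through to the `all all REJECT` policy, and the firewall-to-Internet ping is fw->net, which likewise ends at `all all REJECT`. With the two advised rules in place both pings are accepted by a rule before any policy is consulted.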