-----Original Message-----
From: sunil shah
Sent: Friday, April 04, 2003 8:10 AM
To: ''shorewall-users@lists.shorewall.net''
Cc: sunil shah
Subject: Shorewall 1.4.1
Hi :
I have internal network with 10.4.10.0/24 and I have router with 3
real ips. One of the ip I have used for my firewall and that is
209.21.100.174 with 255.255.255.0. My 2nd network card is using
10.4.10.102 and 255.255.255.0. I have downloaded all the files for two
intework interface and installed them under /etc/shorewall directory.
As it mentioned I have enable ping. I am able to ping my internal
network which is 10.4.10.104. But if I try to ping 10.4.10.102 or
209.21.100.174 which is my firewall 2 nic I can not ping any of the
network card. I also try to put my workstation machine default gateway
10.4.10.102 that is my firewall I can not get out on internet from the
work station via firewall. Would you pleas tell me where I am wrong.
Any help will appreciate. Thank you in advance.
Shorewall Version 1.4.1a
Uname -a Linux firewall.cicatelli.org
2.1.18-8.1mdksecure #1 SMP Mon Jun 24 11:39:25 MDT 2002 i686 unknown
Ip addr show 1: lo: <LOOPBACK,UP> mtu 16436
qdisc noqueue
Link/loopback
00:00:00:00:00:00 brb 00:00:00:00:00:00
Inet 127.0.0.1/8 brb
127.255.255.255 scope host lo
2: eth0:
<BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether
00:02:b3:03:27:9b brb ff:ff:ff:ff:ff:ff
inet 10.4.10.102/204
brb 10.4.10.255 scope global eth0
3: eht1:
<BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
LINK.ETHER
00:50:04:a4:62:a4 brb ff:ff:ff:ff:ff:ff
Inet
209.21.100.174/24 brb 209.21.100.255 scope global eth1
Ip route show 209.21.100.0/24 dev eth1 scope
link
10.4.10.0/24 dev eth0
scope link
127.0.0.0/8 dev lo scope
link
default dev eth1 scope
link
lsmod Module
size used by Not Tainted
ipt_TOS
1248 12 (autoclean)
ipt_MASQUERADE
1600 1 (autoclean)
ipt_LOG
3776 7 (autoclean)
ipt_REJECT
3296 6 (autoclean)
ipt_state
864 28 (autoclean)
iptable_mangle 2336 1
(autoclean)
ip_nat_irc 2944 0
(unused)
ip_nat_ftp 3552 0
(unused)
iptable_nat 17108 3
[ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntract_irc 2976 0
[ip_nat_irc]
ip_conntract_ftp 3872 0
[ip_nat_ftp]
ip_conntrack 16844 4
[ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat
ipconntrack_irc ip_conntrack_ftp]
iptable_filter 1952 1
(autoclean)
ip_tables 12256 10
[ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle
iptable_nat iptable_filter]
ppp_async 6912 0
(unused)
ppp_generic 22792 0
[ppp_asunc]
slhc 5088 0
[ppp_generic]
af_packet 13896 0
(autoclean)
usb-uhci 22692 0
(unused)
usbcore 62080 1
[usb-uhci]
3c59x 26536 1
(autoclean)
eepro100 18640 1
(autoclean)
rtc 6680 0
(autoclean)
ext3 65292 1
jbd 42716 1
[ext3]
Sunil Shah
Network Engineer
Cicatelli Associates Inc.
505 8th Ave. 16th Floor
New York, NY 10018
If you "shorewall clear" do your problems go away? -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net
Sunil, On Tue, 8 Apr 2003, sunil shah wrote:> > 1) Please don''t reply off-list -- I''m not a private consultant. > 2) I have no experience with MNF > 3) I''m on my way out the door and will be away for a couple of days. > > You will have to ask you questions on the list and hope someone answers.Have you had any luck solving your problem? If not: a) Issue "shorewall clear" and see if you can ''ping''; if not, your problem has nothing to do with Shorewall. b) A user who recently reported ''ping'' problems discovered that his distribution was setting "/proc/sys/net/ipv4/icmp_echo_ignore_all to 1. This effectively prevents the firewall from responding to ping but should not affect pinging other hosts from the firewall. To upgrade to the latest version of Shorewall using RPMs, follow the instructions at http://www.shorewall.net/Install.htm. If you want to ensure that there is no trace of your old configuration left over, rename /etc/shorewall before upgrading. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net