Andrés López
2003-Apr-24 18:21 UTC
[Shorewall-users] Shorewall blocking Internet connection
Hello, my problem is that when Shorewall is running, I can't get a single connection to the Internet, not from the firewall and not from the clients; I can only access the Internet when I issue the command "shorewall clear".

I'm using mdk 9.1, but I followed your suggestion and uninstalled the Mandrake RPM, later installing the latest one on the site (1.4.2) and following the "two interfaces" guide. (Notice that with the mdk utils I've managed to make it work, but with the mdk version of course.)

My network is very simple: the fw is connected to the net using ADSL (eth0), and with a hub to the LAN (eth1).

content of interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           routefilter,norfc1918
loc     eth1        detect

content of masq

#INTERFACE  SUBNET  ADDRESS
eth0        eth1

content of policy

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

content of rules

#ACTION  SOURCE  DEST  PROTO  DEST   SOURCE   ORIGINAL
#                             PORT   PORT(S)  DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT   fw      net   tcp    53
ACCEPT   fw      net   udp    53
#
# Accept SSH connections from the local network for administration
#
ACCEPT   loc     fw    tcp    22
#
# Allow Ping To And From Firewall
#
ACCEPT   loc     fw    icmp   8
ACCEPT   net     fw    icmp   8
ACCEPT   fw      loc   icmp   8
ACCEPT   fw      net   icmp   8

in shorewall.conf I have this enabled:

CLAMPMSS=Yes

some output.....
[root@server shorewall]# shorewall version
1.4.2
[root@server shorewall]# uname -a
Linux server 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
[root@server shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:7d:71:29:6e brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.10/8 brd 10.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 5d:61:5d:61:5d:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 200.43.176.49 peer 200.3.61.205/32 scope global ppp0
[root@server shorewall]# ip route show
200.3.61.205 dev ppp0  proto kernel  scope link  src 200.43.176.49
192.168.1.0/24 dev eth1  scope link
10.0.0.0/8 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 200.3.61.205 dev ppp0
[root@server shorewall]# lsmod
Module                  Size  Used by    Not tainted
ipt_TOS                 1592   0 (autoclean)
ipt_MASQUERADE          2104   0 (autoclean)
ipt_LOG                 4280   0 (autoclean)
ipt_REJECT              3640   0 (autoclean)
ipt_TCPMSS              3032   0 (autoclean)
ipt_state               1080   0 (autoclean)
iptable_mangle          2712   0 (autoclean)
ip_nat_irc              3280   0 (unused)
ip_nat_ftp              4016   0 (unused)
iptable_nat            21048   2 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4304   1
ip_conntrack_ftp        5200   1
ip_conntrack           27264   4 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   0 (autoclean)
ip_tables              14648  11 [ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_TCPMSS ipt_state iptable_mangle iptable_nat iptable_filter]
ppp_synctty             7488   0 (unused)
ppp_async               9216   1
ppp_generic            24060   3 [ppp_synctty ppp_async]
slhc                    6564   0 [ppp_generic]
af_packet              14952   2 (autoclean)
sr_mod                 16920   0 (autoclean)
floppy                 55132   0
tulip                  44032   1 (autoclean)
ne2k-pci                6752   1 (autoclean)
8390                    7916   0 (autoclean) [ne2k-pci]
nls_iso8859-1           3516   2 (autoclean)
nls_cp850               4316   2 (autoclean)
vfat                   11820   2 (autoclean)
fat                    37944   0 (autoclean) [vfat]
supermount             15296   2 (autoclean)
ide-cd                 33856   0
cdrom                  31648   0 [sr_mod ide-cd]
ide-scsi               11280   0
scsi_mod              103284   2 [sr_mod ide-scsi]
rtc                     8060   0 (autoclean)
ext3                   59916   1
jbd                    38972   1 [ext3]

By the way, the router has an internal IP of 192.168.1.4 and NOT 192.168.1.1 as usual, but I don't think this should be the problem.

Hope you can help me

PechE

---------------------

Some more stuff; here you can see that it works when using "shorewall clear":

[root@server shorewall]# shorewall clear
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Clearing Shorewall...Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.
[root@server shorewall]# ping shorewall.net
PING shorewall.net (216.211.130.20) 56(84) bytes of data.
64 bytes from www.cuscominc.com (216.211.130.20): icmp_seq=1 ttl=49 time=288 ms
64 bytes from www.cuscominc.com (216.211.130.20): icmp_seq=2 ttl=49 time=289 ms
64 bytes from www.cuscominc.com (216.211.130.20): icmp_seq=3 ttl=49 time=286 ms
64 bytes from www.cuscominc.com (216.211.130.20): icmp_seq=4 ttl=49 time=287 ms

--- shorewall.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3031ms
rtt min/avg/max/mdev = 286.606/287.755/289.105/1.044 ms
[root@server shorewall]# shorewall start
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.1.0/24 through eth0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
[root@server shorewall]# shorewall reset
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Counters Reset
[root@server shorewall]# ping shorewall.net
ping: unknown host shorewall.net
[root@server shorewall]# ping 216.211.130.20
PING 216.211.130.20 (216.211.130.20) 56(84) bytes of data.
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
From 200.43.176.49 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 200.43.176.49 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 200.43.176.49 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted

--- 216.211.130.20 ping statistics ---
3 packets transmitted, 0 received, +8 errors, 100% packet loss, time 2088ms

-------------------------------------------

the output of shorewall status

Shorewall-1.4.2 Status at server - Thu Apr 24 20:52:57 ART 2003

Counters reset Thu Apr 24 20:50:02 ART 2003

Chain INPUT (policy ACCEPT 6 packets, 789 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Apr 24 20:44:35 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47630 SEQ=1
Apr 24 20:44:36 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47630 SEQ=2
Apr 24 20:44:36 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47630 SEQ=2
Apr 24 20:44:37 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47630 SEQ=3
Apr 24 20:44:37 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47630 SEQ=3
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.35 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51804 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.40 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.35 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.40 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.35 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.40 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.35 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:49 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=200.45.191.40 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51805 DF PROTO=UDP SPT=1025 DPT=53 LEN=39
Apr 24 20:46:53 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28945 SEQ=1
Apr 24 20:46:54 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28945 SEQ=2
Apr 24 20:46:55 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28945 SEQ=2
Apr 24 20:46:56 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28945 SEQ=3
Apr 24 20:46:56 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=216.211.130.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28945 SEQ=3
Apr 24 20:47:36 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=209.61.189.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31182 DF PROTO=TCP SPT=1097 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 24 20:50:53 OUTPUT:REJECT:IN= OUT=ppp0 SRC=200.43.176.49 DST=209.61.189.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31182 DF PROTO=TCP SPT=1102 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 65 packets, 5885 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6 packets, 320 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 21 packets, 1520 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 137 packets, 45454 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 82 packets, 41468 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 95 packets, 16109 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 74 packets, 14593 bytes)
 pkts bytes target     prot opt in     out     source               destination

udp      17 19 src=192.168.1.2 dst=192.168.1.255 sport=137 dport=137 [UNREPLIED] src=192.168.1.255 dst=192.168.1.2 sport=137 dport=137 use=1
udp      17 17 src=192.168.1.2 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.2 sport=138 dport=138 use=1

> Hello, my problem is that when shorewall is running, i cant get a
> single connection to the internet, not from the firewall and not from
> the clients, i can only access the internet when i issue the command
> "shorewall clear"
> im using mdk 9.1, but i followed your suggestion and uninstalled the
> mandrake RPM , later installing the latest one on the site (1.4.2)and
> following the "two interfaces" guide. (notice that with the mdk utils
> ive managed to make it work, but with the mdk version of course).

Uh, that comment was meant at least for Mandrake 9.0, cause there were a
lot of problems with that. Dunno how the automatically configured
shorewall of Mandrake 9.1 competes, as I haven't tried it since.
Hopefully I can check that next week.

Tom: Maybe you should consider adding version to that warning...

> My network is very simple, the fw is connected to the net using ADSL
> (eth0), and with a hub to the lan (eth1).
>
> content of interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 - routefilter,norfc1918
> loc eth1 detect

Don't use ethX with ADSL modems, use the pppX instead (as mentioned in
the QuickStart Guides):

net ppp0 - dhcp,routefilter,norfc1918

> content of masq
>
> #INTERFACE SUBNET ADDRESS
> eth0 eth1

Of course, same here:

ppp0 eth1

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!

kb (kb@bluehash.de) had this to say on 04/24/03 at 21:44:

> Don't use ethX with ADSL modems, use the pppX instead (as mentioned in
> the QuickStart Guides):
> net ppp0 - dhcp,routefilter,norfc1918

Only if you have a PPPOE address. I have a static IP with my ADSL, so I use
eth0. You're assuming something that may or may not be true.

In many (most?) cases, you might be correct, because many ADSL accounts are
PPPOE-style accounts. But not all.

> > content of masq
> >
> > #INTERFACE SUBNET ADDRESS
> > eth0 eth1
>
> Of course, same here:
> ppp0 eth1

See above.

On 25 Apr 2003 03:45:33 +0200, kb <kb@bluehash.de> wrote:

> Uh, that comment was meant at least for Mandrake 9.0, cause there were a
> lot of problems with that. Dunno, how the automatically configured
> shorewall of Mandrake 9.1 competes, as I haven't tried it since.
> Hopefully I can check that next week.
>
> Tom: Maybe you should consider adding version to that warning...
>

I'll be happy to as soon as people can confirm what Mandrake 9.1 does/doesn't do with respect to Shorewall. With my new work assignment, I no longer have the spare cycles to install every new release from all of the popular distributions and understand what those distributions have screwed up...

Having said that, I will always try to keep current with RedHat releases since that is the distribution that I use on all of my systems. I have upgraded my desktop to RedHat 9.0 and will be upgrading my firewall and server within the next week.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 2003-04-25 at 04:18, Andrés López wrote:

> "If you connect via a regular modem, your External Interface will also be
> ppp0. If you connect via ISDN, your external interface will be ippp0."
>
> I don't know why I didn't see that!!
>
> THANKS!! It's (of course) working now
>
> PechE
>
> PD: for what I saw in the original mdk 9.1 files, and for what I read in the
> shorewall site, it's exactly the same as in 9.0 (3 zones, masq, loc and net).

Tom, as Mandrake still seems to configure ppp0 and the corresponding
ethX device, the warning is likely to apply to ML 9.1, too.

(Posted to the list for that reason -- to put my comment in the previous
post into perspective.)

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!

On Thu, 24 Apr 2003, Andrés López wrote:

> Hello, my problem is that when shorewall is running, i cant get a single connection to the internet, not from the firewall and not from the clients, i can only access the internet when i issue the command "shorewall clear"
> im using mdk 9.1, but i followed your suggestion and uninstalled the mandrake RPM , later installing the latest one on the site (1.4.2)and following the "two interfaces" guide. (notice that with the mdk utils ive managed to make it work, but with the mdk version of course).
> My network is very simple, the fw is connected to the net using ADSL (eth0), and with a hub to the lan (eth1).
>
> content of interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 - routefilter,norfc1918

You have 'norfc1918' specified on your internet interface -- see below.

> loc eth1 detect
>
> content of masq
>
> #INTERFACE SUBNET ADDRESS
> eth0 eth1
>
> content of policy
>
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw net ACCEPT

You should have READ THE INSTRUCTIONS IN THE TWO-INTERFACE QUICKSTART GUIDE -- if you want access from the firewall to the internet YOU MUST UNCOMMENT THE LINE ABOVE.

> [root@server shorewall]# shorewall version
> 1.4.2
> [root@server shorewall]# uname -a
> Linux server 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
> [root@server shorewall]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:e0:7d:71:29:6e brd ff:ff:ff:ff:ff:ff
>     inet 10.10.10.10/8 brd 10.255.255.255 scope global eth0

You have an RFC 1918 address on your external interface yet you have specified 'norfc1918' on that interface in /etc/shorewall/interfaces; THAT WILL NEVER WORK and is discussed in the two-interface QuickStart Guide.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

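A small configuration checker, added here as an illustration and not part of the thread or of Shorewall itself, that parses constructed copies of the three files posted above and flags the three mistakes raised in this reply and in Karsten's earlier one: `norfc1918` on an interface that itself carries an RFC 1918 address, a masq external interface that is not the net-zone link holding the public address (the Ethernet side of a PPPoE modem rather than ppp0), and the commented-out `fw net ACCEPT` policy. The "fixed" files and the hypothetical `check_config` logic are this example's own; a static-IP ADSL setup on eth0 with a public address passes the masq check, matching the caveat raised later in the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed copies of the three files as posted at the top of the thread (not the poster's originals).
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           routefilter,norfc1918
loc     eth1        detect
"""
MASQ = """\
#INTERFACE  SUBNET  ADDRESS
eth0        eth1
"""
POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
#fw      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""
# Interface addresses as `ip addr show` reported them in the thread.
ADDRS = {"eth0": "10.10.10.10/8", "eth1": "192.168.1.4/24", "ppp0": "200.43.176.49/32"}

# Hypothetical corrected files following the thread's advice: the PPP link is the
# net-zone and masq interface, and the fw->net ACCEPT policy line is uncommented.
FIXED_INTERFACES = "net ppp0 - routefilter,norfc1918\nloc eth1 detect\n"
FIXED_MASQ = "ppp0 eth1\n"
FIXED_POLICY = POLICY.replace("#fw", "fw")

def parse_table(text):
    """Split a Shorewall table file into rows of fields; '#' starts a comment, blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def is_rfc1918(cidr):
    """True if the address part of an 'addr/prefix' string lies in an RFC 1918 block."""
    ip = ipaddress.ip_interface(cidr).ip
    return any(ip in net for net in RFC1918)

def check_config(interfaces, masq, policy, addrs):
    """Return a list of findings for the three mistakes diagnosed in the thread."""
    findings = []
    iface_rows = parse_table(interfaces)
    net_ifaces = {r[1] for r in iface_rows if r[0] == "net"}
    # 1. 'norfc1918' on an interface whose own address is RFC 1918: Shorewall then
    #    treats the interface's own traffic as spoofed and filters it.
    for r in iface_rows:
        opts = r[3].split(",") if len(r) > 3 else []
        if "norfc1918" in opts and r[1] in addrs and is_rfc1918(addrs[r[1]]):
            findings.append(f"interfaces: {r[1]} has norfc1918 but carries RFC 1918 address {addrs[r[1]]}")
    # 2. The masq external interface must be a net-zone interface holding the public
    #    address (ppp0 on a PPPoE ADSL link), not the Ethernet side of the modem.
    for r in parse_table(masq):
        ext = r[0]
        if ext not in net_ifaces:
            findings.append(f"masq: {ext} is not a net-zone interface {sorted(net_ifaces)}")
        elif ext in addrs and is_rfc1918(addrs[ext]):
            findings.append(f"masq: external interface {ext} has private address {addrs[ext]}")
    # 3. Without 'fw net ACCEPT', traffic originating on the firewall falls through to
    #    'all all REJECT', which produces the OUTPUT:REJECT log lines posted above.
    if not any(r[0] == "fw" and r[1] in ("net", "all") and r[2] == "ACCEPT" for r in parse_table(policy)):
        findings.append("policy: no 'fw net ACCEPT' line; firewall-originated traffic is rejected")
    return findings
```

Running `check_config` on the posted files yields three findings; on the corrected files it yields none.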
> > Don't use ethX with ADSL modems, use the pppX instead (as mentioned in
> > the QuickStart Guides):
> > net ppp0 - dhcp,routefilter,norfc1918
>
> Only if you have a PPPOE address. I have a static IP with my ADSL, so I use
> eth0. You're assuming something that may or may not be true.
>
> In many (most?) case, you might be correct, because many ADSL accounts are
> PPPOE-style accounts. But not all.

Um, OK -- thanks, I will remember that.

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!

On 25 Apr 2003 05:16:58 +0200, kb <kb@bluehash.de> wrote:

>>
>> PD: for what i saw in the original mdk 9.1 files, and for what i read in
>> the
>> shorewall site, its exactly the same as in 9.0 (3 zones, masq, loc and
>> net).
>
>
> Tom, as Mandrake still seems to configure ppp0 and the corresponding
> ethX device, the warning is likely to apply to ML 9.1, too.
>
> (Posted to the list for that reason -- to put my comment in the previous
> post into perspective.)

http://www.shorewall.net/two-interface.htm says "If you are running Shorewall under Mandrake 9.0 or later...."

Doesn't "Mandrake 9.0 or later" also include 9.1? Or am I missing something???

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Hi,

I had this problem also I think... I saw you have blacked some outgoing UDP-connections that are blocked... See if they are to the address of your ISP... If so, unblock them... Hopefully (and I think) your internet connections will work... So something like:

ACCEPT fw net:IP-address udp (maybe also a port(s)... but still have to do that for myself... :) )

Hopefully it helps... it's very restricted, so don't think it's unsafe (if it makes your connection work... has to be done anyway... or is there another way?)

> >> PD: for what i saw in the original mdk 9.1 files, and for what i read in
> >> the
> >> shorewall site, its exactly the same as in 9.0 (3 zones, masq, loc and
> >> net).
> >
> > Tom, as Mandrake still seems to configure ppp0 and the corresponding
> > ethX device, the warning is likely to apply to ML 9.1, too.
> >
> > (Posted to the list for that reason -- to put my comment in the previous
> > post into perspective.)
>
> http://www.shorewall.net/two-interface.htm says "If you are running
> Shorewall under Mandrake 9.0 or later...."
>
> Doesn't "Mandrake 9.0 or later" also include 9.1? Or am I missing
> something???

Sure, that warning even applies to ML 9.1 -- A bit earlier in that thread it seemed 9.1 does not have that flaw like 9.0 and therefore the warning should have been restricted only to 9.0. Turns out that was too quick and 9.1 does it the same way as 9.0. (I was referring to that.)

However, hopefully I will have to set up a new Mandrake 9.1 firewall next week. I will check then how the interfaces are created. IIRC the problem was having the ethX _and_ the corresponding ppp0 interface and therefore mixed and messed policies.

btw: Andrés' problems are solved... :)

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!

On 25 Apr 2003 15:15:03 +0200, kb <kb@bluehash.de> wrote:

>
> btw: Andres problems are solved... :)
>

Thanks, Karsten.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net