I'm sure I'm looking straight through something but shorewall is blocking traceroute egress, well the resolving of the IP addresses, from my DMZ and my intranet, a fairly typical three zone set-up:

Shorewall:all2all:DROP:IN=eth2 OUT=eth0 SRC=217.34.100.194 DST=194.82.51.10 LEN=38 TOS=0x00 PREC=0x00 TTL=28 ID=53225 PROTO=UDP SPT=53140 DPT=33519 LEN=18

Bizarrely, to my mind, tracert under windoze in the intranet works fine.

I'm sure I've overlooked something obvious and perhaps it's nothing to do with shorewall but I thought this was the place to ask.

TIA,

Chris

PSYCTC: PSYchotherapy, PSYchology, PSychiatry, Counselling and Therapeutic Communities; practice, research, teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/
Email: chris1@psyctc.org
On Mon, 2 Jun 2003 06:56:27 +0100, Chris Evans <chris1@psyctc.org> wrote:

> I'm sure I'm looking straight through something but shorewall is
> blocking traceroute egress, well the resolving of the IP addresses,
> from my DMZ and my intranet a fairly typical three zone set-up:
> Shorewall:all2all:DROP:IN=eth2 OUT=eth0 SRC=217.34.100.194
> DST=194.82.51.10 LEN=38 TOS=0x00 PREC=0x00 TTL=28 ID=53225 PROTO=UDP
> SPT=53140 DPT=33519 LEN=18
> Bizarrely, to my mind, tracert under windoze in the intranet works
> fine.

Windoze uses ICMP traceroute while Linux uses UDP.

> I'm sure I've overlooked something obvious and perhaps it's nothing to
> do with shorewall but I thought this was the place to ask.

See http://www.shorewall.net/ports.htm under (you guessed it) Traceroute.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
* Tom Eastep <teastep@shorewall.net> [030602 14:00]:

> Windoze uses ICMP traceroute while Linux uses UDP.
>
> > I'm sure I've overlooked something obvious and perhaps it's nothing to
> > do with shorewall but I thought this was the place to ask.
>
> See http://www.shorewall.net/ports.htm under (you guessed it) Traceroute.

Sure the right way to go, but as it's nice to have an alternative you could also use tcptraceroute found at:

http://michael.toren.net/code/tcptraceroute/

--
BCNU Marcus
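The exchange above (a DROP logged for a UDP packet to port 33519 from eth2 to eth0, and Tom's point that Linux traceroute sends UDP while Windows tracert sends ICMP echo) can be turned into a small triage script. The Python below is an added example, not code from the thread or from Shorewall. It assumes: an interface-to-zone map for a typical three-zone box (eth0=net, eth1=loc, eth2=dmz; the log only shows interface names), the conventional UDP range opened for Unix traceroute (33434 through 33524; check it against ports.htm for your version), and the Shorewall 1.4 rules-file column order ACTION SOURCE DEST PROTO DEST PORT(S). The ICMP and TCP sample lines are constructed for contrast; only the first sample is the line from the post.

```python
"""Triage Shorewall/iptables DROP log lines and suggest the rule that would
allow traceroute probes through.

Added example for the thread above, not Shorewall's own code. The zone map,
port range and rules-file column layout are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Assumed: the UDP range conventionally opened for Unix traceroute. The
# program starts at 33434 and moves one port per probe, so 30 hops x 3
# probes lands inside this range (the DPT=33519 in the post does too).
TRACEROUTE_UDP_PORTS = range(33434, 33525)

# Assumed interface-to-zone map for a typical three-zone firewall.
IFACE_TO_ZONE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

_PREFIX = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one Shorewall log line into a dict of KEY=VALUE fields.

    iptables repeats some keys for the transport layer (a second LEN for
    UDP, a second ID for ICMP); a repeated key is stored as KEY_l4 so the
    IP-level value is not overwritten. Bare flags such as SYN keep an
    empty value.
    """
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    fields = {"CHAIN": m.group("chain"), "DISPOSITION": m.group("disp")}
    for tok in m.group("rest").split():
        key, _, val = tok.partition("=")
        if key in fields:
            key = key + "_l4"
        fields[key] = val
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Name the kind of traffic a dropped packet most likely is."""
    proto = fields.get("PROTO")
    if proto == "UDP" and int(fields.get("DPT", "0")) in TRACEROUTE_UDP_PORTS:
        return "traceroute-udp"   # Linux/BSD traceroute probe
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return "icmp-echo"        # Windows tracert (and ping)
    return "other"


def suggested_rule(fields: Dict[str, str]) -> str:
    """Return an /etc/shorewall/rules line (assumed 1.4 column layout) that
    would accept the dropped probe, or "" if the packet is not a probe.

    Only the outgoing probe needs a rule: the ICMP time-exceeded replies
    are matched as RELATED by Netfilter connection tracking.
    """
    src = IFACE_TO_ZONE.get(fields.get("IN", ""), "?")
    dst = IFACE_TO_ZONE.get(fields.get("OUT", ""), "?")
    kind = classify(fields)
    if kind == "traceroute-udp":
        lo, hi = TRACEROUTE_UDP_PORTS.start, TRACEROUTE_UDP_PORTS[-1]
        return f"ACCEPT\t{src}\t{dst}\tudp\t{lo}:{hi}"
    if kind == "icmp-echo":
        return f"ACCEPT\t{src}\t{dst}\ticmp\t8"
    return ""


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(chain, classification, suggested rule) for every DROP in the input."""
    rows = []
    for line in lines:
        f = parse_log_line(line)
        if f["DISPOSITION"] != "DROP":
            continue
        rows.append((f["CHAIN"], classify(f), suggested_rule(f)))
    return rows


# Constructed sample input: the first line is the one from the post, the
# ICMP echo and TCP SYN lines are made up to show the other branches.
SAMPLE_LOGS = [
    "Shorewall:all2all:DROP:IN=eth2 OUT=eth0 SRC=217.34.100.194 DST=194.82.51.10 "
    "LEN=38 TOS=0x00 PREC=0x00 TTL=28 ID=53225 PROTO=UDP SPT=53140 DPT=33519 LEN=18",
    "Shorewall:all2all:DROP:IN=eth2 OUT=eth0 SRC=217.34.100.194 DST=194.82.51.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    "Shorewall:all2all:DROP:IN=eth2 OUT=eth0 SRC=217.34.100.194 DST=194.82.51.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 SYN",
]

if __name__ == "__main__":
    for chain, kind, rule in triage(SAMPLE_LOGS):
        print(f"{chain:10} {kind:15} {rule or '(no rule suggested)'}")
```

Feed it `grep Shorewall /var/log/messages` and the first row tells you which zone pair and port range the all2all DROP is hitting; the Windows tracert from the intranet works because ICMP echo from that zone was already allowed, not because the firewall treats "traceroute" specially.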
G. Armour Van Horn
2003-Jun-04 20:53 UTC
[Shorewall-users] Newcomer needs to build 3-wire firewall
Greetings:

I have been happily using SmoothWall as a straight two-port firewall for the last year or so, but finally came to a situation in which I needed a DMZ. No biggie, throw three cards in a box and start the install, right? BOING! No joy, SmoothWall only supports a DMZ if you have two private networks, which is not my situation.

I have a /28 network to work with, and intend to split this in two so I'll have a potential for five hosts in the bottom /29, the outside of the firewall and the DSL router in the top /29, and a private /24. Looking at the "Three-Interface Firewall" how-to I see that the DMZ example shows private space.

Also, the how-to says Version 2.0.1, while the latest Shorewall seems to be 1.4.4b.

So, will Shorewall support a real DMZ? And is the version on the how-to the version of the how-to, or does it mean I need to have a different version of Shorewall to run it?

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations on a theme delivered every morning. Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD
For web hosting and maintenance, visit Van's home page:
http://www.domainvanhorn.com/van/
----------------------------------------------------------
Ed.Greshko@greshko.com
2003-Jun-04 22:54 UTC
[Shorewall-users] Newcomer needs to build 3-wire firewall
On Wed, 4 Jun 2003, G. Armour Van Horn wrote:

> I have a /28 network to work with, and intend to split this in two so
> I'll have a potential for five hosts in the bottom /29, the outside of
> the firewall and the DSL router in the top /29, and a private /24.
> Looking at the "Three-Interface Firewall" how-to I see that the DMZ
> example shows private space.
>
> Also, the how-to says Version 2.0.1, while the latest Shorewall seems to
> be 1.4.4b.

If you look closely you will see that the Main HOW-TO page says "Version 4", the Standalone HOW-TO page says Version 2.0.1 as does the 3-Interface page. The 2-Interface page sports no version number. Don't let any of that concern you.

> So, will Shorewall support a real DMZ? And is the version on the how-to
> the version of the how-to, or does it mean I need to have a different
> version of Shorewall to run it?

Yes, Shorewall supports setting up a "real" DMZ.

Run the most recent version of Shorewall. Shorewall-1.4.4b.

Also, since you are new, we would like to point out that if you encounter problems you should first visit the links "FAQs", "Things to try if it doesn't work", and "Getting help or Answers to Questions". All these links are located in the left-hand frame.

Regards,
Ed
--
SARS - The only virus not spread by Outlook
http://www.shorewall.net/ for all your firewall needs
Tom Eastep
2003-Jun-05 05:58 UTC
[Shorewall-users] Newcomer needs to build 3-wire firewall
On Thu, 5 Jun 2003 13:54:17 +0800, <Ed.Greshko@greshko.com> wrote:

> On Wed, 4 Jun 2003, G. Armour Van Horn wrote:
>
> > So, will Shorewall support a real DMZ? And is the version on the how-to
> > the version of the how-to, or does it mean I need to have a different
> > version of Shorewall to run it?
>
> Yes, Shorewall supports setting up a "real" DMZ.
>
> Run the most recent version of Shorewall. Shorewall-1.4.4b.
>
> Also, since you are new, we would like to point out that if you encounter
> problems you should first visit the links "FAQs", "Things to try if it
> doesn't work", and "Getting help or Answers to Questions". All these
> links are located in the left-hand frame.

Also, the original poster should READ the text at the top of http://www.shorewall.net/shorewall_quickstart_guide.htm -- it specifically says that the 3-interface quickstart guide is for users with *one* external IP address and that users with multiple publish addresses should use http://www.shorewall.net/shorewall_setup_guide.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-05 06:00 UTC
[Shorewall-users] Newcomer needs to build 3-wire firewall
On Thu, 05 Jun 2003 05:58:39 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> Also, the original poster should READ the text at the top of
> http://www.shorewall.net/shorewall_quickstart_guide.htm -- it
> specifically says that the 3-interface quickstart guide is for users with
> *one* external IP address and that users with multiple publish addresses
> should use http://www.shorewall.net/shorewall_setup_guide.htm.

Make that "...public addresses..."

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net