I'm having a problem when I try to get my client machines on the net through the loc zone. I used the three-interface quick setup guide. I have my shorewall box with 3 nics: eth0 is dhcp to my cable modem, eth1 is 10.10.10.254 with a dhcp server for the loc hub and eth2 is 10.10.11.254 with a dhcp server for the dmz hub. My laptop is connected to the loc hub and pulling a dhcp address of 10.10.10.100 n/m 255.255.255.0 g/w 10.10.10.254.

My policy is:

    #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
    loc net ACCEPT
    # If you want open access to the Internet from your Firewall
    # remove the comment from the following line.
    fw net ACCEPT info
    # Also If You Wish To Open Up DMZ Access To The Internet
    # remove the comment from the following line.
    #dmz net ACCEPT
    net all DROP info
    all all REJECT info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My /var/log/messages says this when I try and connect to the internet from my laptop on loc:

    Jul 15 12:53:15 va-spotsy-cuda2-c6d-215 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:e0:81:03:1a:2a:00:20:e0:6f:40:ee:08:00 SRC=10.10.10.100 DST=10.10.10.254 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=9002 PROTO=UDP SPT=1036 DPT=53 LEN=40

Now, if I change my policy to all all ACCEPT, my /var/log/messages says this:

    Jul 15 12:57:35 va-spotsy-cuda2-c6d-215 kernel: Shorewall:all2all:ACCEPT:IN=eth1 OUT= MAC=00:e0:81:03:1a:2a:00:20:e0:6f:40:ee:08:00 SRC=10.10.10.100 DST=10.10.10.254 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=9045 PROTO=UDP SPT=1035 DPT=53 LEN=39

I know I'm not supposed to change the policy to all all ACCEPT because that defeats the purpose of the whole idea, I just can't get out on the net any other way from my clients in loc. I modified the files in /etc/shorewall as I thought they should be, but I might have missed something. Can someone give me some help. Thanks.

Bryan H
NVETHIS Networks
Bryan,

On Tue, 2003-07-15 at 10:00, Bryan H wrote:
>
> My /var/log/messages says this when I try and connect
> to the internet from my laptop on loc:
> Jul 15 12:53:15 va-spotsy-cuda2-c6d-215 kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:e0:81:03:1a:2a:00:20:e0:6f:40:ee:08:00
> SRC=10.10.10.100 DST=10.10.10.254 LEN=60 TOS=0x00
> PREC=0x00 TTL=128 ID=9002 PROTO=UDP SPT=1036 DPT=53
> LEN=40
>

The above is a DNS request from your laptop to your firewall. From this, I'm assuming that you are running a DNS server on your firewall and that your DHCP server is pointing your laptop to that server. You must have missed the part of the QuickStart Guide that talked about DNS as you are missing a couple of rules:

    ACCEPT loc fw udp 53
    ACCEPT loc fw tcp 53

In the future, please note that the link "Things to try if it doesn't work" on the Shorewall home page gives information about how to understand Shorewall log messages. Also, FAQ #17 offers additional insight into why these messages get generated.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
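The log decoding Tom does by eye above, as an added Python example that is not part of the original thread: it splits a Shorewall log line into chain, verdict and packet fields, maps the interfaces to the zones from Bryan's three-NIC layout (an assumed mapping, with an empty OUT= meaning the packet terminated on the firewall), and for a DROP/REJECT in a zone-pair chain produces the ACCEPT rule that would have matched it.

```python
import re

# Interface -> zone, assumed from the three-interface layout in the question.
ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# The REJECT line from the question, used here as the constructed sample input.
SAMPLE_LINE = ("Jul 15 12:53:15 va-spotsy-cuda2-c6d-215 kernel: "
               "Shorewall:all2all:REJECT:IN=eth1 OUT= "
               "MAC=00:e0:81:03:1a:2a:00:20:e0:6f:40:ee:08:00 "
               "SRC=10.10.10.100 DST=10.10.10.254 LEN=60 TOS=0x00 PREC=0x00 "
               "TTL=128 ID=9002 PROTO=UDP SPT=1036 DPT=53 LEN=40")

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Return {chain, verdict, IN, OUT, SRC, DST, ...} for a Shorewall log line, or None.

    'OUT=' with no value is kept as '' (the packet was addressed to the firewall).
    LEN appears twice (IP total length, then UDP length); the first one is kept.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, value)
    return fields


def explain(fields, zones=ZONES):
    """Resolve the zone pair and, for a DROP/REJECT, the rule that would have matched.

    The chain is the zone-pair chain (<src>2<dst>, here the catch-all 'all2all'),
    so a logged REJECT there means no rule matched and the policy fired.
    Returns (src_zone, dst_zone, suggested_rule_or_None).
    """
    src_zone = zones.get(fields.get("IN", ""), "?")
    dst_zone = zones.get(fields["OUT"], "?") if fields.get("OUT") else "fw"
    rule = None
    if fields["verdict"] in ("DROP", "REJECT"):
        proto = fields.get("PROTO", "").lower()
        rule = f"ACCEPT {src_zone} {dst_zone} {proto} {fields.get('DPT', '')}".strip()
    return src_zone, dst_zone, rule


if __name__ == "__main__":
    print(explain(parse_shorewall_log(SAMPLE_LINE)))  # ('loc', 'fw', 'ACCEPT loc fw udp 53')
```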