Sorry, I accidentally erased the part about the upgrade: I haven't upgraded v1.4.0 yet, I just tried v1.4.5 on another machine before going live with v1.4.5.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Carlos Cajina" <cecajina@hotmail.com>
Sent: Friday, July 18, 2003 2:57 PM
Subject: Re: [Shorewall-users] Shorewall not working

> On Fri, 2003-07-18 at 14:50, Carlos Cajina wrote:
>
> > I'll include them in the start script, but just to be aware of what I'm
> > doing, what would these two lines do to improve the firewall setup?
>
> They prevent the kernel from responding to ARP requests on the wrong
> interface.
>
> > I decided that I would use one segment to be "loc" and the other to be
> > the "net" and would filter by blacklisting IP addresses from "loc" even
> > though I would be "wasting" practically the whole IP address range from
> > the "net" segment. I followed the two-interface how-to and everything
> > has been working fine since I installed the firewall 4 months ago. Now,
> > it seems to me that newer versions of Shorewall don't allow eth0 and
> > eth1 to be connected to the same hub/switch (as stated in the docs), and
> > I certainly ended up confused and believing that Shorewall didn't work
> > at all.
>
> The output that you posted showed that you were trying to masquerade out
> of eth0 when your default route was out of eth1; that *definitely*
> indicates a configuration problem and would have been a problem with
> 1.4.0 as well. How did you upgrade from 1.4.0->1.4.5?
>
> > Well, in a strange way the firewall has been working for quite a while
> > with that configuration. As I mentioned, the base files I used to
> > configure Shorewall were the ones included in the two-interface
> > configuration sample.
>
> Now please answer my question -- how did you upgrade from 1.4.0->1.4.5?
>
> > I feel a little lost about how to correct the configuration/masquerading
> > problem. I have the following in the main cfg files:
> >
> > [zones]
> > #ZONE    DISPLAY    COMMENTS
> > net      Net        Internet
> > loc      Local      Local Networks
> >
> > [interfaces]
> > #ZONE    INTERFACE  BROADCAST  OPTIONS
> > net      eth0       detect     routefilter,norfc1918
> > loc      eth1       detect     blacklist
> >
> > [masq]
> > #INTERFACE  SUBNET  ADDRESS
> > eth0        eth1
> >
> > Having this configuration I still don't see where's the bug,
>
> From the output that you posted, your default route is on eth1 -- that
> would mean that eth1 should be your external interface, not your local
> interface.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 15:03, Carlos Cajina wrote:
> Sorry, I accidentally erased the part about the upgrade: I haven't upgraded
> v1.4.0 yet, I just tried v1.4.5 on another machine before going live with
> v1.4.5.

Sounds like you didn't customize the two-interface sample for that machine's configuration.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
I didn't customize those files because I assigned eth1 and eth0 to loc and net respectively, just like in the example (to make my life a little easier). I did modify the policy, rules and blacklist files to do the actual filtering. Is there something that I missed in the configuration?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Carlos Cajina" <cecajina@hotmail.com>
Cc: <Shorewall-users@lists.shorewall.net>
Sent: Friday, July 18, 2003 3:10 PM
Subject: Re: Fw: [Shorewall-users] Shorewall not working

> On Fri, 2003-07-18 at 15:03, Carlos Cajina wrote:
> > Sorry, I accidentally erased the part about the upgrade: I haven't
> > upgraded v1.4.0 yet, I just tried v1.4.5 on another machine before going
> > live with v1.4.5.
>
> Sounds like you didn't customize the two-interface sample for that
> machine's configuration.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 15:15, Carlos Cajina wrote:
> I didn't customize those files because I assigned eth1 and eth0 to loc and
> net respectively, just like in the example (to make my life a little easier).
> I did modify the policy, rules and blacklist files to do the actual
> filtering. Is there something that I missed in the configuration?

Please post the output of "ip route ls" from that box.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Carlos Cajina" <cecajina@hotmail.com>
Cc: <Shorewall-users@lists.shorewall.net>
Sent: Friday, July 18, 2003 3:20 PM
Subject: Re: Fw: [Shorewall-users] Shorewall not working

> On Fri, 2003-07-18 at 15:15, Carlos Cajina wrote:
> > I didn't customize those files because I assigned eth1 and eth0 to loc
> > and net respectively, just like in the example (to make my life a little
> > easier). I did modify the policy, rules and blacklist files to do the
> > actual filtering. Is there something that I missed in the configuration?
>
> Please post the output of "ip route ls" from that box.

Here it is:

148.202.98.0/24 dev eth0 scope link
148.202.86.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 148.202.86.254 dev eth1

> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
On Fri, 2003-07-18 at 15:33, Carlos Cajina wrote:
> > Please post the output of "ip route ls" from that box.
>
> Here it is:
>
> 148.202.98.0/24 dev eth0 scope link
> 148.202.86.0/24 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link
> default via 148.202.86.254 dev eth1

Given that routing table, I don't know how you can claim that your net interface is eth0. The default route is on eth1!

Also, since you have public IP addresses on both interfaces, why are you doing masquerading at all?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
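As an added example (not part of the thread and not Shorewall's own code), here is a small Python checker that reproduces Tom's diagnosis: it parses "ip route ls" output together with the interfaces and masq entries quoted above, and reports a net zone or masq interface that differs from the default-route interface, plus a masq source that already holds public addresses. The sample input is constructed from the values in the thread, the file formats are simplified to the columns shown, and the function names are mine.

```python
import ipaddress

# Constructed sample input modelled on the thread (not the poster's real files).
IP_ROUTE_OUTPUT = """\
148.202.98.0/24 dev eth0 scope link
148.202.86.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 148.202.86.254 dev eth1
"""
INTERFACES_FILE = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,norfc1918
loc eth1 detect blacklist
"""
MASQ_FILE = """\
#INTERFACE SUBNET ADDRESS
eth0 eth1
"""

def parse_routes(text):
    """Return (default-route interface, {interface: [networks]}) from 'ip route ls' output."""
    default_iface, nets = None, {}
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if fields[0] == "default":
            default_iface = dev
        elif dev:
            nets.setdefault(dev, []).append(ipaddress.ip_network(fields[0], strict=False))
    return default_iface, nets

def config_rows(text):
    """Whitespace-split fields of each non-comment, non-blank line of a Shorewall table file."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def check_config(route_text, interfaces_text, masq_text):
    """Cross-check the net zone and masq entries against the live routing table."""
    default_iface, nets = parse_routes(route_text)
    net_ifaces = [row[1] for row in config_rows(interfaces_text) if row[0] == "net"]
    findings = []
    if default_iface not in net_ifaces:
        findings.append(f"net zone is on {', '.join(net_ifaces)} but the default route is on {default_iface}")
    for out_iface, source, *_ in config_rows(masq_text):
        if out_iface != default_iface:
            findings.append(f"masq out of {out_iface} but the default route is on {default_iface}")
        # SUBNET may be an interface name (resolved via the routing table) or a CIDR network.
        src_nets = nets.get(source) or ([ipaddress.ip_network(source, strict=False)] if "/" in source else [])
        if src_nets and not any(n.is_private for n in src_nets):
            findings.append(f"masq source {source} already has public addresses; masquerading is not needed")
    return findings
```

Run it against the thread's values and all three of Tom's points come out as warnings; swapping the zone assignment clears the routing mismatches and leaves only the note that masquerading public addresses is unnecessary.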