Razham Misra, Abdul Razak
2003-Jul-25 09:04 UTC
[Shorewall-users] problem with routed network
Hi,

Sorry for the lengthy post, but here I go.

I have a routed network as shown in the diagram below:

                Internet Router (202.165.223.145/28)
                          |
                          |
                          |
                (202.165.223.146/28) eth0
                       Firewall
  (202.165.223.153/29) eth1 -------- (202.165.223.154/29) DMZ
                (202.165.223.149/30) eth2
                          |
                          |
                          |
                (202.165.223.150/30) Local Network

Firewall default route is to 202.165.223.145.

Current situation is, I can ping from:

  Local Network 202.165.223.150 to Firewall (all 3 interfaces)
  Local Network 202.165.223.150 to DMZ 202.165.223.154
  DMZ 202.165.223.154 to Firewall (all 3 interfaces)
  DMZ 202.165.223.154 to Local Network 202.165.223.150
  Firewall to Internet

But not from:

  Local Network 202.165.223.150 to Internet Router interface 202.165.223.145
  DMZ 202.165.223.145 to Internet Router Interface 202.165.223.145

Why does this happen? There is no rule saying that I can't ping to the Internet in the Shorewall rules file, and in the policy, anything from DMZ and Local should be able to access the net freely:

  ACCEPT loc net
  ACCEPT dmz net
  ACCEPT fw net

Could someone on this list shed some light on what is going on here? I am starting to lose hair since last Friday.

Anyway, I attached the shorewall restart output for reference.

Thanks in advance,
Razham

-------------- next part --------------
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Initializing...
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth2:0.0.0.0/0
   DMZ Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT net loc icmp 8" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy ACCEPT for fw to loc using chain fw2loc
   Policy ACCEPT for fw to dmz using chain fw2dmz
   Policy DROP for net to fw using chain net2fw
   Policy DROP for net to loc using chain net2all
   Policy DROP for net to dmz using chain net2dmz
   Policy ACCEPT for loc to fw using chain loc2fw
   Policy ACCEPT for loc to net using chain loc2net
   Policy ACCEPT for loc to dmz using chain loc2dmz
   Policy ACCEPT for dmz to net using chain dmz2net
   Policy ACCEPT for dmz to loc using chain dmz2loc
Masqueraded Subnets and Hosts:
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
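The address plan from the diagram above, checked with Python's ipaddress module. This is an added example, not part of the thread; the interface addresses are the ones given in the post, and the checks (each address is a usable host address, and whether any link prefixes nest inside another) are generic routed-network sanity checks.

```python
"""Sanity-check the address plan of the routed network described in the post.

Added example; addresses come from the post's diagram, nothing else is assumed.
"""
import ipaddress

# Interface addresses exactly as given in the diagram
INTERFACES = {
    "router":     "202.165.223.145/28",
    "fw-eth0":    "202.165.223.146/28",
    "fw-eth1":    "202.165.223.153/29",
    "dmz-host":   "202.165.223.154/29",
    "fw-eth2":    "202.165.223.149/30",
    "local-host": "202.165.223.150/30",
}


def link_networks(interfaces):
    """Map each interface name to the link prefix its address belongs to."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}


def usable_host(addr):
    """True if the address is neither the network nor the broadcast address of its prefix."""
    iface = ipaddress.ip_interface(addr)
    net = iface.network
    return iface.ip not in (net.network_address, net.broadcast_address)


def nested_prefixes(interfaces):
    """Return (inner, outer) pairs of distinct link prefixes where inner lies inside outer.

    In a routed design each link normally has its own disjoint prefix; when a
    smaller link prefix sits inside a larger one, hosts on the larger link treat
    the inner addresses as directly attached unless something (proxy ARP or a
    more specific route) tells them otherwise.
    """
    nets = sorted(set(link_networks(interfaces).values()), key=lambda n: n.prefixlen)
    return [(str(inner), str(outer))
            for i, outer in enumerate(nets)
            for inner in nets[i + 1:]
            if inner != outer and inner.subnet_of(outer)]


if __name__ == "__main__":
    for name, net in link_networks(INTERFACES).items():
        print(f"{name:10s} on {net}  usable={usable_host(INTERFACES[name])}")
    print("nested prefixes:", nested_prefixes(INTERFACES))
```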
On Fri, 2003-07-25 at 09:04, Razham Misra, Abdul Razak wrote:

> Firewall default route is to 202.165.223.145
> Current situation is, I can ping
> From
> Local Network 202.165.223.150 to Firewall (all 3 interface)
> Local Network 202.165.223.150 to DMZ 202.165.223.154
> DMZ 202.165.223.154 to Firewall (all 3 interface)
> DMZ 202.165.223.154 to Local Network 202.165.223.150
> Firewall to Internet
>
> But not from
> Local Network 202.165.223.150 to Internet Router interface 202.165.223.145
> DMZ 202.165.223.145 to Internet Router Interface 202.165.223.145

And if you "shorewall clear", does it work?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-07-25 at 10:45, Razham Misra, Abdul Razak wrote:

> I have rebooted the machine several times, but it still remains the same.

Well, that isn't what I asked -- I asked if "shorewall clear" makes it work. I'll assume that the answer is No, in which case your problem has nothing to do with Shorewall.

What does "ip route ls" show on your firewall?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net