Ronald Wiplinger
2003-Aug-26 06:37 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Hi all,

I started today with Shorewall and got some troubles.
In order not to post all my files I put all temporary into:
http://www.elmit.com/shorewall-help/

I have a four port ethernet card:

* eth0 points to ISP 1 (public IP)
* eth1 points to ISP 2 (public IP) (not connected yet, since it is at the moment connected via second router on 192.168.250.250)
* eth2 points to a planned ISP 3 (public IP)
* eth3 LAN 192.168.250.254 (at the moment only 192.168.250.0/24 used)

dhcpd points for LAN machines to 192.168.250.250 as gateway
named has internal and external view pointing to 192.168.250.254 as internal webserver (no loop via ISP 2)

I tried to use shorewall, but some troubles came up:

1. eth3 could not find the MySQL server on the LAN so I switched back to Monmotha

Below are all files of shorewall as well as the Monmotha firewall file

Can anybody help me to fix the shorewall files so that it fulfills the MySQL problem and the multi ISP setup without second router!

/Thanks!/

bye

Ronald

--
Ronald Wiplinger (CEO of ELMIT)
http://www.elmit.com
+886 (0) 915 653-452
- I'm a SpamCon Foundation Member, #694, Verify it at http://www.spamcon.org

PS: Spam prevention! Our system is protected with a spam prevention program. If you send us an e-mail, our system will send you a confirmation message back. Just reply to this confirmation message please. After receiving this confirmation message, our system will send the hold message (one) and all future messages (after the received confirmation message) to me without asking you again.
On Tue, 2003-08-26 at 06:36, Ronald Wiplinger wrote:

> I tried to use shorewall, but some troubles came up:
>
> 1. eth3 could not find the MySQL server on the LAN so I switched back to
> Monmotha
>
> Below are all files of shorewall as well as the Monmotha firewall file
>
> Can anybody help me to fix the shorewall files so that it fulfills the
> MySQL problem and the multi ISP setup without second router!
>

You didn't include the configuration files. The above description of your problem is so nebulous though that it wouldn't have made much difference anyway.

Finally, these multi-ISP problems usually end up being routing related and Shorewall isn't really a factor.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ronald Wiplinger
2003-Aug-26 10:12 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Tom Eastep wrote:

> On Tue, 2003-08-26 at 06:36, Ronald Wiplinger wrote:
>
>> I tried to use shorewall, but some troubles came up:
>>
>> 1. eth3 could not find the MySQL server on the LAN so I switched back to
>> Monmotha
>>
>> Below are all files of shorewall as well as the Monmotha firewall file
>>
>> Can anybody help me to fix the shorewall files so that it fulfills the
>> MySQL problem and the multi ISP setup without second router!
>
> You didn't include the configuration files. The above description of
> your problem is so nebulous though that it wouldn't have made much
> difference anyway.
>

Here is the complete text of my message:

Hi all,

I started today with Shorewall and got some troubles.
In order not to post all my files I put all temporary into:
http://www.elmit.com/shorewall-help/

I have a four port ethernet card:

* eth0 points to ISP 1 (public IP)
* eth1 points to ISP 2 (public IP) (not connected yet, since it is at the moment connected via second router on 192.168.250.250)
* eth2 points to a planned ISP 3 (public IP)
* eth3 LAN 192.168.250.254 (at the moment only 192.168.250.0/24 used)

dhcpd points for LAN machines to 192.168.250.250 as gateway
named has internal and external view pointing to 192.168.250.254 as internal webserver (no loop via ISP 2)

I tried to use shorewall, but some troubles came up:

1. eth3 could not find the MySQL server on the LAN so I switched back to Monmotha

Below are all files of shorewall as well as the Monmotha firewall file

Can anybody help me to fix the shorewall files so that it fulfills the MySQL problem and the multi ISP setup without second router!

/Thanks!/

> Finally, these multi-ISP problems usually end up being routing related
> and Shorewall isn't really a factor.
>
> -Tom
>

--
Ronald Wiplinger (CEO of ELMIT)
http://www.elmit.com
+886 (0) 915 653-452
- I'm a SpamCon Foundation Member, #694, Verify it at http://www.spamcon.org
On Tue, 2003-08-26 at 10:09, Ronald Wiplinger wrote:

>
> Here is the complete text of my message:
>

The list is configured to only accept attachments of the following types:

multipart/mixed
multipart/alternative
text/plain
text/html

HTML is converted to plain text before forwarding to the list.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2003-08-26 at 10:21, Tom Eastep wrote:

> On Tue, 2003-08-26 at 10:09, Ronald Wiplinger wrote:
>
>>
>> Here is the complete text of my message:
>>
>
> The list is configured to only accept attachments of the following
> types:
>
> multipart/mixed
> multipart/alternative
> text/plain
> text/html
>
> HTML is converted to plain text before forwarding to the list.
>

Ooops -- sorry, wrong list. The Users list accepts all attachment types and converts HTML to plain text. So I don't know why your attachments aren't being forwarded...

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ronald Wiplinger
2003-Aug-26 10:33 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Tom Eastep wrote:

> On Tue, 2003-08-26 at 10:09, Ronald Wiplinger wrote:
>
>> Here is the complete text of my message:
>>
>
> The list is configured to only accept attachments of the following
> types:
>
> multipart/mixed
> multipart/alternative
> text/plain
> text/html
>
> HTML is converted to plain text before forwarding to the list.
>
> -Tom
>

Here is AGAIN the complete text, let me walk you through:

Hi all,

I started today with Shorewall and got some troubles.
In order not to post all my files I put all temporary into:
http://www.elmit.com/shorewall-help/

here above is a LINK, use your left mouse button and click on it. Magically it will open for you a browser window, which includes all the information you may need. If you THEN still need more information I will be happy to give this also.

If you think this is too much trouble to look at the web site, and the mailing list is more interested in TRAFFIC, I can post each file as a message as well.

I have a four port ethernet card:

* eth0 points to ISP 1 (public IP)
* eth1 points to ISP 2 (public IP) (not connected yet, since it is at the moment connected via second router on 192.168.250.250)
* eth2 points to a planned ISP 3 (public IP)
* eth3 LAN 192.168.250.254 (at the moment only 192.168.250.0/24 used)

dhcpd points for LAN machines to 192.168.250.250 as gateway
named has internal and external view pointing to 192.168.250.254 as internal webserver (no loop via ISP 2)

I tried to use shorewall, but some troubles came up:

1. eth3 could not find the MySQL server on the LAN so I switched back to Monmotha

Can anybody help me to fix the shorewall files so that it fulfills the MySQL problem and the multi ISP setup without second router!

/Thanks!/

--
Ronald Wiplinger (CEO of ELMIT)
http://www.elmit.com
+886 (0) 915 653-452
- I'm a SpamCon Foundation Member, #694, Verify it at http://www.spamcon.org
On Tue, 2003-08-26 at 10:33, Ronald Wiplinger wrote:

> Tom Eastep wrote:
>
>> On Tue, 2003-08-26 at 10:09, Ronald Wiplinger wrote:
>>
>>> Here is the complete text of my message:
>>>
>>
>> The list is configured to only accept attachments of the following
>> types:
>>
>> multipart/mixed
>> multipart/alternative
>> text/plain
>> text/html
>>
>> HTML is converted to plain text before forwarding to the list.
>>
>> -Tom
>>
>
> Here is AGAIN the complete text, let me walk you through:

This is not the complete text. You have conveniently omitted the following line that was present in your last two posts:

"Below are all files of shorewall as well as the Monmotha firewall file"

That line was placed near the bottom of your post. Neither I nor any one else saw any files below that line.

>
> Hi all,
>
> I started today with Shorewall and got some troubles.
> In order not to post all my files I put all temporary into:
> http://www.elmit.com/shorewall-help/
>
>
> here above is a LINK, use your left mouse button and click on it.
> Magically it will open for you a browser window, which includes all the
> information you may need. If you THEN still need more information I will
> be happy to give this also.

I hope you are able to solve your problem.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ronald Wiplinger
2003-Aug-26 11:30 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Tom Eastep wrote:

> On Tue, 2003-08-26 at 10:33, Ronald Wiplinger wrote:
>
>> Tom Eastep wrote:
>>
>>> On Tue, 2003-08-26 at 10:09, Ronald Wiplinger wrote:
>>>
>>>> Here is the complete text of my message:
>>>>
>>>
>>> The list is configured to only accept attachments of the following
>>> types:
>>>
>>> multipart/mixed
>>> multipart/alternative
>>> text/plain
>>> text/html
>>>
>>> HTML is converted to plain text before forwarding to the list.
>>>
>>> -Tom
>>>
>>
>> Here is AGAIN the complete text, let me walk you through:
>>
>
> This is not the complete text. You have conveniently omitted the
> following line that was present in your last two posts:
>
> "Below are all files of shorewall as well as the Monmotha firewall file"
>
> That line was placed near the bottom of your post. Neither I nor any one
> else saw any files below that line.
>

Sorry, for this line. I thought people start reading at the top of a text and not at the end.

After we cleared our misunderstanding, can we come to the subject, how to solve it?

Thank you!

bye

Ronald

>
>> Hi all,
>>
>> I started today with Shorewall and got some troubles.
>> In order not to post all my files I put all temporary into:
>> http://www.elmit.com/shorewall-help/
>>
>>
>> here above is a LINK, use your left mouse button and click on it.
>> Magically it will open for you a browser window, which includes all the
>> information you may need. If you THEN still need more information I will
>> be happy to give this also.
>>
>
> I hope you are able to solve your problem.
>
> -Tom
>

--
Ronald Wiplinger (CEO of ELMIT)
http://www.elmit.com
+886 (0) 915 653-452
- I'm a SpamCon Foundation Member, #694, Verify it at http://www.spamcon.org
On Tue, 2003-08-26 at 11:29, Ronald Wiplinger wrote:

>
> Sorry, for this line. I thought people start reading at the top of a text
> and not at the end.
>
> After we cleared our misunderstanding, can we come to the subject, how
> to solve it?
>

All right.

What exactly is the problem you are reporting? The following description has me perplexed:

"eth3 could not find the MySQL server on the LAN so I switched back to Monmotha"

I see that you have a rule for allowing MySQL connections from the LAN to the firewall. Are you saying that rule isn't working?

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ronald Wiplinger
2003-Aug-26 12:01 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Tom Eastep wrote:

> What exactly is the problem you are reporting? The following description
> has me perplexed:
>
> "eth3 could not find the MySQL server on the LAN so I switched back to
> Monmotha"
>
> I see that you have a rule for allowing MySQL connections from the LAN
> to the firewall. Are you saying that rule isn't working?
>

Yes!

The firewall = web server uses an external database server, which is on 192.168.250.xx, which is on the LAN of eth3. All pages using the MySQL database did not show up. Therefore I had to switch back.

I found in the meantime that I can shorten some range of ports, which will make the files smaller to eventually post them ;-)

Having a look at the configuration files, are there other possible improvements to make?

Talking about multiple ISP connections: These are only used for outgoing connections, so that all my LAN users do not need to bother my server line (on eth0), however, it is nice to use the DNAT feature to point any incoming connection to the server back as well, which works then like a backup line.

bye

Ronald @ 3:00 am
On Tue, 2003-08-26 at 12:01, Ronald Wiplinger wrote:

> Tom Eastep wrote:
>
>> What exactly is the problem you are reporting? The following description
>> has me perplexed:
>>
>> "eth3 could not find the MySQL server on the LAN so I switched back to
>> Monmotha"
>>
>> I see that you have a rule for allowing MySQL connections from the LAN
>> to the firewall. Are you saying that rule isn't working?
>>
>
> Yes!
>
> The firewall = web server uses an external database server, which is on
> 192.168.250.xx, which is on the LAN of eth3. All pages using the MySQL
> database did not show up.

Then shouldn't the rule be

    ACCEPT  fw  loc  tcp  3306

The web server on the firewall is the client and the server is in the 'loc' zone.

Also -- if you make just a single 'net' zone, and assign all three interfaces to it you will have a much smaller ruleset. When necessary, you can qualify a zone with an interface such as in:

    ACCEPT  net:eth0  fw  tcp  8000

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hello,

On 26 Aug 2003, Tom Eastep wrote:

> All right.
>
> What exactly is the problem you are reporting?

Sometimes I'm amazed that you're still subscribed to this list, Tom. You did a *really* good job keeping your cool on this one.

-Jason
Ronald Wiplinger
2003-Aug-26 19:31 UTC
[Shorewall-users] Switch from Monmotha to Shorewall
Tom Eastep wrote:

> Then shouldn't the rule be
>
>     ACCEPT  fw  loc  tcp  3306
>
> The web server on the firewall is the client and the server is in the
> 'loc' zone.
>
> Also -- if you make just a single 'net' zone, and assign all three
> interfaces to it you will have a much smaller ruleset. When necessary,
> you can qualify a zone with an interface such as in:
>
>     ACCEPT  net:eth0  fw  tcp  8000
>
> -Tom
>

Thanks, it seems it worked.

Two missing parts I solved alone ;-)

1. how to put in the three interfaces to one zone. I tried comma separated, which did not work, so I put three lines with net and interface
2. DNS was missing for the local machines. I changed rules to ACCEPT fw all tcp 53 ....

So far it seems to work.

Thanks again!

bye

Ronald

--
Ronald Wiplinger (CEO of ELMIT)
http://www.elmit.com
+886 (0) 915 653-452
- I'm a SpamCon Foundation Member, #694, Verify it at http://www.spamcon.org
On Wed, 27 Aug 2003, Ronald Wiplinger wrote:

> Two missing parts I solved alone ;-)
> 1. how to put in the three interfaces to one zone. I tried comma
> separated, which did not work, so I put three lines with net and interface

Surely it's not that difficult -- nowhere does the documentation suggest that you can only have one record per zone in /etc/shorewall/interfaces. And nowhere does it say that you can have a comma-separated list in the first column.

> 2. DNS was missing for the local machines. I changed rules to ACCEPT
> fw all tcp 53 ....
>

If you follow the QuickStart Guides, you get lots of help with DNS.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
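A worked Shorewall configuration that puts the thread's two fixes together, added here as an example; it is not part of the thread and not Shorewall's own documentation. It shows a single net zone holding all three ISP interfaces (one record per interface in /etc/shorewall/interfaces, as Ronald ended up doing), the MySQL rule written in the direction the connection is actually opened (the web server on the firewall is the client, the database in loc is the server), an interface-qualified rule so a service is reachable only over ISP 1, and the firewall's DNS lookups limited to the net zone rather than `all`. The interface names, the 192.168.250.0/24 LAN, port 3306 and port 8000 come from the thread; the zone names `net`/`loc`, the policy defaults, the log levels, the port 80 rule and the column layout (the 1.4-era whitespace-separated files) are assumptions. `fw` is Shorewall's default name for the firewall itself and is not listed in the zones file.

```text
# /etc/shorewall/zones      (ZONE   DISPLAY  COMMENTS)
# Constructed example. 'fw' is implicit and must not be declared here.
net     Net     All three ISP uplinks
loc     Local   LAN behind eth3 (192.168.250.0/24)

# /etc/shorewall/interfaces (ZONE   INTERFACE  BROADCAST)
# One record per interface. The ZONE column may repeat, which is how
# three uplinks become members of the single 'net' zone; a comma-separated
# interface list in one record is not accepted.
net     eth0    detect
net     eth1    detect
net     eth2    detect
loc     eth3    detect

# /etc/shorewall/policy     (SOURCE  DEST  POLICY  LOG LEVEL)
# Assumed defaults: the LAN may go out, everything arriving from the net
# is dropped and logged, and anything not matched above is rejected and
# logged. There is deliberately no 'fw net ACCEPT' policy, so every
# connection the firewall itself opens needs an explicit rule below.
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Rules describe the side that opens the connection; connection tracking
# lets the replies back. The web server on the firewall opens the MySQL
# session to the LAN database, so the firewall is SOURCE and loc is DEST.
# A 'loc fw tcp 3306' rule would only allow LAN hosts to reach a MySQL
# server running ON the firewall, which is not what happens here.
ACCEPT  fw      loc     tcp     3306
# The firewall's own resolver traffic: UDP and TCP 53, towards the net
# zone only. 'fw all tcp 53' would also open 53 towards loc and still
# miss UDP, which carries most DNS queries.
ACCEPT  fw      net     udp     53
ACCEPT  fw      net     tcp     53
# Qualifying the zone with an interface keeps a service exposed only on
# ISP 1's link even though eth0, eth1 and eth2 share one zone.
ACCEPT  net:eth0  fw    tcp     8000
# LAN hosts reaching the web server that runs on the firewall (assumed).
ACCEPT  loc     fw      tcp     80
```

After editing, `shorewall restart` loads the files. If a page still cannot reach the database, look in the kernel log for a logged packet: the chain name in the log entry (for example `fw2loc` for traffic from the firewall to the LAN) tells you which zone pair and direction is still hitting a policy instead of a rule, which is the quickest way to tell a wrong-direction rule from a routing problem of the kind Tom mentions at the start of the thread.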