Hi all folks,

"shorewall-1.4.6c-1"
==================

I followed the QuickStart Guides, two-interfaces, to set up/configure
Shorewall for Internet/broadband sharing with another RH8.0 box. The only
missing part was "At this point, modify /etc/shorewall/rules to add any
DNAT rules that you require." I have no idea what number should be added.

# cat /etc/shorewall/rules
# DNAT net loc:192.168.1.3 tcp ssh,http
# DNAT net loc:192.168.1.3 tcp 80 - 1

These 2 lines were commented.

After removing /etc/shorewall/startup_disabled, I could start and stop
Shorewall with the commands 'shorewall start' and 'shorewall stop'. But
afterwards I could not ping:

# ping -c 3 www.yahoo.com
ping: unknown host www.yahoo.com

# service network status
Configured devices:
lo eth0 ppp0
Currently active devices:
lo eth0 eth1 ppp0

Still showing broadband connected. 'shorewall stop' could not solve the
problem. I was completely cut off from the outside world.

# cat /etc/shorewall/common (already created)
. /etc/shorewall/common.def
run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT

After moving the file 'startup_disabled' back to
/etc/shorewall/startup_disabled and rebooting the PC, the Internet can be
connected.

Kindly advise how to fix it. Thanks in advance.

B.Regards
Stephen Liu

To Get Your Own iCareHK.com Email Address? Go To www.iCareHK.com.
Seems like a basic setup trouble, I'll try...

----- Original Message -----
From: "Stephen Liu" <satimis@icare.com.hk>
Sent: Sunday, September 14, 2003 8:56 AM

> "shorewall-1.4.6c-1"

good choice

> The only missing was "At this point, modify /etc/shorewall/rules to add
> any DNAT rules that you require."
>
> # cat /etc/shorewall/rules
> # DNAT net loc:192.168.1.3 tcp ssh,http
> # DNAT net loc:192.168.1.3 tcp 80 - 1

You'll only need DNAT if you want people from the evil outside to connect
to boxes in your LAN. Assuming you don't run any webserver, mail server or
things like that in your LAN that *need* to be accessed from the outside,
you may leave the two commented. If you'd want to open a hole for VNC
sessions to your workstation, for example, you need it. This rule will
allow remote VNC sessions on display :0 to the PC with IP 192.168.100.123:

DNAT net loc:192.168.100.123 tcp 5900

(See http://www.tightvnc.org/ for more info on VNC, this only serves as a
commonly used example)

> After removing /etc/shorewall/startup_disabled, I could start and stop
> shorewall with commands 'shorewall start' and 'shorewall stop'. But
> afterwards I could not ping
>
> # ping -c 3 www.yahoo.com
> ping: unknown host www.yahoo.com

Did you configure a DNS server? If so, add the following rule to allow
its queries to reach the net:

ACCEPT all net udp 53

> # cat /etc/shorewall/common (already created)
> . /etc/shorewall/common.def
> run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT

You don't really need this. *If* you enabled the above rule, you should
restrict which ICMPs you let through. You might allow Type 8 (ping) for
outgoing requests and drop everything else.

# allow outgoing echos (type 8)
ACCEPT all net icmp 8
# allow incoming echo replies (type 0)
ACCEPT net fw icmp 0
# drop anything else from or to the outside
DROP net all icmp
DROP all net icmp

You should be able to ping your firewall from within your LAN with these
rules in place. However, you won't be able to perform a traceroute or do
other things that need more icmp types to be allowed.

hth,

Robert Kehl
Hi Robert,

Thanks for your advice. Finally I discovered the trick "stop iptables".

I did the following steps;

1) # mv /etc/shorewall/common /home/satimis/Temp/

2) # rpm -q dns
package dns is not installed

3) # rpm -qa|grep dns
(no response)

4) # edit /etc/shorewall/rules

5) # cat /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
#                         PORT PORT(S) DEST
#
#Accept DNS connections from the firewall to the network
#
#ACCEPT fw net tcp 53
#ACCEPT fw net udp 53
#
#Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
# allow outgoing echos (type 8)
ACCEPT all net icmp 8
# allow incoming echo replies (type 0)
ACCEPT net fw icmp 0
# drop anything else from or to the outside
DROP net all icmp
DROP all net icmp
DROP all net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

6) # shorewall start

7) # service iptables stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]

8) # ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.70.48) 56(84) bytes of data.
64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=1 ttl=51 time=348 ms
64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=2 ttl=51 time=353 ms
64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=3 ttl=51 time=358 ms

Kindly advise whether there is any mistake committed. Is the entry of
'/etc/shorewall/rules' correct?

I supposed it is a double firewall problem, iptables plus shorewall.

I shall proceed to test Internet sharing after having received your
further comment.

Thanks

B.R.
Stephen

On Sun, 2003-09-14 at 20:33, Robert Kehl wrote:
> Seems like a basic setup trouble, I'll try...
On Sun, 2003-09-14 at 17:25, Stephen Liu wrote:
> 1) # mv /etc/shorewall/common /home/satimis/Temp/
> 2) # rpm -q dns
> package dns is not installed
> 3) # rpm -qa|grep dns
> (no response)

In fact, this doesn't really matter - you are able to resolve names to
IPs - you need not have "your own" DNS server.

> 4) # edit /etc/shorewall/rules
> 5) # cat /etc/shorewall/rules

Here I only list the changes I'd do. Esp. the next two rules are
important.

> #Accept DNS connections from the firewall to the network
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53

> # Allow Ping To And From Firewall
> #ACCEPT loc fw icmp 8
> #ACCEPT net fw icmp 8
> #ACCEPT fw loc icmp 8
> #ACCEPT fw net icmp 8

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

> 6) # shorewall start
> 7) # service iptables stop
> Flushing all chains: [ OK ]
> Removing user defined chains: [ OK ]
> Resetting built-in chains to the default ACCEPT policy: [ OK ]

BOING! Now you're open as anything. The default policy iptables installs
when it is stopped is as follows:

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

"Anything goes", should one want to say. If you'd turn around steps 6)
and 7), you wouldn't have knocked out Shorewall. This way you did:
implement Shorewall rules and kick them right away via iptables!

> 8) # ping -c 3 www.yahoo.com
> PING www.yahoo.akadns.net (66.218.70.48) 56(84) bytes of data.
> 64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=1 ttl=51
> time=348 ms

For sure this works... see above.

> Kindly advise whether there is any mistake committed. Is the entry of
> '/etc/shorewall/rules' correct?

See the above changes, and simply restart your Shorewall now.

> I supposed it is double firewall problem, iptables plus shorewall

You're right, but you solved it the wrong way.
;)

> I shall proceed to test Internet sharing after having received your
> further comment.

This is easy. Create an entry in 'masq':

#INTERFACE SUBNET ADDRESS
ppp+ eth1

Then you're done.

Regards,

Robert Kehl
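What 'service iptables stop' leaves behind is exactly the state Robert describes above: every built-in chain at policy ACCEPT and no user chains, so nothing can drop a packet. The Python script below is an added example, not code from the thread or from the Shorewall project. It parses an 'iptables -L -n -v' dump and reports whether the host is in that unfiltered state and whether Shorewall's zone-to-zone chains (the net2all, fw2net, loc2net names visible in the restart output later in the thread) are loaded at all. Both dumps are constructed: the first is a flushed table, the second is abbreviated from the status.txt attached later in the thread.

```python
"""Audit an `iptables -L -n -v` dump for the 'wide open' state that
`service iptables stop` leaves behind (all built-in policies ACCEPT and
no rule able to DROP or REJECT).  Added example, not code from the
thread or from the Shorewall project.  Both dumps are constructed; the
second is abbreviated from the status.txt posted in the thread."""
import re
import sys

FLUSHED_DUMP = """\
Chain INPUT (policy ACCEPT 8 packets, 1729 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 616 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

LOKKIT_DUMP = """\
Chain INPUT (policy ACCEPT 8 packets, 1729 bytes)
 pkts bytes target prot opt in out source destination
    8  1729 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 8 packets, 616 bytes)
 pkts bytes target prot opt in out source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
"""

# Built-in chains carry a policy; user-defined chains carry a reference count.
CHAIN_HEADER = re.compile(r'^Chain (\S+) \((?:policy (\S+)|\d+ references?)')


def parse_dump(text):
    """Return {chain: {'policy': 'ACCEPT'|'DROP'|None, 'targets': [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = {'policy': m.group(2), 'targets': []}
            continue
        fields = line.split()
        if current is None or not fields or fields[0] in ('pkts', 'target'):
            continue                      # blank line or column header
        # With -v the first two columns are counters; otherwise target is first.
        target = fields[2] if fields[0].isdigit() else fields[0]
        chains[current]['targets'].append(target)
    return chains


def is_wide_open(chains):
    """True when INPUT, FORWARD and OUTPUT all default to ACCEPT and no rule
    anywhere can DROP or REJECT: the state after `service iptables stop`."""
    for name in ('INPUT', 'FORWARD', 'OUTPUT'):
        if chains.get(name, {}).get('policy') != 'ACCEPT':
            return False
    return not any(t in ('DROP', 'REJECT')
                   for c in chains.values() for t in c['targets'])


def shorewall_loaded(chains):
    """Shorewall 1.4 names its zone-to-zone chains like net2all or fw2net;
    if no such chain exists, whatever is loaded is not Shorewall's ruleset."""
    return any(re.fullmatch(r'[a-z]+2[a-z]+', name) for name in chains)


def audit(text):
    chains = parse_dump(text)
    return {'wide_open': is_wide_open(chains),
            'shorewall': shorewall_loaded(chains),
            'policies': {n: c['policy'] for n, c in chains.items() if c['policy']}}


if __name__ == '__main__':
    if not sys.stdin.isatty():            # e.g. iptables -L -n -v | python3 audit.py
        print('live:', audit(sys.stdin.read()))
    for label, dump in (('flushed', FLUSHED_DUMP), ('lokkit', LOKKIT_DUMP)):
        print(label, audit(dump))
```

On the firewall itself, 'iptables -L -n -v | python3 audit.py' feeds the live table in. The flushed dump reports wide_open True; the Lokkit dump reports wide_open False (its REJECT rules still bite) but shorewall False, which is the situation in the posted status.txt: a firewall is loaded, just not the one that was configured.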
Stephen Liu wrote:
> Hi Robert,
>
> Thanks for your advice. Finally I discover the trick "stop iptables"
>
> I did following steps;
>
> 1) # mv /etc/shorewall/common /home/satimis/Temp/
> 2) # rpm -q dns
> package dns is not installed

OK, you're not running a DNS server.

> 3) # rpm -qa|grep dns
> (no response)
>
> 4) # edit /etc/shorewall/rules
>
> 5) # cat /etc/shorewall/rules
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
> #                         PORT PORT(S) DEST
> #
> #Accept DNS connections from the firewall to the network
> #
> #ACCEPT fw net tcp 53
> #ACCEPT fw net udp 53
> #

The above rules are commented. Remember, your firewall has a resolver lib
(/etc/resolv.conf) configured to query DNS servers (probably at your ISP).
If you do not want your firewall to issue DNS requests, then leave the
above rules commented. Otherwise...

> #Accept SSH connections from the local network for administration
> #
> ACCEPT loc fw tcp 22
> #

OK

> # Allow Ping To And From Firewall
> #
> ACCEPT loc fw icmp 8
> ACCEPT net fw icmp 8
> ACCEPT fw loc icmp 8
> ACCEPT fw net icmp 8

OK

> # allow outgoing echos (type 8)
> ACCEPT all net icmp 8

Correct me if I'm wrong, but I thought the zone "fw" would be included if
"all" was specified in a rule. With that in mind, the above seems a little
redundant.

> # allow incoming echo replies (type 0)
> ACCEPT net fw icmp 0

Why the icmp 0? I don't need the above rule at my end.

[root@firewall root]# cd /etc/shorewall/
[root@firewall shorewall]# grep icmp rules
ACCEPT loc fw icmp echo-request
ACCEPT fw loc icmp echo-request
ACCEPT loc dmz icmp echo-request
ACCEPT dmz loc icmp echo-request
REJECT net fw icmp echo-request
ACCEPT fw net icmp echo-request

> # drop anything else from or to the outside
> DROP net all icmp
> DROP all net icmp
> DROP all net icmp
> #

Why the above? Ping management (as of 1.4.0) is no different than any
other connection attempt. By default, shorewall policy denies the above
icmp requests.

# cat /etc/shorewall/policy | grep info
net all DROP info
all all REJECT info

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> 6) # shorewall start
> 7) # service iptables stop
> Flushing all chains: [ OK ]
> Removing user defined chains: [ OK ]
> Resetting built-in chains to the default ACCEPT policy: [ OK ]

If you are going to use shorewall, consider disabling the iptables service
from starting in the first place. Type: man chkconfig

> 8) # ping -c 3 www.yahoo.com
> PING www.yahoo.akadns.net (66.218.70.48) 56(84) bytes of data.
> 64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=1 ttl=51
> time=348 ms
> 64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=2 ttl=51
> time=353 ms
> 64 bytes from w17.www.scd.yahoo.com (66.218.70.48): icmp_seq=3 ttl=51
> time=358 ms
>
> Kindly advise whether there is any mistake committed. Is the entry of
> '/etc/shorewall/rules' correct?

See above...

> I supposed it is double firewall problem, iptables plus shorewall

Your assessment sounds correct to me.

Steve Cowles
Hi Robert,

Thanks for your advice.

On Mon, 2003-09-15 at 00:32, Robert Kehl wrote:
> > 2) # rpm -q dns
> > package dns is not installed
> > 3) # rpm -qa|grep dns
> > (no response)
>
> In fact, this doesn't really matter - you are able to resolve names to
> IPs - you need not have "your own" DNS server.

Noted.

> Here I only list the changes I'd do. Esp. the next two rules are
> important.
> > #Accept DNS connections from the firewall to the network
> > ACCEPT fw net tcp 53
> > ACCEPT fw net udp 53
>
> > # Allow Ping To And From Firewall
> > #ACCEPT loc fw icmp 8
> > #ACCEPT net fw icmp 8
> > #ACCEPT fw loc icmp 8
> > #ACCEPT fw net icmp 8
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

New /etc/shorewall/rules

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
#                         PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
#ACCEPT loc fw icmp 8
#ACCEPT net fw icmp 8
#ACCEPT fw loc icmp 8
#ACCEPT fw net icmp 8
# allow outgoing echos (type 8)
ACCEPT all net icmp 8
# allow incoming echo replies (type 0)
ACCEPT net fw icmp 0
# drop anything else from or to the outside
DROP net all icmp
DROP all net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

> BOING! Now you're open as anything. The default policy iptables installs
> when it is stopped is as follows:
> iptables -t filter -P INPUT ACCEPT
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -P FORWARD ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
>
> "Anything goes", should one want to say. If you'd turn around steps 6)
> and 7), you wouldn't have knocked out Shorewall. This way you did:
> implement Shorewall rules and kick them right away via iptables!

It is very strange. I can't do it the other way round

# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Not Currently Running
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc modem
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth1:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Warning: Zone modem is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Setting up Kernel Route Filtering...
Warning: Cannot set route filtering on eth1
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc net icmp 8" added.
Rule "ACCEPT modem net icmp 8" added.
Rule "ACCEPT fw net icmp 8" added.
Rule "ACCEPT net fw icmp 0" added.
Rule "DROP net loc icmp" added.
Rule "DROP net modem icmp" added.
Rule "DROP net fw icmp" added.
Rule "DROP loc net icmp" added.
Rule "DROP modem net icmp" added.
Rule "DROP fw net icmp" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy DROP for net to loc using chain net2all
Policy DROP for net to modem using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for modem to net using chain all2all
Masqueraded Subnets and Hosts:
Error: Unknown interface ppp+
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated

# ping -c 3 www.yahoo.com
ping: unknown host www.yahoo.com

I must stop iptables again, otherwise I could not see the outside world

# service iptables stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]

> > I shall proceed to test Internet sharing after having received your
> > further comment.
>
> This is easy. Create an entry in 'masq':
> #INTERFACE SUBNET ADDRESS
> ppp+ eth1

Why SUBNET = eth1? I use eth1 connecting Internet/Broadband and eth0
connecting another Linux box (RH8.0)

B.R.
Stephen
Stephen:
<snip>
> Masqueraded Subnets and Hosts:
> Error: Unknown interface ppp+
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> Terminated
<snip>

You can't use ppp+ in the masq file.. You have to use the correct
interface name ie ppp0

Jerry Vonau
On Mon, 2003-09-15 at 01:55, Stephen Liu wrote:
> It is very strange. I can't do another way round
>
> # shorewall restart
> Masqueraded Subnets and Hosts:
> Error: Unknown interface ppp+
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> Terminated

Shorewall didn't start - what's your 'interfaces' file like?

> I must stop iptables again otherwise I could not see the outside World

What you are doing by issuing a 'service iptables stop' is simply flushing
all tables and applying general ALLOW rules, meaning you open up every
door. Not what you want.

> # service iptables stop
> Flushing all chains: [ OK ]
> Removing user defined chains: [ OK ]
> Resetting built-in chains to the default ACCEPT policy: [ OK ]

> > This is easy. Create an entry in 'masq':
> > #INTERFACE SUBNET ADDRESS
> > ppp+ eth1
>
> Why SUBNET = eth1? I use eth1 connecting Internet/Broadband and eth0
> connecting another Linux box (RH8.0)

Oh - I name the internet interface ppp+, and my lan is connected to
eth1... ok: Under INTERFACE you note the interface that's connecting to
the net, under SUBNET you note the one your LAN is connected to. Maybe
I've reread falsely. So, take this in 'masq':

#INTERFACE SUBNET ADDRESS
eth1 eth0

To complete your setup you have to allow your lan certain ports in
'rules', too:

# web access (http)
ACCEPT loc all tcp 80:89,8000,8080,443
# email traffic
ACCEPT loc all tcp 25,110,995,143,993
# Instant Messaging
#ACCEPT loc net tcp 5190,5050,1863,6667

You might enable the last rule if you have some IM clients.

Regards,

Robert Kehl
Hi Jerry,

Thanks for your response.

On Mon, 2003-09-15 at 08:25, Jerry Vonau wrote:
> Stephen:
> <snip>
> > Masqueraded Subnets and Hosts:
> > Error: Unknown interface ppp+
> > Processing /etc/shorewall/stop ...
> > Processing /etc/shorewall/stopped ...
> > Terminated
> <snip>
>
> You can't use ppp+ in the masq file..
> You have to use the correct interface name
> ie ppp0

#INTERFACE SUBNET ADDRESS
ppp0 eth1

OR

#INTERFACE SUBNET ADDRESS
ppp0 eth0

Sorry, can't work

# shorewall restart
.....
Policy DROP for net to loc using chain net2all
Policy DROP for net to modem using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for modem to net using chain all2all
Masqueraded Subnets and Hosts:
Error: Unknown interface ppp0
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated

If I put

#INTERFACE SUBNET ADDRESS
eth0 eth1

# shorewall restart
....
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy DROP for net to loc using chain net2all
Policy DROP for net to modem using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for modem to net using chain all2all
Masqueraded Subnets and Hosts:
Error: Unable to determine the routes through interface eth1

If I put

#INTERFACE SUBNET ADDRESS
eth1 eth0

# shorewall restart
....
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started

eth1 - connecting to broadband
eth0 - to be connected to another Linux box (RH8.0)

But one thing I could not understand. Each time after I restart
"shorewall" I must stop "iptables" again. Otherwise I could not connect
to the Internet.

B.R.
Stephen

> Jerry Vonau
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Stephen:

Your broadband is adsl, correct? You're connected before you try to start
shorewall?

Please post the information requested from
http://www.shorewall.net/support.htm

The more info given, the better of a chance we have to solve your
problem. Include all the files you edited.

Jerry

----- Original Message -----
From: "Stephen Liu" <satimis@icare.com.hk>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Sunday, September 14, 2003 08:26 PM
Subject: Re: [Shorewall-users] Problem on starting shorewall
Hi Robert,

On Mon, 2003-09-15 at 08:36, Robert Kehl wrote:
> Shorewall didn't start - what's your 'interfaces' file like?

cat /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter
loc eth0 detect

- snip -

> So, take this in 'masq':
> #INTERFACE SUBNET ADDRESS
> eth1 eth0

Following is my masq settings

# cat /etc/shorewall/masq
....
#INTERFACE SUBNET ADDRESS
eth1 eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Setup of Ethernet card (RH9.0 - this box)
Under 'General' tab
check 'Activate device when computer starts'
check 'Statically set IP addresses'
Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Default Gateway Address: 10.10.10.254
Under 'Route' (no entry)
Under 'Hardware Device' tab
Hardware: eth0
check 'Bind to MAC Address: ....'

Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
Under 'General' tab
check 'Activate device when computer starts'
check 'Statically set IP addresses'
Address: 192.168.0.2
Subnet Mask: 255.255.255.0
Default Gateway Address: 10.10.10.254
Under 'Route' (no entry)
Under 'Hardware Device' tab
Hardware: eth0
check 'Bind to MAC Address: ....'

Broadband sharing failed. On RH8.0 box - ping failed

Remarks: the two boxes are connected via a crossover cable; the indicator
LED light on the NICs of both boxes did not glow.

> To complete your setup you have to allow your lan certain ports in
> 'rules', too:
>
> # web access (http)
> ACCEPT loc all tcp 80:89,8000,8080,443
> # email traffic
> ACCEPT loc all tcp 25,110,995,143,993
> # Instant Messaging
> #ACCEPT loc net tcp 5190,5050,1863,6667
>
> You might enable the last rule if you have some IM clients.

edit /etc/shorewall/rules

# cat /etc/shorewall/rules
...
....
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
#ACCEPT loc fw icmp 8
#ACCEPT net fw icmp 8
#ACCEPT fw loc icmp 8
#ACCEPT fw net icmp 8
# allow outgoing echos (type 8)
ACCEPT all net icmp 8
# allow incoming echo replies (type 0)
ACCEPT net fw icmp 0
# drop anything else from or to the outside
DROP net all icmp
DROP all net icmp
#
# web access (http)
ACCEPT loc all tcp 80:89,8000,8080,443
# email traffic
ACCEPT loc all tcp 25,110,995,143,993
# Instant Messaging
#ACCEPT loc net tcp 5190,5050,1863,6667
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Not Currently Running
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc modem
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth1:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Warning: Zone modem is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Setting up Kernel Route Filtering...
Warning: Cannot set route filtering on eth1
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc net icmp 8" added.
Rule "ACCEPT modem net icmp 8" added.
Rule "ACCEPT fw net icmp 8" added.
Rule "ACCEPT net fw icmp 0" added.
Rule "DROP net loc icmp" added.
Rule "DROP net modem icmp" added.
Rule "DROP net fw icmp" added.
Rule "DROP loc net icmp" added.
Rule "DROP modem net icmp" added.
Rule "DROP fw net icmp" added.
Rule "ACCEPT loc net tcp 80:89,8000,8080,443" added.
Rule "ACCEPT loc modem tcp 80:89,8000,8080,443" added.
Rule "ACCEPT loc fw tcp 80:89,8000,8080,443" added.
Rule "ACCEPT loc net tcp 25,110,995,143,993" added.
Rule "ACCEPT loc modem tcp 25,110,995,143,993" added.
Rule "ACCEPT loc fw tcp 25,110,995,143,993" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy DROP for net to loc using chain net2all
Policy DROP for net to modem using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for loc to modem using chain all2all
Policy REJECT for modem to net using chain all2all
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.0.0/24 through eth1
To 0.0.0.0/0 from 169.254.0.0/16 through eth1
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started

Still could not connect to the Internet

# /etc/rc.d/init.d/iptables stop

Then ping is OK

B.R.
Stephen
Hi Jerry,

On Mon, 2003-09-15 at 11:29, Jerry Vonau wrote:
> Your broadband is adsl correct?

YES, correct

> Your connected before you try to start shorewall?

The broadband cable is permanently connected to the NIC. At booting it is
detected first and then shorewall starts automatically.

One strange thing I could not resolve. Iptables has been disabled at
booting with the small program 'ntsysv'. But I need to
'/etc/rc.d/init.d/iptables stop' again before I can ping. Otherwise I
could not connect to broadband. Restarting 'shorewall' is not necessary.

> Please post the information requested from
> http://www.shorewall.net/support.htm

# shorewall version
1.4.6c

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:40:00:4e:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:70:f6:dd brd ff:ff:ff:ff:ff:ff
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.123.68.132 peer 202.123.71.254/32 scope global ppp0

# ip route show
202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.132
192.168.0.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.123.71.254 dev ppp0

# /sbin/shorewall reset
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Not Started

# /sbin/shorewall status > /tmp/status.txt
see attached file 'status.txt'

Thanks

B.R.
Stephen
----- Original Message -----> From: "Stephen Liu" <satimis@icare.com.hk> > To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net> > Sent: Sunday, September 14, 2003 08:26 PM > Subject: Re: [Shorewall-users] Problem on starting shorewall > > > Hi Jerry, > > Thanks for your response. > > On Mon, 2003-09-15 at 08:25, Jerry Vonau wrote: > > Stephen: > > <snip> > > > Masqueraded Subnets and Hosts: > > > Error: Unknown interface ppp+ > > > Processing /etc/shorewall/stop ... > > > Processing /etc/shorewall/stopped ... > > > Terminated > > <snip> > > > > You can''t use ppp+ in the masq file.. > > You have to use the correct interface name > > ie ppp0 > > #INTERFACE SUBNET ADDRESS > ppp0 eth1 > > OR > > #INTERFACE SUBNET ADDRESS > ppp0 eth0 > > Sorry can''t work > > # shorewall restart > ..... > Policy DROP for net to loc using chain net2all > Policy DROP for net to modem using chain net2all > Policy REJECT for loc to fw using chain all2all > Policy ACCEPT for loc to net using chain loc2net > Policy REJECT for modem to net using chain all2all > Masqueraded Subnets and Hosts: > Error: Unknown interface ppp0 > Processing /etc/shorewall/stop ... > Processing /etc/shorewall/stopped ... > Terminated > > > If I put > #INTERFACE SUBNET ADDRESS > eth0 eth1 > > # shorewall restart > .... > Processing /etc/shorewall/policy... > Policy ACCEPT for fw to net using chain fw2net > Policy DROP for net to fw using chain net2all > Policy DROP for net to loc using chain net2all > Policy DROP for net to modem using chain net2all > Policy REJECT for loc to fw using chain all2all > Policy ACCEPT for loc to net using chain loc2net > Policy REJECT for modem to net using chain all2all > Masqueraded Subnets and Hosts: > Error: Unable to determine the routes through interface eth1 > > > If I put > > #INTERFACE SUBNET ADDRESS > eth1 eth0 > > # shorewall restart > .... > Rule "all all tcp - ftp 16" added. > Rule "all all tcp ftp - 16" added. > Rule "all all tcp ftp-data - 8" added. 
> Rule "all all tcp - ftp-data 8" added.
> Processing /etc/shorewall/ecn...
> Activating Rules...
> Processing /etc/shorewall/start ...
> Shorewall Started
>
> eth1 - connecting to broadband
> eth0 - to be connected to another Linux box (RH8.0)
>
> But one thing I could not understand. Each time after I restart
> "shorewall" I must stop "iptables" again. Otherwise I could not
> connect to the Internet.
>
> B.R.
> Stephen

-------------- next part --------------
Shorewall-1.4.6c Status at localhost.localdomain - Mon Sep 15 12:47:39 HKT 2003
Counters reset Mon Sep 15 12:42:20 HKT 2003
----- Original Message -----
From: "Stephen Liu" <satimis@icare.com.hk>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Monday, September 15, 2003 6:10 AM
Subject: Re: [Shorewall-users] Problem on starting shorewall

> Setup of Ethernet card (RH9.0 - this box)
> Address: 192.168.0.1
> Subnet Mask: 255.255.255.0
> Default Gateway Address:10.10.10.254

What's that? Change the Default GW to 192.168.1.1

> Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> Address: 192.168.0.2

Nope - this is your gateway - other subnet!
Address: 192.168.1.1

> Broadband sharing failed. On RH8.0 box - ping failed
> Remarks: two boxes are connected via a crossover cable
> the indicator lcd light on the NICs of both boxes did
> not grow.

Sure. Once you've done the above changes, you should be able to ping your firewall and to browse the internet.

> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from 192.168.0.0/24 through eth1
> To 0.0.0.0/0 from 169.254.0.0/16 through eth1

Where does the last one come from - looks like one of those M$-driven DHCP leases...?!? Strange.

Again: If you issue 'service iptables stop', you're actually opening up the firewall, ie. you do not have *any* protection then.

Regards,

Robert Kehl
Stephen:

My comments are in "" ""

> Your broadband is adsl correct?
YES, correct
> You're connected before you try to start shorewall?
Broadband cable is permanently connected to NIC. At booting it is detected first and then shorewall starts automatically.

"" adsl is not detected, it is started, most likely with /etc/rc.d/init.d/adsl start ""

One strange thing I could not resolve. Iptables has been disabled at booting with the small program 'ntsysv'. But I need to '/etc/rc.d/init.d/iptables stop' again before I can ping.

"" shorewall blocks pings by default ""
"" All you're doing is clearing shorewall with that ""

Otherwise I could not connect to broadband.

> Please post the information requested from
> http://www.shorewall.net/support.htm

"" please post all the files you were in... ""
"" I'm only getting part of the picture ""

# shorewall version
1.4.6c

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:40:00:4e:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:70:f6:dd brd ff:ff:ff:ff:ff:ff
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.123.68.132 peer 202.123.71.254/32 scope global ppp0

# ip route show
202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.132
192.168.0.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.123.71.254 dev ppp0

"" OK your internet uses ppp0 ""
"" you also have dhcp set on interface eth0... fix that ""

> #INTERFACE SUBNET ADDRESS
> ppp0 eth0
>

"" this is the one you need ""
"" once you post ALL your files, the picture becomes clearer ""
"" zones interfaces hosts rules.... ALL of them ""

--------from the post after-----------

> Setup of Ethernet card (RH9.0 - this box)
> Address: 192.168.0.1
> Subnet Mask: 255.255.255.0
> Default Gateway Address:10.10.10.254

What's that? Change the Default GW to 192.168.1.1

"" Your internal interface for the lan should NOT have a gateway, it IS the gateway ""

> Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> Address: 192.168.0.2

Nope - this is your gateway - other subnet!
Address: 192.168.1.1

"" your lan clients should use your internal ip as the gateway 192.168.0.1 ""

------------------------

"" Unless you're prepared to post all the requested information, all at the same time, I don't have time to interrogate you to extract the information required. Bits and pieces of info make this long and drawn out. ""

Jerry
Hi Robert,

On Mon, 2003-09-15 at 14:02, Robert Kehl wrote:
- snip -
> > Setup of Ethernet card (RH9.0 - this box)
> > Address: 192.168.0.1
> > Subnet Mask: 255.255.255.0
> > Default Gateway Address:10.10.10.254
>
> What's that? Change the Default GW to 192.168.1.1

New settings
Address: 192.168.0.1
Subnet Mask: 10.10.10.1
Default Gateway Address: 192.168.1.1

> > Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> > Address: 192.168.0.2
>
> Nope - this is your gateway - other subnet!
> Address: 192.168.1.1

New settings
Address: 192.168.1.1
Subnet Mask: 10.10.10.1 (also tried 10.10.10.2)
Default Gateway Address: 192.168.0.2

RH8.0 box still failed to ping

# ping -c 3 www.yahoo.com
ping: unknown host www.yahoo.com

lcd light on each NIC of both box grows

> > Broadband sharing failed. On RH8.0 box - ping failed
> > Remarks: two boxes are connected via a crossover cable
> > the indicator lcd light on the NICs of both boxes did
> > not grow.
>
> Sure. Once you've done the above changes, you should be able to ping
> your firewall and to browse the internet.
>
> > Masqueraded Subnets and Hosts:
> > To 0.0.0.0/0 from 192.168.0.0/24 through eth1
> > To 0.0.0.0/0 from 169.254.0.0/16 through eth1
>
> Where does the last one come from - looks like one of those M$-driven
> DHCP leases...?!? Strange.

This RH9.0 box has another hard drive mounted on mobile rack running M$Windoz ME. But the rack has been removed at time of test.

> Again: If you issue 'service iptables stop', you're actually opening up
> the firewall, ie. you do not have *any* protection then.

Note with thanks.

The strange thing is at booting eth1 (broadband) will be detected first and then 'shorewall' starts. Iptables has been permanently stopped with 'ntsysv' command. But after login I have to stop 'iptables' again before I can connect to the outside World.

Hereinafter is my test according to
http://www.shorewall.net/support.htm

# shorewall version
1.4.6c

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:40:00:4e:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/32 brd 192.168.0.1 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:70:f6:dd brd ff:ff:ff:ff:ff:ff
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.123.68.222 peer 202.123.71.254/32 scope global ppp0

# ip route show
202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.222
192.168.0.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.123.71.254 dev ppp0

# /sbin/shorewall reset
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Not Started

'/sbin/shorewall reset' can't restart shorewall

# /sbin/shorewall status > /home/satimis/Temp/status2.txt

status2.txt is attached to this posting.

B.Regards
Stephen

(P.S. During testing my Evolution got some problem. I send daily emails by Evolution as USER. Now it can't send and receive mails. But as ROOT it still works. Therefore I will continue to send postings to Shorewall list as ROOT until I get it fixed. Hoping that my postings will arrive at the mailing list without problem)
-------------- next part --------------
Shorewall-1.4.6c Status at localhost.localdomain - Mon Sep 15 15:50:05 HKT 2003
Counters reset Mon Sep 15 14:19:41 HKT 2003
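The REJECT lines at the end of the attached status output are the part worth reading. As an added example, not from the thread or from Shorewall itself, the following POSIX shell script tallies such lines by chain, target, protocol and destination port; the sample lines are constructed in the status file's format with documentation addresses.

```sh
#!/bin/sh
# Added example, not from the thread or from Shorewall: tally the REJECT/DROP
# lines that "shorewall status" appends after the chain listings, by chain,
# target, protocol and destination port, so the blocked flows can be read off
# at a glance instead of scrolling through the raw log.

# Constructed sample lines in the same format as the attached status files;
# the addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_LOG='Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=198.51.100.22 DST=203.0.113.9 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=198.51.100.22 DST=203.0.113.13 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
Sep 15 14:20:09 OUTPUT:REJECT:IN= OUT=ppp0 SRC=198.51.100.22 DST=203.0.113.9 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=25326 DF PROTO=UDP SPT=32769 DPT=53 LEN=51
Sep 15 14:20:16 INPUT:REJECT:IN=ppp0 OUT= SRC=192.0.2.170 DST=198.51.100.22 LEN=92 TOS=0x00 PREC=0x00 TTL=107 ID=24116 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=39236
Sep 15 14:20:16 OUTPUT:REJECT:IN= OUT=ppp0 SRC=198.51.100.22 DST=192.0.2.170 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=31746 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.170 DST=198.51.100.22 LEN=92 TOS=0x00 PREC=0x00 TTL=107 ID=24116 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=39236 ]
Sep 15 14:21:02 net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.22 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=4242 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0'

# tally_blocked: read log lines on stdin and print one line per distinct
# blocked flow, "count<TAB>CHAIN:TARGET PROTO dport=N", most frequent first.
# ICMP has no port, so its type goes in the port slot. The bracketed copy of
# the original header inside an ICMP error message is skipped so that its
# inner PROTO/TYPE fields cannot overwrite the outer ones.
tally_blocked() {
    awk '
        $4 ~ /^[A-Za-z0-9_-]+:(REJECT|DROP):/ {
            split($4, p, ":")
            proto = "?"; dport = "-"; itype = "?"
            for (i = 5; i <= NF; i++) {
                if (substr($i, 1, 1) == "[") break
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "PROTO") proto = v
                if (k == "DPT") dport = v
                if (k == "TYPE") itype = v
            }
            if (proto == "ICMP") dport = "type" itype
            count[p[1] ":" p[2] " " proto " dport=" dport]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# blocked_count CHAIN:TARGET PROTO DPORT: number of sample lines for that one
# flow (0 if none), e.g. blocked_count OUTPUT:REJECT UDP 53.
blocked_count() {
    printf '%s\n' "$SAMPLE_LOG" | tally_blocked |
        awk -F '\t' -v want="$1 $2 dport=$3" '$2 == want { c = $1 } END { print c + 0 }'
}

# explain_symptoms: relate the tally to the two complaints raised in the thread.
explain_symptoms() {
    printf '%s\n' "$SAMPLE_LOG" | tally_blocked | awk -F '\t' '
        $2 == "OUTPUT:REJECT UDP dport=53" {
            print "DNS queries sent by the firewall itself are rejected (" $1 " hits)."
            print "  That is what \"ping: unknown host\" on the firewall looks like:"
            print "  the fw->net policy or a rule must allow udp port 53 out."
        }
        $2 == "INPUT:REJECT ICMP dport=type8" {
            print "Incoming echo-requests from the net are refused (" $1 " hits)."
            print "  Shorewall does this unless a rule allows them; it does not"
            print "  stop the firewall from reaching the outside."
        }'
}

printf '%s\n' "$SAMPLE_LOG" | tally_blocked
explain_symptoms
```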
----- Original Message -----
From: "Stephen Liu" <satimis@icare.com.hk>
Sent: Monday, September 15, 2003 11:36 AM

> # /sbin/shorewall reset
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Shorewall Not Started
>
> '/sbin/shorewall reset' can't restart shorewall

You didn't actually start Shorewall. The command is:

shorewall start

or

shorewall restart

Try it, and forget about 'iptables stop'.. ;)

Robert
Stephen,

You posted ip addresses where subnet masks needed to be. Your subnet masks need to be ... 255.255.255.0. Also not sure why your default gateways are on different networks on each nic card.?? I assume that someone told you to do that?? :P

JBanks

--- Stephen Liu <satimis@icare.com.hk> wrote:
> Hi Robert,
>
> On Mon, 2003-09-15 at 14:02, Robert Kehl wrote:
> - snip -
> > > Setup of Ethernet card (RH9.0 - this box)
> > > Address: 192.168.0.1
> > > Subnet Mask: 255.255.255.0
> > > Default Gateway Address:10.10.10.254
> >
> > What's that? Change the Default GW to 192.168.1.1
>
> New settings
> Address: 192.168.0.1
> Subnet Mask: 10.10.10.1
> Default Gateway Address: 192.168.1.1
>
> > > Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> > > Address: 192.168.0.2
> >
> > Nope - this is your gateway - other subnet!
> > Address: 192.168.1.1
>
> New settings
> Address: 192.168.1.1
> Subnet Mask: 10.10.10.1 (also tried 10.10.10.2)
> Default Gateway Address: 192.168.0.2
>
> RH8.0 box still failed to ping
>
> # ping -c 3 www.yahoo.com
> ping: unknown host www.yahoo.com
>
> lcd light on each NIC of both box grows
>
> > > Broadband sharing failed. On RH8.0 box - ping failed
> > > Remarks: two boxes are connected via a crossover cable
> > > the indicator lcd light on the NICs of both boxes did
> > > not grow.
> >
> > Sure. Once you've done the above changes, you should be able to ping
> > your firewall and to browse the internet.
> >
> > > Masqueraded Subnets and Hosts:
> > > To 0.0.0.0/0 from 192.168.0.0/24 through eth1
> > > To 0.0.0.0/0 from 169.254.0.0/16 through eth1
> >
> > Where does the last one come from - looks like one of those M$-driven
> > DHCP leases...?!? Strange.
>
> This RH9.0 box has another hard drive mounted on mobile rack running
> M$Windoz ME. But the rack has been removed at time of test.
>
> > Again: If you issue 'service iptables stop', you're actually opening up
> > the firewall, ie. you do not have *any* protection then.
>
> Note with thanks.
>
> The strange thing is at booting eth1 (broadband) will be detected first
> and then 'shorewall' starts. Iptables has been permanently stopped with
> 'ntsysv' command. But after login I have to stop 'iptables' again
> before I can connect to the outside World
>
> Hereinafter is my test according to
> http://www.shorewall.net/support.htm
>
> # shorewall version
> 1.4.6c
>
> # ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:07:40:00:4e:a9 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/32 brd 192.168.0.1 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:bf:70:f6:dd brd ff:ff:ff:ff:ff:ff
> 7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 202.123.68.222 peer 202.123.71.254/32 scope global ppp0
>
> # ip route show
> 202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.222
> 192.168.0.1 dev eth0 scope link
> 169.254.0.0/16 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 202.123.71.254 dev ppp0
>
> # /sbin/shorewall reset
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Shorewall Not Started
>
> '/sbin/shorewall reset' can't restart shorewall
>
> # /sbin/shorewall status > /home/satimis/Temp/status2.txt
>
> status2.txt is attached to this posting.
>
> B.Regards
> Stephen
>
> (P.S. During testing my Evolution got some problem. I send daily emails
> by Evolution as USER. Now it can't send and receive mails. But as ROOT
> it still works. Therefore I will continue to send postings to Shorewall
> list as ROOT until I get it fixed. Hoping that my postings will arrive at
> the mailing list without problem)
>
> Shorewall-1.4.6c Status at localhost.localdomain - Mon Sep 15 15:50:05 HKT 2003
>
> Counters reset Mon Sep 15 14:19:41 HKT 2003
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
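As an added example, not from the thread, here is a POSIX shell check for the two mistakes pointed out above: an address typed where a netmask belongs, and a gateway outside the client's own subnet. The demo values at the bottom are the settings posted in this thread, followed by the 192.168.0.0/24 plan the list members describe (firewall LAN side 192.168.0.1 with no gateway, client using 192.168.0.1 as gateway).

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check the manual NIC settings
# discussed above. A netmask must be a contiguous run of 1 bits followed by
# 0 bits (255.255.255.0 is one, an address such as 10.10.10.1 is not), and a
# client's default gateway must lie inside the client's own subnet or the
# client cannot even ARP for it.

# ip2int DOTTED-QUAD: print the address as a 32-bit integer; status 1 if it is
# not four decimal octets in 0..255 (leading zeros are rejected to avoid octal).
ip2int() (
    set -f
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || exit 1 ;;
            *) exit 1 ;;
        esac
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# is_netmask MASK: status 0 only for a valid contiguous netmask. Inverting the
# mask within 32 bits gives 0...01...1; that form is valid exactly when adding
# 1 yields a power of two, i.e. when inv & (inv + 1) == 0.
is_netmask() (
    m=$(ip2int "$1") || exit 1
    inv=$(( 4294967295 - m ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
)

# same_subnet ADDR MASK GW: status 0 if GW is in ADDR's subnet, 1 if not,
# 2 if any argument is malformed.
same_subnet() (
    a=$(ip2int "$1") && m=$(ip2int "$2") && g=$(ip2int "$3") || exit 2
    is_netmask "$2" || exit 2
    [ $(( a & m )) -eq $(( g & m )) ]
)

# check_nic ROLE ADDR MASK GW: print a verdict for one box. GW "-" means the
# interface has no default gateway (the firewall's LAN side, whose default
# route is ppp0). Status 0 only when the settings are consistent.
check_nic() (
    role=$1 addr=$2 mask=$3 gw=$4
    ip2int "$addr" >/dev/null || { echo "$role: '$addr' is not an IPv4 address"; exit 1; }
    if ! is_netmask "$mask"; then
        echo "$role: '$mask' is not a netmask (expected something like 255.255.255.0)"
        exit 1
    fi
    if [ "$gw" != "-" ]; then
        ip2int "$gw" >/dev/null || { echo "$role: '$gw' is not an IPv4 address"; exit 1; }
        if ! same_subnet "$addr" "$mask" "$gw"; then
            echo "$role: gateway $gw is outside $addr/$mask, so $addr cannot reach it"
            exit 1
        fi
    fi
    echo "$role: $addr/$mask gw $gw is consistent"
)

# Demo on the settings posted in this thread, then on the corrected plan.
# "|| true" only keeps the demo going past the expected failures.
echo "--- settings as posted ---"
check_nic "RH9.0 firewall" 192.168.0.1 10.10.10.1 192.168.1.1 || true
check_nic "RH8.0 client" 192.168.1.1 10.10.10.1 192.168.0.2 || true
check_nic "RH8.0 client" 192.168.0.2 255.255.255.0 192.168.1.1 || true
echo "--- corrected plan ---"
check_nic "RH9.0 firewall" 192.168.0.1 255.255.255.0 -
check_nic "RH8.0 client" 192.168.0.2 255.255.255.0 192.168.0.1
```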
Stephen Liu wrote:
>
> Hi Robert,
>
> On Mon, 2003-09-15 at 14:02, Robert Kehl wrote:
> - snip -
> > > Setup of Ethernet card (RH9.0 - this box)
> > > Address: 192.168.0.1
> > > Subnet Mask: 255.255.255.0
> > > Default Gateway Address:10.10.10.254
> >
> > What's that? Change the Default GW to 192.168.1.1
>
> New settings
> Address: 192.168.0.1
> Subnet Mask: 10.10.10.1
> Default Gateway Address: 192.168.1.1
>
> > > Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> > > Address: 192.168.0.2
> >
> > Nope - this is your gateway - other subnet!
> > Address: 192.168.1.1
>
> New settings
> Address: 192.168.1.1
> Subnet Mask: 10.10.10.1 (also tried 10.10.10.2)
> Default Gateway Address: 192.168.0.2
>
> RH8.0 box still failed to ping
>
> # ping -c 3 www.yahoo.com
> ping: unknown host www.yahoo.com

Hello Stephen,

At this moment I think it would be wise to reinstall Shorewall and follow exactly the steps that are prescribed in the Basic Two-Interface Firewall and keep an eye on detail, which is actually not that easy for any of us at the beginning. ;)

You mentioned earlier that you are connecting via ADSL, yet in an earlier post you have this line in your /etc/shorewall/interfaces file:

cat /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter

which contradicts the guide's instructions if you will be using the ppp interface, (taken directly from the guide):

"The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the internal interface is eth1. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints:

If your external interface is ppp0 or ippp0, you can replace the "detect" in the second column with "-".

If your external interface is ppp0 or ippp0 or if you have a static IP address, you can remove "dhcp" from the option list."

I would suggest that you read the documentation associated with your personal setup thoroughly first and then look at the Shorewall Troubleshooting guide if it's not working as it should be. You should only modify the basics first and see that Shorewall is actually working before embarking on more complicated matters because it will, otherwise, lead to much confusion. It's also very important to actually know what you want to have done and to know how to go about it, because after seeing your discussion with Robert I personally feel that you will be snaring yourselves in knots which may be very hard to free yourselves from. Just my opinion.....

http://www.shorewall.net/two-interface.htm
http://www.shorewall.net/troubleshoot.htm

Best regards,
--
Patrick Benson
Stockholm, Sweden
Hi Robert,

Actually shorewall already starts at booting but I could not connect to the Internet after login. I must stop 'iptables' after login. I tried nearly 2 days with the same result.

'/sbin/shorewall reset' is a test following the instruction of URL:
http://www.shorewall.net/support.htm

I will repeat a complete test according to the instruction mentioned and post the results thereafter, including the following files after configuration:
shorewall.conf
interfaces
routestopped
zones
masq
policy
rules

B.R.
Stephen

On Mon, 2003-09-15 at 17:46, Robert Kehl wrote:
> ----- Original Message -----
> From: "Stephen Liu" <satimis@icare.com.hk>
> Sent: Monday, September 15, 2003 11:36 AM
>
> > # /sbin/shorewall reset
> > Loading /usr/share/shorewall/functions...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Shorewall Not Started
> >
> > '/sbin/shorewall reset' can't restart shorewall
>
> You didn't actually start Shorewall. The command is:
>
> shorewall start
>
> or
>
> shorewall restart
>
> Try it, and forget about 'iptables stop'.. ;)
>
> Robert
Hi Patrick,

Your suggestion to reinstall Shorewall is a good idea. I will 'rpm -e' it later and go through your comment and relevant documents. After fixing the Evolution problem I will come back to this list.

What I expect to be advised is sample NIC settings for

RH9.0 box (running Shorewall)
Manual IP address setting
IP Address ???
Subnet Mask ???
Default Gateway Address ???
Connection:
eth1 to Broadband
eth0 to RH8.0

RH8.0 box (sharing broadband connection)
Manual IP address setting
IP Address ???
Subnet Mask ???
Default Gateway Address ???

eth0 to RH9.0 to share broadband

Thanks for your advice.

B.R.
Stephen

On Mon, 2003-09-15 at 19:05, Patrick Benson wrote:
> Stephen Liu wrote:
> >
> > Hi Robert,
> >
> > On Mon, 2003-09-15 at 14:02, Robert Kehl wrote:
> > - snip -
> > > > Setup of Ethernet card (RH9.0 - this box)
> > > > Address: 192.168.0.1
> > > > Subnet Mask: 255.255.255.0
> > > > Default Gateway Address: 10.10.10.254
> > >
> > > What's that? Change the Default GW to 192.168.1.1
> >
> > New settings
> > Address: 192.168.0.1
> > Subnet Mask: 10.10.10.1
> > Default Gateway Address: 192.168.1.1
> >
> > > > Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> > > > Address: 192.168.0.2
> > >
> > > Nope - this is your gateway - other subnet!
> > > Address: 192.168.1.1
> >
> > New settings
> > Address: 192.168.1.1
> > Subnet Mask: 10.10.10.1 (also tried 10.10.10.2)
> > Default Gateway Address: 192.168.0.2
> >
> > RH8.0 box still failed to ping
> >
> > # ping -c 3 www.yahoo.com
> > ping: unknown host www.yahoo.com
>
> Hello Stephen,
>
> At this moment I think it would be wise to reinstall Shorewall and
> follow exactly the steps that are prescribed in the Basic Two-Interface
> Firewall and keep an eye on detail, which is actually not that easy for
> any of us at the beginning. ;) You mentioned earlier that you are
> connecting via ADSL, yet in an earlier post you have this line in your
> /etc/shorewall/interfaces file:
>
> cat /etc/shorewall/interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth1 detect dhcp,routefilter
>
> which contradicts the guide's instructions if you will be using the ppp
> interface (taken directly from the guide):
>
> "The Shorewall two-interface sample configuration assumes that the
> external interface is eth0 and the internal interface is eth1. If your
> configuration is different, you will have to modify the sample
> /etc/shorewall/interfaces file accordingly. While you are there, you may
> wish to review the list of options that are specified for the
> interfaces. Some hints:
>
> If your external interface is ppp0 or ippp0, you can replace the
> "detect" in the second column with "-".
>
> If your external interface is ppp0 or ippp0 or if you have a static IP
> address, you can remove "dhcp" from the option list."
>
> I would suggest that you read the documentation associated with your
> personal setup thoroughly first and then look at the Shorewall
> Troubleshooting guide if it's not working as it should be. You should
> only modify the basics first and see that Shorewall is actually working
> before embarking on more complicated matters because it will, otherwise,
> lead to much confusion. It's also very important to actually know what
> you want to have done and know how to go about it, because after
> seeing your discussion with Robert I personally feel that you will be
> snaring yourselves in knots which may be very hard to free yourselves
> from. Just my opinion.....
>
> http://www.shorewall.net/two-interface.htm
>
> http://www.shorewall.net/troubleshoot.htm
>
>
> Best regards,
Hi Joshua,

Thanks for your response. I will reinstall Shorewall and come back to this list later.

B.R.
Stephen

On Mon, 2003-09-15 at 17:52, Joshua Banks wrote:
> Stephen,
>
> You posted IP addresses where subnet masks needed to be.
>
> Your subnet masks need to be ... 255.255.255.0.
>
> Also not sure why your default gateways are on different networks on each NIC card.??
> I assume that someone told you to do that?? :P
>
>
> JBanks
> --- Stephen Liu <satimis@icare.com.hk> wrote:
> > Hi Robert,
> >
> > On Mon, 2003-09-15 at 14:02, Robert Kehl wrote:
> > - snip -
> > > > Setup of Ethernet card (RH9.0 - this box)
> > > > Address: 192.168.0.1
> > > > Subnet Mask: 255.255.255.0
> > > > Default Gateway Address: 10.10.10.254
> > >
> > > What's that? Change the Default GW to 192.168.1.1
> >
> > New settings
> > Address: 192.168.0.1
> > Subnet Mask: 10.10.10.1
> > Default Gateway Address: 192.168.1.1
> >
> > > > Setup of Ethernet card (RH8.0 - another Linux box sharing Internet)
> > > > Address: 192.168.0.2
> > >
> > > Nope - this is your gateway - other subnet!
> > > Address: 192.168.1.1
> >
> > New settings
> > Address: 192.168.1.1
> > Subnet Mask: 10.10.10.1 (also tried 10.10.10.2)
> > Default Gateway Address: 192.168.0.2
> >
> > RH8.0 box still failed to ping
> >
> > # ping -c 3 www.yahoo.com
> > ping: unknown host www.yahoo.com
> >
> > LED light on each NIC of both boxes glows
> >
> > > > Broadband sharing failed. On RH8.0 box - ping failed
> > > > Remarks: two boxes are connected via a crossover cable
> > > > the indicator LED light on the NICs of both boxes did
> > > > not glow.
> > >
> > > Sure. Once you've done the above changes, you should be able to ping
> > > your firewall and to browse the internet.
> > >
> > > > Masqueraded Subnets and Hosts:
> > > > To 0.0.0.0/0 from 192.168.0.0/24 through eth1
> > > > To 0.0.0.0/0 from 169.254.0.0/16 through eth1
> > >
> > > Where does the last one come from - looks like one of those M$-driven
> > > DHCP leases...?!? Strange.
> >
> > This RH9.0 box has another hard drive mounted on a mobile rack running
> > M$Windoz ME. But the rack had been removed at the time of the test.
> >
> > > Again: If you issue 'service iptables stop', you're actually opening
> > > up the firewall, ie. you do not have *any* protection then.
> >
> > Noted with thanks.
> >
> > The strange thing is at booting eth1 (broadband) will be detected first
> > and then 'shorewall' starts. Iptables has been permanently stopped with
> > the 'ntsysv' command. But after login I have to stop 'iptables' again
> > before I can connect to the outside World.
> >
> > Hereinafter is my test according to
> > http://www.shorewall.net/support.htm
> >
> > # shorewall version
> > 1.4.6c
> >
> > # ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:07:40:00:4e:a9 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.1/32 brd 192.168.0.1 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:50:bf:70:f6:dd brd ff:ff:ff:ff:ff:ff
> > 7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> >     link/ppp
> >     inet 202.123.68.222 peer 202.123.71.254/32 scope global ppp0
> >
> > # ip route show
> > 202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.222
> > 192.168.0.1 dev eth0 scope link
> > 169.254.0.0/16 dev eth0 scope link
> > 127.0.0.0/8 dev lo scope link
> > default via 202.123.71.254 dev ppp0
> >
> > # /sbin/shorewall reset
> > Loading /usr/share/shorewall/functions...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Shorewall Not Started
> >
> > '/sbin/shorewall reset' can't restart shorewall
> >
> > # /sbin/shorewall status > /home/satimis/Temp/status2.txt
> >
> > status2.txt is attached to this posting.
> >
> > B.Regards
> > Stephen
> >
> > (P.S. During testing my Evolution got some problem. I send daily emails
> > by Evolution as USER. Now it can't send and receive mails. But as ROOT
> > it still works. Therefore I will continue to send postings to the Shorewall
> > list as ROOT until I get it fixed. Hoping that my postings will arrive at
> > the mailing list without problem)
> >
> > Shorewall-1.4.6c Status at localhost.localdomain - Mon Sep 15 15:50:05 HKT 2003
> >
> > Counters reset Mon Sep 15 14:19:41 HKT 2003
> >
> > Chain INPUT (policy ACCEPT 382 packets, 25053 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 383 packets, 23097 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Sep 15 14:19:27 INPUT:REJECT:IN=ppp0 OUT= SRC=218.19.30.149 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=23036 PROTO=ICMP TYPE=8 CODE=0 ID=18425 SEQ=1766
> > Sep 15 14:19:27 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=218.19.30.149 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=28580 PROTO=ICMP TYPE=3 CODE=1 [SRC=218.19.30.149 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=23036 PROTO=ICMP TYPE=8 CODE=0 ID=18425 SEQ=1766 ]
> > Sep 15 14:19:44 INPUT:REJECT:IN=ppp0 OUT= SRC=68.134.169.125 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=18806 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=894
> > Sep 15 14:19:44 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=68.134.169.125 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=1553 PROTO=ICMP TYPE=3 CODE=1 [SRC=68.134.169.125 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=18806 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=894 ]
> > Sep 15 14:19:51 INPUT:REJECT:IN=ppp0 OUT= SRC=68.90.112.45 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=32516 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=51400
> > Sep 15 14:19:51 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=68.90.112.45 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=21035 PROTO=ICMP TYPE=3 CODE=1 [SRC=68.90.112.45 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=32516 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=51400 ]
> > Sep 15 14:19:59 INPUT:REJECT:IN=ppp0 OUT= SRC=213.22.174.250 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=109 ID=45017 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=57673
> > Sep 15 14:19:59 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=213.22.174.250 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=3883 PROTO=ICMP TYPE=3 CODE=1 [SRC=213.22.174.250 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=109 ID=45017 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=57673 ]
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.209 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.213 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.209 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.213 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.209 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=51
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.213 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=51
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.209 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=51
> > Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.213 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=51
> > Sep 15 14:20:16 INPUT:REJECT:IN=ppp0 OUT= SRC=202.123.11.170 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=107 ID=24116 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=39236
> > Sep 15 14:20:16 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.11.170 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=31746 PROTO=ICMP TYPE=3 CODE=1 [SRC=202.123.11.170 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=107 ID=24116 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=39236 ]
> > Sep 15 14:20:26 INPUT:REJECT:IN=ppp0 OUT= SRC=4.4.241.24 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=24690 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11028
> > Sep 15 14:20:26 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=4.4.241.24 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=55568 PROTO=ICMP TYPE=3 CODE=1 [SRC=4.4.241.24 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=24690 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11028 ]
> >
> > NAT Table
> >
> > Chain PREROUTING (policy ACCEPT 1288 packets, 84189 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 20 packets, 1437 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 20 packets, 1437 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Mangle Table
> >
> > Chain PREROUTING (policy ACCEPT 1713 packets, 570K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain INPUT (policy ACCEPT 1713 packets, 570K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 1596 packets, 105K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 1596 packets, 105K bytes)
> >  pkts bytes target     prot opt in     out     source
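The status output quoted above carries the actual diagnosis, which is easy to miss among the ICMP noise: the OUTPUT:REJECT lines with PROTO=UDP DPT=53 show the firewall rejecting the RH9 box's own DNS queries to 202.123.77.209 and 202.123.77.213, so name resolution fails before any ping packet is sent, which is exactly what "ping: unknown host" means. The following POSIX shell script is an added example (not code from the thread or from Shorewall) that summarises such netfilter LOG lines by chain, protocol and destination port; the sample lines are copied from the quoted status output, and the functions read log text on stdin so they can be fed a real "shorewall status" capture.

```shell
#!/bin/sh
# Sample input: five of the LOG lines from the quoted "shorewall status"
# output above (the ICMP type-3 line carries the offending packet in [...]).
SAMPLE_LOG='Sep 15 14:19:27 INPUT:REJECT:IN=ppp0 OUT= SRC=218.19.30.149 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=23036 PROTO=ICMP TYPE=8 CODE=0 ID=18425 SEQ=1766
Sep 15 14:19:27 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=218.19.30.149 LEN=120 TOS=0x00 PREC=0xC0 TTL=255 ID=28580 PROTO=ICMP TYPE=3 CODE=1 [SRC=218.19.30.149 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=23036 PROTO=ICMP TYPE=8 CODE=0 ID=18425 SEQ=1766 ]
Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.209 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
Sep 15 14:20:08 OUTPUT:REJECT:IN= OUT=ppp0 SRC=202.123.68.222 DST=202.123.77.213 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=25325 DF PROTO=UDP SPT=32769 DPT=53 LEN=39
Sep 15 14:20:26 INPUT:REJECT:IN=ppp0 OUT= SRC=4.4.241.24 DST=202.123.68.222 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=24690 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11028'

# summarize_rejects: read netfilter LOG lines on stdin and print one line
# per distinct "CHAIN PROTO DPORT" with its count, e.g. "OUTPUT UDP 53 2".
# ICMP has no port, so its TYPE is reported instead ("type8", "type3").
# Parsing stops at a "[" field: the bracketed part of an ICMP error is the
# quoted inner packet, and its PROTO/TYPE must not overwrite the outer ones.
summarize_rejects() {
    awk '
    {
        chain = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[/) break
            if ($i ~ /^[A-Z]+:REJECT:/) { split($i, f, ":"); chain = f[1] }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^TYPE=/ && proto == "ICMP") dpt = "type" substr($i, 6)
        }
        if (chain != "") count[chain " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# rejected_dns_queries: number of the host's own DNS queries (OUTPUT chain,
# UDP, destination port 53) that the firewall rejected. Anything above zero
# means name lookups cannot leave the box, whatever the routing looks like.
rejected_dns_queries() {
    summarize_rejects | awk '$1 == "OUTPUT" && $2 == "UDP" && $3 == "53" { n += $4 } END { print n + 0 }'
}

# Stand-alone run: print the summary and the DNS verdict for the sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
echo "rejected outbound DNS queries: $(printf '%s\n' "$SAMPLE_LOG" | rejected_dns_queries)"
```

On a live box the same functions can be run over the saved status file, for instance with `rejected_dns_queries < /home/satimis/Temp/status2.txt`; a non-zero result points at the rules/policy files rather than at the NIC settings.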
Hi Stephen!

I'll try to paint some ASCII here, hopefully hitting your desired configuration scheme ;)

       INET
        |
        |
    DSL-Modem
        |
        |
    eth1/ppp0 (IP=192.168.1.1 Subnet=255.255.255.0)        <-- "Dialing" Interface (WAN)!
    [ RH9 ]                                                <-- Shorewall running HERE!
    eth0 IP=192.168.0.1 Subnet=255.255.255.0 GW=           <-- LAN Interface!
        |
        |
    [ switch/HUB ]                                         <-- need not be there, but probably is
        |
        |
    eth0 IP=192.168.0.2, Subnet=255.255.255.0 GW=192.168.0.1
    [ RH8 ]                                                <-- no Shorewall here, this is the client!

You need not assign a private IP address to eth1 on your RH9, but you may - as a fallback to a hardware ISDN router f.e. It won't help much in the above configuration, anyhow: When an ADSL connection is established, eth0 "becomes" ppp0 and ppp0 is assigned a default gateway and IP address from the queried server, provided a successful authentication, for sure. Yes, one could describe this more precisely, but the basics become clear, I hope?!

You must be able to ping from RH8 to RH9 (ie. from 192.168.0.2 to 192.168.0.1) and back *prior* to installing Shorewall to ensure correct network setup.

And: look up your kernel configuration. Is IP forwarding (and IP masquerading) enabled? It need not be - if not, enable them, see http://shorewall.net/kernel.htm for more info. RH comes with a comprehensive Kernel Configuration GUI, I believe.

There are certainly some other possible configuration schemes, even in your small network: You *may* also run Shorewall on the RH8 box, although you'd expose RH9 to the public completely. This is very rarely desirable and therefore NOT recommended. I believe that you personally do not want this.

Running two Shorewalls (one on each box) is possible, too, but also not recommended - you won't probably need it. One possible application would be the use of the "User Set" feature on your workstation.

Hope this helps,

Robert

----- Original Message -----
From: "Stephen Liu" <satimis@icare.com.hk>
Sent: Monday, September 15, 2003 1:34 PM

What I expect to be advised is sample NIC settings for

RH9.0 box (running Shorewall)
Manual IP address setting
IP Address ???
Subnet Mask ???
Default Gateway Address ???
Connection:
eth1 to Broadband
eth0 to RH8.0

RH8.0 box (sharing broadband connection)
Manual IP address setting
IP Address ???
Subnet Mask ???
Default Gateway Address ???

eth0 to RH9.0 to share broadband
Hi Robert,

Lots of thanks for your detailed advice and the time you spent.

On Tue, 2003-09-16 at 02:04, Robert Kehl wrote:
> I'll try to paint some ASCII here, hopefully hitting your desired
> configuration scheme ;)
>
>        INET
>         |
>         |
>     DSL-Modem
>         |
>         |
>     eth1/ppp0 (IP=192.168.1.1 Subnet=255.255.255.0)        <-- "Dialing" Interface (WAN)!
>     [ RH9 ]                                                <-- Shorewall running HERE!
>     eth0 IP=192.168.0.1 Subnet=255.255.255.0 GW=           <-- LAN Interface!
>         |
>         |
>     [ switch/HUB ]                                         <-- need not be there, but probably is
>         |
>         |
>     eth0 IP=192.168.0.2, Subnet=255.255.255.0 GW=192.168.0.1
>     [ RH8 ]                                                <-- no Shorewall here, this is the client!
>
> You need not assign a private IP address to eth1 on your RH9, but you
> may - as a fallback to a hardware ISDN router f.e. It won't help much in
> the above configuration, anyhow: When an ADSL connection is established,
> eth0 "becomes" ppp0 and ppp0 is assigned a default gateway and IP
> address from the queried server, provided a successful authentication,
> for sure. Yes, one could describe this more precisely, but the basics
> become clear, I hope?!

Noted. In the xDSL configuration I check "Automatically obtain IP address with (dialup)".

> You must be able to ping from RH8 to RH9 (ie. from 192.168.0.2 to
> 192.168.0.1) and back *prior* to installing Shorewall to ensure correct
> network setup.

To my understanding I can ping 192.168.0.1 from the RH8.0 box. Can I ping www.yahoo.com to test the connection to the Internet?

> And: look up your kernel configuration. Is IP forwarding (and IP
> masquerading) enabled? It need not be - if not, enable them, see
> http://shorewall.net/kernel.htm for more info. RH comes with a
> comprehensive Kernel Configuration GUI, I believe.

I will check it as advised. However I found iproute running on the RH9.0 box.

# which ip
/sbin/ip

- snip -

> You *may* also run Shorewall on the RH8 box, although you'd expose RH9
> to the public completely. This is very rarely desirable and therefore
> NOT recommended. I believe that you personally do not want this.
>
> Running two Shorewalls (one on each box) is possible, too, but also not
> recommended - you won't probably need it. One possible application would
> be the use of the "User Set" feature on your workstation.

Noted with thanks

B.R.
Stephen

> ----- Original Message -----
> From: "Stephen Liu" <satimis@icare.com.hk>
> Sent: Monday, September 15, 2003 1:34 PM
>
> What I expect to be advised is sample NIC settings for
>
> RH9.0 box (running Shorewall)
> Manual IP address setting
> IP Address ???
> Subnet Mask ???
> Default Gateway Address ???
> Connection:
> eth1 to Broadband
> eth0 to RH8.0
>
>
> RH8.0 box (sharing broadband connection)
> Manual IP address setting
> IP Address ???
> Subnet Mask ???
> Default Gateway Address ???
>
> eth0 to RH9.0 to share broadband
On Tue, 16 Sep 2003, Stephen Liu wrote:

> To my understanding I can ping 192.168.0.1 from the RH8.0 box. Can I ping
> www.yahoo.com to test the connection to the Internet?

I recommend pinging your default gateway *by IP address* using the "-n" option -- that way you eliminate DNS as a potential source of problems.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 15 Sep 2003 08:02:44 +0200
"Robert Kehl" <mailinglists@robertkehl.de> wrote:

> > To 0.0.0.0/0 from 169.254.0.0/16 through eth1
>
> Where does the last one come from - looks like one of those M$-driven
> DHCP leases...?!? Strange.

This has to do with DHCP autoconfig. See http://www.zeroconf.org/.

RedHat 9.0 seems to install a route for this subnet when you setup DHCP. I had to comment it out from /etc/sysconfig/network-scripts/ifup.

# Add Zeroconf route.
#if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
#    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
#fi

Norbert
--
Norbert Crettol, System Engineer
INSTITUT DALLE MOLLE D'INTELLIGENCE ARTIFICIELLE PERCEPTIVE
Rue du Simplon 4 - CP 592, CH-1920 Martigny
Tel: ++41-27-721.77.25 / Fax: ++41-27-721.77.12
email: norbert.crettol@idiap.ch / http://www.idiap.ch
Thannkkk-yoouuuu Norbert ;-)

I've been looking for the source of this out-of-place entry in my RH routing tables for years....

Best,
/tom

--On Tuesday, September 16, 2003 14:48:21 +0200 Norbert Crettol <norbert.crettol@idiap.ch> wrote:

> This has to do with DHCP autoconfig. See http://www.zeroconf.org/.
>
> RedHat 9.0 seems to install a route for this subnet when you setup
> DHCP. I had to comment it out from /etc/sysconfig/network-scripts/ifup.
>
> # Add Zeroconf route.
> #if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
> #    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
> #fi
>
> Norbert
Norbert Crettol wrote:
> On Mon, 15 Sep 2003 08:02:44 +0200
> "Robert Kehl" <mailinglists@robertkehl.de> wrote:
>
>>> To 0.0.0.0/0 from 169.254.0.0/16 through eth1
>>
>> Where does the last one come from - looks like one of those M$-driven
>> DHCP leases...?!? Strange.
>
> This has to do with DHCP autoconfig. See http://www.zeroconf.org/.
>
> RedHat 9.0 seems to install a route for this subnet when you setup
> DHCP. I had to comment it out from
> /etc/sysconfig/network-scripts/ifup.
>
> # Add Zeroconf route.
> #if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
> #    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
> #fi

FWIW: You can add NOZEROCONF=YES to /etc/sysconfig/network to disable the redhat network init scripts from adding the zeroconf route. In fact, the way the ifup test is written, NOZEROCONF can equal anything like yes, no, or even your mother's maiden name. The -z test simply returns true if the length of the variable being tested is zero, i.e. not set.

Steve Cowles
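Three points from this part of the thread are worth seeing executed side by side: Tom's advice to ping the default gateway by IP address (so DNS is out of the picture), Norbert's observation that Red Hat 9's ifup adds a 169.254.0.0/16 route, and Steve's point that the ifup test only checks whether NOZEROCONF is empty, so any value at all suppresses the route. The POSIX shell script below is an added example, not code from the thread or from Red Hat: it rebuilds the quoted ifup condition as a function so it can be exercised with different values, and it reads "ip route show" output (here a constructed copy of the table quoted earlier in the thread) to pull out the gateway to ping and to flag a stray link-local route.

```shell
#!/bin/sh
# ifup_adds_zeroconf_route NOZEROCONF_VALUE ISALIAS_VALUE
# Same test as the Red Hat 9 ifup script quoted above, wrapped in a function.
# Returns 0 when ifup would add the 169.254.0.0/16 route, 1 when it would not.
ifup_adds_zeroconf_route() {
    NOZEROCONF="$1"
    ISALIAS="$2"
    # -z is true only for an EMPTY value: NOZEROCONF=no suppresses the route
    # exactly like NOZEROCONF=YES does, which is the behaviour Steve describes.
    if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
        return 0
    fi
    return 1
}

# Constructed "ip route show" output, modelled on the one quoted earlier in
# the thread: a PPPoE default route on ppp0 plus the stray zeroconf route.
SAMPLE_ROUTES='202.123.71.254 dev ppp0 proto kernel scope link src 202.123.68.222
192.168.0.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.123.71.254 dev ppp0'

# default_gateway: read "ip route show" on stdin, print the default gateway.
# This is the address to test with "ping -n <gateway>" before suspecting DNS.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

# zeroconf_route_devs: read "ip route show" on stdin and print the interface
# of every 169.254.0.0/16 route; prints nothing when no such route exists.
zeroconf_route_devs() {
    awk '$1 == "169.254.0.0/16" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Stand-alone run: show the ifup decision for three settings, then the
# gateway and any zeroconf route found in the sample table.
for v in "" YES no; do
    if ifup_adds_zeroconf_route "$v" no; then
        echo "NOZEROCONF='$v': ifup adds the 169.254.0.0/16 route"
    else
        echo "NOZEROCONF='$v': ifup skips the 169.254.0.0/16 route"
    fi
done
echo "default gateway to ping with -n: $(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)"
echo "zeroconf route present on: $(printf '%s\n' "$SAMPLE_ROUTES" | zeroconf_route_devs)"
```

On a real machine replace the sample with `ip route show | default_gateway` and `ip route show | zeroconf_route_devs`; the latter printing anything after NOZEROCONF has been set in /etc/sysconfig/network means the interface was brought up before the setting was read and needs an ifdown/ifup.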
On Tue, 16 Sep 2003 17:57:03 -0500
"Cowles, Steve" <steve@stevecowles.com> wrote:

> Norbert Crettol wrote:
[...]
> >
> > # Add Zeroconf route.
> > #if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
> > #    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
> > #fi
>
> FWIW: You can add NOZEROCONF=YES to /etc/sysconfig/network to disable
> the redhat network init scripts from adding the zeroconf route. In fact,
> the way the ifup test is written, NOZEROCONF can equal anything like
> yes, no, or even your mother's maiden name. The -z test simply returns
> true if the length of the variable being tested is zero, i.e. not set.

Thank you. This is cleaner than commenting it out.

Norbert
--
Norbert Crettol, System Engineer
INSTITUT DALLE MOLLE D'INTELLIGENCE ARTIFICIELLE PERCEPTIVE
Rue du Simplon 4 - CP 592, CH-1920 Martigny
Tel: ++41-27-721.77.25 / Fax: ++41-27-721.77.12
email: norbert.crettol@idiap.ch / http://www.idiap.ch