Hi, trying to do something a little odd here.

This system is behind the main Shorewall firewall on the LAN 192.168.1.0/24. eth0 is shared with Win4Lin using vnetd, so the Linux side of the machine has an IP of 192.168.1.8 and Win4Lin with Win98 on it has an IP address of 192.168.1.9. This interface is defined as net. There are 2 AX.25 radio interfaces, ax0 & ax1; these are defined as ham.

I set the policy to ACCEPT net to fw and vice versa, and fw to ham; the policy from ham to fw is DROP, and rules are set to allow certain ports and protocols on ax+ interfaces. There is also a DNAT rule to allow access on port 8000 to go to a server on the main gateway machine, where the real firewall is installed and running very nicely (thanks Tom).

One diddy problem: the Win4Lin virtual machine which is merged on eth0 is now blocked. Now I couldn't see anything in the manual or FAQs on this type of merged interface. Unlike VMware, Win4Lin doesn't create an interface on the host machine.

Would a rule something like below work?

ACCEPT 192.168.1.0/24 192.168.1.9 tcp all
ACCEPT 192.168.1.9 192.168.1.0/24 tcp all

Some guidance would be very appreciated.

TIA
Richard
On Sat, 2003-10-04 at 07:50, Richard Bown wrote:

> Would a rule something like below work
>
> ACCEPT 192.168.1.0/24 192.168.1.9 tcp all
> ACCEPT 192.168.1.9 192.168.1.0/24 tcp all

Since those aren't syntactically valid rules, no -- they wouldn't work.

What messages are you seeing when you try to access the net from Win4Lin?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 2003-10-04 at 15:57, Tom Eastep wrote:
> On Sat, 2003-10-04 at 07:50, Richard Bown wrote:
>
> > Would a rule something like below work
> >
> > ACCEPT 192.168.1.0/24 192.168.1.9 tcp all
> > ACCEPT 192.168.1.9 192.168.1.0/24 tcp all
>
> Since those aren't syntactically valid rules, no -- they wouldn't work.
>
> What messages are you seeing when you try to access the net from
> Win4Lin

Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0

As you can see it's in and out on the same port, so could I use an entry in the interfaces file, sorta:

-     eth0   detect
ham   ax+    detect

then in hosts:

net1  eth0:192.168.1.9      # the Win4Lin virtual machine
net2  eth0:192.168.1.0/24   # the rest of the LAN

I can see a possible prob with the netmask on that; I could if need be allocate the Win4Lin machine above x.x.x.128 if that makes it easier.

HTH
Richard

> -Tom
--
Richard Bown <richard.bown@blueyonder.co.uk>
On Sat, 4 Oct 2003, Richard Bown wrote:
> On Sat, 2003-10-04 at 15:57, Tom Eastep wrote:
> > On Sat, 2003-10-04 at 07:50, Richard Bown wrote:
> >
> > > Would a rule something like below work
> > >
> > > ACCEPT 192.168.1.0/24 192.168.1.9 tcp all
> > > ACCEPT 192.168.1.9 192.168.1.0/24 tcp all
> >
> > Since those aren't syntactically valid rules, no -- they wouldn't work.
> >
> > What messages are you seeing when you try to access the net from
> > Win4Lin
>
> Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00
> TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0

Then set the 'routeback' option on eth0.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
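The log line quoted above is the tell-tale for the case 'routeback' exists for: the packet enters and would leave on the same interface (IN=eth0 OUT=eth0), so the FORWARD chain drops it. As an added example, not from the thread and not Shorewall's own code, here is a small Python parser that reads Shorewall-style log lines and flags FORWARD drops whose IN and OUT interfaces match; the sample lines are constructed here, the first being the one Richard pasted (rejoined onto one line).

```python
import re

# Constructed sample. The first line is the one pasted in the thread, rejoined onto one
# line; the other two are made up here for contrast and are not from the thread.
SAMPLE_LOGS = [
    "Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 "
    "RES=0x00 ACK URGP=0",
    # constructed: a drop that really crosses interfaces (ax0 -> eth0), not a hairpin
    "Shorewall:FORWARD:DROP:IN=ax0 OUT=eth0 SRC=10.0.0.2 DST=192.168.1.4 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4000 DPT=22 SYN URGP=0",
    # constructed: a packet for the firewall itself, so the OUT field is empty
    "Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.1.4 DST=192.168.1.8 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5353 DPT=5353",
]

# Log lines are prefixed "Shorewall:<chain>:<disposition>:" followed by netfilter's
# KEY=value fields, as in the line pasted in the thread.
HEADER_RE = re.compile(r"^Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Return {'chain', 'disposition', KEY: value..., 'flags': [...]} or None if not a Shorewall line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value            # "OUT=" yields '' for locally delivered packets
        else:
            rec["flags"].append(tok)    # bare tokens such as DF, SYN, ACK
    return rec


def is_hairpin_drop(rec):
    """True for a FORWARD drop whose packet entered and would leave on the same interface."""
    return bool(rec and rec["chain"] == "FORWARD" and rec["disposition"] == "DROP"
                and rec.get("IN") and rec["IN"] == rec.get("OUT"))


def hairpin_interfaces(lines):
    """Map interface -> list of (SRC, DST, PROTO, DPT) for hairpin drops seen in the log."""
    found = {}
    for line in lines:
        rec = parse_shorewall_log(line)
        if is_hairpin_drop(rec):
            found.setdefault(rec["IN"], []).append(
                (rec["SRC"], rec["DST"], rec.get("PROTO"), rec.get("DPT")))
    return found
```

Any interface that shows up in the result is a candidate for the 'routeback' option Tom points to; an interface that never does has a different problem.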
On Sat, 2003-10-04 at 18:19, Tom Eastep wrote:
> On
> > > > Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00
> > > > TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0
>
> Then set the 'routeback' option on eth0.

Thanks Tom

Just a minor problem: at the moment I run ver. 1.3.14 on Mandrake 9.1, and "routeback" was put in on a later version. There are RPMs for 1.4.6c on SourceForge; I assume from the release notes these are for Red Hat, which in most cases are compatible with Mandrake distros.

Does the iproute package still need to be the "ip utility"? As in MDK it's iproute2.

I don't know which version of Shorewall is going to be distributed with MDK 9.2, which is due for release in the next month??

TIA
Richard
--
Richard Bown <richard.bown@blueyonder.co.uk>
On Sat, 4 Oct 2003, Richard Bown wrote:
> On Sat, 2003-10-04 at 18:19, Tom Eastep wrote:
> > On
> > > > > Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00
> > > > > TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0
> >
> > Then set the 'routeback' option on eth0.
>
> Thanks Tom
>
> Just a minor problem: at the moment I run ver. 1.3.14 on Mandrake 9.1,
> and "routeback" was put in on a later version.
> There are RPMs for 1.4.6c on SourceForge; I assume from the release
> notes these are for Red Hat, which in most cases are compatible with
> Mandrake distros.

Possibly you should read the documentation:

http://shorewall.net/download.htm

"If you run a RedHat, SuSE, Mandrake, Linux PPC, Trustix or TurboLinux distribution with a 2.4 kernel, you can use the RPM version"

> Does the iproute package still need to be the "ip utility"? As in MDK it's
> iproute2.

From http://shorewall.net/Install.htm:

"Note2: Beginning with Shorewall 1.4.0, Shorewall is dependent on the iproute package. Unfortunately, some distributions call this package iproute2 which will cause the installation of Shorewall to fail with the diagnostic:

error: failed dependencies:iproute is needed by shorewall-1.4.x-1

This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps <shorewall rpm>)."

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Thanks for the clarification Tom, I was looking at the upgrade issues section of the manual.

Richard

On Sat, 2003-10-04 at 19:30, Tom Eastep wrote:
> On Sat, 4 Oct 2003, Richard Bown wrote:
>
> > On Sat, 2003-10-04 at 18:19, Tom Eastep wrote:
> > > On
> > > > > > Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.9 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00
> > > > > > TTL=127 ID=4610 DF PROTO=TCP SPT=1058 DPT=139 WINDOW=8760 RES=0x00 ACK URGP=0
> > >
> > > Then set the 'routeback' option on eth0.
> >
> > Thanks Tom
> >
> > Just a minor problem: at the moment I run ver. 1.3.14 on Mandrake 9.1,
> > and "routeback" was put in on a later version.
> > There are RPMs for 1.4.6c on SourceForge; I assume from the release
> > notes these are for Red Hat, which in most cases are compatible with
> > Mandrake distros.
>
> Possibly you should read the documentation:
>
> http://shorewall.net/download.htm
>
> "If you run a RedHat, SuSE, Mandrake, Linux PPC, Trustix or
> TurboLinux distribution with a 2.4 kernel, you can use the RPM
> version"
>
> > Does the iproute package still need to be the "ip utility"? As in MDK it's
> > iproute2.
>
> From http://shorewall.net/Install.htm:
>
> "Note2: Beginning with Shorewall 1.4.0, Shorewall is dependent on
> the iproute package. Unfortunately, some distributions call this
> package iproute2 which will cause the installation of Shorewall
> to fail with the diagnostic:
>
> error: failed dependencies:iproute is needed by shorewall-1.4.x-1
>
> This may be worked around by using the --nodeps option of rpm
> (rpm -ivh --nodeps <shorewall rpm>)."
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
--
Richard Bown <richard.bown@blueyonder.co.uk>