Hi all folks,

I come back again after having had a heavy fight with the W32.Swen/Gibe.F worm.

RH9
eth1 to ADSL modem
eth0 to another workstation running RH8.0, not connected with cable yet
===================================================

Now I have 'shorewall-1.4.7-1' installed and configured according to the two-interface instructions in the QuickStart Guides.

On starting Shorewall the following error pops up:

# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc modem
Validating interfaces file...
   Error: Duplicate Interface eth1
Terminated

***********
/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        -               dhcp,routefilter,norfc1918
loc     eth0        detect
modem   eth1        192.168.1.255   dhcp
************

If I comment out the first line of /etc/shorewall/interfaces as above-mentioned

#ZONE   INTERFACE   BROADCAST       OPTIONS
# net   eth1        -               dhcp,routefilter,norfc1918

and start Shorewall, then another error pops up:

# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc modem
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Warning: Zone net is empty
   Local Zone: eth0:0.0.0.0/0
   Modem Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
   PPTP tunnel to 192.168.1.1 defined.
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy REJECT for fw to modem using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for modem to fw using chain all2all
Masqueraded Subnets and Hosts:
   Error: Unable to determine the routes through interface eth1
Terminated

I was then completely cut off from the outside world/Internet.

# shorewall stop
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Stopping Shorewall...Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.

Then I can connect to the outside world/Internet again.

Kindly advise which file I have to correct.

Thanks in advance.

B.R.
Stephen Liu
On Thu, 9 Oct 2003, Stephen Liu wrote:

> Determining Zones...
>    Zones: net loc modem
> Validating interfaces file...
>    Error: Duplicate Interface eth1
> Terminated

Delete modem zone in zone file.

> ***********
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> net     eth1        -               dhcp,routefilter,norfc1918
> loc     eth0        detect
> modem   eth1        192.168.1.255   dhcp
> ************

Set BROADCAST for net zone.

------------------------[ Taiwan Linux User Group ]-----------------------
Andrew Lee                          cell.: +886 968 749 055
System & IT Consultant              phone @work: +886 2 2311 2345
Chinese GNU/Linux Extensions
Red Hat Certified Engineer
On Thu, 2003-10-09 at 06:11, Andrew Lee wrote:
> On Thu, 9 Oct 2003, Stephen Liu wrote:
>
> > Determining Zones...
> >    Zones: net loc modem
> > Validating interfaces file...
> >    Error: Duplicate Interface eth1
> > Terminated
>
> Delete modem zone in zone file.
>
> > ***********
> > /etc/shorewall/interfaces
> > #ZONE   INTERFACE   BROADCAST       OPTIONS
> > net     eth1        -               dhcp,routefilter,norfc1918
> > loc     eth0        detect
> > modem   eth1        192.168.1.255   dhcp
> > ************
>
> Set BROADCAST for net zone.
>

And see http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for information about how to set up two zones on one interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom and Andrew,

Thanks for your advice.

1) 1st TEST
========

>> Determining Zones...
>>    Zones: net loc modem
>> Validating interfaces file...
>>    Error: Duplicate Interface eth1
>> Terminated
>>
>>
>> Delete modem zone in zone file.
>>
>>
Now /etc/shorewall/zones

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local Networks
#modem  Modem     ADSL Modem

>>> ***********
>>> /etc/shorewall/interfaces
>>> #ZONE   INTERFACE   BROADCAST       OPTIONS
>>> net     eth1        -               dhcp,routefilter,norfc1918
>>> loc     eth0        detect
>>> modem   eth1        192.168.1.255   dhcp
>>> ************
>>>
>>>
>> Set BROADCAST for net zone.
>>
>>
Now /etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        detect          dhcp,routefilter,norfc1918
#net    eth1        -               dhcp,routefilter,norfc1918
loc     eth0        detect
modem   eth1        192.168.1.255   dhcp

# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
   Error: Invalid zone (modem) in record "modem eth1 192.168.1.255 dhcp"
Terminated

Shorewall could not start.

2) 2nd TEST

Now /etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        detect          dhcp,routefilter,norfc1918
#net    eth1        -               dhcp,routefilter,norfc1918
loc     eth0        detect
#modem  eth1        192.168.1.255   dhcp

# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth1:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
   Warning: Cannot set route filtering on eth1
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
   Invalid gateway zone (modem) -- Tunnel "pptpclient modem 192.168.1.1" Ignored
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   Error: Unable to determine the routes through interface eth1
Terminated

Completely cut off from the outside world/Internet

B.R.
Stephen
On Thu, 9 Oct 2003, Stephen Liu wrote:

> #ZONE   INTERFACE   BROADCAST       OPTIONS
> net     eth1        detect          dhcp,routefilter,norfc1918
> #net    eth1        -               dhcp,routefilter,norfc1918
> loc     eth0        detect
> modem   eth1        192.168.1.255   dhcp
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This line shouldn't be here.

> # shorewall start
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
> Determining Zones...
>    Zones: net loc
> Validating interfaces file...
>    Error: Invalid zone (modem) in record "modem eth1 192.168.1.255 dhcp"
     ^^^^^^^^^^^^^^^^^^^^^^^^^^
Delete modem zone from your interfaces file.

> 2) 2nd TEST
>
> Now /etc/shorewall/interfaces
>
> #ZONE   INTERFACE   BROADCAST       OPTIONS
> net     eth1        detect          dhcp,routefilter,norfc1918
> #net    eth1        -               dhcp,routefilter,norfc1918
> loc     eth0        detect
> #modem  eth1        192.168.1.255   dhcp
>
> # shorewall start
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
> Determining Zones...
>    Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>    Net Zone: eth1:0.0.0.0/0
>    Local Zone: eth0:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Setting up Accounting...
> Setting up User Sets...
> Creating Interface Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP
> Enabling RFC1918 Filtering
> Setting up Kernel Route Filtering...
>    Warning: Cannot set route filtering on eth1
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
>    Invalid gateway zone (modem) -- Tunnel "pptpclient modem
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Do not set anything in the tunnels file before your shorewall works. You should keep your configuration files as simple as possible from the beginning.

------------------------[ Taiwan Linux User Group ]-----------------------
Andrew Lee                          cell.: +886 968 749 055
System & IT Consultant              phone @work: +886 2 2311 2345
Chinese GNU/Linux Extensions
Red Hat Certified Engineer
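The "Duplicate Interface eth1" and "Invalid zone (modem)" errors traded back and forth above both come from the same validation step, and that step can be reproduced on a copy of the files before anything is loaded into the kernel, so a mistake does not leave the box in Shorewall's stopped state the way it did for Stephen. The script below is an added example written for this page, not Shorewall's own code: it re-implements those two checks over the text of the zones and interfaces files (embedded as constructed copies of the files Stephen posted) and, unlike Shorewall, which terminates at the first error, lists every problem it finds. Treating "-" in the ZONE column as "zones assigned elsewhere" follows the aliased-interfaces page Tom linked; the function names and the fixed file contents are this example's own.

```shell
#!/bin/sh
# Added example for this thread; not Shorewall's own code.
# Re-implements the two checks behind the errors Shorewall printed under
# "Validating interfaces file...":
#   1. every ZONE used in interfaces must be declared in zones ("-" is the
#      documented marker for an interface whose zones come from the hosts file)
#   2. an INTERFACE may be listed only once
# File contents are passed as text, so the checks run on copies, offline,
# without touching the live firewall.

# zone_names ZONES_TEXT -> declared zone names, one per line
zone_names() {
    printf '%s\n' "$1" | awk '!/^[ \t]*(#|$)/ { print $1 }'
}

# validate_interfaces ZONES_TEXT INTERFACES_TEXT
# Prints one "Error: ..." line per problem, in Shorewall's wording, and
# nothing when the file is clean. Unlike Shorewall, which terminates at the
# first error, it reports every problem. Returns 0 when clean, 1 otherwise.
validate_interfaces() {
    out=$(printf '%s\n' "$2" | awk -v zones="$(zone_names "$1")" '
        BEGIN { n = split(zones, z, "\n"); for (i = 1; i <= n; i++) ok[z[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                     # comment or blank line
        {
            zone = $1; iface = $2
            if (zone != "-" && !(zone in ok))
                printf "Error: Invalid zone (%s) in record \"%s\"\n", zone, $0
            if (iface in seen)
                printf "Error: Duplicate Interface %s\n", iface
            seen[iface] = 1
        }')
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# --- constructed copies of the files posted in the thread ------------------
ZONES_ORIG='#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
modem Modem ADSL Modem'

# modem zone commented out, as Andrew advised
ZONES_FIXED='#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
#modem Modem ADSL Modem'

IFACES_ORIG='#ZONE INTERFACE BROADCAST OPTIONS
net eth1 - dhcp,routefilter,norfc1918
loc eth0 detect
modem eth1 192.168.1.255 dhcp'

# modem line removed and BROADCAST set, as in Stephen's 2nd TEST
IFACES_FIXED='#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter,norfc1918
loc eth0 detect'

echo '== original zones, original interfaces (the first error in the thread)'
validate_interfaces "$ZONES_ORIG" "$IFACES_ORIG" || echo '-> rejected'
echo '== modem removed from zones only (1st TEST)'
validate_interfaces "$ZONES_FIXED" "$IFACES_ORIG" || echo '-> rejected'
echo '== modem removed from both files (2nd TEST)'
validate_interfaces "$ZONES_FIXED" "$IFACES_FIXED" && echo '-> clean'
```

Run it with sh; the three cases mirror the thread's original configuration, the 1st TEST (modem removed only from zones, which is why the interfaces line became an invalid zone) and the 2nd TEST. The "Unable to determine the routes through interface eth1" failure of the 2nd TEST is raised later, at the "Masqueraded Subnets and Hosts" step, and is a routing condition on the live box rather than a syntax problem a file linter can catch.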
On Thu, 2003-10-09 at 09:01, Andrew Lee wrote:
> On Thu, 9 Oct 2003, Stephen Liu wrote:
>
> > #ZONE   INTERFACE   BROADCAST       OPTIONS
> > net     eth1        detect          dhcp,routefilter,norfc1918
> > #net    eth1        -               dhcp,routefilter,norfc1918
> > loc     eth0        detect
> > modem   eth1        192.168.1.255   dhcp
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This line shouldn't be here.
>
> > # shorewall start
> > Loading /usr/share/shorewall/functions...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Starting Shorewall...
> > Loading Modules...
> > Initializing...
> > Shorewall has detected the following iptables/netfilter capabilities:
> >    NAT: Available
> >    Packet Mangling: Available
> >    Multi-port Match: Available
> >    Connection Tracking Match: Available
> > Determining Zones...
> >    Zones: net loc
> > Validating interfaces file...
> >    Error: Invalid zone (modem) in record "modem eth1 192.168.1.255 dhcp"
>      ^^^^^^^^^^^^^^^^^^^^^^^^^^
> Delete modem zone from your interfaces file.
>

Possibly Andrew and I should both back up a minute and ask Stephen "How do you connect to your ISP and receive an IP address?"

a) PPPoE?
b) DHCP?
c) PPTP?
d) Static IP
e) ???

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom and Andrew

- snip -

/etc/shorewall/shorewall.conf is the original file after installation, with the only change being to set CLAMPMSS=yes (before the change: CLAMPMSS=no).

I carried out another test, making the following changes:

a) /etc/shorewall/shorewall.conf
CLAMPMSS=no

b) /etc/shorewall/tunnels
comment out the following line
# pptpclient modem 192.168.1.1
(only one line. This file was copied from the tarball: two-interface-sample)

# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth1:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
   Warning: Cannot set route filtering on eth1
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   Error: Unable to determine the routes through interface eth1
Terminated

Shorewall started but I was cut off from the outside world/Internet

> Possibly Andrew and I should both back up a minute and ask Stephen "How
> do you connect to your ISP and receive an IP address?"
>
> a) PPPoE?
> b) DHCP?
> c) PPTP?
> d) Static IP
> e) ???
>
via ADSL modem with dynamic IP address.

a) PPPoE

B.R.
Stephen
On Thu, 2003-10-09 at 09:55, Stephen Liu wrote:
>    Policy REJECT for fw to loc using chain all2all
>    Policy DROP for net to fw using chain net2all
>    Policy REJECT for loc to fw using chain all2all
>    Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Subnets and Hosts:
>    Error: Unable to determine the routes through interface eth1
> Terminated
>
> Shorewall started but I was cut off from the outside world/Internet

Shorewall did NOT start. And please stop adding the bit about being cut off from the internet and read http://www.shorewall.net/starting_and_stopping.htm to understand what happens when Shorewall fails to start.

>
> > Possibly Andrew and I should both back up a minute and ask Stephen "How
> > do you connect to your ISP and receive an IP address?"
> >
> > a) PPPoE?
> > b) DHCP?
> > c) PPTP?
> > d) Static IP
> > e) ???
> >
> via ADSL modem with dynamic IP address.

That doesn't answer my question. *How is your dynamic IP address assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer this question.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-10-09 at 10:10, Tom Eastep wrote:
>
> > via ADSL modem with dynamic IP address.
>
> That doesn't answer my question. *How is your dynamic IP address
> assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer
> this question.

And if you don't know the answer:

a) At a shell prompt logged in as root, type "ifconfig". Do you see a device called ppp0?

b) If the answer to the first question is yes, then type "ps ax | fgrep pptp | fgrep -v fgrep". Did that produce any output and if so, what did it give you?

c) If the answer to the first question is yes but the second command produced no output then please type "ps ax | fgrep pppoe | fgrep -v fgrep".

d) If the command in c) produced no output then please "ps ax > /tmp/mx" and send us the /tmp/mx file as an attachment.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom,

Thanks for your advice.

Tom Eastep wrote:
>>    Policy REJECT for fw to loc using chain all2all
>>    Policy DROP for net to fw using chain net2all
>>    Policy REJECT for loc to fw using chain all2all
>>    Policy ACCEPT for loc to net using chain loc2net
>> Masqueraded Subnets and Hosts:
>>    Error: Unable to determine the routes through interface eth1
>> Terminated
>>
>> Shorewall started but I was cut off from the outside world/Internet
>>
>>
>
> Shorewall did NOT start. And please stop adding the bit about being cut
> off from the internet and read
> http://www.shorewall.net/starting_and_stopping.htm to understand what
> happens when Shorewall fails to start.
>
>
Noted. But one strange thing was:

1) After that (issuing the command "# shorewall start") I can't connect to the Internet

2) I must issue the command "shorewall stop" and then I can connect to the Internet again

It prompted:

# shorewall stop
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Stopping Shorewall...Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.

>>> Possibly Andrew and I should both back up a minute and ask Stephen "How
>>> do you connect to your ISP and receive an IP address?"
>>>
>>> a) PPPoE?
>>> b) DHCP?
>>> c) PPTP?
>>> d) Static IP
>>> e) ???
>>>
> via ADSL modem with dynamic IP address.
>
>
>
> That doesn't answer my question. *How is your dynamic IP address
> assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer
> this question.
>
>
ppp0. I suppose it is similar to PPPoE

B.R.
Stephen
On Fri, 10 Oct 2003, Stephen Liu wrote:
>
> > Shorewall did NOT start. And please stop adding the bit about being cut
> > off from the internet and read
> > http://www.shorewall.net/starting_and_stopping.htm to understand what
> > happens when Shorewall fails to start.
> >
> >
> Noted. But one strange thing was:
>
> 1) After that (issuing the command "# shorewall start") I can't connect
> to the Internet
>
> 2) I must issue the command "shorewall stop" and then I can connect to the
> Internet again
> It prompted:
> # shorewall stop
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Stopping Shorewall...Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> done.
>

Ok -- there was definitely a bug there which I believe that I have corrected in the current CVS version.

>
> > That doesn't answer my question. *How is your dynamic IP address
> > assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer
> > this question.
> >
> >
> ppp0. I suppose it is similar to PPPoE
>

If it is PPPoE then the interface that connects to the ADSL "Modem" is invisible to Shorewall and you should define the internet interface as ppp0. See the two-interface QuickStart guide.

If it is PPTP then you also need to define the internet interface as ppp0 but you also need to define a tunnel to the modem; there's a link from the two-interface QuickStart Guide.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
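Tom's steps a) to d) in the earlier reply and the PPPoE/PPTP conclusion above form a small decision procedure: whether a ppp0 exists decides whether the Ethernet port or ppp0 is the Internet interface, and which client is running decides whether a modem tunnel is also needed. The following is an added example (not code from the thread or from Shorewall) that encodes that procedure as shell functions over the text of `ifconfig` and `ps ax` output, with constructed samples condensed from what Stephen posted, so it can be replayed offline. One caveat the thread's own output shows: `ps ax | fgrep pptp | fgrep -v fgrep` still printed `grep -F pptp`, because fgrep runs as `grep -F`, so the example drops any grep line instead. The PPTP process line and the `net_interface` and `needs_modem_tunnel` helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread; not Shorewall's code and not from the thread.
# Tom's checks (is there a ppp0? is pptp running? is pppoe running?) as
# functions over the *text* of `ifconfig` and `ps ax` output, so the decision
# can be replayed offline against captured output.

# has_ppp0 IFCONFIG_TEXT -> 0 if an interface named ppp0 is listed
has_ppp0() {
    printf '%s\n' "$1" | grep -q '^ppp0[[:space:]]'
}

# link_type IFCONFIG_TEXT PS_TEXT -> none | pptp | pppoe | unknown
#   none     no ppp0 at all (DHCP or static IP on the Ethernet interface)
#   unknown  ppp0 exists but neither client shows in ps (Tom's step d)
link_type() {
    if ! has_ppp0 "$1"; then
        echo none
        return 0
    fi
    # "fgrep -v fgrep" in the thread still let "grep -F pptp" through, because
    # fgrep is a wrapper that appears in ps as "grep -F". Drop every grep line.
    procs=$(printf '%s\n' "$2" | grep -v 'grep' || true)
    if printf '%s\n' "$procs" | grep -q 'pptp'; then
        echo pptp
    elif printf '%s\n' "$procs" | grep -q 'pppoe'; then
        echo pppoe
    else
        echo unknown
    fi
}

# net_interface LINK_TYPE PHYSICAL_IF -> interface for the net line of
# /etc/shorewall/interfaces. With PPPoE or PPTP the Ethernet port only carries
# the tunnel and is invisible to Shorewall, so the firewall goes on ppp0;
# otherwise the physical interface is the Internet interface.
net_interface() {
    case "$1" in
        pppoe|pptp) echo ppp0 ;;
        *)          echo "$2" ;;
    esac
}

# needs_modem_tunnel LINK_TYPE -> 0 when a tunnels entry to the modem is needed too
needs_modem_tunnel() {
    [ "$1" = pptp ]
}

# --- constructed samples, condensed from output posted in the thread --------
IFCONFIG_PPPOE='eth0      Link encap:Ethernet  HWaddr 00:07:40:00:4E:A9
          inet addr:192.168.0.1  Bcast:192.168.0.1  Mask:255.255.255.255
eth1      Link encap:Ethernet  HWaddr 00:50:BF:70:F6:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ppp0      Link encap:Point-to-Point Protocol
          inet addr:202.123.68.80  P-t-P:202.123.71.254  Mask:255.255.255.255'

IFCONFIG_NO_PPP='eth0      Link encap:Ethernet  HWaddr 00:07:40:00:4E:A9
eth1      Link encap:Ethernet  HWaddr 00:50:BF:70:F6:DD'

PS_PPPOE=' 2092 ?        S      0:00 /usr/sbin/pppd pty /usr/sbin/pppoe -p /var/run/pppoe-adsl.pid.pppoe -I eth1 -T 80 -U -m 1412
 2093 ?        S      0:01 /usr/sbin/pppoe -p /var/run/pppoe-adsl.pid.pppoe -I eth1 -T 80 -U -m 1412
 6423 pts/2    R      0:00 grep -F pppoe'

# the only "hit" is the search itself, as in Stephen's 2nd test
PS_GREP_ONLY=' 5399 pts/2    S      0:00 grep -F pptp'

# hypothetical PPTP client line; not from the thread
PS_PPTP=' 2100 ?        S      0:00 /usr/sbin/pptp 192.168.1.1 --nolaunchpppd'

for sample in "$PS_PPPOE" "$PS_GREP_ONLY" "$PS_PPTP"; do
    t=$(link_type "$IFCONFIG_PPPOE" "$sample")
    printf '%-8s -> net interface %s' "$t" "$(net_interface "$t" eth1)"
    needs_modem_tunnel "$t" && printf ' (plus a tunnels entry to the modem)'
    echo
done
echo "no ppp0 -> $(link_type "$IFCONFIG_NO_PPP" "$PS_PPPOE")"
```

Against Stephen's captured output the result is pppoe, so the net line of /etc/shorewall/interfaces should name ppp0, and the tunnels entry he copied from the sample is not needed; an "unknown" result is the case where Tom asks for the full `ps ax` listing.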
Hi Tom,

Thanks for your continued advice.

>> - snip -
>>
>> That doesn't answer my question. *How is your dynamic IP address
>> assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer
>> this question.
>>
>>
>
> And if you don't know the answer:
>
> a) At a shell prompt logged in as root, type "ifconfig". Do you see a
> device called ppp0?
>
>
Yes. ppp0

> b) If the answer to the first question is yes, then type "ps ax | fgrep
> pptp | fgrep -v fgrep". Did that produce any output and if so, what did
> it give you?
>
>
I made 3 tests

1) # shorewall start
(I can't connect Broadband/Internet)

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.80) 56(84) bytes of data.
....
ping: sendmsg: Operation not permitted

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2018ms

# ps ax | fgrep pptp | fgrep -v fgrep
No response.

2) # shorewall stop
(I can connect Broadband/Internet)

# shorewall stop
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Stopping Shorewall...Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.

# ps ax | fgrep pptp | fgrep -v fgrep
 5399 pts/2    S      0:00 grep -F pptp

3) I started 'Shorewall' again and left it there for about 5 minutes. I could connect Broadband/Internet, very strange.

# shorewall restart
........
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   Error: Unable to determine the routes through interface eth1
Terminated

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.80) 56(84) bytes of data.
....
ping: sendmsg: Operation not permitted

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2018ms

# ps ax | fgrep pptp | fgrep -v fgrep
No response.

AFTER ABOUT 5 MINUTES LATER (please see Remark at the bottom of this posting)

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.93) 56(84) bytes of data.
.....
64 bytes from w14.www.scd.yahoo.com (66.218.71.93): icmp_seq=3 ttl=51 time=215 ms

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2027ms
rtt min/avg/max/mdev = 215.873/216.129/216.588/0.627 ms

# ps ax | fgrep pptp | fgrep -v fgrep
 5666 pts/2    S      0:00 grep -F pptp

> c) If the answer to the first question is yes but the second command
> produced no output then please type "ps ax | fgrep pppoe | fgrep -v
> fgrep".
>
>
I think c) does not apply to my case. I made the following test

# shorewall restart
......
Masqueraded Subnets and Hosts:
   Error: Unable to determine the routes through interface eth1
Terminated

# ps ax | fgrep pppoe | fgrep -v fgrep
 2092 ?        S      0:00 /usr/sbin/pppd pty /usr/sbin/pppoe -p /var/run/pppoe-adsl.pid.pppoe -I eth1 -T 80 -U -m 1412 ipparam ppp0 linkname ppp0 noipdefault noauth default-asyncmap defaultroute hide-password nodetach usepeerdns mtu 1492 mru 1492 noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp user satim
 2093 ?        S      0:01 /usr/sbin/pppoe -p /var/run/pppoe-adsl.pid.pppoe -I eth1 -T 80 -U -m 1412
 6423 pts/2    R      0:00 grep -F pppoe

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.84) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

> d) If the command in c) produced no output then please "ps ax > /tmp/mx"
> and send us the /tmp/mx file as an attachment.
>
>
I continued to proceed with d) and attached the file 'mx' to this posting.

Thanks

B.R.
Stephen

Remark to "AFTER ABOUT 5 MINUTES LATER"
(Remark: This case only happened occasionally, not always the same. On another test it failed.
I left "shorewall start" for more than 15 minutes. Still I could not connect to the Internet. I have to issue the "shorewall stop" command. I could not explain why.)

-------------- next part --------------
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:05 init
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    4 ?        SWN    0:00 [ksoftirqd_CPU0]
    9 ?        SW     0:00 [bdflush]
    5 ?        SW     0:00 [kswapd]
    6 ?        SW     0:00 [kscand/DMA]
    7 ?        SW     0:03 [kscand/Normal]
    8 ?        SW     0:00 [kscand/HighMem]
   10 ?        SW     0:00 [kupdated]
   11 ?        SW     0:00 [mdrecoveryd]
   15 ?        SW     0:00 [kjournald]
   73 ?        SW     0:00 [khubd]
 1721 ?        SW     0:00 [kjournald]
 1722 ?        SW     0:00 [kjournald]
 1997 ?        SW     0:00 [eth0]
 2081 ?        S      0:00 /bin/bash /sbin/adsl-connect /etc/sysconfig/network-s
 2088 ?        SW     0:00 [eth1]
 2092 ?        S      0:00 /usr/sbin/pppd pty /usr/sbin/pppoe -p /var/run/pppoe-
 2093 ?        S      0:01 /usr/sbin/pppoe -p /var/run/pppoe-adsl.pid.pppoe -I e
 2163 ?        S      0:00 syslogd -m 0
 2167 ?        S      0:00 klogd -x
 2185 ?        SW     0:00 [portmap]
 2204 ?        SW     0:00 [rpc.statd]
 2757 ?        S      0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-sc
 2794 ?        S      0:00 /usr/sbin/sshd
 2808 ?        S      0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
 2826 ?        S      0:00 [sendmail]
 2831 ?        S      0:00 [sendmail]
 2837 ?        S      0:00 [sendmail]
 2855 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 2856 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 2868 ?        S      0:03 /usr/bin/spamd -d -c -a -m5 -H
 2877 ?        S      0:00 gpm -t imps2 -m /dev/mouse
 2886 ?        S      0:00 crond
 2897 ?        S      0:00 cupsd
 2900 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 2964 ?        S      0:04 [xfs]
 2982 ?        S      0:00 [atd]
 2990 tty1     S      0:00 /sbin/mingetty tty1
 2991 tty2     S      0:00 /sbin/mingetty tty2
 2992 tty3     S      0:00 /sbin/mingetty tty3
 2993 tty4     S      0:00 /sbin/mingetty tty4
 2994 tty5     S      0:00 /sbin/mingetty tty5
 2995 tty6     S      0:00 /sbin/mingetty tty6
 2996 ?        S      0:00 [gdm-binary]
 3039 ?        S      0:00 [gdm-binary]
 3040 ?        S      3:58 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
 3042 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 3050 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 3051 ?        S      0:00 /usr/bin/perl -I/usr/lib/MailScanner /usr/sbin/MailSc
 3052 ?        S      0:00 /bin/sh /usr/bin/startkde
 3089 ?        S      0:00 /usr/bin/ssh-agent /usr/share/apps/switchdesk/Xclient
 3131 ?        S      0:00 kdeinit: Running...
 3134 ?        S      0:00 kdeinit: dcopserver --nosid
 3137 ?        S      0:00 kdeinit: klauncher
 3139 ?        S      0:02 kdeinit: kded
 3151 ?        S      0:05 /usr/bin/artsd -F 10 -S 4096 -s 60 -m artsmessage -l
 3160 ?        S      0:01 kdeinit: knotify
 3161 ?        S      0:00 kwrapper ksmserver
 3163 ?        S      0:00 kdeinit: ksmserver
 3164 ?        S      0:04 kdeinit: kwin -session 117f00000100010622606640000010
 3166 ?        S      0:04 kdeinit: kdesktop
 3168 ?        S      0:14 kdeinit: kicker
 3169 ?        S      0:00 kdeinit: kio_file file /tmp/ksocket-satimis/klauncher
 3170 ?        S      0:12 /usr/bin/autorun -l --interval=1000 --cdplayer=/usr/b
 3176 ?        S      0:00 kdeinit: kwrited
 3177 ?        S      0:00 /usr/bin/pam-panel-icon --sm-client-id 117f0000010001
 3179 ?        S      0:00 [pam_timestamp_c]
 3182 ?        S      0:00 /bin/sh /usr/local/Thunderbird/run-mozilla.sh /usr/lo
 3196 ?        S      7:24 /usr/local/Thunderbird/thunderbird-bin
 3364 ?        S      0:00 /bin/sh /usr/local/Firebird/run-mozilla.sh /usr/local
 3378 ?        S      0:33 /usr/local/Firebird/MozillaFirebird-bin
 4063 ?        S      0:10 kdeinit: konsole
 4064 pts/2    S      0:00 /bin/bash
 4092 pts/2    S      0:00 [su]
 4095 pts/2    S      0:00 -bash
 4663 ?        S      0:01 kdeinit: konsole
 4664 pts/3    S      0:00 /bin/bash
 4691 pts/3    S      0:00 [su]
 4694 pts/3    S      0:00 -bash
 4734 pts/3    S      0:10 konqueror
 4736 ?        S      0:00 kdeinit: Running...
 4739 ?        S      0:00 kdeinit: dcopserver --nosid --suicide
 4742 ?        S      0:00 kdeinit: klauncher
 4744 ?        S      0:01 kdeinit: kded
 4748 ?        S      0:00 kdeinit: kio_file file /tmp/ksocket-root/klaunchertcM
 6429 pts/2    R      0:00 ps ax
Hi Tom,

I made another test by shutting down the PC and booting it again. Shorewall automatically started, I suppose. Then I restarted iptables.

TEST
===
After booting the PC

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.93) 56(84) bytes of data.
......
ping: sendmsg: Operation not permitted

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms

# shorewall status > /tmp/mx-1
(mx-1 is attached to this posting)

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:07:40:00:4E:A9
          inet addr:192.168.0.1  Bcast:192.168.0.1  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:5 Base address:0xa000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:70:F6:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7036 (6.8 Kb)  TX bytes:2806 (2.7 Kb)
          Interrupt:11 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1036 (1.0 Kb)  TX bytes:1036 (1.0 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:202.123.68.80  P-t-P:202.123.71.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2913 (2.8 Kb)  TX bytes:176 (176.0 b)

# ps ax | fgrep pptp | fgrep -v fgrep
 3305 pts/2    S      0:00 grep -F pptp

# service iptables restart
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying iptables firewall rules:                          [  OK  ]

# ping -c 3 www.yahoo.com
PING www.yahoo.akadns.net (66.218.71.95) 56(84) bytes of data.
........
64 bytes from w16.www.scd.yahoo.com (66.218.71.95): icmp_seq=3 ttl=52 time=216 ms

--- www.yahoo.akadns.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 216.162/218.013/219.836/1.593 ms

# shorewall status . /tmp/mx-2
(mx-2 is attached to this posting)

B.R.
Stephen

> On Thu, 2003-10-09 at 10:10, Tom Eastep wrote:
>
>
> >>> via ADSL modem with dynamic IP address.
> >>>
> >>>
> >> That doesn't answer my question. *How is your dynamic IP address
> >> assigned?* PPPoE, DHCP, or PPTP? We cannot help you until you answer
> >> this question.
> >>
> >>
>
> And if you don't know the answer:
>
> a) At a shell prompt logged in as root, type "ifconfig". Do you see a
> device called ppp0?
>
> b) If the answer to the first question is yes, then type "ps ax | fgrep
> pptp | fgrep -v fgrep". Did that produce any output and if so, what did
> it give you?
>
> c) If the answer to the first question is yes but the second command
> produced no output then please type "ps ax | fgrep pppoe | fgrep -v
> fgrep".
>
> d) If the command in c) produced no output then please "ps ax > /tmp/mx"
> and send us the /tmp/mx file as an attachment.
>
>Thanks,
>-Tom
>
-------------- next part --------------
Shorewall-1.4.7 Status at localhost.localdomain - Fri Oct 10 15:34:16 HKT 2003

Counters reset Mon Sep 15 22:57:46 HKT 2003

Chain INPUT (policy DROP 39 packets, 3444 bytes)
pkts bytes target prot opt in out source destination
5 1823 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 84 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain OUTPUT (policy DROP 15 packets, 1116 bytes)
pkts bytes target prot opt in out source destination
1 56 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 84 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4 240 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68

Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (2 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.1

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain eth1_in (0 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain fw2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (58 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (8 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 255.255.255.255
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 169.254.0.0/16
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.0.2.0/24
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 0.0.0.0/7
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 2.0.0.0/8
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 5.0.0.0/8
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 7.0.0.0/8
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 23.0.0.0/8
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 27.0.0.0/8
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 31.0.0.0/8
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 36.0.0.0/7
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 39.0.0.0/8
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 41.0.0.0/8
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 42.0.0.0/8
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 49.0.0.0/8
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 50.0.0.0/8
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 58.0.0.0/7
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 70.0.0.0/7
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 72.0.0.0/5
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 83.0.0.0/8
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 84.0.0.0/6
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 88.0.0.0/5
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 96.0.0.0/3
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 127.0.0.0/8
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 197.0.0.0/8
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 198.18.0.0/15
0 0 logdrop all -- * * 223.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 223.0.0.0/8
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 240.0.0.0/4

NAT Table

Chain PREROUTING (policy ACCEPT 39 packets, 3444 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5 packets, 324 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 20 packets, 1440 bytes)
pkts bytes target prot opt in out source destination

Mangle Table

Chain PREROUTING (policy ACCEPT 45 packets, 5351 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 45 packets, 5351 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 21 packets, 1496 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 6 packets, 380 bytes)
pkts bytes target prot opt in out source destination

-------------- next part --------------
Shorewall-1.4.7 Status at localhost.localdomain - Fri Oct 10 14:53:14 HKT 2003

Counters reset Mon Sep 15 22:57:46 HKT 2003

Chain INPUT (policy ACCEPT 69 packets, 8354 bytes)
pkts bytes target prot opt in out source destination
143 11986 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 143 packets, 11812 bytes)
pkts bytes target prot opt in out source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
74 3632 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

NAT Table

Chain PREROUTING (policy ACCEPT 129 packets, 8692 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 7 packets, 563 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7 packets, 563 bytes)
pkts bytes target prot opt in out source destination

Mangle Table

Chain PREROUTING (policy ACCEPT 143 packets, 11986 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 143 packets, 11986 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 143 packets, 11812 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 143 packets, 11812 bytes)
pkts bytes target prot opt in out source destination

udp 17 56 src=202.123.68.80 dst=202.123.77.209 sport=32769 dport=53 src=202.123.77.209 dst=202.123.68.80 sport=53 dport=32769 [ASSURED] use=1
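The two attachments above are raw `shorewall status` listings (the `iptables -L -n -v` format), and the useful facts are buried in them: which built-in chains have a DROP policy and how many packets fell through to it, which rules actually counted traffic, and which user chains have 0 references and therefore never run. The parser below is an added example written for this thread, not Shorewall's code or anything posted by Stephen or Tom; the two sample listings embedded in it are constructed excerpts in the shape of the attachments (one with Shorewall's chains, one with Red Hat's RH-Lokkit chain), and the chain and counter values in them are sample data, not a claim about the poster's machine.

```python
"""Parse the chain listings that 'shorewall status' (iptables -L -n -v) prints
and summarise what matters when a host has just lost connectivity."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "Chain INPUT (policy DROP 39 packets, 3444 bytes)" / "Chain net2all (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)$")
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
Rule = namedtuple("Rule", "pkts bytes target proto opt in_if out_if source dest extra")


@dataclass
class Chain:
    table: str
    name: str
    policy: str = None        # built-in chains only
    policy_pkts: int = 0      # packets that fell through to the default policy
    references: int = 0       # user-defined chains only
    rules: list = field(default_factory=list)


def parse_status(text):
    """Chains keyed by (table, name). The filter table is printed first without
    a label; a 'NAT Table' or 'Mangle Table' line switches tables."""
    chains, table, current = {}, "filter", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Table"):
            table, current = line.split()[0].lower(), None
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, ppkts, _bytes, refs = m.groups()
            current = Chain(table, name, policy, int(ppkts or 0), int(refs or 0))
            chains[(table, name)] = current
            continue
        parts = line.split(None, 9)
        # Rule lines start with two counters; the column header, the status
        # banner and the trailing conntrack line do not, and are skipped.
        if current is None or len(parts) < 9 or not parts[0].isdigit():
            continue
        extra = parts[9] if len(parts) > 9 else ""
        current.rules.append(Rule(int(parts[0]), int(parts[1]), *parts[2:9], extra))
    return chains


def policy_drops(chains):
    """Built-in chains whose default policy discards traffic, with the number of
    packets that reached the policy: non-zero means no explicit rule matched."""
    return [(c.table, c.name, c.policy_pkts) for c in chains.values()
            if c.name in BUILTIN and c.policy in ("DROP", "REJECT")]


def matched_rules(chains):
    """Rules whose packet counter moved since the counters were reset."""
    return [(c.table, c.name, r.target, r.pkts)
            for c in chains.values() for r in c.rules if r.pkts > 0]


def unreferenced_chains(chains):
    """User chains with 0 references: defined, but no jump reaches them."""
    return sorted(c.name for c in chains.values()
                  if c.name not in BUILTIN and c.references == 0)


# Constructed excerpt in the shape of the first attachment (Shorewall chains).
SAMPLE_SHOREWALL = """\
Shorewall-1.4.7 Status at localhost.localdomain - Fri Oct 10 15:34:16 HKT 2003
Counters reset Mon Sep 15 22:57:46 HKT 2003
Chain INPUT (policy DROP 39 packets, 3444 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5  1823 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    84 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
Chain OUTPUT (policy DROP 15 packets, 1116 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    56 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    4   240 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
Chain eth1_in (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
Chain net2all (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
NAT Table
Chain POSTROUTING (policy ACCEPT 5 packets, 324 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
# Constructed excerpt in the shape of the second attachment (lokkit chain only).
SAMPLE_LOKKIT = """\
Chain INPUT (policy ACCEPT 69 packets, 8354 bytes)
 pkts bytes target     prot opt in     out     source               destination
  143 11986 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain RH-Lokkit-0-50-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   74  3632 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
"""

if __name__ == "__main__":
    for label, dump in (("shorewall", SAMPLE_SHOREWALL), ("lokkit", SAMPLE_LOKKIT)):
        chains = parse_status(dump)
        print(label, "policy drops:", policy_drops(chains))
        print(label, "matched rules:", matched_rules(chains))
        print(label, "unreferenced:", unreferenced_chains(chains))
```

Run against a real listing, the three summaries answer the questions this thread circles around: a DROP policy with a non-zero counter on INPUT or OUTPUT is what "cut off from the Internet" looks like in the counters, and a per-interface chain such as `eth1_in` showing `(0 references)` means its rules were built but nothing jumps to them. The second sample has no Shorewall chains at all, only the RH-Lokkit chain, which is how a status listing taken before Shorewall has started differs from one taken after.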
On Fri, 2003-10-10 at 00:52, Stephen Liu wrote:
> Hi Tom,
>
> I made another test by shutting down the PC and booting it again.
> Shorewall automatically started, I suppose.
> Then restarted iptables.
>

Steven,

a) Your Internet interface is ppp0 which doesn't appear anywhere in your configuration.

b) You seem to be using a PPTP tunnel to communicate with your PPTP modem so you will have to set up your Shorewall configuration accordingly.

Go back to the QuickStart Guide and start from scratch. Armed with this new information, you need to set things up quite differently from what you have currently.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
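Tom's diagnosis rests on two checks a reader can automate: the a)-d) sequence quoted earlier in the thread (is there a ppp0, and is a pptp or pppoe process behind it?) and the comparison between the devices the kernel has and the ones the interfaces file names (ppp0 carrying the Internet link but appearing in no zone, one device listed for two zones). The script below is an added example written for this thread, not Shorewall's `check` command or anything the posters ran; it parses the documented `ZONE INTERFACE BROADCAST OPTIONS` layout of `/etc/shorewall/interfaces` and the output of the old-style `ifconfig` and `ps ax` commands. The interfaces file, ifconfig text and ps listings embedded in it are constructed sample inputs, with documentation-range addresses, not the poster's real configuration.

```python
"""Cross-check a Shorewall interfaces file against the devices the kernel
actually has, and classify how the Internet link is brought up the way the
a)-d) questions in this thread do."""
from collections import Counter


def parse_interfaces(text):
    """Rows of /etc/shorewall/interfaces: ZONE INTERFACE BROADCAST OPTIONS.
    Comments and blank lines are skipped; absent columns become '-'."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, iface, bcast, opts = (line.split() + ["-"] * 4)[:4]
        rows.append({"zone": zone, "iface": iface, "broadcast": bcast,
                     "options": [] if opts == "-" else opts.split(",")})
    return rows


def system_interfaces(ifconfig_text):
    """Device names from old-style ifconfig output: each block starts in
    column 0 with the name and its continuation lines are indented."""
    return {line.split()[0] for line in ifconfig_text.splitlines()
            if line and not line[0].isspace()}


def _matches(pattern, iface):
    """Shorewall accepts a trailing '+' as a wildcard (ppp+ covers ppp0, ppp1)."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern


def lint_interfaces(interfaces_text, ifconfig_text):
    rows = parse_interfaces(interfaces_text)
    present = system_interfaces(ifconfig_text)
    findings = []
    # 1. The same device in two zones: Shorewall refuses the file outright.
    for iface, n in Counter(r["iface"] for r in rows).items():
        if n > 1:
            zones = ", ".join(r["zone"] for r in rows if r["iface"] == iface)
            findings.append(f"duplicate: {iface} is listed for zones {zones}")
    # 2. A configured device the kernel does not have (typo, or not up yet).
    for r in rows:
        if not any(_matches(r["iface"], i) for i in present):
            findings.append(f"missing: zone {r['zone']} uses {r['iface']}, which is not present")
    # 3. A live device that belongs to no zone, e.g. a ppp0 carrying the
    #    Internet link while the file only names the Ethernet side.
    for iface in sorted(present - {"lo"}):
        if not any(_matches(r["iface"], iface) for r in rows):
            findings.append(f"unzoned: {iface} is up but appears in no zone")
    return findings


def wan_link_type(ifconfig_text, ps_text):
    """a) ppp0 present?  b) a pptp process?  c) a pppoe process?  d) neither.
    Searching the COMMAND column replaces 'ps ax | fgrep X | fgrep -v fgrep'."""
    if "ppp0" not in system_interfaces(ifconfig_text):
        return "no-ppp"                 # plain Ethernet: DHCP or a static address
    cmds = []
    for line in ps_text.splitlines():
        parts = line.split(None, 4)     # PID TTY STAT TIME COMMAND
        if len(parts) == 5 and parts[0].isdigit():
            cmds.append(parts[4])
    if any("pptp" in c for c in cmds):
        return "pptp"
    if any("pppoe" in c for c in cmds):
        return "pppoe"
    return "ppp-unknown"                # d) hand the whole ps listing to a human


# Constructed inputs: a two-Ethernet box whose interfaces file lists eth1
# twice and never mentions the ppp0 that actually carries the Internet link.
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        -               dhcp,routefilter,norfc1918
loc     eth0        detect
modem   eth1        detect          dhcp
"""
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
"""
PS_PPTP = """\
  PID TTY      STAT   TIME COMMAND
  612 ?        S      0:00 /usr/sbin/pptp 192.168.1.1
  615 ?        S      0:00 /usr/sbin/pppd
"""
PS_PPPOE = PS_PPTP.replace("/usr/sbin/pptp 192.168.1.1", "/usr/sbin/pppoe")

if __name__ == "__main__":
    for finding in lint_interfaces(INTERFACES, IFCONFIG):
        print(finding)
    print("Internet link type:", wan_link_type(IFCONFIG, PS_PPTP))
```

On the constructed inputs the linter reports the duplicate eth1 entry and the unzoned ppp0, and the link classifier answers "pptp", which together are the two findings Tom states above. The `+` wildcard handling matters in practice: a row such as `net ppp+ -` covers whichever pppN the tunnel comes up as, so it is accepted by the "missing" check and stops ppp0 from being reported as unzoned.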
Hi Tom,

Thanks for your advice.

I will re-start from the very beginning and come back again later.

One further question;
I tried the following to check 'interfaces', 'zones', etc.

# mkdir /etc/test
# cd /etc/test
# cp /etc/shorewall/interfaces ./
# shorewall -c . check > /tmp/interfaces_check

It seems 'check' is not functioning correctly, or I did it wrong. What does the '.' (dot) represent?

Kindly advise.

Thanks
B.R.
Stephen

Tom Eastep wrote:
>On Fri, 2003-10-10 at 00:52, Stephen Liu wrote:
>
>>Hi Tom,
>>
>>I made another test by shutting down the PC and booting it again.
>>Shorewall automatically started, I suppose.
>>Then restarted iptables.
>>
>
>Steven,
>
>a) Your Internet interface is ppp0 which doesn't appear anywhere in your
>configuration.
>
>b) You seem to be using a PPTP tunnel to communicate with your PPTP
>modem so you will have to set up your Shorewall configuration
>accordingly.
>
>Go back to the QuickStart Guide and start from scratch. Armed with this
>new information, you need to set things up quite differently from what
>you have currently.
>
>-Tom
>
On Fri, 2003-10-10 at 08:33, Stephen Liu wrote:
> Hi Tom,
>
> Thanks for your advice.
>
> I will re-start from the very beginning and come back again later.
>
> One further question;
> I tried the following to check 'interfaces', 'zones', etc.
>
> # mkdir /etc/test
> # cd /etc/test
> # cp /etc/shorewall/interfaces ./
> # shorewall -c . check > /tmp/interfaces_check
> It seems 'check' is not functioning correctly, or I did it wrong. What does
> the '.' (dot) represent?

I do that same sequence of commands regularly -- what didn't work?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom,

>On Fri, 2003-10-10 at 08:33, Stephen Liu wrote:
>
>>Hi Tom,
>>
>>Thanks for your advice.
>>
>>I will re-start from the very beginning and come back again later.
>>
>>One further question;
>>I tried the following to check 'interfaces', 'zones', etc.
>>
>># mkdir /etc/test
>># cd /etc/test
>># cp /etc/shorewall/interfaces ./
>># shorewall -c . check > /tmp/interfaces_check
>>It seems 'check' is not functioning correctly, or I did it wrong. What does
>>the '.' (dot) represent?
>>
>
>I do that same sequence of commands regularly -- what didn't work?
>

I compared the files generated, e.g. interfaces_check and zones_check. They look more or less the same, and there is a warning:

*The "check" command is totally unsuppored and does not parse and validate .... *

Therefore I did not continue.

B.R.
Stephen
On Fri, 2003-10-10 at 09:20, Stephen Liu wrote:
>
> >I do that same sequence of commands regularly -- what didn't work?
> >
>
> I compared the files generated, e.g. interfaces_check and zones_check.
> They look more or less the same, and there is a warning:
>
> *The "check" command is totally unsuppored and does not parse and
> validate ....
> *
> Therefore I did not continue.

The warning is there to inform you of what the command does and does not do. It does not mean that the command isn't useful.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>On Fri, 2003-10-10 at 09:20, Stephen Liu wrote:
>
>>>I do that same sequence of commands regularly -- what didn't work?
>>>
>>
>>I compared the files generated, e.g. interfaces_check and zones_check.
>>They look more or less the same, and there is a warning:
>>
>>*The "check" command is totally unsuppored and does not parse and
>>validate ....
>>*
>>Therefore I did not continue.
>>
>
>The warning is there to inform you of what the command does and does not
>do. It does not mean that the command isn't useful.
>

Understood. Thanks Tom

B.R.
Stephen