Stephen Liu
2003-Nov-04 02:53 UTC
[Shorewall-users] Config shorewall-two-interface question
Hi folks,

RH9
Shorewall-1.4.7
two-interface
==========
Hardware config
PC1
eth0 connected to broadband via ADSL modem
eth1 connected to PC2 via a crossover cable

PC2
eth0 connected to eth1 of PC1 for broadband sharing
(not setup yet)

Can any folk assist me to understand why uncommenting the following line in
/etc/shorewall/policy
#all all REJECT info

results in PC1 being cut off from the Internet?

Hereinbelow are the respective config files

/etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
#all     all   REJECT  info

/etc/shorewall/zones
#ZONE  DISPLAY  COMMENTS
modem  modem    ADSL Modem
net    Net      Internet
loc    Local    Local Networks
#dmz   DMZ      Demilitarized zone

/etc/shorewall/tunnels
# TYPE      ZONE   GATEWAY      GATEWAY
pptpclient  modem  192.168.1.1

/etc/shorewall/rules
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE  ORIGINAL  RATE  USER
ACCEPT   fw      net   tcp    53
ACCEPT   fw      net   udp    53
ACCEPT   loc     fw    tcp    22
ACCEPT   loc     fw    icmp   8
ACCEPT   net     fw    icmp   8
ACCEPT   fw      loc   icmp   8
ACCEPT   fw      net   icmp   8

/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST      OPTIONS
#net   eth0       "-"            dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp

Thanks in advance.

B.R.
Stephen Liu
Tom Eastep
2003-Nov-04 04:49 UTC
[Shorewall-users] Config shorewall-two-interface question
On Tue, 4 Nov 2003, Stephen Liu wrote:

> Hi folks,
>
> RH9
> Shorewall-1.4.7
> two-interface
> ==========
> Hardware config
> PC1
> eth0 connected to broadband via ADSL modem
> eth1 connected to PC2 via a crossover cable
>
> PC2
> eth0 connected to eth1 of PC1 for broadband sharing
> (not setup yet)

Then why are you asking why it doesn't work?

> Can any folk assist me to understand why uncommenting the following line in
> /etc/shorewall/policy
> #all all REJECT info
>
> results in PC1 being cut off from the Internet?

a) Your 'net' zone is empty (no interface assigned to it)
b) you haven't shown us the 'masq' file so it may be wrong.
c) you have apparently hacked the policy file to make something work.
d) your log probably contains useful information.

My suggestion is to set everything up according to the two-interface quickstart guide (which you apparently didn't use given the commented-out dmz zone). If PC2 doesn't have internet access then *stop* and post a problem report.

-Tom

Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Stephen Liu
2003-Nov-04 06:25 UTC
[Shorewall-users] Config shorewall-two-interface question
Hi Tom,

Thanks for your advice.

>> - snip -
>>
>> PC2
>> eth0 connected to eth1 of PC1 for broadband sharing
>> (not setup yet)
>
> Then why are you asking why it doesn't work?

First I have to solve the problem of PC1 being cut off from the Internet when shorewall is up.

>> Can any folk assist me to understand why uncommenting the following line in
>> /etc/shorewall/policy
>> #all all REJECT info
>>
>> results in PC1 being cut off from the Internet?
>
> a) Your 'net' zone is empty (no interface assigned to it)

/etc/shorewall/interfaces
#ZONE  INTERFACE  BROADCAST      OPTIONS
#net   eth0       "-"            dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp

I followed the Quickstart guide to add the last line "modem eth0 192.168.1.255 dhcp" and "-" to the first line. I commented out "net eth0 "-" dhcp,routefilter,norfc1918", because shorewall complained on starting, double interface.

> b) you haven't shown us the 'masq' file so it may be wrong.

/etc/shorewall/masq
#INTERFACE  SUBNET  ADDRESS
eth0        eth1

Only one line. I have not touched this file.

> c) you have apparently hacked the policy file to make something work.
> d) your log probably contains useful information.

/etc/shorewall/policy
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
#all     all   REJECT  info

This is the original sample file. I only uncommented "fw net ACCEPT".

Kindly advise which file under /var/log/ I have to look at. I could not find a relevant file.

> My suggestion is to set everything up according to the two-interface
> quickstart guide (which you apparently didn't use given the commented-out
> dmz zone).

/etc/shorewall/zones
#ZONE  DISPLAY  COMMENTS
modem  modem    ADSL Modem
net    Net      Internet
loc    Local    Local Networks
#dmz   DMZ      Demilitarized zone

The last line "dmz DMZ Demilitarized zone" was added by me, it is not in the sample file. Later I commented it out because it seemed to make no difference.

> If PC2 doesn't have internet access then *stop* and post a
> problem report.

Yes, I will test PC2 later after solving the problem of PC1.

Thanks

B.R.
Stephen
Tom Eastep
2003-Nov-04 06:32 UTC
[Shorewall-users] Config shorewall-two-interface question
On Tue, 4 Nov 2003, Stephen Liu wrote:

> Hi Tom,
>
> Thanks for your advice.
>
> - snip -
>
> /etc/shorewall/interfaces
> #ZONE  INTERFACE  BROADCAST      OPTIONS
> #net   eth0       "-"            dhcp,routefilter,norfc1918
> loc    eth1       detect
> modem  eth0       192.168.1.255  dhcp
>
> I followed the Quickstart guide to add the last line "modem eth0
> 192.168.1.255 dhcp" and "-" to the first line. I commented out
> "net eth0 "-" dhcp,routefilter,norfc1918", because shorewall
> complained on starting, double interface.

To those of you who want to help with Shorewall Support -- please step in now. I'm off to work....

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Cal Evans

Stephen,

Not an expert here but it looks like you borked things when you commented out net and added modem to interfaces. You created an interface and a zone (unnecessarily?) that are not referenced in your policy or rules.

Basically, you've told it to use modem but then not told it to allow modem to accept any traffic. (IIRC if it's not specifically given permission to accept traffic then it won't.)

OPINION: Start from scratch. Don't add modem, configure net in interfaces to the settings you need modem to have. Get it working with an absolute minimum number of changes and THEN start tinkering with things like adding interfaces/zones. (backup often!)

Take it for what it's worth.

HTH,
=C

* Cal Evans
* http://www.eicc.com
* We take care of your IT,
* So you can take care of your business.
*
* I think inside the sphere.

Stephen Liu wrote:

> Hi folks,
>
> - snip -
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Nov-04 07:06 UTC
[Shorewall-users] Config shorewall-two-interface question
On Tue, 4 Nov 2003, Cal Evans wrote:

> Stephen,
>
> Not an expert here but it looks like you borked things when you
> commented out net and added modem to interfaces. You created an interface
> and a zone (unnecessarily?) that are not referenced in your policy or rules.
>
> Basically, you've told it to use modem but then not told it to allow
> modem to accept any traffic. (IIRC if it's not specifically given
> permission to accept traffic then it won't.)

I suspect that Stephen may have a PPTP connection to his modem given that he claims to have followed the guide and added the "modem" zone on eth0. What he neglected to do was to define ppp0 as the interface to the "net".

Stephen: The instructions at http://www.shorewall.net/PPTP.htm ARE IN ADDITION to those in the QuickStart Guide -- they don't replace the guide.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Stephen Liu
2003-Nov-04 08:19 UTC
[Shorewall-users] Config shorewall-two-interface question
Hi Tom and Cal,

Previously I configured
/etc/shorewall/tunnels
/etc/shorewall/interfaces
/etc/shorewall/zones

according to
5. PPTP Client running on your Firewall with PPTP Server in an ADSL Modem
of
http://www.shorewall.net/PPTP.htm

I added "modem eth0 192.168.1.255 dhcp" to /etc/shorewall/interfaces
#net   eth0  "-"            dhcp,routefilter,norfc1918
loc    eth1  detect
modem  eth0  192.168.1.255  dhcp

But I was compelled to comment out the first line because of a complaint on starting Shorewall.

Should I have made a wrong selection, please advise me.

Thanks

B.R.
Stephen

Tom Eastep wrote:

> On Tue, 4 Nov 2003, Cal Evans wrote:
>
> - snip -
>
> I suspect that Stephen may have a PPTP connection to his modem given that
> he claims to have followed the guide and added the "modem" zone on eth0.
> What he neglected to do was to define ppp0 as the interface to the "net".
>
> Stephen: The instructions at http://www.shorewall.net/PPTP.htm ARE IN
> ADDITION to those in the QuickStart Guide -- they don't replace the
> guide.
>
> -Tom
Julian Church
2003-Nov-04 09:01 UTC
[Shorewall-users] Config shorewall-two-interface question
On Wed, 05 Nov 2003 00:22:23 +0800, Stephen Liu <satimis@icare.com.hk> wrote:

> Hi Tom and Cal,
>
> Previously I configured
> /etc/shorewall/tunnels
> /etc/shorewall/interfaces
> /etc/shorewall/zones
>
> according to
> 5. PPTP Client running on your Firewall with PPTP Server in an ADSL Modem
> of
> http://www.shorewall.net/PPTP.htm
>
> I added "modem eth0 192.168.1.255 dhcp" to /etc/shorewall/interfaces
> #net   eth0  "-"            dhcp,routefilter,norfc1918
> loc    eth1  detect
> modem  eth0  192.168.1.255  dhcp
>
> But I was compelled to comment out the first line because of a complaint on
> starting Shorewall.
>
> Should I have made a wrong selection, please advise me.

First, we need to confirm that you are in fact using PPTP to connect to your ISP. If not, we're on the wrong track.

Then, note that the instructions you are following (http://www.shorewall.net/PPTP.htm) also say

"You will of course modify the 'net' entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface as described in the QuickStart Guide corresponding to your setup."

Which you don't appear to have done. You need to change eth0 to ppp0, but you've commented out the line instead.

We'll get there!

cheers

Julian
--
jc@ljchurch.co.uk
www.ljchurch.co.uk
Joshua Banks
2003-Nov-04 09:06 UTC
[Shorewall-users] Config shorewall-two-interface question
--- Stephen Liu <satimis@icare.com.hk> wrote:

> Hi Tom and Cal,
>
> Previously I configured
> /etc/shorewall/tunnels
> /etc/shorewall/interfaces
> /etc/shorewall/zones
>
> according to
> 5. PPTP Client running on your Firewall with PPTP Server in an ADSL
> Modem
> of
> http://www.shorewall.net/PPTP.htm
>
> I added "modem eth0 192.168.1.255 dhcp" to /etc/shorewall/interfaces
> #net   eth0  "-"            dhcp,routefilter,norfc1918
> loc    eth1  detect
> modem  eth0  192.168.1.255  dhcp

Did you miss this part:

"You will of course modify the 'net' entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface as described in the QuickStart Guide corresponding to your setup."

So I believe (in addition to) the 2 I/F quickstart guide you need to follow the directions carefully in the link you provided above. Keyword.. (in addition to)

Does that help???

OK...Uncomment the (net entry) and replace eth0 with ppp0. Make sense.

JBanks
Stephen Liu
2003-Nov-04 17:57 UTC
[Shorewall-users] Config shorewall-two-interface question
Hi Julian and Joshua

Thanks for your advice.

I did the following steps

1)
in /etc/shorewall/interfaces uncommented the following line and changed eth0 to ppp0
net ppp0 "-" dhcp,routefilter,norfc1918

now /etc/shorewall/interfaces looks as follows
#ZONE  INTERFACE  BROADCAST      OPTIONS
net    ppp0       "-"            dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp

2)
in /etc/shorewall/zones uncommented "dmz DMZ Demilitarized zone"

now /etc/shorewall/zones looks as follows;
#ZONE  DISPLAY  COMMENTS
modem  modem    ADSL Modem
net    Net      Internet
loc    Local    Local Networks
dmz    DMZ      Demilitarized zone

3)
in /etc/shorewall/policy uncommented "all all REJECT info"

now /etc/shorewall/policy looks as follows
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

Could you please explain what will be the function of
"all all REJECT info"
Thanks

4)
# /sbin/shorewall stop
# /sbin/shorewall start

It looks OK now. PC1 can connect to the Internet.

I will start configuring PC2 later and come back to the List if a problem occurs

Thanks

B.R.
Stephen

Julian Church wrote:

> On Wed, 05 Nov 2003 00:22:23 +0800, Stephen Liu <satimis@icare.com.hk>
> wrote:
>
> - snip -
>
> First, we need to confirm that you are in fact using PPTP to connect
> to your ISP. If not, we're on the wrong track.
>
> Then, note that the instructions you are following
> (http://www.shorewall.net/PPTP.htm) also say
>
> "You will of course modify the 'net' entry in
> /etc/shorewall/interfaces to specify 'ppp0' as the interface as
> described in the QuickStart Guide corresponding to your setup."
>
> Which you don't appear to have done. You need to change eth0 to ppp0,
> but you've commented out the line instead.
>
> We'll get there!
>
> cheers
>
> Julian
Joshua Banks
2003-Nov-04 20:01 UTC
[Shorewall-users] Config shorewall-two-interface question
--- Stephen Liu <satimis@icare.com.hk> wrote:

> Could you please explain what will be the function of
> "all all REJECT info"
> Thanks

Straight from the Shorewall site.

"For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If that policy is REJECT or DROP the request is first checked against the rules in /etc/shorewall/common.def."

It then goes on to say: Given the default set of policies below, and to include your example as part of the default policy of course,

Source Zone  Destination Zone  Policy  Log Level  Limit:Burst
loc          net               ACCEPT
net          all               DROP    info
all          all               REJECT  info

The above policy will (by general zone now), if no rule is matched in the rules file:

1. allow all connection requests from your local network to the internet

2. drop (ignore) all connection requests from the internet to your firewall or local network and log a message at the info level (here is a description of log levels).

3. reject all other connection requests and log a message at the info level. When a request is rejected, the firewall will return an RST (if the protocol is TCP) or an ICMP port-unreachable packet for other protocols.

Stephen, I believe that this works similar to/like an Access Control List in a sense. You need a policy at the end that says "you haven't matched any rule or policy so therefore your connection is rejected. Since I have implicitly allowed you then you are denied, basically"

If you didn't have an implicit deny/drop/reject (whatever you want to call it) policy then the packet would stay caught in a loop recycling itself back through the rules and then policy file, over and over, eating cpu cycles and wasting resources until the TTL in the packet expires. Having such a policy is standard operating procedure in the Firewalling bizz from my understanding.

If this doesn't make sense then please set me straight. :D It wouldn't be the first time I thought I knew something when I didn't.

Have you read or looked at the policy file?: It kind of explains the same thing.

cat /etc/shorewall/policy [file]

If you try and do what you were trying to do shorewall will not start.

I commented the last policy like your example and lo and behold, a firewall that does what it's supposed to do.

Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Error: No default policy for zone fw to zone loc
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated

And this is when you set syslog up to have you paged and the admin walks away having no idea what happened.. Why is everyone screaming at me.. :)
Kind of hard to get to this list when your firewall is broken...but I think Tom even thought of that. Wouldn't surprise me anyways.. Heh..

HTH's,
JBanks
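The lookup order Joshua quotes (rules file first, then the first matching policy line, and a zone pair that matches nothing is a start-time error, as his "No default policy for zone fw to zone loc" output shows) can be checked on paper before restarting the firewall. The script below is an added example, not Shorewall's own code and not something posted in the thread: it is a simplified model of that first-match lookup, fed the rules and policy files Stephen posted (embedded inline), and it reports which line decides a given request. The function names and the sample requests are this example's own; common.def, zone nesting and the per-interface options are not modelled.

```python
"""Simplified model of Shorewall 1.4's connection-request lookup.

Added example (not Shorewall's own code, not from the thread).  Shorewall
compiles the rules and policy files into iptables chains; this only
re-creates the documented lookup order (rules file first, then the first
matching policy line) so you can see which line decides a request.
Not modelled: common.def, zone nesting, per-interface options.
"""

# Zones as in the thread: 'fw' is Shorewall's built-in firewall zone,
# 'net' and 'loc' come from /etc/shorewall/zones.
ZONES = ["fw", "net", "loc"]

# The rules and policy files as posted in the thread, embedded so the
# script runs offline (the rules header is shortened to the used columns).
RULES = """
#ACTION  SOURCE  DEST  PROTO  DEST PORT
ACCEPT   fw      net   tcp    53
ACCEPT   fw      net   udp    53
ACCEPT   loc     fw    tcp    22
ACCEPT   loc     fw    icmp   8
ACCEPT   net     fw    icmp   8
ACCEPT   fw      loc   icmp   8
ACCEPT   fw      net   icmp   8
"""

POLICY = """
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

# The same file with the catch-all commented out, as in Stephen's first post.
POLICY_NO_CATCHALL = """
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
#all     all   REJECT  info
"""


class NoPolicyError(Exception):
    """A zone pair with no policy line; Shorewall refuses to start on this."""


def parse_table(text):
    """Split a Shorewall table into rows of whitespace-separated columns.

    Anything from '#' to end of line is a comment, as in the real files.
    """
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lookup(rules_text, policy_text, src, dst, proto="-", dport="-"):
    """Decide a new connection request src -> dst.

    Returns (action, where); 'where' is 'rule N' or 'policy N', counting
    non-comment lines of the respective file from 1.  For ICMP the
    'dport' column carries the ICMP type, as in the posted rules file.
    """
    for n, row in enumerate(parse_table(rules_text), 1):
        action, rsrc, rdst = row[0], row[1], row[2]
        rproto = row[3] if len(row) > 3 else "-"
        rport = row[4] if len(row) > 4 else "-"
        if (rsrc == src and rdst == dst
                and rproto in ("-", proto) and rport in ("-", dport)):
            return action, "rule %d" % n
    # No rule matched: the first policy line whose zones match decides.
    for n, row in enumerate(parse_table(policy_text), 1):
        psrc, pdst, action = row[0], row[1], row[2]
        if psrc in ("all", src) and pdst in ("all", dst):
            return action, "policy %d" % n
    raise NoPolicyError("No default policy for zone %s to zone %s" % (src, dst))


def missing_policies(policy_text, zones=ZONES):
    """Zone pairs no policy line covers: the 'No default policy' start error.

    Traffic within one zone is not checked here.
    """
    rows = parse_table(policy_text)
    return [(src, dst) for src in zones for dst in zones if src != dst
            and not any(r[0] in ("all", src) and r[1] in ("all", dst) for r in rows)]


if __name__ == "__main__":
    requests = [("net", "fw", "icmp", "8"), ("loc", "net", "tcp", "80"),
                ("net", "loc", "tcp", "22"), ("fw", "loc", "tcp", "22")]
    for req in requests:
        print("%s -> %s %s/%s: %s (%s)" % (req + lookup(RULES, POLICY, *req)))
    print("pairs with no policy once the catch-all is commented out:",
          missing_policies(POLICY_NO_CATCHALL))
```

Two things the model makes visible: policy lines are first-match, so "net all DROP" sitting above "all all REJECT" is why unsolicited traffic from the net is silently dropped while everything else is rejected with an RST or port-unreachable; and because "fw net ACCEPT" is a policy, the fw-to-net lines in the posted rules file match first but yield the same ACCEPT the policy would, so they are redundant once that policy is in place. With the catch-all commented out, fw-to-loc and loc-to-fw have no policy at all, which is the error Joshua's output shows rather than any packet loop.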
Julian Church
2003-Nov-05 00:20 UTC
[Shorewall-users] Config shorewall-two-interface question
On Wed, 05 Nov 2003 10:00:13 +0800, Stephen Liu <satimis@icare.com.hk> wrote:

> now /etc/shorewall/policy looks as follows
> #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
> loc      net   ACCEPT
> fw       net   ACCEPT
> net      all   DROP    info
> all      all   REJECT  info
>
> Could you please explain what will be the function of
> "all all REJECT info"
> Thanks

The statements in the policy file are evaluated in order. That line is last, so it means it's the default behaviour for packets not matched by any other rules or policies.

> 4)
> # /sbin/shorewall stop
> # /sbin/shorewall start
>
> It looks OK now. PC1 can connect to the Internet.

Congratulations!

> I will start configuring PC2 later and come back to the List if a problem occurs

Please do

regards

Julian
Stephen Liu
2003-Nov-05 19:13 UTC
[Shorewall-users] Config shorewall-two-interface question
Hi Joshua, Julian and others,

Thanks for your advice.

I continued testing the second stage - broadband sharing/masq

PC1 RH9
==
eth0 connected to broadband
eth1 connected to eth0 of PC2 via a crossover cable

eth1 config;
Under 'General' tab
check Activate device when computer starts
check Statically set IP addresses
Address 192.168.0.1
Subnet 255.255.255.0
Default Gateway Address blank/no entry
Under 'Route' tab
No entry

PC2 RH8
==
eth0 connected to eth1 of PC1 via a crossover cable

eth0 config;
Under 'General' tab
check Activate device when computer starts
check Statically set IP addresses
Address 192.168.0.2
Subnet 255.255.255.0
Default Gateway Address 192.168.0.1
Under 'Route' tab
No entry

/etc/shorewall/masq
#INTERFACE  SUBNET  ADDRESS
eth0        eth1

TEST on PC2
=========
PC2 Konsole Window
# ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1) from 192.168.0.2 : 56(84) bytes of data.
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
.........

# service network restart
Shutting down interface eth0:     [ OK ]
Shutting down loopback interface: [ OK ]
Setting network parameters:       [ OK ]
Bringing up loopback interface:   [ OK ]
Bringing up interface eth0:       [ OK ]

# service iptables stop
# service iptables start
(all no printout)

# /etc/init.d/iptables status
# /etc/init.d/iptables stop
# /etc/init.d/iptables start
(all no printout)

# rpm -q iptables
iptables-1.2.6a-2
# rpm -q ipchains
ipchains-1.3.10-16

# redhat-config-services
starting "Service Configuration" window to disable iptables and ipchains

# ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1) from 192.168.0.2 : 56(84) bytes of data.
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
.........

(Remark:
LED of eth1-PC1 glowed
LED of eth0-PC2 did not glow)

Could not proceed testing further.

Kindly advise

Thanks in advance.

B.R.
Stephen

Joshua Banks wrote:

> --- Stephen Liu <satimis@icare.com.hk> wrote:
>
>> Could you please explain what will be the function of
>> "all all REJECT info"
>> Thanks
>
> - snip -
>Since I have implicitly allowed you then you are denied, basically" > >If you didn''t have an implicit deny/drop/reject (what ever you want to >call it) policy then the packet would stay caught in a loop recycling >itself back through the rules and then policy file, over and over, >eating cpu cycles and wasting resources until the TTL in the packet >expires. Having such a policy is standard operating proceedure in the >Firewalling bizz from my understanding. > >If this doesn''t make sense then please set me straight. :D It wouldn''t >be the first time I thought I knew something when I didn''t. > >Have you read or looked at the policy file?: It kindof explains the >same thing. > >cat /etc/shorewall/policy [file] > >If you try and do what you were trying to do shorewall will not start. > >I commented the last policy like your example and low and behold, a >firewall that does what its supposed to do. > >Processing /etc/shorewall/policy... > Policy ACCEPT for fw to net using chain fw2net > Error: No default policy for zone fw to zone loc >Processing /etc/shorewall/stop ... >Processing /etc/shorewall/stopped ... >Terminated > >And this is when you set syslog up to have you paged and the admin >walks away having no idea what happened.. Why is everyone screaming at >me.. :) >Kindof hard to get to this list when your firewall is broken...but I >think Tom even thought of that. Wouldn''t surprise me anyways.. Heh.. > >HTH''s, >JBanks > >
Joshua Banks
2003-Nov-05 23:10 UTC
[Shorewall-users] Config shorewall-two-interface question
--- Stephen Liu <satimis@icare.com.hk> wrote:

Could you get out to the internet from pc2 going through pc1? Did you try? I'm confused.

Don't take this wrong Stephen. But you have a local networking problem and/or mis-configuration problem which is obvious. Not trying to state the obvious but trying to make a statement nonetheless.

It's hard for us to help with shorewall questions when you can't ping from one machine to another when they are directly connected. If you think shorewall is the problem then uninstall shorewall and see if you can ping from pc2 to pc1.

I think you have shorewall installed on both pc1 and pc2. If so this isn't a recommended setup for the type of test you're trying.

I can only sit and guess as to what the problems might be since you didn't explain what you did to isolate this as a shorewall problem. Did you check pc1's shorewall logs when the pings failed from pc2 to pc1??

Since you didn't tell us what you did to further troubleshoot I will assume you didn't know what to do next. So here are my simple suggestions.

Uninstall shorewall from both pc1 and pc2 and regain network connectivity between pc1 and pc2. E.g. get ping to work from pc1 to pc2 and vice versa.

Reinstall shorewall on pc1 using the 2 interface quick setup guide and additional pptp directions as you did before. Start shorewall and verify internet connectivity from shorewall pc1.

Modify pc2 to point to pc1 for its default gateway and retest network connectivity. Modify pc2's /etc/resolv.conf to have the ISP's dns servers. Ping pc1 from pc2 and vice versa. From pc2 ping 66.218.71.92 and then also try pinging www.yahoo.com.

What you need to do is show through whatever troubleshooting steps you need to take that shorewall is the problem. You haven't done that yet.
I hope this helps.

JBanks
Stephen Liu
2003-Nov-06 00:58 UTC
[Shorewall-users] Config shorewall-two-interface question-broadband sharing
Hi Joshua,

> --- Stephen Liu <satimis@icare.com.hk> wrote:
> Could you get out to the internet from pc2 going through pc1?
> Did you try? I'm confused.

Yes. I first pinged www.yahoo.com

PC2 RH8.0
====
# ping -c 3 www.yahoo.com
ping: unknown host www.yahoo.com

Later I found ipchains running on it (not iptables)

# service ipchains stop
Flushing all chains:                                      [ OK ]
Removing user defined chains:                             [ OK ]
Resetting built-in chains to the default ACCEPT policy:   [ OK ]

Situation remained unchanged, I could neither ping the Internet nor 192.168.0.1 (PC1)

PC1 RH9
===
I also did
# service iptables stop
Flushing all chains:                                      [ OK ]
Removing user defined chains:                             [ OK ]
Resetting built-in chains to the default ACCEPT policy:   [ OK ]

# ping -c 3 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.327 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.200 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.166 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2014ms
rtt min/avg/max/mdev = 0.166/0.231/0.327/0.069 ms

It seemed OK. PC1 could ping PC2 but not the other way round

> Don't take this wrong Stephen. But you have a local networking problem
> and/or mis-configuration problem which is obvious. Not trying to
> state the obvious but trying to make a statement nonetheless.
>
> It's hard for us to help with shorewall questions when you can't ping
> from one machine to another when they are directly connected. If you
> think shorewall is the problem then uninstall shorewall and see if you
> can ping from pc2 to pc1.

Further test

On PC1
# /sbin/shorewall stop

On PC2
# ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1) from 192.168.0.2 : 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.369 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.204 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.196 ms

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 1998ms
rtt min/avg/max/mdev = 0.196/0.256/0.369/0.080 ms

It seemed OK now. PC2 could ping PC1

I ceased to test further and restarted Shorewall (because iptables also stopped).

I might not have configured Shorewall correctly but have no idea where it went wrong

B.R.
Stephen

> I think you have shorewall installed on both pc1 and pc2. If so this
> isn't a recommended setup for the type of test you're trying.
>
> - snip -
Stephen Liu
2003-Nov-06 01:50 UTC
[Shorewall-users] Config shorewall-two-interface question (SOLVED)
Hi Joshua and others

Further to my last posting, the problem is SOLVED now.

Solution:
edited /etc/shorewall/masq
#INTERFACE  SUBNET  ADDRESS
ppp0        eth1

Now PC2 can connect to the Internet and ping PC1

Lots of thanks to all of you for assisting me to solve problems in the past

B.R.
Stephen

> --- Stephen Liu <satimis@icare.com.hk> wrote:
> Could you get out to the internet from pc2 going through pc1?
> Did you try? I'm confused.
>
> - snip -
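The three misconfigurations this thread worked through (a 'net' zone with no interface, eth0 listed for two zones, and 'masq' pointing at eth0 while the Internet was actually on ppp0) are all inconsistencies between files that can be caught before running 'shorewall start'. The script below is an added example, not part of Shorewall and not posted in the thread: it parses the zones, interfaces and masq files as Stephen posted them (embedded inline: the version from his first post, the "double interface" version he had before commenting 'net' out, and the final working one) and reports each mismatch. The check names and messages are this example's own; it assumes the Shorewall 1.4 column layout and 'fw' as the built-in firewall zone name.

```python
"""Cross-file consistency check for a Shorewall 1.4 configuration.

Added example (not part of Shorewall, not posted in the thread).  It
re-checks the three mistakes in this thread before a 'shorewall start':
a zone with no interface, one interface listed for two zones, and a
masq entry whose outgoing interface is not in the 'net' zone.  Column
layout is Shorewall 1.4's; 'fw' is assumed to be the built-in zone name.
"""

ZONES = """
#ZONE  DISPLAY  COMMENTS
modem  modem    ADSL Modem
net    Net      Internet
loc    Local    Local Networks
"""

# Stephen's first post: 'net' commented out, eth0 given to 'modem', masq on eth0
# (the broadcast column is written as '-' as Shorewall expects it).
INTERFACES_BROKEN = """
#ZONE  INTERFACE  BROADCAST      OPTIONS
#net   eth0       -              dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp
"""
MASQ_BROKEN = """
#INTERFACE  SUBNET  ADDRESS
eth0        eth1
"""

# What he had before commenting 'net' out (the "double interface" complaint).
INTERFACES_DOUBLE = """
#ZONE  INTERFACE  BROADCAST      OPTIONS
net    eth0       -              dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp
"""

# The configuration that finally worked: 'net' on ppp0, masquerade out of ppp0.
INTERFACES_FIXED = """
#ZONE  INTERFACE  BROADCAST      OPTIONS
net    ppp0       -              dhcp,routefilter,norfc1918
loc    eth1       detect
modem  eth0       192.168.1.255  dhcp
"""
MASQ_FIXED = """
#INTERFACE  SUBNET  ADDRESS
ppp0        eth1
"""


def parse_table(text):
    """Rows of whitespace-separated columns; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lint(zones_text, interfaces_text, masq_text):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    zones = [r[0] for r in parse_table(zones_text)]
    zone_ifaces = {z: [] for z in zones}   # zone -> interfaces assigned to it
    iface_zones = {}                        # interface -> zones it appears under

    for row in parse_table(interfaces_text):
        zone, iface = row[0], row[1]
        if zone not in zone_ifaces:
            findings.append("interfaces: zone %r is not defined in zones" % zone)
            continue
        zone_ifaces[zone].append(iface)
        iface_zones.setdefault(iface, []).append(zone)

    for zone, ifaces in zone_ifaces.items():
        if not ifaces:
            findings.append("zones: zone %r has no interface" % zone)
    for iface, zs in iface_zones.items():
        if len(zs) > 1:
            findings.append("interfaces: %s listed for more than one zone (%s)"
                            % (iface, ", ".join(zs)))

    # masq: column 1 is the outgoing interface and must belong to 'net';
    # column 2 is either a subnet or the inside interface to masquerade.
    net_ifaces = set(zone_ifaces.get("net", []))
    for row in parse_table(masq_text):
        out_iface, source = row[0], row[1]
        if out_iface not in net_ifaces:
            findings.append("masq: %s is not an interface of zone 'net' (net has %s)"
                            % (out_iface, ", ".join(sorted(net_ifaces)) or "none"))
        if not source[0].isdigit() and source not in iface_zones:
            findings.append("masq: source %r is not a known interface" % source)
    return findings


if __name__ == "__main__":
    for label, ifaces, masq in (("as first posted", INTERFACES_BROKEN, MASQ_BROKEN),
                                ("before commenting net out", INTERFACES_DOUBLE, MASQ_BROKEN),
                                ("final", INTERFACES_FIXED, MASQ_FIXED)):
        print(label + ":", lint(ZONES, ifaces, masq) or "ok")
```

The masq check is the one that matters most: with 'net' on ppp0 but masquerading configured on eth0, PC2's private source address was never translated on the link that actually carries traffic to the Internet, which is why the final fix was the masq file and not the policy. Run the same checks against a copy of /etc/shorewall before each restart; an empty list means the zones, interfaces and masq files agree with each other.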