Here is my situation...

Linux eth0->internet
Linux eth1->hub->vpn router

other machines are also connected to this hub. Other machines can ping and be pinged by this linux machine (and share files through samba).

However, machines on the other side of the vpn can communicate with these local machines (win2k machines), but cannot ping or communicate with the linux machine.

I have the feeling this may be due to shorewall. Here is my rules file. Any ideas?

ACCEPT net fw udp 53,67 -
ACCEPT net fw tcp 80,443,53,22,25,109,110,143,9999,25506 -
REJECT net fw udp 137,138 -
REJECT net fw tcp 139,445 -
ACCEPT loc fw udp 7,25 -
ACCEPT loc fw tcp 7,25,137,138,139,445 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

_______________________________________________
No banners. No pop-ups. No kidding. Introducing My Way - http://www.myway.com
On Tuesday 16 December 2003 11:22 pm, mrmailer wrote:
> Here is my situation...
>
> Linux eth0->internet
> Linux eth1->hub->vpn router
>
> other machines are also connected to this hub. Other machines can ping and
> be pinged by this linux machine (and share files through samba).
>
> However, machines on the other side of the vpn can communicate with these
> local machines (win2k machines), but cannot ping or communicate with the
> linux machine.
>
> I have the feeling this may be due to shorewall. Here is my rules file.
> Any ideas?

Please see http://www.shorewall.net/Multiple_Zones.html

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Well, I don''t think it''s multiple zones, is it, at least not in the way specified on the page(192.168.x.? and 192.168.x+1.?), because to the linux machine, this should just appear as another local machine pinging it, right? I don''t need the linux machine to be able to access the other machines through the vpn, only the linux machine to be accessible itself through the vpn, if that makes sense. --- On Wed 12/17, Tom Eastep < teastep@shorewall.net > wrote: From: Tom Eastep [mailto: teastep@shorewall.net] To: mrmailer@myway.com, shorewall-users@lists.shorewall.net Date: Wed, 17 Dec 2003 07:21:57 -0800 Subject: Re: [Shorewall-users] linux not accessible through VPN On Tuesday 16 December 2003 11:22 pm, mrmailer wrote:<br>> Here is my situation...<br>><br>> Linux eth0->internet<br>> Linux eth1->hub->vpn router<br>><br>> other machines are also connected to this hub. Other machines can ping and<br>> be pinged by this linux machine(and share files through samba).<br>><br>> However, machines on the other side of the vpn can communicate with these<br>> local machines(win2k machines), but cannot ping or communicate with the<br>> linux machine.<br>><br>> I have the feeling this my be due to shorewall. Here is my rules file.<br>> Any ideas?<br><br>Please see http://www.shorewall.net/Multiple_Zones.html<br><br>-Tom<br>-- <br>Tom Eastep \ Nothing is foolproof to a sufficiently talented fool<br>Shoreline, \ http://shorewall.net<br>Washington USA \ teastep@shorewall.net<br><br><br> _______________________________________________ No banners. No pop-ups. No kidding. Introducing My Way - http://www.myway.com
Would just enabling all traffic over the local network fix this? (with a rule)
On Wednesday 17 December 2003 10:48 am, mrmailer wrote:
> Well, I don't think it's multiple zones, is it, at least not in the way
> specified on the page (192.168.x.? and 192.168.x+1.?), because to the linux
> machine, this should just appear as another local machine pinging it,
> right?

The article deals with routers/VPN servers in the local zone and goes on to discuss when you need multiple zones, when you don't and options for configuring those zones.

> I don't need the linux machine to be able to access the other
> machines through the vpn, only the linux machine to be accessible itself
> through the vpn, if that makes sense.
>

Uh -- packets have to go in both directions; for the linux machine to be accessible "through the VPN", the machines on the other end of the VPN must be accessible from the linux machine. Does the Linux box have a route through the VPN server to the remote system?

-Tom
ok, my mistake, I need
192.168.100.x
192.168.101.x
192.168.102.x
192.168.111.x

Someone said I need the equiv of changing loc to 192.168.0.0/16 all to have access over the eth1 interface. Or, can I just disable shorewall on eth1 and have it only work on eth0? That would be ideal.
On Wednesday 17 December 2003 11:46 am, mrmailer wrote:
> ok, my mistake, I need
> 192.168.100.x
> 192.168.101.x
> 192.168.102.x
> 192.168.111.x
>
> Someone said I need the equiv of changing loc to 192.168.0.0/16
>
> all to have access over the eth1 interface. Or, can I just disable
> shorewall on eth1 and have it only work on eth0? That would be ideal.

You have given us absolutely no evidence that Shorewall is in any way involved in your problem. If "shorewall clear" allows access to the Linux box and you want to open all traffic between your firewall and local network then you can simply add the following policies:

fw loc ACCEPT
loc fw ACCEPT

and remove all fw<->loc rules from /etc/shorewall/rules. If "shorewall clear" doesn't help (be sure to "shorewall start" after testing) then you have a problem that is totally unrelated to Shorewall.

AND WOULD YOU STOP SENDING YOUR REPLIES TO ME AND TO THE LIST -- I subscribe to the list and will get your messages if you just post them there, believe me.

-Tom
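To show why the rules file posted at the top of the thread cannot by itself settle the ping question, here is an added example (written for this page, not code from the thread or from Shorewall) that models Shorewall's lookup order: the first matching line in /etc/shorewall/rules wins, and only when no rule matches does the /etc/shorewall/policy entry for the zone pair apply. The two policy files are constructed, since the thread never showed the real one; interfaces, source ports, macros and other Shorewall features are left out of the model.

```python
# Simplified model of Shorewall's rule-then-policy lookup (not Shorewall's
# own code): scan /etc/shorewall/rules top to bottom for the first match,
# fall back to the first matching /etc/shorewall/policy line otherwise.

# The rules file exactly as posted in the thread.
RULES = """
ACCEPT net fw udp 53,67 -
ACCEPT net fw tcp 80,443,53,22,25,109,110,143,9999,25506 -
REJECT net fw udp 137,138 -
REJECT net fw tcp 139,445 -
ACCEPT loc fw udp 7,25 -
ACCEPT loc fw tcp 7,25,137,138,139,445 -
"""

# Constructed policy file (the real one was never posted).
POLICY_BEFORE = """
loc net ACCEPT
net all DROP
all all REJECT
"""
# Same file with the two policies Tom suggested added at the top.
POLICY_AFTER = "fw loc ACCEPT\nloc fw ACCEPT\n" + POLICY_BEFORE


def parse(text, ncols):
    """Split a Shorewall table into rows of ncols columns, '-' padded."""
    rows = []
    for line in text.strip().splitlines():
        if line.strip() and not line.startswith("#"):
            cols = line.split()
            rows.append((cols + ["-"] * ncols)[:ncols])
    return rows


def decide(rules, policy, src, dst, proto, dport=None):
    """Verdict for one new connection from zone src to zone dst."""
    # ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S): first match wins.
    for action, rsrc, rdst, rproto, ports, _sports in parse(rules, 6):
        if (rsrc, rdst, rproto) != (src, dst, proto):
            continue
        if ports == "-" or (dport is not None and str(dport) in ports.split(",")):
            return action + " (rule)"
    # No rule matched: SOURCE DEST POLICY, "all" is a wildcard.
    for psrc, pdst, verdict in parse(policy, 3):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return verdict + " (policy)"
    return "no match"
```

Because the posted rules contain no icmp line, a ping from the local zone to the firewall is decided entirely by the loc->fw policy, which is why the rules file alone is no evidence either way.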
Well, I'd like to just disable shorewall for eth1. Would sticking a # in front of the interface for eth1 in interfaces and putting a # in front of the rules for it, and restarting shorewall, disable shorewall firewalling for eth1 completely?

--- On Wed 12/17, Tom Eastep <teastep@shorewall.net> wrote:
From: Tom Eastep [mailto:teastep@shorewall.net]
To: mrmailer@myway.com, shorewall-users@lists.shorewall.net
Date: Wed, 17 Dec 2003 11:15:16 -0800
Subject: Re: [Shorewall-users] linux not accessible through VPN
On Wednesday 17 December 2003 12:12 pm, mrmailer wrote:
> Well, I'd like to just disable shorewall for eth1. Would sticking a # in
> front of the interface for eth1 in interfaces and putting a # in front of
> the rules for it, and restarting shorewall, disable shorewall firewalling
> for eth1 completely?

No it would not.

-Tom