OS: Debian
Shorewall: shorewall-1.4.8
groovy:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:50:55:03 brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:baff:fe50:5503/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:95:0b:99:f1 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
inet6 fe80::240:95ff:fe0b:99f1/64 scope link
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:95:0b:bb:3c brd ff:ff:ff:ff:ff:ff
inet 10.10.11.254/24 brd 10.10.11.255 scope global eth2
inet6 fe80::240:95ff:fe0b:bb3c/64 scope link
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 219.94.63.38 peer 219.93.218.177/32 scope global ppp0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
groovy:~#
groovy:~# ip route show
219.93.218.177 dev ppp0 proto kernel scope link src 219.94.63.38
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.254
10.10.11.0/24 dev eth2 proto kernel scope link src 10.10.11.254
default via 219.93.218.177 dev ppp0
groovy:~#
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
fw net ACCEPT
loc dmz ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE  ORIGINAL RATE  USER
#                         PORT PORT(S) DEST     LIMIT SET
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT net fw tcp 22
ACCEPT fw dmz tcp 22
ACCEPT dmz fw tcp 22
ACCEPT dmz loc tcp 22
ACCEPT dmz net tcp 22
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Computers in zone 'LOC' can't talk to computers in
zone 'DMZ' at all.
Policy has been set to ACCEPT.
Can't ping or anything. Seems like there is no route between subnet
10.10.10.0/24 and 10.10.11.0/24.
I set up the firewall following the three-interfaces setup guide.
Please help.
Cheers
Jason
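As an added illustration, not part of Jason's post and not Shorewall's own code: a small Python evaluator that applies Shorewall 1.4's matching order to the two files quoted above. Shorewall consults the rules file first, in file order, first match wins; only when no rule matches does the first matching policy line for the zone pair decide. The functions `parse`, `zone_match`, `port_match` and `evaluate` are names chosen here; the policy and rules tables are copied from the post with headers and comments stripped. Connection tracking (ESTABLISHED/RELATED) and the zones, interfaces and masq files, which the post does not show, are left out.

```python
"""Walk a Shorewall 1.4 policy/rules pair in the order Shorewall applies them.

Added example, not Shorewall code. Shorewall checks the rules file before the
zone-pair policy, first match wins in file order; if no rule matches, the
first matching policy line decides. Only the two files quoted in the post are
modelled; conntrack and the zones/interfaces/masq files are ignored.
"""

# Copied from the post, header and comment lines removed.
POLICY = """\
loc net ACCEPT
fw  net ACCEPT
loc dmz ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
net all DROP   info
all all REJECT info
"""

RULES = """\
ACCEPT fw  net tcp  53
ACCEPT fw  net udp  53
ACCEPT loc fw  tcp  22
ACCEPT loc dmz tcp  22
ACCEPT net fw  tcp  22
ACCEPT fw  dmz tcp  22
ACCEPT dmz fw  tcp  22
ACCEPT dmz loc tcp  22
ACCEPT dmz net tcp  22
ACCEPT dmz net tcp  53
ACCEPT dmz net udp  53
ACCEPT loc fw  tcp  53
ACCEPT loc fw  udp  53
ACCEPT net fw  icmp 8
ACCEPT loc fw  icmp 8
ACCEPT dmz fw  icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw  loc icmp 8
ACCEPT fw  dmz icmp 8
ACCEPT net dmz icmp 8
ACCEPT net loc icmp 8
"""


def parse(text, ncols):
    """Split a Shorewall-style whitespace table; pad short rows with None."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        rows.append(cols + [None] * (ncols - len(cols)))
    return rows


def zone_match(pattern, zone):
    """'all' is Shorewall's zone wildcard; anything else must match exactly."""
    return pattern == "all" or pattern == zone


def port_match(pattern, dport):
    """DEST PORT column: absent or '-' means any; supports comma lists
    and low:high ranges. For ICMP the column holds the ICMP type."""
    if pattern in (None, "-") or dport is None:
        return True
    for item in pattern.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            if int(lo) <= dport <= int(hi):
                return True
        elif int(item) == dport:
            return True
    return False


def evaluate(src_zone, dst_zone, proto, dport=None):
    """Return (ACTION, 'rule' | 'policy') for a NEW connection between zones."""
    for action, src, dst, prot, port, *_ in parse(RULES, 5):
        if not (zone_match(src, src_zone) and zone_match(dst, dst_zone)):
            continue
        if prot not in (None, "-", "all", proto):
            continue
        if not port_match(port, dport):
            continue
        return action, "rule"
    # No rule matched: fall through to the first matching policy line.
    for src, dst, action, *_ in parse(POLICY, 5):
        if zone_match(src, src_zone) and zone_match(dst, dst_zone):
            return action, "policy"
    raise ValueError("no policy for %s -> %s" % (src_zone, dst_zone))


if __name__ == "__main__":
    for probe in (("loc", "dmz", "icmp", 8), ("loc", "dmz", "tcp", 80),
                  ("net", "loc", "tcp", 22), ("dmz", "fw", "tcp", 80)):
        print(probe, "->", evaluate(*probe))
```

Every loc-to-dmz probe comes back ACCEPT, either from the explicit `loc dmz` rules (ssh, echo-request) or from the `loc dmz ACCEPT` policy, so the two files as posted do not by themselves explain the symptom. The places the post does not show are where to look next: the zones and interfaces files (is eth2 really in zone dmz?), IP_FORWARDING in shorewall.conf, which governs whether Shorewall sets /proc/sys/net/ipv4/ip_forward, the chains actually loaded (`shorewall show`), and whether the hosts on 10.10.10.0/24 and 10.10.11.0/24 use 10.10.10.254 and 10.10.11.254 as their gateways.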