OS: Debian
Shorewall: shorewall-1.4.8
groovy:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:50:55:03 brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:baff:fe50:5503/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:95:0b:99:f1 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
inet6 fe80::240:95ff:fe0b:99f1/64 scope link
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:95:0b:bb:3c brd ff:ff:ff:ff:ff:ff
inet 10.10.11.254/24 brd 10.10.11.255 scope global eth2
inet6 fe80::240:95ff:fe0b:bb3c/64 scope link
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 219.94.63.38 peer 219.93.218.177/32 scope global ppp0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
groovy:~#
groovy:~# ip route show
219.93.218.177 dev ppp0 proto kernel scope link src 219.94.63.38
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.254
10.10.11.0/24 dev eth2 proto kernel scope link src 10.10.11.254
default via 219.93.218.177 dev ppp0
groovy:~#
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
fw net ACCEPT
loc dmz ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT net fw tcp 22
ACCEPT fw dmz tcp 22
ACCEPT dmz fw tcp 22
ACCEPT dmz loc tcp 22
ACCEPT dmz net tcp 22
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Computers in zone 'LOC' can't talk to computers in zone 'DMZ' at all.
Policy has been set to ACCEPT.
Can't ping or do anything else. It seems there is no route between subnet
10.10.10.0/24 and 10.10.11.0/24.
I set up the firewall following the three-interface setup guide.
Please help..
Cheers
Jason
a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts files -- How do you expect us to analyze your problem if we don't know how zones map to interfaces and hosts?

b) Please include Shorewall messages from your log when you try to ping.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Friday 30 January 2004 12:08 pm, Tom Eastep wrote:
> a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts
> files -- How do you expect us to analyze your problem if we don't know how
> zones map to interfaces and hosts?
>
> b) Please include Shorewall messages from your log when you try to ping.
>

Also, I assume that if you "shorewall clear" that you can communicate perfectly between the two LAN segments?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Friday 30 January 2004 12:15, Tom Eastep wrote:
> On Friday 30 January 2004 12:08 pm, Tom Eastep wrote:
> > a) Please show us your /etc/shorewall/interfaces and /etc/shorewall/hosts
> > files -- How do you expect us to analyze your problem if we don't know
> > how zones map to interfaces and hosts?
> >
> > b) Please include Shorewall messages from your log when you try to ping.
>
> Also, I assume that if you "shorewall clear" that you can communicate
> perfectly between the two LAN segments?

If not then I suggest that you check the default gateway settings on the systems that you are trying to ping between. Both systems should have as their default gateway the IP address of the firewall interface to which they are connected.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
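Tom's last suggestion (each LAN host's default gateway must be the firewall's own address on that host's segment) can be checked mechanically against the `ip route show` output Jason posted. This is an added example, not code from the thread or from Shorewall; the routing table is the one from the firewall above, and the hosts 10.10.10.5 and 10.10.11.5 with their configured gateways are hypothetical.

```python
import ipaddress

# Constructed sample: the firewall's routing table exactly as posted in the thread.
FIREWALL_ROUTES = """\
219.93.218.177 dev ppp0 proto kernel scope link src 219.94.63.38
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.254
10.10.11.0/24 dev eth2 proto kernel scope link src 10.10.11.254
default via 219.93.218.177 dev ppp0
"""


def parse_routes(text):
    """Parse `ip route show` lines into (network, dev, src) tuples.
    The default route is skipped: it says nothing about which address the
    firewall has on a directly connected LAN."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        net = ipaddress.ip_network(fields[0], strict=False)  # bare IP -> /32
        dev = fields[fields.index("dev") + 1]
        src = fields[fields.index("src") + 1] if "src" in fields else None
        routes.append((net, dev, src))
    return routes


def expected_gateway(host_ip, routes):
    """Return (dev, firewall address) for the connected subnet a host sits on,
    or None if the firewall has no connected route covering that host."""
    host = ipaddress.ip_address(host_ip)
    for net, dev, src in routes:
        if src is not None and host in net:
            return dev, src
    return None


def check_gateway(host_ip, configured_gw, routes):
    """True if the host's default gateway is the firewall's own address on
    that host's segment, which is what the reply above asks you to verify."""
    found = expected_gateway(host_ip, routes)
    return found is not None and found[1] == configured_gw


if __name__ == "__main__":
    routes = parse_routes(FIREWALL_ROUTES)
    # Hypothetical hosts, one per segment; the second one has a wrong gateway.
    for host, gw in [("10.10.10.5", "10.10.10.254"), ("10.10.11.5", "10.10.10.254")]:
        verdict = "ok" if check_gateway(host, gw, routes) else "WRONG gateway"
        print(f"{host} via {gw}: {verdict}")
```

If both hosts pass this check and pings still fail, the Shorewall log lines Tom asked for (the `info` level on the DROP/REJECT policies above will produce them) are the next thing to read.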