Ok. First of all, thanks to anyone that can help me here. I am new to linux and learning something every day. But I have a problem. I have two computers at my home networked.

x86 based computers
Mandrake 10.0
realtek NIC interfaces
US Robotics 56K modem
HP PCS 2410 printer
Lexmark optra R+ laser jet

I have a static LAN setup that works fine. Computer 1 has the modem and one NIC card (eth0). Computer 2 has NIC card (eth0) only.

1. I have downloaded and edited my files as per the two computer sample, placed in the /etc/shorewall directory.
2. Now with shorewall stopped my network works great for local use. I can print from either computer and share files. I can use LinNeighborhood and browse both computers.
3. When I start shorewall I can no longer browse the computers, but I can still ping them and they both respond fine.
4. When shorewall is off squid responds with "THE REQUESTED URL could not be Retrieved". When on I get "unknown host".
5. Computers are as follows:
   a. Computer one is set up as follows: 127.0.0.1 local, 192.168.1.1 for eth0, ppp0 is for the modem
   b. Computer two is set up as follows: 127.0.0.1 local, 192.168.1.2 for eth0
6. Below are the changes I made to my shorewall files. These are the last lines of the shorewall setup files:

hosts
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect dhcp,routefilter,norfc1918,tcpflags
loc eth0 detect tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq (I tried this with each different line commented out)
#INTERFACE SUBNET ADDRESS
#ppp0 eth0
ppp0 192.168.1.1/255.255.255.0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp
ACCEPT fw net icmp
# assume this is for the redirect of squid
REDIRECT loc 3128 tcp www -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

In the shorewall.conf file: CLAMPMMS=yes

I still want to be able to use the local network and get online from either computer to check email, browse the www etc.
Any help would be greatly appreciated. Rick
On Tue, 2004-07-13 at 20:39 -0400, Rick Seitz wrote:
> policy
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>

This is where the root of your troubles is. The policy for loc->fw is (as is default) to REJECT.

> rules
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
> # PORT PORT(S) DEST LIMIT GROUP
> #
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53

You will want loc->fw copies of these rules to permit DNS to resolve off your fw (assuming you are running a caching nameserver here; otherwise, specify your ISP DNS servers on your internal systems and DNS should work).

> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT loc fw tcp 22
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT loc fw icmp 8
> ACCEPT net fw icmp 8
> ACCEPT fw loc icmp
> ACCEPT fw net icmp
> # assume this is for the redirect of squid
> REDIRECT loc 3128 tcp www -

It's certainly possible that you do not have squid properly configured for transparent proxy. I would suggest adding an ACCEPT loc fw tcp 3128 and commenting out the REDIRECT at this point to ensure that you can get squid working properly when not doing transparent proxy.

I'm not familiar with LinNeighborhood and how it does its browsing, though I assume that it looks for Samba/Win boxes. If so, add a:

AllowSMB loc fw
AllowSMB fw loc

(I assume you are using a pretty recent version of Shorewall) and browsing should work.

-- 
David T Hollis <dhollis@davehollis.com>
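As an added illustration (not part of David's reply and not Shorewall's own code), here is a small Python model of the decision order the reply relies on: the rules file is consulted first, then the zone-pair policy, so loc->fw DNS and SMB traffic fall through to the final "all all REJECT" line until explicit loc->fw rules exist. The port list that AllowSMB expands to is an assumption made for this model.

```python
# Policy file from the thread: (SOURCE, DEST, POLICY); 'all' is a wildcard.
POLICY = [
    ("loc", "net", "ACCEPT"),
    ("fw",  "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),   # the catch-all that loc->fw falls into
]
# Rules file from the thread: (ACTION, SOURCE, DEST, PROTO, DEST PORT(S)).
RULES_ORIGINAL = [
    ("ACCEPT", "fw",  "net", "tcp",  "53"),
    ("ACCEPT", "fw",  "net", "udp",  "53"),
    ("ACCEPT", "loc", "fw",  "tcp",  "22"),
    ("ACCEPT", "loc", "fw",  "icmp", "8"),    # icmp: column is the type
    ("ACCEPT", "net", "fw",  "icmp", "8"),
    ("ACCEPT", "fw",  "loc", "icmp", "-"),
    ("ACCEPT", "fw",  "net", "icmp", "-"),
]
# Additions from the reply: loc->fw DNS, direct squid access, AllowSMB both
# ways. The port list AllowSMB expands to is an assumption made for this
# model; check the action.AllowSMB file shipped with your Shorewall.
SMB_PORTS = [("udp", "135,445"), ("udp", "137:139"), ("tcp", "135,139,445")]
RULES_FIXED = RULES_ORIGINAL + [
    ("ACCEPT", "loc", "fw", "tcp", "53"),
    ("ACCEPT", "loc", "fw", "udp", "53"),
    ("ACCEPT", "loc", "fw", "tcp", "3128"),
] + [("ACCEPT", s, d, proto, ports)
     for s, d in (("loc", "fw"), ("fw", "loc")) for proto, ports in SMB_PORTS]

def port_matches(spec, port):
    """Port column syntax: '-' any, 'a,b' list, 'a:b' inclusive range."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(rules, policy, src, dst, proto, port):
    """Verdict for a new connection: first matching rule, else first
    matching policy entry (Shorewall order: rules before policies)."""
    for action, rsrc, rdst, rproto, ports in rules:
        if (rsrc, rdst, rproto) == (src, dst, proto) and port_matches(ports, port):
            return action
    for psrc, pdst, verdict in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return verdict
    return "REJECT"                   # Shorewall requires an all/all policy anyway
```

Running decide() for loc->fw udp/53 or udp/138 against RULES_ORIGINAL gives REJECT, which is why name resolution and browsing stopped once the firewall came up; against RULES_FIXED both are accepted while net->fw is still dropped.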