On Tue, 2004-07-13 at 20:39 -0400, Rick Seitz wrote:

> policy
> #SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
> loc       net     ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw        net     ACCEPT
> net       all     DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all     REJECT   info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

This is where the root of your troubles is. The policy for loc->fw is (as is default) to REJECT.

> rules
> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
> #                               PORT      PORT(S)   DEST       LIMIT   GROUP
> #
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT    fw       net    tcp     53
> ACCEPT    fw       net    udp     53

You will want loc->fw copies of these rules to permit DNS to resolve off your fw (assuming you are running a caching nameserver here; otherwise, specify your ISP DNS servers on your internal systems and DNS should work).

> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT    loc      fw     tcp     22
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT    loc      fw     icmp    8
> ACCEPT    net      fw     icmp    8
> ACCEPT    fw       loc    icmp
> ACCEPT    fw       net    icmp
> # assume this is for the redirect of squid
> REDIRECT  loc      3128   tcp     www     -

It's certainly possible that you do not have squid properly configured for transparent proxy. I would suggest adding an

ACCEPT    loc      fw     tcp     3128

and commenting out the REDIRECT at this point to ensure that you can get squid working properly when not doing transparent proxy.

I'm not familiar with LinNeighborhood and how it does its browsing, though I assume that it looks for Samba/Win boxes. If so, add a:

AllowSMB  loc      fw
AllowSMB  fw       loc

(I assume you are using a pretty recent version of Shorewall) and browsing should work.
-- 
David T Hollis <dhollis@davehollis.com>

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm


OK David, I added the lines and I can browse my LAN with shorewall running. Also, now when I try to access the internet with it running I get the same squid error that I received without it running, so that could be a squid configure error/problem. However, I lose my printers on the remote computer now. Is there anything else I need to add to allow the printers to not drop off?

Again thanks for the help and the quick response. I am running version 2.0.1 of shorewall.

Rick
On Tue, 2004-07-13 at 21:40 -0400, Rick Seitz wrote:
> OK David, I added the lines and I can browse my LAN with shorewall
> running. Also, now when I try to access the internet with it running
> I get the same squid error that I received without it running, so that
> could be a squid configure error/problem. However, I lose my printers
> on the remote computer now. Is there anything else I need to add to
> allow the printers to not drop off?
>
> Again thanks for the help and the quick response. I am running
> version 2.0.1 of shorewall.

I'm not sure which one is the 'remote' computer; I'll assume the internal one and also assume that you are using cups. Cups uses port 631 (ipp) on tcp and/or udp, so you would add rules as:

ACCEPT    fw       loc    tcp     631
ACCEPT    fw       loc    udp     631

If the printer is on the fw, reverse the loc/fw parts above, obviously. Depending on your distro and how cups is set up, printer sharing may not be enabled by default, so you may want to check that out while you are working on it.

One note: if you are having difficulty passing traffic for a certain protocol, check your logs (typically /var/log/messages). Check FAQ 17 at http://shorewall.net for info on how to break down the log message. You should be able to pretty quickly pick out what the port and protocol are so you can create a rule.

-- 
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
> On Tue, 2004-07-13 at 21:40 -0400, Rick Seitz wrote:
>
>> OK David, I added the lines and I can browse my LAN with shorewall
>> running. Also, now when I try to access the internet with it running
>> I get the same squid error that I received without it running, so that
>> could be a squid configure error/problem. However, I lose my printers
>> on the remote computer now. Is there anything else I need to add to
>> allow the printers to not drop off?
>>
>> Again thanks for the help and the quick response. I am running
>> version 2.0.1 of shorewall.
>>
>
> I'm not sure which one is the 'remote' computer; I'll assume the
> internal one and also assume that you are using cups. Cups uses port
> 631 (ipp) on tcp and/or udp, so you would add rules as:
>
> ACCEPT    fw       loc    tcp     631
> ACCEPT    fw       loc    udp     631
>
> If the printer is on the fw, reverse the loc/fw parts above, obviously.
> Depending on your distro and how cups is set up, printer sharing may not
> be enabled by default, so you may want to check that out while you are
> working on it.
>
> One note: if you are having difficulty passing traffic for a certain
> protocol, check your logs (typically /var/log/messages). Check FAQ 17
> at http://shorewall.net for info on how to break down the log message.
> You should be able to pretty quickly pick out what the port and
> protocol are so you can create a rule.
>

David, thank you very much for your help. I have shorewall up and running and everything is working except I still have the internet error for squid. I am thinking the problem is in squid and I will have to look in that direction. But again, thank you for your help on setting up my local network.
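As an added example (not part of this thread and not Shorewall's own code), the Python below walks the posted policy and rules files the way Shorewall does, first match in rules and then the policy file, so you can see why loc->fw traffic such as the squid port or the printer port was REJECTed before the extra ACCEPT lines went in. The AllowSMB expansion and the www->80 lookup are assumptions standing in for the action file and /etc/services.

```python
"""Decide a new connection's fate the way Shorewall 2.x walks /etc/shorewall/rules
(first match wins) and then /etc/shorewall/policy ('all' is a wildcard zone).
Added example; not code from the thread or from Shorewall itself."""
# Assumed expansion of the AllowSMB action (check your own action.AllowSMB file).
MACROS = {"AllowSMB": [("udp", "135,445"), ("udp", "137:139"), ("tcp", "135,139,445")]}
SERVICES = {"www": "80"}  # stands in for the /etc/services name lookup

POLICY = [  # SOURCE, DEST, POLICY, LOG LEVEL -- exactly as posted in the thread
    ("loc", "net", "ACCEPT", None), ("fw", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"), ("all", "all", "REJECT", "info"),
]
RULES = [  # ACTION, SOURCE, DEST, PROTO, DEST PORT(S) -- thread rules plus David's additions
    ("ACCEPT", "loc", "fw", "tcp", "53"), ("ACCEPT", "loc", "fw", "udp", "53"),
    ("ACCEPT", "loc", "fw", "tcp", "22"),
    ("ACCEPT", "loc", "fw", "icmp", "8"), ("ACCEPT", "fw", "loc", "icmp", "-"),
    ("REDIRECT", "loc", "3128", "tcp", "www"),  # DEST is the fw port here, not a zone
    ("AllowSMB", "loc", "fw", "-", "-"), ("AllowSMB", "fw", "loc", "-", "-"),
    ("ACCEPT", "fw", "loc", "tcp", "631"), ("ACCEPT", "fw", "loc", "udp", "631"),
]

def port_matches(spec, port):
    """spec is '-', a service name, a number, a lo:hi range or a comma list of those."""
    if spec == "-" or port is None:
        return spec == "-"
    for part in spec.split(","):
        lo, sep, hi = SERVICES.get(part, part).partition(":")
        hi = hi or (65535 if sep else lo)  # '1024:' is open-ended, '22' is exact
        if int(lo) <= port <= int(hi):
            return True
    return False

def expanded_rules():
    """Yield rules with macros such as AllowSMB replaced by their ACCEPT lines."""
    for action, src, dst, proto, ports in RULES:
        for p, pt in MACROS.get(action, [(proto, ports)]):
            yield ("ACCEPT" if action in MACROS else action, src, dst, p, pt)

def decide(src, dst, proto, port=None):
    """Return (verdict, log_level) for a connection from zone src to zone dst."""
    for action, rsrc, rdst, rproto, rports in expanded_rules():
        dst_ok = action == "REDIRECT" or rdst in (dst, "all")
        if rsrc in (src, "all") and dst_ok and rproto in (proto, "-") and port_matches(rports, port):
            return (action, None)  # a matching rule is final; these rules do not log
    for psrc, pdst, policy, level in POLICY:  # no rule matched: the policy decides
        if psrc in (src, "all") and pdst in (dst, "all"):
            return (policy, level)

if __name__ == "__main__":
    for pkt in [("loc", "fw", "tcp", 3128), ("fw", "loc", "tcp", 631), ("loc", "net", "tcp", 80)]:
        print(pkt, "->", decide(*pkt))
```

The loc->fw tcp/3128 case still lands on the trailing 'all all REJECT info' policy line, which is the logged REJECT David pointed to and the reason he suggested a plain ACCEPT while squid is being sorted out.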