Hi all,

I'm using Gentoo Linux Distribution and I've upgraded my firewall from Shorewall 1.4 to 2.0.4, however my LANs stop having internet access.
I have a server with shorewall 2.0.4 installed and 3 interfaces. eth0 and eth1 are interfaces to a LAN and to my laptop and eth2 is the net interface.

I have masq like:
eth2 eth0
eth2 eth1

I have zones:
net Net Internet
loc Local Local networks

I have interfaces:
net eth2 detect dhcp,routefilter,norfc1918
loc eth0 detect
loc eth1 detect

And policy:
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

And then a lot of rules... for ping permission, ssh, webserver, etc.

When I start shorewall I get:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth2:0.0.0.0/0
   Local Zone: eth0:0.0.0.0/0 eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT fw loc tcp 22" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT fw net tcp 22" added.
   Rule "ACCEPT loc fw tcp 873" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
   Rule "ACCEPT net fw tcp 80" added.
   Rule "ACCEPT net fw tcp 443" added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 443" added.
   Rule "ACCEPT loc fw tcp 10000" added.
   Rule "ACCEPT loc fw tcp 25" added.
   Rule "ACCEPT loc fw tcp 143" added.
   Rule "ACCEPT net fw tcp 143" added.
   Rule "ACCEPT loc fw tcp 993" added.
   Rule "ACCEPT net fw tcp 993" added.
   Rule "REJECT loc net:213.228.128.64 tcp 25" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
   Warning: default route ignored on interface eth0
   To 0.0.0.0/0 (all) from 192.168.0.0/24 through eth2
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth2
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted

And this is it.
There's a strange warning up there that I don't know what it means:
Warning: default route ignored on interface eth0

I don't think I've set up other files.
And this is all, now I can access the net from the firewall but not from the LANs attached to eth0 or eth1. Cannot even ping the firewall. With ethereal installed in the firewall I see that the firewall keeps receiving ARPs but don't get an answer.

Any ideas on what the problem might be?

Cheers,

--
Paulo J. Matos : pocm [_at_] mega . ist . utl . pt
Instituto Superior Tecnico - Lisbon
Computer and Software Eng. - A.I.
- > http://mega.ist.utl.pt/~pocm
---
-> God had a deadline...
So, he wrote it all in Lisp!

Paulo Jorge O. C. Matos wrote:
| Hi all,
|
| I'm using Gentoo Linux Distribution and I've upgraded my firewall from
| Shorewall 1.4 to 2.0.4, however my LANs stop having internet access.
| I have a server with shorewall 2.0.4 installed and 3 interfaces. eth0
| and eth1 are interfaces to a LAN and to my laptop and eth2 is the net
| interface.
|

Now please send us the information asked for at
http://shorweall.net/support.htm under the heading:

When reporting a problem, *ALWAYS* include this information:

Also please tell us the steps that you went through to upgrade. Since
you were upgrading between major releases, did you consult the "Upgrade
Issues" on the web site or in your documentation. There are a number of
things to watch out for when upgrading from 1.4 to 2.0; you can't just
load the new version, restart and expect it to work.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

>
> Now please send us the information asked for at
> http://shorweall.net/support.htm under the heading:
>
> When reporting a problem, *ALWAYS* include this information:
>

Sorry for the missing information:

descartes root # shorewall version
2.0.4

descartes root # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:3b:69:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:4f:49:02:86:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:6e:23:ad:28 brd ff:ff:ff:ff:ff:ff
    inet 217.129.147.210/22 brd 217.129.147.255 scope global eth2

descartes root # ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 217.129.144.1 dev eth2
default via 192.168.0.1 dev eth0

> Also please tell us the steps that you went through to upgrade. Since
> you were upgrading between major releases, did you consult the "Upgrade
> Issues" on the web site or in your documentation. There are a number of
> things to watch out for when upgrading from 1.4 to 2.0; you can't just
> load the new version, restart and expect it to work.
>

Ok, so I just deleted all my config files...
I started a new 2.0.4 installation with the two-interface quick start.
Since I have two internal interfaces I added a new one and exchanged letters since my external iface is eth2.

I also have a DHCP server giving up addresses and it gave 192.168.0.100 to my laptop and the funny thing is that I can ping the laptop but I cannot ping the firewall.

And I get the following when starting the firewall:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth2:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0 eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp" added.
   Rule "ACCEPT fw net icmp" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth2
   Warning: default route ignored on interface eth0
   To 0.0.0.0/0 (all) from 192.168.0.0/24 through eth2
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...

Ok, so I just have again the same warning:
Warning: default route ignored on interface eth0

Can someone help?

Cheers,

Paulo J. Matos

Paulo Jorge O. C. Matos wrote:
|
|>
|> Now please send us the information asked for at
|> http://shorweall.net/support.htm under the heading:
|>
|> When reporting a problem, *ALWAYS* include this information:
|>
|
| Sorry for the missing information:
|
| descartes root # shorewall version
| 2.0.4
|
| descartes root # ip addr show
| 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
| inet 127.0.0.1/8 scope host lo
| 2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
| qlen 1000
| link/ether 00:50:fc:3b:69:2f brd ff:ff:ff:ff:ff:ff
| inet 192.168.0.99/24 brd 192.168.0.255 scope global eth0
| 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
| link/ether 00:4f:49:02:86:5b brd ff:ff:ff:ff:ff:ff
| inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
| 4: eth2: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
| qlen 1000
| link/ether 00:0c:6e:23:ad:28 brd ff:ff:ff:ff:ff:ff
| inet 217.129.147.210/22 brd 217.129.147.255 scope global eth2
|
| descartes root # ip route show
| 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
| 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
| 217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
| 127.0.0.0/8 via 127.0.0.1 dev lo scope link
| default via 217.129.144.1 dev eth2
| default via 192.168.0.1 dev eth0
|

The above is what Shorewall has been trying to point out to you --
although your internet interface is eth2, your default route goes out
through *eth0*.

I suspect that you upgraded more than Shorewall because Shorewall does
not mess with your default gateway setting....

-Tom

Tom Eastep wrote:
| Paulo Jorge O. C. Matos wrote:

| |
| | descartes root # ip route show
| | 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
| | 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
| | 217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
| | 127.0.0.0/8 via 127.0.0.1 dev lo scope link
| | default via 217.129.144.1 dev eth2
| | default via 192.168.0.1 dev eth0
| |
|
| The above is what Shorewall has been trying to point out to you --
| although your internet interface is eth2, your default route goes out
| through *eth0*.
|
| I suspect that you upgraded more than Shorewall because Shorewall does
| not mess with your default gateway setting....
|

Ok -- I've looked again and notice that you have two default routes --
the first of the two is undoubtedly correct so it is masking the
incorrect one unless eth2 is taken down and then brought back up. So the
message, while it points out a problem in your configuration, probably
doesn't show us the root cause of your problem.

-Tom

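Added example (not part of the original thread and not Shorewall's own code): a check for the condition discussed above, where `ip route show` lists a default route through an interface that the interfaces file does not place in the net zone. The function names and the internet_zone parameter are assumptions; the sample input is constructed from the values posted in the thread.

```python
# Added example: compare the default routes from `ip route show` with the
# Shorewall interfaces file. Sample input is constructed from the thread.

INTERFACES = """\
net eth2 detect dhcp,routefilter,norfc1918
loc eth0 detect
loc eth1 detect
"""

IP_ROUTE_SHOW = """\
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 217.129.144.1 dev eth2
default via 192.168.0.1 dev eth0
"""


def zone_interfaces(interfaces_text):
    """Map zone name -> interfaces, from ZONE INTERFACE BROADCAST OPTIONS rows."""
    zones = {}
    for line in interfaces_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) >= 2:
            zones.setdefault(fields[0], []).append(fields[1])
    return zones


def _value_after(tokens, keyword):
    """Return the token that follows `keyword`, or None when it is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def default_routes(route_text):
    """Return a (gateway, device) pair for every default route, in table order."""
    routes = []
    for line in route_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "default":
            routes.append((_value_after(tokens, "via"), _value_after(tokens, "dev")))
    return routes


def audit(interfaces_text, route_text, internet_zone="net"):
    """Flag default routes that disagree with the interfaces file."""
    external = zone_interfaces(interfaces_text).get(internet_zone, [])
    routes = default_routes(route_text)
    findings = []
    if not routes:
        findings.append("no default route")
    if len(routes) > 1:
        findings.append("%d default routes: %s" % (
            len(routes), ", ".join(dev or "?" for _, dev in routes)))
    for gateway, dev in routes:
        if dev not in external:
            findings.append("default route via %s uses %s, not a '%s' interface (%s)"
                            % (gateway, dev, internet_zone, ", ".join(external)))
    return findings


if __name__ == "__main__":
    for finding in audit(INTERFACES, IP_ROUTE_SHOW):
        print("WARNING:", finding)
```
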
Paulo Jorge O. C. Matos wrote:
|
|
|> Also please tell us the steps that you went through to upgrade. Since
|> you were upgrading between major releases, did you consult the "Upgrade
|> Issues" on the web site or in your documentation. There are a number of
|> things to watch out for when upgrading from 1.4 to 2.0; you can't just
|> load the new version, restart and expect it to work.
|>
|
| Ok, so I just deleted all my config files...
| I started a new 2.0.4 installation with the two-interface quick start.
| Since I have two internal interfaces I added a new one and exchanged
| letters since my external iface is eth2.

Er, by my count you have three interfaces -- eth0, eth1 and eth2. That
indicates that the three-interface guide was appropriate.

|
| I also have a DHCP server giving up addresses and it gave 192.168.0.100
| to my laptop and the funny thing is that I can ping the laptop but I
| cannot ping the firewall.
|

Let me guess -- you are letting the DHCP server assign the IP address to
the firewall's eth0 -- is that right?

-Tom

You were completely right. I had upgraded other files and had eth0 as the default gateway.
Now fixed and everything is fine.

Many Thanks.

Cheers,

Paulo Matos

Tom Eastep wrote:
> Tom Eastep wrote:
> | Paulo Jorge O. C. Matos wrote:
>
> | |
> | | descartes root # ip route show
> | | 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> | | 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
> | | 217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
> | | 127.0.0.0/8 via 127.0.0.1 dev lo scope link
> | | default via 217.129.144.1 dev eth2
> | | default via 192.168.0.1 dev eth0
> | |
> |
> | The above is what Shorewall has been trying to point out to you --
> | although your internet interface is eth2, your default route goes out
> | through *eth0*.
> |
> | I suspect that you upgraded more than Shorewall because Shorewall does
> | not mess with your default gateway setting....
> |
>
> Ok -- I've looked again and notice that you have two default routes --
> the first of the two is undoubtedly correct so it is masking the
> incorrect one unless eth2 is taken down and then brought back up. So the
> message, while it points out a problem in your configuration, probably
> doesn't show us the root cause of your problem.
>
> -Tom