Hello, I have read the getting started guides, FAQ, etc, so if your response to the following is RTFM, please at least refer me to the appropriate one :)

I have shorewall set up as follows:

zones:
    net     Net     Internet
    loc     Local   Local networks
    dmz     DMZ     Demilitarized zone

policies:
    loc     net     ACCEPT
    dmz     net     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

interfaces:
    loc     eth0    detect  dhcp

I interpret this to mean that eth0 is in the local zone, and therefore by the loc2net policy should be able to browse. However, I get stuff like this in the log:

Sep 3 19:43:35 all2all:REJECT:IN=eth0 OUT= SRC=[my ip] DST=[isp dns ip] LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18568 SEQ=0

...and I can't connect to the outside world if shorewall is running.

My setup is a single PC using a network card to connect to a DSL modem. I will at some point have a network behind the firewall, but that's a long way off. For now, I'd just like to enable shorewall for everyday use.

Can somebody help?

Thanks!
Reuben Firmin wrote:
| Hello, I have read the getting started guides, FAQ, etc, so if your
| response to the following is RTFM, please at least refer me to the
| appropriate one :)
|

http://shorewall.net/support.htm -- that's the guide that you need to follow to submit a problem report that gives us enough information to help you. And you *do* have a connection problem (you can't _connect_ to the net) so please follow the instructions in the paragraph that begins in bold type: "THIS IS IMPORTANT".

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Reuben Firmin wrote:
|
| My setup is a single PC using a network card to connect to a DSL modem.
| I will at some point have a network behind the firewall, but that's a
| long way off. For now, I'd just like to enable shorewall for everyday
| use.
|
| Can somebody help?

Read your post again this morning and I'm going to suggest that you start again and this time use the following guide: http://shorewall.net/standalone.htm

If you follow that guide, you should be up and running in short order.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Reuben Firmin wrote:
> Hello, I have read the getting started guides, FAQ, etc, so if your
> response to the following is RTFM, please at least refer me to the
> appropriate one :)
> ...
> policies:
>     loc     net     ACCEPT
>     dmz     net     ACCEPT
>     net     all     DROP    info
>     all     all     REJECT  info
> ...
> I interpret this to mean that eth0 is in the local zone, and therefore
> by the loc2net policy should be able to browse. However, I get stuff
> like this in the log:
>
> Sep 3 19:43:35 all2all:REJECT:IN=eth0 OUT= SRC=[my ip]
> DST=[isp dns ip] LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=18568 SEQ=0

Tom has given you the appropriate RTFMs, but here are a couple more thoughts:

1. Your line above is not hitting your loc2net policy, it's hitting your all2all policy.

2. To find out why this is, explicitly define your policies matrix to include every combination of src & dest zones. That way you get more helpful log messages.

3. Why is something coming IN on eth0 if it's from your IP? It should be going OUT!

Without looking too much further, I think you've mis-cut&pasted the log message, and what you're probably looking for to get the standalone functionality is a fw2net policy of ACCEPT.

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
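The reasoning in Paul's three points can be checked mechanically. The script below is an added example for this thread, not code from the original posts or from the Shorewall project: it parses a Shorewall-style log line into its chain, disposition and netfilter fields, classifies the packet's direction from IN/OUT, and runs a simplified first-match lookup over the poster's policy table (the "all" wildcard matching any zone, the chain named SRC2DST as in the log). The bracketed addresses from the post are replaced with constructed RFC 5737 documentation addresses, and the first-match model is an assumption about Shorewall's behaviour made for illustration.

```python
import re

# Constructed sample: the log line from the original post, with the bracketed
# placeholders replaced by documentation addresses (assumed values).
SAMPLE_LOG = ("Sep 3 19:43:35 all2all:REJECT:IN=eth0 OUT= SRC=192.0.2.10 "
              "DST=198.51.100.53 LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF "
              "PROTO=ICMP TYPE=8 CODE=0 ID=18568 SEQ=0")

# The poster's policy table in file order: (source zone, dest zone, action, log level).
# "fw" stands for the firewall host itself.
ORIGINAL_POLICIES = [
    ("loc", "net", "ACCEPT", None),
    ("dmz", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("all", "all", "REJECT", "info"),
]

# Paul's suggested fix: an explicit fw->net ACCEPT ahead of the catch-all.
FIXED_POLICIES = [("fw", "net", "ACCEPT", None)] + ORIGINAL_POLICIES

# chain:DISPOSITION: followed by the netfilter key=value fields (first is IN=)
LOG_RE = re.compile(r"(?P<chain>[A-Za-z]\w*):(?P<disp>[A-Z]+):(?P<rest>IN=.*)")


def parse_log_line(line):
    """Split a Shorewall-style log line into chain, disposition and k=v fields.

    Bare flags (DF) become True. The IP header ID= appears before the ICMP
    ID=, so the first occurrence of a key is kept.
    """
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        else:
            fields.setdefault(tok, True)
    return fields


def traffic_origin(fields):
    """Classify the packet from the interface fields (Paul's point 3).

    Locally generated traffic has OUT set and an empty IN; traffic arriving
    from the wire has IN set and an empty OUT; forwarded traffic has both.
    """
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and not has_out:
        return "inbound"
    if has_out and not has_in:
        return "locally generated"
    return "forwarded"


def lookup_policy(policies, src_zone, dst_zone):
    """First-match policy lookup; 'all' matches any zone (simplified model)."""
    for psrc, pdst, action, log in policies:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return {"chain": "%s2%s" % (psrc, pdst), "action": action, "log": log}
    return None


if __name__ == "__main__":
    f = parse_log_line(SAMPLE_LOG)
    print("chain=%s disposition=%s proto=%s origin=%s"
          % (f["chain"], f["disposition"], f["PROTO"], traffic_origin(f)))
    # The firewall host talking to the ISP DNS is fw->net: no explicit policy
    # matches, so the catch-all "all all REJECT" (chain all2all) applies.
    print("original fw->net:", lookup_policy(ORIGINAL_POLICIES, "fw", "net"))
    print("fixed    fw->net:", lookup_policy(FIXED_POLICIES, "fw", "net"))
```

Running it shows the two things the thread hinges on: with the original table, fw->net falls through to all2all REJECT, exactly the chain in the log, while the fixed table resolves it to fw2net ACCEPT; and a line with IN=eth0 and an empty OUT= is classified as inbound, which cannot be traffic the host itself sent, supporting the suspicion that the log line was mis-pasted.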