Hi there,

Let me just start by saying that I am a bit of a Linux newbie, but that Shorewall seems an excellent product. The issue I'm reporting won't stop me from using it, it still does 99% of what I need.

Anyway, I have a reasonably simple two interface system. My server (HatMannz, P3-900MHz with a RAID-1 array of 80GB IDE drives running Red Hat 9.0) connects to a cable modem via eth1 (just to be different) and to the rest of the network via eth0.

The server is configured to provide
o DHCP serving to the local network
o File and Print Sharing via SaMBa (all other local machines are Windows)
o Internet via Firewall to the local network
o FTP Serving

Previously I was running a different not-very-secure script as a 'firewall' which also did port-forwarding; this is before I wanted to add the FTP Server.

So I dumped the script and decided to use ShoreWall 2.0.9 (based on two-interface sample) with vsftpd to solve that.

DHCP, Internet sharing and FTP serving all seem to work very well, but my problem is there seems to be some 'glitches' with File Sharing via SaMBa. It does work, but every quarter of an hour or so there seems to be a 'glitch' and the server 'disappears', usually for a matter of a few seconds. This is most noticeable when playing server-side MP3s from a local machine in Winamp - when the dropout comes, the song stops.

The server always 'reappears' within a few seconds, too quick for me to open a terminal window and try a ping!

Anyway, here are the modified files I used from the two-interface with single Static IP sample.

interfaces (just swapped eth1 and eth0 to suit my configuration)
__________
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      dhcp,routefilter,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq (again swapped eth1 and eth0, and added my static IP for efficiency)
____
#INTERFACE   SUBNET   ADDRESS
eth1         eth0     218.101.48.51
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy (uncommented the line to allow internet access from firewall)
______
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw        net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

routestopped (again, just changed eth1 to eth0)
____________
#INTERFACE   HOST(S)
eth0         -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

rules (added rules to allow ftp access and file sharing via SMB)
_____
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                 PORT      PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    tcp     53
ACCEPT    fw       net    udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT    loc      fw     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT    loc      fw     icmp    8
ACCEPT    net      fw     icmp    8
ACCEPT    fw       loc    icmp
ACCEPT    fw       net    icmp
#
# Allow Firewall to act as FTP Server (added by Graham 2004.10.11)
AllowFTP  net      fw
AllowFTP  loc      fw
#
# Allow Firewall to do SaMBa file sharing (added by Graham 2004.10.11)
#
ACCEPT    fw       loc    udp     137:139
ACCEPT    fw       loc    tcp     137,139,445
ACCEPT    fw       loc    udp     1024:     137
ACCEPT    loc      fw     udp     137:139
ACCEPT    loc      fw     tcp     137,139,445
ACCEPT    loc      fw     udp     1024:     137
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I also had a slight problem trying to get shorewall to start on reboot - there seemed to be no start-disabled file that I could find, so I used the following command from the /etc/shorewall directory:

chkconfig --add shorewall --level 2345

ip addr show + ip route show
____________________________
[root@HatMannz root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:03:47:00:15:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:13:33:32 brd ff:ff:ff:ff:ff:ff
    inet 218.101.48.51/24 brd 218.101.48.255 scope global eth1
[root@HatMannz root]# ip route show
192.168.0.0/24 dev eth0  scope link
218.101.48.0/24 dev eth1  scope link
169.254.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 218.101.48.1 dev eth1
[root@HatMannz root]#

output of shorewall show log
____________________________
[root@HatMannz root]# shorewall show log
Shorewall-2.0.9 Log at HatMannz - Mon Oct 11 23:30:04 NZDT 2004

Counters reset Mon Oct 11 15:27:49 NZDT 2004

Oct 11 23:27:12 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:27:35 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:27:38 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:27:46 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:02 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35047 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 11 23:28:02 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:05 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35048 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 11 23:28:05 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:13 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35049 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 11 23:28:13 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:34 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35050 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 11 23:28:34 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:38 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:46 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:26 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:29 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:37 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:52 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:57 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:30:06 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
[root@HatMannz root]#

Anyway, any hints on where I'm going wrong or what the problem might be would be very much appreciated.

Cheers,

Graham
> Hi there,
>
> Let me just start by saying that I am a bit of a Linux newbie, but that
> Shorewall seems an excellent product. The issue I'm reporting won't stop me
> from using it, it still does 99% of what I need.
>
> Anyway, I have a reasonably simple two interface system. My server
> (HatMannz, P3-900MHz with a RAID-1 array of 80GB IDE drives running Red
> Hat 9.0) connects to a cable modem via eth1 (just to be different) and to
> the rest of the network via eth0.
>
> The server is configured to provide
> o DHCP serving to the local network
> o File and Print Sharing via SaMBa (all other local machines are Windows)
> o Internet via Firewall to the local network
> o FTP Serving
>
> Previously I was running a different not-very-secure script as a
> 'firewall' which also did port-forwarding; this is before I wanted to add
> the FTP Server.
>
> So I dumped the script and decided to use ShoreWall 2.0.9 (based on
> two-interface sample) with vsftpd to solve that.
>
> DHCP, Internet sharing and FTP serving all seem to work very well, but my
> problem is there seems to be some 'glitches' with File Sharing via SaMBa.
> It does work, but every quarter of an hour or so there seems to be a
> 'glitch' and the server 'disappears', usually for a matter of a few
> seconds. This is most noticeable when playing server-side MP3s from a
> local machine in Winamp - when the dropout comes, the song stops.
>
> The server always 'reappears' within a few seconds, too quick for me to
> open a terminal window and try a ping!
>
> Anyway, here are the modified files I used from the two-interface with
> single Static IP sample.
>
> interfaces (just swapped eth1 and eth0 to suit my configuration)
> __________
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      dhcp,routefilter,norfc1918,tcpflags
> loc     eth0        detect      tcpflags

Didn't you say you're running a DHCP server on the box, then I think you should add the dhcp option to the eth0 too to make it work.
Simon

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Graham Mann wrote:
> Hi there,
>
> Let me just start by saying that I am a bit of a Linux newbie, but that Shorewall seems an excellent product. The issue I'm reporting won't stop me from using it, it still does 99% of what I need.
>
> Anyway, I have a reasonably simple two interface system. My server (HatMannz, P3-900MHz with a RAID-1 array of 80GB IDE drives running Red Hat 9.0) connects to a cable modem via eth1 (just to be different) and to the rest of the network via eth0.

Hi Graham,

Well, trying to use a "different" configuration can cause problems.. ;) I'm assuming you're using a static ip for the net zone and serving dhcp to your own internal network, as you mention below.

> The server is configured to provide
> o DHCP serving to the local network
> o File and Print Sharing via SaMBa (all other local machines are Windows)
> o Internet via Firewall to the local network
> o FTP Serving

> DHCP, Internet sharing and FTP serving all seem to work very well, but my problem is there seems to be some 'glitches' with File Sharing via SaMBa. It does work, but every quarter of an hour or so there seems to be a 'glitch' and the server 'disappears', usually for a matter of a few seconds. This is most noticeable when playing server-side MP3s from a local machine in Winamp - when the dropout comes, the song stops.
>
> The server always 'reappears' within a few seconds, too quick for me to open a terminal window and try a ping!
>
> Anyway, here are the modified files I used from the two-interface with single Static IP sample.
>
> interfaces (just swapped eth1 and eth0 to suit my configuration)
> __________
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      dhcp,routefilter,norfc1918,tcpflags
> loc     eth0        detect      tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

This is where some confusion becomes apparent. This interface configuration is common with users who use cable, ADSL with DHCP from their Internet providers. But since you are using a static ip and serving DHCP for your own network the dhcp option should be listed in your loc zone instead. http://shorewall.net/dhcp.htm

Likewise the norfc1918 option should not be listed on your loc interface, that should be listed on your external interface since that is the route where packets from these private IPs should not be coming from.

> masq (again swapped eth1 and eth0, and added my static IP for efficiency)
> ____
>
> #INTERFACE   SUBNET   ADDRESS
> eth1         eth0     218.101.48.51
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> policy (uncommented the line to allow internet access from firewall)
> ______
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw        net    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> routestopped (again, just changed eth1 to eth0)
> ____________
>
> #INTERFACE   HOST(S)
> eth0         -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> rules (added rules to allow ftp access and file sharing via SMB)
> _____
>
> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
> #                                 PORT      PORT(S)   DEST       LIMIT   GROUP
> #
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT    fw       net    tcp     53
> ACCEPT    fw       net    udp     53
> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT    loc      fw     tcp     22
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT    loc      fw     icmp    8
> ACCEPT    net      fw     icmp    8
> ACCEPT    fw       loc    icmp
> ACCEPT    fw       net    icmp
> #
> # Allow Firewall to act as FTP Server (added by Graham 2004.10.11)
> AllowFTP  net      fw
> AllowFTP  loc      fw
> #
> # Allow Firewall to do SaMBa file sharing (added by Graham 2004.10.11)
> #
> ACCEPT    fw       loc    udp     137:139
> ACCEPT    fw       loc    tcp     137,139,445
> ACCEPT    fw       loc    udp     1024:     137
> ACCEPT    loc      fw     udp     137:139
> ACCEPT    loc      fw     tcp     137,139,445
> ACCEPT    loc      fw     udp     1024:     137
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> I also had a slight problem trying to get shorewall to start on reboot - there seemed to be no start-disabled file that I could find, so I used the following command from the /etc/shorewall directory:

By the way, how is DNS functioning with your internal network, the firewall seems fine but no rules for the loc zone to resolve DNS..

> chkconfig --add shorewall --level 2345
>
> ip addr show + ip route show
> ____________________________
> [root@HatMannz root]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:03:47:00:15:c3 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:ba:13:33:32 brd ff:ff:ff:ff:ff:ff
>     inet 218.101.48.51/24 brd 218.101.48.255 scope global eth1
> [root@HatMannz root]# ip route show
> 192.168.0.0/24 dev eth0  scope link
> 218.101.48.0/24 dev eth1  scope link
> 169.254.0.0/16 dev eth1  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 218.101.48.1 dev eth1
> [root@HatMannz root]#

How does the entry with 169.254.0.0/16 dev eth1 come into the picture, when you have a public net listing there?

> output of shorewall show log
> ____________________________
>
> [root@HatMannz root]# shorewall show log
> Shorewall-2.0.9 Log at HatMannz - Mon Oct 11 23:30:04 NZDT 2004
>
> Counters reset Mon Oct 11 15:27:49 NZDT 2004
>
> Oct 11 23:27:12 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Oct 11 23:27:35 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Oct 11 23:27:38 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Oct 11 23:27:46 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.100 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Oct 11 23:28:02 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35047 PROTO=UDP SPT=68 DPT=67 LEN=308
> Oct 11 23:28:02 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
> Oct 11 23:28:05 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35048 PROTO=UDP SPT=68 DPT=67 LEN=308

The snippet from your logs shows what I mentioned above, you're clearly having problems with dhcp to two specific machines in your network, 192.168.0.52 and 192.168.0.100.

Regards,
-- 
Patrick Benson
Stockholm, Sweden
Patrick Benson wrote:
> > interfaces (just swapped eth1 and eth0 to suit my configuration)
> > __________
> > #ZONE   INTERFACE   BROADCAST   OPTIONS
> > net     eth1        detect      dhcp,routefilter,norfc1918,tcpflags
> > loc     eth0        detect      tcpflags
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> This is where some confusion becomes apparent. This interface
> configuration is common with users who use cable, ADSL with DHCP from
> their Internet providers. But since you are using a static ip and
> serving DHCP for your own network the dhcp option should be listed in
> your loc zone instead. http://shorewall.net/dhcp.htm Likewise the
> norfc1918 option should not be listed on your loc interface, that should
> be listed on your external interface since that is the route where
> packets from these private IPs should not be coming from.

Excuse my remark about the norfc1918 option, I got myself confused in the process! :-)
-- 
Patrick Benson
Stockholm, Sweden
Graham,

As others have stated, I believe that the intermittency you are experiencing results from the lack of the 'dhcp' option on your internal interface (eth0).

On Mon, 11 Oct 2004, Graham Mann wrote:
>
> I also had a slight problem trying to get shorewall to start on reboot -
> there seemed to be no start-disabled file that I could find, so I used
> the following command from the /etc/shorewall directory:
>

If you install Shorewall using the rpm -U command then no startup_disabled file is created but Shorewall will not automatically start on boot -- you must use the -i command as clearly stated in the Shorewall installation instructions.

-Tom

PS -- please post in plain text and configure your mailer to fold lines at an appropriate length. In your post, each paragraph is one long line.
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
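Patrick's reading of the log and Tom's diagnosis, turned into a check that can be run over 'shorewall show log' output together with the interfaces file: it picks out rejected DHCP packets (UDP 67/68) per interface and reports any such interface whose OPTIONS column lacks 'dhcp'. This is an added example, not code from the thread or from Shorewall; the sample log and interfaces file are constructed to mirror the poster's, and the function names are my own.

```python
"""Triage for the symptom in this thread: Shorewall REJECT entries for DHCP
(UDP 67/68) on an interface whose 'interfaces' line lacks the 'dhcp' option."""
import re
from collections import Counter

# Constructed sample in the layout 'shorewall show log' prints (field order as in
# the thread). The last line is an invented, unrelated external DROP for contrast.
SAMPLE_LOG = """\
Oct 11 23:27:12 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:28:02 all2all:REJECT:IN=eth0 OUT= SRC=192.168.0.52 DST=192.168.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=35047 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 11 23:28:02 all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.52 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 11 23:29:00 net2all:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=218.101.48.51 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=7 PROTO=TCP SPT=4021 DPT=445 WINDOW=16384
"""

# Constructed interfaces file mirroring the poster's: 'dhcp' sits on the net
# interface while the LAN interface that actually serves DHCP lacks it.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      dhcp,routefilter,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# "<Mon> <day> <hh:mm:ss> <chain>:<disposition>:<KEY=VALUE ...>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
DHCP_PORTS = {"67", "68"}


def parse_log_line(line):
    """Split one netfilter log line into its fields, or return None for lines that
    are not rule log entries (such as the 'Counters reset' header). Bare flags like
    DF are skipped; the second LEN= (transport length) overwrites the first."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "chain": m.group("chain"), "disp": m.group("disp")}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def dhcp_rejects_by_interface(log_text):
    """Count REJECT/DROP entries that are DHCP (UDP between ports 67 and 68),
    keyed by the interface the packet was entering (IN=) or leaving (OUT=)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f["disp"] not in ("REJECT", "DROP") or f.get("PROTO") != "UDP":
            continue
        if {f.get("SPT"), f.get("DPT")} != DHCP_PORTS:
            continue
        counts[f.get("IN") or f.get("OUT")] += 1  # exactly one of IN/OUT is set
    return counts


def parse_interfaces(text):
    """Return {interface: (zone, set(options))} from a Shorewall interfaces file."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(parts) < 2:
            continue
        opts = set(parts[3].split(",")) if len(parts) > 3 and parts[3] != "-" else set()
        table[parts[1]] = (parts[0], opts)
    return table


def diagnose(log_text, iface_text):
    """Interfaces that both had DHCP traffic rejected and lack the 'dhcp' option,
    as {interface: rejected_count}; non-empty means the thread's misconfiguration."""
    table = parse_interfaces(iface_text)
    return {iface: n for iface, n in dhcp_rejects_by_interface(log_text).items()
            if iface in table and "dhcp" not in table[iface][1]}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_INTERFACES))
```

Against the constructed sample this reports eth0 with three rejected DHCP packets and no 'dhcp' option; once 'dhcp' is added to the loc line the result is empty.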
Tom Eastep wrote:
> ...
> PS -- please post in plain text and configure your mailer to fold lines at
> an appropriate length. In your post, each paragraph is one long line.

Folks,

Another way to be polite to others is to clip redundant information like Tom just did, as opposed to leaving in all the original poster's text and adding two lines. Doing so greatly increases the signal-to-noise ratio of your posts.

Regards,
Paul
-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.