Can't figure this one out: I've been running shorewall 1.4.10 for many months now on a Fedora Core 1 machine. Just finished setting up a new machine (Fedora Core 2) with shorewall 2.0.9. In the new installation, I edited the shorewall config files, copying over my rules, masq entries, policies, etc. to each new file. Shorewall startup goes through fine.

Today I switched between the machines, and I found that name resolution would no longer work. In the dmz zone we have a server running named. DNS requests from computers in the local and private zones were getting to that server, but its requests through the FW to remote DNS servers did not go through. tcpdump showed the port 53 packets coming in to the dmz interface (DNATed from the other zones), and the server's requests going out, but NOT getting through to the external 'net' interface. I have masq set up for the dmz interface (eth2), for the local interface (eth1) and for the private interface (eth3).

I'm sure I missed something silly, but I can't lay my finger on it. Attached is the support stuff. Hope someone can get me back on track.

Thanks,
Micha
On Fri, 2004-12-17 at 15:56 +0200, Micha Silver wrote:

> Attached is the support stuff. Hope someone can get me back on track.

Micha, I would really prefer to have the output from "shorewall status" in these cases; trying to look at a dozen config files that make heavy use of shell variables is very time-consuming and error prone.

I'm also curious why you installed 2.0.9 on a new system given that the current stable version is 2.0.13.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> On Fri, 2004-12-17 at 15:56 +0200, Micha Silver wrote:
>
> I would really prefer to have the output from "shorewall status" in
> these cases; trying to look at a dozen config files that make heavy use
> of shell variables is very time-consuming and error prone.
>
> I'm also curious why you installed 2.0.9 on a new system given that the
> current stable version is 2.0.13.
>
> -Tom

Well I was right about one thing, and wrong about one thing: I did overlook a small bit of the new FW's configuration, but I was wrong in looking for it in shorewall.

<hanging head in shame>
I had forgotten to set the default gateway on the firewall machine. That certainly put a damper on all masqed traffic! The first result of this "minor" oversight was failed name resolution, and I mistakenly looked for the error there.
</hanging head>

All's well now. (I also installed 2.0.13.)

As always a warm thanks to Tom for this great contribution to free software and internet security. And a happy holiday season to all.

--
Micha
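The root cause in this thread was not a firewall rule at all: masq entries were in place for eth1, eth2 and eth3, but the firewall box had no default route, so the NATed packets had nowhere to go once they left the internal interfaces. The script below is an added example, not code from the thread or from the Shorewall project. It is a pre-flight check you can run on the firewall before (or instead of) digging through the Shorewall config: it parses iproute2 `ip route show` output and reports whether a default route exists and whether it leaves through the interface you expect to be the 'net' zone. The interface names (eth0 as the external interface, eth1/eth2/eth3 as the internal ones) and the two routing tables are constructed for the example to mirror the poster's layout; they are not captured from either machine.

```shell
#!/bin/sh
# Added example: check that masqueraded traffic actually has an exit path.
# Assumptions (not from the thread): iproute2 "ip route show" output format,
# eth0 as the external ('net') interface, eth1/eth2/eth3 as internal ones.

# has_default_route ROUTE_TABLE
# Returns 0 if the routing-table text contains a default route, 1 otherwise.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# default_route_dev ROUTE_TABLE
# Prints the interface the default route leaves through (empty if none).
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)
            exit
        }'
}

# masq_check ROUTE_TABLE NET_IF
# Prints "ok" when a default route exists and leaves via NET_IF,
# "no-default-route" when there is none at all (the mistake in the thread),
# or "wrong-interface:<dev>" when it leaves via some other interface.
# Exit status is 0 only for "ok".
masq_check() {
    table="$1"
    net_if="$2"
    if ! has_default_route "$table"; then
        echo "no-default-route"
        return 1
    fi
    dev=$(default_route_dev "$table")
    if [ "$dev" != "$net_if" ]; then
        echo "wrong-interface:$dev"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample routing tables for demonstration (not from the poster's box).
# BROKEN_TABLE: connected routes only, no default route -- masq fails silently.
BROKEN_TABLE='192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.1
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10'

# FIXED_TABLE: same, plus the default gateway that was forgotten.
FIXED_TABLE="$BROKEN_TABLE
default via 203.0.113.1 dev eth0"

# MISROUTED_TABLE: a default route that points at an internal interface,
# which would also break masq even though "a default route exists".
MISROUTED_TABLE="$BROKEN_TABLE
default via 192.168.1.254 dev eth1"

# Live usage on the firewall itself:
#   masq_check "$(ip route show)" eth0 || echo "fix routing before blaming shorewall"
```

Run it with the live table before starting Shorewall; a "no-default-route" verdict means the symptom you will see (internal hosts reach the DNS server in the dmz, but the dmz server's own upstream queries never appear on the external interface) is a routing problem, not a masq or policy problem.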