Goodday,

First my network layout:

dsl router (10.0.0.99)
|
server (eth0 10.0.0.1, eth1 10.0.1.10)
|
3 times windows machine (10.0.1.2, 10.0.1.3, 10.0.1.4)
(all with proxy settings 10.0.1.10:8080)

Now on the server is mandrake 10 installed with shorewall as firewall.
And a apache webserver (and no ftp server).
When i turned internet sharing on it started squid which added a line in the
shorewall rules file (which i changed to port 8080 because of the apache
webserver).
Internet works fine on the windowz machines but ftp won't work.

When searching with google i found that i had to use frox as a ftp proxy.
But i can't get it running for several reasons.

But the question is: do i need a proxy?
Can't i just stop squid and only use shorewall?

If so what are the rules to be used?

Thanx
Dave

On Sat, 26 Mar 2005 21:14:41 +0100, mailinglist@dakoni.org <mailinglist@dakoni.org> wrote:
> Goodday,
>
> First my network layout:
>
> dsl router (10.0.0.99)
> |
> server (eth0 10.0.0.1, eth1 10.0.1.10)
> |
> 3 times windows machine (10.0.1.2, 10.0.1.3, 10.0.1.4)
> (all with proxy settings 10.0.1.10:8080)
>
> Now on the server is mandrake 10 installed with shorewall as firewall.
> And a apache webserver (and no ftp server).
> When i turned internet sharing on it started squid which added a line in the
> shorewall rules file (which i changed to port 8080 because of the apache
> webserver).
> Internet works fine on the windowz machines but ftp won't work.
>
> When searching with google i found that i had to use frox as a ftp proxy.
> But i can't get it running for several reasons.
>
> But the question is: do i need a proxy?
> Can't i just stop squid and only use shorewall?
>
> If so what are the rules to be used?
>
> Thanx
> Dave

just create a new rule /etc/shorewall/rules

AllowFTP loc net

that's all.

if you are having issue PLEASE PROVIDE the necessary information

http://www.shorewall.net/support.htm
and RTFM http://www.shorewall.net/FTP.html

bye

I RTFM and I added the line in the rules file.
But it didn't work

after that I added another line:
ACCEPT loc net tcp 20

but it still won't work

this is the total set of rules
ACCEPT net fw tcp 80 -
ACCEPT loc fw tcp 22,80 -
AllowFTP loc net
ACCEPT loc net tcp 20
REDIRECT loc 3128 tcp 8080 -

i get messages saying that there probably isn't a internet connection
or can't find the location
but http works fine

Gr
Dave

On Sunday 27 March 2005 05:40, Cristian Rodriguez wrote:
> On Sat, 26 Mar 2005 21:14:41 +0100, mailinglist@dakoni.org
> <mailinglist@dakoni.org> wrote:
> > Goodday,
> >
> > First my network layout:
> >
> > dsl router (10.0.0.99)
> >
> > server (eth0 10.0.0.1, eth1 10.0.1.10)
> >
> > 3 times windows machine (10.0.1.2, 10.0.1.3, 10.0.1.4)
> > (all with proxy settings 10.0.1.10:8080)
> >
> > Now on the server is mandrake 10 installed with shorewall as firewall.
> > And a apache webserver (and no ftp server).
> > When i turned internet sharing on it started squid which added a line in
> > the shorewall rules file (which i changed to port 8080 because of the
> > apache webserver).
> > Internet works fine on the windowz machines but ftp won't work.
> >
> > When searching with google i found that i had to use frox as a ftp proxy.
> > But i can't get it running for several reasons.
> >
> > But the question is: do i need a proxy?
> > Can't i just stop squid and only use shorewall?
> >
> > If so what are the rules to be used?
> >
> > Thanx
> > Dave
>
> just create a new rule /etc/shorewall/rules
>
> AllowFTP loc net
>
> that's all.
>
> if you are having issue PLEASE PROVIDE the necessary information
>
> http://www.shorewall.net/support.htm
> and RTFM http://www.shorewall.net/FTP.html
>
> bye
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

mailinglist@dakoni.org wrote:
> I RTFM and I added the line in the rules file.
> But it didn't work
>
> after that I added another line:
> ACCEPT loc net tcp 20
>
> but it still won't work
>
> this is the total set of rules
> ACCEPT net fw tcp 80 -
> ACCEPT loc fw tcp 22,80 -
> AllowFTP loc net
> ACCEPT loc net tcp 20
> REDIRECT loc 3128 tcp 8080 -
>
>
> i get messages saying that there probably isn't a internet connection
> or can't find the location
> but http works fine
>

Please see http://shorewall.net/support.htm#Guidelines for the
information that we require to troubleshoot connection problems. Please
pay careful attention to the bullet that begins THIS IS IMPORTANT!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

[root@webserver root]# shorewall version
2.0.8
[root@webserver root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:a7:42:ab brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::240:f4ff:fea7:42ab/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:a7:3e:21 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
    inet6 fe80::240:f4ff:fea7:3e21/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
[root@webserver root]# ip route show
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.10
default via 10.0.0.138 dev eth0

and attached the status.txt file

And by looking in the status file I got the feeling "could it be dns??"
But i can't test the ftp action right now (office is closed - time is 19:30)

If so ............ shame on me.

But thanx in advance,
Dave

On Tuesday 29 March 2005 19:12, Tom Eastep wrote:
> mailinglist@dakoni.org wrote:
> > I RTFM and I added the line in the rules file.
> > But FTP didn't work
> >
> > after that I added another line:
> > ACCEPT loc net tcp 20
> >
> > but FTP still won't work
> >
> > this is the total set of rules
> > ACCEPT net fw tcp 80 -
> > ACCEPT loc fw tcp 22,80 -
> > AllowFTP loc net
> > ACCEPT loc net tcp 20
> > REDIRECT loc 3128 tcp 8080 -
> >
> >
> > i get messages saying that there probably isn't a internet connection
> > or can't find the location
> > but http works fine
>
> Please see http://shorewall.net/support.htm#Guidelines for the
> information that we require to troubleshoot connection problems. Please
> pay careful attention to the bullet that begins THIS IS IMPORTANT!
>
> -Tom

mailinglist@dakoni.org wrote:
> [root@webserver root]# shorewall version
> 2.0.8
> [root@webserver root]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:a7:42:ab brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
>     inet6 fe80::240:f4ff:fea7:42ab/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:a7:3e:21 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
>     inet6 fe80::240:f4ff:fea7:3e21/64 scope link
>        valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> [root@webserver root]# ip route show
> 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
> 10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.10
> default via 10.0.0.138 dev eth0
>
> and attached the status.txt file
>
> And by looking in the status file I got the feeling "could it be dns??"
> But i can't test the ftp action right now (office is closed - time is 19:30)
>
> If so ............ shame on me.
>

Yes -- it appears that your local clients are configured to use a DNS
server on your firewall but you have no "AllowDNS loc fw" rule.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Tue, 29 Mar 2005 19:36:59 +0200, mailinglist@dakoni.org <mailinglist@dakoni.org> wrote:
> [root@webserver root]# shorewall version
> 2.0.8
> [root@webserver root]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:a7:42:ab brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
>     inet6 fe80::240:f4ff:fea7:42ab/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:a7:3e:21 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
>     inet6 fe80::240:f4ff:fea7:3e21/64 scope link
>        valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> [root@webserver root]# ip route show
> 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
> 10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.10
> default via 10.0.0.138 dev eth0
>
> and attached the status.txt file
>
> And by looking in the status file I got the feeling "could it be dns??"
> But i can't test the ftp action right now (office is closed - time is 19:30)
>
> If so ............ shame on me.
>
> But thanx in advance,
> Dave
>

Install a DNS cache/forwarder on the firewall (dnsmasq will be nice ;) )

Create a rule allowing dns from your local network
AllowDns loc fw

that's all..good luck.

On Tue, 29 Mar 2005 17:13:05 -0400, Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
> On Tue, 29 Mar 2005 19:36:59 +0200, mailinglist@dakoni.org
> <mailinglist@dakoni.org> wrote:
> > [root@webserver root]# shorewall version
> > 2.0.8
> > [root@webserver root]# ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:40:f4:a7:42:ab brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
> >     inet6 fe80::240:f4ff:fea7:42ab/64 scope link
> >        valid_lft forever preferred_lft forever
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:40:f4:a7:3e:21 brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
> >     inet6 fe80::240:f4ff:fea7:3e21/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: sit0: <NOARP> mtu 1480 qdisc noop
> >     link/sit 0.0.0.0 brd 0.0.0.0
> > [root@webserver root]# ip route show
> > 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
> > 10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.10
> > default via 10.0.0.138 dev eth0
> >
> > and attached the status.txt file
> >
> > And by looking in the status file I got the feeling "could it be dns??"
> > But i can't test the ftp action right now (office is closed - time is 19:30)
> >
> > If so ............ shame on me.
> >
> > But thanx in advance,
> > Dave
> >
> Install a DNS cache/forwarder on the firewall (dnsmasq will be nice ;) )
>
> Create a rule allowing dns from your local network
> AllowDns loc fw
>
> that's all..good luck.
>

excuse me

AllowDNS loc fw

:oops

greetz.

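Added example, not part of the thread or of Shorewall itself: a small Python model of the rules file Dave posted, checking Tom's diagnosis that nothing accepts DNS from loc to fw. The action expansions (AllowFTP as tcp/21, AllowDNS as udp and tcp/53), the function names, and a loc-to-fw policy that does not accept by default are assumptions.

```python
# Added example: toy model of the Shorewall rules file posted in this thread.
# Assumed expansions of the two standard actions named in the thread;
# zone policies are not modelled (the default is assumed not to ACCEPT).
ACTIONS = {
    "AllowFTP": [("tcp", "21")],
    "AllowDNS": [("udp", "53"), ("tcp", "53")],
}

# Rules as posted in the thread (column spacing is constructed).
POSTED_RULES = """\
ACCEPT    net  fw    tcp  80     -
ACCEPT    loc  fw    tcp  22,80  -
AllowFTP  loc  net
ACCEPT    loc  net   tcp  20
REDIRECT  loc  3128  tcp  8080   -
"""
FIXED_RULES = POSTED_RULES + "AllowDNS  loc  fw\n"

def parse_rules(text):
    """Return (action, source, dest, proto, port) tuples, one per port."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"too few columns: {raw!r}")
        action, source, dest = cols[:3]
        if action in ACTIONS:  # expand the action into plain ACCEPT rules
            rules.extend(("ACCEPT", source, dest, p, port)
                         for p, port in ACTIONS[action])
            continue
        proto = cols[3] if len(cols) > 3 else "all"
        ports = cols[4] if len(cols) > 4 else "-"
        rules.extend((action, source, dest, proto, p) for p in ports.split(","))
    return rules

def allowed(rules, source, dest, proto, port):
    """True if some ACCEPT rule covers the flow; REDIRECT rules are ignored here."""
    return any(
        action == "ACCEPT" and (src, dst) == (source, dest)
        and r_proto in ("all", proto) and r_port in ("-", str(port))
        for action, src, dst, r_proto, r_port in rules
    )

def audit(text):
    """Check the flows an FTP client on loc needs when it resolves names via fw."""
    rules = parse_rules(text)
    needed = {
        "dns loc->fw udp/53": ("loc", "fw", "udp", 53),
        "ftp loc->net tcp/21": ("loc", "net", "tcp", 21),
    }
    return {name: allowed(rules, *flow) for name, flow in needed.items()}
```

Running `audit(POSTED_RULES)` reports the FTP control channel as accepted and the DNS lookup as not, which matches the symptom in the thread of clients failing to find the location.
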
Sorry but it is still didn't working.......

I followed the quick road ........ reinstallment of the system
(Fedora instead of Mandrake this time)
But this time no proxy........

And after rereading all the mail and FAQ's it's working

Thanx for the help

On Tuesday 29 March 2005 19:43, Tom Eastep wrote:
> mailinglist@dakoni.org wrote:
> > [root@webserver root]# shorewall version
> > 2.0.8
> > [root@webserver root]# ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:40:f4:a7:42:ab brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
> >     inet6 fe80::240:f4ff:fea7:42ab/64 scope link
> >        valid_lft forever preferred_lft forever
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:40:f4:a7:3e:21 brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.1.10/24 brd 10.0.1.255 scope global eth1
> >     inet6 fe80::240:f4ff:fea7:3e21/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: sit0: <NOARP> mtu 1480 qdisc noop
> >     link/sit 0.0.0.0 brd 0.0.0.0
> > [root@webserver root]# ip route show
> > 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
> > 10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.10
> > default via 10.0.0.138 dev eth0
> >
> > and attached the status.txt file
> >
> > And by looking in the status file I got the feeling "could it be dns??"
> > But i can't test the ftp action right now (office is closed - time is
> > 19:30)
> >
> > If so ............ shame on me.
>
> Yes -- it appears that your local clients are configured to use a DNS
> server on your firewall but you have no "AllowDNS loc fw" rule.
>
> -Tom

--
***************************
Kmail
dave@dakoni.org
bianca@dakoni.org
***************************

On Apr 11, 2005 5:20 AM, mailinglist@dakoni.org <mailinglist@dakoni.org> wrote:
> Sorry but it is still didn't working.......
>
> I followed the quick road ........ reinstallment of the system
> (Fedora instead of Mandrake this time)
> But this time no proxy........
>
> And after rereading all the mail and FAQ's it's working
>
> Thanx for the help
>

If you don't provide us the error messages ..there is nothing we
can(want to) do.

if the problem is related to squid post in the squid-users mail list
at www.squid-cache.org

Cristian Rodriguez wrote:
> On Apr 11, 2005 5:20 AM, mailinglist@dakoni.org <mailinglist@dakoni.org> wrote:
>>Sorry but it is still didn't working.......
>>
>>I followed the quick road ........ reinstallment of the system
>>(Fedora instead of Mandrake this time)
>>But this time no proxy........
>>
>>And after rereading all the mail and FAQ's it's working
>>
>>Thanx for the help
>>
> If you don't provide us the error messages ..there is nothing we
> can(want to) do.
>
> if the problem is related to squid post in the squid-users mail list
> at www.squid-cache.org
> _______________________________________________

I interpreted the OP's message to mean that his problem is solved
("...it's working").

Is this not the case?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

that's it.
It's working.
I just wanted to say thanx for the help.

Gr
Dave

On Apr 11, 2005 7:52 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Cristian Rodriguez wrote:
> > On Apr 11, 2005 5:20 AM, mailinglist@dakoni.org <mailinglist@dakoni.org> wrote:
> >>Sorry but it is still didn't working.......
> >>
> >>I followed the quick road ........ reinstallment of the system
> >>(Fedora instead of Mandrake this time)
> >>But this time no proxy........
> >>
> >>And after rereading all the mail and FAQ's it's working
> >>
> >>Thanx for the help
> >>
> > If you don't provide us the error messages ..there is nothing we
> > can(want to) do.
> >
> > if the problem is related to squid post in the squid-users mail list
> > at www.squid-cache.org
> > _______________________________________________
>
> I interpreted the OP's message to mean that his problem is solved
> ("...it's working").
>
> Is this not the case?
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>