I promise - this time all buffers in the editor are saved! Here

mon shorewall # /etc/init.d/shorewall start
 * Starting firewall...
Warning: default route ignored on interface eth0
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16" Failed
/sbin/runscript.sh: line 532: 14701 Terminated   /sbin/shorewall start >/dev/null   [ !! ]

tos contains

#SOURCE   DEST   PROTOCOL   SOURCE PORTS   DEST PORTS   TOS
all       all    tcp        -              ssh          16
all       all    tcp        ssh            -            16
all       all    tcp        -              ftp          16
all       all    tcp        ftp            -            16
all       all    tcp        ftp-data       -            8
all       all    tcp        -              ftp-data     8

If I comment out all these lines the firewall starts.

zones has

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local net

interfaces has

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,tcpflags,nosmurfs
loc     eth0        detect

At the moment eth1 is not connected. Might this be the source of the problem? Something else?

====== Another question

In params I have (numbers changed to protect the guilty)

# TRU Trusted IP addresses
TRU=123.4.5.6,987.6.5.4

In rules (among other things) I have

AllowFTP   fw    net
AllowFTP   net   fw

But I really only want to allow this access from $TRU. Ideally I would like an ftp session that is initiated on the firewall to be allowed everywhere, but other ftp sessions to the firewall to only be allowed from $TRU. How is this done?

Many thanks,
Fred
Fred Krogh wrote:
> I promise - this time all buffers in the editor are saved! Here
>
> mon shorewall # /etc/init.d/shorewall start
>  * Starting firewall...
> Warning: default route ignored on interface eth0
> iptables: No chain/target/match by that name
>    ERROR: Command "/sbin/iptables -t mangle -A outtos -p tcp -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16" Failed
> /sbin/runscript.sh: line 532: 14701 Terminated   /sbin/shorewall start >/dev/null   [ !! ]
>
> tos contains

Sounds like your kernel and/or iptables doesn't/don't support the TOS target.

> ====== Another question
>
> In params I have (numbers changed to protect the guilty)
>
> # TRU Trusted IP addresses
> TRU=123.4.5.6,987.6.5.4
>
> In rules (among other things) I have
>
> AllowFTP   fw    net
> AllowFTP   net   fw
>
> But I really only want to allow this access from $TRU. Ideally I
> would like an ftp session that is initiated on the firewall to be
> allowed everywhere, but other ftp sessions to the firewall to only be
> allowed from $TRU. How is this done?

Come on -- RTFM!

AllowFTP   fw         net
AllowFTP   net:$TRU   fw

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
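Two checks a practitioner would want to run before restarting the firewall, written up here as an added example; this is not code from the thread or from Shorewall itself. The first confirms that the TOS target is actually registered with the kernel, which is what Tom's diagnosis turns on (it reads /proc/net/ip_tables_targets, which only lists targets already loaded, so a modular kernel may need "modprobe ipt_TOS" or "modprobe xt_TOS" first; that path behaviour and the function names are assumptions). The second lints a rules file against params the way Tom's correction implies: any rule whose SOURCE is the bare zone "net" and whose DEST is "fw" admits the whole Internet, and the fix is the "net:$TRU" qualifier. The params and rules files are constructed inline to mirror the ones posted above.

```sh
#!/bin/sh
# Added example, not part of the thread or of Shorewall: two preflight checks
# for the problems above. Function names and sample files are constructed here.

# Check 1: is the iptables TOS target available to the running kernel?
# /proc/net/ip_tables_targets lists the targets currently registered, one per
# line (assumption: the module is already loaded; on a modular kernel you may
# need "modprobe ipt_TOS" or "modprobe xt_TOS" first). Returns 0 if TOS is
# listed, 1 otherwise. Argument: path to the targets file (defaults to /proc).
have_tos_target() {
    targets="${1:-/proc/net/ip_tables_targets}"
    [ -r "$targets" ] || return 1
    grep -qx 'TOS' "$targets"
}

# Check 2: lint a Shorewall rules file against params. A rule whose SOURCE is
# the bare zone "net" and whose DEST is "fw" admits the whole Internet; the fix
# in the reply is to qualify the zone with the trusted hosts, "net:$TRU".
# Prints each rule with $NAME expanded from params and returns the number of
# unqualified net->fw rules.
lint_inbound_rules() {
    params="$1"
    rules="$2"
    awk -v params="$params" '
        BEGIN {
            # load NAME=value pairs from params (comments and blanks skipped)
            while ((getline line < params) > 0) {
                if (line ~ /^[ \t]*#/ || line !~ /=/) continue
                eq = index(line, "=")
                var[substr(line, 1, eq - 1)] = substr(line, eq + 1)
            }
            close(params)
        }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            src = $2
            for (v in var) gsub("\\$" v, var[v], src)   # expand $TRU etc.
            split($2, zone, ":")                          # zone is before ":"
            if (zone[1] == "net" && $3 == "fw" && index($2, ":") == 0) {
                print "UNRESTRICTED: " $1 " " src " " $3
                bad++
            } else {
                print "ok:           " $1 " " src " " $3
            }
        }
        END { exit bad + 0 }
    ' "$rules"
}

# Demo on constructed files that mirror the thread.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# TRU Trusted IP addresses' 'TRU=123.4.5.6,987.6.5.4' > "$tmp/params"
    printf '%s\n' '#ACTION   SOURCE     DEST' \
                  'AllowFTP  fw         net' \
                  'AllowFTP  net        fw' > "$tmp/rules.before"
    printf '%s\n' '#ACTION   SOURCE     DEST' \
                  'AllowFTP  fw         net' \
                  'AllowFTP  net:$TRU   fw' > "$tmp/rules.after"

    if have_tos_target; then
        echo "TOS target: available"
    else
        echo "TOS target: not listed (kernel option / module missing, or file unreadable)"
    fi

    echo "--- rules as posted"
    lint_inbound_rules "$tmp/params" "$tmp/rules.before" || echo "offending rules: $?"
    echo "--- rules with net:\$TRU"
    lint_inbound_rules "$tmp/params" "$tmp/rules.after" && echo "offending rules: 0"

    rm -rf "$tmp"
}

demo
```

Run it as root on the firewall host for the TOS check to mean anything; the lint works anywhere. Note that it only looks at the zone column: a rule like "AllowFTP net:$TRU fw" is still only as trustworthy as the addresses in TRU, and the outbound "AllowFTP fw net" remains unrestricted by design, which is what Fred asked for.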
The tos was hidden under a '+' that indicated the full page was not on my screen in the make menuconfig.

I might note that an effort was made to RTFM. At least for me there are way too many things that perhaps I should understand, but don't. (Like how data coming from net to fw is covered by a rule with source fw and destination net when the request was initiated at fw.)

Anyway all is working up to this point. I don't see how anyone would manage to use iptables without a tool like this.

Many thanks for the help and the tool.
Fred
Fred Krogh wrote:
> (Like how data coming from net to fw is
> covered by a rule with source fw and destination net when the request
> was initiated at fw.)

It's not -- a rule of that type covers connections initiated by programs running on the firewall to hosts in the 'net' zone.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key