Hi,

I'm having problems with a new Shorewall installation on Fedora Core 3 (I had the same problem with Core 2, and the upgrade did not help even though iptables was upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but starting Shorewall drops all connections and doesn't permit any outgoing requests, even with an "all allowed" policy. The policy file is below. The current setup is for test purposes: both NICs are connected to two hubs, which also have a direct connecting cable (I've set the arp_filter option on both NICs in the interfaces file). I hope someone can help; I've been struggling with this problem for a few days now.

Br,
Riku

Interfaces:
net     eth0    detect    dhcp,routefilter,tcpflags,arp_filter
loc     eth1    detect    tcpflags,routefilter,arp_filter

Policy:
#SOURCE   DEST    POLICY    LOG LEVEL    LIMIT:BURST
#loc      all     ACCEPT
#fw       all     ACCEPT
#net      all     ACCEPT
#net      all     DROP      info
# THE FOLLOWING POLICY MUST BE LAST
#all      all     REJECT    info
all       all     ACCEPT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Ping results:
[root@xstone ~]# ping -c 2 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@xstone ~]# /etc/init.d/shorewall stop
Shutting down shorewall: [ OK ]
[root@xstone ~]# ping -c 2 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=1.74 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms

--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.759/1.250/1.742/0.492 ms, pipe 2
[root@xstone ~]#

Shorewall setup:
[root@xstone ~]# shorewall version
2.2.1
[root@xstone ~]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:b7:0a:3f:66 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::2d0:b7ff:fe0a:3f66/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:90:68:0d brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.1/24 brd 10.0.1.255 scope global eth1
    inet6 fe80::290:27ff:fe90:680d/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
[root@xstone ~]# ip route show
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.3
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.1
169.254.0.0/16 dev eth1  scope link
default via 10.0.0.2 dev eth0
[root@xstone ~]#

* Riku Nykanen * raigaard at pcuf.fi *
Riku Nykanen wrote:
> Hi,
>
> I'm having problems with a new Shorewall installation on Fedora Core 3 (I had
> the same problem with Core 2, and the upgrade did not help even though iptables was
> upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but
> starting Shorewall drops all connections and doesn't permit any outgoing
> requests, even with an "all allowed" policy. The policy file is below. The current
> setup is for test purposes: both NICs are connected to two hubs, which
> also have a direct connecting cable (I've set the arp_filter option on both NICs
> in the interfaces file). I hope someone can help; I've been struggling with
> this problem for a few days now.
>

'shorewall start' is failing -- please submit a trace (see http://shorewall.net/troubleshoot.htm under: "shorewall start" and "shorewall restart" Errors).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
FYI - Using FC3 without issues.

On Apr 3, 2005, at 2:42 PM, Riku Nykanen wrote:
> Hi,
>
> I'm having problems with a new Shorewall installation on Fedora Core 3 (I had
> the same problem with Core 2, and the upgrade did not help even though iptables was
> upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but
> starting Shorewall drops all connections and doesn't permit any outgoing
> requests, even with an "all allowed" policy. The policy file is below. The current
> setup is for test purposes: both NICs are connected to two hubs, which
> also have a direct connecting cable (I've set the arp_filter option on both NICs
> in the interfaces file). I hope someone can help; I've been struggling with
> this problem for a few days now.
>
> Br,
> Riku
>
> Interfaces:
> net     eth0    detect    dhcp,routefilter,tcpflags,arp_filter
> loc     eth1    detect    tcpflags,routefilter,arp_filter
>
> Policy:
> #SOURCE   DEST    POLICY    LOG LEVEL    LIMIT:BURST
> #loc      all     ACCEPT
> #fw       all     ACCEPT
> #net      all     ACCEPT
> #net      all     DROP      info
> # THE FOLLOWING POLICY MUST BE LAST
> #all      all     REJECT    info
> all       all     ACCEPT    info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> Ping results:
> [root@xstone ~]# ping -c 2 10.0.0.2
> PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
>
> --- 10.0.0.2 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 999ms
> [root@xstone ~]# /etc/init.d/shorewall stop
> Shutting down shorewall: [ OK ]
> [root@xstone ~]# ping -c 2 10.0.0.2
> PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
> 64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=1.74 ms
> 64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms
>
> --- 10.0.0.2 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
> rtt min/avg/max/mdev = 0.759/1.250/1.742/0.492 ms, pipe 2
> [root@xstone ~]#
>
>
> Shorewall setup:
> [root@xstone ~]# shorewall version
> 2.2.1
> [root@xstone ~]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:d0:b7:0a:3f:66 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.3/24 brd 10.0.0.255 scope global eth0
>     inet6 fe80::2d0:b7ff:fe0a:3f66/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:90:27:90:68:0d brd ff:ff:ff:ff:ff:ff
>     inet 10.0.1.1/24 brd 10.0.1.255 scope global eth1
>     inet6 fe80::290:27ff:fe90:680d/64 scope link
>        valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> [root@xstone ~]# ip route show
> 10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.3
> 10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.1
> 169.254.0.0/16 dev eth1  scope link
> default via 10.0.0.2 dev eth0
> [root@xstone ~]#
>
>
> * Riku Nykanen * raigaard at pcuf.fi *
> <status.txt>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
TGS wrote:
> FYI - Using FC3 without issues.
>

The OP had installed WonderShaper as tcstart but had not configured it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key