Hi,

I'm having problems with a new Shorewall installation on Fedora Core 3 (had the same problem with Core 2, and the upgrade did not help even though iptables was upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but starting Shorewall drops all connections and doesn't permit any outgoing requests, even with an "all allowed" policy. The policy file is below. The current setup is for test purposes, and both NICs are connected to two hubs, which also have a direct connection cable (I've the arp_filter option on both NICs in the interfaces file). I hope someone can help; I've been struggling with this problem for a few days now.

Br,
Riku
Interfaces:
net eth0 detect dhcp,routefilter,tcpflags,arp_filter
loc eth1 detect tcpflags,routefilter,arp_filter
Policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#loc all ACCEPT
#fw all ACCEPT
#net all ACCEPT
#net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
#all all REJECT info
all all ACCEPT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Ping results:
[root@xstone ~]# ping -c 2 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@xstone ~]# /etc/init.d/shorewall stop
Shutting down shorewall: [ OK ]
[root@xstone ~]# ping -c 2 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=1.74 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.759/1.250/1.742/0.492 ms, pipe 2
[root@xstone ~]#
Shorewall setup:
[root@xstone ~]# shorewall version
2.2.1
[root@xstone ~]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:d0:b7:0a:3f:66 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 brd 10.0.0.255 scope global eth0
inet6 fe80::2d0:b7ff:fe0a:3f66/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:90:27:90:68:0d brd ff:ff:ff:ff:ff:ff
inet 10.0.1.1/24 brd 10.0.1.255 scope global eth1
inet6 fe80::290:27ff:fe90:680d/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root@xstone ~]# ip route show
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.3
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.1
169.254.0.0/16 dev eth1 scope link
default via 10.0.0.2 dev eth0
[root@xstone ~]#
* Riku Nykanen * raigaard at pcuf.fi *
Riku Nykanen wrote:
> Hi,
>
> I'm having problems with a new Shorewall installation on Fedora Core 3 (had
> the same problem with Core 2, and the upgrade did not help even though iptables was
> upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but
> starting Shorewall drops all connections and doesn't permit any outgoing
> requests, even with an "all allowed" policy. The policy file is below. The current
> setup is for test purposes, and both NICs are connected to two hubs, which
> also have a direct connection cable (I've the arp_filter option on both NICs
> in the interfaces file). I hope someone can help; I've been struggling with
> this problem for a few days now.

'shorewall start' is failing -- please submit a trace (see http://shorewall.net/troubleshoot.htm under: "shorewall start" and "shorewall restart" Errors).

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
FYI - Using FC3 without issues.

On Apr 3, 2005, at 2:42 PM, Riku Nykanen wrote:
> Hi,
>
> I'm having problems with a new Shorewall installation on Fedora Core 3 (had
> the same problem with Core 2, and the upgrade did not help even though iptables was
> upgraded from 1.2.9 to 1.2.11). I've followed the two-NIC example, but
> starting Shorewall drops all connections and doesn't permit any outgoing
> requests, even with an "all allowed" policy. The policy file is below. The current
> setup is for test purposes, and both NICs are connected to two hubs, which
> also have a direct connection cable (I've the arp_filter option on both NICs
> in the interfaces file). I hope someone can help; I've been struggling with
> this problem for a few days now.
>
> [interfaces, policy, ping results and Shorewall setup quoted in full in the original post above]
>
> * Riku Nykanen * raigaard at pcuf.fi *
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
TGS wrote:
> FYI - Using FC3 without issues.

The OP had installed WonderShaper as tcstart but had not configured it.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
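Two points in this thread are worth turning into a repeatable check: the ping output in the original post ("sendmsg: Operation not permitted" while Shorewall is up, replies once it is stopped) and Tom's diagnosis that an unconfigured extension script (WonderShaper dropped in as tcstart) made "shorewall start" fail. The helpers below are an added example written for this page, not code from the thread or from the Shorewall project. They assume that EPERM from sendmsg means the packet was dropped by a local netfilter OUTPUT rule before it left the host, and they assume the Shorewall 2.x extension script names listed in the comment; the two ping transcripts are constructed from the ones in the thread.

```shell
#!/bin/sh
# Added diagnostic helpers for the symptoms discussed in the thread.
# Not part of the original posts or of Shorewall itself.

# Constructed sample: the failing ping from the thread, Shorewall running.
PING_BLOCKED='PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms'

# Constructed sample: the same ping after "shorewall stop".
PING_OK='PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=1.74 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=0.759 ms
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms'

# classify_ping: read ping(8) output on stdin, print a one-word verdict.
#   local-firewall : "sendmsg: Operation not permitted" is EPERM handed back
#                    to the sending socket; the packet never left the host,
#                    so a local OUTPUT-chain rule (not the network path or
#                    the remote host) is what to look at.
#   ok             : at least one echo reply came back.
#   unreachable    : an ICMP error came back, so packets did leave the host.
#   timeout        : packets left, nothing at all came back.
classify_ping() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'sendmsg: Operation not permitted'; then
        echo local-firewall
    elif printf '%s\n' "$out" | grep -q 'bytes from'; then
        echo ok
    elif printf '%s\n' "$out" | grep -qi 'unreachable'; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -q '100% packet loss'; then
        echo timeout
    else
        echo unknown
    fi
}

# list_extension_scripts DIR: print the non-empty Shorewall extension scripts
# found under DIR (normally /etc/shorewall). These are sourced during
# "shorewall start", so a script that is present but not configured (the
# thread's case: WonderShaper as tcstart) can make start fail and leave the
# firewall in its stopped, drop-everything state. The names below are assumed
# to be the Shorewall 2.x extension script names; adjust for other versions.
list_extension_scripts() {
    dir=$1
    for name in init start stop stopped tcstart tcclear clear refresh; do
        if [ -s "$dir/$name" ]; then
            echo "$name"
        fi
    done
}

# Demo on the constructed transcripts.
printf 'with firewall up:   %s\n' "$(printf '%s\n' "$PING_BLOCKED" | classify_ping)"
printf 'with firewall down: %s\n' "$(printf '%s\n' "$PING_OK" | classify_ping)"
```

On a live box, run "ping -c 2 <gateway> 2>&1 | classify_ping" with the firewall up; a "local-firewall" verdict says to read the OUTPUT chain and the start log rather than the cabling, and "list_extension_scripts /etc/shorewall" shows which extension scripts will run at the next start and deserve a look before "shorewall start" is retried.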