Hey all,

A while ago today I posted about not being able to get my two interface setup working with a router (di 652 wireless/wired). I received help from Tom and got everything in the router turned off and set it up as a switch rather than a router; this still never corrected my problems. Using tcpdump I see there is a lot of traffic, but as soon as I dhcpcd eth1 (local) I lose all outside access from the firewall, and can never get any in the LAN at all.

-- 
Dustin Carl
Dustin Carl wrote:
> [...] Using tcpdump I see there is a lot of traffic, but as soon as I dhcpcd eth1 (local) I lose all outside access from the firewall, and can never get any in the LAN at all.

Given the requirement for all local systems to configure their default gateway to the firewall local interface IP address, most people find it self-evident that the firewall *CAN NOT* have a dynamic local IP address.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Given the requirement for all local systems to configure their default gateway to the firewall local interface IP address, most people find it self-evident that the firewall *CAN NOT* have a dynamic local IP address.

It's time to direct you to http://shorewall.net/support.htm -- I am not going to spend any more of my weekend trying to guess what you are doing (or not doing) until we see what your configuration looks like.

-Tom
Alright, sorry for not providing this before; I wasn't aware of the site. Included in the tar are all of the config files from /etc/shorewall, the status dump, and ip addr show / ip route show. Kernel 2.6.11 is being used. I can provide a text file of the router config if needed. Also, should I/shouldn't I be running this as root?

Thanks

On Sun, 03 Apr 2005 19:25:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> It's time to direct you to http://shorewall.net/support.htm -- I am not going to spend any more of my weekend trying to guess what you are doing (or not doing) until we see what your configuration looks like.

-- 
Dustin Carl
Forgot to mention: the ip route / ip addr etc. output is in the shorewall-troubleshooting file.

On Mon, 4 Apr 2005 16:44:34 -0600, Dustin Carl <ddwcarl@gmail.com> wrote:
> Alright, sorry for not providing this before; I wasn't aware of the site. Included in the tar are all of the config files from /etc/shorewall, the status dump, and ip addr show / ip route show. [...]

-- 
Dustin Carl
Hey Dustin;

I have a few questions whose answers might point you to a solution...

1) In your interfaces file you have 'loc eth1 192.168.0.101 tcpflags'; however, your eth1 interface is actually configured as

   inet 192.168.0.101/24 brd 192.168.0.255 scope global eth1

therefore your interfaces file should really read 'loc eth1 detect tcpflags'.

2) You have several rules with both source and destination port listed, which may (or may not) ever happen. You probably don't want to list that source port, do you? (Unless all of these applications DO use the same source and destination ports for connections?)

3) You are DNAT'ing to 192.168.0.2 but your status only shows an ARP address for 192.168.0.1?

4) You have several REJECT messages from 192.168.0.100 and from 192.168.0.8 that are prevented from entering your firewall (DNS as well as others). If you need DNS resolution for these hosts from your firewall you should really add 'loc fw udp 53' to your rules file. I don't think your 'rulesn' file is working.

5) You have bridging turned on in your shorewall.conf file but your status doesn't show any interfaces listed. Your configuration files look like you want a 'two interface' firewall setup, but your problems seem to be related to the BRIDGING=yes option and your networking is not actually being set up as a bridge.

Answering these should get you started in the right direction... Either re-read the bridging how-to or start over with a clean 'two-interface' sample.

Jeff

----- Original Message -----
From: "Dustin Carl" <ddwcarl@gmail.com>
To: "Tom Eastep" <teastep@shorewall.net>
Cc: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, April 04, 2005 6:44 PM
Subject: [Shorewall-users] Re: Two Interface Setup + router problems II

> Alright, sorry for not providing this before; I wasn't aware of the site. Included in the tar are all of the config files from /etc/shorewall, the status dump, and ip addr show / ip route show. Kernel 2.6.11 is being used. I can provide a text file of the router config if needed. Also, should I/shouldn't I be running this as root?
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

DISCLAIMER: This message was sent from The-Techy.com.
Dustin Carl wrote:
> Alright, sorry for not providing this before; I wasn't aware of the site.

Hmmmmm - wasn't aware of the site.

<SOAPBOX>

You must suffer from a malady that is common among people who have problems with Shorewall -- it's called "Shorewall-selective opthalinklaprosis". When the sufferer looks at a web page that deals with Shorewall, the download links and the address of the support mailing lists appear as 48 point bold blinking red font whereas the surrounding text and graphics are virtually invisible (advanced cases have been reported where the subject can't even see his/her monitor -- the download/support links appear to just float above the sufferer's desk).

To illustrate my point, go to http://lists.shorewall.net#Users. Above the link to the page where you subscribed to this list is the following in bold red large font:

"Problem reports that do not include the information requested in the _problem reporting guidelines_ will go unanswered (at least by the Shorewall author)."

"problem reporting guidelines" is a link to the guidelines.

Also, the email that was sent to you when you subscribed to this list begins as follows:

"Welcome to the Shorewall-users@lists.shorewall.net mailing list! Please review the FAQ (http://www.shorewall.net/FAQ.htm) and the Support Guidelines (http://www.shorewall.net/support.htm) before posting."

So it isn't as if I haven't tried to make you "aware of the site".

</SOAPBOX>

> Included in the tar are all of the config files from /etc/shorewall, the status dump, and ip addr show / ip route show. Kernel 2.6.11 is being used. I can provide a text file of the router config if needed. Also, should I/shouldn't I be running this as root?

You must run Shorewall as root.

In addition to what others have reported, I see this in your log:

  Apr 3 18:11:20 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.100 DST=192.168.0.101 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=527 PROTO=UDP SPT=1076 DPT=53 LEN=42

So 192.168.0.100 seems to be configured to use the firewall as its DNS server, yet you have no rule allowing DNS from loc->fw:

  Chain loc2fw (1 references)
   pkts bytes target   prot opt in  out  source     destination
      0     0 ACCEPT   all  --  *   *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
      0     0 ACCEPT   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:22
      0     0 ACCEPT   icmp --  *   *    0.0.0.0/0  0.0.0.0/0    icmp type 8
     18  1727 all2all  all  --  *   *    0.0.0.0/0  0.0.0.0/0

-Tom
Hey Jeff,

Thanks for the info. Yes, I am using the two interface setup; I used the sample one provided. The reason bridging is turned on is because before I was using bridging, but realised it was the wrong one and forgot to turn it off =/. As for #2, these are all special apps I use; I carbon copied my working router setup into the rules area.

@Tom: the reason I never noticed the site was I subscribed to the site and wrote the email in a rush to get to work. Again, I apologize for it. I was running shorewall as root as I figured it would be best to.

Thanks

On Apr 4, 2005 6:40 PM, Tom Eastep <teastep@shorewall.net> wrote:
> You must run Shorewall as root.
>
> In addition to what others have reported, I see this in your log:
> [...]
> So 192.168.0.100 seems to be configured to use the firewall as its DNS server, yet you have no rule allowing DNS from loc->fw: [...]

-- 
Dustin Carl
Hey,

I have changed those things and fixed DNS resolve, but I still have no net access. Here is shorewall status rejecting:

Pinging the external ISP DNS server:

  Apr 4 21:15:06 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=209.115.152.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=65129 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
  Apr 4 21:15:11 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=209.115.152.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=65142 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8704

Attempting to access a website; the DNS resolves now because the IP is there:

  Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=80.192.162.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64734 DF PROTO=TCP SPT=3060 DPT=6882 WINDOW=65535 RES=0x00 SYN URGP=0
  Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=69.165.25.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64736 DF PROTO=TCP SPT=3062 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0

I have attached the new rules file; it is the only changed file other than bridging = no in shorewall.conf. Heavy debugging stuff in there that shouldn't be there, but yeah. No idea why it's IN eth1 (loc) and OUT eth1?

Thanks

On Mon, 4 Apr 2005 19:57:02 -0400, Jeff <jsoehner@the-techy.com> wrote:
> Hey Dustin;
>
> I have a few questions whose answers might point you to a solution...
> [...]

-- 
Dustin Carl
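As an added example (not code from the thread or from Shorewall), the small parser below reads netfilter log lines in the format quoted above and flags the two patterns this thread turns on: a DNS query to the firewall's own address rejected from loc->fw with no matching rule (Tom's log line), and a FORWARD reject whose IN and OUT interface are the same (Dustin's log lines), which means the firewall's route lookup sent a LAN client's packet straight back into the LAN interface. The firewall address 192.168.0.101 is an assumption taken from the thread; the sample lines are the ones posted in it.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption taken from the thread: 192.168.0.101 is the firewall's loc address.
FW_ADDRS = {"192.168.0.101"}

# Sample input: the REJECT lines quoted in the thread (one of each kind).
SAMPLE_LOG = """\
Apr 3 18:11:20 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.100 DST=192.168.0.101 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=527 PROTO=UDP SPT=1076 DPT=53 LEN=42
Apr 4 21:15:06 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=209.115.152.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=65129 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=80.192.162.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64734 DF PROTO=TCP SPT=3060 DPT=6882 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "<timestamp> <chain>:<disposition>:<key=value ...>", as in the lines above.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)$"
)


@dataclass
class Entry:
    ts: str
    chain: str        # netfilter chain the log rule sits in, e.g. all2all, FORWARD
    disposition: str  # what Shorewall did next: REJECT, DROP, ACCEPT, ...
    fields: dict      # key=value tokens; bare flags such as DF and SYN map to True


def parse_line(line):
    """Parse one Shorewall/netfilter log line; return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN and ID appear twice (IP header, then the UDP/ICMP payload);
            # keep the first occurrence, which belongs to the IP header.
            fields.setdefault(key, val)
        else:
            fields[tok] = True
    return Entry(m.group("ts"), m.group("chain"), m.group("disp"), fields)


def diagnose(entry):
    """Return (category, explanation) for one parsed entry."""
    f = entry.fields
    if entry.disposition not in ("REJECT", "DROP"):
        return "passed", "not a reject/drop; nothing to do"
    inp, out = f.get("IN", ""), f.get("OUT", "")
    if inp and inp == out:
        return "hairpin", (
            f"packet {f.get('SRC')} -> {f.get('DST')} came in on {inp} and the route "
            f"lookup chose {out} again: the firewall's route to that destination "
            f"(probably its default route) points back into the {inp} network, so the "
            f"forwarding policy rejects it; check 'ip route' for a gateway learned on {inp}"
        )
    if out == "" and f.get("DST") in FW_ADDRS and f.get("PROTO") == "UDP" and f.get("DPT") == "53":
        return "dns-to-fw", (
            f"{f.get('SRC')} sends DNS queries to the firewall itself and chain "
            f"{entry.chain} rejects them: add a loc->fw rule for udp 53 "
            f"(rules entry 'ACCEPT loc $FW udp 53') or point the client at another resolver"
        )
    return "other", f"{entry.chain} {entry.disposition} {f.get('PROTO')} {f.get('SRC')} -> {f.get('DST')}"


def summarize(log_text):
    """Count diagnosis categories across a whole log; non-log lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[diagnose(entry)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        cat, why = diagnose(entry)
        print(f"{entry.ts} {entry.chain}:{entry.disposition} [{cat}] {why}")
    print(summarize(SAMPLE_LOG))
```

Run it over `shorewall status` or syslog output; a run of `hairpin` entries on the loc interface is the signature of Tom's point that the firewall's local interface must not pick up a default route from the LAN side.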
----- Original Message -----
From: "Dustin Carl" <ddwcarl@gmail.com>
To: "Jeff" <jsoehner@the-techy.com>; "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, April 05, 2005 12:49 AM
Subject: Re: Two Interface Setup + router problems II

> Hey, I have changed those things and fixed DNS resolve, but I still have no net access. Here is shorewall status rejecting:
> [...]
> I have attached the new rules file; it is the only changed file other than bridging = no in shorewall.conf. Heavy debugging stuff in there that shouldn't be there, but yeah. No idea why it's IN eth1 (loc) and OUT eth1?

Hey Dustin;

You should just keep this on the list. I noticed that you also sent it to the mailing list but I didn't see it appear, so I am responding here.

Fine, you removed the bridging and added a rule for DNS, but you haven't changed the DNAT rules except to make them loc:192.168.0.101 (which is actually the firewall zone, right?). These are wrong. Your DNAT rules were better the first time.

Let's leave those out for the moment (comment them out).

You mention that you only changed the rules file, but I suggested that you change the interfaces file to use 'detect' rather than '192.168.0.101' as the broadcast address. Make this change and test that you can use the internet. You can then post again confirming it with your (new) status and files again.

Announce what you are then trying to accomplish and we can try to advise further. It is beginning to appear that you have two interfaces plugged into the same router, but I can't tell. You should also supply a quick chain of connections, i.e.

  Internet (Telephone or Cable?)
    |
  router ?
    |
  Firewall - eth0,eth1
    |
  hub/switch?
   \ \ \ \ \ \ \
   lan clients

Jeff
Hey Jeff,

I also changed the interfaces file to "detect". Will comment out the DNAT rules; they should be 100, not 101 =/

I have the following chain:

  DSL modem
    |
  Firewall eth0
    |
  eth1
    |
  router
    |
  wired LAN/WAP

Using two interfaces, yes; I used the howto as well as the sample two-interfaces file from the howto guide.

Thanks

On Apr 5, 2005 4:02 AM, Jeff <jsoehner@the-techy.com> wrote:
> > > > Thanks > > > > On Mon, 4 Apr 2005 19:57:02 -0400, Jeff <jsoehner@the-techy.com> wrote: > > > Hey Dustin; > > > > > > I have a few questions whose answers might point you to a solution... > > > > > > 1) In your interfaces file you have ''loc eth1 192.168.0.101 tcpflags'' > > > however your eth1 interface is actually configured as inet > 192.168.0.101/24 > > > brd 192.168.0.255 scope global eth1 therefore your Interfaces file > should > > > really read ''loc eth1 detect tcpflags'' > > > > > > 2) You have several rules with both source and destination port listed > > > which > > > may (or may not) ever happen. You probably don''t want to list that > source > > > port do you? (Unless all of these applications DO use the same source > and > > > destination ports for connections?) > > > > > > 3) You are DNAT''ing to 192.168.0.2 but your status only shows an ARP > > > address > > > for 192.168.0.1? > > > > > > 4) You have several REJECT messages from 192.168.0.100 and from > 192.168.0.8 > > > that are prevented from entering your firewall (DNS as well as others) > If > > > you need DNS resolution for these hosts from your firewall you should > > > really > > > add ''loc fw udp 53'' to your rules file. I don''t think your ''rulesn'' file > is > > > working. > > > > > > 5) You have bridging turned on in your shorewall.conf file but your > status > > > doesn''t show any interfaces listed. Your configuration files look like > you > > > want a ''two interface'' firewall setup but your problems seem to be > related > > > to the BRIDGING=yes option and your networking is not actually being > setup > > > as a bridge. > > > > > > Answering these should get you started in the right direction... > > > > > > Either re-read the bridging how-to or start over with a clean > > > ''two-interface'' sample. 
> > >
> > > Jeff
> > >
> > > ----- Original Message -----
> > > From: "Dustin Carl" <ddwcarl@gmail.com>
> > > To: "Tom Eastep" <teastep@shorewall.net>
> > > Cc: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
> > > Sent: Monday, April 04, 2005 6:44 PM
> > > Subject: [Shorewall-users] Re: Two Interface Setup + router problems II
> > >
> > > > Alright, sorry for not providing this before, wasn't aware of the site.
> > > > Included in the tar are all of the config files from /etc/shorewall,
> > > > the status dump, and ip addr show / ip route show. Kernel 2.6.11 is
> > > > being used. I can provide a text file of router config if needed.
> > > > Also, should I/shouldn't I be running this as root?
> > > >
> > > > Thanks
> > > >
> > > > On Sun, 03 Apr 2005 19:25:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> > > > > Tom Eastep wrote:
> > > > > > Dustin Carl wrote:
> > > > > > <snip>
> > > > > >
> > > > > > Given the requirement for all local systems to configure their default
> > > > > > gateway to the firewall local interface IP address, most people find
> > > > > > it self-evident that the firewall *CAN NOT* have a dynamic local IP
> > > > > > address.
> > > > >
> > > > > It's time to direct you to http://shorewall.net/support.htm -- I am
> > > > > not going to spend any more of my weekend trying to guess what you
> > > > > are doing (or not doing) until we see what your configuration looks
> > > > > like.
> > > > >
> > > > > -Tom
> > > >
> > > > --
> > > > Dustin Carl
> > > >
> > > > _______________________________________________
> > > > Shorewall-users mailing list
> > > > Post: Shorewall-users@lists.shorewall.net
> > > > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > > > Support: http://www.shorewall.net/support.htm
> > > > FAQ: http://www.shorewall.net/FAQ.htm
> > >
> > > DISCLAIMER:
> > > This message was sent from The-Techy.com.
> >
> > --
> > Dustin Carl
>
> Hey Dustin;
>
> You should just keep this on the list. I noticed that you also sent it to
> the MailingList but I didn't see it appear so I am responding here.
>
> Fine, you removed the bridging and added a rule for DNS but you haven't
> changed the DNAT rules except to make them loc:192.168.0.101 (which is
> actually the firewall zone, right?). These are wrong. Your DNAT rules were
> better the first time.
>
> Let's leave those out for the moment. (Comment them out.)
> You mention that
> you only changed the rules file but I suggested that you change the
> interfaces file to use 'detect' rather than '192.168.0.101' as the
> broadcast address. Make this change and test that you can use the internet.
> You can then post again confirming it with your (new) status and files
> again.
>
> Announce what you are then trying to accomplish and we can try to advise
> further. This is beginning to appear that you have two interfaces plugged
> into the same router but I can't tell. You should also supply a quick chain
> of connections.
> i.e.
> Internet (Telephone or Cable?)
> |
> router ?
> |
> Firewall - eth0,eth1
> |
> hub/switch?
> \ \ \ \ \ \ \
> lan clients
>
> Jeff

--
Dustin Carl
Dustin Carl wrote:
>
> Attempting to access a website, the DNS resolves now because the IP is there:
>
> Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=80.192.162.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64734 DF PROTO=TCP SPT=3060 DPT=6882 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=69.165.25.71 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64736 DF PROTO=TCP SPT=3062 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
>

From the information that you sent previously:

ip route show
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.101
209.89.192.0/21 dev eth0 proto kernel scope link src 209.89.197.144
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth1
default via 209.89.192.1 dev eth0

Get rid of the default gateway on eth1 -- you don't need it and it's preventing you from accessing the internet.

-Tom
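The two symptoms Tom ties together here, FORWARD rejects whose IN= and OUT= interface are both eth1 and a second "default via" entry on eth1 in the routing table, can be checked mechanically on the firewall. The script below is an added example, not from the original thread and not part of Shorewall; it runs against constructed copies of the log lines and the ip route show output quoted above (plus one made-up ACCEPT line as a negative case), and the "ip route del" command it prints assumes eth0 is the WAN side, as in Dustin's diagram.

```shell
#!/bin/sh
# Added example: flag the two things Tom points at in one pass.
#  1. netfilter log lines where a forwarded packet enters and leaves the same
#     interface (IN=eth1 OUT=eth1). A two-interface firewall should only ever
#     forward loc traffic out of the WAN side; the hairpin shows the kernel
#     chose a default route that points back into the LAN.
#  2. more than one "default via" line in the routing table, and the exact
#     command that removes the non-WAN one.
# Sample input is constructed from the lines quoted in the thread; the third
# log line is an added, well-formed ACCEPT for contrast.

LOG_SAMPLE='Apr 4 21:15:06 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=209.115.152.130 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=65129 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=8448
Apr 4 21:01:00 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.100 DST=80.192.162.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64734 DF PROTO=TCP SPT=3060 DPT=6882 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 21:20:00 FORWARD:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.100 DST=80.192.162.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64800 DF PROTO=TCP SPT=3070 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

ROUTE_SAMPLE='192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.101
209.89.192.0/21 dev eth0 proto kernel scope link src 209.89.197.144
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth1
default via 209.89.192.1 dev eth0'

# hairpin_forwards: read netfilter log lines on stdin, print "IN OUT SRC DST"
# for every entry whose IN= and OUT= interface are identical. The IN= key is
# glued to the chain/disposition prefix (FORWARD:REJECT:IN=eth1), so the
# prefix up to the last colon is stripped before comparing keys.
hairpin_forwards() {
    awk '
        /IN=/ && /OUT=/ {
            in_if = ""; out_if = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                key = kv[1]; sub(/^.*:/, "", key)
                if (key == "IN")  in_if  = kv[2]
                if (key == "OUT") out_if = kv[2]
                if (key == "SRC") src    = kv[2]
                if (key == "DST") dst    = kv[2]
            }
            if (in_if != "" && in_if == out_if)
                print in_if, out_if, src, dst
        }'
}

# default_routes: read "ip route show" output on stdin, print "GATEWAY DEVICE"
# for each default route.
default_routes() {
    awk '$1 == "default" && $2 == "via" { print $3, $5 }'
}

# extra_defaults WAN: print an "ip route del" command for every default route
# that is not on the WAN interface (the one that should keep its default).
extra_defaults() {
    default_routes | awk -v wan="$1" '
        $2 != wan { printf "ip route del default via %s dev %s\n", $1, $2 }'
}

# Wrappers over the constructed samples so the results can drive an exit status.
count_hairpins() { printf '%s\n' "$LOG_SAMPLE"   | hairpin_forwards | wc -l | tr -d ' '; }
count_defaults() { printf '%s\n' "$ROUTE_SAMPLE" | default_routes   | wc -l | tr -d ' '; }
fix_commands()   { printf '%s\n' "$ROUTE_SAMPLE" | extra_defaults eth0; }

if [ "$(count_hairpins)" -gt 0 ]; then
    echo "Packets forwarded back out their ingress interface:"
    printf '%s\n' "$LOG_SAMPLE" | hairpin_forwards
fi
if [ "$(count_defaults)" -gt 1 ]; then
    echo "More than one default route; remove the non-WAN one(s):"
    fix_commands
fi
```

On a live box, replace the two sample variables with "shorewall status" (or the kernel log) and "ip route show" output; the route the script prints for deletion here is "ip route del default via 192.168.0.1 dev eth1", which is exactly the entry Tom says to get rid of. Removing it on the running system is not enough on its own: whatever added it (dhcpcd on eth1, in Dustin's case) will put it back on the next lease, which is why eth1 needs a static address.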
----- Original Message -----
From: "Dustin Carl" <ddwcarl@gmail.com>
To: "Jeff" <jsoehner@the-techy.com>; "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, April 05, 2005 10:34 AM
Subject: Re: [Shorewall-users] Re: Two Interface Setup + router problems II

> Hey Jeff, I also changed the interfaces file to "detect". Will comment
> out the DNAT rules, they should be 100 not 101 =/
>
> I have the following chain:
> DSL modem
> |
> Firewall eth0
> |
> eth1
> |
> router
> |
> wired LAN/WAP

<snip>

Here is when the confusion starts. Are you saying that this router is also an
access point and that your client connection is using a wireless Ethernet
card? Does this router have a built-in firewall? If so then Tom was right to
point you to use a bridge configuration and NOT a two interface
configuration. If the 'router' does NOT have a firewall built in then you
can use the two interface design. Understand the difference? (The dlink,
linksys type routers already have NAT enabled which makes using another NAT
device difficult to configure.)

Also I suggested that you confirm your ability to connect to the Internet
and to send us your configs (again). I now suggest that you advise us of
your make/model of 'router' and take the next step with respect to the
directions above. Either of these will work to connect to the Internet BUT
DNAT rules will be more difficult to manage depending on that router using
NAT.

And yes, remove the default route for eth1 as Tom suggests.

Jeff
Jeff wrote:
>
> Here is when the confusion starts. Are you saying that this router is also an
> access point and that your client connection is using a wireless Ethernet
> card? Does this router have a built-in firewall? If so then Tom was right to
> point you to use a bridge configuration and NOT a two interface
> configuration. If the 'router' does NOT have a firewall built in then you
> can use the two interface design. Understand the difference? (The dlink,
> linksys type routers already have NAT enabled which makes using another NAT
> device difficult to configure.)

That's why I advocated using the Dlink as simply a switch/WAP (don't use the WAN interface at all).

>
> Also I suggested that you confirm your ability to connect to the Internet
> and to send us your configs (again). I now suggest that you advise us of
> your make/model of 'router' and take the next step with respect to the
> directions above. Either of these will work to connect to the Internet BUT
> DNAT rules will be more difficult to manage depending on that router using
> NAT.
>
> And yes, remove the default route for eth1 as Tom suggests.
>

I suspect that Dustin is also still using the DHCP server built into the
Dlink and I further suspect that that server is configuring DHCP clients
with the wrong default gateway as well (it should be the IP address of
the firewall's eth1 - 192.168.0.101).

-Tom
Hey all, I am writing this from school to clear a few things up. Yes, I am using the Dlink's DHCP interface. Should I be? Yes, the gateway is set to 198.168.0.101. I am using the Dlink router as a switch and a WAP. I can turn off DHCP in the router and assign the clients static IPs if it would be better, as well as turning off NAT in the router by using a different firmware?

On Apr 5, 2005 9:02 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Jeff wrote:
> <snip>
>
> That's why I advocated using the Dlink as simply a switch/WAP (don't use
> the WAN interface at all).
>
> > Also I suggested that you confirm your ability to connect to the Internet
> > and to send us your configs (again). I now suggest that you advise us of
> > your make/model of 'router' and take the next step with respect to the
> > directions above. Either of these will work to connect to the Internet BUT
> > DNAT rules will be more difficult to manage depending on that router using
> > NAT.
> >
> > And yes, remove the default route for eth1 as Tom suggests.
> >
>
> I suspect that Dustin is also still using the DHCP server built into the
> Dlink and I further suspect that that server is configuring DHCP clients
> with the wrong default gateway as well (it should be the IP address of
> the firewall's eth1 - 192.168.0.101).
>
> -Tom

--
Dustin Carl
Dustin Carl wrote:
> Hey all, I am writing this from school to clear a few things up. Yes, I
> am using the Dlink's DHCP interface. Should I be? Yes, the gateway is
> set to 198.168.0.101. I am using the Dlink router as a switch and a
> WAP. I can turn off DHCP in the router and assign the clients static
> IPs if it would be better, as well as turning off NAT in the router by
> using a different firmware?
>

It's ok to use the Dlink's DHCP server provided that you can configure that server to use a default gateway other than the Dlink's local IP address. Alternatively, you can disable the DHCP server in the Dlink and run one on your firewall (it's pretty trivial to set up).

-Tom
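Tom's caveat is the one thing that decides whether the Dlink's DHCP server can stay on: the "routers" option it hands out must be the firewall's eth1 address (192.168.0.101 in this thread), not the Dlink's own. Rather than trusting the router's web UI, that can be checked from a LAN client's own lease. The script below is an added example, not from the thread or from Shorewall; it assumes the client runs ISC dhclient (which appends each new lease to /var/lib/dhcp/dhclient.leases, so the last block wins) and parses a constructed lease file in that format, in which the first lease carries the Dlink's gateway and the second the corrected one. The expected gateway is the address Tom gives above.

```shell
#!/bin/sh
# Added example: verify the default gateway a DHCP server handed out against
# the one a two-interface firewall design requires (the firewall's LAN-side IP).
# LEASE_SAMPLE is a constructed dhclient.leases file; on a real client read
# /var/lib/dhcp/dhclient.leases instead (path assumed, varies by distribution).
EXPECTED_GW=192.168.0.101

LEASE_SAMPLE='lease {
  interface "eth0";
  fixed-address 192.168.0.100;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
  renew 2 2005/04/05 18:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.168.0.100;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.101;
  option domain-name-servers 209.115.152.130;
  renew 2 2005/04/05 20:00:00;
}'

# offered_gateway: read a dhclient lease file on stdin, print the routers
# option of the last lease block (dhclient appends, so the newest is last).
offered_gateway() {
    awk '/option routers/ { gw = $3; sub(/;$/, "", gw) } END { print gw }'
}

# lease_summary: gateway and DNS server from the last lease, one line.
lease_summary() {
    awk '
        /option routers/             { gw  = $3; sub(/;$/, "", gw) }
        /option domain-name-servers/ { dns = $3; sub(/;$/, "", dns) }
        END { printf "gateway=%s dns=%s\n", gw, dns }'
}

# gateway_ok EXPECTED: succeed only if the last lease points clients at EXPECTED.
gateway_ok() {
    [ "$(offered_gateway)" = "$1" ]
}

if printf '%s\n' "$LEASE_SAMPLE" | gateway_ok "$EXPECTED_GW"; then
    echo "OK: clients are told to use $EXPECTED_GW as default gateway"
else
    echo "WRONG: clients are told to use $(printf '%s\n' "$LEASE_SAMPLE" | offered_gateway);"
    echo "       point the DHCP server's router option at $EXPECTED_GW"
fi
printf '%s\n' "$LEASE_SAMPLE" | lease_summary
```

If the check fails and the Dlink's DHCP server cannot be told to advertise a different router than itself, Tom's alternative applies: turn its DHCP server off and run one on the firewall, where the routers option is simply the firewall's own eth1 address.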