I'm very new to shorewall. My setup is IP Gateway (CentOS 4 + Shorewall) with 3 NIC cards.

Shorewall works great on the firewall machine. Bind also works (local net machines get IPs fine). Under firestarter, all works great.

With shorewall, the loc machines can not route past the firewall. They can connect to the firewall, but not past it.

Exactly what information should I post to get help? I'm using shorewall 2.2.3, CentOS 4, 3 NIC cards, DHCP WAN connection (cable modem), statically set 192.168.1.1 and 192.168.0.1 on the LAN/DMZ.

thanks
Do you have a fw to net policy set up? DNS rules? Please give the config files needed :)

On Apr 10, 2005 7:38 AM, ryanag@zoominternet.net <ryanag@zoominternet.net> wrote:
> I'm very new to shorewall. My setup is IP Gateway (CentOS 4 + Shorewall)
> with 3 NIC cards.
>
> Shorewall works great on the firewall machine. Bind also works (local
> net machines get IPs fine). Under firestarter, all works great.
>
> With shorewall, the loc machines can not route past the firewall. They
> can connect to the firewall, but not past it.
>
> Exactly what information should I post to get help? I'm using shorewall
> 2.2.3, CentOS 4, 3 NIC cards, DHCP WAN connection (cable modem),
> statically set 192.168.1.1 and 192.168.0.1 on the LAN/DMZ.
>
> thanks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- 
Dustin Carl
>Please give the
> config files needed :)

See below, please let me know anything else needed.

>Do you have a fw to net policy set up?

policy:

    #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
    #                         LEVEL
    loc       fw     ACCEPT
    loc       net    ACCEPT
    fw        net    ACCEPT
    net       all    DROP     info
    #LAST LINE -- DO NOT REMOVE

>DNS rules?

rules:

    # Accept DNS connections from the firewall to the Internet
    ACCEPT    fw     net    tcp    53
    ACCEPT    fw     net    udp    53

On Sun, 2005-04-10 at 07:50 -0600, Dustin Carl wrote:
> Do you have a fw to net policy set up? DNS rules? Please give the
> config files needed :)
>
> On Apr 10, 2005 7:38 AM, ryanag@zoominternet.net
> <ryanag@zoominternet.net> wrote:
> > I'm very new to shorewall. My setup is IP Gateway (CentOS 4 + Shorewall)
> > with 3 NIC cards.
> >
> > Shorewall works great on the firewall machine. Bind also works (local
> > net machines get IPs fine). Under firestarter, all works great.
> >
> > With shorewall, the loc machines can not route past the firewall. They
> > can connect to the firewall, but not past it.
> >
> > Exactly what information should I post to get help? I'm using shorewall
> > 2.2.3, CentOS 4, 3 NIC cards, DHCP WAN connection (cable modem),
> > statically set 192.168.1.1 and 192.168.0.1 on the LAN/DMZ.
> >
> > thanks
> >
ryanag@zoominternet.net wrote:
>>Please give the
>>config files needed :)
>
> See below, please let me know anything else needed.
>

Please see http://shorewall.net/support.htm#Guidelines

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Version
2.2.3

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::20c:41ff:feec:cd92/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
    inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
169.254.0.0/16 dev eth2  scope link
default via 24.239.122.1 dev eth2

On Sun, 2005-04-10 at 07:59 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> >>Please give the
> >>config files needed :)
> >
> > See below, please let me know anything else needed.
> >
>
> Please see http://shorewall.net/support.htm#Guidelines
>
> -Tom
ryanag@zoominternet.net wrote:
> Version
> 2.2.3
>
> ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
>     inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
>     inet6 fe80::20c:41ff:feec:cd92/64 scope link
>        valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
>     inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
>     inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
>        valid_lft forever preferred_lft forever
> 5: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
>
>
> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
> 24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
> 169.254.0.0/16 dev eth2  scope link
> default via 24.239.122.1 dev eth2
>

There are SIX bullets in the guidelines list -- you (like 1,000s before you) have chosen only to provide the information in the first three of those. Why? Do you think that because the fourth one starts THIS IS IMPORTANT that the rest of the information asked for is unimportant?

You ARE having connection problems, are you not?

How can I word/organize the guidelines so that this confusion is eliminated? I really would like to know because unless I call people's attention to the THIS IS IMPORTANT! bullet, that information (and the information in the bullets that follow) is almost universally omitted.

Thanks for your help,
-Tom
>Why?

The layout of the webpage. My eyes only caught the first few lines, and what was highlighted in blue.

>Do you think that because the fourth one starts THIS IS
> IMPORTANT that the rest of the information asked for is unimportant?

Although I should have read more carefully, the layout is going to throw off most newcomers.

>How can I word/organize the guidelines so that this confusion is
> eliminated?

I'm not qualified to offer advice until I better understand the program, but perhaps a simple form with checkboxes (such as "check here if you included command x") that mailed itself to the mailing list (or to the end user so that they can forward).

Wrong information/lack of = error message. I've seen some commercial support sites do this.

Please keep in mind that shorewall is very complex, and by the time I (or any other new user) has emailed for help I've read a *lot* of the documentation, and spent even more time googling.

Once I get this up and running, I'd be glad to help.

here's the rest....

I'm attaching all of my config files for review. They are currently at the default (the rpm save are what I had in before).

/tmp/status.txt attached

Used the 3-interface quickstart guide.
http://shorewall.net/three-interface.htm

Shorewall status gives:

Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=560 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=561 PROTO=UDP SPT=137 DPT=137 LEN=58

NAT Table

Chain PREROUTING (policy ACCEPT 8 packets, 1383 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 13 packets, 808 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 451 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 499 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 258 packets, 57209 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 54 packets, 5467 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 312 packets, 62676 bytes)
 pkts bytes target     prot opt in     out     source               destination

udp      17 167 src=192.168.1.4 dst=216.115.27.21 sport=5061 dport=5061 packets=426 bytes=270406 src=216.115.27.21 dst=24.239.122.161 sport=5061 dport=5061 packets=426 bytes=162301 [ASSURED] use=1
udp      17 4 src=67.95.45.5 dst=24.239.122.161 sport=7572 dport=1026 packets=1 bytes=826 [UNREPLIED] src=24.239.122.161 dst=67.95.45.5 sport=1026 dport=7572 packets=0 bytes=0 use=1
udp      17 172 src=24.239.122.161 dst=24.154.1.36 sport=33077 dport=53 packets=6 bytes=520 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33077 packets=6 bytes=878 [ASSURED] use=1
udp      17 75 src=24.239.122.161 dst=24.154.1.36 sport=33073 dport=53 packets=28 bytes=2360 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33073 packets=28 bytes=4067 [ASSURED] use=1
tcp      6 15 TIME_WAIT src=24.239.122.161 dst=205.156.51.200 sport=33470 dport=80 packets=8 bytes=500 src=205.156.51.200 dst=24.239.122.161 sport=80 dport=33470 packets=6 bytes=1797 [ASSURED] use=1
udp      17 75 src=24.239.122.161 dst=24.154.1.36 sport=33076 dport=53 packets=2 bytes=141 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33076 packets=2 bytes=306 [ASSURED] use=1
tcp      6 15 TIME_WAIT src=24.239.122.161 dst=205.156.51.200 sport=33471 dport=80 packets=18 bytes=893 src=205.156.51.200 dst=24.239.122.161 sport=80 dport=33471 packets=16 bytes=7487 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::20c:41ff:feec:cd92/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
    inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    3889549    11697    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3889549    11697    0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    6388868    74605    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    162984104  112072   0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        9       0       9       0
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    169243298  145136   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    6542424    79673    0       0       0       0
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0

/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table local:

local 192.168.1.1 dev eth0  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 24.239.122.0 dev eth2  proto kernel  scope link  src 24.239.122.161
local 24.239.122.161 dev eth2  proto kernel  scope host  src 24.239.122.161
local 192.168.0.1 dev eth1  proto kernel  scope host  src 192.168.0.1
broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.255 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 24.239.122.255 dev eth2  proto kernel  scope link  src 24.239.122.161
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
169.254.0.0/16 dev eth2  scope link
default via 24.239.122.1 dev eth2

Table default:

ARP

? (24.239.122.1) at 00:30:B8:80:19:4E [ether] on eth2
? (192.168.1.5) at 00:40:05:86:B7:53 [ether] on eth0
? (192.168.1.4) at 00:0B:BE:51:54:6E [ether] on eth0

Modules

ipt_pkttype             1601  0
ipt_recent             13133  0
ipt_iprange             1985  0
ipt_physdev             2001  0
ipt_multiport           1985  0
ipt_conntrack           2369  0
ip_nat_tftp             3761  0
ip_conntrack_tftp       3953  0
ipt_TCPMSS              4033  0
ipt_limit               2881  0
ip_nat_irc              4401  0
ip_nat_ftp              4913  0
ipt_LOG                 6465  0
ipt_MASQUERADE          3649  0
ipt_TOS                 2369  0
ipt_REJECT              6593  0
ip_conntrack_irc       71921  1 ip_nat_irc
ip_conntrack_ftp       72689  1 ip_nat_ftp
ipt_state               1857  0
ip_conntrack           40949 10 ipt_conntrack,ip_nat_tftp,ip_conntrack_tftp,ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
ip_tables              16833 16 ipt_pkttype,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_conntrack,ipt_TCPMSS,ipt_limit,iptable_mangle,ipt_LOG,ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,iptable_filter

[root@acs-24-239-122-161 ~]# 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
-bash: 192.168.1.0/24: No such file or directory
[root@acs-24-239-122-161 ~]# 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
-bash: 192.168.0.0/24: No such file or directory
[root@acs-24-239-122-161 ~]# 24.239.122.0/24 dev eth2 proto kernel scope link src 24.239.122.161
-bash: 24.239.122.0/24: No such file or directory
[root@acs-24-239-122-161 ~]# 169.254.0.0/16 dev eth2 scope link
-bash: 169.254.0.0/16: No such file or directory
[root@acs-24-239-122-161 ~]# shorewall status
Shorewall-2.2.3 Status at acs-24-239-122-161.zoominternet.net - Sun Apr 10 11:23:05 EDT 2005

Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 262 packets, 58901 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 54 packets, 5467 bytes)
 pkts bytes target     prot opt in     out     source               destination

Apr 10 09:06:30 net2all:DROP:IN=eth2 OUT= SRC=61.235.154.90 DST=24.239.122.161 LEN=487 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=UDP SPT=59496 DPT=1027 LEN=467
Apr 10 09:06:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=341 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:09:31 net2all:DROP:IN=eth2 OUT= SRC=222.88.173.5 DST=24.239.122.161 LEN=666 TOS=0x00 PREC=0x00 TTL=110 ID=30514 PROTO=UDP SPT=9687 DPT=1026 LEN=646
Apr 10 09:11:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=360 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:11:53 net2all:DROP:IN=eth2 OUT= SRC=61.172.249.201 DST=24.239.122.161 LEN=614 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=42469 DPT=1026 LEN=594
Apr 10 09:14:22 net2all:DROP:IN=eth2 OUT= SRC=221.216.8.69 DST=24.239.122.161 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=25888 DF PROTO=TCP SPT=4767 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 10 09:14:26 net2all:DROP:IN=eth2 OUT= SRC=221.10.224.226 DST=24.239.122.161 LEN=483 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=55348 DPT=1027 LEN=463
Apr 10 09:15:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=375 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:15:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=376 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:15:47 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=377 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:16:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=404 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:16:43 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=407 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:19:32 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=440 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:52 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=487 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:53 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=488 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:54 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=489 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:26:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=511 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:28:45 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=559 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=560 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=561 PROTO=UDP SPT=137 DPT=137 LEN=58

NAT Table

Chain PREROUTING (policy ACCEPT 8 packets, 1383 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 13 packets, 808 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 451 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 503 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 262 packets, 58901 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 54 packets, 5467 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 316 packets, 64368 bytes)
 pkts bytes target     prot opt in     out     source               destination

udp      17 177 src=192.168.1.4 dst=216.115.27.21 sport=5061 dport=5061 packets=428 bytes=271340 src=216.115.27.21 dst=24.239.122.161 sport=5061 dport=5061 packets=428 bytes=163059 [ASSURED] use=1
udp      17 150 src=24.239.122.161 dst=24.154.1.36 sport=33077 dport=53 packets=6 bytes=520 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33077 packets=6 bytes=878 [ASSURED] use=1
udp      17 53 src=24.239.122.161 dst=24.154.1.36 sport=33073 dport=53 packets=28 bytes=2360 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33073 packets=28 bytes=4067 [ASSURED] use=1
udp      17 53 src=24.239.122.161 dst=24.154.1.36 sport=33076 dport=53 packets=2 bytes=141 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33076 packets=2 bytes=306 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::20c:41ff:feec:cd92/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
    inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    3889549    11697    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3889549    11697    0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    6390010    74610    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    162984890  112074   0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        9       0       9       0
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    169245704  145165   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    6543386    79675    0       0       0       0
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0

/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table local:

local 192.168.1.1 dev eth0  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 24.239.122.0 dev eth2  proto kernel  scope link  src 24.239.122.161
local 24.239.122.161 dev eth2  proto kernel  scope host  src 24.239.122.161
local 192.168.0.1 dev eth1  proto kernel  scope host  src 192.168.0.1
broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.255 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 24.239.122.255 dev eth2  proto kernel  scope link  src 24.239.122.161
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
169.254.0.0/16 dev eth2  scope link
default via 24.239.122.1 dev eth2

Table default:

ARP

? (24.239.122.1) at 00:30:B8:80:19:4E [ether] on eth2
? (192.168.1.5) at 00:40:05:86:B7:53 [ether] on eth0
? (192.168.1.4) at 00:0B:BE:51:54:6E [ether] on eth0

Modules

ipt_pkttype             1601  0
ipt_recent             13133  0
ipt_iprange             1985  0
ipt_physdev             2001  0
ipt_multiport           1985  0
ipt_conntrack           2369  0
ip_nat_tftp             3761  0
ip_conntrack_tftp       3953  0
ipt_TCPMSS              4033  0
ipt_limit               2881  0
ip_nat_irc              4401  0
ip_nat_ftp              4913  0
ipt_LOG                 6465  0
ipt_MASQUERADE          3649  0
ipt_TOS                 2369  0
ipt_REJECT              6593  0
ip_conntrack_irc       71921  1 ip_nat_irc
ip_conntrack_ftp       72689  1 ip_nat_ftp
ipt_state               1857  0
ip_conntrack           40949 10 ipt_conntrack,ip_nat_tftp,ip_conntrack_tftp,ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
ip_tables              16833 16 ipt_pkttype,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_conntrack,ipt_TCPMSS,ipt_limit,iptable_mangle,ipt_LOG,ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,iptable_filter

On Sun, 2005-04-10 at 08:08 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> > Version
> > 2.2.3
> >
> > ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
> >     inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
> >        valid_lft forever preferred_lft forever
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
> >     inet6 fe80::20c:41ff:feec:cd92/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
> >     inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
> >     inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
> >        valid_lft forever preferred_lft forever
> > 5: sit0: <NOARP> mtu 1480 qdisc noop
> >     link/sit 0.0.0.0 brd 0.0.0.0
> >
> >
> > 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
> > 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
> > 24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
> > 169.254.0.0/16 dev eth2  scope link
> > default via 24.239.122.1 dev eth2
> >
>
> There are SIX bullets in the guidelines list -- you (like 1,000s before
> you) have chosen only to provide the information in the first three of
> those. Why? Do you think that because the fourth one starts THIS IS
> IMPORTANT that the rest of the information asked for is unimportant?
>
> You ARE having connection problems, are you not?
>
> How can I word/organize the guidelines so that this confusion is
> eliminated? I really would like to know because unless I call people's
> attention to the THIS IS IMPORTANT! bullet, that information (and the
> information in the bullets that follow) is almost universally omitted.
>
> Thanks for your help,
> -Tom
ryanag@zoominternet.net wrote:
>
>>How can I word/organize the guidelines so that this confusion is
>>eliminated?
>
> I'm not qualified to offer advice until I better understand the program,
> but perhaps a simple form with checkboxes (such as "check here if you
> included command x") that mailed itself to the mailing list (or to the
> end user so that they can forward).
>
> Wrong information/lack of = error message. I've seen some commercial
> support sites do this.
>
> Please keep in mind that shorewall is very complex, and by the time I
> (or any other new user) has emailed for help I've read a *lot* of the
> documentation, and spent even more time googling.
>
>
> Once I get this up and running, I'd be glad to help.
>

Thanks!

....

>
> I'm attaching all of my config files for review. They are currently at
> the default (the rpm save are what I had in before).
>

>
> Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
> Chain FORWARD (policy ACCEPT 282 packets, 67361 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 326 packets, 24305 bytes)
>  pkts bytes target     prot opt in     out     source
> destination

Shorewall isn't started!

Please start shorewall, try to access the net from the local systems and collect the output of "shorewall status" again.

-Tom
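Tom's diagnosis above rests on one observation: the three built-in filter chains show `policy ACCEPT` with not a single rule under them, while `ip_forward = 1`, so the box is routing everything unfiltered. The script below, added here as an example and not part of the thread or of Shorewall, turns that reading into a check that can be run over saved `shorewall status` or `iptables -L -v` text. `STATUS_NOT_STARTED` is constructed from the chain headers and one log line the poster sent; `STATUS_STARTED` is a constructed sketch of the same chains once a ruleset is loaded, with illustrative chain names and counters that are not from any real run.

```python
"""Spot a fail-open netfilter ruleset in `shorewall status` / `iptables -L -v` text.

Added example for this thread; not Shorewall code. Both status texts below are
constructed: the first from headers the poster sent, the second as a sketch of a
loaded ruleset (chain names and counters are illustrative, not from a real run).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

STATUS_NOT_STARTED = """\
Shorewall-2.2.3 Status at acs-24-239-122-161.zoominternet.net - Sun Apr 10 11:23:05 EDT 2005

Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 262 packets, 58901 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 54 packets, 5467 bytes)
 pkts bytes target     prot opt in     out     source               destination

Apr 10 09:06:30 net2all:DROP:IN=eth2 OUT= SRC=61.235.154.90 DST=24.239.122.161 LEN=487 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=UDP SPT=59496 DPT=1027 LEN=467

NAT Table
"""

STATUS_STARTED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   960 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  340 28000 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 15000 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   50  4000 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120 15000 loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

NAT Table
"""

# "Chain INPUT (policy ACCEPT 241 packets, 52698 bytes)" -> built-in chain with a policy
BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) \d+ packets, [\d.]+[KMG]? bytes\)")
# "Chain eth0_fwd (1 references)" -> user-defined chain, no policy
USER_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")
# A rule line opens with the pkts and bytes counters followed by the target name.
RULE_RE = re.compile(r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+\S+")
BUILTIN_FILTER = ("INPUT", "FORWARD", "OUTPUT")


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    rules: list = field(default_factory=list)


def parse_filter_table(text):
    """Parse the filter-table part of the status text (everything before 'NAT Table')."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("NAT Table", "Mangle Table"):
            break
        m = BUILTIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        m = USER_RE.match(line)
        if m:
            current = Chain(m.group(1), None)
            chains[current.name] = current
            continue
        if current is not None and RULE_RE.match(line):
            # [pkts, bytes, target, prot, opt, in, out, source, destination, ...]
            current.rules.append(line.split())
        # column headers, blank lines and kernel LOG lines fall through and are skipped
    return chains


def firewall_is_fail_open(chains):
    """True when INPUT, FORWARD and OUTPUT all default to ACCEPT and hold no rules.

    With ip_forward=1 that host is an unfiltered router, which is what Tom read off
    the posted counters. A missing chain yields False so that a truncated paste is
    never reported as wide open.
    """
    return all(
        name in chains and chains[name].policy == "ACCEPT" and not chains[name].rules
        for name in BUILTIN_FILTER
    )


if __name__ == "__main__":
    for label, text in (("posted", STATUS_NOT_STARTED), ("loaded", STATUS_STARTED)):
        chains = parse_filter_table(text)
        summary = [(c.name, c.policy, len(c.rules)) for c in chains.values()]
        print(f"{label}: fail-open={firewall_is_fail_open(chains)} chains={summary}")
```

The parser deliberately ignores the kernel `LOG` lines that `shorewall status` prints between the chain listing and the NAT table; only lines that open with two counters are treated as rules, so the drop log the poster included cannot be mistaken for a loaded ruleset.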
ryanag@zoominternet.net wrote:
>
> I'm attaching all of my config files for review. They are currently at the default (the rpm save are what I had in before).

Your /etc/shorewall/masq file is incorrect. You have

#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
eth0        eth1
eth0        eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

But in /etc/shorewall/interfaces, you (correctly) have:

#ZONE  INTERFACE  BROADCAST      OPTIONS
net    eth2       detect         dhcp,routefilter,norfc1918
loc    eth0       192.168.0.255
dmz    eth1       192.168.1.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

So what you really want in /etc/shorewall/masq is:

#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
eth2        eth0
eth2        eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Apr 10, 2005 11:34 AM, ryanag@zoominternet.net <ryanag@zoominternet.net> wrote:
> > Why?
>
> The layout of the webpage. My eyes only caught the first few lines, and what was highlighted in blue.
>
> > Do you think that because the fourth one starts THIS IS
> > IMPORTANT that the rest of the information asked for is unimportant?
>
> Although, I should have read more carefully, the layout is going to throw off most newcomers.
>
> > How can I word/organize the guidelines so that this confusion is
> > eliminated?
>
> I'm not qualified to offer advice until I better understand the program, but that a simple form with checkboxes (such as "check here if you included command x") that mailed itself to the mailing list (or to the end user so that they can forward).
>
> Wrong information/lack of = error message. I've seen some commercial support sites do this.
>
> Please keep in mind, that shorewall is very complex, and by the time I (or any other new user) has emailed for help I've read a *lot* of the documentation, and spent even more time googling.
>
> Once I get this up and running, I'd be glad to help.
>
> here's the rest....
>
> I'm attaching all of my config files for review. They are currently at the default (the rpm save are what I had in before).
>
> [info-removed]

Take a look at your interfaces file; the entries are incorrect.

loc eth0 192.168.0.255
dmz eth1 192.168.1.255

According to your setup, it should be:

loc eth0 192.168.1.255
dmz eth1 192.168.0.255

> Bind also works (local
> net machines get IPs fine).

BIND is a DNS server, NOT a DHCP server. BIND takes care of name resolution, not IP assignment. Also, if you don't need the full capabilities of BIND, IMHO you should install something like dnsmasq instead of BIND.

Take a look at your masq file; it is also incorrect:

eth0 eth1
eth0 eth2

According to your setup, it should be:

eth2 eth1
eth2 eth0

Try again. Bye.
On Apr 10, 2005 12:08 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> But in /etc/shorewall/interfaces, you (correctly) have:
>
> #ZONE  INTERFACE  BROADCAST      OPTIONS
> net    eth2       detect         dhcp,routefilter,norfc1918
> loc    eth0       192.168.0.255
> dmz    eth1       192.168.1.255
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Nope. According to this:

> Table main:
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
> 24.239.122.0/24 dev eth2 proto kernel scope link src 24.239.122.161
> 169.254.0.0/16 dev eth2 scope link
> default via 24.239.122.1 dev eth2

it should be:

loc eth1 192.168.0.255
dmz eth0 192.168.1.255

Bye.
The LAN still won't route past fw. I made the change you emailed.

Bizarrely - my vonage phone **rings** (its on loc) but the other party can not hear me.


Are you really interested in me helping with the support request page?

If so, I'll try and gather some examples from commercial and free projects and see what the slickest way is to keep people from asking the same questions and not providing enough information and get it back to you.

Thanks,
Ryan

Below is output of shorewall status after shorewall start

Chain INPUT (policy ACCEPT 11 packets, 2132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 76 packets, 14424 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1295 bytes)
 pkts bytes target     prot opt in     out     source               destination

Apr 10 09:06:30 net2all:DROP:IN=eth2 OUT= SRC=61.235.154.90 DST=24.239.122.161 LEN=487 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=UDP SPT=59496 DPT=1027 LEN=467
Apr 10 09:06:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=341 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:09:31 net2all:DROP:IN=eth2 OUT= SRC=222.88.173.5 DST=24.239.122.161 LEN=666 TOS=0x00 PREC=0x00 TTL=110 ID=30514 PROTO=UDP SPT=9687 DPT=1026 LEN=646
Apr 10 09:11:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=360 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:11:53 net2all:DROP:IN=eth2 OUT= SRC=61.172.249.201 DST=24.239.122.161 LEN=614 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=42469 DPT=1026 LEN=594
Apr 10 09:14:22 net2all:DROP:IN=eth2 OUT= SRC=221.216.8.69 DST=24.239.122.161 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=25888 DF PROTO=TCP SPT=4767 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 10 09:14:26 net2all:DROP:IN=eth2 OUT= SRC=221.10.224.226 DST=24.239.122.161 LEN=483 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=55348 DPT=1027 LEN=463
Apr 10 09:15:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=375 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:15:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=376 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:15:47 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=377 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:16:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=404 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:16:43 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=407 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:19:32 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=440 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:52 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=487 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:53 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=488 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:25:54 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=489 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:26:38 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=511 PROTO=UDP SPT=138 DPT=138 LEN=224
Apr 10 09:28:45 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=559 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=560 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 10 09:28:46 loc2fw:DROP:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=561 PROTO=UDP SPT=137 DPT=137 LEN=58

NAT Table

Chain PREROUTING (policy ACCEPT 8 packets, 1193 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7 packets, 459 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 81 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 87 packets, 16556 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 11 packets, 2132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 76 packets, 14424 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 1295 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 86 packets, 15719 bytes)
 pkts bytes target     prot opt in     out     source               destination

udp      17 166 src=192.168.1.4 dst=216.115.27.21 sport=5061 dport=5061 packets=789 bytes=454604 src=216.115.27.21 dst=24.239.122.161 sport=5061 dport=5061 packets=789 bytes=308430 [ASSURED] use=1
udp      17 140 src=24.239.122.161 dst=24.154.1.36 sport=33122 dport=53 packets=6 bytes=520 src=24.154.1.36 dst=24.239.122.161 sport=53 dport=33122 packets=6 bytes=878 [ASSURED] use=1
udp      17 5 src=61.235.154.90 dst=24.239.122.161 sport=37082 dport=1027 packets=1 bytes=487 [UNREPLIED] src=24.239.122.161 dst=61.235.154.90 sport=1027 dport=37082 packets=0 bytes=0 use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::208:a1ff:fe6a:4f13/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::20c:41ff:feec:cd92/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.239.122.161/24 brd 24.239.122.255 scope global eth2
    inet6 fe80::20e:a6ff:fe61:7eb7/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    4014572    11765    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4014572    11765    0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:6a:4f:13 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    33693664   202174   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    189321833  234907   0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:ec:cd:92 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        9       0       9       0
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:61:7e:b7 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    197806760  285472   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    34081887   208331   0       0       0       0
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0

/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table local:

local 192.168.1.1 dev eth0  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.0 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 24.239.122.0 dev eth2  proto kernel  scope link  src 24.239.122.161
local 24.239.122.161 dev eth2  proto kernel  scope host  src 24.239.122.161
local 192.168.0.1 dev eth1  proto kernel  scope host  src 192.168.0.1
broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.1
broadcast 192.168.1.255 dev eth0  proto kernel  scope link  src 192.168.1.1
broadcast 24.239.122.255 dev eth2  proto kernel  scope link  src 24.239.122.161
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
24.239.122.0/24 dev eth2  proto kernel  scope link  src 24.239.122.161
169.254.0.0/16 dev eth2  scope link
default via 24.239.122.1 dev eth2

Table default:

ARP

? (24.239.122.1) at 00:30:B8:80:19:4E [ether] on eth2
? (192.168.1.4) at 00:0B:BE:51:54:6E [ether] on eth0

Modules

ipt_pkttype             1601  0
ipt_recent             13133  0
ipt_iprange             1985  0
ipt_physdev             2001  0
ipt_multiport           1985  0
ipt_conntrack           2369  0
ip_nat_tftp             3761  0
ip_conntrack_tftp       3953  0
ipt_TCPMSS              4033  0
ipt_limit               2881  0
ip_nat_irc              4401  0
ip_nat_ftp              4913  0
ipt_LOG                 6465  0
ipt_MASQUERADE          3649  0
ipt_TOS                 2369  0
ipt_REJECT              6593  0
ip_conntrack_irc       71921  1 ip_nat_irc
ip_conntrack_ftp       72689  1 ip_nat_ftp
ipt_state               1857  0
ip_conntrack           40949 10 ipt_conntrack,ip_nat_tftp,ip_conntrack_tftp,ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,ip_conntrack_irc,ip_conntrack_ftp,ipt_state
ip_tables              16833 16 ipt_pkttype,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_conntrack,ipt_TCPMSS,ipt_limit,iptable_mangle,ipt_LOG,ipt_MASQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state,iptable_filter

On Sun, 2005-04-10 at 09:08 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> >
> >
> > I'm attaching all of my config files for review. They are currently at
> > the default (the rpm save are what I had in before).
>
> Your /etc/shorewall/masq file is incorrect. You have
>
> #INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
> eth0        eth1
> eth0        eth2
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> But in /etc/shorewall/interfaces, you (correctly) have:
>
> #ZONE  INTERFACE  BROADCAST      OPTIONS
> net    eth2       detect         dhcp,routefilter,norfc1918
> loc    eth0       192.168.0.255
> dmz    eth1       192.168.1.255
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> So what you really want in /etc/shorewall/masq is:
>
> #INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
> eth2        eth0
> eth2        eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> -Tom
ryanag@zoominternet.net wrote:
> The LAN still won't route past fw. I made the change you emailed.
>
> Bizarrely - my vonage phone **rings** (its on loc) but the other party can not hear me.
>
>
> Are you really interested in me helping with the support request page?

Yes.

>
> If so, I'll try and gather some examples from commercial and free projects and see what the slickest way is to keep people from asking the same questions and not providing enough information and get it back to you.

Thanks -- I've reorganized the current information -- see if you think it is easier to follow -- http://shorewall.net/support.htm

>
> Below is output of shorewall status after shorewall start

Ryan -- Shorewall IS STILL NOT STARTED. Are you seeing a startup error when you "shorewall start"?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Made these changes, the LAN can still not route past fw.

On Sun, 2005-04-10 at 12:31 -0400, Cristian Rodriguez wrote:
> On Apr 10, 2005 11:34 AM, ryanag@zoominternet.net
> <ryanag@zoominternet.net> wrote:
> > > Why?
> >
> > The layout of the webpage. My eyes only caught the first few lines, and what was highlighted in blue.
> >
> > > Do you think that because the fourth one starts THIS IS
> > > IMPORTANT that the rest of the information asked for is unimportant?
> >
> > Although, I should have read more carefully, the layout is going to throw off most newcomers.
> >
> > > How can I word/organize the guidelines so that this confusion is
> > > eliminated?
> >
> > I'm not qualified to offer advice until I better understand the program, but that a simple form with checkboxes (such as "check here if you included command x") that mailed itself to the mailing list (or to the end user so that they can forward).
> >
> > Wrong information/lack of = error message. I've seen some commercial support sites do this.
> >
> > Please keep in mind, that shorewall is very complex, and by the time I (or any other new user) has emailed for help I've read a *lot* of the documentation, and spent even more time googling.
> >
> > Once I get this up and running, I'd be glad to help.
> >
> > here's the rest....
> >
> > I'm attaching all of my config files for review. They are currently at the default (the rpm save are what I had in before).
> >
> > [info-removed]
>
> take a look at your interfaces file entries are incorrect.
>
> loc eth0 192.168.0.255
> dmz eth1 192.168.1.255
>
> acording to your setup, should be:
>
> loc eth0 192.168.1.255
> dmz eth1 192.168.0.255
>
> > Bind also works (local
> > net machines get IPs fine).
>
> BIND its a DNS server NOT a DHCP server, BIND takes care of name resolution, not IP assignment, also if you dont need the full capabilities of BIND, IMHO you should install something like dnsmasq instead of BIND.
>
> take a look at your masq file, is also incorrect
>
> eth0 eth1
> eth0 eth2
>
> according to your setup, it should be:
>
> eth2 eth1
> eth2 eth0
>
>
> try again bye.
>
On Sun, 2005-04-10 at 09:45 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> > The LAN still won't route past fw. I made the change you emailed.
> >
> > Bizarrely - my vonage phone **rings** (its on loc) but the other party can not hear me.
> >
> >
> > Are you really interested in me helping with the support request page?
>
> Yes.

Although this is just a start, I'm guessing Linksys is fairly good at collecting information from new-user subscribers:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/ask.php?p_icf_3=1

Notice that when you pick a different product, the fields change slightly, prodding for more information. Perhaps something similar, but when the user would select shorewall version #, OS, etc, then it would ask for more information based upon those fields. Failure to provide will result in a greyed out send field/submit button. Try the linksys page with no info entered - a javascript error.

What is the average skill level of person requesting help here?
ryanag@zoominternet.net wrote:
>> Ryan -- Shorewall IS STILL NOT STARTED. Are you seeing a startup error
>> when you "shorewall start"?
>
>
> A victim of cut and paste - see below
>

Ryan -- I've looked at all the pasted output in your latest off-list post and none of it shows shorewall in a started state.

Please:

a) shorewall start
b) shorewall show shorewall

The second command should produce output like this:

Shorewall-2.2.2 Chain shorewall at gateway - Sun Apr 10 10:11:28 PDT 2005

Counters reset Fri Apr  8 07:49:35 PDT 2005

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
gateway:~#

If it looks like this, then Shorewall is failing to start:

Shorewall-2.2.0 Chain shorewall at lists.shorewall.net - Sun Apr 10 10:12:06 PDT 2005

Counters reset Wed Feb 23 15:58:29 PST 2005

iptables: Table does not exist (do you need to insmod?)
[root@lists ~]#

If Shorewall is failing to start then please follow the (new) instructions at the beginning of http://shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
b.) returns -- (iptables is installed)

shorewall show shorewall
Shorewall-2.2.3 Chain shorewall at acs-24-239-122-161.zoominternet.net - Sun Apr 10 13:24:56 EDT 2005

iptables: Table does not exist (do you need to insmod?)

On Sun, 2005-04-10 at 10:13 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> >> Ryan -- Shorewall IS STILL NOT STARTED. Are you seeing a startup error
> >> when you "shorewall start"?
> >
> >
> > A victim of cut and paste - see below
> >
>
> Ryan -- I've looked at all the pasted output in your latest off-list post and none of it shows shorewall in a started state.
>
> Please:
>
> a) shorewall start
> b) shorewall show shorewall
>
> The second command should produce output like this:
>
> Shorewall-2.2.2 Chain shorewall at gateway - Sun Apr 10 10:11:28 PDT 2005
>
> Counters reset Fri Apr  8 07:49:35 PDT 2005
>
> Chain shorewall (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> gateway:~#
>
> If it looks like this, then Shorewall is failing to start:
>
> Shorewall-2.2.0 Chain shorewall at lists.shorewall.net - Sun Apr 10 10:12:06 PDT 2005
>
> Counters reset Wed Feb 23 15:58:29 PST 2005
>
> iptables: Table does not exist (do you need to insmod?)
> [root@lists ~]#
>
> If Shorewall is failing to start then please follow the (new) instructions at the beginning of http://shorewall.net/support.htm#Guidelines
>
> -Tom
ryanag@zoominternet.net wrote:
> b.) returns -- (iptables is installed)
>
> shorewall show shorewall
> Shorewall-2.2.3 Chain shorewall at acs-24-239-122-161.zoominternet.net -
> Sun Apr 10 13:24:56 EDT 2005
>
> iptables: Table does not exist (do you need to insmod?)

Ryan --

Ok that confirms that Shorewall isn't starting. So as I asked in my prior post, please get a trace of the start failure and post it.

As it now says in the first bullet of http://shorewall.net/support.htm#Guidelines (hit the refresh button on your browser):

a) "shorewall trace start 2> /tmp/trace"
b) Forward the /tmp/trace file as an attachment (you may compress it if you like).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Apr 10, 2005 1:25 PM, ryanag@zoominternet.net <ryanag@zoominternet.net> wrote:
> b.) returns -- (iptables is installed)
>
> shorewall show shorewall
> Shorewall-2.2.3 Chain shorewall at acs-24-239-122-161.zoominternet.net -
> Sun Apr 10 13:24:56 EDT 2005
>
> iptables: Table does not exist (do you need to insmod?)

shorewall trace start 2> /tmp/trace

and send us /tmp/trace
On Sun, 2005-04-10 at 10:27 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> > b.) returns -- (iptables is installed)
> >
> > shorewall show shorewall
> > Shorewall-2.2.3 Chain shorewall at acs-24-239-122-161.zoominternet.net -
> > Sun Apr 10 13:24:56 EDT 2005
> >
> > iptables: Table does not exist (do you need to insmod?)
>
> Ryan --
>
> Ok that confirms that Shorewall isn't starting. So as I asked in my prior post, please get a trace of the start failure and post it.
>
> As it now says in the first bullet of http://shorewall.net/support.htm#Guidelines (hit the refresh button on your browser):
>
> a) "shorewall trace start 2> /tmp/trace"
> b) Forward the /tmp/trace file as an attachment (you may compress it if you like).
>
> -Tom
ryanag@zoominternet.net wrote:
---------------------------
>>
>> shorewall trace start 2> /tmp/trace
>> Loading /usr/share/shorewall/functions...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> Starting Shorewall...
>> Initializing...

Boy -- this is like pulling teeth.

We need the /tmp/trace file -- it should contain a shell trace and will look something like this:

+ shift
+ nolock
+ [ 1 -gt 1 ]
+ trap my_mutex_off; exit 2 1 2 3 4 5 6 9
+ COMMAND=restart
+ [ 1 -ne 1 ]
+ do_initialize
+ export LC_ALL=C
+ umask 177
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version
+ IPTABLES
+ FW
+ SUBSYSLOCK
+ STATEDIR
+ ...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> ---------------------------
>
>>> shorewall trace start 2> /tmp/trace
>>> Loading /usr/share/shorewall/functions...
>>> Processing /etc/shorewall/params ...
>>> Processing /etc/shorewall/shorewall.conf...
>>> Loading Modules...
>>> Starting Shorewall...
>>> Initializing...
>
>
> Boy -- this is like pulling teeth.
>
> We need the /tmp/trace file -- it should contain a shell trace and will
> look something like this:
>

Ok -- I got the trace. I'm not forwarding it to the list because of its enormous size.

When you start shorewall, you are getting this fatal error message:

Error: No appropriate chain for zone fw to zone loc

Your /etc/shorewall/policy file is wrong. It looks like you don't have the 'all all REJECT' policy at the end (seems like you commented out the original contents of the sample policy file and replaced it with an incomplete set).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
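Editor's note: the three mistakes diagnosed in this thread (a masq file with an inside interface in the INTERFACE column, interfaces entries whose BROADCAST belongs to the other NIC, and a policy file that lost the sample file's closing 'all all REJECT' line, which is what produces the "No appropriate chain for zone fw to zone loc" start failure) can all be caught by cross-checking the Shorewall files against the output of "ip route show". The script below is an added example, not code from this thread or from Shorewall. It embeds the routing table, interfaces and masq files as quoted above, plus a constructed policy file that reproduces the missing catch-all line, and reports every mismatch. The rules it applies are taken from the replies in this thread: the masq INTERFACE must be the interface carrying the default route and the SUBNET must be an inside interface; an explicit BROADCAST must be the broadcast of the subnet actually configured on that interface; and every ordered pair of distinct zones (the firewall zone is assumed to be named fw, as in this thread) must be covered by some policy line.

```python
import ipaddress

# Constructed samples: the routing table and the Shorewall files as quoted
# in this thread (comment lines trimmed).
ROUTES = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
24.239.122.0/24 dev eth2 proto kernel scope link src 24.239.122.161
169.254.0.0/16 dev eth2 scope link
default via 24.239.122.1 dev eth2
"""
INTERFACES_BAD = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth2 detect dhcp,routefilter,norfc1918
loc eth0 192.168.0.255
dmz eth1 192.168.1.255
"""
MASQ_BAD = """\
#INTERFACE SUBNET
eth0 eth1
eth0 eth2
"""
POLICY_BAD = """\
#SOURCE DEST POLICY LOG
loc fw ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
"""
# The corrected versions given in the thread.
INTERFACES_OK = (INTERFACES_BAD
                 .replace("loc eth0 192.168.0.255", "loc eth0 192.168.1.255")
                 .replace("dmz eth1 192.168.1.255", "dmz eth1 192.168.0.255"))
MASQ_OK = "eth2 eth0\neth2 eth1\n"
POLICY_OK = POLICY_BAD + "all all REJECT info\n"


def rows(text):
    """Columns of each non-blank, non-comment line of a Shorewall file or ip output."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols


def parse_routes(text):
    """(default-route interface, {interface: [IPv4Network, ...]}) from 'ip route show'."""
    default_if, nets = None, {}
    for cols in rows(text):
        dev = cols[cols.index("dev") + 1]
        if cols[0] == "default":
            default_if = dev
        elif "kernel" in cols and "src" in cols:  # subnets configured on the NICs
            nets.setdefault(dev, []).append(ipaddress.ip_network(cols[0]))
    return default_if, nets


def check_masq(masq, default_if):
    """INTERFACE must be the outside NIC; SUBNET must not be the outside NIC."""
    out = []
    for cols in rows(masq):
        iface, subnet = cols[0], cols[1]
        if iface != default_if:
            out.append(f"masq '{iface} {subnet}': INTERFACE should be {default_if}")
        if subnet == default_if:
            out.append(f"masq '{iface} {subnet}': SUBNET is the outside interface")
    return out


def check_interfaces(interfaces, nets):
    """An explicit BROADCAST must match the subnet configured on that NIC."""
    out = []
    for cols in rows(interfaces):
        zone, dev, bcast = cols[0], cols[1], (cols[2] if len(cols) > 2 else "-")
        if dev not in nets:
            out.append(f"interfaces '{zone} {dev}': no address on {dev}")
        elif bcast not in ("detect", "-"):
            wanted = [str(n.broadcast_address) for n in nets[dev]]
            if bcast not in wanted:
                out.append(f"interfaces '{zone} {dev} {bcast}': "
                           f"{dev} broadcast is {'/'.join(wanted)}")
    return out


def check_policy(policy, zones):
    """Every ordered pair of distinct zones needs a policy line ('all' matches any zone)."""
    rules = [(c[0], c[1]) for c in rows(policy)]
    return [f"policy: no policy for zone {s} to zone {d}"
            for s in zones for d in zones if s != d
            and not any(rs in (s, "all") and rd in (d, "all") for rs, rd in rules)]


def audit(routes, interfaces, masq, policy):
    """All findings; an empty list means the files agree with the routing table."""
    default_if, nets = parse_routes(routes)
    zones = list(dict.fromkeys(["fw"] + [c[0] for c in rows(interfaces)]))
    return (check_masq(masq, default_if) + check_interfaces(interfaces, nets)
            + check_policy(policy, zones))


if __name__ == "__main__":
    for label, files in (("as posted", (INTERFACES_BAD, MASQ_BAD, POLICY_BAD)),
                         ("corrected", (INTERFACES_OK, MASQ_OK, POLICY_OK))):
        print(label, audit(ROUTES, *files) or ["clean"])
```

Run as-is it reports eleven findings for the posted files (three in masq, two in interfaces, six uncovered zone pairs in policy, the first of them fw to loc, matching the trace) and none for the corrected ones. To audit a live gateway, replace the embedded strings with the real files and the output of "ip route show"; the script checks only the mistakes seen in this thread and does not validate the rest of the Shorewall syntax.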
On Apr 10, 2005 1:47 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> > ryanag@zoominternet.net wrote:
> > ---------------------------
> >
> >>> shorewall trace start 2> /tmp/trace
> >>> Loading /usr/share/shorewall/functions...
> >>> Processing /etc/shorewall/params ...
> >>> Processing /etc/shorewall/shorewall.conf...
> >>> Loading Modules...
> >>> Starting Shorewall...
> >>> Initializing...
> >
> >
> > Boy -- this is like pulling teeth.
> >
> > We need the /tmp/trace file -- it should contain a shell trace and will
> > look something like this:
> >
>
> Ok -- I got the trace. I'm not forwarding it to the list because of its enormous size.
>
> When you start shorewall, you are getting this fatal error message:
>
> Error: No appropriate chain for zone fw to zone loc
>
> Your /etc/shorewall/policy file is wrong. It looks like you don't have the 'all all REJECT' policy at the end (seems like you commented out the original contents of the sample policy file and replaced it with an incomplete set).
>
> -Tom
> --

also.. open shorewall.conf and find:

DISABLE_IPV6=Yes

and change to:

DISABLE_IPV6=No

please verify your setup _completely_, one more time.
woooooo-hoooooo, it works!!!!

#1: Thank you everyone for your help. Its not easy to do this with a toddler tugging on my arm. :-D

#2: I get the (obvious :-) ) feeling this has been pretty painful for everyone. I will look around and get some ideas on how to format support requests so they are extremely clear, and impossible to ignore.

I have some questions regarding this list:
- What is the average skill level of the average shorewall newb?
- What is the most common type of internet connection / firewall setup people that come with questions want/have?
- Are the support requests mostly from home users, or mostly from businesses?

On Sun, 2005-04-10 at 10:47 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
> > ryanag@zoominternet.net wrote:
> > ---------------------------
> >
> >>> shorewall trace start 2> /tmp/trace
> >>> Loading /usr/share/shorewall/functions...
> >>> Processing /etc/shorewall/params ...
> >>> Processing /etc/shorewall/shorewall.conf...
> >>> Loading Modules...
> >>> Starting Shorewall...
> >>> Initializing...
> >
> >
> > Boy -- this is like pulling teeth.
> >
> > We need the /tmp/trace file -- it should contain a shell trace and will
> > look something like this:
> >
>
> Ok -- I got the trace. I'm not forwarding it to the list because of its enormous size.
>
> When you start shorewall, you are getting this fatal error message:
>
> Error: No appropriate chain for zone fw to zone loc
>
> Your /etc/shorewall/policy file is wrong. It looks like you don't have the 'all all REJECT' policy at the end (seems like you commented out the original contents of the sample policy file and replaced it with an incomplete set).
>
> -Tom
ryanag@zoominternet.net wrote:
> woooooo-hoooooo, it works!!!!

Great!

>
> #1: Thank you everyone for your help. Its not easy to do this with a toddler tugging on my arm. :-D
>
>
> #2: I get the (obvious :-) ) feeling this has been pretty painful for everyone. I will look around and get some ideas on how to format support requests so they are extremely clear, and impossible to ignore.
>
> I have some questions regarding this list:
> - What is the average skill level of the average shorewall newb?

Of the ones who have problems, most do not understand how IP works, how ethernet works or how the two work together. Often their posts begin "I'm new to Shorewall and to Linux and firewalls...". Even in small businesses, it seems like someone is picked at random and made network administrator whether they have any networking knowledge or not.

> - What is the most common type of internet connection / firewall setup people that come with questions want/have?

Two-interface.

> - Are the support requests mostly from home users, or mostly from businesses?
>

On weekdays, it tends to be mostly businesses. On the weekends, it's home users.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
ryanag@zoominternet.net
2005-Apr-16 21:08 UTC
Re: dumb, dumb question **follow-up on support-request documentation**
After thinking a lot about this, searching around, and checking some academia-related articles (here is a great one: http://www.firstmonday.org/issues/issue9_4/levesque/#l3 ), I have some ideas.

I think the easiest way for a new user to request support is through a series of yes/no questions with the end being a MS Word/Open Office document with some values filled in already.

For example, have a large-font link here http://www.shorewall.net/support.htm indicating new-users should click on it. The first click takes them to a page with only two hyperlink questions, and the answer is either true or false. Some supporting information (such as what NAT is, etc) can be listed below.

A nice starter question might be "do you want shorewall to protect one PC?" answer: I want shorewall to protect a network of computers? or I want shorewall to protect 1 PC.

A second question might be "Do you want to run any servers on this PC?", but only if the person had selected "I want shorewall to protect 1 PC."

Eventually, you'll run out of yes/no questions - then you can make very specific requests, such as "open a terminal, then type su - , provide the root password, then type shorewall status > tmp.txt"

At the end, depending on how the hyperlinks were clicked, have an MS Word/Open Office/Abiword document already filled out with instructions to mail the document along with the tmp files to the list for help.

The list will get a document that will be filled out completely (the user wouldn't be able to get it if it wasn't), and some attached files.

If anyone likes this setup, I'd be glad to help with a flowchart of questions.

On Sun, 2005-04-10 at 08:40 -0700, Tom Eastep wrote:
> ryanag@zoominternet.net wrote:
> >
> >
> >> How can I word/organize the guidelines so that this confusion is
> >> eliminated?
> >
> > I'm not qualified to offer advice until I better understand the program, but that a simple form with checkboxes (such as "check here if you included command x") that mailed itself to the mailing list (or to the end user so that they can forward).
> >
> > Wrong information/lack of = error message. I've seen some commercial support sites do this.
> >
> > Please keep in mind, that shorewall is very complex, and by the time I (or any other new user) has emailed for help I've read a *lot* of the documentation, and spent even more time googling.
> >
> >
> > Once I get this up and running, I'd be glad to help.
> >
>
> Thanks!
>
Tom Eastep
2005-Apr-16 22:56 UTC
Re: dumb, dumb question **follow-up on support-request documentation**
ryanag@zoominternet.net wrote:
> After thinking a lot about this, searching around, and checking some
> academia-related articles (here is a great one:
> http://www.firstmonday.org/issues/issue9_4/levesque/#l3 ),

Interesting article. By and large, I agree with Ms Levesque's observations but I would like to offer some comments:

A) User Interface

Having spent my entire career working on mainframes, designing graphical user interfaces is something that I admit knowing nothing about. This is one of the main reasons that I haven't tried to provide one -- I have every expectation that whatever I produced would take me a long time (steep learning curve) and would still suck (most first efforts do).

B) Documentation

I submit that Shorewall is atypical in that regard. That having been said, I agree with Ms Levesque that when people encounter problems with Open Source Software, they tend to discard the documentation as a source of help. I think that Shorewall suffers as a result because people don't bother to look at the documentation.

C) Feature-centric development.

If you look on my personal web page (http://shorewall.net/shoreline.htm), you will see a quote from Antoine de Saint-Exupery. While Saint-Exupery is best known to us as the author of "The Little Prince", he was also a gifted designer and engineer and I truly attempt to live by his principle that I quote on that page. I believe that when maintaining a product over a long period of time, the most valuable word at one's disposal is "No!".

D) Programming for the Self.

I wonder if Ms Levesque has ever asked herself what motivates people to spend their nights and weekends producing products for which they receive absolutely no remuneration whatsoever. The day that I have to apply the same mindset to Shorewall that I do to my project assignments at Hewlett-Packard is the day that I walk away from Shorewall for good.

E) Religious Blindness

With Shorewall, I try to avoid copying anyone else's work -- Unix, Linux OR Windows :-)

I'll address your other remarks in a separate post.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Apr-16 23:49 UTC
Re: dumb, dumb question **follow-up on support-request documentation**
ryanag@zoominternet.net wrote:
> I think the easiest way for a new user to request support is through a
> series of yes/no questions with the end being a MS Word/Open Office
> document with some values filled in already.
>
> For example,
>
> Have a large-font link here http://www.shorewall.net/support.htm
> indicating new-users should click on it.
>

Today, there are all sorts of bold large red font on the Shorewall website that people routinely ignore; that's one of my chief frustrations. Why would this link be any different?

> The first click takes them to a page with only two hyperlink questions,
> and the answer is either true or false. Some supporting information
> (such as what NAT is, etc) can be listed below.
>
> A nice starter question might be "do you want shorewall to protect one
> PC?" answer: I want shorewall to protect a network of computers? or I
> want shorewall to protect 1 PC.

Just a personal opinion -- I'm mystified that newbies with one PC running Linux choose to install Shorewall. It's like using a backhoe to plant a geranium. But that's another topic...

>
> A second question might be "Do you want to run any servers on this PC?",
> but only if the person had selected "I want shorewall to protect 1 PC."

These sorts of systems work well if you can enumerate the classes of problems that can be reported through them. They tend to work badly if people have a problem that the system designer hasn't considered. And if you can enumerate the classes of problems, what does this system provide that a well-written troubleshooting guide does not?

>
> Eventually, you'll run out of yes/no questions - then you can make very
> specific requests, such as "open a terminal, then type su - , provide
> the root password, then type shorewall status > tmp.txt"
>

And if Shorewall is running on an embedded system in the closet? (see http://leaf.sourceforge.org).

>
> At the end, depending on how the hyperlinks were clicked, have an MS
> Word/Open Office/Abiword document already filled out with instructions
> to mail the document along with the tmp files to the list for help.
>
> The list will get a document that will be filled out completely (the
> user wouldn't be able to get it if it wasn't), and some attached files.
>
>
> If anyone likes this setup, I'd be glad to help with a flowchart of
> questions.
>

I somehow think that the 80/20 rule should apply here -- isn't there something that takes 20% of the effort of what you propose that accomplishes 80% of what it provides?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
ryanag@zoominternet.net
2005-Apr-17 17:28 UTC
Re: dumb, dumb question **follow-up on support-request documentation**
On Sat, 2005-04-16 at 16:49 -0700, Tom Eastep wrote:
>
> Today, there are all sorts of bold large red font on the Shorewall website
> that people routinely ignore; that's one of my chief frustrations. Why would
> this link be any different?

There are too many - offer one which says "new user support click here" then limit the answers to "yes/no" when possible.

> And if you can enumerate the classes of problems, what does this system
> provide that a well-written troubleshooting guide does not?

Absolutely nothing - I think my way is a step backward. But realistically, how many open source projects have troubleshooting guides worth looking at? Remember - many people aren't doing this at work, and aren't ready to sit down with the entire user manual / troubleshooting guide until they've determined the program is useful.

> And if Shorewall is running on an embedded system in the closet? (see
> http://leaf.sourceforge.org).

Can you use a different set of questions? Perhaps some instructions on how to use WinSCP to get files...

> I somehow think that the 80/20 rule should apply here -- isn't there
> something that takes 20% of the effort of what you propose that
> accomplishes 80% of what it provides?

I don't know. Think of the new user, not the advanced. What would a new user be used to? Windows2000/XP most likely, and probably familiar with home-user routers DLink, linksys, etc.

Windows users are certainly used to wizards with yes/no answers, and Dlink and Linksys also use wizards to set up their routers. I think a support system set up in that manner will help them out a lot (Linksys's and netgear's online support is similar to what I described).

The flip side of all this is that it's great you provide any support at all, especially given the price of shorewall. :-)