I have tried to replace these lines from ipchains to work with shorewall.

# NFS requires 111/tcp (sunrpc/portmapper) and *all* UDP ports.
#
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 111 -j ACCEPT
ipchains -A input -p udp -s $SUBNET -i eth0 -d 0/0 -j ACCEPT

# These ports are required by bootp, tftpd, and PXE.
# There are also a handful of udp ports that need to
# be open, but we've already opened those, above.
#
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 67 -j ACCEPT
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 69 -j ACCEPT
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 4011 -j ACCEPT
ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 1759 -j ACCEPT

I have tried to change policy and rules with no results.

Regards.

Quiliro
In "policy" I added:
loc loc ACCEPT
(before all all)

And in "rules" I added:
ACCEPT loc loc tcp 111 111
ACCEPT loc loc udp 111 111

Then: service shorewall restart ..... no luck

Quiliro wrote:
> I have tried to replace these lines from ipchains to work with shorewall.
>
> # NFS requires 111/tcp (sunrpc/portmapper) and *all* UDP ports.
> #
> ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 111 -j ACCEPT
> ipchains -A input -p udp -s $SUBNET -i eth0 -d 0/0 -j ACCEPT
>
> # These ports are required by bootp, tftpd, and PXE.
> # There are also a handful of udp ports that need to
> # be open, but we've already opened those, above.
> #
> ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 67 -j ACCEPT
> ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 69 -j ACCEPT
> ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 4011 -j ACCEPT
> ipchains -A input -p tcp -s $SUBNET -i eth0 -d 0/0 1759 -j ACCEPT
>
> I have tried to change policy and rules with no results.
>
> Regards.
>
> Quiliro
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Then replaced in "rules":
ACCEPT loc loc tcp 111
ACCEPT loc loc udp

And added:
ACCEPT loc loc tcp 67
ACCEPT loc loc tcp 69
ACCEPT loc loc tcp 4011
ACCEPT loc loc tcp 1759

And still got:
May 30 18:33:31 cpe-0008a1175022 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:0c:f1:7e:a2:a8:00:e0:4c:84:87:c4:08:00 SRC=192.168.0.250 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=20 ID=3 PROTO=UDP SPT=2071 DPT=69 LEN=45

Quiliro wrote:
> In "policy" I added:
> loc loc ACCEPT
> (before all all)
>
> And in "rules" I added:
> ACCEPT loc loc tcp 111 111
> ACCEPT loc loc udp 111 111
>
> Then: service shorewall restart ..... no luck
>
> Quiliro wrote:
>
>> I have tried to replace these lines from ipchains to work with
>> shorewall.
>>
>> [...]
On Tuesday 31 May 2005 01:26, Quiliro wrote:

Hi Quiliro,

what are you trying to accomplish? Where is the NFS/TFTP/DHCP Server running? On the firewall itself?
IMHO these loc loc rules/policies don't make sense. Or what did I miss caused by this incomplete support request?

Have a look at:
http://www.shorewall.net/ports.htm

You'll find NFS/TFTP examples there.

> In "policy" I added:
> loc loc ACCEPT
> (before all all)
>
> And in "rules" I added:
> ACCEPT loc loc tcp 111 111
> ACCEPT loc loc udp 111 111

You define an ACCEPT rule twice in policy AND rules. Just decide for one.
In case that the NFS/TFTP services are running on the firewall itself: change the rule to: ACCEPT loc $FW .......

Another hint: You need the "dhcp" option in the /etc/shorewall/interface file in case that the dhcp/bootp server is running on the firewall itself. No extra rule for this is needed.

And as last tip: please read the support guidelines before posting THREE different "try and error" mails.
http://shorewall.net/support.htm#Guidelines

Thank you.

HTH,
Alex

> Then: service shorewall restart ..... no luck
>
> Quiliro wrote:
> > I have tried to replace these lines from ipchains to work with shorewall.
> >
> > [...]
Hi Alexander

Alexander Wilms wrote:
> On Tuesday 31 May 2005 01:26, Quiliro wrote:
> Hi Quiliro,
>
> what are you trying to accomplish? Where is the NFS/TFTP/DHCP Server running?
> On the firewall itself?

Yes the firewall and the NFS/TFTP/DHCP Server are on the same machine.

> IMHO these loc loc rules/policies don't make sense.
> Or what did I miss caused by this incomplete support request?
>
> Have a look at:
> http://www.shorewall.net/ports.htm
>
> You'll find NFS/TFTP examples there.
>
>> In "policy" I added:
>> loc loc ACCEPT
>> (before all all)
>>
>> And in "rules" I added:
>> ACCEPT loc loc tcp 111 111
>> ACCEPT loc loc udp 111 111
>
> You define an ACCEPT rule twice in policy AND rules. Just decide for one.
> In case that the NFS/TFTP services are running on the firewall itself: change
> the rule to: ACCEPT loc $FW .......

I added the following to "rules"
ACCEPT loc fw tcp 67 -
ACCEPT fw loc tcp 67 -
ACCEPT loc fw tcp 69 -
ACCEPT fw loc tcp 69 -
ACCEPT loc fw tcp 111 -
ACCEPT fw loc tcp 111 -
ACCEPT loc fw tcp 4011 -
ACCEPT fw loc tcp 4011 -
ACCEPT loc fw tcp 1759 -
ACCEPT fw loc tcp 1759 -
ACCEPT loc fw udp - -
ACCEPT fw loc udp - -
They seem to do what I need. Are they what I need?

> Another hint: You need the "dhcp" option in the /etc/shorewall/interface file
> in case that the dhcp/bootp server is running on the firewall itself. No
> extra rule for this is needed.

I had no problems with this. I guess the mandrake 10.0 wizard handled this.

> And as last tip: please read the support guidelines before posting THREE
> different "try and error" mails.
> http://shorewall.net/support.htm#Guidelines

Sorry. Attached is my status.txt.

> Thank you.
>
> HTH,
> Alex

Thank YOU.

>> Then: service shorewall restart ..... no luck
>>
>> Quiliro wrote:
>>> I have tried to replace these lines from ipchains to work with shorewall.
>>>
>>> [...]
On Tuesday 31 May 2005 17:21, Quiliro wrote:
> Hi Alexander
>
> Alexander Wilms wrote:
> > On Tuesday 31 May 2005 01:26, Quiliro wrote:
> > Hi Quiliro,
> >
> > what are you trying to accomplish? Where is the NFS/TFTP/DHCP Server
> > running? On the firewall itself?
>
> Yes the firewall and the NFS/TFTP/DHCP Server are on the same machine.
>
> > IMHO these loc loc rules/policies don't make sense.
> > Or what did I miss caused by this incomplete support request?
> >
> > Have a look at:
> > http://www.shorewall.net/ports.htm
> >
> > You'll find NFS/TFTP examples there.
> >
> > > In "policy" I added:
> > > loc loc ACCEPT
> > > (before all all)
> > >
> > > And in "rules" I added:
> > > ACCEPT loc loc tcp 111 111
> > > ACCEPT loc loc udp 111 111
> >
> > You define an ACCEPT rule twice in policy AND rules. Just decide for one.
> > In case that the NFS/TFTP services are running on the firewall itself:
> > change the rule to: ACCEPT loc $FW .......
>
> I added the following to "rules"
> ACCEPT loc fw tcp 67 -
> ACCEPT fw loc tcp 67 -
> ACCEPT loc fw tcp 69 -
> ACCEPT fw loc tcp 69 -
> ACCEPT loc fw tcp 111 -
> ACCEPT fw loc tcp 111 -
> ACCEPT loc fw tcp 4011 -
> ACCEPT fw loc tcp 4011 -
> ACCEPT loc fw tcp 1759 -
> ACCEPT fw loc tcp 1759 -
> ACCEPT loc fw udp - -
> ACCEPT fw loc udp - -
> They seem to do what I need. Are they what I need?
>
> > Another hint: You need the "dhcp" option in the /etc/shorewall/interface
> > file in case that the dhcp/bootp server is running on the firewall
> > itself. No extra rule for this is needed.
>
> I had no problems with this. I guess the mandrake 10.0 wizard handled this.

I don't think so, the above rules (port 67) handled it somehow. But that's not the way shorewall should be configured. Take a look in Tom's "context sensitive (TM)" help directly in the /etc/shorewall/interfaces file.

Also your rules above show that you didn't read Tom's excellent Documentation. (Hint: you need only 1 direction, the rest is done via connection tracking) So read again.

http://www.shorewall.net/dhcp.htm

And I urge you to read this:
http://www.shorewall.net/two-interface.htm

I think all your question/config mistakes are covered in this quick install guide.

Alex
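As an added example (not part of the thread and not Shorewall's own code), the following Python script replays the REJECT log line posted earlier against rules-file lines in Shorewall's ACTION SOURCE DEST PROTO DPORT column layout. It shows the point both replies turn on: the packet's destination 192.168.0.1 is the firewall's own address (the log's empty OUT= field says the same), so the connection is loc to $FW, none of the loc loc rules can match, and the packet falls through to the all2all policy chain. The zone layout, the two rule sets and the helper names (zone_of, parse_log, parse_rules, port_matches, first_match, explain) are constructed assumptions; the matcher covers only the columns used in the thread, not Shorewall's full rules syntax.

```python
"""Replay a Shorewall REJECT log line against rules-file lines to see which
rule, if any, would have matched.  Added example with constructed data; the
zone layout below is an assumption, not read from a real Shorewall install."""
import re
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): the firewall's own address forms the
# "fw" zone; the rest of 192.168.0.0/24 behind eth0 is "loc".  Shorewall
# derives this from /etc/shorewall/zones and /etc/shorewall/interfaces.
FW_ADDRESSES = {"192.168.0.1"}
ZONE_NETS = {"loc": ip_network("192.168.0.0/24")}

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):.*?IN=(?P<in>\S*) OUT=(?P<out>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def zone_of(addr):
    """Map an address to a zone name under the constructed layout."""
    if addr in FW_ADDRESSES:
        return "fw"
    ip = ip_address(addr)
    for zone, net in ZONE_NETS.items():
        if ip in net:
            return zone
    return "net"


def parse_log(line):
    """Pull chain, disposition, zones, protocol and destination port out of a
    kernel log line written by Shorewall's logging rules."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    return {
        "chain": m["chain"],            # all2all = the policy chain: no rule matched
        "disposition": m["disp"],
        "to_firewall": m["out"] == "",  # empty OUT= means the packet was for this host
        "src_zone": zone_of(m["src"]),
        "dst_zone": zone_of(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dpt"]) if m["dpt"] else None,
    }


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO DPORT [SPORT]' lines; '#' starts a comment.
    $FW is Shorewall's variable for the firewall zone, whose default name is fw."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, dport, _sport = (line.split() + ["-"] * 6)[:6]
        rules.append({
            "action": action,
            "src": "fw" if src == "$FW" else src,
            "dst": "fw" if dst == "$FW" else dst,
            "proto": proto.lower(),
            "dport": dport,
        })
    return rules


def port_matches(spec, port):
    """'-' matches any port; otherwise a comma list of ports or lo:hi ranges."""
    if spec == "-":
        return True
    if port is None:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_match(rules, pkt):
    """Action of the first matching rule, or None when the packet falls
    through to the zone policy (for loc->fw in the thread: all2all REJECT)."""
    for r in rules:
        if (r["src"] in ("all", pkt["src_zone"])
                and r["dst"] in ("all", pkt["dst_zone"])
                and r["proto"] in ("-", "all", pkt["proto"])
                and port_matches(r["dport"], pkt["dport"])):
            return r["action"]
    return None


def explain(log_line, rules_text):
    """Which action would these rules give the logged packet?"""
    return first_match(parse_rules(rules_text), parse_log(log_line))


# The REJECT line posted in the thread: a TFTP request (UDP 69) from a LAN
# host to the firewall's own address.
LOG_LINE = (
    "May 30 18:33:31 cpe-0008a1175022 kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= "
    "MAC=00:0c:f1:7e:a2:a8:00:e0:4c:84:87:c4:08:00 SRC=192.168.0.250 DST=192.168.0.1 "
    "LEN=65 TOS=0x00 PREC=0x00 TTL=20 ID=3 PROTO=UDP SPT=2071 DPT=69 LEN=45"
)

# Constructed rule sets: the loc->loc lines from the thread, and the loc->$FW
# form from the reply (one direction only; replies ride on connection tracking).
LOC_LOC_RULES = """
ACCEPT loc loc tcp 111
ACCEPT loc loc udp
ACCEPT loc loc tcp 69
"""
LOC_FW_RULES = """
ACCEPT loc $FW tcp 111
ACCEPT loc $FW udp
"""

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print(f"{pkt['src_zone']} -> {pkt['dst_zone']} {pkt['proto']}/{pkt['dport']} "
          f"hit chain {pkt['chain']} ({pkt['disposition']})")
    print("loc loc rules:", explain(LOG_LINE, LOC_LOC_RULES))  # None: policy decides
    print("loc $FW rules:", explain(LOG_LINE, LOC_FW_RULES))   # ACCEPT
```

Running it prints that the packet is loc -> fw udp/69 and landed in the all2all chain; the loc loc rule set yields None (no rule, so the zone policy's REJECT applies) while the loc $FW set yields ACCEPT. The chain name in the log is the quickest diagnostic: a rule-chain name such as loc2fw means a rule was reached, whereas all2all means the packet was never matched by any rule and only the fallback policy saw it.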