If I'm using eth1 as my lan zone on my router box, it needs a static ip... what do I set the gateway option to in /etc/network/interfaces since this computer is actually the gateway for the rest of the lan?

Itself? My "net" NIC's address? Something else?

My lan isn't getting internet access using the default Shorewall config file (edited per http://www.shorewall.net/two-interface.htm) and I think it may be an interfaces setup problem.

-- 
Landy J. Bible
The University of Tulsa
Computer Science Student
IS Computer Help Desk Tech.
Java Programmer
Lighting Designer
Train Nut
> If I'm using eth1 as my lan zone on my router box, it needs a static
> ip... what do I set the gateway option to in /etc/network/interfaces
> since this computer is actually the gateway for the rest of the lan?
>
> Itself? My "net" NIC's address? Something else?
>
> My lan isn't getting internet access using the default Shorewall config
> file (edited per http://www.shorewall.net/two-interface.htm) and I think
> it may be an interfaces setup problem.
>
> --
> Landy J. Bible

Debian? You don't, just remove the gateway line. Have a look at a sample here: http://www.shorewall.net/myfiles.htm

Jerry
Interfaces:
net   eth0   detect   dhcp
loc   eth1   detect

Policy (block all by default):
$FW   net   REJECT   info
net   $FW   DROP     info
all   all   REJECT   info

Rules:
AllowWeb   loc   net     (let lan users web, see actions to set up more ports)
(add more rules here, ftp, mail etc.)

Masq:
eth0   eth1

On your client machines, they should point to the address of eth1 on the firewall as their gateway. This should work.

Does your firewall get traffic out to the net? Can you ping the firewall from inside? Can your firewall ping inside and outside?

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Landy Bible
Sent: Friday, June 10, 2005 3:47 PM
To: Mailing List for Shorewall Users
Subject: [Shorewall-users] /etc/network/interfaces

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Landy Bible wrote:
> If I'm using eth1 as my lan zone on my router box, it needs a static
> ip... what do I set the gateway option to in /etc/network/interfaces
> since this computer is actually the gateway for the rest of the lan?

You did not quite say, so I have to assume. In the case that eth0 is the WAN connection then it would have a gateway statement and would set up the default gateway for your machine. For your firewall think only of the outside connection and configure it appropriately. If eth1 is the LAN connection it would *not* have a gateway associated with that interface. You will do ip forwarding in the kernel between the interfaces.

On Debian the /etc/network/interfaces file would have a gateway listed for eth0 as the wan connection in this static ip configuration but not for eth1 as the private lan.

> Itself? My "net" NIC's address? Something else?

None at all.

> My lan isn't getting internet access using the default Shorewall config
> file (edited per http://www.shorewall.net/two-interface.htm) and I think
> it may be an interfaces setup problem.

I am guessing that you have IP forwarding set to off in the linux kernel. That is the linux kernel default. The shorewall configuration default is to turn this on. The Debian default is Keep to handle interactions with other packages and other configurations. The classic way to turn on forwarding on the linux kernel is this way:

  echo 1 > /proc/sys/net/ipv4/ip_forward

You will see that in a lot of packages and other firewall configurations. But if you are using Shorewall it would probably be simplest to set this up the shorewall default. Set the value for IP_FORWARDING to Yes. This is described in the README.Debian file.

/etc/shorewall/shorewall.conf:
  IP_FORWARDING=On

This may not be exactly your problem but it reads like it.

Bob
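The two checks Bob describes (no gateway line on the LAN interface, and IP forwarding actually on once Shorewall starts) as a small pre-flight script. This is an added example, not code from the thread, from Debian or from Shorewall. It parses a Debian-style /etc/network/interfaces and a shorewall.conf passed in as text so it runs offline; the sample files are constructed for the example, the roles eth0 = WAN and eth1 = LAN are taken from the thread, and the IP_FORWARDING semantics (Yes/On enables, No/Off disables, Keep leaves the kernel's current /proc/sys/net/ipv4/ip_forward value alone) are an assumption about the options Bob mentions.

```python
"""Pre-flight check for a Shorewall two-interface router (added example).

Constructed inputs only: interface text, shorewall.conf text and the
current value of /proc/sys/net/ipv4/ip_forward are passed in as values.
"""

import re


def parse_interfaces(text):
    """Return {iface: {"method": str, "options": {key: value}}}.
    'auto'/'allow-hotplug' lines end the current stanza; other lines
    are options of the current 'iface' stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "iface" and len(fields) >= 4:
            current = fields[1]
            stanzas[current] = {"method": fields[3], "options": {}}
        elif fields[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None
        elif current is not None:
            stanzas[current]["options"][fields[0]] = " ".join(fields[1:])
    return stanzas


def shorewall_setting(conf_text, key):
    """Value of KEY=value in shorewall.conf (last one wins, quotes
    stripped), or None when the key is not set."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")
    value = None
    for line in conf_text.splitlines():
        match = pattern.match(line.split("#", 1)[0])
        if match:
            value = match.group(1).strip("\"'")
    return value


def forwarding_after_start(conf_text, kernel_ip_forward):
    """True if ip_forward will read 1 after 'shorewall start' (assumed
    semantics: Yes/On sets it, No/Off clears it, Keep leaves it)."""
    setting = (shorewall_setting(conf_text, "IP_FORWARDING") or "keep").lower()
    if setting in ("yes", "on"):
        return True
    if setting in ("no", "off"):
        return False
    return kernel_ip_forward == 1   # Keep: Shorewall does not touch it


def check_router(interfaces_text, conf_text, kernel_ip_forward,
                 wan="eth0", lan="eth1"):
    """Return a list of problems; an empty list means the basics are right."""
    problems = []
    stanzas = parse_interfaces(interfaces_text)
    lan_cfg = stanzas.get(lan)
    if lan_cfg is None:
        problems.append(f"{lan}: no iface stanza")
    else:
        if lan_cfg["method"] != "static":
            problems.append(f"{lan}: LAN side needs a static address, not {lan_cfg['method']}")
        if "gateway" in lan_cfg["options"]:
            problems.append(f"{lan}: drop the gateway line, this box is the LAN's gateway")
    wan_cfg = stanzas.get(wan)
    if wan_cfg is None:
        problems.append(f"{wan}: no iface stanza")
    elif wan_cfg["method"] == "static" and "gateway" not in wan_cfg["options"]:
        problems.append(f"{wan}: a static WAN interface needs a gateway line")
    if not forwarding_after_start(conf_text, kernel_ip_forward):
        problems.append("IP forwarding will be off after 'shorewall start'")
    return problems


# Constructed sample: WAN by DHCP, LAN static, no gateway on the LAN side.
GOOD_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.6.1
    netmask 255.255.255.0
"""

# Constructed sample: the mistake the original question asks about.
BROKEN_INTERFACES = GOOD_INTERFACES + "    gateway 192.168.6.1   # points the router at itself\n"

if __name__ == "__main__":
    print("broken:", check_router(BROKEN_INTERFACES, "IP_FORWARDING=Keep\n", 0) or "ok")
    print("fixed: ", check_router(GOOD_INTERFACES, 'IP_FORWARDING="On"\n', 0) or "ok")
```

With the Debian default of Keep and the kernel default of 0 the script reports forwarding off, which is the symptom Bob is guessing at; setting IP_FORWARDING=On, or removing the gateway line, clears the corresponding finding.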
eth0 is wan, configured via dhcp from my isp.

IP forwarding is on.

/etc/shorewall/Interfaces, Policy, Rules, and Masq are correct.

Firewall has no net access because of "$FW net REJECT info" though removing that still doesn't allow access, but if I stop shorewall, my firewall has net access.

I can ping the firewall from the inside, but not the outside. Still no net access from lan.

Here is my /etc/network/interfaces

# loopback
auto lo
iface lo inet loopback

# eth0 wan interface
auto eth0
iface eth0 inet dhcp

# eth1 lan interface
auto eth1
iface eth1 inet static
    address 192.168.6.1
    netmask 255.255.255.0
#end file

I know the client configs are pointing at my firewall as their gateway, I have a dhcp server on my network that points to its internal ip address, which I know worked because it was my linksys router's ip until it died.

Thanks,

-- 
Landy J. Bible
I noticed that shorewall was outputting info to the console (don't know how I missed that before, but...) and all my internet requests were getting logged as "all2all" reject, when they should be "loc2net" so I set all to all allow, and traffic flows through as expected, so I have to figure out why it's classified as all2all rather than loc2net.... it says loc2fw when I connect my ssh to work on it... very strange indeed.

-- 
Landy J. Bible
On Fri, 10 Jun 2005, Landy Bible wrote:
> I noticed that shorewall was outputting info to the console (don't know how I
> missed that before, but...) and all my internet requests were getting logged
> as "all2all" reject, when they should be "loc2net" so I set all to all allow,
> and traffic flows through as expected, so I have to figure out why it's
> classified as all2all rather than loc2net....

What is your loc2net policy?

> it says loc2fw when I connect
> my ssh to work on it... very strange indeed.

That is correct. The firewall is a separate zone.

-- 
Stephen
Stephen Carville wrote:
> What is your loc2net policy?

I don't have anything in my policy file regarding loc2net, but in my rules file, I have...

AllowWeb   loc   net

-- 
Landy J. Bible
On Fri, 10 Jun 2005, Landy Bible wrote:
> Stephen Carville wrote:
>
>> What is your loc2net policy?
>
> I don't have anything in my policy file regarding loc2net, but in my rules
> file, I have...
>
> AllowWeb   loc   net
>

Rules are _exceptions_ to a policy so you need a policy to except. Without a policy a zone2zone chain just inherits all2all. At least that is how I think it works. :-)

-- 
Stephen
Stephen Carville wrote:
> Rules are _exceptions_ to a policy so you need a policy to except.
> Without a policy a zone2zone chain just inherits all2all. At least
> that is how I think it works. :-)

It works! Thanks! Now to set up those rules to allow traffic back to my web and mail servers :-)

-- 
Landy J. Bible
Landy Bible wrote:
> I noticed that shorewall was outputting info to the console (don't know how
> I missed that before, but...) and all my internet requests were getting

This is just a Debian specific aside but...

The Linux kernel default console logging is 8 so that all messages are logged to the console. At least one other distro sets this to 3 in /etc/sysconfig/init and so users there never see console messages.

A firewall on the Internet today is always flooded with probes. People are always pulling on the door and trying to lift the windows. The logging to the console causes messages to be printed on the console so often that it is virtually useless.

This is arguably a system policy decision. Debian does not make this policy anywhere else that I can find and the system uses the Linux kernel default. Using the kernel default is arguably a safe choice for the system but possibly unpleasant for the user of the kernel. This is not normally an issue but when running an active firewall it does tend to flood the console with information.

Therefore I always set the following in the '/etc/shorewall/init' shorewall init file to set the console logging level to something a little more quiet. This avoids logging packet messages to the console. They are still logged normally to syslog. I prefer KERN_NOTICE level 5. Setting it to 3 would pretty much turn off console messages.

  dmesg -n5

You can find the kernel logging levels in the linux/kernel.h file.

  #define KERN_EMERG   "<0>" /* system is unusable */
  #define KERN_ALERT   "<1>" /* action must be taken immediately */
  #define KERN_CRIT    "<2>" /* critical conditions */
  #define KERN_ERR     "<3>" /* error conditions */
  #define KERN_WARNING "<4>" /* warning conditions */
  #define KERN_NOTICE  "<5>" /* normal but significant condition */
  #define KERN_INFO    "<6>" /* informational */
  #define KERN_DEBUG   "<7>" /* debug-level messages */

Bob
Landy Bible wrote:
> I noticed that shorewall was outputting info to the console (don't know how
> I missed that before, but...) and all my internet requests were getting
> logged as "all2all" reject, when they should be "loc2net" so I set all
> to all allow, and traffic flows through as expected, so I have to figure
> out why it's classified as all2all rather than loc2net.... it says loc2fw
> when I connect my ssh to work on it... very strange indeed.

Tip: write an explicit policy for every zone2zone combination - this gives you the exact zone names in every log message.

-- 
Paul <http://paulgear.webhop.net>
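Stephen's point that rules are exceptions to a policy, and Paul's tip about explicit per-pair policies, as a runnable model of what ended up in Landy's log. This is an added example, not code from the thread or from Shorewall, and it is a deliberate simplification (an assumption, not Shorewall's exact algorithm, which also handles zone lists, exclusions, interface-qualified entries and more): rules are tried first in file order; otherwise the first policy entry whose SOURCE and DEST match the two zones applies, with "all" as a wildcard; the chain named in the log prefix is that of the matching policy entry (loc2net, fw2net, all2all), $FW appearing as fw; and the prefix is built as "Shorewall:chain:action:", which is assumed to be Shorewall's default LOGFORMAT. The policy and rules texts are constructed from what the thread shows, with the AllowWeb action written out as ACCEPT for tcp 80 and 443 (an assumption about what that action expands to).

```python
"""Simplified model of Shorewall zone-to-zone policy resolution (added example)."""

from dataclasses import dataclass


def _zone(name):
    """$FW is written as 'fw' in chain names and log prefixes."""
    return "fw" if name == "$FW" else name


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    log_level: str = ""       # e.g. "info"; empty means the policy does not log


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dports: tuple = ("-",)    # "-" matches any port


def _fields(line):
    return line.split("#", 1)[0].split()


def parse_policy(text):
    """One 'SOURCE DEST POLICY [LOGLEVEL]' entry per line."""
    entries = []
    for line in text.splitlines():
        f = _fields(line)
        if not f:
            continue
        if len(f) < 3:
            raise ValueError(f"policy line needs SOURCE DEST POLICY: {line!r}")
        entries.append(Policy(_zone(f[0]), _zone(f[1]), f[2].upper(), f[3] if len(f) > 3 else ""))
    return entries


def parse_rules(text):
    """One 'ACTION SOURCE DEST [PROTO [DPORT[,DPORT...]]]' entry per line."""
    rules = []
    for line in text.splitlines():
        f = _fields(line)
        if not f:
            continue
        if len(f) < 3:
            raise ValueError(f"rule needs ACTION SOURCE DEST: {line!r}")
        proto = f[3] if len(f) > 3 else "-"
        dports = tuple(f[4].split(",")) if len(f) > 4 else ("-",)
        rules.append(Rule(f[0].upper(), _zone(f[1]), _zone(f[2]), proto, dports))
    return rules


def decide(policies, rules, src, dst, proto="tcp", dport="80"):
    """Return (chain, action, log_prefix) for a new connection between two
    zones; log_prefix is None when nothing would be logged."""
    src, dst = _zone(src), _zone(dst)
    for r in rules:                                   # rules: exceptions first
        if (r.source in (src, "all") and r.dest in (dst, "all")
                and r.proto in ("-", proto) and ("-" in r.dports or dport in r.dports)):
            return f"{src}2{dst}", r.action, None
    for p in policies:                                # then the first matching policy
        if p.source in (src, "all") and p.dest in (dst, "all"):
            chain = f"{p.source}2{p.dest}"
            prefix = f"Shorewall:{chain}:{p.action}:" if p.log_level else None
            return chain, p.action, prefix
    raise LookupError(f"no policy covers {src}->{dst}")


# Constructed from the thread: no loc->net entry, so loc->net falls through to all2all.
ORIGINAL_POLICY = """
$FW   net   REJECT   info
net   $FW   DROP     info
all   all   REJECT   info
"""

# Stephen's fix: give loc->net a policy of its own (ACCEPT shown here).
FIXED_POLICY = "loc   net   ACCEPT\n" + ORIGINAL_POLICY

# Paul's tip: an explicit entry per pair, so every log line names the pair.
EXPLICIT_POLICY = "loc   net   REJECT   info\n" + ORIGINAL_POLICY

RULES = """
ACCEPT   loc   net   tcp   80,443    # 'AllowWeb loc net' written out (assumed expansion)
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for name, text in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY),
                       ("explicit", EXPLICIT_POLICY)):
        pol = parse_policy(text)
        for dport in ("80", "25"):
            print(f"{name:8} loc->net tcp/{dport}:", decide(pol, rules, "loc", "net", "tcp", dport))
        print(f"{name:8} $FW->net tcp/80:", decide(pol, rules, "$FW", "net", "tcp", "80"))
```

With the original policy, web traffic from loc matches the rule, but anything else from loc to net reaches the all/all entry and is logged with the all2all prefix Landy saw; the firewall's own outbound traffic hits the $FW net entry and is logged as fw2net, which is the other symptom reported earlier in the thread. Adding a loc net entry changes both the decision and the chain name in the log.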