Hi all

I currently run shorewall 2.0.7 on Gentoo. In portage (Gentoo's packaging system) the next current version is 2.2.5.

Network is laid out as follows:
Gentoo has 2 NICs; one for internal LAN and second for the Internet.
Gentoo machine running shorewall as fw.
LAN using fw as the gateway to the net.

I am currently having issues with upgrading. Once I have upgraded and restarted shorewall, the firewall can contact the Internet, outside hosts can connect to the firewall, but the internal LAN cannot connect past the firewall. Nothing appears in syslog to indicate a problem with rules. I have deleted all the rules and recreated them by hand and made sure my zones and other files are correct.

Does anyone have any ideas?

Regards
Ray Booysen

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Additional Support Information:
ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
3: ip6tnl0: <NOARP> mtu 1460 qdisc noop
link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:e3:02:8b:4e brd ff:ff:ff:ff:ff:ff
inet 217.205.225.251/29 brd 217.205.225.255 scope global eth0
inet 217.205.225.253/24 brd 217.205.225.255 scope global eth0:2
inet 217.205.225.254/29 brd 217.205.225.255 scope global secondary eth0:1
inet6 fe80::202:e3ff:fe02:8b4e/64 scope link
valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0e:a6:c5:62:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
inet6 fe80::20e:a6ff:fec5:6220/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

ip route show:
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
217.205.225.248/29 dev eth0 proto kernel scope link src 217.205.225.251
217.205.225.0/24 dev eth0 proto kernel scope link src 217.205.225.253
10.8.0.0/24 via 10.8.0.2 dev tun0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
10.10.10.0/24 via 10.8.0.2 dev tun0
127.0.0.0/8 dev lo scope link
default via 217.205.225.249 dev eth0
A shorewall status would be better
http://www.shorewall.net/support.html

Jerry
Jerry Vonau wrote:
> A shorewall status would be better
> http://www.shorewall.net/support.html
>
> Jerry

Hi Jerry

Seems I can't post files over 40KB or zip files at all. Suggestions?

Regards
Ray
Ray Booysen wrote:
> Jerry Vonau wrote:
>
>> A shorewall status would be better
>> http://www.shorewall.net/support.html
>> ...
>
> Seems I can't post files over 40KB or zip files at all. Suggestions?

shorewall status > /tmp/status
bzip2 -9 /tmp/status

Send us /tmp/status.bz2

--
Paul <http://paulgear.webhop.net>
--
This message is signed with a GNU Privacy Guard cryptographic signature. If you are reading this message in a text attachment, it is because your email program does not support OpenPGP. Please consider upgrading to one of the secure alternatives at <http://mozilla.org/>.
Jerry was asking for "shorewall status" output while you are running 2.2.5, not 2.0.7.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jerry was asking for "shorewall status" output while you are running 2.2.5,
> not 2.0.7.
>

You should also review the migration issues in the 2.2.5 release notes. Any time that you upgrade from one major release of Shorewall to another, there may be minor manual changes required to your configuration.

For example, be sure to heed the warning about STARTUP_ENABLED in shorewall.conf; otherwise, Shorewall may not start at all, which would produce symptoms exactly as you describe.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jerry Vonau wrote:
> A shorewall status would be better
> http://www.shorewall.net/support.html
>
> Jerry

Hi Jerry

Here is shorewall status from after the upgrade.

I followed all the upgrade steps but the issue still remains.

Regards
Ray
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Jerry was asking for "shorewall status" output while you are running 2.2.5,
>> not 2.0.7.
>>
>
> You should also review the migration issues in the 2.2.5 release notes. Any
> time that you upgrade from one major release of Shorewall to another, there
> may be minor manual changes required to your configuration.
>
> For example, be sure to heed the warning about STARTUP_ENABLED in
> shorewall.conf; otherwise, Shorewall may not start at all which would
> produce symptoms exactly as you describe.
>
> -Tom

Hi Tom

Yup, I followed all the steps and STARTUP_ENABLED is set to yes, but the symptoms remain.

Regards
Ray
> Hi Jerry
>
> Here is shorewall status from after the upgrade.
>
> I followed all the upgrade steps but the issue still remains.
>
> Regards
> Ray
>

You're trying to masq the loc zone to net, right? Check the masq file; I can't find any masq chains in that status. If that is not the fix, I'd like to see all the config files.

Jerry
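Jerry's diagnosis above is the classic symptom of a missing masquerade rule: the firewall itself has a public address and works, but packets from the 192.168.1.0/24 LAN leave eth0 with a private source address, so upstream routers cannot return the replies. The check he did by eye on the status output can be automated against an `iptables-save -t nat` dump. The following is an added example written for this thread, not code from the thread or from the Shorewall project. The two nat-table dumps are constructed samples; the `eth0_masq` chain name and the masq file line `eth0  192.168.1.0/24` (INTERFACE then SUBNET column) follow Shorewall's documented conventions but are assumptions about what this particular box would generate.

```python
"""Check an iptables-save nat table for a MASQUERADE/SNAT rule that covers a
LAN subnet leaving through the external interface."""
import ipaddress
import re

# Constructed sample: nat table of a firewall whose /etc/shorewall/masq is
# empty after the upgrade. Nothing rewrites the LAN's private source address.
NAT_DUMP_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: same box after adding "eth0  192.168.1.0/24" to
# /etc/shorewall/masq. The per-interface chain name eth0_masq is an assumption
# based on Shorewall's naming convention.
NAT_DUMP_FIXED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)\s+(.*)$")
MATCH_OPTS = {"-i", "-o", "-s", "-d", "-p"}


def parse_nat(dump):
    """Return {chain: [(opts, target)]}; opts maps option -> (value, negated)."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):            # chain declaration, e.g. ":eth0_masq - [0:0]"
            chains.setdefault(line[1:].split()[0], [])
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, toks = m.group(1), m.group(2).split()
        opts, target, negate, i = {}, None, False, 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                  # "! -s 10.0.0.0/8" negates the next match
                negate, i = True, i + 1
            elif tok == "-j":
                target, i = toks[i + 1], i + 2
            elif tok in MATCH_OPTS:
                opts[tok] = (toks[i + 1], negate)
                negate, i = False, i + 2
            else:                           # unknown option: ignore it and its value
                i += 1
        chains.setdefault(chain, []).append((opts, target))
    return chains


def _applies(opts, lan, ext_iface):
    """Could every packet from lan leaving ext_iface match these options?"""
    if "-o" in opts:
        iface, neg = opts["-o"]
        if (iface == ext_iface) == neg:     # wrong interface, or excluded by "!"
            return False
    if "-s" in opts:
        src, neg = opts["-s"]
        net = ipaddress.ip_network(src, strict=False)
        if neg:
            if lan.overlaps(net):           # some LAN hosts would be excluded
                return False
        elif not lan.subnet_of(net):        # rule does not cover the whole LAN
            return False
    return True


def masq_covers(chains, lan_subnet, ext_iface, chain="POSTROUTING", seen=None):
    """Depth-first walk from POSTROUTING, following -j jumps into user chains,
    looking for a MASQUERADE or SNAT target that LAN traffic would reach."""
    lan = ipaddress.ip_network(lan_subnet)
    seen = set() if seen is None else seen
    if chain in seen:                       # constraints are fixed, so revisiting is pointless
        return False
    seen.add(chain)
    for opts, target in chains.get(chain, []):
        if not _applies(opts, lan, ext_iface):
            continue
        if target in ("MASQUERADE", "SNAT"):
            return True
        if target in chains and masq_covers(chains, lan_subnet, ext_iface, target, seen):
            return True
    return False


def diagnose(dump, lan_subnet, ext_iface):
    """Human-readable verdict for one LAN subnet and one external interface."""
    if masq_covers(parse_nat(dump), lan_subnet, ext_iface):
        return f"ok: {lan_subnet} is masqueraded out {ext_iface}"
    return (f"missing: no MASQUERADE/SNAT for {lan_subnet} via {ext_iface}; "
            "packets leave with a private source and replies cannot come back")


if __name__ == "__main__":
    print(diagnose(NAT_DUMP_BROKEN, "192.168.1.0/24", "eth0"))
    print(diagnose(NAT_DUMP_FIXED, "192.168.1.0/24", "eth0"))
```

On a live box the dump would come from `iptables-save -t nat`; the walk starts at POSTROUTING because that is where source NAT is applied, and it follows jumps so that Shorewall's per-interface chains are covered. Note that the VPN subnets routed via tun0 in the `ip route` output (10.8.0.0/24, 10.10.10.0/24) are a separate question: they are not masqueraded by a rule written only for 192.168.1.0/24, and the check reports that too.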
Hi Jerry

Yup, that was the problem. It is all working now. Thank you for your time and help.

Regards
Ray

Jerry Vonau wrote:
>> Hi Jerry
>>
>> Here is shorewall status from after the upgrade.
>>
>> I followed all the upgrade steps but the issue still remains.
>>
>> Regards
>> Ray
>>
>
> Your trying to masq the loc zone to net right? Check the masq file, I can't
> find any masq chains in that status. If that is not the fix, I'd like to see all the
> config files.
>
> Jerry