I have 7 stand-alone servers, all configured with Shorewall as a stand-alone application. They all work perfectly. I would like to activate the second NIC card in each server (static IP), hook them all up to a hub, and configure the second NICs for a private network. Even if I put in "loc allow all", or configure the "rules" and other statements/files and follow other suggestions/howtos, it seems to blow up on me. I would be most grateful if someone would throw me a bone.
> I have 7 stand-alone servers, all configured with Shorewall as a stand-alone
> application. They all work perfectly. I would like to activate the second
> NIC card in each server (static IP), hook them all up to a hub, and
> configure the second NICs for a private network. Even if I put in "loc allow
> all", or configure the "rules" and other statements/files and
> follow other suggestions/howtos, it seems to blow up on me. I would be
> most grateful if someone would throw me a bone.

How about a quick rundown of what you have configured now. A config file set from one of the running boxes would be helpful.

Jerry

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
What exactly are you trying to do? Connect to a LAN or backup network somehow? Without more info and just totally guessing, you probably need to create a policy like:

$FW loc ACCEPT

This just says that any traffic from the firewall to the local zone is allowed. You need to think of the firewall as its own zone. Otherwise, if you have a policy like

all all REJECT

and nothing allowing the firewall to "talk" to the loc zone, all the firewall traffic will get picked off by that policy. The policy above is most likely your last policy (as it should be), so check it out.

________________________________________
Chip Burke
________________________________________

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Wednesday, August 10, 2005 10:12 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Needed some suggestions

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Here is what I got.

http://www.nightowlsnetwork.net/images/network.jpg

And the Shorewall files follow:

/etc/shorewall/shorewall.conf: (default settings with the following exceptions)
IP_FORWARDING=Off
ADD_IP_ALIASES=No
ROUTE_FILTER=Yes
BLACKLISTNEWONLY=No

/etc/shorewall/interfaces:
net eth0 detect norfc1918,nobogons,blacklist,tcpflags,routeback,nosmurfs

/etc/shorewall/policy:
net all DROP info
$FW net ACCEPT

/etc/shorewall/rules:
AllowPing net fw
AllowSSH net fw
AllowDNS net fw
AllowFTP net fw
AllowWeb net fw
AllowSMTP net fw
AllowPOP3 net fw
AllowIMAP net fw
AllowNTP net fw
ACCEPT net fw tcp 10000 # Webmin
ACCEPT net fw tcp 19638 # Ensim

/etc/shorewall/zones:
net Net Internet

/etc/shorewall/routestopped:
eth0 xxx.xxx.xxx.xxx #(my ip addie is here)

Thanks for the help.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Wednesday, August 10, 2005 10:12 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Needed some suggestions
> Here is what I got.
>
> http://www.nightowlsnetwork.net/images/network.jpg
>
> And the Shorewall files follow:
>
> /etc/shorewall/shorewall.conf:
> (default settings with the following exceptions)
> IP_FORWARDING=Off
> ADD_IP_ALIASES=No
> ROUTE_FILTER=Yes
> BLACKLISTNEWONLY=No
>
> /etc/shorewall/interfaces:
> net eth0 detect norfc1918,nobogons,blacklist,tcpflags,routeback,nosmurfs

Add:

loc eth1 detect

> /etc/shorewall/policy:
> net all DROP info
> $FW net ACCEPT

Put the drop last:

$FW net ACCEPT
$FW loc ACCEPT
net all DROP info

> /etc/shorewall/rules:
> AllowPing net fw
> AllowSSH net fw
> AllowDNS net fw
> AllowFTP net fw
> AllowWeb net fw
> AllowSMTP net fw
> AllowPOP3 net fw
> AllowIMAP net fw
> AllowNTP net fw
> ACCEPT net fw tcp 10000 # Webmin
> ACCEPT net fw tcp 19638 # Ensim

Add your loc rules:

AllowPing loc fw
etc...

> /etc/shorewall/zones:
> net Net Internet

Add:

loc Loc Local

> /etc/shorewall/routestopped
> eth0 xxx.xxx.xxx.xxx #(my ip addie is here)
>
> Thanks for the help.

Remember that the FQDN still resolves to the public IP address; you may have to refer to the machines by their private IP address for traffic to use the private LAN.

Jerry
Cool... That must have been what I was doing wrong. I was not moving the "net all DROP info" to last place. No wonder it would work for about 10 seconds and then lock up like a big dog.

Thanks!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Wednesday, August 10, 2005 8:11 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Needed some suggestions
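Added example, not code from the thread or from the Shorewall project: a small Python model of the two points Jerry's reply turns on. First, a packet's zone is decided by the interface it uses (eth0 is "net", eth1 is "loc" per the posted interfaces file), so a peer reached through its public FQDN is "net" traffic even though the private hub exists. Second, /etc/shorewall/policy is first-match per (source, destination) zone pair, so the order of entries decides which one wins, and a pair no entry matches has no policy at all. The 192.168.10.0/24 hub network, the 203.0.113.x public addresses, the hostname and its DNS mapping are constructed assumptions. Running it over the policy file as posted and as Jerry rewrote it shows which zone pairs each version covers; the loc-to-fw and loc-to-net pairs are uncovered in both, which is why Shorewall's standard sample policy files end with an "all all REJECT info" catch-all as the last line.

```python
"""Which Shorewall policy applies to a packet leaving one of these servers?

Added example (not from the thread). Interfaces follow the posted config;
routes, addresses and the DNS entry are constructed for the demonstration.
"""
import ipaddress

FW = "fw"  # what $FW expands to (FW=fw is the shorewall.conf default)

# /etc/shorewall/interfaces as posted plus Jerry's addition: eth0 -> net, eth1 -> loc
INTERFACES = {"eth0": "net", "eth1": "loc"}

# Constructed routing table (assumption): private hub on 192.168.10.0/24 via
# eth1, everything else out the public interface eth0.
ROUTES = [
    ("192.168.10.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),
]

# Constructed DNS (assumption): the FQDN resolves to the public address,
# which is exactly the trap Jerry warns about.
DNS = {"server2.example.net": "203.0.113.12"}


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match over the routing table, as the kernel does it."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, dev in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def zone_for(dst):
    """Zone of a destination host, via the interface the packet leaves on."""
    return INTERFACES[egress_interface(dst)]


def parse_policy(text):
    """Read the SOURCE DEST POLICY columns; '#' comments and blank lines ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action = line.split()[:3]
        entries.append((src.replace("$FW", FW), dst.replace("$FW", FW), action))
    return entries


def effective_policy(entries, src, dst):
    """First matching entry wins; 'all' matches any zone, the firewall included."""
    for psrc, pdst, action in entries:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None  # no entry covers this zone pair at all


def uncovered_pairs(entries, zones=(FW, "net", "loc")):
    """Zone pairs the policy file leaves without any policy."""
    return sorted((s, d) for s in zones for d in zones
                  if s != d and effective_policy(entries, s, d) is None)


def fw_to_host(entries, host):
    """(zone, policy) for a connection from this firewall to a host or FQDN."""
    zone = zone_for(DNS.get(host, host))
    return zone, effective_policy(entries, FW, zone)


# The policy file as posted in the thread ...
POSTED = """
net   all   DROP    info
$FW   net   ACCEPT
"""
# ... and as Jerry suggested rewriting it.
REORDERED = """
$FW   net   ACCEPT
$FW   loc   ACCEPT
net   all   DROP    info
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        pol = parse_policy(text)
        print(f"[{name}] zone pairs with no policy: {uncovered_pairs(pol)}")
        for host in ("server2.example.net", "192.168.10.12"):
            zone, action = fw_to_host(pol, host)
            print(f"[{name}] fw -> {host}: zone={zone}, policy={action}")
```

The fw_to_host output is the check to run mentally before trusting a "loc" rule: reaching a neighbour by the name that resolves to its public address puts the connection in the net zone and out eth0, so only the private address actually exercises the loc policy and rules.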