I get the following message when shutting down my server:

ipt_owner: pid, sid and command matching is broken on SMP

this is a default installation on Mandriva 2006.0 (official), version 2.4.1

looking around in Google, I see no direct comments on this, only a couple of people asking questions that haven't been answered...

-- 
Thomas Leavitt -- thomasleavitt@hotmail.com, Sr. Systems Admin For Hire
Resume at http://www.thomasleavitt.org/personal/resume/
Wired since 1981. Internet-enabled since 1990. Web-enabled since 1993.
Older, wiser, and poorer, post-crash. :)

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions, and more.
http://solutions.newsforge.com/ibmarch.tmpl
On Monday 03 October 2005 11:23, Thomas Leavitt wrote:
> I get the following message when shutting down my server:
>
> ipt_owner: pid, sid and command matching is broken on SMP
>
> this is a default installation on Mandriva 2006.0 (official), version
> 2.4.1
>
> looking around in Google, I see no direct comments on this, only a couple
> of people asking questions that haven't been answered...

There are patches to remove sid/pid matching because it can't be fixed. It's not a shorewall issue. You might try a later version of your distro to see if it has these patches applied.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
Hi

I'm quite an amateur in networking and I got stuck with Shorewall...

The situation is as it is shown here: http://www.shorewall.net/Multiple_Zones.html#id2461220 (a router going to another network (other city) from the first local network). But a bit more difficult, because there is a router, then a modem, then the ISP's router, then another router in the other city...

I've added the routes to Mandriva, and the firewall computer now sees all the computers in the other city (192.168.1.*) and also the computers see the firewall, can download messages. BUT! They can't see out to the net, through the fw... No pinging/no web, nothing.

192.168.0.*, with 70 computers, is just fine, but 192.168.2.* addresses can't go to the net. Both systems are on eth0 and the net is on eth1.

I don't know what to do... Can you give me a detailed config "for dummies"? I did everything as on the URL above, but nothing changed (Mandriva 64 bit, Shorewall 2.4). I think I used the right route add parameters, because pinging is OK through the local net to the fw and fw to second local nw (after adding the routes). Or should I choose another gateway for the routes? Choosing the nearest router to the 168.2.* net, or choosing the nearest router to the firewall?

Thanks very much in advance!

--

And another one. Squid is just working fine, as a transparent proxy, on the 192.168.1.* network. But I want to Reject local to net connection, and then in rules, allow the web, ssh, ftp, etc (just to not let viruses, online radios, ... communicate), but if I do that and leave the redirect www 3128 setting on, no web connection is available. How should I configure it, to Reject every loc to net connection, get squid working, and AllowWeb (through Squid), AllowSSH, AllowPop3, ... ? (I probably think that the problem only consists in the no net issue)

Thanks very much!

Peter, from Hungary
----- Original Message -----
> Hi
> I'm quite an amateur in networking and I got stuck with Shorewall...
> The situation is as it is shown here
> http://www.shorewall.net/Multiple_Zones.html#id2461220
> (a router going to another network (other city) from the first local
> network)
> But a bit more difficult, because there is a router, then a modem, then the
> ISP's router, then another router in the other city...
> I've added the routes to Mandriva, and the firewall computer now sees all
> the computers in the other city (192.168.1.*) and also the computers see
> the firewall, can download messages.
> BUT! They can't see out to the net, through the fw... No pinging/no web,
> nothing.
> 192.168.0.*, with 70 computers is just fine, but 192.168.2.* addresses can't
> go to the net. Both systems are on eth0 and the net is on eth1.
> I don't know what to do... Can you give me a detailed config "for dummies"?
> I did everything as on the URL above, but nothing changed (Mandriva 64
> bit, Shorewall 2.4). I think I used the right route add parameters, because
> pinging is OK through the local net to the fw and fw to second local nw
> (after adding the routes). Or should I choose another gateway for the
> routes? Choosing the nearest router to the 168.2.* net, or choosing the
> nearest router to the firewall?
> Thanks very much in advance!
> --
> And another one. Squid is just working fine, as a transparent proxy, on the
> 192.168.1.* network. But I want to Reject local to net connection, and then
> in rules, allow the web, ssh, ftp, etc (just to not let viruses, online
> radios, ... communicate), but if I do that and leave the redirect www 3128
> setting on, no web connection is available. How should I configure it, to
> Reject every loc to net connection, get squid working, and AllowWeb (through
> Squid), AllowSSH, AllowPop3, ... ? (I probably think that the problem only
> consists in the no net issue)
>
> Thanks very much!
> Peter, from Hungary

Please forward the info as requested from: http://shorewall.net/support.htm. Please include your config files also.

Jerry
I haven't made any big modifications compared to the default (tried a lot of settings, but still not working, now everything is as it has to be configured for a two-interface firewall). (I can not post it right now because the server is now offline, some kilometres from me.)

The config in words: I have a net and local zone, on eth1 and eth0. Both of them are automatically seen. Now every loc to net is accepted, and net to loc is dropped. I can access pop3, smtp, ping, ssh from the net to the firewall. The www is redirected to squid (and working).

So the problem is how to add the 192.168.1.* addresses through the 192.168.0.254 gateway (with netmask 255.255.255.0). The 192.168.0.* addresses are working. And also the firewall and 1.* networks can ping.

If you still think that there is a need for the configs, I will post them on Thursday.

Thanks very much for your fast reply!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Monday, October 03, 2005 9:57 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Config
Thomas Leavitt wrote:
> I get the following message when shutting down my server:
>
> ipt_owner: pid, sid and command matching is broken on SMP
>

that's exactly the problem. ipt_owner is broken on SMP systems. not a shorewall problem. ;-)
----- Original Message -----
> I haven't made any big modifications compared to the default (tried a lot of
> settings, but still not working, now everything is as it has to be
> configured for a two-interface firewall). (I can not post it right now
> because the server is now offline, some kilometres from me.)
> The config in words:
> I have a net and local zone, on eth1 and eth0. Both of them are
> automatically seen. Now every loc to net is accepted, and net to loc is
> dropped. I can access pop3, smtp, ping, ssh from the net to the firewall. The
> www is redirected to squid (and working).

That's a good start.

> So the problem is how to add the 192.168.1.* addresses through the
> 192.168.0.254 gateway (with netmask 255.255.255.0). The 192.168.0.* addresses
> are working. And also the firewall and 1.* networks can ping.

This sounds more like a routing issue, that is why a "shorewall status" is needed. I could think of a few different ways this may be configured, all of which would work, and be correct in terms of using shorewall.

> If you still think that there is a need for the configs, I will post them
> on Thursday.
> Thanks very much for your fast reply!
>

Please do. We only know what your layout is like by the info you report. The more or better the info, the likelihood of your problem becoming resolved faster increases.

Jerry
Jerry Vonau wrote:
>
>> If you still think that there is a need for the configs, I will post them
>> on Thursday.
>> Thanks very much for your fast reply!
>>
> Please do. We only know what your layout is like by the info you report.
> The more or better the info, the likelihood of your problem becoming
> resolved faster increases.
>

And please let us know if the systems in the remote city can ping the IP address of your firewall's *external* interface. That will tell us a lot about the routing that you have set up on systems other than the firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi

I'm starting from scratch and not doing so great. I'm putting Bering-uClibc 2.3 on a Dell Dimension 4400. I've successfully downloaded and booted off the image. My problem now is that I'm not seeing the network card at all. I'm wondering if someone can point me to the right module? I was hoping it would be one of the included ones. Is there anything else I have to do other than add the module to /lib/modules?

--jsl
Julie S. Lin wrote:
> Hi
>
> I'm starting from scratch and not doing so great. I'm putting Bering-uClibc
> 2.3 on a Dell Dimension 4400. I've successfully downloaded and booted off the
> image. My problem now is that I'm not seeing the network card at all. I'm
> wondering if someone can point me to the right module? I was hoping it would
> be one of the included ones. Is there anything else I have to do
> other than add the module to /lib/modules?

Julie,

I think you also confused about which list can help you with this problem. You would be much better off posting to leaf-user@lists.sourceforge.net with your Bering-uClibc questions. This list only covers Shorewall which has nothing to do with network interface drivers.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> I think you also confused about which list can help you with this
>

I really *am* a native English speaker -- that of course should have read "I think that you are also confused..."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello Guys!

(I posted this message already 1.5 hours ago, but I hadn't added the jpg to the tar, I hope you won't receive it twice.)

After one day of hard work again, nothing improved...

Lanj.jpg: The 'map' of the network. A bit strange for me, but it is not my task and I can't change anything in it. There is an old firewall (without Shorewall); resolv.conf, hosts, ifcfg-eth0 and eth1 are the same on the new one also. And the output of route also.

The output of route is:

192.168.2.0     *               255.255.255.0   U    10  0  0  eth1
192.168.1.0     192.168.0.254   255.255.255.0   UG   10  0  0  eth0
192.168.0.0     *               255.255.255.0   U    10  0  0  eth0
default         192.168.2.1     0.0.0.0         UG   10  0  0  eth1

192.168.0.0/16 is the local network, everything is fine on it. 192.168.1.0/16 is the other city's network. I can ping from the firewall to it and that city's network can only ping the firewall's eth0 (local) interface. I can not ping the external interface (eth1). Maybe it is because ping is rejected in rules, but I think only from the net, not from local. So I guess local to firewall external IP ping is also treated to be loc to fw and it is accepted.

I can reach the Intranet webpage on the inner IP address from the other city, and that can't be reached from the internet, as shorewall setup says. It seems to be working, because if I try to reach it via the external IP from the local city's network, shorewall gives an error. That's why I am guessing that the other city's network is also treated to be local, not 'no zone'. But just a guess, I am not sure...

So, the config files:

Interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS               GATEWAY
net     eth1        detect
loc     eth0        detect      newnotsyn,routeback
# also tried to modify the broadcast to 196.168.255.255 and to 192.168.0.255,192.168.1.255 but nothing changed

Policy:
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       fw     ACCEPT
fw        loc    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

Rules:
REDIRECT   loc   3128   tcp    www                  -
ACCEPT     net   fw     tcp    22,25,109,110,143
REJECT     net   fw     icmp   8                    -
ACCEPT     net   fw     tcp    17895

The tar.gz file contains the output of ifconfig and the Shorewall status.

I have no guess what to do... The older firewall is working, so though the network is a bit dizzy for me, it must be a firewall setting somewhere... It is driving me mad... I also can instantly change the two firewalls without resetting a router, or something like this in the local city, so I don't think I should restart a router, or something like this.

I worked with the linux server 30 hours last weekend (only on the location, now I have more than 120 hours in it for the last 2 weeks and I also had to study... ;) I am becoming exhausted ;) ), became really happy when everything worked (I only checked the first city, me amateur... ;) ) then this happened... No guess how to get this working...

Thank you very much in advance!
----- Original Message -----
<snip>
> The output of route is:
> 192.168.2.0     *               255.255.255.0   U    10  0  0  eth1
> 192.168.1.0     192.168.0.254   255.255.255.0   UG   10  0  0  eth0
> 192.168.0.0     *               255.255.255.0   U    10  0  0  eth0
> default         192.168.2.1     0.0.0.0         UG   10  0  0  eth1
>
> 192.168.0.0/16 is the local network, everything is fine on it.
> 192.168.1.0/16 is the other city's network. I can ping from the firewall to
> it and that city's network can only ping the firewall's eth0 (local)
> interface. I can not ping the external interface (eth1).

Just trying to get a handle on how the ciscos (routed or bridged?) and the remote lan (what gateway is the remote lan using?) are configured. You can ping all the hosts on 192.168.1.0/24 from any machine on the 192.168.0.0/24 network or just from the firewall? Can a client in the remote city ping anything else on the 192.168.0.0/24 network other than the firewall?

> Maybe it is because
> ping is rejected in rules, but I think only from the net, not from local. So
> I guess local to firewall external IP ping is also treated to be loc to fw
> and it is accepted.

Yes, all the interfaces on the firewall are part of the 'fw' zone.

> I can reach the Intranet webpage on the inner IP address from the other
> city, and that can't be reached from the internet, as shorewall setup says.

Just to clarify, the webpage is on the firewall or some other box on 192.168.0.X?

> It seems to be working, because if I try to reach it via the external IP
> from the local city's network, shorewall gives an error. That's why I am
> guessing that the other city's network is also treated to be local, not 'no
> zone'. But just a guess, I am not sure...

Yes, all traffic on eth0 would be considered to be in the 'loc' zone.

<snip>
>
> I have no guess what to do...
> The older firewall is working, so though the network is a bit dizzy for me,
> it must be a firewall setting somewhere... It is driving me mad...

What does "cat /proc/sys/net/ipv4/conf/eth0/send_redirects" return?

The routing table from the old firewall may be of some help here. Just need to get a better understanding of what is working and what doesn't, and just how everything is set up.

Jerry
Kortvelyesi Peter wrote:
> The older firewall is working, so though the network is a bit dizzy for me,
> it must be a firewall setting somewhere... It is driving me mad... I also
> can instantly change the two firewalls without resetting a router, or
> something like this in the local city, so I don't think I should restart a
> router, or something like this.

Does the older firewall also have internal IP address 192.168.0.10?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello Jerry!

Thanks for the reply!

> Just trying to get a handle on how the ciscos (routed or bridged?) and the
> remote lan (what gateway is the remote lan using?) are configured. You can
> ping all the hosts on 192.168.1.0/24 from any machine on the 192.168.0.0/24
> network or just from the firewall? Can a client in the remote city ping
> anything else on the 192.168.0.0/24 network other than the firewall?

Both cities' network clients can ping each other! There is a working lan among them, all of the clients (on both networks) can reach a windows data server, so if I plug out the firewall, there will be no internet connection but the local network will be still available (a router is responsible for the dhcp).

> Just to clarify, the webpage is on the firewall or some other box on
> 192.168.0.X?

It is on the firewall. And if I use the internal IP of the fw from the other city's network it can reach the webpage. That's why I was guessing that Shorewall doesn't treat the 192.168.1.0/24 network as net, because then it would drop the request (port 80 is not allowed for net to fw). Or it is just because every address is treated to be local which comes from eth0 (local). And when 192.168.1.0/24 wants to reach the net it is stopped somewhere, somehow... That network can't see the external IP of the fw also.

> What does "cat /proc/sys/net/ipv4/conf/eth0/send_redirects" return?
> The routing table from the old firewall may be of some help here.

Unfortunately, I can't really check it now. What do you think, is it a shorewall setting, or something other than it? Which files should I check on the old firewall? The mentioned files in my last mail are the same. It is interesting that the broadcast for eth0 (loc) in the ifcfg file is 192.168.0.255. (but it should not be the problem, because the router to the other city is 192.168.0.254, and I also tried to modify it)

> Just need to get a better understanding of what is working and what
> doesn't, and just how everything is set up.
> Does the older firewall also have internal IP address 192.168.0.10?

Yes

I was also thinking of some kind of 'latency' because of changing the fwalls, but I can't really imagine it, because the local city's internet connection is working instantly, and the other cities can reach the internal IP also, but not the external.
Kortvelyesi Peter wrote:
>> Does the older firewall also have internal IP address 192.168.0.10?
>
> Yes
>
> I was also thinking of some kind of 'latency' because of changing the
> fwalls, but I can't really imagine it, because the local city's internet
> connection is working instantly, and the other cities can reach the internal
> IP also, but not the external.
>

Here's a test that I would like you to perform:

a) "shorewall clear"
b) Ping 192.168.2.2 from another city -- verify that the ping still fails.
c) While pinging from another city, on the firewall run "tcpdump -nei eth0". Do you see the ICMP type 8s (echo-request)? Is the link level destination address correct (00:11:d8:cd:6c:c3)?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Kortvelyesi Peter wrote:
>>> Does the older firewall also have internal IP address 192.168.0.10?
>> Yes
>>
>> I was also thinking of some kind of 'latency' because of changing the
>> fwalls, but I can't really imagine it, because the local city's internet
>> connection is working instantly, and the other cities can reach the internal
>> IP also, but not the external.
>>
>
> Here's a test that I would like you to perform:
>
> a) "shorewall clear"
> b) Ping 192.168.2.2 from another city -- verify that the ping still fails.
> c) While pinging from another city, on the firewall run "tcpdump -nei
> eth0".

You might want to make that "tcpdump -nei eth0 icmp" to cut down on the amount of traffic you capture.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Thank you Tom for your help!

I've found in my shorewall status (pinging yesterday):

icmp 1 14 src=192.168.1.33 dst=192.168.2.1 type=8 code=0 id=512 packets=4 bytes=240 [UNREPLIED] src=192.168.2.1 dst=192.168.1.33 type=0 code=0 id=512 packets=0 bytes=0 mark=0 use=1 rate=0

I think that gives the answer to your question (I can't reach the server now, it is offline and not at my location). I always restarted shorewall after modifications, sometimes also rebooted the system or restarted the net.

I was thinking a lot, and can not understand... Because if I can ping from the firewall and to the firewall from the 2nd city, that means the routes are known, but as it says, the requests which want to go through the internal interface are [UNREPLIED].

Also some lines that could be meaningful, from shorewall status (that I included yesterday):

ARP
? (192.168.0.42) at 00:05:5D:DC:CD:FA [ether] on eth0
...
? (192.168.2.1) at 00:09:43:8D:92:49 [ether] on eth1
...
? (192.168.1.33) at 00:0B:46:66:C2:23 [ether] on eth0
...

udp 17 24 src=192.168.1.73 dst=213.163.0.65 sport=1055 dport=53 packets=84 bytes=5372 [UNREPLIED] src=213.163.0.65 dst=192.168.1.73 sport=53 dport=1055 packets=0 bytes=0 mark=0 use=2 rate=10

(the 213.163.0.65 is the DNS server)

Table main:
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.2 metric 10
192.168.1.0/24 via 192.168.0.254 dev eth0 metric 10
Also in my included shorewall status, it seems interesting to me that 192.168.1.0/24 doesn't seem to be in Table local. Or is it enough if it is in Table main? (sorry for posting that much, but I think it maybe helps. And I am really glad that you spend your free time helping me, so thanks very much again!)

Table default:

Table local:
broadcast 192.168.0.255 dev eth0 proto kernel scope link src 192.168.0.10
broadcast 192.168.2.255 dev eth1 proto kernel scope link src 192.168.2.2
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.0.10 dev eth0 proto kernel scope host src 192.168.0.10
broadcast 192.168.0.0 dev eth0 proto kernel scope link src 192.168.0.10
broadcast 192.168.2.0 dev eth1 proto kernel scope link src 192.168.2.2
local 192.168.2.2 dev eth1 proto kernel scope host src 192.168.2.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.2 metric 10
192.168.1.0/24 dev eth0 scope link
192.168.1.0/24 via 192.168.0.254 dev eth0 metric 10
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10 metric 10
default via 192.168.2.1 dev eth1 metric 10
Kortvelyesi Peter wrote:
> Thank you Tom for your help!
>
> I've found in my shorewall status (pinging yesterday):
>
> icmp 1 14 src=192.168.1.33 dst=192.168.2.1 type=8 code=0 id=512
> packets=4 bytes=240 [UNREPLIED] src=192.168.2.1 dst=192.168.1.33
> type=0 code=0 id=512 packets=0 bytes=0 mark=0 use=1 rate=0
>

Your /etc/shorewall/masq file is wrong! It looks like you have:

eth1   192.168.0.0/24
eth1   192.168.0.0/24

You need:

eth1   192.168.0.0/24
eth1   192.168.2.0/24

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Do you think that is the only problem? I would be so happy ;)

So eth1 is my outgoing connection and I should masquerade 0.0 and 2.0 (the other city's network is 1.0, didn't you mean 1.0/24 instead of 2.0/24?)

Thanks very much!!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, October 07, 2005 7:22 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Config
Kortvelyesi Peter wrote:
> Do you think that is the only problem? I would be so happy ;)
> So eth1 is my outgoing connection and I should masquerade 0.0 and 2.0 (the
> other city's network is 1.0, didn't you mean 1.0/24 instead of 2.0/24?)

Yes -- sorry.

> Thanks very much!!
>

Yes -- the problem is that 192.168.2.1 doesn't know how to route reply packets to 192.168.1.*. The conntrack entry you posted indicates that the 'echo-request' packet had been sent to 192.168.2.1 but no reply had been received (because 192.168.2.1 was sending the reply out to the Internet rather than back to your firewall).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
So it will be good also:

#INTERFACE   SUBNET   ADDRESS
eth1         eth0

Am I right (eth1 is net, eth0 is local)?

---

Another issue (if you are not fed up with me yet ;) ): As you have seen, Squid is working as a transparent proxy. If I say loc net REJECT in policies, and then leave the redirect 3128 www on and say AllowWeb, AllowSSH, ... loc to net in rules, then no web connection is available! What can I do in that situation?
Kortvelyesi Peter wrote:
> So it will be good also:
> #INTERFACE   SUBNET   ADDRESS
> eth1         eth0
> Am I right (eth1 is net, eth0 is local)?

That will work provided that the route to 192.168.1.0/24 is in place when Shorewall starts. Shorewall needs to decode the routing table to build the list of networks to be masqueraded.

> ---
> Another issue (if you are not fed up with me yet ;) ):
> As you have seen, Squid is working as a transparent proxy.
> If I say loc net REJECT in policies, and then leave the redirect 3128
> www on and say AllowWeb, AllowSSH, ... loc to net in rules, then no web
> connection is available!
> What can I do in that situation?

Sounds like a DNS problem. Where is the DNS server that the local systems use -- the clients need to be able to communicate with that server and the server needs access to the internet.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
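An added checker, not code from this thread or from Shorewall, that turns Tom's two points into something a reader can run: it expands a masq file the way he describes (a SUBNET column naming an interface is taken from the routing table, so that route must exist first), then walks conntrack lines like the ones Peter pasted and flags [UNREPLIED] flows whose private source is not masqueraded on the interface it leaves by. The routing table, the three masq variants and the conntrack lines are constructed from the values posted above; the interface-name expansion is a simplified reading of Shorewall's behaviour, written for this example only.

```python
import ipaddress
import re

# Constructed sample data modelled on what was posted in this thread, not the
# poster's real files.  Routing table in "ip route" format:
ROUTING_TABLE = """\
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.2 metric 10
192.168.1.0/24 via 192.168.0.254 dev eth0 metric 10
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10 metric 10
default via 192.168.2.1 dev eth1 metric 10
"""
# /etc/shorewall/masq as Tom guessed it (second line duplicated by mistake):
MASQ_BROKEN = """\
#INTERFACE  SUBNET          ADDRESS
eth1        192.168.0.0/24
eth1        192.168.0.0/24
"""
# The corrected file: the remote city's network is masqueraded as well.
MASQ_FIXED = """\
#INTERFACE  SUBNET          ADDRESS
eth1        192.168.0.0/24
eth1        192.168.1.0/24
"""
# The shorthand Peter asked about: every network routed behind eth0.
MASQ_BY_INTERFACE = """\
#INTERFACE  SUBNET          ADDRESS
eth1        eth0
"""
# Conntrack lines as "shorewall status" prints them: the first two are from
# the thread, the third is a constructed flow that was masqueraded correctly.
CONNTRACK = """\
icmp 1 14 src=192.168.1.33 dst=192.168.2.1 type=8 code=0 id=512 packets=4 bytes=240 [UNREPLIED] src=192.168.2.1 dst=192.168.1.33 type=0 code=0 id=512 packets=0 bytes=0 mark=0 use=1 rate=0
udp 17 24 src=192.168.1.73 dst=213.163.0.65 sport=1055 dport=53 packets=84 bytes=5372 [UNREPLIED] src=213.163.0.65 dst=192.168.1.73 sport=53 dport=1055 packets=0 bytes=0 mark=0 use=2 rate=10
tcp 6 431999 ESTABLISHED src=192.168.0.42 dst=213.163.0.65 sport=1034 dport=80 packets=10 bytes=900 src=213.163.0.65 dst=192.168.2.2 sport=80 dport=1034 packets=8 bytes=700 [ASSURED] mark=0 use=1
"""


def parse_routes(text):
    """Return ([(network, device), ...], default_device) from ip-route output."""
    routes, default_dev = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1]
        if parts[0] == "default":
            default_dev = dev
        else:
            routes.append((ipaddress.ip_network(parts[0], strict=False), dev))
    return routes, default_dev


def egress_device(dst, routes, default_dev):
    """Longest-prefix match: the interface a packet to `dst` leaves on."""
    matches = [(net.prefixlen, dev) for net, dev in routes if dst in net]
    return max(matches)[1] if matches else default_dev


def parse_masq(text, routes):
    """Expand a masq file into {egress_interface: [networks]}.

    A SUBNET column naming an interface is expanded to every network routed
    through it, which is why the route to 192.168.1.0/24 must exist before
    Shorewall starts (simplified reading of Shorewall, for this example).
    """
    masq = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface, subnet = line.split()[:2]
        if re.fullmatch(r"[a-z]+\d+", subnet):  # an interface name such as eth0
            nets = [net for net, dev in routes if dev == subnet]
        else:
            nets = [ipaddress.ip_network(subnet, strict=False)]
        masq.setdefault(iface, []).extend(nets)
    return masq


def audit(conntrack_text, masq_text, routing_text):
    """Flag [UNREPLIED] flows whose private source is not masqueraded on egress.

    Returns sorted (source_ip, egress_interface) pairs.  Unreplied flows can
    have other causes, but together with a missing masq entry this is the
    symptom in the thread: the reply is addressed to 192.168.1.x, which the
    upstream router 192.168.2.1 cannot route back through the firewall.
    """
    routes, default_dev = parse_routes(routing_text)
    masq = parse_masq(masq_text, routes)
    findings = set()
    for line in conntrack_text.splitlines():
        pairs = re.findall(r"src=(\S+) dst=(\S+)", line)
        if not pairs:
            continue
        src, dst = map(ipaddress.ip_address, pairs[0])  # original direction
        if not src.is_private:
            continue
        egress = egress_device(dst, routes, default_dev)
        covered = any(src in net for net in masq.get(egress, []))
        if "[UNREPLIED]" in line and not covered:
            findings.add((str(src), egress))
    return sorted(findings)
```

Running `audit(CONNTRACK, MASQ_BROKEN, ROUTING_TABLE)` reports both 192.168.1.x sources on eth1, including the unanswered DNS query to 213.163.0.65; with MASQ_FIXED or the `eth1 eth0` shorthand it reports nothing.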
Ok, I will use that setting, thank you Tom! Probably it was the wrong setting, and then 2 miserable weeks are over... ;)

So, the situation for Squid; I haven't given some info, sorry! Squid is up and working really fine (after some days). It is set to be transparent, and now the policy of Shorewall says that local to net is accepted for every port. But I would like to set local to net to be rejected and then in rules I would like to decide which ports to let through. So I have added some rules like AllowWeb, AllowSSH and then the rule to redirect web requests to the 3128 Squid port. And after that, no web connection is available from the local network (if in policies every loc to net is accepted, it is working and Squid is also working transparently).

You have said DNS; it is outside the local network (the ISP's - another dizzy thing in the network, I think). So maybe the solution is to add an AllowDNS rule also, and if I say in policy loc to net reject, then in rules AllowDNS, AllowWeb from loc to net and then the redirect to Squid rule. Will it work then?
Kortvelyesi Peter wrote:
>
> But I would like to set local to net to be rejected and then in rules I
> would like to decide which ports to let through. So I have added some rules
> like AllowWeb, AllowSSH and then the rule to redirect web requests to the 3128
> Squid port.

Peter -- http://www.shorewall.net/Shorewall_Squid_Usage.html gives you the rules that you need. If you want to use actions, in addition to the REDIRECT rule you need:

AllowWeb fw net

AND THAT IS ALL! In particular, you do NOT need:

AllowWeb loc net

So if changing the loc->net policy stops Web access from working, it *must be some traffic that goes from loc->net* that is being blocked. And furthermore, all you have to do is *look at your log* to see what traffic Shorewall is causing to be blocked. And it's probably DNS (UDP with destination port 53) which can be allowed using:

AllowDNS loc net

-Tom
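Tom's advice to look at the log for what loc->net traffic is being blocked, as a small added script (not from the thread or the Shorewall project): it summarises Shorewall REJECT/DROP kernel log lines by chain, protocol and destination port so that a pattern such as "loc2net UDP 53" stands out. The log lines are constructed for the example; the "Shorewall:" prefix, the loc2net chain name and the PROTO=/DPT= fields follow the default Shorewall logging format.

```shell
#!/bin/sh
# Constructed sample log lines (not taken from the thread). On a real system
# the input is /var/log/messages after setting the loc->net policy to "REJECT info".
sample_log() {
cat <<'EOF'
Oct  7 20:01:02 fw kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.15 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=1034 DPT=53 LEN=40
Oct  7 20:01:03 fw kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.22 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=1055 DPT=53 LEN=40
Oct  7 20:01:05 fw kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.15 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=2201 DPT=443 WINDOW=5840 SYN
Oct  7 20:01:07 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=198.51.100.77 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN
EOF
}

# Print "chain proto dport count" for every rejected or dropped flow in the
# given log file(s) or on stdin, most frequent first.
blocked_summary() {
  awk '
    /Shorewall:[a-z0-9]+:(REJECT|DROP):/ {
      # "Shorewall:loc2net:REJECT:IN=..." -> chain = loc2net
      split($0, m, "Shorewall:"); split(m[2], f, ":"); chain = f[1]
      proto = "?"; dport = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dport = substr($i, 5)
      }
      n[chain " " proto " " dport]++
    }
    END { for (k in n) print k, n[k] }
  ' "$@" | sort -k4,4nr -k1,1
}
```

Run it as `sample_log | blocked_summary` (or `blocked_summary /var/log/messages`); the top line is the flow to allow first, here DNS from loc to net.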