I must be thinking incorrectly, but when I start shorewall I can't access the internet on my server, and also it seems like my firewall is not blocking any ports on eth1. Below is how it is set up. This is a VM machine, so eth0 is NAT to the local internal LAN, so I want full access on eth0, and eth1 is the external Internet line. Thanks for any help.

-----------Interfaces---------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      tcpflags
net     eth1        detect      routefilter,norfc1918,tcpflags

--------Policy-----------
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       loc    ACCEPT
net       fw     ACCEPT
loc       fw     ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
On Friday 21 October 2005 08:03, Eric H. wrote:

> I must be thinking incorrectly but when I start
> shorewall I can't access the internet on my server and
> also it seems like my firewall is not blocking any
> ports on eth1. Below is how it is setup. This is VM
> machine so eth0 is nat to local internal lan so I want
> full access on eth0 and eth1 is External Internet
> line. Thanks for any help
>
> -----------Interfaces---------------------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      tcpflags
> net     eth1        detect      routefilter,norfc1918,tcpflags
>
> --------Policy-----------
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> net       loc    ACCEPT
> net       fw     ACCEPT
> loc       fw     ACCEPT

Unfortunately there is nothing in your post that will allow us to help you. To make matters worse, you have added several permissive policies above in a misguided attempt to "make it work". That prevents the logging policies below from being able to log information that might help you solve your problem.

> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw       net    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info

I recommend that you:

a) Include only the policies that you want in your final configuration.

b) Follow the instructions at http://www.shorewall.net/support.htm for gathering the information that we need to be able to diagnose your problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
As Tom already pointed out, your provided information isn't sufficient and may be misleading as to what you actually want. Anyway, here is a shot at it...

> I must be thinking incorrectly but when I start
> shorewall I can't access the internet on my server and
> also it seems like my firewall is not blocking any
> ports on eth1. Below is how it is setup. This is VM
> machine so eth0 is nat to local internal lan so I want
> full access on eth0 and eth1 is External Internet
> line. Thanks for any help

If I got that right, two of your issues are: the firewall is not blocking any ports from the Internet (eth1), and you can't access the net from your firewall. Well, how possibly could it?

> -----------Interfaces---------------------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      tcpflags
> net     eth1        detect      routefilter,norfc1918,tcpflags
>
> --------Policy-----------
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> net       loc    ACCEPT
> net       fw     ACCEPT

You're allowing all traffic from the net to your firewall. So this sure will not block anything.

> loc       fw     ACCEPT
>
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw       net    ACCEPT

You did not uncomment this line, which clearly states that it will allow access to the net from your firewall.

> net       all    DROP     info

net2fw and net2loc are already explicitly ACCEPTed. So this line effectively is useless in your case.

> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info

I'd start *fresh* and think about the policies and rules that should be accomplished first. The above very likely is not it. You probably should read the documentation at shorewall.net carefully again (you did do this already, right?) and follow one of the QuickStart Guides.

Karsten
--
Davision - Atelier for Design / Internet / Multimedia
UNIX / Linux networks and training
Telephone 06151/273859  Fax 06151/273862
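Both replies come down to one property of /etc/shorewall/policy: it is evaluated top to bottom per (source zone, destination zone) pair and the first matching line wins, so the "net all DROP info" line never fires when "net fw ACCEPT" and "net loc ACCEPT" sit above it, and the commented "fw net ACCEPT" leaves fw->net falling through to the final REJECT. The checker below is an added example, not code from the thread or from the Shorewall project. It assumes those documented first-match semantics, that "all" matches any zone, that the firewall zone is named "fw" as in the poster's file, and it skips intra-zone pairs for simplicity. The two policy texts inside it are constructed: the first is the poster's file as quoted above, the second is the fix the replies point at (the two net->* ACCEPT lines removed and fw->net uncommented), which is an assumption about what the poster wanted, not a configuration from the thread.

```python
"""Find Shorewall policy lines that first-match ordering makes dead.

Added example, not code from the thread or from the Shorewall project.
Assumed semantics for /etc/shorewall/policy: lines are tried top to bottom
for each (source zone, destination zone) pair, the first match wins, and
"all" matches any zone. Intra-zone pairs are skipped for simplicity.
"""
from typing import Dict, List, Tuple

ZONES = ["fw", "loc", "net"]  # zones used in the thread (assumed zones file)

# The poster's policy file, transcribed from the thread (constructed input).
ORIGINAL_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
net      loc   ACCEPT
net      fw    ACCEPT
loc      fw    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw      net   ACCEPT
net      all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all      all   REJECT  info
"""

# Assumed fix suggested by the replies: remove the two net->* ACCEPTs and
# uncomment fw->net, so the logging DROP for the net zone is actually reached.
CORRECTED_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
loc      fw    ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

Entry = Tuple[str, str, str, str]  # (source, dest, policy, log level)


def parse_policy(text: str) -> List[Entry]:
    """Return the active policy lines; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        level = fields[3] if len(fields) > 3 else "-"  # "-" means no logging
        entries.append((fields[0], fields[1], fields[2].upper(), level))
    return entries


def effective_policies(entries: List[Entry], zones=ZONES) -> Dict[Tuple[str, str], Tuple[int, str, str]]:
    """Map each zone pair to (index of the first matching line, policy, log level)."""
    result: Dict[Tuple[str, str], Tuple[int, str, str]] = {}
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            for idx, (s, d, policy, level) in enumerate(entries):
                if s in (src, "all") and d in (dst, "all"):
                    result[(src, dst)] = (idx, policy, level)
                    break  # first match wins; later lines are irrelevant for this pair
    return result


def shadowed_lines(entries: List[Entry], zones=ZONES) -> List[int]:
    """Indices of lines that no zone pair ever reaches: dead under first-match evaluation."""
    used = {idx for idx, _, _ in effective_policies(entries, zones).values()}
    return [i for i in range(len(entries)) if i not in used]


def report(text: str) -> List[str]:
    """Human-readable summary: effective policy per pair plus any shadowed lines."""
    entries = parse_policy(text)
    lines = [f"{s}->{d}: {p} (line {i}, log {lvl})"
             for (s, d), (i, p, lvl) in sorted(effective_policies(entries).items())]
    for i in shadowed_lines(entries):
        s, d, p, _ = entries[i]
        lines.append(f"shadowed: line {i} '{s} {d} {p}' is never reached")
    return lines


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"== {name} ==")
        print("\n".join(report(text)))
```

Run on the poster's file, the report shows net->fw resolved by the ACCEPT on line 2 (nothing from the Internet is blocked), fw->net resolved by the final REJECT on line 5 (the firewall cannot reach the Internet), and the "net all DROP" line flagged as shadowed, which is exactly what Karsten describes. On the corrected file no line is shadowed and every net->* pair lands on the logging DROP, so the logs become useful for the kind of diagnosis Tom asks for. Shorewall's own "shorewall check" validates syntax but does not point out dead policy lines, which is why a pass like this is worth running before asking a list for help.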