Hi,

I'm having some problems with connection from the firewall to the net. I think my bridge is configured correctly since connection loc->net works and when I clear shorewall settings fw->net works as well. I tried to search this list and web and I read docs, but just can't find a solution. Here are my config files:

shorewall.conf has BRIDGING=Yes

policy:
$FW   all   ACCEPT
loc   all   ACCEPT
net   all   DROP     info
all   all   REJECT   info

rules: no rules since policy is basically set to accept all

hosts:
loc   br0:eth0
net   br0:eth1

interfaces:
-   br0   192.168.254.255

zones:
fw    firewall
net   ipv4
loc   ipv4

routestopped:
br0   192.168.254.0/24   routeback

Thanks,
Pawel
On Wednesday 15 March 2006 06:22, Art Crazy wrote:
> Hi,
> I'm having some problems with connection from the firewall to the net. I
> think my bridge is configured correctly since connection loc->net works and
> when I clear shorewall settings fw->net works as well. I tried to search
> this list and web and I read docs, but just can't find a solution. Here are
> my config files: shorewall.conf has BRIDGING=Yes
> policy:
> $FW all ACCEPT
> loc all ACCEPT
> net all DROP info
> all all REJECT info
> rules: no rules since policy is basically set to accept all
> hosts:
> loc br0:eth0
> net br0:eth1
> interfaces:
> - br0 192.168.254.255
> zones:
> fw firewall
> net ipv4
> loc ipv4
> routestopped:
> br0 192.168.254.0/24 routeback

Please give us the information we ask for at
http://www.shorewall.net/support.htm (3.0) or
http://www.shorewall.net/2.0/support.htm (2.x).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 15 March 2006 08:05, Tom Eastep wrote:
> On Wednesday 15 March 2006 06:22, Art Crazy wrote:
> > Hi,
> > I'm having some problems with connection from the firewall to the net. I
> > think my bridge is configured correctly since connection loc->net works
> > and when I clear shorewall settings fw->net works as well. I tried to
> > search this list and web and I read docs, but just can't find a solution.
> > Here are my config files: shorewall.conf has BRIDGING=Yes
>
> ---
>
> Please give us the information we ask for at
> http://www.shorewall.net/support.htm (3.0) or
> http://www.shorewall.net/2.0/support.htm (2.x).

Before that though, you might look at your log(s) -- if clearing Shorewall
allows traffic to flow then it is virtually certain that there are Shorewall
log messages describing the rejected/dropped packets.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi,

I'm quite new to linux etc, so I'm not sure if I looked in all the right places, anyway "messages" shows nothing, well it shows this:

Mar 15 17:53:46 mainserver root: Shorewall Started
Mar 15 17:57:10 mainserver root: Shorewall Stopped
Mar 15 17:57:10 mainserver root: Shorewall Cleared

For those 4 minutes I opened firefox and tried to connect to google.com, status was "looking up www...." and nothing. After I cleared shorewall, well I'm writing this e-mail. Anyway, I did the "shorewall dump" and I'm attaching the output file. I really don't know what I'm doing wrong; if you need anything else...

Thank you,
Pawel

-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Date: Wed, 15 Mar 2006 12:15:15 -0800
Subject: Re: [Shorewall-users] Bridge - no connection from fw to net

Before that though, you might look at your log(s) -- if clearing Shorewall
allows traffic to flow then it is virtually certain that there are Shorewall
log messages describing the rejected/dropped packets.

-Tom
On Wednesday 15 March 2006 16:13, Art Crazy wrote:
> Hi,
> I'm quite new to linux etc, so I'm not sure if I looked in all the right
> places, anyway "messages" shows nothing, well it shows this:
> Mar 15 17:53:46 mainserver root: Shorewall Started
> Mar 15 17:57:10 mainserver root: Shorewall Stopped
> Mar 15 17:57:10 mainserver root: Shorewall Cleared
>
> For those 4 minutes I opened firefox and tried to connect to google.com,
> status was "looking up www...." and nothing. After I cleared shorewall,
> well I'm writing this e-mail. Anyway, I did the "shorewall dump" and I'm
> attaching the output file. I really don't know what I'm doing wrong; if you
> need anything else...

What distribution are you running here? Your netfilter bridging/conntrack
support looks very broken. When you start Shorewall, DNS lookup requests are
being passed from the firewall to the 'net' zone but when the replies return
they are not recognized as being associated with the outgoing request; as a
consequence, they are being (silently) dropped as 'late' DNS responses.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
It's Fedora4

-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Date: Wed, 15 Mar 2006 17:02:48 -0800
Subject: Re: [Shorewall-users] Bridge - no connection from fw to net

What distribution are you running here? Your netfilter bridging/conntrack
support looks very broken. When you start Shorewall, DNS lookup requests are
being passed from the firewall to the 'net' zone but when the replies return
they are not recognized as being associated with the outgoing request; as a
consequence, they are being (silently) dropped as 'late' DNS responses.

-Tom
On Wednesday 15 March 2006 17:16, Art Crazy wrote:
> It's Fedora4
>

I sure wish you won't top-post. What is the output of:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Date: Wed, 15 Mar 2006 17:23:12 -0800
Subject: Re: [Shorewall-users] Bridge - no connection from fw to net

On Wednesday 15 March 2006 17:16, Art Crazy wrote:
> It's Fedora4
>

I sure wish you won't top-post. What is the output of:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

-Tom

It's 30
On Wednesday 15 March 2006 17:34, Art Crazy wrote:
> >
> > What is the output of:
> >
> > cat /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
> >
> It's 30

Then I don't know what to tell you -- it appears as though UDP connection
tracking isn't working on requests from the firewall. You might try tracing
DNS requests with tcpdump (tcpdump -ni eth1 port 53) to see if anything looks
funny about the packets themselves.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
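As an added example (not part of the thread or of Shorewall itself), a small parser for the Shorewall log lines Tom tells Pawel to look for, which flags the symptom he then diagnoses: UDP packets from source port 53 arriving at the firewall zone and being dropped because conntrack did not tie them to the outgoing query. The log lines are constructed; the only assumption is Shorewall's default LOG prefix "Shorewall:<chain>:<disposition>:".

```python
import re
from collections import Counter

# Constructed sample in the kernel netfilter LOG format with Shorewall's
# default prefix; with BRIDGING=Yes the bridge is IN= and the port is PHYSIN=.
SAMPLE_LOG = """\
Mar 15 17:54:01 mainserver kernel: Shorewall:net2fw:DROP:IN=br0 OUT= PHYSIN=eth1 SRC=192.0.2.53 DST=192.168.254.1 LEN=100 PROTO=UDP SPT=53 DPT=32771 LEN=80
Mar 15 17:54:02 mainserver kernel: Shorewall:net2fw:DROP:IN=br0 OUT= PHYSIN=eth1 SRC=192.0.2.53 DST=192.168.254.1 LEN=100 PROTO=UDP SPT=53 DPT=32772 LEN=80
Mar 15 17:54:05 mainserver kernel: Shorewall:net2fw:DROP:IN=br0 OUT= PHYSIN=eth1 SRC=198.51.100.7 DST=192.168.254.1 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN
Mar 15 17:54:06 mainserver kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.53 DST=192.168.254.10 LEN=100 PROTO=UDP SPT=53 DPT=1025 LEN=80
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of fields for one Shorewall LOG line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)  # first LEN= is the IP length; keep it
    return rec


def dropped_dns_replies(log_text):
    """Dropped/rejected UDP packets from source port 53 bound for the firewall
    zone (chain *2fw): DNS replies that conntrack failed to match to a query."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] in ("DROP", "REJECT") and rec["chain"].endswith("2fw")
                and rec.get("PROTO") == "UDP" and rec.get("SPT") == "53"):
            hits.append((rec["SRC"], rec["DST"], rec["DPT"]))
    return hits


def summarize(log_text):
    """Count dropped DNS replies per resolver address."""
    return Counter(src for src, _, _ in dropped_dns_replies(log_text))


if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG).items():
        print(f"{n} DNS reply(ies) from {src} dropped before reaching the firewall")
```

A non-zero count here, with the UDP timeout at a sane value like the 30 seconds Pawel reports, points at the bridge/conntrack path rather than at the policy file.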