On Thursday 23 March 2006 04:35, Rob Ende v/d wrote:
> Hi,
>
> I've installed shorewall on a gateway with the following configuration:
>
> zone interface description
> loc eth0 network 130.1.1.0/24
> net eth1 internet 130.1.10.0/24
> net eth2 internet 130.1.20.0/24
>
> On a local computer, I can ping, ftp etc. to the internet
> but I can't surf.
>
> What's wrong??
>
Three suggestions:
a) When you send us a problem report, please don't include all of the extra
rules that you've added trying to make things work. ACCEPT:LOG rules on top
of an ACCEPT policy are always silly and make the problem harder to debug,
not easier. If you intend to have a REJECT loc->net policy then configure
your firewall that way and stick to it; by adding logging to the policy, you
will know when Shorewall is blocking traffic and when the problem lies
elsewhere. By adding a non-logging ACCEPT policy, you rob yourself of one of
the most valuable diagnostic tools that Shorewall offers.
b) You are masquerading out of one net interface but not the other -- that's
probably wrong; especially since you've taken out the part of the Multi-ISP
configuration that dealt with eth2 which now has your default gateway and is
not masqueraded. Remember that removing entries from /etc/shorewall/providers
doesn't remove them from the kernel's routing table -- you have to restart
networking on the box to clear those entries.
c) You haven't added the required masquerade rules to make fw->net traffic
work. See the Multi-ISP article on the Shorewall site for instructions.
I see nothing here that is specific to web browsing -- looks to me like
nothing should work but then I don't know how all of the systems surrounding
this box are configured.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
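
The checks behind points (a) and (b) of the reply above, as an added example that is not part of the original thread or of Shorewall. The file contents are constructed samples that assume the usual column layout of /etc/shorewall/interfaces, masq and policy; the function names are hypothetical.

```python
# Added example: lint a Shorewall config for two issues raised in the reply.
# All three samples below are constructed, not the poster's real files.
INTERFACES = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
loc    eth0       detect
net    eth1       detect
net    eth2       detect
"""
MASQ = """\
#INTERFACE  SUBNET
eth1        eth0
"""
POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

def rows(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def unmasqueraded(interfaces, masq, zone="net"):
    """Interfaces in `zone` that never appear in the masq INTERFACE column."""
    # The masq INTERFACE column may carry a suffix (eth1:<dest>); keep the name.
    covered = {cols[0].split(":", 1)[0] for cols in rows(masq)}
    return [c[1] for c in rows(interfaces)
            if len(c) >= 2 and c[0] == zone and c[1] not in covered]

def unlogged_policies(policy):
    """(source, dest, policy) entries whose LOG LEVEL column is empty or '-'."""
    return [tuple(c[:3]) for c in rows(policy)
            if len(c) >= 3 and (len(c) == 3 or c[3] == "-")]

if __name__ == "__main__":
    for iface in unmasqueraded(INTERFACES, MASQ):
        print(f"masq: no entry for net interface {iface}")
    for src, dst, pol in unlogged_policies(POLICY):
        print(f"policy: {src}->{dst} {pol} has no log level")
```

On the constructed sample this flags eth2 as a net interface with no masq entry and the loc->net ACCEPT policy as unlogged.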