Hi,

I'm very new to shorewall. I use it now for about 2-3 months. At this stage there are two things I can't seem to get right:

1. Telnet from the loc to the net. This is especially required for fics.org. I messed around but seem unable to get that through. Any ideas where I should look next?

2. FTP. I seem to get very slow response or no response when I use FTP to transfer files, but here I think Squid/Dansguardian could be the cause. Maybe I'm wrong and I misconfigured Shorewall?

What should I post for you guys to give me advice, rules or config or something else?

Regards,
Louis.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 1. Telnet from the loc to the net. This is especially required for
> fics.org. I messed around but seem unable to get that through. Any ideas
> where I should look next?

Did you enable port forwarding on the firewall? Adding this rule in the rules file might help:

    ACCEPT loc net tcp 23

> 2. FTP. I seem to get very slow response or no response when I use FTP to
> transfer files, but here I think Squid/Dansguardian could be the cause.
> Maybe I'm wrong and I misconfigured Shorewall?

Hmm.. I think Squid could be the problem. Did you enable a delay pool for Squid? Maybe Squid limits the download rate. As far as I know, Shorewall has nothing to do with Squid except the port redirection back to the firewall itself if you need to set up your Squid as a transparent proxy at the firewall itself.

Just my 2 cents. Hope this helps.
On Thursday 03 August 2006 15:07, Wong Chee Chun wrote:
> > 1. Telnet from the loc to the net. This is especially required for
> > fics.org. I messed around but seem unable to get that through. Any
> > ideas where I should look next?
>
> did you enable port forwarding on the firewall? add this rule in rules
> file might help :-
>
> ACCEPT loc net tcp 23
>

My rules:

    DNS/ACCEPT      $FW     net
    SSH/ACCEPT      loc     $FW
    Ping/ACCEPT     loc     $FW
    Ping/REJECT     net     $FW
    Webmin/ACCEPT   loc     fw
    REDIRECT        loc     8080    tcp     80      -       !192.168.0.3
    REDIRECT        loc     8080    tcp     3128    -       !192.168.0.3
    ACCEPT          $FW     loc     icmp
    ACCEPT          $FW     net     icmp
    Gnutella/ACCEPT net     loc     -       -       -       !192.168.0.4
    Telnet/ACCEPT   loc     all
    ACCEPT          loc     net     tcp     23
    ACCEPT          loc     fw      tcp     23
    ACCEPT          fw      all     tcp     23
Louis Kruger wrote:
>
> What should I post for you guys to give me advice, rules or config or
> something else?
>

http://www.shorwall.net/support.htm

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Thursday 03 August 2006 20:28, Tom Eastep wrote:
> Louis Kruger wrote:
> > What should I post for you guys to give me advice, rules or config or
> > something else?
>
> http://www.shorwall.net/support.htm
>
> -Tom

Attempt:

    ch1@cheetah:~# telnet freechess.org
    Trying 69.36.243.188...
    Connected to freechess.org.
    Escape character is '^]'.

and it will at that forever and the day afterwards.

Attached is the result of:

1. /sbin/shorewall reset.
2. Try making the connection that is failing. (above)
3. /sbin/shorewall dump > status.txt
4. status.txt file as an attachment compressed with bzip2.

Regards,
Louis.
llk@iburst.co.za wrote:
> On Thursday 03 August 2006 20:28, Tom Eastep wrote:
>> Louis Kruger wrote:
>>> What should I post for you guys to give me advice, rules or config or
>>> something else?
>> http://www.shorwall.net/support.htm
>>
>> -Tom
> Attempt:
> ch1@cheetah:~# telnet freechess.org
> Trying 69.36.243.188...
> Connected to freechess.org.
> Escape character is '^]'.
>
> and it will at that forever and the day afterwards.
>

The problem is not in your Shorewall configuration -- the telnet connection is being made to 69.36.243.188:

    tcp 6 431991 ESTABLISHED src=192.168.0.10 dst=69.36.243.188 sport=33235 dport=23 src=69.36.243.188 dst=196.2.111.129 sport=23 dport=33235 [ASSURED] use=1

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> llk@iburst.co.za wrote:
>> On Thursday 03 August 2006 20:28, Tom Eastep wrote:
>>> Louis Kruger wrote:
>>>> What should I post for you guys to give me advice, rules or config or
>>>> something else?
>>> http://www.shorwall.net/support.htm
>>>
>>> -Tom
>> Attempt:
>> ch1@cheetah:~# telnet freechess.org
>> Trying 69.36.243.188...
>> Connected to freechess.org.
>> Escape character is '^]'.
>>
>> and it will at that forever and the day afterwards.
>>
>
> The problem is not in your Shorewall configuration -- the telnet connection is
> being made to 69.36.243.188:
>
> tcp 6 431991 ESTABLISHED src=192.168.0.10 dst=69.36.243.188 sport=33235
> dport=23 src=69.36.243.188 dst=196.2.111.129 sport=23 dport=33235 [ASSURED] use=1
>

But....

You apparently have CLAMPMSS=1422 in your shorewall.conf file while the MTU of ppp0 is 1392. So your CLAMPMSS specification isn't doing a ^%$# thing.

You would be better off with CLAMPMSS=Yes

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
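The MTU/MSS mismatch Tom points to, as an added example (not Shorewall's own code, and the shorewall.conf fragment and `ip link` line are constructed): the check computes the largest TCP MSS that fits on a link of the given MTU (MTU minus the 20-byte IPv4 and 20-byte TCP headers) and reports whether a numeric CLAMPMSS can have any effect, which for 1422 on a 1392-byte ppp0 it cannot.

```python
import re

IPV4_HDR = 20  # minimal IPv4 header, no options
TCP_HDR = 20   # minimal TCP header, no options


def max_mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv4 packet on a link with this MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def parse_clampmss(conf_text):
    """Return CLAMPMSS from shorewall.conf text: an int, 'Yes', 'No', or None if unset."""
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'CLAMPMSS=["\']?(\w*)["\']?$', line)
        if m:
            value = m.group(1)
            if value.isdigit():
                return int(value)
            return 'Yes' if value.lower() == 'yes' else 'No'
    return None


def parse_mtu(ip_link_text, iface):
    """Pick the MTU of one interface out of 'ip -o link' style output."""
    m = re.search(r'\d+: %s: <[^>]*> mtu (\d+)' % re.escape(iface), ip_link_text)
    return int(m.group(1)) if m else None


def evaluate_clampmss(setting, mtu):
    """Say whether this CLAMPMSS setting can shrink segments to fit the link MTU."""
    limit = max_mss_for_mtu(mtu)
    if setting == 'Yes':            # Shorewall clamps to the path MTU itself
        return {'effective': True, 'mss': limit}
    if setting in ('No', None):
        return {'effective': False, 'mss': None}
    # A numeric clamp above MTU-40 leaves segments too big for the link, so it changes nothing.
    return {'effective': setting <= limit, 'mss': setting}


# Constructed sample input mirroring the thread: CLAMPMSS=1422, ppp0 MTU 1392.
SAMPLE_CONF = "# shorewall.conf excerpt (constructed)\nCLAMPMSS=1422\n"
SAMPLE_IP_LINK = "3: ppp0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1392 qdisc pfifo_fast\n"

if __name__ == '__main__':
    mtu = parse_mtu(SAMPLE_IP_LINK, 'ppp0')
    verdict = evaluate_clampmss(parse_clampmss(SAMPLE_CONF), mtu)
    print('ppp0 MTU %d allows MSS <= %d; CLAMPMSS=%s effective: %s'
          % (mtu, max_mss_for_mtu(mtu), parse_clampmss(SAMPLE_CONF), verdict['effective']))
```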
On Thursday 03 August 2006 23:35, Tom Eastep wrote:
> > The problem is not in your Shorewall configuration -- the telnet
> > connection is being made to 69.36.243.188:
> >
> > tcp 6 431991 ESTABLISHED src=192.168.0.10 dst=69.36.243.188
> > sport=33235 dport=23 src=69.36.243.188 dst=196.2.111.129 sport=23
> > dport=33235 [ASSURED] use=1
>

Any idea then why I can do it successfully on the FW, but not from anywhere else?

> But....
> You apparently have CLAMPMSS=1422 in your shorewall.conf file while the MTU
> of ppp0 is 1392. So your CLAMPMSS specification isn't doing a ^%$# thing.
>
> You would be better off with CLAMPMSS=Yes

Tnx, will action it.

--
Louis LSJ Krüger
Louis Kruger wrote:
> On Thursday 03 August 2006 23:35, Tom Eastep wrote:
>
>>> The problem is not in your Shorewall configuration -- the telnet
>>> connection is being made to 69.36.243.188:
>>>
>>> tcp 6 431991 ESTABLISHED src=192.168.0.10 dst=69.36.243.188
>>> sport=33235 dport=23 src=69.36.243.188 dst=196.2.111.129 sport=23
>>> dport=33235 [ASSURED] use=1
> Any idea then why I can do it successful on the FW, but not from anywhere
> else?

See below.

>
>
>> But....
>> You apparently have CLAMPMSS=1422 in your shorewall.conf file while the MTU
>> of ppp0 is 1392. So your CLAMPMSS specification isn't doing a ^%$# thing.
>>
>> You would be better off with CLAMPMSS=Yes
> Tnx, will action it.
>

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Friday 04 August 2006 02:35, Tom Eastep wrote:
> See below.
>
> >> But....
> >> You apparently have CLAMPMSS=1422 in your shorewall.conf file while the
> >> MTU of ppp0 is 1392. So your CLAMPMSS specification isn't doing a ^%$#
> >> thing.
> >>
> >> You would be better off with CLAMPMSS=Yes
> >
> > Tnx, will action it.
>

TNX. Problem solved!

--
Louis LSJ Krüger