Folks, I need your help.

I continue to get problem reports that contain the poster's
configuration files (or more commonly, *part* of the poster's
configuration files) as documentation about problems.

To put it bluntly, I don't want to see your configuration files. A
Shorewall configuration file never passed a single packet nor did it
ever prevent a connection from succeeding. All of the Shorewall
configuration files in the world won't tell me anything about the IP
configuration of a system; they can tell me nothing about the default
routing table or the key contents of /proc. They don't show me log
messages or information about connections. They don't show how many
packets have matched each rule.

I've spent a lot of time and effort tailoring the output of
"shorewall dump" to allow me to learn everything I need to know to make a
quick diagnosis of firewall/gateway problems and the Shorewall support page
(http://www.shorewall.net/support.htm) clearly asks for that output.

Quoting from the support page:

a. If Shorewall isn't started then /sbin/shorewall start.
   Otherwise /sbin/shorewall reset.
b. Try making the connection that is failing (reproduce the
   problem)
c. /sbin/shorewall dump > /tmp/status.txt
d. Post the /tmp/status.txt file as an attachment compressed with
   gzip or bzip2.
e. Describe where you are trying to make the connection from (IP
   address) and what host (IP address) you are trying to connect
   to.

The last point is really important. Knowing the exact details about the
endpoints of failing connections is key to finding the underlying
problem. Statements like "I can ping from end to end and then it fails"
give only enough information to be tantalizing.

After I have looked at the output of "shorewall dump" from your system,
I can tell you exactly what you have in each of your Shorewall
configuration files. So sending the files themselves is completely
redundant as far as I'm personally concerned (although other people who
help on the list may prefer that you also send the files along). But the
properly-collected output of "shorewall dump" is essential as are the
exact details of what is being attempted.

I appreciate your help -- it will save time for you (you only have to
send one email rather than two) and it saves me having to ask for the
information that I need.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key