I'm trying to set up the firewall so that most of the users on my network can only access the net through a proxy and most ports are closed. But I need certain machines to be able to access all ports both inbound and outbound. I've tried all sorts of rules but they haven't worked. Mainly Steam, Messenger Live, aMSN and Windows Update won't connect.

Any help will be greatly appreciated.

Fernando Galvan

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Fernando Galvan wrote:
> I'm trying to set up the firewall so that most of the users on my network
> can only access the net through a proxy and most ports are closed. But I
> need certain machines to be able to access all ports both inbound and
> outbound. I've tried all sorts of rules but they haven't worked.
> Mainly Steam, Messenger Live, aMSN and Windows Update won't connect.

A) You haven't correctly configured LOGFILE in shorewall.conf, so the dump you attached shows no rejected traffic. Are you looking at your log? It should be telling you what is being blocked (if, in fact, Shorewall is blocking the connections that aren't working). Your log together with Shorewall FAQ 17 should allow you to solve most connection problems of this kind.

It appears that you are running a late SuSE distribution, so the iptables log should be /var/log/firewall.

B) You haven't told us what non-working connection(s) you tried during the 9 minutes covered by this dump (source IP, destination IP, protocol, destination port). Without that information, we have no idea where in the dump to look for the problem (especially with no log messages). From your report, it isn't even clear whether the non-working connections are from the users that have unrestricted access or from those who do not.

C) You have a long list of ACCEPT rules for loc->fw even though you have a loc->fw ACCEPT policy -- why?

D) I've never seen a DMZ with dmz->all and all->dmz ACCEPT policies (again, you have a long list of ACCEPT rules involving the DMZ).

If you have been changing policies to ACCEPT (with no logging) to try to make this work, I suggest that you stop. That's a poor way to go about troubleshooting (the troubleshooting guide specifically recommends against it) -- using your log properly is much more likely to get results, and you won't accidentally leave gaping holes in your firewall afterward.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
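Tom's points A and B amount to one workflow: read the Shorewall log and reduce it to a list of who tried to reach what, on which protocol and port, and in which zone-pair chain it was rejected. The following script is an added example for this thread, not code from Shorewall or from either poster. It assumes the default Shorewall LOGFORMAT, where each kernel log line carries a "Shorewall:<chain>:<disposition>:" prefix followed by netfilter's KEY=VALUE fields, and that the log is the file named by LOGFILE in shorewall.conf (/var/log/firewall on the SuSE system mentioned above). The sample log lines embedded in the script are constructed with documentation addresses and are not taken from the original poster's dump.

```python
"""Summarize rejected/dropped connections from a Shorewall (iptables) log.

Added example, not Shorewall's own code. Assumes the default LOGFORMAT
prefix "Shorewall:<chain>:<disposition>:" and netfilter KEY=VALUE fields.
Usage: python shorewall_rejects.py /var/log/firewall  (or no argument
to run against the constructed sample below).
"""
import re
import sys
from collections import Counter

# Zone-pair chain and disposition from the Shorewall log prefix, e.g. loc2net:REJECT
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# netfilter fields: IN=eth1 SRC=... DST=... PROTO=TCP DPT=80 ...
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_entry(line):
    """Return a dict for one Shorewall log line, or None for unrelated kernel messages."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "chain": m.group("chain"),              # zone pair the packet crossed, e.g. loc2net
        "disposition": m.group("disposition"),  # REJECT, DROP, ACCEPT, ...
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),           # empty for packets addressed to the firewall
        "src": fields.get("SRC", "?"),
        "dst": fields.get("DST", "?"),
        "proto": fields.get("PROTO", "?"),
        "dport": fields.get("DPT", "-"),        # ICMP carries no DPT
    }


def summarize(lines, dispositions=("REJECT", "DROP")):
    """Count blocked flows by (chain, src, dst, proto, dport), most frequent first."""
    counts = Counter()
    for line in lines:
        e = parse_entry(line)
        if e and e["disposition"] in dispositions:
            counts[(e["chain"], e["src"], e["dst"], e["proto"], e["dport"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def blocked_from(lines, hosts):
    """Blocked flows originating from hosts that are meant to be unrestricted.

    Answers Tom's point B: if this list is non-empty, the "unrestricted"
    machines are being caught by a rule or policy and the summary shows which.
    """
    return [(key, n) for key, n in summarize(lines) if key[1] in hosts]


def render(summary):
    """Plain-text table of a summarize() result."""
    out = ["count chain    src              dst              proto dport"]
    for (chain, src, dst, proto, dport), n in summary:
        out.append(f"{n:5d} {chain:8s} {src:16s} {dst:16s} {proto:5s} {dport}")
    return "\n".join(out)


# Constructed sample (documentation addresses); not from the poster's dump.
# The last Shorewall line shows an unsolicited inbound packet arriving at the
# firewall's external address (DST=192.0.2.1, OUT empty), which is what the
# net side sees of a masqueraded LAN.
SAMPLE_LOG = """\
Feb 10 12:00:01 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=UDP SPT=27005 DPT=27015 LEN=40
Feb 10 12:00:02 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=UDP SPT=27005 DPT=27015 LEN=40
Feb 10 12:00:05 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1050 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 10 12:00:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4 DF PROTO=TCP SPT=4321 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 10 12:00:10 fw kernel: eth0: link is up
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            log_lines = f.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    print(render(summarize(log_lines)))
```

Run it against the real log while reproducing one failing connection, as Tom asks in point B; the chain column tells you which zone pair (and so which policy or rule) rejected the flow, and blocked_from() with the addresses of the supposedly unrestricted machines tells you immediately whether the failures come from that group at all.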
Tom Eastep wrote:
> Fernando Galvan wrote:
>> I'm trying to set up the firewall so that most of the users on my network
>> can only access the net through a proxy and most ports are closed. But I
>> need certain machines to be able to access all ports both inbound and
>> outbound. I've tried all sorts of rules but they haven't worked.
>> Mainly Steam, Messenger Live, aMSN and Windows Update won't connect.
>
> A) You haven't correctly configured LOGFILE in shorewall.conf, so the dump you
> attached shows no rejected traffic. Are you looking at your log? It should be
> telling you what is being blocked (if, in fact, Shorewall is blocking the
> connections that aren't working). Your log together with Shorewall FAQ 17 should
> allow you to solve most connection problems of this kind.
>
> It appears that you are running a late SuSE distribution, so the iptables log
> should be /var/log/firewall.
>
> B) You haven't told us what non-working connection(s) you tried during the 9
> minutes covered by this dump (source IP, destination IP, protocol, destination
> port). Without that information, we have no idea where in the dump to look for
> the problem (especially with no log messages). From your report, it isn't even
> clear whether the non-working connections are from the users that have
> unrestricted access or from those who do not.
>
> C) You have a long list of ACCEPT rules for loc->fw even though you have a
> loc->fw ACCEPT policy -- why?
>
> D) I've never seen a DMZ with dmz->all and all->dmz ACCEPT policies (again, you
> have a long list of ACCEPT rules involving the DMZ).
>

F) You also appear to have a wide range of net->loc ACCEPT rules even though your local network is masqueraded -- that will never work! See Shorewall FAQ 30.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key