Hello List,

This is my first post to the list, and as such I apologize for the length of it. I tried to put as much detail into this as possible.

I recently installed Shorewall on a computer running Gentoo Linux. The computer has 3 network cards in it, but I've only configured 2. Going the cheap route, I'm connecting my client directly to my firewall using a crossover cable.

When I try to access the Internet from my client, the operation times out.

Client is running Windows XP Home Edition.
Card is set to Auto-negotiate the speed and duplex.

Firewall is running Gentoo Linux (2006.1).
The version of shorewall I have installed is: 3.0.8
eth0 is connected to a cable modem and gets its IP information via DHCP from my ISP.
eth1 reports the following information from ifconfig eth1:

    eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:10 Base address:0x6c00

My routing table is as follows:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
    loopback        *               255.0.0.0       U     0      0        0 lo
    default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0

One thing that I noticed is if I do mii-tool eth1 I get:

    eth1: no link

Since I can ping eth1 from the firewall, shouldn't that mean there is a link?

Things I've tested / tried / ensured:

On the firewall side of things:
The link light is lit on my client and firewall (eth1 and on the client's NIC)
From the firewall I can get to the Internet (I can browse sites, SSH to another computer on another network, etc)
I can ping the address of the interior interface (eth1: 192.168.1.1) from the firewall. (replies are in < 1ms)
I've toggled the SSH rule on the firewall to ensure that if I am not accepting SSH from net to fw that it won't work, and that works fine, so I think that rule is behaving as I'd expect.
I've blocked ping at the firewall, and that works fine, so that rule seems to be correct.
I cannot ping the address of my client from the firewall (the client's address is 192.168.1.2).

On the client side of things:
When I try to ping my firewall or reach the Internet I can see that it is sending packets.
The send counter increases, but not the received counter (the received counter stays at 0)

    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

    --- 192.168.1.2 ping statistics ---
    4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms, pipe 3

I don't think it's an issue with my DNS setup, as I've entered the IP address of the site I wish to visit, but still can't get there. The operation will take too long, and just timeout.
I've set the IP parameters as follows on the client:

    IP address:      192.168.1.2
    Netmask:         255.255.255.0
    Default Gateway: 192.168.1.1
    Preferred DNS:   192.168.1.1

No matter what traffic I send to the firewall, whether it be a ping or my client trying to get to the Internet, I don't see anything getting logged. I see the firewall is busy, but it's not getting anything from my client.

just a snippet of shorewall show log:

    Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
    Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
    Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
    Feb 2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
    Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
    Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50

I set my rules, policy, masq, interfaces, etc according to the basic two-interface firewall howto, and used an FAQ to configure my firewall as follows:

    /etc/shorewall/params:
    ETH0_IP=`find_first_interface_address eth0`

    /etc/shorewall/rules:
    #
    # Local Rules
    SSH/ACCEPT   loc   $FW
    Ping/ACCEPT  loc   $FW

    # DNS
    DNS/ACCEPT   loc   $FW

    # DHCP SERVER
    ACCEPT       loc   net   UDP   67
    ACCEPT       loc   net   TCP   67

    # DHCP CLIENT
    ACCEPT       loc   net   UDP   68
    ACCEPT       loc   net   TCP   68
    #
    # Remote Rules
    #
    SSH/ACCEPT   net   $FW
    Ping/ACCEPT  $FW   loc

    # DNAT
    DNAT         loc   loc:192.168.1.1   tcp   www   -   $ETH0_IP

    /etc/shorewall/policy:
    loc   net   ACCEPT   info
    $FW   net   ACCEPT   info
    $FW   loc   ACCEPT   info
    net   all   DROP     info
    all   all   REJECT   info

    /etc/shorewall/interfaces:
    net   eth0   detect          dhcp
    loc   eth1   192.168.1.255   routeback

    /etc/shorewall/masq:
    eth1:192.168.1.1   eth1   192.168.1.1   tcp   www

I was getting an error when I initially setup shorewall telling me that the route had not been defined for my internal interface at the point where the firewall was trying to start, so I placed the following entry into /etc/shorewall/init

    route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1

However, I've been through many evolutions since then; so this may no longer be needed.

"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi."
---Larry Wall

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
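The most useful fact in the post above is that with every policy logging at "info", not one packet in the log has IN=eth1: the firewall is busy dropping Internet noise on eth0, but nothing is arriving from the LAN side at all. The script below is an added example for this thread (not code from the post or from the Shorewall project); it parses the Shorewall 3.x log prefix "Shorewall:<chain>:<action>:" followed by the netfilter fields, using the six lines quoted above as constructed sample input, and reports counts per chain, counts per ingress interface, and whether anything at all entered on eth1.

```python
"""Triage of Shorewall 3.x log lines: which chain/action fired, on which
interface packets arrived, and whether anything at all came from the LAN.

Added example for this thread, not code from the original post or from the
Shorewall project. Assumes the 'Shorewall:<chain>:<action>:' prefix that
Shorewall 3.x writes ahead of the netfilter fields."""
import re
from collections import Counter

# Constructed sample: the six lines quoted in the post (syslog prefix kept).
SAMPLE_LOG = """\
Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
Feb 2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict with chain, action and the netfilter key=value fields,
    or None for lines that are not Shorewall log entries."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:                      # bare flags such as DF
            entry[key] = True
        else:
            # LEN and ID occur twice (IP header, then UDP/ICMP); keep the first.
            entry.setdefault(key, value)
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def counts_by_chain(entries):
    """Counter of (chain, action) pairs, e.g. ('net2all', 'DROP')."""
    return Counter((e["chain"], e["action"]) for e in entries)


def ingress_interfaces(entries):
    """Counter of IN= values; packets the firewall generated itself have IN=''."""
    return Counter(e.get("IN", "") for e in entries)


def seen_from(entries, iface):
    """True if any logged packet entered on iface. With 'info' on every policy,
    a LAN host that really reaches the firewall shows up here one way or another."""
    return any(e.get("IN") == iface for e in entries)


def dropped_from_net(entries):
    """(SRC, PROTO, DPT or ICMP TYPE) for net2all drops: the background noise
    being rejected, which is distinct from the LAN traffic that is missing."""
    out = []
    for e in entries:
        if e["chain"] == "net2all" and e["action"] == "DROP":
            out.append((e.get("SRC"), e.get("PROTO"), e.get("DPT", e.get("TYPE"))))
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("by chain/action:", dict(counts_by_chain(entries)))
    print("ingress interfaces:", dict(ingress_interfaces(entries)))
    print("anything from eth1 (loc)?", seen_from(entries, "eth1"))
    for row in dropped_from_net(entries):
        print("dropped from net:", row)
```

Run it against "shorewall show log" output (or /var/log/messages) instead of the sample; if seen_from(entries, "eth1") stays False while the client is pinging, the packets are not reaching the kernel, which points at layer 1 or 2 (link, cable, ARP) rather than at the rules.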
crap... I just realized one thing ... in the section where I was trying to illustrate the ping from my client to my firewall, I did the opposite (pinged the client from my firewall).

so:

    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

is when I'm logged into my fw (remotely) trying to ping my client machine.

sorry for the confusion.

On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> Hello List,
>
> This is my first post to the list, and as such I apologize for the length
> of it. I tried to put as much detail into this as possible.
> [...]

--
"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi."
Larry Wall
On Fri, 2007-02-02 at 08:46 -0500, Shawn Singh wrote:
> Hello List,
> [...]
> My routing table is as follows:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1

Get rid of the above route.

> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
>
> One thing that I noticed is if I do mii-tool eth1 I get:
> eth1: no link

This should not show no link. Does the client show its interface as up? Are you sure your x-over cable is good? This is the root of your problem.

> [...]
> /etc/shorewall/masq:
> eth1:192.168.1.1 eth1 192.168.1.1 tcp www

You want something more like:

    #INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
    eth0         eth1

Keep it simple like that until you know things are working.

> I was getting an error when I initially setup shorewall telling me
> that the route had not been defined for my internal interface at the
> point where the firewall was trying to start, so I placed the
> following entry into
> /etc/shorewall/init
> route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1

Dump it

Thanks,

--
Bryan Vukich
Network Administrator
The Olson Company
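Bryan's three points, link on eth1, the extra gateway route for the LAN subnet, and a masq entry that should name the external interface, can be turned into checks that run on the firewall. The script below is an added example (not Bryan's code and not part of Shorewall); it assumes the column layout of "route -n", the kernel's /sys/class/net/<iface>/carrier flag (which is what mii-tool's "no link" reflects), and the Shorewall 3.x masq columns INTERFACE SUBNET ADDRESS. The sample routing table is the one from the thread in numeric form, with the ISP-assigned network and gateway replaced by documentation addresses (192.0.2.x) because the post only shows truncated hostnames.

```python
"""Checks for the direct-attach two-interface setup discussed in this thread:
is there carrier on the LAN interface, is there a route for the LAN subnet
that points at the host's own address, and does the masq file NAT out of
the external interface only.

Added example, not Bryan's or the Shorewall project's code. Assumes
'route -n' columns, /sys/class/net/<iface>/carrier, and Shorewall 3.x masq
columns INTERFACE SUBNET ADDRESS."""
import os

# Constructed sample: the thread's routes in 'route -n' form; 192.0.2.0/22 and
# 192.0.2.1 stand in for the ISP network and default gateway.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
"""

# Addresses this host owns, per interface (from the ifconfig output in the thread).
LOCAL_ADDRS = {"eth1": "192.168.1.1"}

ORIGINAL_MASQ = "eth1:192.168.1.1 eth1 192.168.1.1 tcp www\n"
SUGGESTED_MASQ = "#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC\neth0 eth1\n"


def parse_routes(text):
    """Parse 'route -n' output into dicts; the two header lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = cols[:8]
        routes.append({"dest": dest, "gw": gw, "mask": mask,
                       "flags": flags, "iface": iface})
    return routes


def self_gateway_routes(routes, local_addrs):
    """Gateway ('G') routes whose next hop is the host's own address on that
    same interface. The connected ('U') route for the subnet already covers
    it; this is the entry Bryan says to get rid of."""
    return [r for r in routes
            if "G" in r["flags"] and local_addrs.get(r["iface"]) == r["gw"]]


def parse_masq(text):
    """Parse masq lines into interface / subnet / remaining columns; comments skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        rows.append({"interface": cols[0],
                     "subnet": cols[1] if len(cols) > 1 else "",
                     "extra": cols[2:]})
    return rows


def masq_problems(rows, external, internal):
    """Findings for a masq file that should masquerade 'internal' out of
    'external' and nothing more elaborate until forwarding works."""
    problems = []
    for r in rows:
        out_iface = r["interface"].split(":", 1)[0]   # drop any ':addr' qualifier
        if out_iface != external:
            problems.append(f"INTERFACE is {r['interface']!r}; expected external interface {external}")
        if r["subnet"] != internal and "/" not in r["subnet"]:
            problems.append(f"SUBNET is {r['subnet']!r}; expected internal interface {internal} or a CIDR")
        if r["extra"]:
            problems.append(f"extra columns {' '.join(r['extra'])!r}; drop them until basic NAT works")
    return problems


def link_up(iface, sysfs="/sys/class/net"):
    """True/False from the kernel carrier flag; None when it cannot be read
    (interface down or absent). 'mii-tool: no link' corresponds to carrier 0."""
    try:
        with open(os.path.join(sysfs, iface, "carrier")) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for r in self_gateway_routes(parse_routes(SAMPLE_ROUTES), LOCAL_ADDRS):
        print("remove route:", r["dest"], "via", r["gw"], "dev", r["iface"])
    for label, text in (("original", ORIGINAL_MASQ), ("suggested", SUGGESTED_MASQ)):
        print(label, "masq:", masq_problems(parse_masq(text), "eth0", "eth1") or "ok")
    print("eth1 carrier:", link_up("eth1"))
```

On the real box, feed parse_routes the output of "route -n" and parse_masq the contents of /etc/shorewall/masq; link_up("eth1") returning False while the LEDs are lit is the same contradiction mii-tool reports, and is worth resolving before touching any rule.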
Hi,
did things work without shorewall? Disconnect from the internet (unplug the cable), run 'shorewall clear' and at least make sure that the firewall and the client can ping each other before you attempt any shorewall troubleshooting.

~David

On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> crap... I just realized one thing ... in the section where I was trying to
> illustrate the ping from my client to my firewall, I did the opposite
> (pinged the client from my firewall).
> [...]
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
I think the cable is good. I'll try testing it by connecting b/w two computers that I know have good network setups. At present the end connected to eth1 is wire scheme A, and the end plugged into the client is wire scheme B ...

> > /etc/shorewall/masq:
> > eth1:192.168.1.1 eth1 192.168.1.1 tcp www
>
> You want something more like:
> #INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
> eth0         eth1

I made the changes you mentioned:

> > /etc/shorewall/init
> > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
>
> Dump it

After doing so I issued shorewall clear and tried to ping my client (192.168.1.2). Still destination unreachable. Is that to be expected, or now that the fw is stopped, should the client be replying (if my network settings on my firewall are correct and my x-over cable is good)? I can still ping 192.168.1.1 from the firewall.

On 2/2/07, Bryan Vukich <bvukich@shorewall.net> wrote:
> On Fri, 2007-02-02 at 08:46 -0500, Shawn Singh wrote:
> > Hello List,
> [...]

--
"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi."
Larry Wall
I suspect my shorewall config is correct, I think something network-wise might be screwy. I just can't put my finger on what it is.

On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> Hi,
> did things work without shorewall? Disconnect from the internet
> (unplug the cable), run 'shorewall clear' and at least make sure that
> the firewall and the client can ping each other before you attempt any
> shorewall troubleshooting.
>
> ~David
>
> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> > crap... I just realized one thing ... in the section where I was trying to
> > illustrate the ping from my client to my firewall, I did the opposite
> > (pinged the client from my firewall).
> >
> > so:
> > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> >
> > is when I'm logged into my fw (remotely) trying to ping my client machine.
> >
> > sorry for the confusion.
> >
> > On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> > > Hello List,
> > >
> > > This is my first post to the list, and as such I apologize for the length
> > > of it. I tried to put as much detail into this as possible.
> > >
> > > I recently installed Shorewall on a computer running Gentoo Linux. The
> > > computer has 3 network cards in it, but I've only configured 2. Going the
> > > cheap route, I'm connecting my client directly to my firewall using a
> > > crossover cable.
> > >
> > > When I try to access the Internet from my client, the operation times out.
> > >
> > > Client is running Windows XP Home Edition.
> > > Card is set to Auto-negotiate the speed and duplex.
> > >
> > > Firewall is running Gentoo Linux (2006.1).
> > > The version of shorewall I have installed is: 3.0.8
> > > eth0 is connected to a cable modem and gets its IP information via DHCP
> > > from my ISP.
> > > eth1 reports the following information from ifconfig eth1:
> > >
> > > eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
> > >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> > >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > >           Interrupt:10 Base address:0x6c00
> > >
> > > My routing table is as follows:
> > >
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
> > > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > > c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
> > > loopback        *               255.0.0.0       U     0      0        0 lo
> > > default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
> > >
> > > One thing that I noticed is if I do mii-tool eth1 I get:
> > > eth1: no link
> > >
> > > Since I can ping eth1 from the firewall, shouldn't that mean there is a
> > > link?
> > >
> > > Things I've tested / tried / ensured:
> > >
> > > On the firewall side of things:
> > > The link light is lit on my client and firewall (eth1 and on the client's
> > > NIC)
> > > From the firewall I can get to the Internet (I can browse sites, SSH to
> > > another computer on another network, etc)
> > > I can ping the address of the interior interface (eth1: 192.168.1.1) from
> > > the firewall. (replies are in < 1ms)
> > > I've toggled the SSH rule on the firewall to ensure that if I am not
> > > accepting SSH from net to fw that it won't work, and that works fine, so I
> > > think that rule is behaving as I'd expect.
> > > I've blocked ping at the firewall, and that works fine, so that rule seems
> > > to be correct.
> > > I cannot ping the address of my client from the firewall (the client's
> > > address is 192.168.1.2).
> > >
> > > On the client side of things:
> > > When I try to ping my firewall or reach the Internet I can see that it is
> > > sending packets.
> > > The send counter increases, but not the received counter (the received
> > > counter stays at 0)
> > >
> > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > >
> > > --- 192.168.1.2 ping statistics ---
> > > 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms
> > > , pipe 3
> > >
> > > I don't think it's an issue with my DNS setup, as I've entered the IP
> > > address of the site I wish to visit, but still can't get there. The
> > > operation will take too long, and just timeout.
> > > I've set the IP parameters as follows on the client:
> > > IP address: 192.168.1.2
> > > Netmask: 255.255.255.0
> > > Default Gateway: 192.168.1.1
> > > Preferred DNS: 192.168.1.1
> > >
> > > No matter what traffic I send to the firewall, whether it be a ping or my
> > > client trying to get to the Internet, I don't see anything getting logged. I
> > > see the firewall is busy, but it's not getting anything from my client.
> > >
> > > just a snippet of shorewall show log:
> > >
> > > Feb  2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
> > > Feb  2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
> > > Feb  2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > Feb  2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
> > > Feb  2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
> > > Feb  2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > >
> > > I set my rules, policy, masq, interfaces, etc according to the basic
> > > two-interface firewall howto, and used an FAQ to configure my firewall as
> > > follows:
> > >
> > > /etc/shorewall/params:
> > > ETH0_IP=`find_first_interface_address eth0`
> > >
> > > /etc/shorewall/rules:
> > > #
> > > # Local Rules
> > > SSH/ACCEPT      loc     $FW
> > > Ping/ACCEPT     loc     $FW
> > >
> > > # DNS
> > > DNS/ACCEPT      loc     $FW
> > >
> > > # DHCP SERVER
> > > ACCEPT          loc     net     UDP     67
> > > ACCEPT          loc     net     TCP     67
> > >
> > > # DHCP CLIENT
> > > ACCEPT          loc     net     UDP     68
> > > ACCEPT          loc     net     TCP     68
> > > #
> > > # Remote Rules
> > > #
> > > SSH/ACCEPT      net     $FW
> > > Ping/ACCEPT     $FW     loc
> > >
> > > # DNAT
> > > DNAT            loc     loc:192.168.1.1 tcp     www     -       $ETH0_IP
> > >
> > > /etc/shorewall/policy:
> > > loc     net     ACCEPT  info
> > > $FW     net     ACCEPT  info
> > > $FW     loc     ACCEPT  info
> > > net     all     DROP    info
> > > all     all     REJECT  info
> > >
> > > /etc/shorewall/interfaces:
> > > net     eth0    detect          dhcp
> > > loc     eth1    192.168.1.255   routeback
> > >
> > > /etc/shorewall/masq:
> > > eth1:192.168.1.1        eth1    192.168.1.1     tcp     www
> > >
> > > I was getting an error when I initially setup shorewall telling me that
> > > the route had not been defined for my internal interface at the point where
> > > the firewall was trying to start, so I placed the following entry into
> > > /etc/shorewall/init
> > > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
> > >
> > > However, I've been through many evolutions since then; so this may no
> > > longer be needed.
> > >
> > > "Doing linear scans over an associative array is like trying to club
> > > someone to death with a loaded Uzi."
> > > ---Larry Wall

-- 
"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall
On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> I suspect my shorewall config is correct, I think something network-wise
> might be screwy. I just can't put my finger on what it is.

If you really have the setup that you described, then the only thing network-wise that you have is your crossover cable. Are you sure that you tested it and were able to transmit data over it?
There is pretty much nothing that should prevent you from pinging if neither host has a firewall activated.

> On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> > Hi,
> > did things work without shorewall? Disconnect from the internet
> > (unplug the cable), run 'shorewall clear' and at least make sure that
> > the firewall and the client can ping each other before you attempt any
> > shorewall troubleshooting.
> >
> > ~David
thanks for your input David. maybe my x-over cable is the culprit. I'll try connecting two other computers together using it and see what happens.

On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> > I suspect my shorewall config is correct, I think something network-wise
> > might be screwy. I just can't put my finger on what it is.
>
> If you really have the setup that you described, then the only thing
> network-wise that you have is your crossover cable. Are you sure that
> you tested it and were able to transmit data over it?
> There is pretty much nothing that should prevent you from pinging if
> neither host has a firewall activated.

-- 
"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall
hey guys ... user error ... my cable checked out ... I plugged the wire scheme A end into my client and the wire scheme B end into my work laptop, and was able to ping "the other host" ... remember I said I had 3 NICs ... in my "brilliance" I figured that I'd "correctly" identified eth0, eth1, and eth2 ... NOPE! once I plugged into the correct NIC things began to work just fine.

thanks for your help.

Shawn

On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> thanks for your input David. maybe my x-over cable is the culprit. I'll
> try connecting two other computers together using it and see what happens.
>
> On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> > On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> > > I suspect my shorewall config is correct, I think something
> > > network-wise might be screwy. I just can't put my finger on what it is.
> >
> > If you really have the setup that you described, then the only thing
> > network-wise that you have is your crossover cable. Are you sure that
> > you tested it and were able to transmit data over it?
> > There is pretty much nothing that should prevent you from pinging if
> > neither host has a firewall activated.
I > > > > > see the firewall is busy, but it''s not getting anything from my > > client. > > > > > > > > > > > > just a snippet of shorewall show log: > > > > > > > > > > > > Feb 2 07:59:28 fury [32025.333661] > > Shorewall:net2all:DROP:IN=eth0 > > > OUT> > > > > SRC= 220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 > > TTL=107 > > > > > ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384 > > > > > > Feb 2 08:08:43 fury [ 32579.604207 ] > > Shorewall:net2all:DROP:IN=eth0 > > > OUT> > > > > SRC= 71.204.17.37 DST= 71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 > > TTL=114 > > > > > ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501 > > > > > > Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN> > > OUT=eth0 > > > > > SRC= 71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 > > TTL=64 > > > > > ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50 > > > > > > Feb 2 08:11:13 fury [ 32730.239305] > > Shorewall:net2all:DROP:IN=eth0 > > > OUT> > > > > SRC= 193.95.190.178 DST= 71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 > > > TTL=108 > > > > > ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384 > > > > > > Feb 2 08:16:33 fury [ 33049.711995] > > Shorewall:net2all:DROP:IN=eth0 > > > OUT> > > > > SRC= 180.10.35.7 DST= 71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 > > TTL=45 > > > > > ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384 > > > > > > Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN> > > OUT=eth0 > > > > > SRC= 71.203.146.136 DST= 68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 > > TTL=64 > > > ID=0 > > > > > DF PROTO=UDP SPT=32769 DPT=53 LEN=50 > > > > > > > > > > > > I set my rules, policy, masq, interfaces, etc according to the > > basic > > > > > two-interface firewall howto, and used an FAQ to configure my > > firewall > > > as > > > > > follows: > > > > > > > > > > > > /etc/shorewall/params: > > > > > > ETH0_IP=`find_first_interface_address eth0` > > > > > > > > > > > > /etc/shorewall/rules: > > > > > > # > > > > > > # Local Rules > > > > > > SSH/ACCEPT loc $FW > > 
> > > > Ping/ACCEPT loc $FW > > > > > > > > > > > > # DNS > > > > > > DNS/ACCEPT loc $FW > > > > > > > > > > > > # DHCP SERVER > > > > > > ACCEPT loc net UDP 67 > > > > > > ACCEPT loc net TCP 67 > > > > > > > > > > > > # DHCP CLIENT > > > > > > ACCEPT loc net UDP 68 > > > > > > ACCEPT loc net TCP 68 > > > > > > # > > > > > > # Remote Rules > > > > > > # > > > > > > SSH/ACCEPT net $FW > > > > > > Ping/ACCEPT $FW loc > > > > > > > > > > > > # DNAT > > > > > > DNAT loc loc: 192.168.1.1 tcp www > > - $ETH0_IP > > > > > > > > > > > > /etc/shorewall/policy: > > > > > > loc net ACCEPT info > > > > > > $FW net ACCEPT info > > > > > > $FW loc ACCEPT info > > > > > > net all DROP info > > > > > > all all REJECT info > > > > > > > > > > > > /etc/shorewall/interfaces: > > > > > > net eth0 detect dhcp > > > > > > loc eth1 192.168.1.255 routeback > > > > > > > > > > > > > > > > > > /etc/shorewall/masq: > > > > > > eth1: 192.168.1.1 eth1 192.168.1.1 tcp > > www > > > > > > > > > > > > I was getting an error when I initially setup shorewall telling > > me > > > that > > > > > the route had not been defined for my internal interface at the > > point > > > where > > > > > the firewall was trying to start, so I placed the following entry > > into > > > > > > /etc/shorewall/init > > > > > > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1eth1 > > > > > > > > > > > > However, I''ve been through many evolutions since then; so this > > may no > > > > > longer be needed. > > > > > > > > > > > > > > > > > > > > > > > > "Doing linear scans over an associative array is like trying to > > club > > > > > someone to death with a loaded Uzi." > > > > > > ---Larry Wall > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > "Doing linear scans over an associative array is like trying to > > club > > > someone > > > > > to death with a loaded Uzi." 
> > > > > Larry Wall > > > > > > > > > > > ------------------------------------------------------------------------- > > Using Tomcat but need to do more? Need to support web services, > > security? > > Get stuff done quickly with pre-integrated technology to make your job > > easier. > > Download IBM WebSphere Application Server v.1.0.1 based on Apache > > Geronimo > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > _______________________________________________ > > Shorewall-users mailing list > > Shorewall-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/shorewall-users > > > > > > -- > "Doing linear scans over an associative array is like trying to club > someone to death with a loaded Uzi." > Larry Wall >-- "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
The naming of eth0, eth1, eth2 doesn't always happen in the same order in Linux - if you remove or add another network card the naming might change unexpectedly.

I suggest that you set up nameif with desired mactab entries for your firewall box.

Prasanna.

On 2/3/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> hey guys ... user error ... my cable checked out ... I plugged the wire
> scheme A end into my client and the wire scheme B end into my work laptop,
> and was able to ping "the other host" ... remember I said I had 3 NICs ...
> in my "brilliance" I figured that I'd "correctly" identified eth0, eth1, and
> eth2 ... NOPE! once I plugged into the correct NIC things began to work just
> fine.
>
> thanks for your help.
>
> Shawn
I'm popping in here without any real digging into what the original problem was, but it may be of interest to you that you can control which NIC comes up as which ethX.

In a Debian-based distro you can specify which interface is assigned eth0 or eth1 (etc) by editing the /etc/iftab file. You can tell your system which interface becomes ethX by MAC address in the iftab file. I'm not sure how to do this on an RPM or Slack distro, but I'm sure there is an equivalent file somewhere.

Glad you got it working,
J

Prasanna Krishnamoorthy wrote:
> The naming of eth0, eth1, eth2 doesn't always happen in the same order
> in linux - if you remove or add another network card the naming might
> change unexpectedly.
>
> I suggest that you setup nameif with desired mactab entries for your
> firewall box.
>
> Prasanna.
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users >-- Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E http://www.jonwatson.ca +1.403.770.2837 "Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Jon & Prasanna,

Thanks for the suggestion. I'll have to do a bit of reading on this, as this is my first machine in which I've had 2 "live" NIC cards, so it'll be somewhat interesting to see how the system behaves. Besides, you've got me curious as to how Linux knows what order to assign the labels for the various devices.

Thanks,

Shawn

On 2/4/07, jon <me@jonwatson.ca> wrote:
>
> I'm popping in here without any real digging in to what the original problem was, but it may be of interest to you that you can control which NIC comes up as which ethX.
>
> In a Debian-based distro you can specify which interface is assigned eth0 or eth1 (etc) by editing the /etc/iftab file. You can tell your system which interface becomes ethX by MAC address in the iftab file. I'm not sure how to do this on an RPM or Slack distro, but I'm sure there is an equivalent file somewhere.
>
> Glad you got it working,
>
> J
>
> Prasanna Krishnamoorthy wrote:
> > The naming of eth0, eth1, eth2 doesn't always happen in the same order in linux - if you remove or add another network card the naming might change unexpectedly.
> >
> > I suggest that you setup nameif with desired mactab entries for your firewall box.
> >
> > Prasanna.
> >
> > On 2/3/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> >> hey guys ... user error ... my cable checked out ... I plugged the wire scheme A end into my client and the wire scheme B end into my work laptop, and was able to ping "the other host" ... remember I said I had 3 NICs ... in my "brilliance" I figured that I'd "correctly" identified eth0, eth1, and eth2 ... NOPE! once I plugged into the correct NIC things began to work just fine.
> >>
> >> thanks for your help.
> >>
> >> Shawn
> >>
> >> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> >>> thanks for your input David. maybe my x-over cable is the culprit. I'll try connecting two other computers together using it and see what happens.
> >>>
> >>> On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> >>>> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> >>>>> I suspect my shorewall config is correct, I think something network-wise might be screwy. I just can't put my finger on what it is.
> >>>> If you really have the setup that you described, then the only thing network-wise that you have is your crossover cable. Are you sure that you tested it and were able to transmit data over it?
> >>>> There is pretty much nothing that should prevent you from pinging if neither host has a firewall activated.
> >>>>
> >>>>> On 2/2/07, David Mohr <damailings@mcbf.net> wrote:
> >>>>>> Hi,
> >>>>>> did things work without shorewall? Disconnect from the internet (unplug the cable), run 'shorewall clear' and at least make sure that the firewall and the client can ping each other before you attempt any shorewall troubleshooting.
> >>>>>>
> >>>>>> ~David
> >>>>>>
> >>>>>> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> >>>>>>> crap... I just realized one thing ... in the section where I was trying to illustrate the ping from my client to my firewall, I did the opposite (pinged the client from my firewall).
> >>>>>>>
> >>>>>>> so:
> >>>>>>> PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> >>>>>>> From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> >>>>>>> From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> >>>>>>> From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> >>>>>>> From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> >>>>>>>
> >>>>>>> is when I'm logged into my fw (remotely) trying to ping my client machine. sorry for the confusion.
> >>>>>>>
> >>>>>>> On 2/2/07, Shawn Singh <callmeshawn@gmail.com> wrote:
> >>>>>>>> [...]
> >>>>>>>>
> >>>>>>>> just a snippet of shorewall show log:
> >>>>>>>>
> >>>>>>>> Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
> >>>>>>>> Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
> >>>>>>>> Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> >>>>>>>> Feb 2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
> >>>>>>>> Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
> >>>>>>>> Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> >>>>>>>>
> >>>>>>>> I set my rules, policy, masq, interfaces, etc according to the basic two-interface firewall howto, and used an FAQ to configure my firewall as follows:
> >>>>>>>>
> >>>>>>>> /etc/shorewall/params:
> >>>>>>>> ETH0_IP=`find_first_interface_address eth0`
> >>>>>>>>
> >>>>>>>> /etc/shorewall/rules:
> >>>>>>>> #
> >>>>>>>> # Local Rules
> >>>>>>>> SSH/ACCEPT      loc     $FW
> >>>>>>>> Ping/ACCEPT     loc     $FW
> >>>>>>>>
> >>>>>>>> # DNS
> >>>>>>>> DNS/ACCEPT      loc     $FW
> >>>>>>>>
> >>>>>>>> # DHCP SERVER
> >>>>>>>> ACCEPT          loc     net     UDP     67
> >>>>>>>> ACCEPT          loc     net     TCP     67
> >>>>>>>>
> >>>>>>>> # DHCP CLIENT
> >>>>>>>> ACCEPT          loc     net     UDP     68
> >>>>>>>> ACCEPT          loc     net     TCP     68
> >>>>>>>> #
> >>>>>>>> # Remote Rules
> >>>>>>>> #
> >>>>>>>> SSH/ACCEPT      net     $FW
> >>>>>>>> Ping/ACCEPT     $FW     loc
> >>>>>>>>
> >>>>>>>> # DNAT
> >>>>>>>> DNAT            loc     loc:192.168.1.1 tcp     www     -       $ETH0_IP
> >>>>>>>>
> >>>>>>>> /etc/shorewall/policy:
> >>>>>>>> loc     net     ACCEPT  info
> >>>>>>>> $FW     net     ACCEPT  info
> >>>>>>>> $FW     loc     ACCEPT  info
> >>>>>>>> net     all     DROP    info
> >>>>>>>> all     all     REJECT  info
> >>>>>>>>
> >>>>>>>> /etc/shorewall/interfaces:
> >>>>>>>> net     eth0    detect          dhcp
> >>>>>>>> loc     eth1    192.168.1.255   routeback
> >>>>>>>>
> >>>>>>>> /etc/shorewall/masq:
> >>>>>>>> eth1:192.168.1.1        eth1    192.168.1.1     tcp     www
> >>>>>>>>
> >>>>>>>> I was getting an error when I initially setup shorewall telling me that the route had not been defined for my internal interface at the point where the firewall was trying to start, so I placed the following entry into /etc/shorewall/init
> >>>>>>>>
> >>>>>>>> route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
> >>>>>>>>
> >>>>>>>> However, I've been through many evolutions since then; so this may no longer be needed.
> >>>>>>>>
> >>>>>>>> "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi."
> >>>>>>>> ---Larry Wall
>
> --
> Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
> http://www.jonwatson.ca
>
> "Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR

-- 
"Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi."
Larry Wall
Prasanna Krishnamoorthy wrote:
> The naming of eth0, eth1, eth2 doesn't always happen in the same order in linux - if you remove or add another network card the naming might change unexpectedly.
>
> I suggest that you setup nameif with desired mactab entries for your firewall box.

jon wrote:
> I'm popping in here without any real digging in to what the original problem was, but it may be of interest to you that you can control which NIC comes up as which ethX.
>
> In a Debian-based distro you can specify which interface is assigned eth0 or eth1 (etc) by editing the /etc/iftab file. You can tell your system which interface becomes ethX by MAC address in the iftab file. I'm not sure how to do this on an RPM or Slack distro, but I'm sure there is an equivalent file somewhere.

Shawn Singh wrote:
> Jon & Prasanna,
>
> Thanks for the suggestion. I'll have to do a bit of reading on this, as this is my first machine in which I've had 2 "live" NIC cards, so it'll be somewhat interesting to see how the system behaves. Besides, you've got me curious as to how Linux knows what order to assign the labels for the various devices.

Note that it's not necessary to quote the entire 50k of previous thread!

I had a look at this yesterday on a box I've just set up with Debian Etch. nameif seems to be installed by default as part of package net-tools. However there is no init script which calls it. Calling it can be added to the top of ifupdown, or you can add an additional script of your own (which is what I did) and link to it from /etc/rcS.d.

There is also a separate tool called ifrename which uses iftab; it is not installed but appears more flexible.

Note that neither of these tools* can rename eth2 to eth0, so I've ended up calling my interfaces ethint and ethext.

* nameif fails, didn't try ifrename but man page warns against it.

Simon
Simon Hobson wrote:
(snip)
> Note that neither of these tools* can rename eth2 to eth0, so I've ended up calling my interfaces ethint and ethext.
>
> * nameif fails, didn't try ifrename but man page warns against it.
>

nameif can be used to rename eth0, etc.. you just have to rename the interfaces to a non-"eth" name first. Example from a Gentoo init.d script:

#!/sbin/runscript
#
# for this script to work do the following:
# 1. Update /etc/init.d/net.eth0 to include
#    "need nameif" prior to the "use hotplug .." line.
#
# 2. Reassign the existing eth0, eth1, etc to
#    "unused" names so that we can reassign
#    them. The kernel will not "overwrite" an
#    existing device name (e.g. eth1 can't be renamed to eth0
#    until eth0 is "removed"/renamed.)

depend() {
        before net.lo
}

start() {
        # First rename the existing eth0, ...
        # Motherboard
        /sbin/nameif -s foo0 00:0f:ea:d1:cf:7a
        # 3Com 3c905b #1
        /sbin/nameif -s foo1 00:50:04:73:7a:dc
        # 3Com 3c905b #2
        /sbin/nameif -s foo2 00:50:04:ce:a9:9a

        # Now assign the "standard" names in the
        # preferred order
        # Motherboard
        /sbin/nameif -s eth0 00:0f:ea:d1:cf:7a
        # 3Com 3c905b
        /sbin/nameif -s eth1 00:50:04:73:7a:dc
        # 3Com 3c905b #2
        /sbin/nameif -s eth2 00:50:04:ce:a9:9a
}
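The two-phase rename that the runscript above spells out with fixed MAC addresses, as an added example that is not part of any message in this thread: a POSIX shell function that derives the same plan from a mactab-style table and refuses to run when a MAC is absent, appears twice, or a wanted name sits on a card the table does not list (the situation that put the firewall's loc zone on the wrong NIC in the first place). The sample table and current-name list are constructed, the MAC addresses are the three from the script above reused as sample values, and current_ifaces is an assumed sysfs helper for feeding real data.

```shell
#!/bin/sh
# Added example, not from the thread: build the two-phase nameif plan that
# the Gentoo runscript above performs by hand, from a mactab-style table,
# and refuse to run when the table does not match the hardware. The data
# below is constructed sample data; on a real box pass "$(current_ifaces)".

# Desired names, one "name MAC" per line, most-preferred first (constructed
# sample; the MACs are the three from the script above, reused as values).
SAMPLE_MACTAB='eth0 00:0f:ea:d1:cf:7a
eth1 00:50:04:73:7a:dc
eth2 00:50:04:ce:a9:9a'

# What the kernel called the same cards at boot (constructed sample): every
# name sits on the wrong card, which is the situation the thread ran into.
SAMPLE_CURRENT='eth0 00:50:04:ce:a9:9a
eth1 00:0f:ea:d1:cf:7a
eth2 00:50:04:73:7a:dc'

# current_ifaces: print "name MAC" for every interface the kernel knows
# about (assumed helper, reads sysfs; not exercised by the sample run).
current_ifaces() {
    for d in /sys/class/net/*; do
        [ -r "$d/address" ] || continue
        printf '%s %s\n' "${d##*/}" "$(cat "$d/address")"
    done
}

# plan_renames MACTAB CURRENT
# Prints nameif commands in two phases. Phase 1 parks every misnamed card
# on a temporary name (the kernel refuses to rename onto a name that is
# still in use, which is why a single pass fails); phase 2 assigns the
# final names. Run it, like the runscript above, before the interfaces are
# brought up. Exit status: 1 = a MAC from the table is absent, 2 = it is
# present twice, 3 = a wanted name is held by a card the table omits.
plan_renames() {
    _tab=$1
    _cur=$2
    _p1=''
    _p2=''
    _n=0
    while read -r _want _mac; do
        [ -n "$_want" ] || continue
        _mac=$(printf '%s' "$_mac" | tr 'A-F' 'a-f')
        # count the cards carrying this MAC and note which name it has now
        set -- $(printf '%s\n' "$_cur" | awk -v m="$_mac" \
            'tolower($2) == m { n++; name = $1 } END { print n + 0, name }')
        _hits=$1
        _have=$2
        [ "$_hits" -eq 0 ] && { echo "no card has MAC $_mac (for $_want)" >&2; return 1; }
        [ "$_hits" -gt 1 ] && { echo "MAC $_mac appears $_hits times" >&2; return 2; }
        [ "$_have" = "$_want" ] && continue   # already right, leave it alone
        # whoever holds the wanted name now must itself be in the table,
        # otherwise it never moves out of the way and phase 2 would fail
        _holder=$(printf '%s\n' "$_cur" | awk -v n="$_want" '$1 == n { print tolower($2) }')
        if [ -n "$_holder" ] && ! printf '%s\n' "$_tab" |
            awk -v m="$_holder" 'tolower($2) == m { f = 1 } END { exit !f }'
        then
            echo "$_want is held by $_holder, which is not in the table" >&2
            return 3
        fi
        _p1="${_p1}nameif tmp$_n $_mac
"
        _p2="${_p2}nameif $_want $_mac
"
        _n=$((_n + 1))
    done <<EOF
$_tab
EOF
    printf '%s%s' "$_p1" "$_p2"
}

# Stand-alone run: show the plan for the constructed sample.
plan_renames "$SAMPLE_MACTAB" "$SAMPLE_CURRENT"
```

Review the printed commands before piping them to sh from an init script that runs ahead of the interfaces coming up, as the runscript above does with "before net.lo".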