Hi

(I hope I didn't double post)

I have multiple clients in my network and a server with dhcp, shorewall, ....
I wanted the server to be a really tight firewall.

So I created this /etc/shorewall/policy file:

    loc   net   DROP
    loc   loc   ACCEPT
    loc   fw    ACCEPT
    fw    all   ACCEPT
    net   all   DROP
    all   all   REJECT

Of course I want all my clients to have access to the web:

/etc/shorewall/rules
    ACCEPT   loc   net   tcp   80

But when I do this, only one of my clients can look up webpages and the others don't.
So; why does this happen and how can I correct it?

Toralf

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Where is your DNS server? Is it on your firewall machine?

If it's not then you need to allow your DNS server to contact the outside world.

Another point to consider, how does the machine which works do DNS?

As always, to debug the problem, please submit a report according to http://shorewall.net/troubleshoot.htm

Prasanna.

On 3/28/07, Toralf Niebuhr <gmthor85@aim.com> wrote:
> I have multiple clients in my network and a server with dhcp, shorewall, ....
> I wanted the server to be a really tight firewall.
>
> But when I do this, only one of my clients can look up webpages and the others don't.
> So; why does this happen and how can I correct it?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
I use dnsmasq on my router.

And I configured dhcpd like this:

    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.10 192.168.0.99;
        option domain-name-servers 192.168.0.1;
        option netbios-name-servers 192.168.0.1;
        option routers 192.168.0.1;
    }

On 28.03.2007 at 13:15, Prasanna Krishnamoorthy wrote:
> Where is your DNS server? Is it on your firewall machine?
>
> If it's not then you need to allow your DNS server to contact the outside world.
>
> Another point to consider, how does the machine which works do DNS?
On 3/28/07, Toralf Niebuhr <gmThor85@aim.com> wrote:
> I use dnsmasq on my router.
>
> And I configured dhcpd like this:
>
>     subnet 192.168.0.0 netmask 255.255.255.0 {
>         range 192.168.0.10 192.168.0.99;
>         option domain-name-servers 192.168.0.1;
>         option netbios-name-servers 192.168.0.1;
>         option routers 192.168.0.1;
>     }

That seems fair enough..

As always, to debug the problem, please submit a report according to http://shorewall.net/troubleshoot.htm

Additional things to try,
a) Make sure that the other systems have picked up IP via DHCP and have the DNS server address correct
b) They don't have Windows XP firewall or firewall of some sort turned on.

For further debugging, we're going to need the shorewall dump collected according to the link above.

Prasanna.
Ok, here is my dump.txt.
I and another pc tried to access webpages at the same time and only I (192.168.0.10) was able to.

On 28.03.2007 at 18:08, Prasanna Krishnamoorthy wrote:
> Additional things to try,
> a) Make sure that the other systems have picked up IP via DHCP and have the DNS server address correct
> b) They don't have Windows XP firewall or firewall of some sort turned on.
>
> For further debugging, we're going to need the shorewall dump collected according to the link above.
Hi,
a little OT, but I think worth pointing out:

On 3/28/07, Toralf Niebuhr <gmthor85@aim.com> wrote:
> I have multiple clients in my network and a server with dhcp, shorewall, ....
> I wanted the server to be a really tight firewall.
>
> So I created this /etc/shorewall/policy file:
>
>     loc   net   DROP
>     loc   loc   ACCEPT
>     loc   fw    ACCEPT
>     fw    all   ACCEPT
>     net   all   DROP
>     all   all   REJECT

You do realize that this is really not a tight firewall. Giving your whole local network access to anything on the firewall is not a good idea. Also, for a 'tight' system, I would restrict outgoing requests from the firewall, at least to the net. And why do you have a 'loc loc ACCEPT' policy? Wouldn't that be only needed for bridges?

You might be ok with your current setup, and I don't mean to criticize, but please don't call it tight :-)

~David
I added this line
>> loc loc ACCEPT
because I didn't know if the firewall could/would do anything if I want to send files from one client to another.

And those are ok (I think so)
>> loc fw ACCEPT
>> fw all ACCEPT
because I know exactly what services are running on my server and I didn't want to bother writing rules for each one of them.

On 28.03.2007 at 18:30, David Mohr wrote:
> You do realize that this is really not a tight firewall. Giving your whole local network access to anything on the firewall is not a good idea. Also, for a 'tight' system, I would restrict outgoing requests from the firewall, at least to the net. And why do you have a 'loc loc ACCEPT' policy? Wouldn't that be only needed for bridges?
>
> You might be ok with your current setup, and I don't mean to criticize, but please don't call it tight :-)
In the dump you sent, I see

tcp      6 431984 ESTABLISHED src=192.168.0.11 dst=209.85.129.147 sport=1092 dport=80 packets=5 bytes=711 src=209.85.129.147 dst=89.62.111.143 sport=80 dport=1092 packets=4 bytes=2376 [ASSURED] mark=0 use=1

which implies that the connection was established and packets exchanged.

However, I don't see any other established connections from 192.168.0.11.

Can you check syslog or shorewall.log to see if packets are getting dropped for any reason?

A tcpdump on eth1 might be useful.

    tcpdump -n -i eth1 host 192.168.0.11

and then try to open a webpage from 192.168.0.11

Prasanna.

On 3/28/07, Toralf Niebuhr <gmThor85@aim.com> wrote:
> I added this line
> >> loc loc ACCEPT
> because I didn't know if the firewall could/would do anything if I want to send files from one client to another.
>
> And those are ok (I think so)
> >> loc fw ACCEPT
> >> fw all ACCEPT
> because I know exactly what services are running on my server and I didn't want to bother writing rules for each one of them.
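Reading a conntrack line from a shorewall dump by hand is error-prone, so here is an added example (not from the thread or from Shorewall itself) that parses such lines and groups them per LAN client, which makes "only one connection from 192.168.0.11" visible at a glance. The first sample line is the entry Prasanna quoted; the second UDP/DNS line is constructed for contrast.

```python
"""Parse conntrack entries from a shorewall dump and summarise per client.

Added example, not Shorewall tooling. Conntrack prints the original
direction first (src/dst as the client sent them) and the reply direction
second (post-NAT, as the remote host sees it); the second 'src=' key
marks the boundary between the two halves.
"""
import re
from collections import defaultdict

# Constructed sample: line 1 is the entry quoted in the thread,
# line 2 is a made-up DNS lookup from the working client to the router.
SAMPLE_DUMP = """\
tcp      6 431984 ESTABLISHED src=192.168.0.11 dst=209.85.129.147 sport=1092 dport=80 packets=5 bytes=711 src=209.85.129.147 dst=89.62.111.143 sport=80 dport=1092 packets=4 bytes=2376 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.0.10 dst=192.168.0.1 sport=1034 dport=53 packets=1 bytes=60 src=192.168.0.1 dst=192.168.0.10 sport=53 dport=1034 packets=1 bytes=120 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into protocol, state and both directions."""
    fields = line.split()
    proto = fields[0]
    # Only TCP entries carry a state column (4th field); UDP has none.
    state = fields[3] if proto == "tcp" else None
    pairs = KV.findall(line)
    src_idx = [i for i, (key, _) in enumerate(pairs) if key == "src"]
    orig = dict(pairs[src_idx[0]:src_idx[1]])
    reply = dict(pairs[src_idx[1]:])          # also picks up mark= and use=
    return {
        "proto": proto,
        "state": state,
        "assured": "[ASSURED]" in line,       # traffic seen in both directions
        "orig": orig,
        "reply": reply,
    }


def is_masqueraded(entry):
    """True when replies go to a different address than the original source,
    i.e. the firewall rewrote (SNAT/masqueraded) the connection."""
    return entry["reply"]["dst"] != entry["orig"]["src"]


def summarize(dump_text):
    """Map each original source IP to its list of parsed conntrack entries."""
    per_src = defaultdict(list)
    for line in dump_text.splitlines():
        if line.strip():
            entry = parse_entry(line)
            per_src[entry["orig"]["src"]].append(entry)
    return dict(per_src)


if __name__ == "__main__":
    for src, entries in summarize(SAMPLE_DUMP).items():
        for e in entries:
            print(src, e["proto"], e["state"], "->", e["orig"]["dst"],
                  "port", e["orig"]["dport"], "NAT" if is_masqueraded(e) else "")
```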
Toralf Niebuhr wrote:
> I added this line
>>> loc loc ACCEPT
> because I didn't know if the firewall could/would do anything if I want to send files from one client to another.

Unless you have a bridge and the client-client traffic goes through it, then you cannot do anything about that traffic. In a switched network, the server/firewall will not even see the packets.

> And those are ok (I think so)
>>> loc fw ACCEPT
>>> fw all ACCEPT
> because I know exactly what services are running on my server and I didn't want to bother writing rules for each one of them.

Then with all due respect you can't be bothered to do it properly. You either accept that your firewall is 'loose' or you do the work in selecting what outbound connections are allowed. If you know what you are running then it's easy to write rules to allow it, only then can you claim to be running a tight firewall - the reason for controlling outbound connections is not to allow what you know you're running, but to prevent what you don't know about (either now or at some point in the future).
> So I created this /etc/shorewall/policy file:
>
>     loc   net   DROP
>     loc   loc   ACCEPT
>     loc   fw    ACCEPT
>     fw    all   ACCEPT
>     net   all   DROP
>     all   all   REJECT

I haven't looked at any of your dump (nor do I know how to read it), but your logs will probably be a lot more useful if you change your policy file to this:

    loc   net   DROP    info
    loc   loc   ACCEPT
    loc   fw    ACCEPT
    fw    all   ACCEPT
    net   all   DROP    info
    all   all   REJECT  info

Although, as others have mentioned, the following rules are kind of a bad idea or not needed IMHO:

    loc   loc   ACCEPT
    loc   fw    ACCEPT
    fw    all   ACCEPT

Particularly the loc->fw ACCEPT policy is a bad idea. It's much better to just add a couple of rules instead.

For more tips, see PPPPPPS at http://linuxman.wikispaces.com/PPPPPPS

-Russel
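The three replies above all point at the same two things in the policy file: ACCEPT policies that are broader than they need to be, and DROP/REJECT policies that log nothing. As an added example (not Shorewall's own tooling and not from this thread), the script below parses a /etc/shorewall/policy file, reports those findings, and emits the version with 'info' logging that Russel suggested; the policy text it runs against is the one posted at the start of the thread.

```python
"""Audit a Shorewall /etc/shorewall/policy file for loose ACCEPT policies
and DROP/REJECT policies that do not log.

Added example, not Shorewall code. Columns are SOURCE DEST POLICY
[LOGLEVEL]; the checks encode the advice given in this thread.
"""

# Constructed from the policy file posted at the start of the thread.
ORIGINAL_POLICY = """\
# SOURCE  DEST  POLICY  LOGLEVEL
loc   net   DROP
loc   loc   ACCEPT
loc   fw    ACCEPT
fw    all   ACCEPT
net   all   DROP
all   all   REJECT
"""


def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        src, dst, pol = parts[:3]
        log = parts[3] if len(parts) > 3 else None
        entries.append((src, dst, pol.upper(), log))
    return entries


def audit(entries):
    """Return (policy line, reason) findings in file order."""
    findings = []
    for src, dst, pol, log in entries:
        text = f"{src} {dst} {pol}"
        if pol == "ACCEPT" and dst == "fw":
            # Every host in the zone may reach every service on the firewall.
            findings.append((text, "zone may reach every service on the firewall; use explicit rules"))
        elif pol == "ACCEPT" and src == "fw":
            # Anything running on the firewall may connect out unchecked.
            findings.append((text, "unrestricted outbound from the firewall; restrict at least fw->net"))
        elif pol == "ACCEPT" and src == dst:
            # Intra-zone traffic only passes the firewall on a bridge.
            findings.append((text, "intra-zone policy only matters for a bridge; otherwise unneeded"))
        if pol in ("DROP", "REJECT") and log is None:
            findings.append((text, "no LOGLEVEL; add 'info' so dropped packets appear in the log"))
    return findings


def tighten(entries):
    """Rewrite the policy with 'info' logging on every DROP/REJECT line."""
    out = []
    for src, dst, pol, log in entries:
        if pol in ("DROP", "REJECT") and log is None:
            log = "info"
        out.append("\t".join(col for col in (src, dst, pol, log) if col))
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_policy(ORIGINAL_POLICY)
    for line, reason in audit(parsed):
        print(f"{line:20} {reason}")
    print(tighten(parsed))
```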
Hi

I figured out my prob.
Even though I set up the option "option domain-name-servers 192.168.0.1;" in my dhcpd.conf, all my windows based clients thought it was smart to use another dns server. (my mac notebook worked just fine)
I manually changed all of their dns-servers now to the router ip and everything works fine.

Thanks guys

Toralf

On 28.03.2007 at 18:52, Prasanna Krishnamoorthy wrote:
> However, I don't see any other established connections from 192.168.0.11.
>
> Can you check syslog or shorewall.log to see if packets are getting dropped for any reason?
>
> A tcpdump on eth1 might be useful.
>
>     tcpdump -n -i eth1 host 192.168.0.11
>
> and then try to open a webpage from 192.168.0.11