David wrote:
In the future, please send your problem report to the Shorewall Users
list. If you are paranoid about posting your configuration to the list,
you can send the dump OUTPUT to support@shorewall.net.
> I recently installed Engarde Secure Linux, version 3.0.18.i868, on an HP
> Pavilion 523n desktop PC. Has an AMD Athlon 2200+ processor. Nothing
> else is installed on the machine.
>
> Can't get NAT working.
I think NAT is working fine -- the problem appears to be that you
haven't configured your firewall rules to allow DNS.
From the log:
Feb 17 11:28:08 fw2ext:REJECT:IN= OUT=eth0 SRC=72.90.81.14
DST=68.237.161.12 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=5339 DF PROTO=UDP
SPT=32768 DPT=53 LEN=50
Feb 17 11:28:10 int2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.45
DST=192.168.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=24304 PROTO=UDP
SPT=1212 DPT=53 LEN=39
> The machine came with a NIC built in and I installed an additional card to use as the external connection. Engarde
> sees both cards and configures them properly. The overall install is
> flawless, no problems, but again, no NAT. I'm using static IPs
> internally and externally.
>
> Engarde comes with version 3.2 of Shorewall. I downloaded your document
> 'Basic Two-Interface Firewall' and made a few changes to
> Engarde's setup.
> Namely, in /etc/shorewall/interfaces I replaced the
> 'detect' with the
> actual IP addresses, in /etc/shorewall/masq I added the external IP
> address to the 3rd column and in /etc/shorewall/shorewall.conf I set
> ADD_SNAT_ALIASES=Yes.
It appears that you are running a DNS server on your firewall yet you
haven't enabled DNS from the local net (int zone) to the firewall or
from the firewall to the internet (ext zone).
>
> Made no difference. In /etc/shorewall/shorewall.conf I then set
> CLAMPMSS=Yes. Again, no difference.
>
> My external connection consists of a Verizon Fios fiber optic line.
> I'm
> not sure of the connectivity issue, that's why I tried the
> CLAMPMSS. My
> previous connection was a DSL line and that was PPPoE. This new line
> comes into a box and is converted to a standard RJ45 jack.
>
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
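As an added example (not part of the thread or of Shorewall itself), a small Python script that parses Shorewall REJECT entries like the two quoted above, groups them by zone pair, protocol and destination port, and drafts the /etc/shorewall/rules lines an administrator would review before adding them. The `<src>2<dst>` chain naming and the `$FW` placeholder follow Shorewall conventions; the sample log is the thread's two entries rejoined onto single lines, and zone names are assumed to consist of lower-case letters.

```python
import re
from collections import Counter

# Constructed sample input: the two REJECT entries quoted in the thread,
# each rejoined onto one line as syslog writes them.
SAMPLE_LOG = """\
Feb 17 11:28:08 fw2ext:REJECT:IN= OUT=eth0 SRC=72.90.81.14 DST=68.237.161.12 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=5339 DF PROTO=UDP SPT=32768 DPT=53 LEN=50
Feb 17 11:28:10 int2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.45 DST=192.168.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=24304 PROTO=UDP SPT=1212 DPT=53 LEN=39
"""

# Shorewall names zone-to-zone chains <src>2<dst>; the log prefix is
# <chain>:<disposition>:. Zone names are assumed to be lower-case letters.
ENTRY_RE = re.compile(
    r"(?P<src>[a-z]+)2(?P<dst>[a-z]+):(?P<disp>ACCEPT|DROP|REJECT):"
    r".*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dport>\d+))?"
)

def parse_rejects(log_text):
    """Return one dict per REJECT/DROP entry: src zone, dst zone, proto, dport."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m or m.group("disp") == "ACCEPT":
            continue
        entries.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto").lower(),
            "dport": int(m.group("dport")) if m.group("dport") else None,
        })
    return entries

def summarize(entries):
    """Count rejected flows per (src zone, dst zone, proto, dport)."""
    return Counter((e["src"], e["dst"], e["proto"], e["dport"]) for e in entries)

def suggest_rules(entries, fw_zone="fw"):
    """Draft /etc/shorewall/rules lines (ACTION SOURCE DEST PROTO DPORT) that
    would permit each distinct rejected flow; 'fw' is mapped to $FW (assumed
    default firewall zone name). Output is for review, not applied anywhere."""
    def zone(z):
        return "$FW" if z == fw_zone else z
    rules = []
    for (src, dst, proto, dport) in summarize(entries):
        port = str(dport) if dport is not None else "-"
        rules.append(f"ACCEPT  {zone(src)}  {zone(dst)}  {proto}  {port}")
    return rules

if __name__ == "__main__":
    found = parse_rejects(SAMPLE_LOG)
    for flow, n in summarize(found).items():
        print(n, "rejected:", flow)
    print("\n".join(suggest_rules(found)))
```

On the thread's log the script yields exactly the two DNS rules Tom describes as missing: firewall to ext and int to firewall, both udp/53.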