I started shorewall, rebooted, and SSH connections from the internal net were refused. From the console I had to stop shorewall and iptables to get in with SSH again.

Note for below, interface Int is working and is how I am connected to the gateway. Interface Ext is connected to a switch that has no other connections. This is so the interface will come up, but nothing will happen on it.

Policy:
all    fw     DROP     info
fw     all    DROP     info
Int    Ext    ACCEPT
Ext    Int    ACCEPT

rules:
SECTION NEW
ACCEPT    all    all    icmp
ACCEPT    all    fw     tcp    7722
ACCEPT    all    fw     tcp    10000
ACCEPT    Int    fw     tcp    5902:5903
ACCEPT    Ext    fw     tcp    5902:5903

Rules are supposed to override Policy, per http://www.shorewall.net/manpages/shorewall-rules.html:

"Entries in this file govern connection establishment by defining exceptions to the policies laid out in shorewall-policy <http://www.shorewall.net/manpages/shorewall-policy.html>(5)."

so why does

ssh 1.2.3.4 -p 7722

get a connection refused?

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
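To see what the quoted manpage sentence means in practice, here is an added example (not code from the thread or from the Shorewall project): a deliberately simplified, offline model of the rules-then-policy lookup, fed with constructed copies of the poster's two tables. It walks the rules file first and takes the first match; only when no rule matches does it fall back to the first matching policy line. Real Shorewall has many more columns, macros and sections, so treat this as an illustration of the precedence, not as a reimplementation. Run against the poster's own question, it confirms that the rule for tcp/7722 does match Int-to-fw traffic, which is why the thread goes on to look for the cause somewhere other than the rules file.

```shell
#!/bin/sh
# Added example: simplified evaluator of Shorewall's "rules first, then policy"
# lookup. Input tables below are constructed copies of the poster's entries.

RULES='
ACCEPT all all icmp
ACCEPT all fw tcp 7722
ACCEPT all fw tcp 10000
ACCEPT Int fw tcp 5902:5903
ACCEPT Ext fw tcp 5902:5903
'
POLICY='
all fw DROP info
fw all DROP info
Int Ext ACCEPT
Ext Int ACCEPT
'

# decide SRC DST PROTO [PORT]
# Prints the action that applies and where it came from:
#   "<ACTION> (rule)"   first matching line in the rules table
#   "<ACTION> (policy)" first matching line in the policy table (no rule matched)
decide() {
    src=$1; dst=$2; proto=$3; port=${4:-}

    # Pass 1: the rules table. A zone column matches when it equals the
    # queried zone or is the wildcard "all"; a port column may be a single
    # port or a low:high range. First match wins.
    if printf '%s\n' "$RULES" | awk -v s="$src" -v d="$dst" -v p="$proto" -v port="$port" '
        NF < 4 { next }
        ($2 == "all" || $2 == s) && ($3 == "all" || $3 == d) && ($4 == p) {
            if (NF < 5) { print $1 " (rule)"; found = 1; exit }
            n = split($5, r, ":")
            lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (port != "" && port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                print $1 " (rule)"; found = 1; exit
            }
        }
        END { if (!found) exit 1 }
    '; then
        return 0
    fi

    # Pass 2: no rule matched, so the first matching policy line decides.
    printf '%s\n' "$POLICY" | awk -v s="$src" -v d="$dst" '
        NF < 3 { next }
        ($1 == "all" || $1 == s) && ($2 == "all" || $2 == d) { print $3 " (policy)"; exit }
    '
}

# The poster's case: SSH on the non-standard port from the internal zone.
decide Int fw tcp 7722     # ACCEPT (rule)
# A port with no rule falls through to the "all fw DROP" policy.
decide Int fw tcp 22       # DROP (policy)
```

`decide Int fw tcp 7722` answers ACCEPT from the rules table, so with this ruleset loaded a "connection refused" cannot be coming from the policy; the later replies in the thread (a second service redefining the ruleset, and what `shorewall stop` actually leaves in place) are the places to look.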
Robert Moskowitz wrote:
> I started shorewall, rebooted, and SSH connections from the internal net
> were refused. From the console I had to stop shorewall and iptables to
> get in with SSH again.
>
> Note for below, interface Int is working and is how I am connected to
> the gateway. Interface Ext is connected to a switch that has no other
> connections. This is so the interface will come up, but nothing will
> happen on it.
>
> Policy:
> all    fw     DROP     info
> fw     all    DROP     info
> Int    Ext    ACCEPT
> Ext    Int    ACCEPT
>
> rules:
> SECTION NEW
> ACCEPT    all    all    icmp
> ACCEPT    all    fw     tcp    7722
> ACCEPT    all    fw     tcp    10000
> ACCEPT    Int    fw     tcp    5902:5903
> ACCEPT    Ext    fw     tcp    5902:5903
>
> Rules are supposed to override Policy, per
> http://www.shorewall.net/manpages/shorewall-rules.html:
>
> "Entries in this file govern connection establishment by defining
> exceptions to the policies laid out in shorewall-policy
> <http://www.shorewall.net/manpages/shorewall-policy.html>(5)."
>
> so why does
>
> ssh 1.2.3.4 -p 7722
>
> get a connection refused?

Have you configured the SSH daemon to listen on port 7722?

Regards,

Steve.
Robert Moskowitz wrote:
> I started shorewall, rebooted, and SSH connections from the internal net
> were refused. From the console I had to stop shorewall and iptables to
> get in with SSH again.

shorewall AND iptables? You should start one or the other; never both.

> so why does
>
> ssh 1.2.3.4 -p 7722
>
> get a connection refused?

Look at your log!!!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Robert Moskowitz wrote:
>> I started shorewall, rebooted, and SSH connections from the internal
>> net were refused. From the console I had to stop shorewall and
>> iptables to get in with SSH again.
>
> shorewall AND iptables? You should start one or the other; never both.

Oh. So I stop iptables before I start shorewall?

>> so why does
>>
>> ssh 1.2.3.4 -p 7722
>>
>> get a connection refused?
>
> Look at your log!!!

I did not see anything in /var/log/messages that would pertain to what is happening. Probably have to change from 'info' to 'debug'?
lists_shorewall wrote:
> Robert Moskowitz wrote:
>
>> I started shorewall, rebooted, and SSH connections from the internal net
>> were refused. From the console I had to stop shorewall and iptables to
>> get in with SSH again.
>>
>> Note for below, interface Int is working and is how I am connected to
>> the gateway. Interface Ext is connected to a switch that has no other
>> connections. This is so the interface will come up, but nothing will
>> happen on it.
>>
>> Policy:
>> all    fw     DROP     info
>> fw     all    DROP     info
>> Int    Ext    ACCEPT
>> Ext    Int    ACCEPT
>>
>> rules:
>> SECTION NEW
>> ACCEPT    all    all    icmp
>> ACCEPT    all    fw     tcp    7722
>> ACCEPT    all    fw     tcp    10000
>> ACCEPT    Int    fw     tcp    5902:5903
>> ACCEPT    Ext    fw     tcp    5902:5903
>>
>> Rules are supposed to override Policy, per
>> http://www.shorewall.net/manpages/shorewall-rules.html:
>>
>> "Entries in this file govern connection establishment by defining
>> exceptions to the policies laid out in shorewall-policy
>> <http://www.shorewall.net/manpages/shorewall-policy.html>(5)."
>>
>> so why does
>>
>> ssh 1.2.3.4 -p 7722
>>
>> get a connection refused?
>
> Have you configured the SSH daemon to listen on port 7722?

That was the port I was using all along for SSH.
Robert Moskowitz wrote:
> Tom Eastep wrote:
>> Robert Moskowitz wrote:
>>> I started shorewall, rebooted, and SSH connections from the internal
>>> net were refused. From the console I had to stop shorewall and
>>> iptables to get in with SSH again.
>> shorewall AND iptables? You should start one or the other; never both.
> Oh. So I stop iptables before I start shorewall?
>>> so why does
>>>
>>> ssh 1.2.3.4 -p 7722
>>>
>>> get a connection refused?
>>
>> Look at your log!!!
> I did not see anything in /var/log/messages that would pertain to what
> is happening. Probably have to change from 'info' to 'debug'?

No. The log level has nothing whatsoever to do with verbosity of the messages.

What DO you see in your log when you try to connect?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Robert Moskowitz wrote:
> Tom Eastep wrote:
>> Robert Moskowitz wrote:
>>> I started shorewall, rebooted, and SSH connections from the internal
>>> net were refused. From the console I had to stop shorewall and
>>> iptables to get in with SSH again.
>> shorewall AND iptables? You should start one or the other; never both.
> Oh. So I stop iptables before I start shorewall?

Yes. You should disable the iptables service if you are going to use Shorewall. Because if iptables starts after shorewall, it will be iptables that defines the ruleset, not Shorewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
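The check implied by the advice above, written here as an added example that is not from the thread or the Shorewall project: on a SysV-init box of this era the enabled services per runlevel are listed by `chkconfig --list`, and the thing to look for is any runlevel in which both `iptables` and `shorewall` are switched on. The function below parses a constructed sample of that output (the real command is not run, so the example works offline) and prints the runlevels where the two services would both start.

```shell
#!/bin/sh
# Added example: find runlevels in which two SysV services are both enabled.
# SERVICES is a constructed sample in the layout of `chkconfig --list`;
# on a live system you would feed it the real output instead.
SERVICES='
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
'

# both_enabled SERVICE_A SERVICE_B
# Prints the space-separated runlevels where both services are "on",
# or nothing when there is no overlap.
both_enabled() {
    printf '%s\n' "$SERVICES" | awk -v a="$1" -v b="$2" '
        $1 == a || $1 == b {
            # remaining fields look like "3:on" / "3:off"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[2] == "on") on[$1, kv[1]] = 1
            }
        }
        END {
            sep = ""
            for (lvl = 0; lvl <= 6; lvl++)
                if (on[a, lvl] && on[b, lvl]) { printf "%s%s", sep, lvl; sep = " " }
            if (sep != "") print ""
        }
    '
}

# Report in plain words whether the two firewall services collide.
check_firewall_services() {
    levels=$(both_enabled iptables shorewall)
    if [ -n "$levels" ]; then
        echo "iptables and shorewall are both enabled in runlevels: $levels"
    else
        echo "no runlevel starts both iptables and shorewall"
    fi
}

check_firewall_services   # with the sample above: both enabled in 2 3 4 5
```

Whichever of the two services is started second ends up owning the kernel ruleset, so any runlevel listed by `both_enabled iptables shorewall` is one where the rules you wrote for Shorewall may be silently replaced at boot.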
Tom Eastep wrote:
> Robert Moskowitz wrote:
>> Tom Eastep wrote:
>>> Robert Moskowitz wrote:
>>>> I started shorewall, rebooted, and SSH connections from the internal
>>>> net were refused. From the console I had to stop shorewall and
>>>> iptables to get in with SSH again.
>>> shorewall AND iptables? You should start one or the other; never both.
>> Oh. So I stop iptables before I start shorewall?
>
> Yes. You should disable the iptables service if you are going to use
> Shorewall. Because if iptables starts after shorewall, it will be
> iptables that defines the ruleset, not Shorewall.

And always remember that "shorewall stop" does not open the firewall; it places it in a 'safe' state controlled by the ADMINISABSENTMINDED setting in shorewall.conf and the /etc/shorewall/routestopped file.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Robert Moskowitz wrote:
>> Tom Eastep wrote:
>>> Robert Moskowitz wrote:
>>>> I started shorewall, rebooted, and SSH connections from the
>>>> internal net were refused. From the console I had to stop
>>>> shorewall and iptables to get in with SSH again.
>>> shorewall AND iptables? You should start one or the other; never both.
>> Oh. So I stop iptables before I start shorewall?
>>>> so why does
>>>>
>>>> ssh 1.2.3.4 -p 7722
>>>>
>>>> get a connection refused?
>>>
>>> Look at your log!!!
>> I did not see anything in /var/log/messages that would pertain to
>> what is happening. Probably have to change from 'info' to 'debug'?
>
> No. The log level has nothing whatsoever to do with verbosity of the
> messages.
>
> What DO you see in your log when you try to connect?

Jul  4 16:38:58 enter2 smartd[5152]: smartd has fork()ed into background mode. New PID=5152.
Jul  4 16:40:45 enter2 root: Shorewall Stopped

Note that there is NOTHING there between the last message from the boot process to my stopping shorewall.

Once I stopped shorewall, I went from connection refused to connection timed out. Then I stopped iptables:

Jul  4 16:46:56 enter2 kernel: ip_nat_pptp version 3.0 unloaded
Jul  4 16:46:56 enter2 kernel: ip_conntrack_pptp version 3.1 unloaded
Jul  4 16:46:58 enter2 kernel: Removing netfilter NETLINK layer.

And then I could SSH in.

From what you said earlier, I should stop the iptables service and just use shorewall? I thought that shorewall just set iptables then terminated. I guess I better read those docs again. Been about 6 months and a lot of other software in between...

BTW, I am signing off for now, will be back Saturday night.
Tom Eastep wrote:
> Tom Eastep wrote:
>> Robert Moskowitz wrote:
>>> Tom Eastep wrote:
>>>> Robert Moskowitz wrote:
>>>>> I started shorewall, rebooted, and SSH connections from the
>>>>> internal net were refused. From the console I had to stop
>>>>> shorewall and iptables to get in with SSH again.
>>>> shorewall AND iptables? You should start one or the other; never both.
>>> Oh. So I stop iptables before I start shorewall?
>>
>> Yes. You should disable the iptables service if you are going to use
>> Shorewall. Because if iptables starts after shorewall, it will be
>> iptables that defines the ruleset, not Shorewall.
>
> And always remember that "shorewall stop" does not open the firewall;
> it places it in a 'safe' state controlled by the ADMINISABSENTMINDED
> setting in shorewall.conf and the /etc/shorewall/routestopped file.

OK. Some stuff to try Saturday night.
Just want to let you know that everything SEEMS to be working now. I stopped iptables from running, started shorewall, and rebooted. Things seem to work right. Will know tomorrow when I work with my ISP to make this my new access router!

Tom Eastep wrote:
> Robert Moskowitz wrote:
>> Tom Eastep wrote:
>>> Robert Moskowitz wrote:
>>>> I started shorewall, rebooted, and SSH connections from the
>>>> internal net were refused. From the console I had to stop
>>>> shorewall and iptables to get in with SSH again.
>>> shorewall AND iptables? You should start one or the other; never both.
>> Oh. So I stop iptables before I start shorewall?
>
> Yes. You should disable the iptables service if you are going to use
> Shorewall. Because if iptables starts after shorewall, it will be
> iptables that defines the ruleset, not Shorewall.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users