I'm new to shorewall or any ip-config/network type configuration, so I apologize ahead for any mistakes in terms. I've decided that I will turn an old desktop of mine into a wireless router and torrent box. I installed shorewall and looked at the documentation and the sample two-interface configuration. The wireless card is a madwifi one (ath_pci) and I can connect to it and get an ip from it from dnsmasq. An ethernet port gets the internet.

Now, when I wirelessly connect to my desktop router, I have complete access to the local network. I can ping the box and ssh into it. The box gets internet and can torrent (I made the suggested modifications from the guide).

However when I try to ping anything, say google.com, I get rejected and lines like this in my log:

> Shorewall:loc2fw:REJECT:IN=ath0 OUT= MAC=..... SRC=10.0.0.2 DST=10.0.0.1 ....

So something is misconfigured because it's looking in $FW for google. When I change the policy line from:

> loc $FW REJECT info

to

> loc $FW ACCEPT

Suddenly the machine can get google's ip, but it still can't ping it. I don't know what files would be important to post here, or what would be helpful, but I'm confused as to why it's doing things this way.

I'm using Arch Linux with Shorewall version 4.0.13. My configuration files are the two-interface ones with eth0 (net) becoming eth1 and eth1 (net) becoming ath0.

--
- Simon Gomizelj

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Mon, Nov 17, 2008 at 02:56:15PM -0500, Simon Gomizelj wrote:
> So something is misconfigured because it's looking in $FW for google. When I
> change the policy line from:
>
> > loc $FW REJECT info
> to
> > loc $FW ACCEPT
>

I am very new to Shorewall so I apologize if I am wrong, but by doing this you are enabling internet access from your local network past the firewall, but you should still look in /etc/shorewall/rules for icmp/ping entries. You are probably somehow blocking ping.

--
Follow my Tweets at http://twitter.com/pobega

AIM:BlockMeHarder MSN:pobega@gmail.com JIM:pobega@jaim.at
SIP:pobega@ekiga.net ICQ:467047394
On Mon, Nov 17, 2008 at 03:27:06PM -0500, Michael Pobega wrote:
> On Mon, Nov 17, 2008 at 02:56:15PM -0500, Simon Gomizelj wrote:
> > So something is misconfigured because it's looking in $FW for google. When I
> > change the policy line from:
> >
> > > loc $FW REJECT info
> > to
> > > loc $FW ACCEPT
> >
>
> I am very new to Shorewall so I apologize if I am wrong, but by doing
> this you are enabling internet access from your local network past the
> firewall, but you should still look in /etc/shorewall/rules for
> icmp/ping entries. You are probably somehow blocking ping.
>
> --
> Follow my Tweets at http://twitter.com/pobega
>
> AIM:BlockMeHarder MSN:pobega@gmail.com JIM:pobega@jaim.at
> SIP:pobega@ekiga.net ICQ:467047394

The only ping-related rule is to drop anything coming from the outside in:

- Ping/DROP net $FW

If it helps, these are my policies:

- loc net ACCEPT
- loc $fw REJECT info <== changing this line to ACCEPT allows machines in loc to do DNS lookups. But still no internet or pinging
- loc all REJECT info

- $FM net ACCEPT
- $FM loc REJECT info
- $FM all REJECT info

- net $FM ACCEPT
- new loc DROP info
- net all DROP info

- all all REJECT info

and this is my interface list:

- net eth1 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
- loc ath0 detect dhcp,tcpflags,nosmurfs

I was thinking, and this is a noobish question, and I understand shorewall is a firewall, but do I explicitly have to open http access?

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
- Simon Gomizelj
Simon Gomizelj wrote:
> However when I try to ping anything, say google.com, I get rejected and lines
> like this in my log:
>
> > Shorewall:loc2fw:REJECT:IN=ath0 OUT= MAC=..... SRC=10.0.0.2 DST=10.0.0.1 ....

See Shorewall FAQ 17 -- it tells you how to interpret these messages. Note the "DST=10.0.0.1". That means that the DESTINATION IP ADDRESS IS 10.0.0.1. That is NOT an IP address used by google.com. That is an IP address reserved by RFC 1918 and is likely an IP address used by your firewall. So either DNS name resolution is completely broken or you have some sort of unwise DNAT rule.

> So something is misconfigured because it's looking in $FW for google. When I
> change the policy line from:
>
> > loc $FW REJECT info
> to
> > loc $FW ACCEPT
>
> Suddenly the machine can get google's ip, but it still can't ping it.

What does 'can get google's IP' mean? I guess it means that DNS resolution from the source host now works? So does that change the log messages when you try to ping?

> I don't
> know what files would be important to post here, or what would be helpful,

To post on this list, you must subscribe to the list. When you subscribed, you received a welcome post that instructed you to read http://www.shorewall.net/support.htm before posting. I'm guessing that you didn't do that.

http://www.shorewall.net/support.htm asks that for connection problems, you post the output of "shorewall dump" collected in a particular way and accompanied by certain information that is useful in diagnosing your problem.
Caveat: This is just a guess. Really. :)

On Mon, 2008-11-17 at 14:56 -0500, Simon Gomizelj wrote:
> Now, when I wirelessly connect to my desktop router, I have complete access to
> the local network. I can ping the box and ssh into it. The box gets internet
> and can torrent (I made the suggested modifications from the guide).
>
> However when I try to ping anything, say google.com, I get rejected and lines
> like this in my log:
>
> > Shorewall:loc2fw:REJECT:IN=ath0 OUT= MAC=..... SRC=10.0.0.2 DST=10.0.0.1 ....

You snipped some important parts, but my guess is that this is a DNS query, port 53 (assuming DHCP and announcing a local DNS on the FW).

> So something is misconfigured because it's looking in $FW for google. When I
> change the policy line from:
>
> > loc $FW REJECT info
> to
> > loc $FW ACCEPT
>
> Suddenly the machine can get google's ip, but it still can't ping it.
  ^^^^^^^^^^^^^^^^^^^
Supports the above guess about DNS. You didn't show your rules, so I further guess that you don't ACCEPT DNS traffic from the loc zone.

Moreover I guess that the reason why you can't access *any* service on the Internet from a machine in your loc zone is that you didn't configure /etc/shorewall/masq at all (or got INTERFACE and SOURCE reverted).

That much for my crystal ball today. :)

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
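The two diagnostic steps the replies in this thread describe (reading the zone pair, action and DST address out of a Shorewall log line as FAQ 17 explains, and then checking which /etc/shorewall/policy entry covers that zone pair) can be scripted so that a flood of loc2fw REJECT lines is reduced to a short summary. The Python below is an added example, not code from the thread or from the Shorewall project. Its log lines are constructed (the MAC and the fields after DST=, which the original post elided, are made up), the policy table is modelled on the one Simon posted with zone names written as they appear in chain names ("fw" for $FW), and the service names in classify() are a small illustrative mapping rather than Shorewall's own macro list.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the one quoted in the thread.
# The original post elided the MAC and the trailing fields, so the values
# after DST= here are made up (a DNS query, an ICMP echo, an inbound SYN).
SAMPLE_LOGS = [
    "Nov 17 14:40:01 router kernel: Shorewall:loc2fw:REJECT:IN=ath0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.2 DST=10.0.0.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=33000 DPT=53 LEN=40",
    "Nov 17 14:40:02 router kernel: Shorewall:loc2fw:REJECT:IN=ath0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.2 DST=10.0.0.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "Nov 17 14:40:03 router kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=4444 DPT=22 SYN",
]

# Policy table modelled on the one posted in the thread, in the order of
# /etc/shorewall/policy: (SOURCE, DEST, POLICY).  Zone names are written as
# they appear in Shorewall chain names, so $FW is "fw".
POLICIES = [
    ("loc", "net", "ACCEPT"),
    ("loc", "fw", "REJECT"),
    ("loc", "all", "REJECT"),
    ("fw", "net", "ACCEPT"),
    ("fw", "loc", "REJECT"),
    ("fw", "all", "REJECT"),
    ("net", "fw", "ACCEPT"),
    ("net", "loc", "DROP"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<action>\w+):(?P<rest>.*)$")


def parse_log_line(line):
    """Split a Shorewall log line into chain, action, zone pair and netfilter fields."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:                      # flags such as DF or SYN carry no "="
            key, _, value = token.partition("=")
            fields.setdefault(key, value)     # keep the first LEN= (the IP header's)
    # Zone-pair chains are named <source>2<dest>, e.g. loc2fw, net2all.
    src_zone, _, dst_zone = m.group("chain").partition("2")
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src_zone": src_zone, "dst_zone": dst_zone, "fields": fields}


def is_rfc1918(address):
    """True for the private ranges of RFC 1918 (the check made in the thread)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)


def classify(fields):
    """Name the service from PROTO/DPT/TYPE, the fields the quoted excerpt left out."""
    proto = fields.get("PROTO", "?")
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return "ping (ICMP echo-request)"
    if proto in ("UDP", "TCP") and fields.get("DPT") == "53":
        return "DNS (%s/53)" % proto
    if proto == "TCP" and fields.get("DPT") == "22":
        return "SSH (TCP/22)"
    return "%s dport %s" % (proto, fields.get("DPT", "-"))


def policy_for(src_zone, dst_zone, policies=POLICIES):
    """First policy entry that covers the zone pair, as Shorewall would apply it."""
    for source, dest, policy in policies:
        if source in (src_zone, "all") and dest in (dst_zone, "all"):
            return policy
    return None


def explain(line, policies=POLICIES):
    """Reduce one log line to the facts the thread asks about."""
    entry = parse_log_line(line)
    if entry is None:
        return None
    fields = entry["fields"]
    return {
        "zone_pair": "%s->%s" % (entry["src_zone"], entry["dst_zone"]),
        "action": entry["action"],
        "service": classify(fields),
        "dst_is_rfc1918": is_rfc1918(fields["DST"]),
        "policy": policy_for(entry["src_zone"], entry["dst_zone"], policies),
    }


def summarize(lines, policies=POLICIES):
    """Count log lines per (zone pair, service, action) to see what is being hit."""
    counts = {}
    for line in lines:
        e = explain(line, policies)
        if e is not None:
            key = (e["zone_pair"], e["service"], e["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = explain(line)
        where = "RFC 1918 (local/firewall side)" if e["dst_is_rfc1918"] else "not RFC 1918"
        print("%-8s %-6s %-26s DST is %s; policy for the pair is %s"
              % (e["zone_pair"], e["action"], e["service"], where, e["policy"]))
    for (pair, service, action), n in sorted(summarize(SAMPLE_LOGS).items()):
        print("%d x %s %s %s" % (n, pair, action, service))
```

Run against the first two constructed lines, the report shows loc->fw REJECT for DNS (UDP/53) and for ping, both with an RFC 1918 destination, which is exactly the reading the replies give: the client is talking to the firewall itself (its dnsmasq resolver), and the loc to $FW policy is REJECT, so the fix belongs in /etc/shorewall/rules for that zone pair rather than in a policy change. The summarize() counts are the quickest way to tell whether a log flood is one service or many.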