I just did a hw upgrade on my FW (new cpu, mb etc.) but without reinstall of my debian system.

But after my upgrade I can't get access to the internet through the fw.

1. I can ping the FW from loc,
2. I can ping net from FW
3. I can't ping loc from FW? (ICMP host unreachable)
4. I can access the apache server running on FW from both loc and net

I can't see where the error is, so I hope that someone here is able to help out.

I have a shorewall dump available at http://bowmo.dk/shorewall

Regards
Thomas

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
Thomas Mørch wrote:
> I just did a hw upgrade on my FW (new cpu, mb etc.) but without
> reinstall of my debian system.
>
> but after my upgrade I can't get access to the internet through the fw.
>
> 1. I can ping the FW from loc,
> 2. I can ping net from FW
> 3. I can't ping loc from FW? (ICMP host unreachable)
> 4. I can access the apache server running on FW from both loc and net

Can you do any of these things if you disable Shorewall (shorewall clear)?

The only Shorewall-related issue I see in the dump is that you don't have IP_FORWARDING=Yes in shorewall.conf, but that doesn't explain most of your problems. Sounds like you have a more basic IP configuration problem.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
2009/3/20 Tom Eastep <teastep@shorewall.net>
> Can you do any of these things if you disable Shorewall (shorewall clear)?

I tried to ping a host on loc, without shorewall loaded (shorewall clear), and it worked fine.
After I started shorewall I get: "From 192.168.2.12 icmp_seq=1 Destination Port Unreachable"
192.168.2.12 is the firewall's loc ip address. I tried to ping 192.168.2.20 on my loc net.

> The only Shorewall-related issue I see in the dump is that you don't
> have IP_FORWARDING=Yes in shorewall.conf but that doesn't explain most
> of your problems. Sounds like you have a more basic IP configuration
> problem.

Hmm.. I'll try to change the IP_FORWARDING from KEEP to On tomorrow. Could the default value of /proc/sys/net/ipv4/ip_forward have been changed by a kernel recompilation? (recompiled the kernel for the new hardware setup, but everything else is left as the old PC..)

/ Thomas
Thomas Mørch wrote:
> I tried to ping a host on loc, without shorewall loaded (shorewall
> clear), and it worked fine.
> After I started shorewall I get: "From 192.168.2.12 icmp_seq=1
> Destination Port Unreachable"
> 192.168.2.12 is the firewall's loc ip address. I tried to ping
> 192.168.2.20 on my loc net.

192.168.2.20 is not in the loc zone. It is in the stat zone and you have not enabled ping from fw->stat.

> Hmm.. I'll try to change the IP_FORWARDING from KEEP to On tomorrow.
> Could the default value of /proc/sys/net/ipv4/ip_forward have been
> changed by a kernel recompilation? (recompiled the kernel for the new
> hardware setup, but everything else is left as the old PC..)

Lenny has apparently made a mess of /proc/sys/net/ipv4/ip_forward -- there are a number of reports of problems in that area.

-Tom
2009/3/21 Tom Eastep <teastep@shorewall.net>
> 192.168.2.20 is not in the loc zone. It is in the stat zone and you have
> not enabled ping from fw->stat.

stat is defined as a nested zone within loc:

zones:
loc ipv4
kids:loc ipv4
voks:loc ipv4
stat:loc ipv4

and in hosts it's defined as a "subnet" of loc:

loc eth0:192.168.2.0/24
kids eth0:192.168.2.192/26
voks eth0:192.168.2.128/26
stat eth0:192.168.2.127/25

In my policy file I have set the nested zones to CONTINUE:

voks all CONTINUE
kids all CONTINUE
stat all CONTINUE

So I thought that if I have a rule that allows the fw to ping loc, then it would enable ping to the whole loc network (including voks/kids/stat zones).

Is this assumption wrong?

/ Thomas
Thomas Mørch wrote:
> stat is defined as a nested zone within loc:
> zones:
> loc ipv4
> kids:loc ipv4
> voks:loc ipv4
> stat:loc ipv4
> and in hosts it's defined as a "subnet" of loc:
> loc eth0:192.168.2.0/24
> kids eth0:192.168.2.192/26
> voks eth0:192.168.2.128/26
> stat eth0:192.168.2.127/25
> In my policy file I have set the nested zones to CONTINUE:
> voks all CONTINUE
> kids all CONTINUE
> stat all CONTINUE
> So I thought that if I have a rule that allows the fw to ping loc, then
> it would enable ping to the whole loc network (including voks/kids/stat
> zones).
>
> Is this assumption wrong?

Yes. fw->stat traffic matches none of those CONTINUE policies.

You would need to add

stat all CONTINUE
kids all CONTINUE
voks all CONTINUE

-Tom.
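An added model (not Shorewall's code, and not part of this thread) of the lookup Tom describes: the hosts table puts 192.168.2.20 in the nested stat zone rather than plain loc, and a policy row is matched on its SOURCE and DEST columns, so rows with stat/kids/voks only in the SOURCE column never match fw->stat traffic and the lookup never reaches the fw->loc rule. The fw loc ACCEPT, loc net ACCEPT and all all REJECT rows, and the fix rows that name the nested zones in the DEST column, are my assumptions about the intended configuration, not values from the dump.

```python
"""Constructed model of Shorewall zone lookup and CONTINUE policy
fall-through for the nested zones posted in this thread (not Shorewall code)."""
import ipaddress

# /etc/shorewall/zones as posted: child -> parent (fw and net have none).
PARENT = {"loc": None, "kids": "loc", "voks": "loc", "stat": "loc",
          "fw": None, "net": None}
# /etc/shorewall/hosts as posted; strict=False accepts 192.168.2.127/25.
HOSTS = [("loc", "192.168.2.0/24"), ("kids", "192.168.2.192/26"),
         ("voks", "192.168.2.128/26"), ("stat", "192.168.2.127/25")]
NETS = [(z, ipaddress.ip_network(n, strict=False)) for z, n in HOSTS]

def zone_of(ip):
    """The most specific matching hosts entry wins, so a nested zone is
    chosen before its parent; anything outside the hosts table is 'net'."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, zone) for zone, net in NETS if addr in net]
    return max(hits)[1] if hits else "net"

def policy_for(src, dst, policies):
    """Return the action of the first SOURCE DEST POLICY row matching the
    zone pair. CONTINUE re-evaluates the pair with the nested zone replaced
    by its parent, stepping the side the row named explicitly first."""
    for psrc, pdst, action in policies:
        if psrc not in (src, "all") or pdst not in (dst, "all"):
            continue
        if action != "CONTINUE":
            return action
        if psrc != "all" and PARENT.get(src):
            return policy_for(PARENT[src], dst, policies)
        if PARENT.get(dst):
            return policy_for(src, PARENT[dst], policies)
        if PARENT.get(src):
            return policy_for(PARENT[src], dst, policies)
        return "REJECT"  # nothing left to continue to
    return "REJECT"  # no row matched at all (assumed default)

# Policy rows as posted, plus assumed fw->loc / loc->net ACCEPT and catch-all.
POSTED = [("voks", "all", "CONTINUE"), ("kids", "all", "CONTINUE"),
          ("stat", "all", "CONTINUE"), ("fw", "loc", "ACCEPT"),
          ("loc", "net", "ACCEPT"), ("all", "all", "REJECT")]
# Assumed fix: CONTINUE rows that name the nested zones in the DEST column,
# so fw->stat falls through to the fw->loc row.
FIXED = [("all", "stat", "CONTINUE"), ("all", "kids", "CONTINUE"),
         ("all", "voks", "CONTINUE")] + POSTED

if __name__ == "__main__":
    zone = zone_of("192.168.2.20")  # -> 'stat', not 'loc'
    print(zone, policy_for("fw", zone, POSTED), policy_for("fw", zone, FIXED))
```

The same model shows why the posted rows already work for outbound traffic: kids->net hits "kids all CONTINUE" in the SOURCE column and falls through to the loc->net row.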
2009/3/21 Tom Eastep <teastep@shorewall.net>
> Yes. fw->stat traffic matches none of those CONTINUE policies.
>
> You would need to add
>
> stat all CONTINUE
> kids all CONTINUE
> voks all CONTINUE

It works now (ping to all hosts on the loc network). Also I can now use the fw as a masq fw. Thanks for the great support Tom :)

Now I just need to figure out how to let the kids have access to their precious MSN messenger video calls (playing around with dante at the moment..)

/ Thomas