Hi there,

I am moving from a two-interface set-up to a three-interface set-up where the third interface will be a DMZ. My shorewall is version 4.0.15 on Debian Lenny and has the following interfaces:

eth0 loc 10.0.0.3
eth1 net dhcp
eth2 dmz 10.0.10.3

I'm trying to ping from a machine on the local network 10.0.0.6 to 10.0.10.1 and I get destination unreachable.
I'm trying to ping from a machine on the DMZ network 10.0.10.1 to 10.0.10.3 and I get destination unreachable.

Could someone please help me find out what's wrong with my setup? I've attached a shorewall dump. Is there anything else you need to help me troubleshoot?

Thanks very much
Mark.

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
Mark Allison wrote:
> Hi there,
>
> I am moving from a two-interface set-up to a three-interface set-up
> where the third interface will be a DMZ. My shorewall is version
> 4.0.15 on Debian Lenny and has the following interfaces:
>
> eth0 loc 10.0.0.3
> eth1 net dhcp
> eth2 dmz 10.0.10.3
>
> I'm trying to ping from a machine on the local network 10.0.0.6 to
> 10.0.10.1 and I get destination unreachable.
> I'm trying to ping from a machine on the DMZ network 10.0.10.1 to
> 10.0.10.3 and I get destination unreachable.
>
> Could someone please help me find out what's wrong with my setup? I've
> attached a shorewall dump. Is there anything else you need to help me
> troubleshoot?

Before we start looking at the Shorewall configuration, does this local traffic all pass perfectly if you temporarily 'shorewall clear'? (Be sure to 'shorewall start' after testing.)

From a quick look at the dump, I suspect that your problem has nothing to do with Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Mark Allison wrote:
>> Hi there,
>>
>> I am moving from a two-interface set-up to a three-interface set-up
>> where the third interface will be a DMZ. My shorewall is version
>> 4.0.15 on Debian Lenny and has the following interfaces:
>>
>> eth0 loc 10.0.0.3
>> eth1 net dhcp
>> eth2 dmz 10.0.10.3
>>
>> I'm trying to ping from a machine on the local network 10.0.0.6 to
>> 10.0.10.1 and I get destination unreachable.
>> I'm trying to ping from a machine on the DMZ network 10.0.10.1 to
>> 10.0.10.3 and I get destination unreachable.
>>
>> Could someone please help me find out what's wrong with my setup? I've
>> attached a shorewall dump. Is there anything else you need to help me
>> troubleshoot?
>
> Before we start looking at the Shorewall configuration, does this local
> traffic all pass perfectly if you temporarily 'shorewall clear'? (Be
> sure to 'shorewall start' after testing.)
>
> From a quick look at the dump, I suspect that your problem has nothing
> to do with Shorewall.

Okay -- I took a closer look and it appears that you haven't defined either eth2 or the dmz to Shorewall at all!

I notice that you are running Debian, and Debian users can't seem to resist using /etc/init.d/shorewall to restart Shorewall. This is really too bad because the Debian init script is totally silent when restart fails. I suspect that you are getting a syntax error during compilation which will be immediately obvious when you use 'shorewall restart' rather than the init script.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> Okay -- I took a closer look and it appears that you haven't defined
> either eth2 or the dmz to Shorewall at all!
>
> I notice that you are running Debian, and Debian users can't seem to
> resist using /etc/init.d/shorewall to restart Shorewall. This is really
> too bad because the Debian init script is totally silent when restart
> fails. I suspect that you are getting a syntax error during compilation
> which will be immediately obvious when you use 'shorewall restart'
> rather than the init script.
>

Tom, first of all thanks for looking at this for me and for taking the time. I tried the shorewall restart command and it all looks ok except for this message:

WARNING: Zone dmz is empty

I have attached my zones, interfaces, policy and rules files. They all look fine to me - can you spot anything wrong there? It looks like I've defined the dmz. I don't understand.

Cheers,
Mark.
Tom Eastep wrote:
> I notice that you are running Debian and Debian users can't seem to
> resist using /etc/init.d/shorewall to restart Shorewall.

It's natural - when restarting/manipulating most services, "/etc/init.d/<service> <some action>" is the natural and correct way to do it. Interestingly, I've never been tempted and always use "shorewall [safe-]restart" - I've never thought about it, and now I'm wondering why it is that I've never been tempted to use "/etc/init.d/shorewall restart"! Possibly because I've been using Shorewall from before it was packaged for Debian?

> This is really
> too bad because the Debian init script is totally silent when restart
> fails.

That does seem a problem.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
I hate to do this as it is certainly outside the direct parameters of a Shorewall question, but my brain is pretzeled.

I have an office network connected to the internet and a branch office network also connected to the internet.

I have an ipsec vpn tunnel set up and running between the two offices, and they are on two private subnets:

Office A          Office B
192.168.1.0/24    10.254.0.0/24

So far so good.

Now for the fun. I have a private fiber link between the offices I would like to dedicate to VOIP traffic. The fiber link is essentially stateless (it's a switched fiber circuit), so I can configure it bridged or routed as I please. Each end of the fiber circuit simply presents as a normal CAT-5 connection which I can plug into a router or NIC.

What I'd like to do is keep the existing VPN connection for DATA and add the new fiber circuit dedicated to VOIP between the offices.

The place I'm stuck is architecturally. I'm trying to determine the best methodology to route both links between the two offices, one link for VOIP, and one link for DATA.

Assuming I can concentrate both links on a single shorewall box on each end, would the multi-isp setup work in this situation? Am I on crack for even trying this?

I apologize for broaching this topic here, but I know this list is full of folks who understand linux routing and might be able to point me in the right direction. If someone wants to contact me directly on a consultative basis, I am game for that if this is too far outside the purpose of this list.

Any suggestions other than "get lost" would be greatly appreciated.

-- 
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Work)
858-495-3540 (Fax)
Keith Mitchell wrote:
> I hate to do this as it is certainly outside the direct parameters of a
> Shorewall question, but my brain is pretzeled.
>
> I have an office network connected to the internet and a branch office
> network also connected to the internet.
>
> I have an ipsec vpn tunnel set up and running between the two offices, and
> they are on two private subnets:
>
> Office A          Office B
> 192.168.1.0/24    10.254.0.0/24
>
> So far so good.
>
> Now for the fun. I have a private fiber link between the offices I would
> like to dedicate to VOIP traffic. The fiber link is essentially stateless
> (it's a switched fiber circuit), so I can configure it bridged or routed as I
> please. Each end of the fiber circuit simply presents as a normal CAT-5
> connection which I can plug into a router or NIC.
>
> What I'd like to do is keep the existing VPN connection for DATA and add the
> new fiber circuit dedicated to VOIP between the offices.
>
> The place I'm stuck is architecturally. I'm trying to determine the best
> methodology to route both links between the two offices, one link for VOIP,
> and one link for DATA.
>
> Assuming I can concentrate both links on a single shorewall box on each end,
> would the multi-isp setup work in this situation?
>

Since you wish to use this link just for voip and nothing else, why don't you plug it in on your voip server? On the other hand, if your plans might change (for instance your internet link goes down and you wish to use the voip link for data also), that is another story. Decide how you wish to "employ" the fiber link to make the most out of it and come again.

In your shoes I would prefer to have vpn - data (if private, no need to have vpn) and voip over the private fiber.

Cheers
Harry.
> The place I'm stuck is architecturally. I'm trying to determine the best
> methodology to route both links between the two offices, one link for
> VOIP, and one link for DATA.
>
> Assuming I can concentrate both links on a single shorewall box on each
> end, would the multi-isp setup work in this situation?

I think that the multi-isp Shorewall feature would work just fine for your situation. You could define your primary Internet link as one provider and your fiber link as the other. Use entries in the /etc/shorewall/tcrules or /etc/shorewall/route_rules files to force your VOIP traffic to use the fiber link and all other traffic (including the encapsulated VPN packets) to go over the regular ISP link.

--Russel
> WARNING: Zone dmz is empty
>
> I have attached my zones, interfaces, policy and rules files. They all
> look fine to me - can you spot anything wrong there? It looks like
> I've defined the dmz. I don't understand.

1. Please read http://www.shorewall.net/Notices.html#Shell-EOL

2. All of the sample Shorewall configuration files have this as their last line:

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

There is a reason for that, which you have just discovered (your 'dmz' line is not terminated by a newline character and hence the shell ignores it).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
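To make the failure mode Tom describes reproducible, here is an added POSIX shell example (not from the thread or from the Shorewall project): a constructed zones file whose final 'dmz' line has no trailing newline is read by a `while read` loop, which silently drops that line, together with a check that flags and repairs such files before Shorewall ever sees them.

```shell
#!/bin/sh
# Added example, not Shorewall code. Shows why a config line without a
# trailing newline is dropped by shell-style parsing, and how to detect it.

# Count lines the way a shell "while read" loop sees them: "read" returns
# non-zero on the final unterminated line, so the loop body never runs for it.
count_read_lines() {
    count=0
    while read -r line; do
        count=$((count + 1))
    done < "$1"
    echo "$count"
}

# Succeed if the file is empty or its last byte is a newline. Command
# substitution strips trailing newlines, so "$(tail -c 1 file)" is empty
# exactly when the last byte is "\n".
ends_with_newline() {
    [ ! -s "$1" ] && return 0
    [ -z "$(tail -c 1 "$1")" ]
}

# Append the missing newline in place (no-op when the file is already fine).
append_newline() {
    ends_with_newline "$1" || printf '\n' >> "$1"
}

# Report every given file whose last line would be ignored; returns 1 if any.
report_missing_newlines() {
    status=0
    for f in "$@"; do
        if ! ends_with_newline "$f"; then
            echo "$f: last line lacks a newline and will be ignored" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample zones file: four zones, the 'dmz' line unterminated.
make_sample_zones() {
    printf 'fw\tfirewall\nnet\tipv4\nloc\tipv4\ndmz\tipv4' > "$1"
}
```

Running `report_missing_newlines /etc/shorewall/zones /etc/shorewall/interfaces /etc/shorewall/policy /etc/shorewall/rules` gives a quick pre-restart check for the class of problem in this thread.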
> 1. Please read http://www.shorewall.net/Notices.html#Shell-EOL
> 2. All of the sample Shorewall configuration files have this as their
> last line:
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> There is a reason for that, which you have just discovered (your 'dmz'
> line is not terminated by a newline character and hence the shell ignores
> it).

Thanks Tom, that was it.