Hello,

I have Shorewall v4.5.5.3 installed on Ubuntu server v12.10 and Webmin v1.620. When I choose DROP for wan to ANY and already have in place a rule from wan to FIREWALL to accept source ports 10000:10001, I am not able to access the server at will via SSH or Webmin. I have to go in and edit the policy file to ACCEPT for wan to ANY. Please advise.

Have a great weekend,

Donald S. Doyle
President
G.E.M. Computer Consulting, LLC
317.250.4448
www.gemcc.com <http://www.gemcc.com/>

CONFIDENTIALITY NOTICE: The materials enclosed with this electronic transmission are private and confidential and are the properties of the sender. The information contained in the material is privileged and is intended only for the use of the individual(s) or entity (ies) named above. If you are not the intended recipient, be advised that any unauthorized disclosure, copying, distribution, or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify us by telephone.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
Hello,

I apologize, I believe the first file I attached does not reflect when wan > FIREWALL is set to DROP. The one that is now attached does.

Have a great weekend,

Donald S. Doyle
On 03/15/2013 11:17 AM, Donald S. Doyle wrote:
> I apologize, I believe the first file I attached does not reflect when
> wan> FIREWALL is set to DROP. The one that is now attached does.
>
> I have Shorewall v4.5.5.3 installed on Ubuntu server v12.10 and Webmin
> v1.620.
>
> When I choose DROP for wan to ANY and already have in place a rule from
> wan to FIREWALL to accept source ports 10000:10001, I am not able to
> access the server at will via SSH or Webmin. I have to go in and edit
> the policy file to ACCEPT for wan to ANY. Please advise.

A couple of things:

- A trace is useful in cases where the firewall won't start; it is not
  helpful for diagnosing connection issues. For that, we need to see the
  output of 'shorewall dump'.

- I fail to understand why you believe that accepting source ports
  10000:10001 would allow you to access SSH and Webmin.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi Tom,

I try /sbin/shorewall dump > /tmp/shorewall_dump.txt and I am getting an error message:

LOGFILE (/var/log/messages) does not exist!

I look in the sbin directory and see the shorewall file.

I am using port 10000 for SSH and 10001 to access Webmin.

Have a great weekend,

Donald S. Doyle
On 3/15/13 12:02 PM, "Donald S. Doyle" <dsdoyle@gemcc.com> wrote:
> Hi Tom,
>
> I try /sbin/shorewall dump > /tmp/shorewall_dump.txt and I am getting an
> error message LOGFILE (/var/log/messages) does not exist!

Then set LOGFILE correctly. A dump is not nearly so useful without the accompanying netfilter log messages; that's why the program refuses to continue dumping if the specified file doesn't exist. See Shorewall FAQ 91.

> I look in the sbin directory and see the shorewall file.
>
> I am using port 10000 for SSH and 10001 to access Webmin

Then you want to open DEST PORT(S) 10000:10001, not SOURCE PORT(S) 10000:10001

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
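As an added example (not from the thread or the Shorewall project), a small Python check for the mistake Tom points out: it parses a constructed rules-file fragment and flags ACCEPT rules that set SOURCE PORT(S) while leaving DEST PORT(S) open. It assumes the classic whitespace-separated /etc/shorewall/rules column order ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S), with '-' meaning "any".

```python
"""Flag Shorewall rules that restrict SOURCE PORT(S) but leave DEST PORT(S)
open, the misconfiguration in this thread.

Assumed column order of a classic /etc/shorewall/rules line:
ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ...   ('-' = any)
A client connecting to SSH or Webmin uses an ephemeral source port, so a
rule matching only SOURCE PORT(S) 10000:10001 never accepts the connection
and the wan->all DROP policy wins.
"""


def parse_rule(line):
    """Return (action, source, dest, proto, dport, sport) for one rule line,
    or None for blank/comment lines. Trailing '#' comments are stripped and
    missing trailing columns default to '-' (any)."""
    body = line.split('#', 1)[0].strip()
    if not body:
        return None
    cols = body.split()
    cols += ['-'] * (6 - len(cols))
    return tuple(cols[:6])


def find_source_port_only_rules(text):
    """Return [(line_number, rule)] for ACCEPT rules whose DEST PORT(S) is
    '-' while SOURCE PORT(S) is set: they do not open the intended service."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        action, _, _, _, dport, sport = rule
        # ACCEPT may carry a log-level suffix such as ACCEPT:info
        if action.split(':')[0].upper() == 'ACCEPT' and dport == '-' and sport != '-':
            findings.append((n, rule))
    return findings


# Constructed sample: the rule as it was written (source ports), then the
# corrected rule Tom recommended (dest ports), then an unrelated rule.
SAMPLE_RULES = """\
#ACTION   SOURCE   DEST   PROTO   DEST          SOURCE
#                                 PORT(S)       PORT(S)
ACCEPT    wan      $FW    tcp     -             10000:10001
ACCEPT    wan      $FW    tcp     10000:10001
ACCEPT    loc      wan    tcp     80,443
"""

if __name__ == '__main__':
    for n, (action, src, dst, proto, dport, sport) in find_source_port_only_rules(SAMPLE_RULES):
        print(f"line {n}: {action} {src}->{dst} {proto} matches only SOURCE PORT(S) "
              f"{sport}; did you mean DEST PORT(S) {sport}?")
```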
That was the problem! I needed to set dest. ports, not source! Thanks for your help!

Have a great weekend,

Donald S. Doyle

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 03/15/2013 01:25 PM, Donald S. Doyle wrote:
> Tom,
>
> I am trying the /sbin/shorewall dump > /tmp/shorewall_dump.txt command again
> and now I am getting "gprep: /proc/net/nf_conntrack: no such file or
> directory". I found the proc directory and what appears to be the net
> directory, but I am not able to create the nf_conntrack file needed. Any
> ideas?

I suspect that the attached patch will correct the problem.

patch /usr/share/shorewall/lib.cli < NF_CONNTRACK.patch

Please let me know.

-Tom
On 03/15/2013 01:45 PM, Tom Eastep wrote:
> On 03/15/2013 01:25 PM, Donald S. Doyle wrote:
>> Tom,
>>
>> I am trying the /sbin/shorewall dump > /tmp/shorewall_dump.txt command again
>> and now I am getting "gprep: /proc/net/nf_conntrack: no such file or
>> directory". I found the proc directory and what appears to be the net
>> directory, but I am not able to create the nf_conntrack file needed. Any
>> ideas?
>
> I suspect that the attached patch will correct the problem.
>
> patch /usr/share/shorewall/lib.cli < NF_CONNTRACK.patch

Please disregard the patch. If you have applied it:

patch -R /usr/share/shorewall/lib.cli < NF_CONNTRACK.patch

-Tom
1. Shorewall v4.5.5.3, Kernel v3.5.0-25-generic
2. I did do the patch, did not help. I removed it.
3. I do not have /proc/net/nf_conntrack or /proc/net/ip_conntrack

Have a great weekend,

Donald S. Doyle
On 03/15/2013 01:50 PM, Tom Eastep wrote:
> On 03/15/2013 01:45 PM, Tom Eastep wrote:
>> On 03/15/2013 01:25 PM, Donald S. Doyle wrote:
>>> Tom,
>>>
>>> I am trying the /sbin/shorewall dump > /tmp/shorewall_dump.txt command again
>>> and now I am getting "gprep: /proc/net/nf_conntrack: no such file or
>>> directory". I found the proc directory and what appears to be the net
>>> directory, but I am not able to create the nf_conntrack file needed. Any
>>> ideas?
>>
>> I suspect that the attached patch will correct the problem.
>>
>> patch /usr/share/shorewall/lib.cli < NF_CONNTRACK.patch
>
> Please disregard the patch. If you have applied it:
>
> patch -R /usr/share/shorewall/lib.cli < NF_CONNTRACK.patch

One way to solve Donald's problem is to install the 'conntrack' utility. When that utility is installed, Shorewall will use it to display the conntrack table rather than /proc.

-Tom