On Sun, 04 Aug 2002 09:43:22 PDT John Desmond wrote:
Thank you for all the details John. They really help in the
troubleshooting process. I have snipped most of them below
to save bandwidth.
> I hope you can help me. I've been using ESb4 and its
> predecessors for about two years and decided it's time
> to upgrade to a more modern LEAF. I downloaded Bering
> V1.0-rc3 and documentation and made the suggested
> changes for my particular situation: several
> workstations behind LEAF, which is handling the pppoe
> connection to the ISP through the ADSL modem. No port
> forwarding going on. The pppoe link came up without a
> hitch but packet forwarding is not working.
>
> Symptoms:
> 1. I can ping the firewall from a workstation and can
> browse the weblet (nice improvements there, BTW).
> 2. I can ping the workstations and external sites from
> the firewall.
> 3. I *can't* ping ("unreachable destination") external
> sites by IP from the workstations through the
> firewall. It also causes a reject in the logs. See
> excerpt from logs below.
> 4. I *can't* ping (long delay and eventual "unknown
> host xxxxxxx") an external site by name. It also
> causes a flurry of rejects in the logs as dnscache
> tries to hit the root nameservers (which seems at odds
> with #2, above). See excerpt from logs below.
>
> Examples from logs.
>
> In response to ping from workstation, through
> firewall, to internet by IP:
>
> Aug 4 15:15:48 firewall kernel:
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0
> SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
> ID=11272 SEQ=0
>
> In response to ping from workstation, through
> firewall, to internet by name:
>
> Aug 4 15:17:31 firewall kernel:
> Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90
> DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64
> ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
> Aug 4 15:17:31 firewall kernel:
> Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90
> DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64
> ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39
> ... etc. ((many, many of these))
Hmm. These seem contrary to your shorewall rules file.
Looks like they're hitting the default output policy of
REJECT.
[ big snip ]
> /etc/shorewall/interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> #net eth0 detect dhcp,routefilter,norfc1918
> net eth0 detect routefilter,norfc1918
> loc eth1 detect routestopped
Ahh! Notice the "OUT=ppp0" in the log entries. Yet there's
no "ppp0" in shorewall/interfaces. Change "eth0" to "ppp0"
and I bet your problems will go away.
--Brad
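Brad's diagnosis rests on one comparison: the interface named in the `OUT=` field of the Shorewall REJECT entries against the interfaces declared in `/etc/shorewall/interfaces`. The script below, an added example and not code from the thread or from the Shorewall or LEAF projects, automates that comparison for the Shorewall 1.x log format and interfaces file layout shown above. The log lines and both interfaces files are constructed copies of what the thread shows (the second interfaces file applies Brad's suggested `eth0` to `ppp0` change); the function names are this example's own.

```shell
#!/bin/sh
# Cross-check the interfaces that appear in Shorewall REJECT log lines
# against the interfaces declared in a shorewall/interfaces file.
# Everything below is constructed sample data modelled on the thread,
# not output captured from a live firewall.

# Constructed log excerpt: the three REJECT entries quoted in the thread.
SAMPLE_LOG='Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0
Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39'

# Constructed copy of the interfaces file as posted (net zone bound to eth0).
POSTED_INTERFACES='#ZONE INTERFACE BROADCAST OPTIONS
#net eth0 detect dhcp,routefilter,norfc1918
net eth0 detect routefilter,norfc1918
loc eth1 detect routestopped'

# The same file with Brad's suggested change applied (net zone bound to ppp0).
FIXED_INTERFACES='#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect routefilter,norfc1918
loc eth1 detect routestopped'

# declared_interfaces FILE_CONTENT
# Prints the INTERFACE column of an interfaces file, one per line, sorted,
# with comment text removed first so commented-out entries do not count.
declared_interfaces() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF >= 2 { print $2 }' | sort -u
}

# logged_interfaces LOG_CONTENT
# Prints every non-empty IN= or OUT= interface found in Shorewall REJECT
# lines, one per line, sorted. An empty "IN=" (locally generated packet)
# yields nothing because the pattern requires at least one character.
logged_interfaces() {
    printf '%s\n' "$1" | grep 'Shorewall:.*:REJECT:' \
        | grep -oE '(IN|OUT)=[^ ]+' | cut -d= -f2 | sort -u
}

# undeclared_interfaces LOG_CONTENT FILE_CONTENT
# Prints interfaces that carry rejected traffic but are absent from the
# interfaces file. Any output here means a zone is bound to the wrong
# device, which is exactly the mismatch diagnosed in the thread.
undeclared_interfaces() {
    logged=$(logged_interfaces "$1")
    declared=$(declared_interfaces "$2")
    for iface in $logged; do
        printf '%s\n' "$declared" | grep -qx "$iface" || echo "$iface"
    done
}

# Stand-alone run: report against the posted file, then against the fixed one.
echo "Undeclared interfaces with the posted file: $(undeclared_interfaces "$SAMPLE_LOG" "$POSTED_INTERFACES")"
echo "Undeclared interfaces with the fixed file:  $(undeclared_interfaces "$SAMPLE_LOG" "$FIXED_INTERFACES")"
```

On a real LEAF box the same check is `undeclared_interfaces "$(cat /var/log/messages)" "$(cat /etc/shorewall/interfaces)"`; a non-empty result points at the interface whose zone binding needs correcting, and an empty result after the edit confirms the fix took.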
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html