Shorewall by default disables ping - is it not? But you say you are able to ping from both internal and external networks! Maybe you should first try a masquerade without limiting services. If it works, then try other services. I also think Shorewall disables forwarding by echoing 0 into rp_filter of each device. This is again a security measure. Is that creating problems?
Check this out. The way I would go about this is to first stop shorewall, turn on masquerading in iptables by hand and see if what you want works. If it does, then I would start up shorewall and try the same in shorewall.

HTH
Mohan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Fritz
Sent: 10 September 2002 16:49
To: Kyle Fitch
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Unable to bring up interfaces

On Tue, 10 Sep 2002 06:04:38 EST Kyle Fitch wrote:

> Brad-
> Good news, I got the NICs recognized and up. But now I have encountered
> another problem. I cannot access the internet from my internal network. I
> can ping the Bering machine from an internal host, and I can ping an
> internet host from the Bering machine. But I cannot ping an internet host
> from an internal network host. Thanks again for your help.

Sounds like a firewall problem if both NICs can ping their respective zones, but you can't ping _through_ the firewall. Have you run a "tail -f /var/log/syslog" while attempting the ping through the firewall? The output there as well as a better description of how the ping fails[1] might be useful.

I thought the default loc -> net policy was ACCEPT, so the failing pings surprise me. You might want to verify that you have

    loc net ACCEPT

in /etc/shorewall/policy. (If you want to allow all traffic from loc -> net, anyhow.) If you don't use that policy, you'll need to add

    ACCEPT loc net icmp 8

to /etc/shorewall/rules to allow echo requests through.

Something else to check is that you have /etc/shorewall/interfaces set properly. By default eth0==net and eth1==loc. Use "ip addr" to verify that is the case in your setup.

--Brad

[1] http://leaf-project.org/pub/doc/docmanager/docid_1891.html
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
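An added example, not part of the thread and not Shorewall or LEAF project code: a small sh script that checks offline the two things Brad asks Kyle to verify (a loc -> net ACCEPT policy in /etc/shorewall/policy, or failing that an "ACCEPT loc net icmp 8" rule in /etc/shorewall/rules), and prints, without executing anything, the command sequence for the manual iptables masquerade test Mohan describes. The policy and rules files it reads are constructed samples written by the script itself; the interface name eth0 and subnet 192.168.1.0/24 are assumptions. It uses "shorewall clear" rather than "shorewall stop" for the manual test because "clear" is the Shorewall command that removes all rules, whereas "stop" leaves the firewall in its restrictive stopped state.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the Shorewall
# settings Brad mentions, plus a dry-run listing of Mohan's manual
# masquerade test. All file contents below are constructed samples.

# Return 0 if the policy file carries a loc -> net ACCEPT policy.
# Shorewall policy columns: SOURCE DEST POLICY [LOG_LEVEL]
has_loc_net_accept() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "loc" && $2 == "net" && $3 == "ACCEPT" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Return 0 if the rules file allows ICMP echo requests (type 8) from loc to net.
# Shorewall rules columns: ACTION SOURCE DEST PROTO DEST_PORT
has_loc_net_ping_rule() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "ACCEPT" && $2 == "loc" && $3 == "net" && $4 == "icmp" && $5 == "8" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Verdict for a config directory holding "policy" and "rules":
#   policy  - loc -> net ACCEPT policy present, pings pass
#   rule    - no such policy, but the explicit icmp 8 rule lets pings through
#   blocked - neither, so loc -> net echo requests hit the default policy
ping_through_verdict() {
    if has_loc_net_accept "$1/policy"; then
        echo policy
    elif has_loc_net_ping_rule "$1/rules"; then
        echo rule
    else
        echo blocked
    fi
}

# Print (do not run) the manual masquerade test Mohan suggests.
# $1 = external interface (assumed eth0), $2 = internal subnet (assumed).
manual_masquerade_cmds() {
    ext="$1"; lan="$2"
    echo "shorewall clear"                          # remove all Shorewall rules
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"   # kernel forwarding on
    echo "iptables -t nat -A POSTROUTING -s $lan -o $ext -j MASQUERADE"
    echo "iptables -A FORWARD -s $lan -o $ext -j ACCEPT"
    echo "iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Write three constructed sample configs under $1:
#   default  - the loc net ACCEPT policy Brad expects
#   ruleonly - that policy removed, explicit icmp 8 rule added instead
#   none     - neither
write_samples() {
    for d in default ruleonly none; do mkdir -p "$1/$d"; done
    printf '#SOURCE DEST POLICY LOG\nloc net ACCEPT\nnet all DROP info\nall all REJECT info\n' > "$1/default/policy"
    : > "$1/default/rules"
    printf '#SOURCE DEST POLICY LOG\nnet all DROP info\nall all REJECT info\n' > "$1/ruleonly/policy"
    printf '#ACTION SOURCE DEST PROTO DEST_PORT\nACCEPT loc net icmp 8\n' > "$1/ruleonly/rules"
    cp "$1/ruleonly/policy" "$1/none/policy"
    : > "$1/none/rules"
}

# Stand-alone run: build the samples, report each verdict, show the dry run.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for d in default ruleonly none; do
        echo "$d: $(ping_through_verdict "$tmp/$d")"
    done
    manual_masquerade_cmds eth0 192.168.1.0/24
    rm -rf "$tmp"
fi
```

Run it with "--demo" to see the verdict for each sample, or point ping_through_verdict at a real /etc/shorewall directory on the firewall. The awk checks ignore comment and blank lines, which is how Shorewall itself treats them, so a commented-out "#loc net ACCEPT" correctly counts as absent.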