--On Thursday, December 12, 2002 02:00:12 PM -0800 Joshua Klein <[EMAIL PROTECTED]> wrote:

> This is my first time on this list, so please be gentle. :) After reading
> all the docs, previewing the logs, and lurking on this list for a while I
> finally decided to try Bering. My goal is to get the three-interfaces
> setup on Shorewall along with the pptp server to allow access to the DMZ
> from both the Loc and Net zones. Leaving aside pptp for now, I've managed
> to get Bering working with my three NICs, dispensing IPs on eth1 (loc) and
> eth2 (dmz) w/ dhcp, and picking up a dynamic ip with pump on eth0 (net).

Did you follow the instructions in one of the Shorewall QuickStart Guides
and if so which one (three-interface or the setup guide)?

> But that's as far as I've got. So far I can't ping out from the Bering
> machine with shorewall started, getting this error:
>
> # ping mit.edu
> PING mit.edu (18.7.21.70): 56 data bytes
> ping: sendto: Operation not permitted
>
> which I've identified as most likely being routing related.

No -- it sounds like you aren't allowing pings from the fw zone to the net
zone.

> Similarly, I can't ping machines on the loc or dmz subnets, i.e.:
>
> # ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1): 56 data bytes
> ping: sendto: Operation not permitted

So in other words, you aren't allowing ping out of the 'fw' zone at all.
Which means that you probably have 'noping' specified on all of your
interfaces OR you have specified 'filterping' on those interfaces then
haven't included rules to accept ping.

> Finally, I can't ping the bering box from either the dmz or loc subnets -
> attempts to do so just time out.
>
> When I try these tests with shorewall turned off I can ping the machines
> on the loc and dmz networks from the bering box, and ping the bering box
> from said networks, but can't ping out to the Net at large; attempts to do
> so result in:
>
> # ping mit.edu
> ping: unknown host mit.edu
>
> Trying to ping the Net at large from the bering box gives me this error:
>
> # ping mit.edu
> ping: mit.edu: Host name lookup failure
>
> When I ping the bering box from the Net I get zero results - it just
> times out. Most frustratingly, no messages appear in the logs on the
> Bering machine when I try any of the above. I can see that DNS resolution
> only occurs when shorewall is up and that shorewall is blocking ping
> probes, but can't pinpoint where that problem stems from. My main concern
> is that I would like to be able to debug this myself and don't know where
> to start. My first instinct is to reach for tcpdump, but it's not
> available on Bering. Given that I copied the three-interfaces file set for
> shorewall and otherwise followed the Installation guide more or less
> exactly I'd rather not just dump all my .conf files on this list - but can
> anyone give me any advice on where to start debugging this otherwise?
>
> There are only two suspicious things I can see with the LRP load sequence:
>
> 1) when booting, shorewall gives me this error:
>
> .: Can't open /etc/shorewall/common.def

Sounds like you are missing that configuration file!
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ [EMAIL PROTECTED]
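The two things Tom says to check (the 'noping'/'filterping' interface options, and whether any policy or rule accepts ping out of the fw zone), plus the file the boot message complains about, as an added example that is not part of this thread and is not Shorewall's own code. It assumes the Shorewall 1.3-era whitespace-separated layouts of /etc/shorewall/interfaces, policy and rules; the three sample files it writes to a temporary directory are constructed for the example, and its matching (an ACCEPT rule for icmp type 8 from fw to the zone, or the first matching policy being ACCEPT) is a simplification of Shorewall's own evaluation.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): audit the
# Shorewall files behind the two things Tom says to check, plus the file the
# boot message complains about.
# Assumed Shorewall 1.3-era layouts (whitespace-separated columns, '#' comments):
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS    (OPTIONS comma-separated)
#   policy:     SOURCE DEST POLICY [LOGLEVEL]
#   rules:      ACTION SOURCE DEST PROTO DEST_PORT  (ICMP type in DEST_PORT)
# The matching below is a simplification of Shorewall's own evaluation.

# Print a config file with comments and blank lines removed.
cfg() { sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# Succeed if a rule, or else the first matching policy, in directory $1
# accepts ping (icmp type 8) from zone $2 to zone $3.
accepts_ping() {
    adir=$1 src=$2 dst=$3
    cfg "$adir/rules" | awk -v s="$src" -v d="$dst" \
        '$1=="ACCEPT" && $2==s && $3==d && ($4=="icmp" || $4=="all") && ($5=="8" || $5=="" || $5=="-") { f=1 } END { exit !f }' \
        && return 0
    cfg "$adir/policy" | awk -v s="$src" -v d="$dst" \
        '($1==s || $1=="all") && ($2==d || $2=="all") { f=($3=="ACCEPT"); exit } END { exit !f }'
}

# One line per interface: the ping-related option it carries, and whether
# anything lets the fw zone ping into that interface's zone.
ping_audit() {
    pdir=$1
    cfg "$pdir/interfaces" | while read -r zone iface bcast opts; do
        case ",$opts," in
            *,noping,*)     opt="noping" ;;
            *,filterping,*) opt="filterping" ;;
            *)              opt="no ping option" ;;
        esac
        if accepts_ping "$pdir" fw "$zone"; then
            echo "$iface $zone: $opt, fw->$zone ping accepted"
        else
            echo "$iface $zone: $opt, nothing accepts icmp 8 fw->$zone"
        fi
    done
}

# Names, among the files this example assumes Shorewall 1.3 reads at
# startup, that are absent from directory $1 (the boot message names common.def).
check_files() {
    for f in interfaces policy rules common.def; do
        [ -f "$1/$f" ] || echo "$f"
    done
}

# Constructed sample configuration for this example (not the poster's files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,filterping
loc     eth1        detect      noping
dmz     eth2        detect      filterping
EOF
cat > "$SAMPLE_DIR/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
cat > "$SAMPLE_DIR/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  fw      loc     icmp    8
ACCEPT  net     dmz     tcp     80
EOF
# common.def is deliberately left out to reproduce the boot-time complaint.

ping_audit "$SAMPLE_DIR"
echo "missing: $(check_files "$SAMPLE_DIR")"
```

Point the two functions at /etc/shorewall instead of the sample directory to run the same check on a real Bering box; the dmz line in the sample shows the case Tom describes, 'filterping' set with nothing accepting ping from fw, while the net line shows the policy-based fix and the loc line the rule-based one.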
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
