1. With any problem of this sort, it would be easier to respond if you'd provided the basic configuration info we ask for in the SR FAQ. If you post again, please include it. It would especially help if we better understood the addressing and, if any, NATing relationship between "the firewall" (the LEAF router) and "the router" (the unidentified device that is the LEAF router's default gateway).
In particular, I really don't know what "eh0 has the same net IP address of the router" means ... are you just saying that they are on the same network? Or do you have some bridging arrangement in place that causes them to have the same IP address (this would be an arrangement I am not familiar with)?
2. I believe Shorewall will start up during boot/init if installed. You can check this for yourself, though, using the standard iptables commands that I assume you know ... Shorewall is just an elaborate front end for iptables and related commands, designed to simplify the process of creating a semi-custom iptables-based group of rulesets. (There are also Shorewall commands for checking this, which I imagine the Shorewall docs identify.)
3. You mention being able to ping from the LEAF router (which you call fw) to the LAN or the external router, and from a LAN host through the LEAF router to the external router. You don't say if you can ping (or traceroute) from a LAN host through the external router to the Internet. Surely you tried this test (both to the router's own external address and to some true outside address that responds to pings). What was the result?
4. In the Shorewall rules you list below, I see only one rule that covers port 80, one that ACCEPTs traffic from loc (this is the LAN, right?) to fw (the LEAF router). You have a default ACCEPT policy for local to net, but a default DENY policy for net to all. So how does net traffic *from* port 80 get to the LAN?
(Because you've only posted fragments of your configuration, there might well be a way that it does. But it is the obvious thing missing from what you did report.)
5. Finally, "it doesn't work" is a vague description of a browser failure. Where does it fail? At the DNS stage, at the connecting stage, or somewhere else?
At 10:22 PM 10/8/2003 +0200, Jose Luis Abuelo Sebio wrote:
Hey, how is everybody doing?
Let's see if you can help me here with my problem. I used to work with Bering 1.2 for VLAN issues but now I want to configure an old machine as a firewall using the software shorewall which is included in Bering 1.2.
I have downloaded the quick start guide for a simple configuration: a local net connected to the firewall (eth1) by a hub (the local PCs and the firewall's eth1 are connected to the same hub) and the firewall connected to the router (eth0). Of course eth1 has the net IP address of the local net and eth0 has the same net IP address as the router. Also I have configured all the machines within the local net with their gateway set to the IP address of the local interface of the firewall (eth1), as it is said in the quickstart guide of shorewall for two interfaces.
I have the following policies:
    #SOURCE  DEST  POLICY
    local    net   ACCEPT
    net      all   DROP
    all      all   REJECT
Then in the rules I have
    #ACTION  SOURCE  DEST  PROTO  DEST PORT
    ACCEPT   fw      net   tcp    53
    ACCEPT   fw      net   udp    53
    # For ssh connection
    ACCEPT   loc     fw    tcp    22
    ACCEPT   loc     fw    icmp   8
    ACCEPT   net     fw    icmp   8
    ACCEPT   fw      loc   icmp   8
    ACCEPT   fw      net   icmp   8
    ACCEPT   loc     fw    tcp    80
    ACCEPT   loc     fw    udp    53
    ACCEPT   loc     fw    tcp    4662
    ACCEPT   net     fw    tcp    4662
    ACCEPT   fw      net   tcp    4662
    ACCEPT   fw      loc   tcp    4662
    ACCEPT   net     fw    udp    4672
    ACCEPT   loc     fw    udp    4672
    ACCEPT   fw      net   udp    4672
    ACCEPT   fw      loc   udp    4672
    #SMTP mail
    ACCEPT   loc     fw    tcp    25
    ACCEPT   net     fw    tcp    25
    ACCEPT   fw      net   tcp    25
    ACCEPT   fw      loc   tcp    25
    #POP mail
    ACCEPT   loc     fw    tcp    110
    ACCEPT   net     fw    tcp    110
    ACCEPT   fw      net   tcp    110
    ACCEPT   fw      loc   tcp    110
and in the Masq option of the Shorewall menu I have
    #INTERFACE  SUBNET  ADDRESS
    eth0        eth1    192.168.10.106
Where 192.168.10.106 is the IP address of eth0
Because I am not giving any service I don't use the NAT protocol, so my question is that from any computer of the local net I can ping the private interface of the router (which is connected to the fw) and from the firewall I can ping either the router or any local PC. But when I try to open my web browser in any of my local PCs it doesn't work.
So here is my question: with Bering 1.2 and its shorewall, do I have to start the firewall with any command? Or does it get set up automatically by itself after the system is booted? If so, how can I get it started?
Did I do anything wrong in my configuration of the firewall or in the design of the net?
Thanks for your time folks
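The following is an added illustration (example code, not part of this thread or of Shorewall itself) of how Shorewall resolves a new connection request: the rules file is scanned top to bottom for the first match, and only if no rule matches is the policy file consulted, again first match wins. The policy and a subset of the rules are transcribed from the quoted message (the "local" zone is written as loc, the name the rules use); the 4662/4672/25/110 entries are left out, and reply packets of already accepted connections are not modelled.

```python
"""Model of Shorewall's lookup order for a NEW connection: rules first,
then policy. Tables below are constructed from the quoted message."""

# Constructed policy table: SOURCE DEST POLICY (first match wins)
POLICY = """
loc  net  ACCEPT
net  all  DROP
all  all  REJECT
"""

# Constructed subset of the rules table: ACTION SOURCE DEST PROTO DEST-PORT
RULES = """
ACCEPT  fw   net  tcp   53
ACCEPT  fw   net  udp   53
ACCEPT  loc  fw   tcp   22     # ssh to the firewall only
ACCEPT  loc  fw   icmp  8
ACCEPT  net  fw   icmp  8
ACCEPT  loc  fw   tcp   80     # the only port-80 rule posted
ACCEPT  loc  fw   udp   53
"""


def parse(table):
    """Split a whitespace-separated table, dropping comments and blanks."""
    rows = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


POLICIES = parse(POLICY)   # [source, dest, policy]
RULEROWS = parse(RULES)    # [action, source, dest, proto, port]


def zone_matches(pattern, zone):
    """'all' in a policy or rule matches any zone."""
    return pattern == "all" or pattern == zone


def decide(src, dst, proto, port):
    """Return (action, origin) for a new src->dst connection on proto/port."""
    for action, rsrc, rdst, rproto, rport in RULEROWS:
        if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                and rproto == proto and str(rport) == str(port)):
            return action, "rule"
    for psrc, pdst, policy in POLICIES:
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return policy, "policy"
    return "REJECT", "default"   # not reached while an all/all policy exists


if __name__ == "__main__":
    for probe in [("loc", "net", "tcp", 80), ("net", "loc", "tcp", 80),
                  ("loc", "fw", "tcp", 80), ("net", "fw", "tcp", 22)]:
        print(probe, "->", decide(*probe))
```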
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html