First of all, thanks for your quick responses to my silly questions. I am sorry to take up your time.

With regards to the /etc/shorewall/hosts file, how should I have done it? Please tell me the clean way it should have been done as opposed to the messy way I have done it. I am sorry with regards to rebooting the Bering box, yes I know I did not have to reboot but I had added those ip_conntrack_pptp.o and ip_nat_pptp.o modules (that you recommended from my previous post) and I decided to reboot to get them to load. I realize that all I needed to do was "shorewall restart".

Thanks again! Have a great day.

Troy

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 2:49 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
> I made these changes to shorewall and rebooted.

WHY REBOOT?

> The result was all hosts
> lost Internet access.

That's not a problem description that can be done much with.

>
> /ETC/shorewall/hosts
>
> #ZONE HOST(S) OPTIONS
> loc eth1:192.168.1.0/24
> loc eth1:192.168.2.0/24
> loc eth1:192.168.140.0/24
> loc eth1:192.168.142.0/24
> loc eth1:192.168.143.0/24
> loc eth1:192.168.145.0/24
> loc eth1:192.168.146.0/24
> loc eth1:192.168.147.0/24
> loc eth1:192.168.148.0/24

And you are defining each subnet individually because?

>
> And then this:
>
> /ETC/shorewall/Interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 142.165.207.162 routefilter,norfc1918,tcpflags
> loc eth1 192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want "loc" in the zone column there -- you want "-" since you are defining the zone entirely through use of the hosts file.

> vpn ipsec0
>
> I watched shorewall load and it did show all of these networks as defining
> the "loc" zone as I would expect. I am just not sure why we lost Internet
> access after that point. Do I need to define these subnets as for example
> "192.168.1.0/24,192.168.2.0/24..."
>
> I think I may not have given all the information in my previous post. Here
> are the relevant configs. (Some IPs have been altered to protect the
> innocent)
>
> IP ROUTE:
>
> 192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
> 192.168.146.0/24 via 192.168.147.2 dev eth1
> 192.168.145.0/24 via 192.168.147.2 dev eth1
> 192.168.2.0/24 via 192.168.147.5 dev eth1
> 192.168.1.0/24 via 192.168.147.5 dev eth1
> 192.168.148.0/24 via 192.168.147.2 dev eth1
> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
> 192.168.143.0/24 via 192.168.147.1 dev eth1
> 192.168.142.0/24 via 192.168.147.1 dev eth1
> 142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
> 142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
> 192.168.140.0/24 via 192.168.147.3 dev eth1
> default via 142.165.207.254 dev eth0
>
>
> IP ADDR:
>
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
> inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
> inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
> 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
> link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
> inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
>
> /ETC/INTERFACES
>
> auto eth0
> iface eth0 inet static
> address 142.165.207.*
> netmask 255.255.255.0
> broadcast 142.165.207.255
> gateway 142.165.207.254
>
> # Step 2: configure internal interface
> # Default: eth1 / fixed IP = 192.168.1.254
> auto eth1
> iface eth1 inet static
> address 192.168.147.4
> netmask 255.255.255.0
> broadcast 192.168.147.255
>
> up ip route add 192.168.140.0/24 via 192.168.147.3 || true
> up ip route add 192.168.142.0/24 via 192.168.147.1 || true
> up ip route add 192.168.143.0/24 via 192.168.147.1 || true
> up ip route add 192.168.1.0/24 via 192.168.147.5 || true
> up ip route add 192.168.2.0/24 via 192.168.147.5 || true
> up ip route add 192.168.145.0/24 via 192.168.147.2 || true
> up ip route add 192.168.146.0/24 via 192.168.147.2 || true
> up ip route add 192.168.148.0/24 via 192.168.147.2 || true
>
>
> /etc/shorewall/masq
>
> #INTERFACE SUBNET ADDRESS
> eth0 192.168.1.0/24
> eth0 192.168.2.0/24
> eth0 192.168.140.0/24
> eth0 192.168.142.0/24
> eth0 192.168.143.0/24
> eth0 192.168.145.0/24
> eth0 192.168.146.0/24
> eth0 192.168.147.0/24
> eth0 192.168.148.0/24

Assuming that eth1 is up when shorewall [re]starts, all you needed was:

eth0 eth1

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
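A small consistency check for the two points Tom raises: an interface whose zone is defined through the hosts file must carry "-" in the interfaces ZONE column, and a masq SUBNET list whose entries all leave through eth1 (per the kernel routing table) collapses to the single line "eth0 eth1". This is an added example, not code from the thread or from Shorewall itself; the samples it runs on are constructed from the configs quoted above, trimmed to a few entries.

```python
# Added example: lint the Shorewall 1.x hosts/interfaces/masq layout from the thread.
# The samples below are constructed from the configs quoted in the message, trimmed.
HOSTS = """#ZONE HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.140.0/24
"""
INTERFACES = """#ZONE INTERFACE BROADCAST OPTIONS
net eth0 142.165.207.162 routefilter,norfc1918,tcpflags
loc eth1 192.168.1.255,192.168.140.255
vpn ipsec0
"""
MASQ = """#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24
eth0 192.168.140.0/24
eth0 192.168.147.0/24
"""
IP_ROUTE = """192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0
"""


def fields(text):
    """Split a Shorewall table or an `ip route` dump into whitespace columns, skipping comments."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def zone_conflicts(hosts, interfaces):
    """Interfaces whose zone is already defined through hosts but still carry a zone
    name (not '-') in the interfaces ZONE column, so the zone gets defined twice."""
    in_hosts = {h[1].split(":")[0] for h in fields(hosts)}
    return [i[1] for i in fields(interfaces) if i[1] in in_hosts and i[0] != "-"]


def route_devices(ip_route):
    """Map each destination prefix in `ip route` output to its outgoing device."""
    return {f[0]: f[f.index("dev") + 1] for f in fields(ip_route)}


def masq_collapsible_to(masq, ip_route):
    """If every SUBNET listed in masq is reached over one interface, return that
    interface (so masq can read '<out> <that interface>'); otherwise None.
    A SUBNET with no route at all (interface not up yet) also yields None."""
    devs = route_devices(ip_route)
    outs = {devs.get(m[1]) for m in fields(masq)}
    return outs.pop() if len(outs) == 1 and None not in outs else None


if __name__ == "__main__":
    print("zone defined twice on:", zone_conflicts(HOSTS, INTERFACES))
    print("masq SUBNET column can be replaced by:", masq_collapsible_to(MASQ, IP_ROUTE))
```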