Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-06 Thread Celejar
On Fri, 4 Mar 2011 10:48:12 +0200
Andrei Popescu andreimpope...@gmail.com wrote:

> On Jo, 03 mar 11, 22:08:00, Jason Hsu wrote:
> >
> > What's going on?  How can turning OFF a firewall block Internet
> > access?  I thought that the purpose of a firewall is to BLOCK
> > connections, not MAKE connections.
>
> Shorewall is not just a firewall (frontend), it can be used to activate
> the NAT, via the:
>
> IP_FORWARDING=On
>
> option in /etc/shorewall/shorewall.conf. It defaults to 'keep', but it's
> very convenient to use if you already use shorewall.

IIUC (and I actually use a configuration like this with Shorewall),
turning forwarding on just causes Shorewall (or rather, the kernel) to
forward packets, without actually modifying them at all.  To get NAT
modification, you need to write a 'masq' file in Shorewall's config
directory.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110306150154.34364b69.cele...@gmail.com
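
[Added example, not part of the thread and not Shorewall's own code: a shell check that separates the two conditions distinguished above, kernel forwarding and source NAT. The interface name, the 192.168.1.0/24 subnet, the chain name and both nat-table dumps are constructed sample values.]

```shell
#!/bin/sh
# Live use on the gateway (as root):
#   diagnose_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)"

# Constructed sample: nat table with a masquerade rule loaded.
NAT_RUNNING='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE
COMMIT'

# Constructed sample: nat table after the rules have been cleared.
NAT_CLEARED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# has_source_nat TEXT: succeeds if any appended rule rewrites source addresses.
has_source_nat() {
    printf '%s\n' "$1" | grep -Eq '^-A .* -j (MASQUERADE|SNAT)( |$)'
}

# diagnose_gateway IP_FORWARD NAT_TEXT: prints one verdict word.
diagnose_gateway() {
    if [ "$1" != "1" ]; then
        echo "no-forwarding"           # kernel does not route LAN packets at all
    elif ! has_source_nat "$2"; then
        echo "forwarding-without-nat"  # routed, but private source left unmodified
    else
        echo "forwarding-and-nat"      # routed and rewritten to the public address
    fi
}

for nat in "$NAT_RUNNING" "$NAT_CLEARED"; do
    diagnose_gateway 1 "$nat"
done
diagnose_gateway 0 "$NAT_RUNNING"
```

A "forwarding-without-nat" verdict matches the symptom in the original post: the gateway itself can still reach the Internet while hosts behind it cannot.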



Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-04 Thread Andrei Popescu
On Jo, 03 mar 11, 22:08:00, Jason Hsu wrote:
 
> What's going on?  How can turning OFF a firewall block Internet
> access?  I thought that the purpose of a firewall is to BLOCK
> connections, not MAKE connections.

Shorewall is not just a firewall (frontend), it can be used to activate 
the NAT, via the:

IP_FORWARDING=On

option in /etc/shorewall/shorewall.conf. It defaults to 'keep', but it's 
very convenient to use if you already use shorewall.

If you want to do forwarding without shorewall set it to 'keep' and do 
the setting in /etc/sysctl.conf

(for unknown reasons that never worked for me, which is why I prefer the 
shorewall way)

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Stopping the Shorewall firewall stops my Internet connection

2011-03-03 Thread Jason Hsu
My setup:
Modem - Firewall/server computer - Ethernet switch - Main computer

The firewall/server computer has Shorewall (firewall), DNSMasq, DHCP3 Server, 
and SSH.

I'm trying to troubleshoot why I'm unable to connect to my network from another 
location by using SSH.  But that's not the subject of this post.  This problem 
is what led me to try stopping the Shorewall firewall.

When I stop the Shorewall firewall, I'm unable to connect to the Internet from 
the main computer.  However, I'm still able to connect to the Internet from the 
firewall/server computer.  (I'm able to ping yahoo.com from the firewall/server 
computer with 0% packet loss.  However, when I try to ping yahoo.com from the 
main computer, I get 100% packet loss.)

When I start the Shorewall firewall, the main computer's Internet access is 
restored.

What's going on?  How can turning OFF a firewall block Internet access?  I 
thought that the purpose of a firewall is to BLOCK connections, not MAKE 
connections.

-- 
Jason Hsu jhsu802...@jasonhsu.com


Archive: http://lists.debian.org/20110303220800.80cd98ce.jhsu802...@jasonhsu.com



Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-03 Thread Mihira Fernando

On 03/04/2011 09:38 AM, Jason Hsu wrote:

> My setup:
> Modem - Firewall/server computer - Ethernet switch - Main computer
>
> The firewall/server computer has Shorewall (firewall), DNSMasq, DHCP3 Server,
> and SSH.
>
> I'm trying to troubleshoot why I'm unable to connect to my network from another
> location by using SSH.  But that's not the subject of this post.  This problem
> is what led me to try stopping the Shorewall firewall.
>
> When I stop the Shorewall firewall, I'm unable to connect to the Internet from
> the main computer.  However, I'm still able to connect to the Internet from the
> firewall/server computer.  (I'm able to ping yahoo.com from the firewall/server
> computer with 0% packet loss.  However, when I try to ping yahoo.com from the
> main computer, I get 100% packet loss.)
>
> When I start the Shorewall firewall, the main computer's Internet access is
> restored.
>
> What's going on?  How can turning OFF a firewall block Internet access?  I
> thought that the purpose of a firewall is to BLOCK connections, not MAKE
> connections.

How are you stopping shorewall? If you issue a shorewall stop, it goes
into a lockdown mode. You have to issue a shorewall clear to allow all
traffic.


See: http://www.shorewall.net/starting_and_stopping_shorewall.htm

Mihira.


Archive: http://lists.debian.org/4d7068b9.6050...@gmail.com



Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-03 Thread Stan Hoeppner
Jason Hsu put forth on 3/3/2011 10:08 PM:
> My setup:
> Modem - Firewall/server computer - Ethernet switch - Main computer
>
> The firewall/server computer has Shorewall (firewall), DNSMasq, DHCP3 Server,
> and SSH.
>
> I'm trying to troubleshoot why I'm unable to connect to my network from
> another location by using SSH.  But that's not the subject of this post.
> This problem is what led me to try stopping the Shorewall firewall.

You must open TCP 22 on the public interface.  If you then want to SSH
into your main computer you would use the SSH client on the Shorewall
box.  If you want to SSH directly into your main computer from a
remote location, select a high TCP port on the public interface and
forward it to TCP 22 at the IP address of the main computer.  From
your remote computer, you will then have to specify the SSH TCP port
manually when connecting to the main computer.

> When I stop the Shorewall firewall, I'm unable to connect to the Internet
> from the main computer.  However, I'm still able to connect to the Internet
> from the firewall/server computer.  (I'm able to ping yahoo.com from the
> firewall/server computer with 0% packet loss.  However, when I try to ping
> yahoo.com from the main computer, I get 100% packet loss.)
>
> When I start the Shorewall firewall, the main computer's Internet access is
> restored.
>
> What's going on?  How can turning OFF a firewall block Internet access?  I
> thought that the purpose of a firewall is to BLOCK connections, not MAKE
> connections.

This is wholly dependent on how the firewall software is designed.  If
NAT is part of the design, which it almost always is these days, turning
off NAT kills access to the outside world for internal PCs, though the
firewall box itself still has full access to the external interface.
This is likely what happened in your case.

I'm not a shorewall user, but given it's Linux based, I'm guessing when
you shut it down it executes a script that clears all the iptables
rules, thus killing NAT, and external connectivity at your main
computer.  When you restart shorewall it repopulates the iptables rules
via a shell script and everything works once more.

-- 
Stan


Archive: http://lists.debian.org/4d706d55.4010...@hardwarefreak.com
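
[Added example, not part of the thread and not Shorewall's own code: the two SSH paths described above, written as entries in a Shorewall rules file, with a small audit that lists what that file exposes to the net zone. The zone names net and loc, the address 192.168.1.10 and public port 2222 are assumed values in a constructed file.]

```shell
#!/bin/sh
# Constructed rules file; 192.168.1.10 and public port 2222 are assumed values.
SAMPLE_RULES=$(cat <<'EOF'
#ACTION  SOURCE  DEST                 PROTO  DPORT
ACCEPT   net     $FW                  tcp    22
DNAT     net     loc:192.168.1.10:22  tcp    2222
ACCEPT   loc     $FW                  tcp    22
EOF
)

# net_exposure RULES_TEXT: one line per rule that admits traffic from the net
# zone, printed as "<public port>/<proto> -> <destination>".
net_exposure() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        $2 != "net"     { next }        # keep only rules sourced from net
        $1 == "ACCEPT" || $1 == "DNAT" { printf "%s/%s -> %s\n", $5, $4, $3 }'
}

# ssh_paths RULES_TEXT: the subset of exposed rules that end at TCP port 22,
# either with the port unchanged or rewritten to host:22 by a DNAT rule.
ssh_paths() {
    net_exposure "$1" | awk '
        $1 == "22/tcp" && $3 !~ /:[0-9]+$/ { print; next }  # port 22 kept as-is
        $3 ~ /:22$/                         { print }'       # forwarded to host:22
}

net_exposure "$SAMPLE_RULES"
# A remote client reaches the forwarded host by naming the public port, e.g.
#   ssh -p 2222 user@<public address of the firewall>
```

Running ssh_paths against the real rules file after each change shows every public port that ends at an SSH daemon.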



Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-03 Thread Jason Hsu
On Fri, 04 Mar 2011 09:51:13 +0530
Mihira Fernando mihirathe...@gmail.com wrote:
 
> How are you stopping shorewall? If you issue a shorewall stop, it goes
> into a lockdown mode. You have to issue a shorewall clear to allow all
> traffic.

I tried shorewall clear, but that also disabled my Internet connection.
Again, I had to start Shorewall up again to restore my Internet connection.


-- 
Jason Hsu jhsu802...@jasonhsu.com


Archive: http://lists.debian.org/20110303231240.2e082176.jhsu802...@jasonhsu.com



Re: Stopping the Shorewall firewall stops my Internet connection

2011-03-03 Thread Mihira Fernando

On 03/04/2011 10:42 AM, Jason Hsu wrote:


> I tried shorewall clear, but that also disabled my Internet connection.
> Again, I had to start Shorewall up again to restore my Internet connection.


Then it is as Stan had said, stopping shorewall disables your NATing as 
well. Follow his advice and open a port in the firewall computer that is
forwarded to TCP port 22 in the main computer.


Mihira.


Archive: http://lists.debian.org/4d7075b4.3090...@gmail.com