Re: [newbie] ICS, Shorewall stops rest of network
Hi Derek,

You wrote:

> Shorewall is a very effective firewall, but there are a couple of things
> you should know.

Many thanks for that - it is the clearest explanation I have yet read about this issue. Great!

More importantly, following your steps & suggestions EVERYTHING is working as I want.

Mate, the next shout's on me, as we say down here!

--
Pierre
Final Filer Software
http://www.finalfiler.com
Worrigee, NSW, Australia 2540
--
Life's like a roll of toilet paper-
The closer it gets to the end, the faster it goes.

Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [newbie] ICS, Shorewall stops rest of network
Hi everyone, especially those who responded to my thread.

You've given me a fair bit to go on with.

Many thanks

--
Pierre
Final Filer Software
http://www.finalfiler.com
Worrigee, NSW, Australia 2540
--
Life's like a roll of toilet paper-
The closer it gets to the end, the faster it goes.
Re: [newbie] ICS, Shorewall stops rest of network
On October 26, 2003 04:18 am, Derek Jennings wrote:
> Shorewall is a very effective firewall, but there are a couple of things
> you should know.
>
> 1/ Mandrake sets up shorewall assuming eth0 is the Internet and eth1 is the
> local network. If you use anything else (such as ADSL) then edit
> /etc/shorewall/interfaces accordingly. (an ADSL interface is usually ppp0)

This is a problem with how Mandrake sets up Shorewall if, for example, you have eth1 at the internet and eth0 as the local network. It took one hell of a long time to figure that out. :-)

The ADSL comment is wrong. Not in its entirety but wrong nonetheless. Some ADSL applications, notably European and some North American, do force you to use pppX as the interface. Others, notably North American, will quite happily set up as ethX and will sulk if you try to set them up as pppX. It appears to be how the modem is configured, though I'm not entirely sure of that.

Cable modems, at least the ones I'm familiar with, will set up as ethX as the interface.

ttfn

John
Re: [newbie] ICS, Shorewall stops rest of network
On Sunday 26 Oct 2003 7:47 am, [EMAIL PROTECTED] wrote:
> It has taken me several months to work out that the reason I can't
> access the SAMBA server I have set up is because of the Shorewall
> settings configured by invoking MDK9.x ICS.
>
> At least that is my reading of it.
>
> Essentially, everything else on my network seems to work - ICS, and the
> Linux box can read and write to the shared folders on the WinXP boxes.
> However, although I can see the Samba Server connection on the WinXP
> box, attempting to open it results in "Network Path not found". I cannot
> ping 192.168.1.1
>
> However, when I disable Shorewall, I can ping 192.168.1.1 and I can
> access Samba. But now ICS is disabled :(
>
> I have tried to make sense of the "instructions and solutions" out
> there on the internet. Frankly, my head is spinning. The Quickstart
> guide at Shorewall.net left me even more confused.
>
> Is anyone able to give me a simple, plain english explanation on how to
> configure Shorewall & ICS so the other computers on my local workgroup
> network can access SAMBA?
>
>
> Many thanks in advance...

Shorewall is a very effective firewall, but there are a couple of things you should know.

1/ Mandrake sets up shorewall assuming eth0 is the Internet and eth1 is the local network. If you use anything else (such as ADSL) then edit /etc/shorewall/interfaces accordingly. (an ADSL interface is usually ppp0)

2/ By default shorewall disables ping. If you want to enable ping to the firewall device then edit /etc/shorewall/rules and add the line

    ACCEPT  masq  fw  icmp  8

to allow pings from the local network, or

    ACCEPT  net   fw  icmp  8

to allow ping from the Internet

3/ Mandrake sets up shorewall with 3 zones. 'net' is the internet, 'masq' is the local network, and 'fw' is the firewall device itself. If you want the firewall device to run other services (such as samba) then you must open up ports to 'fw' from 'net' or 'masq' as appropriate.

Edit /etc/shorewall/rules

For example to enable samba to the firewall box from the local network.

    ACCEPT  masq  fw  tcp  137,138,139
    ACCEPT  masq  fw  udp  137,138,139

(I assume you do not want to open samba to the 'net' interface)

If you do not mind reducing your security a little you might like to consider opening *all* services between the firewall and local network. You can do that by editing /etc/shorewall/policy and add the line

    masq  fw  ACCEPT

4/ After making any change to the shorewall files restart it with

    shorewall restart

in a root terminal.

derek

--
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org
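Added example, not part of Derek's message and not Shorewall's own code: a small Python check that reads rules and policy text in the column layout shown above and reports whether Samba traffic to the firewall box is accepted from 'masq' and from 'net'. The sample file contents are constructed, the policy lines are an assumption, and only the zone, protocol and port columns are handled.

```python
# Added example: decide what Shorewall-style rules/policy text does with one connection.
# Constructed sample data; the policy lines are an assumption, not Mandrake's defaults.
RULES = """\
#ACTION  SOURCE  DEST  PROTO  DEST-PORT
ACCEPT   masq    fw    icmp   8
ACCEPT   masq    fw    tcp    137,138,139
ACCEPT   masq    fw    udp    137,138,139
"""
POLICY = """\
#SOURCE  DEST  POLICY
fw       all   ACCEPT
masq     net   ACCEPT
net      all   DROP
all      all   REJECT
"""

def rows(text):
    """Yield column lists, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def port_matches(spec, port):  # spec: comma list of ports or low:high ranges
    for item in spec.split(","):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def decide(rules, policy, src, dst, proto, port):
    """First matching rule wins; otherwise the first matching policy line applies."""
    for action, r_src, r_dst, *rest in rows(rules):
        r_proto = rest[0] if rest else "all"
        r_ports = rest[1] if len(rest) > 1 else "-"
        if (r_src in (src, "all") and r_dst in (dst, "all")
                and r_proto in (proto, "all")
                and (r_ports == "-" or port_matches(r_ports, port))):
            return action
    for p_src, p_dst, verdict, *_ in rows(policy):
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return verdict
    return "REJECT"

def samba_exposure(rules, policy):
    """Verdict for NetBIOS session traffic (tcp/139) to fw, per source zone."""
    return {z: decide(rules, policy, z, "fw", "tcp", 139) for z in ("masq", "net")}

print(samba_exposure(RULES, POLICY))
```

Prepending a "masq fw ACCEPT" line to the policy text, as in the last suggestion of step 3, makes decide() return ACCEPT for every port from 'masq' to 'fw', which shows how much wider that setting is than the two Samba rules.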
Re: [newbie] ICS, Shorewall stops rest of network
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 26, 2003 15:47
Subject: [newbie] ICS, Shorewall stops rest of network

> It has taken me several months to work out that the reason I can't
> access the SAMBA server I have set up is because of the Shorewall
> settings configured by invoking MDK9.x ICS.
>
> At least that is my reading of it.
>
> Essentially, everything else on my network seems to work - ICS, and the
> Linux box can read and write to the shared folders on the WinXP boxes.
> However, although I can see the Samba Server connection on the WinXP
> box, attempting to open it results in "Network Path not found". I cannot
> ping 192.168.1.1
>
> However, when I disable Shorewall, I can ping 192.168.1.1 and I can
> access Samba. But now ICS is disabled :(
>
> I have tried to make sense of the "instructions and solutions" out
> there on the internet. Frankly, my head is spinning. The Quickstart
> guide at Shorewall.net left me even more confused.
>
> Is anyone able to give me a simple, plain english explanation on how to
> configure Shorewall & ICS so the other computers on my local workgroup
> network can access SAMBA?
>
>
> Many thanks in advance...

hi Pierre,

i'm using Samba with ICS on Mandrake 9.0. it works perfectly, although Shorewall has taken quite a bit of flak on this list due to the way mandrake configures it.

bjorn has highlighted the requirements in another reply, that is to open ports 137, 138 and 139. FYI, the two config files you need to touch for mandrake are /etc/shorewall/rules, and maybe /etc/shorewall/interfaces.

you should try using the rules and interfaces with the appropriate configuration from quickstart guide at shorewall.net, which you've already found, and define rules and interfaces. the reason to use is cos they come heavily commented, and IIRC the mandrake tools strip the comments out.

you never stated your configuration, but this is how i'm configured for two ethernet cards, with my dsl connected to eth1.

eg /etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth1        detect
    loc     eth0        detect

/etc/shorewall/rules

    #samba
    #ACTION  SOURCE  DEST  PROTO  DEST         SOURCE   ORIGINAL
    #                             PORT         PORT(S)  DEST
    ACCEPT   loc     fw    tcp    137,138,139  -
    ACCEPT   loc     fw    udp    137,138,139  -

oh, and btw, you should remove the Reply-To in your email software when posting to this list. the reasons are documented at http://mandrake.vmlinuz.ca/bin/view/Main/MandrakeMailingListEtiquette item number 2.

hth,
Jim
Re: [newbie] ICS, Shorewall stops rest of network
On Sunday 26 Oct 2003 7:47 am, [EMAIL PROTECTED] wrote:
> I have tried to make sense of the "instructions and solutions" out
> there on the internet. Frankly, my head is spinning. The Quickstart
> guide at Shorewall.net left me even more confused.
>
> Is anyone able to give me a simple, plain english explanation on how to
> configure Shorewall & ICS so the other computers on my local workgroup
> network can access SAMBA?

I tried Shorewall once (MDK9.0) and it broke all connectivity. My conclusion was that it needs setting up if you are using it for more than a dedicated firewall. Don't know about ICS, and haven't tried it since.

Firewalls are complex bits of kit. They require really getting to grips with what you are doing with them. Automatic installs are only ever going to get you so far.

You could try the webmin interface. (urpmi webmin) It's not a magic bullet, but it might help.

You could install a hardware firewall between you and the internet. Then ditch shorewall and let the firewall manufacturers worry about it. If nothing else it simplifies your problem by splitting it in two.

You should keep reading until it all makes sense. That could take a long time; it's a very complex subject. But if you keep reading over and over, not expecting to understand it all first time through, things will drop into place one by one. Get a working knowledge of configuring shorewall and samba. Then if you post exactly what your network setup is and what your configuration files are someone will probably be able to point you in the right direction.

--
Richard Urwin