Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Bill Shirley
If you want a cleaner log file, create this file /etc/rsyslog.d/00-shorewall.conf :
if $msg contains 'Shorewall' then {
    action(type="omfile" file="/var/log/shorewall.log")
    # if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
    # if ($syslogfacility == 0 and $syslogseverity >=

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Tom, I attempted to follow the instructions below, but I failed the gzip test. Jim On 12/12/2017 03:27 PM, Tom Eastep wrote: On 12/12/2017 03:07 PM, jamby wrote: Tom, on my system I get a file "shorewall-init.log"; is that the dump you are referring to? Otherwise most messages

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Tom   I think I got it right in the later message with the shorewall_dump.txt file. Bill   It originally was /var/log/messages  but I changed it to /var/log/shorewall  but nothing ever is written there. Even after the change it was writing to /var/log/messages.   I was hoping to have a

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 03:23 PM, jamby wrote: > Tom & Bill > >    Attached is the output of the "shorewall dump" command. > > I changed LOGFILE = /var/log/shorewall   but nothing is ever written > there. > Now, neither of your ethernet interfaces has an IP configuration. Looks like you messed

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 03:23 PM, jamby wrote: > Tom & Bill > >    Attached is the output of the "shorewall dump" command. > > I changed LOGFILE = /var/log/shorewall   but nothing is ever written > there. > As described in the shorewall.conf manpage and in the FAQs, LOGFILE does NOT specify where

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Bill Shirley
You were posting excerpts from a log file earlier.  Which one was it? /var/log/messages ?  That's where they would be on a Fedora 22 system. Your shorewall.conf should have: LOGFILE=/var/log/messages Bill On 12/12/2017 6:23 PM, jamby wrote: Tom & Bill    Attached is the output of the

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 03:07 PM, jamby wrote: > Tom > >    On my system I get a file "shorewall-init.log"; is that the dump you > are referring to?   Otherwise most messages get dumped into the > /var/log/messages log file. > Here are the instructions from the URL I posted: If Shorewall is starting

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Tom & Bill    Attached is the output of the "shorewall dump" command. I changed LOGFILE = /var/log/shorewall   but nothing is ever written there. Thanks Jim On 12/12/2017 02:39 PM, Tom Eastep wrote: On 12/12/2017 01:16 PM, jamby wrote: Bill   from the FW  I can ping out into the

[Shorewall-users] DNAT and UDP

2017-12-12 Thread cacook
I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM) At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse SSH tunneled from another machine). Rather than flanging those ports directly to the outside interface in the router, I'm hoping for a little added

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Tom, on my system I get a file "shorewall-init.log"; is that the dump you are referring to? Otherwise most messages get dumped into the /var/log/messages log file. Jim On 12/12/2017 02:39 PM, Tom Eastep wrote: On 12/12/2017 01:16 PM, jamby wrote: Bill   from the FW  I can ping out into

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 01:16 PM, jamby wrote: > Bill > >   from the FW  I can ping out into the internet.  And Firefox will > connect to websites. > But from 192.168.2.8  neither will work.  And nothing shows up in the > messages file. > > As frustrated as I am,  I am sure it's worse for you since you can't

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Bill, from the FW I can ping out into the internet, and Firefox will connect to websites. But from 192.168.2.8 neither will work, and nothing shows up in the messages file. As frustrated as I am, I am sure it's worse for you since you can't see what is going on here. I am sure I have

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Bill Shirley
If you want to accept traffic from the wan zone, add a policy before the wan  all  DROP  info line:
wan    fw     ACCEPT
wan    all    DROP    info
OR add a rule:
SECTION NEW
ACCEPT  wan:192.168.1.1  fw  tcp  http
Bill On 12/12/2017 2:36 PM, jamby wrote: Bill   Made those changes and

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Bill, made those changes and attached the new files. Still not getting it to work.
Dec 12 11:19:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56014 DF PROTO=TCP

Re: [Shorewall-users] shorewall 5.1.9 Rev 1 DNAT

2017-12-12 Thread dino muzic via Shorewall-users
ok, I'll try.. thanks, dino On Tuesday, December 12, 2017 1:00 AM, Tom Eastep wrote: On 12/11/2017 02:49 PM, Tom Eastep wrote: > On 12/11/2017 07:48 AM, dino muzic via Shorewall-users wrote: >>   >> Hi, >> >> I was trying to DNAT as usually (pass-through external

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Bill Shirley
For Red Hat based systems, yes, remove GATEWAY= from /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-enp3s0. Ensure that there is a:
GATEWAY=192.168.1.1
DEFROUTE=yes
in /etc/sysconfig/network-scripts/ifcfg-enp4s0
Bill

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Tom, ran that command and got this back:
sudo ip route del default via 192.168.1.1 dev enp3s0
RTNETLINK answers: No such process
Attached the files for enp 3/4 s0. Jim It will be in your distribution's network configuration file for enp3s0. That would be the stanza for that interface in

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 10:19 AM, jamby wrote: > On 12/12/2017 10:16 AM, jamby wrote: >> On 12/12/2017 10:05 AM, Tom Eastep wrote: >>> On 12/12/2017 09:26 AM, jamby wrote: Sorry Tom    I am not sure what you mean.  Is that the Interfaces file and the Default info? #ZONE  

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
On 12/12/2017 10:16 AM, jamby wrote: On 12/12/2017 10:05 AM, Tom Eastep wrote: On 12/12/2017 09:26 AM, jamby wrote: Sorry Tom    I am not sure what you mean.  Is that the Interfaces file and the Default info? #ZONE   INTERFACE   OPTIONS wan enp4s0

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
On 12/12/2017 10:05 AM, Tom Eastep wrote: On 12/12/2017 09:26 AM, jamby wrote: Sorry Tom   I am not sure what you mean.  Is that the Interfaces file and the Default info? #ZONE   INTERFACE   OPTIONS wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 lan

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 09:26 AM, jamby wrote: > Sorry Tom > >   I am not sure what you mean.  Is that the Interfaces file and the > Default info? > > #ZONE   INTERFACE   OPTIONS > wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 > lan enp3s0

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Sorry Tom, I am not sure what you mean. Is that the Interfaces file and the Default info?
#ZONE   INTERFACE   OPTIONS
wan     enp4s0      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lan     enp3s0      tcpflags,nosmurfs,routefilter,logmartians,dhcp

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Tom Eastep
On 12/12/2017 02:58 AM, Bill Shirley wrote: > You should define policy for fw: > fw all   ACCEPT > lan    fw    ACCEPT > The order of these is important.  They should be at the top.  This is > probably why > 192.168.2.8 can't talk to the fw (192.168.2.1).  Get traffic flowing and > then narrow

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread jamby
Bill, made the changes you suggested but still not working. I ran the ip command and attached a file of the output. Thanks Jim
These were trying to ping 205.171.3.65:
Dec 12 06:43:21 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:21 nub kernel:

Re: [Shorewall-users] 2 interface firewall router

2017-12-12 Thread Bill Shirley
You should define policy for fw:
fw     all    ACCEPT
lan    fw     ACCEPT
The order of these is important. They should be at the top. This is probably why 192.168.2.8 can't talk to the fw (192.168.2.1). Get traffic flowing and then narrow it down to what is allowed. In your snat file you're